1 Introduction
1.1 Overview of Primary Computer feature
In Windows Server “8” Beta, administrators can designate a set of computers, known as primary computers, for each domain user. This designation controls which computers use Folder Redirection, Roaming User Profiles, or both. Designating primary computers is a simple and powerful method to associate user data and settings with particular computers or devices, simplify administrator oversight, improve data security, and help protect user profiles from corruption.
There are four major benefits to designating primary computers for users:
- The administrator can specify which computers users can use to access their redirected data and settings. For example, the administrator can choose to roam user data and settings between a user’s desktop and laptop, and to not roam the information when that user logs on to any other computer, such as a conference room computer.
- Designating primary computers reduces the security and privacy risk of leaving residual personal or corporate data on computers where the user has logged on. For example, a general manager who logs on to an employee’s computer for temporary access does not leave behind any personal or corporate data.
- Primary computers enable the administrator to mitigate the risk of an improperly configured or otherwise corrupt profile, which could result from roaming between differently configured systems, such as between x86-based and x64-based computers.
- A user’s first sign-in on a non-primary computer is faster because the user’s roaming user profile and/or redirected folders are not downloaded. Sign-out times for roaming user profile users on non-primary computers are also reduced, because changes to the user profile do not need to be uploaded to the file share.
1.2 Overview of this document
This post describes the steps I took to set up a user with Folder Redirection and assign primary computers, so that you can experiment with this new technology yourself. The post does not include details on how to set up a domain controller or a domain. The audience of this document is expected to have an existing file server, domain controller, and clients set up or be able to set these up independently.
2 Installation Steps
2.1 Prerequisites
You need only a single computer (the specs are provided below) and the ISO files for the Windows Server “8” Beta and Windows 8 Consumer Preview, both of which are available as free downloads.
- Windows Server “8” Beta ISO file
Download from http://technet.microsoft.com/en-us/evalcenter/hh670538.aspx
- Windows 8 Consumer Preview ISO file
Download from http://windows.microsoft.com/en-US/windows-8/iso
You will need a computer that meets the following requirements:
- Meets the minimum system requirements for Windows Server “8” Beta and Hyper-V
- Has at least 4 GB of RAM
In my case, I am using a Lenovo W520 Laptop with 8GB of RAM and an Intel Core i7.
You need to provision virtual machines for:
- Domain Controller (Windows Server “8” Beta)
- File Server (Windows Server “8” Beta)
- Primary Client (Windows 8 Consumer Preview)
- Other (non-primary) Client (Windows 8 Consumer Preview)
In my demo setup, I provisioned three virtual machines:
- One domain controller that also functions as a file server. I named this server PMDemo and named the domain dPMDemo.
- Two clients, which I named PMClient1 and PMClient2. Both clients are joined to the dPMDemo domain. PMClient1 will be designated as the demo user’s primary computer.
- I assigned 1.5GB RAM to each of the VMs. If you have less memory on your host computer, I would recommend enabling Dynamic Memory with a Startup RAM value of at least 1GB for the domain controller / file server and 1GB each for the two clients.
- All VMs are connected to the ‘External network’ virtual network switch that is connected to the physical network interface card (NIC) of the computer.
2.2 Setting up Folder Redirection
2.2.1 Create a file share for user data
To create a file share for user data, use the following procedure on the domain controller/file server.
- Create a folder named C:\Share.
- Right-click the folder you created, point to Share with and then click Specific people.
- Type Everyone, click Add, and then click Share.
Alternatively, you can add Authenticated Users or any security group with all users to which the Folder Redirection policy will apply as long as the users have Read/Write access to the file share.
2.2.2 Create a new user
To create a new user, use the following procedure on the domain controller.
- Open the Active Directory Users and Computers MMC snap-in.
- In the console tree, right-click Users, point to New and then click User.
- In the New Object – User dialog box, create a new user named Bob Smith.
- Assign a password, clear the User must change password at next logon check box, and then select the Password never expires check box.
2.2.3 Create a new group policy object
To create a new GPO for Folder Redirection and primary computer support, use the following procedure on the domain controller.
- Open the Group Policy Management MMC snap-in.
- In the console tree, right-click Group Policy Objects. Click New to create a new group policy object.
- In the Name box, type Folder Redirection and Primary Computer and click OK.
- In the Security Filtering section, remove Authenticated Users and target the GPO to user Bob Smith.
2.2.4 Configure Folder Redirection
To set up Folder Redirection for Bob Smith, use the following procedure.
- Right-click the Folder Redirection and Primary Computer GPO and then click Edit.
The Group Policy Management Editor opens.
- In the console tree, expand User Configuration, then Policies, Windows Settings, and then Folder Redirection.
- Right-click Documents, and then click Properties.
- Choose Basic – Redirect everyone’s folder to the same location from the Setting list.
- In the Root Path box, specify the root path to the file share created in step 2.2.1, and then click OK. In my demo, the share is \\PMDemo\Share.
2.2.5 Link the GPO to your domain
To link the GPO to your domain, use the following procedure on your domain controller.
- In the Group Policy Management console, right-click the domain created for this demo (in my case, dPMDemo), and then click Link an Existing GPO.
- Click Folder Redirection and Primary Computer and then click OK.
2.2.6 Test the Folder Redirection setup
At this point, the Folder Redirection setup is complete. If you’d like to test it out, sign in as Bob Smith on PMClient1. Ensure that Folder Redirection successfully applies for Bob Smith, as shown in step 2.4.1 below.
It is possible that you may have to reapply group policy on the client computer in order for Folder Redirection to apply. To do so, sign in as Bob Smith, open a command prompt window and then type Gpupdate /force. After signing out and then signing back in, the Folder Redirection policy should apply.
2.3 Setting up primary computers
2.3.1 Designate a Primary Computer in Active Directory
2.3.1.1 Designate a primary computer by using Active Directory Administrative Center
To designate a primary computer in Active Directory Domain Services (AD DS), use the following procedure.
- Open Active Directory Administrative Center.
- In the console tree, under the domain name node (dPMDemo in my case), click Computers.
- To designate PMClient1 as Bob Smith’s primary computer, double-click PMClient1, and then in the Extensions section, click the Attribute Editor tab.
- Double-click the distinguishedName attribute, right-click the value and then click Copy.
- In Active Directory Administrative Center, click Users, and then double-click Bob Smith. In the Extensions section, click the Attribute Editor tab.
- Double-click the msDS-PrimaryComputer attribute, paste the distinguished name of PMClient1 into the Value to Add box, and then click Add.
You can specify a list of computer names in the Value to Add box; each listed computer will be designated as a primary computer for the user.
- Click OK in the Multi-valued String Editor dialog and again in the Bob Smith window. PMClient1 is now configured in AD DS as a primary computer for Bob Smith.
2.3.1.2 Designate a primary computer by using Windows PowerShell
To use Windows PowerShell to designate a primary computer in AD DS, use the following procedure.
- Open a Windows PowerShell window on the domain controller.
- To retrieve the computer properties, including the distinguished name, of the primary computer, type the following command:
PS C:\Users\Administrator> $computer=Get-ADComputer PMClient1
- To set up the user-primary computer partnership for user Bob Smith, type the following command:
PS C:\Users\Administrator> Set-ADUser bobsmith -Add @{'msDS-PrimaryComputer'="$computer"}
- To check if the partnership was correctly set up, type the following command:
PS C:\Users\Administrator> Get-ADUser bobsmith -Properties msDS-PrimaryComputer
During the setup, if you’d like to remove the user-primary computer partnership for user Bob Smith, type the following command:
PS C:\Users\Administrator> Set-ADUser bobsmith -Remove @{'msDS-PrimaryComputer'="$computer"}
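The commands above handle one user and one computer. The following script is an added example, not part of the original post: it assigns several primary computers at once and then reports every user/primary-computer pair in the domain so that assignments pointing at disabled computers can be reviewed. The function names Add-PrimaryComputer and Get-PrimaryComputerReport are hypothetical; the user and computer names are the demo names used in this post.

```powershell
# Added example (not from the original post). Function names are hypothetical.
Import-Module ActiveDirectory

# Designate one or more primary computers for a user.
function Add-PrimaryComputer {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    # Function-local setting: any lookup failure aborts before AD is changed.
    $ErrorActionPreference = 'Stop'
    $dns = foreach ($name in $ComputerName) {
        (Get-ADComputer -Identity $name).DistinguishedName
    }
    # Skip values that are already present on the user object.
    $current = (Get-ADUser -Identity $User -Properties 'msDS-PrimaryComputer').'msDS-PrimaryComputer'
    $new = @($dns | Where-Object { $_ -notin $current })
    if ($new.Count -gt 0) {
        Set-ADUser -Identity $User -Add @{ 'msDS-PrimaryComputer' = [string[]]$new }
    }
}

# List every user/primary-computer pair and flag entries that need review.
function Get-PrimaryComputerReport {
    $users = Get-ADUser -LDAPFilter '(msDS-PrimaryComputer=*)' -Properties 'msDS-PrimaryComputer'
    foreach ($u in $users) {
        foreach ($dn in $u.'msDS-PrimaryComputer') {
            $status = 'OK'
            try {
                $pc = Get-ADComputer -Identity $dn -ErrorAction Stop
                if (-not $pc.Enabled) { $status = 'ComputerDisabled' }
            } catch {
                $status = 'NotResolved'
            }
            [pscustomobject]@{
                User            = $u.SamAccountName
                PrimaryComputer = $dn
                Status          = $status
            }
        }
    }
}

# Demo names from this post: user bobsmith, computer PMClient1.
Add-PrimaryComputer -User bobsmith -ComputerName PMClient1
Get-PrimaryComputerReport | Sort-Object User | Format-Table -AutoSize
```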
2.3.2 Configure Folder Redirection policy to apply to primary computers
To enable primary computer support for Folder Redirection, use the following procedure on the domain controller.
- In the Group Policy Management console, right-click Folder Redirection and Primary Computer and then click Edit.
Group Policy Management Editor appears.
- In the console tree, expand User Configuration, then Policies, Administrative Templates, System, and then Folder Redirection.
- Double-click Redirect folders on primary computers only, click Enabled, and then click OK.
At this point, all steps to configure primary computers for the user are complete.
2.4 Testing primary computers
2.4.1 Sign on to a primary computer using the Bob Smith account
To test the experience of using a primary computer, use the following procedure on the PMClient1 computer.
- Use the Bob Smith account to sign on to PMClient1, which has been designated as Bob Smith’s primary computer.
- Open Windows Explorer, and under Libraries, expand Documents to show both My Documents and Public Documents.
- Click My Documents, and then click the Address Bar to show the path to the redirected folder. Also notice the State field in the Status bar, which indicates that the folder is enabled for Offline Files and that Bob Smith successfully got his Documents folder redirected and subsequently cached on his primary computer.
2.4.2 Sign on to a non-primary computer using the Bob Smith account
To test the experience of using a non-primary computer, use the following procedure on the PMClient2 computer.
- Use the Bob Smith account to sign on to PMClient2, which has not been designated as Bob Smith’s primary computer.
- Open Windows Explorer, and under Libraries, expand Documents to show both My Documents and Public Documents.
- Click My Documents, and then click the Address Bar to show the local path to the Documents folder. Also notice the State field in the Status bar is not present, indicating that the folder is not enabled for Offline Files, and that Bob Smith has successfully logged on to a non-primary computer and received a local profile.