Profile Management 2103

Administer profiles within and across OUs

Within OUs

You can control how Profile Management administers profiles within an Organizational Unit (OU). In Windows Server 2008 environments, use Windows Management Instrumentation (WMI) filtering to restrict the .adm or .admx file to a subset of computers in the OU. WMI filtering is a capability of the Group Policy Management Console with Service Pack 1 (GPMC with SP1).

For more information on WMI filtering, see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc779036(v=ws.10) and https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc758471(v=ws.10).

For more information on GPMC with SP1, see https://www.microsoft.com/en-us/download/details.aspx?id=21895.

The following methods let you manage computers with different OSs using a single Group Policy Object (GPO) in a single OU. Each method is a different approach to defining the path to the user store:

  • Hard-coded strings
  • Profile Management variables
  • System environment variables

Hard-coded strings specify a location that contains computers of just one type. This allows profiles from those computers to be identified by Profile Management uniquely. For example, if you have an OU containing only Windows 7 computers, you might specify \server\profiles$\%USERNAME%.%USERDOMAIN%\Windows7 in Path to user store. In this example, the Windows7 folder is hard-coded. Hard-coded strings do not require any setup on the computers that run the Profile Management Service.

Profile Management variables are the preferred method because they can be combined flexibly to identify computers uniquely and do not require any setup. For example, if you have an OU containing Windows 7 and Windows 8 profiles running on operating systems of different bitness, you might specify \server\profiles$\%USERNAME%.%USERDOMAIN%!CTX_OSNAME!!CTX_OSBITNESS! in Path to user store. In this example, the two Profile Management variables might resolve to the folders Win7x86 (containing the profiles running on the Windows 7 32-bit operating system) and Win8x64 (containing the profiles running on the Windows 8 64-bit operating system). For more information on Profile Management variables, see Profile Management policies.

System environment variables require some configuration. They must be set up on each computer that runs the Profile Management Service. Where Profile Management variables are not suitable, consider incorporating system environment variables into the path to the user store as follows.

On each computer, set up a system environment variable called %ProfVer%. (User environment variables are not supported.) Then, set the path to the user store as:

pre codeblock \\upmserver\upmshare\%username%.%userdomain%\%ProfVer% <!--NeedCopy-->

For example, set the value for %ProfVer% to Win7 for your Windows 7 32-bit computers and Win7x64 for your Windows 7 64-bit computers. For Windows Server 2008 32-bit and 64-bit computers, use 2k8 and 2k8x64 respectively. Setting these values manually on many computers is time-consuming, but if you use Provisioning Services, you only have to add the variable to your base image.

Tip: In Windows Server 2008 R2 and Windows Server 2012, you can speed up the creation and application of environment variables using Group Policy. In Group Policy Management Editor, click Computer Configuration > Preferences > Windows Settings > Environment, and then Action > New > Environment Variable.

Across OUs

You can control how Profile Management administers profiles across OUs. Depending on your OU hierarchy and GPO inheritance, you can separate into one GPO a common set of Profile Management policies that apply to multiple OUs. For example, Path to user store and Enable Profile Management must be applied to all OUs. So you might store them separately in a dedicated GPO, enabling only these policies there (and leaving them unconfigured in all other GPOs).

You can also use a dedicated GPO to override inherited policies. For information on GPO inheritance, see the Microsoft website.

Administer profiles within and across OUs