Group Policy in a Mixed Windows XP – Windows 7 Environment

Mark Berry December 29, 2009

I’ve recently added a Windows 7 Enterprise computer to a network that is mostly running Windows XP SP3 with a Windows Server 2003 R2 server.

One of the main challenges is to get Group Policy to work properly in the mixed Windows XP – Windows 7 environment. For now, the goal isn’t to take advantage of all the new Group Policy features–we just want Group Policy to do on Windows 7 what it does on XP.

Logon Script Fails

The first issue was that we use a simple logon script to map drives. However, drives were not getting mapped with Windows 7. When tested with Group Policy Modeling, the following message was displayed on the logon script:  “An unknown error occurred while data was gathered for this extension.”

Eventually I realized that this might have something to do with the way that Windows 7 (and Windows Vista) access files when UAC is active. I found this thread that references MSKB 937624 and advises adding the EnableLinkedConnections registry value:

Click Start, type regedit in the Start Search box, and then press ENTER.

  1. Locate and then right-click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  2. Point to New, and then click DWORD Value.
  3. Type EnableLinkedConnections, and then press ENTER.
  4. Right-click EnableLinkedConnections, and then click Modify.
  5. In the Value data box, type 1, and then click OK.
  6. Exit Registry Editor, and then restart the computer.

Sure enough, once I added that value, logged off, and logged back on, the script ran fine and the drives were mapped as they are under XP.
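The same change can be audited and applied from a script instead of Registry Editor. This is an added example, not part of the original post or of MSKB 937624; the key path and value name are the ones in the steps above, and the function names are hypothetical.

```powershell
# Added example: report the state of EnableLinkedConnections and set it only when asked.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'EnableLinkedConnections'

function Get-LinkedConnectionsState {
    # Returns the current DWORD, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-IsElevated {
    # Writing under HKLM needs the full administrator token, not the UAC-filtered one.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-LinkedConnections {
    param([switch]$Apply)

    $current = Get-LinkedConnectionsState
    if ($current -eq 1) { return 'Already set to 1; nothing to do.' }

    if (-not $Apply) {
        $shown = if ($null -eq $current) { '<absent>' } else { $current }
        return "Current value: $shown. Re-run with -Apply to set it to 1."
    }

    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # -Force overwrites an existing value of the same name, so the call is repeatable.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    return 'Set to 1. Restart the computer for the change to take effect.'
}

# Audit only; use "Set-LinkedConnections -Apply" to make the change.
Set-LinkedConnections
```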

Roaming Profiles and Folder Redirection

Windows XP and Windows 7 by default do not share roaming profiles. Getting them to “see” each other can be accomplished at least in part. The main document on this has not been updated for Windows 7, but still seems relevant:  Windows Vista:  Managing Roaming User Data Deployment Guide.

Here is my “cheat sheet” on how I added Windows 7 folder redirection to a domain that already has Windows XP roaming profiles and folder redirection. This environment has two server shares, UserDocs and UserProfiles. I chose to create a separate GPO for Windows Vista and above:

  1. Install the Windows Server Administration Tools on a Windows 7 machine and activate the Group Policy Management Tools feature. Start the Group Policy Management snap-in.
  2. Create two WMI filters:
    WinXP/2003/2003R2:  Select * from Win32_OperatingSystem where (Version like "5.1%" or Version like "5.2%")
    WinVista/7/2008/2008R2:  Select * from WIN32_OperatingSystem where Version like "6.%"
  3. Rename the current policy from “Redirect User Data” to “Redirect User Data – WinXP/2003”.
  4. Copy the “Redirect User Data – WinXP/2003” policy and rename it to “Redirect User Data – WinVista/7/2008/2008R2”.
  5. Apply the WMI filters from step 2 to the appropriate policies.
  6. Edit the new “Redirect User Data – WinVista/7/2008/2008R2”. Under User Configuration > Policies > Windows Settings > Folder Redirection, make the settings shown in the Windows Vista/7/2008/2008R2 column of the table below.

| Folder | Windows XP/2003 Setting | Windows Vista/7/2008/2008R2 Setting | Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems |
|---|---|---|---|
| AppData(Roaming) | Basic – redirect to the local userprofile location: \\SERVER01\UserProfiles\%username%\Application Data | Redirect to the following location: \\SERVER01\UserProfiles\%username%\Application Data | No |
| Desktop | Not configured (part of user profile in XP) | Redirect to the following location: \\SERVER01\UserProfiles\%username%\Desktop | Yes (but won’t be set due to WMI filter) |
| Start Menu | Not configured (part of user profile in XP) | Redirect to the following location: \\SERVER01\UserProfiles\%username%\Start Menu | No |
| Documents | Create a folder for each user under the root path: \\SERVER01\UserDocs | No change | Yes (but won’t be set due to WMI filter) |
| Pictures | Follow the Documents folder | No change | Not available (grayed out) |
| Music | Follow the Documents folder | No change | Not available (grayed out) |
| Videos | Follow the Documents folder | No change | Not available (grayed out) |
| Favorites | Not configured (part of user profile in XP) | Redirect to the following location: \\SERVER01\UserProfiles\%username%\Favorites | Not available (grayed out) |
| Contacts | Not configured (not available in XP) | Create a folder for each user under the root path: \\SERVER01\UserProfiles | Not available (grayed out) |
| Downloads | Not configured (not available in XP) | Create a folder for each user under the root path: \\SERVER01\UserProfiles | Not available (grayed out) |
| Links | Not configured (not available in XP) | Create a folder for each user under the root path: \\SERVER01\UserProfiles | Not available (grayed out) |
| Searches | Not configured (not available in XP) | Create a folder for each user under the root path: \\SERVER01\UserProfiles | Not available (grayed out) |
| Saved Games | Not configured (not available in XP) | Create a folder for each user under the root path: \\SERVER01\UserProfiles | Not available (grayed out) |

The basic principle is that if a folder is available in the Windows XP roaming profile, redirect the corresponding Windows 7 folder to the roaming profile folder. This is covered in some detail in the last section of the Deployment Guide, “Scenario 3: Windows Vista and Windows XP Roaming User Profile Interoperability.” 

It’s worth noting that when you make a setting to “Redirect to the following location” (as instructed in the Deployment Guide), then go back into the settings, the setting has changed to “Create a folder for each user under the root path”.
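Before linking the two WMI filters from step 2, it helps to confirm that every machine matches exactly one of them. The script below is an added example, not part of the original post; the filter names and WQL are copied from step 2, while the function names and the computer list are placeholders.

```powershell
# Added example: evaluate the page's two WMI filters against one or more computers.
$Filters = @{
    'WinXP/2003/2003R2'      = 'Select * from Win32_OperatingSystem where (Version like "5.1%" or Version like "5.2%")'
    'WinVista/7/2008/2008R2' = 'Select * from WIN32_OperatingSystem where Version like "6.%"'
}

function Test-WmiFilter {
    param([string]$ComputerName, [string]$Query)
    # A GPO WMI filter passes when the query returns at least one instance.
    $hits = @(Get-WmiObject -Query $Query -ComputerName $ComputerName -ErrorAction Stop)
    return ($hits.Count -gt 0)
}

function Get-FilterMatch {
    param([string[]]$ComputerName = @('.'))   # '.' is the local computer

    foreach ($c in $ComputerName) {
        try {
            $os      = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
            $matched = @($Filters.Keys | Where-Object { Test-WmiFilter -ComputerName $c -Query $Filters[$_] })
            $note = switch ($matched.Count) {
                0       { 'NO FILTER MATCHES: neither redirection GPO applies' }
                1       { 'ok' }
                default { 'BOTH FILTERS MATCH: the two GPOs would conflict' }
            }
            New-Object PSObject -Property @{
                Computer = $c
                Version  = $os.Version
                Matched  = ($matched -join ', ')
                Note     = $note
            }
        } catch {
            # Unreachable host, firewall, or access denied: report it rather than stop.
            New-Object PSObject -Property @{
                Computer = $c
                Version  = $null
                Matched  = $null
                Note     = "WMI query failed: $($_.Exception.Message)"
            }
        }
    }
}

Get-FilterMatch -ComputerName '.' | Format-Table Computer, Version, Matched, Note -AutoSize
```

A machine whose Version starts with neither 5.1, 5.2 nor 6. (Windows 10 reports 10.0, for example) shows up in the "NO FILTER MATCHES" row, which means neither copy of the redirection policy would reach it.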

Update 10/13/2010:  There is a fairly major “gotcha” in the interoperability approach presented in the Deployment Guide and condensed above. Windows XP requires that Offline Caching be disabled on the \\SERVER01\UserProfiles share because XP handles the caching of profiles separately. However with Offline Caching disabled, when the server is down, Windows 7 users will not be able to access the items shared with XP (AppData, Desktop, Start Menu, and Favorites) because Windows 7 thinks those are “normal” redirected folders, not part of the roaming profile, so with Offline Caching disabled, it has no local copy. Had I realized this earlier, I might have just kept the Windows 7 redirected folders completely separate rather than try to link them to the XP profiles. (By the way, if you do turn on caching on the \\SERVER01\UserProfiles folder, you’ll get Userenv event 1525 on the XP machines:  “Windows has detected that Offline Caching is enabled on the Roaming Profile share – to avoid potential profile corruption, Offline Caching must be disabled on shares where roaming user profiles are stored.”)

Testing

Of course the setup needs testing. I tried to use Group Policy Modeling but kept getting this error on the Folder Redirection settings:  “An unknown error occurred while data was gathered for this extension. Details: Not found.” In the end I just logged on and off the Windows 7 machine as various users and watched what happened on the server’s UserProfiles and UserDocs shares.
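A client-side check can complement watching the server shares. The script below is an added example, not part of the original post: it reads the logged-on user's User Shell Folders registry key (a standard Windows location the post does not mention) and compares each path with the two shares named above. The function name is hypothetical.

```powershell
# Added example: run as the test user on the Windows 7 client after logon.
$Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$Roots = @('\\SERVER01\UserProfiles', '\\SERVER01\UserDocs')   # shares named in the post

function Get-RedirectionState {
    $regKey = Get-Item -Path $Key
    foreach ($name in $regKey.GetValueNames()) {
        # GetValue() expands %USERPROFILE% and similar variables.
        $path = [string]$regKey.GetValue($name)

        if ($path -notlike '\\*') {
            $state = 'local (not redirected)'
        } elseif ($Roots | Where-Object { $path -like "$_\*" }) {
            $state = 'redirected to expected share'
        } else {
            $state = 'redirected to UNEXPECTED location'
        }

        New-Object PSObject -Property @{
            Folder    = $name     # newer folders such as Downloads appear under GUID names
            State     = $state
            Reachable = (Test-Path -LiteralPath $path)
            Path      = $path
        }
    }
}

Get-RedirectionState |
    Sort-Object State, Folder |
    Format-Table Folder, State, Reachable, Path -AutoSize
```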

Permissions

It seems permissions are a common issue with Group Policy, and the advice on how to set them up is not always consistent. The main reference is Security Considerations when Configuring Folder Redirection. It’s unclear whether Enabling the administrator to have access to redirected folders still applies. Although I have enabled the policy Computer Configuration > Administrative Templates > System > User Profiles > Add the Administrators security group to roaming user profiles, Windows 7 seems to create folders without Administrators rights.

Change Shut Down to Log Off

If you usually want your users to log off rather than shut down the computer, change the default action on Windows 7 from Shut Down to Log Off here:

User Configuration > Administrative Templates > Start Menu and Taskbar > Change Start Menu power button

You might want to add the Log Off button to pre-Windows 7 operating systems while you are at it:

User Configuration > Administrative Templates > Start Menu and Taskbar > Add Logoff to the Start Menu



5 Comments

  1. Timo Lappalainen   |  September 29, 2010 at 1:08 am

    Dear Sir,

    In your blog you prefer to set App Data redirection for Win7 with Redirect to the following location
    \\SERVER01\UserProfiles\%username%\Application Data. If I use that setting on server, it changes it to “Create a folder for each user under the root path” and changes path to \\SERVER01\UserProfiles. I have tried to find a solution for this problem without success. Or is there?

    The point was that I would keep App data for XP machines not redirected and so for W7 machines redirected to \\SERVER01\UserProfiles\%username%\Profile\Application Data. User Profile has been set to \\SERVER01\UserProfiles\%username%\Profile, so for w7 it will be \\SERVER01\UserProfiles\%username%\Profile.V2.

  2. Mark Berry   |  September 29, 2010 at 9:28 am

    So basically you just want different policies for XP vs. Win7, right? As explained in the post, you are going to have two policies anyway, filtered using WMI for XP or Win7. So I would think you could just disable AppData roaming on the XP profile?

    Not sure what you are doing with the extra “Profile” folder below %username%. In my environment, Application Data, like everything else, is directly under %username%:

    \\SERVER01\UserProfiles\%username%\Application Data

    or for Windows 7, it winds up here:

    \\SERVER01\UserProfiles\%username%.V2\AppData.

    Note that the .V2 is appended to %username% (at least the way I have it set up).

  3. Timo Lappalainen   |  October 03, 2010 at 8:02 am

    Thanks for quick response.

    Actually we do not want to have completely different policies. The App Data should be same in both profiles, since some applications in both XP and Win7 save their settings to AppData. If they do not point to same directory then you know that user will lose all settings when she/he moves from Win7 machine to XP machine and opposite.

    With extra profile I got these two profiles working. Since \\SERVER01\UserProfiles did not have proper rights, Win7 just warned that temporary profile is in use. By using extra profile, I could give full rights for and owner for \\SERVER01\UserProfiles\%username% level, which then gave possibility to create \\SERVER01\UserProfiles\%username%\Profile.V2. On \\SERVER01\UserProfiles level only Admin has rights and this caused error when Win7 tried to create \\SERVER01\UserProfiles\%username%.V2

  4. Mark Berry   |  October 03, 2010 at 1:39 pm

    Well my approach was to use two group policies, one for WinXP and one for Win7, but both pointing to the same folders.

    Permissions are very tricky with roaming profiles. I spent many hours on that last week after a server migration. You have to take ownership, assign correct permissions, then assign ownership back to the user.

  5. Mark Berry   |  October 06, 2010 at 12:13 pm

    I’ve blogged about resetting permissions:

    Reset Roaming Profile and Folder Redirection Permissions
