I am administering a Windows Server 2008 R2 environment that is using roaming profiles and folder redirection. The client machines are running Windows 7. Due to the nature of the business, users rarely log off and frequently have logons on multiple machines at once. This obviously creates a lot of problems with "last writer wins" conflicts and each session overwriting changes made in another session.
I have tried different methods to reduce the conflicts, but still do not have a satisfactory solution. I am using the new feature of background uploading of user profiles, but as this article explains that really does not solve the problem: http://blogs.sepago.de/helge/2009/04/02/microsoft-tackles-the-last-writer-wins-problem-of-roaming-profiles-in-windows-7-server-2008-r2/. I have also run a few trials of third-party software such as ProfileUnity, but still had some issues with that. And of course I suggested that users could just be more conscientious about logging off when they leave their computer and before they start a new session. But management said that that just will not happen and will not work for our environment.
So the question is, do any of you have experience with this issue? Do you know of any settings or third party apps that at least minimize the conflicts even if it does not eliminate them? Is there any way to make it so that the computer does a periodic logoff and log back on that is transparent to the user?
First, there's nothing wrong with using roaming profiles so long as they're implemented correctly. Just because they're an older concept doesn't make them any less useful or valid in today's IT environment. Roaming profiles were not designed with the intention of one user per PC and one PC per user, they were designed for your exact use case, one or many users who log on to multiple computers (be they workstations or Terminal Servers). The intention was to give the user a consistent environment (desktop, application settings, etc.) regardless of which computer they log on to.
Second, implementing some type of automatic logoff mechanism doesn't solve your problem as it doesn't prevent a user from having multiple logons across multiple computers simultaneously. What's to stop a user from logging on to one computer or TS at 9AM and logging on to another at 10AM? When your automatic logoff mechanism kicks in you'll still have the same problem.
Third, folder redirection can help the situation by redirecting some folders out of the roaming profile but it doesn't solve the problem because all of the user's folders can't be redirected. There are core components of the roaming profile (ntuser.dat, program settings, etc.) that can't be redirected.
Fourth, there isn't a setting that will log a user off of their session based on their logon hours setting. The two settings that have to do with logging a user off and disconnecting their session based on their logon hours disconnect them from SMB shares; they do not log them off of their desktop session. There are settings for terminating (logging off) a user session on a TS, based on various timings (idle, active, disconnected).
You have, unfortunately, a technical problem, caused by a behavioral problem, that can't be completely solved with a technical solution. Here are some suggestions that may help:
Implement Folder Redirection (as others have suggested) for folders such as My Documents, Desktop, Start Menu.
If your users are logging on to Terminal Services, implement a single logon restriction via GPO. This will prevent any user from having more than one session.
Educate your users on developing the habit of logging off before leaving for the day. This is considered good practice/etiquette and should be encouraged and supported by management. If management balks at the idea, then they're partly to blame if the problem persists.
The big problem with roaming profiles is that they were designed long ago in the mid-90s for one specific use case: one PC per user and one user per PC. In that scenario roaming profiles work reasonably well, but if the scenario changes, they fail (miserably).
The "last writer wins" problem caused by concurrent sessions is very well known in the terminal server world where I have been working for many years. Because of so-called silos it is very common there that users have more than one concurrent session.
The last writer wins problem is not really about the files (that could be solved by folder redirection) but about the registry hive HKCU, stored in a single file, NTUSER.DAT. That file is changed in every session, so it is always written back when a session is logged off, overwriting any existing versions of that file in the network.
Unfortunately, there is no way to work around this with roaming profiles alone. For that very reason third-party profile management products are very popular in the Citrix / terminal server world. I helped create one such product which was later sold to Citrix and is now bundled with their major products XenApp and XenDesktop. It identifies the changed keys in HKCU and merges them into the copy of NTUSER.DAT residing on the network.
Other commercial products solve the last writer wins problem, too. I am afraid I do not know of any free solution.
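The whole-file overwrite and the key-level merge described in this answer, as an added simulation that is not part of the original answer or any product's code. The hive is modelled as a Python dict; the value names, session contents and the `DELETED` marker are constructed for illustration.

```python
# Constructed model: HKCU as a dict of value name -> data.
FONT, SIZE = r"Software\App\Font", r"Software\App\Size"
SIG, LEGACY = r"Software\Mail\Signature", r"Software\Legacy\Flag"
DELETED = object()  # marks a value removed during a session

def diff(baseline, session):
    """Changes a session made relative to the hive it loaded at logon."""
    changes = {k: v for k, v in session.items()
               if baseline.get(k, DELETED) != v}
    changes.update({k: DELETED for k in baseline if k not in session})
    return changes

def logoff_overwrite(network, baseline, session):
    """Plain roaming profile: the session's whole hive replaces the copy."""
    return dict(session)

def logoff_merge(network, baseline, session):
    """Merge approach: apply only the values this session changed."""
    merged = dict(network)
    for key, value in diff(baseline, session).items():
        if value is DELETED:
            merged.pop(key, None)
        else:
            merged[key] = value
    return merged

def simulate(logoff):
    """Two concurrent sessions; A logs off first, B logs off last."""
    network = {FONT: "Arial", SIZE: 10, SIG: "old", LEGACY: 1}
    base_a, base_b = dict(network), dict(network)  # same copy at logon
    sess_a, sess_b = dict(base_a), dict(base_b)
    sess_a[SIG] = "new"          # A edits the signature ...
    sess_a[SIZE] = 12            # ... changes the size ...
    del sess_a[LEGACY]           # ... and removes a stale value
    sess_b[FONT] = "Consolas"    # B changes the font ...
    sess_b[SIZE] = 14            # ... and also the size (true conflict)
    network = logoff(network, base_a, sess_a)
    network = logoff(network, base_b, sess_b)
    return network

if __name__ == "__main__":
    print("overwrite:", simulate(logoff_overwrite))
    print("merge:    ", simulate(logoff_merge))
```

With the merge, only the value both sessions changed (`SIZE`) still falls to the last writer; everything session A changed on its own survives.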
Folder redirection mitigates most of the problem as most writes happen in near real time, though over the network. I have seen people get locked out of their (specific, not folder) documents because they forgot to close them.
You can in addition try logging off if idle (if you can get management's buy in, it means your users will have to save their work before leaving, but they should do that anyway).
http://t3chnot3s.blogspot.com/2011/04/logoff-idle-windows-sessions-via-screen.html
You could use a GPO to force log off the computer based off logon hours. This would only push them off after business hours, and would not log them back on.
You could use a GPO to push a 3rd party app to all PCs that would force a logoff after a time limit was passed, I think there is a screensaver that will do this. When the screensaver is activated after X minutes, the user will be logged off. Again, this won't log them back on.
In a roaming profile environment I administered, I was REALLY unhappy with the logon/off speeds and network traffic caused by the profiles syncing the data all the time. Some people stored hundreds of files on their desktops - totally unnecessary. I changed the structure of things and did this instead:
This solved the problems I was seeing because their profiles were now very neat and clean, logons were blazing fast, and I fixed problems with multiple copies of files being open because they would get a "file is already open" message if they tried to open a file on the file server from a second PC. This also helped with some issues of file backups I was getting, because I had all my important data on a single server I could run backups off of.
Lastly, if you are uninterested in changing the configuration of your environment, you need to educate your users. In a lot of ways, this does not strike me as a problem that you need to fix. The environment is working correctly, the users are just not aware of how they need to be doing things correctly. Speak to your management and ask to have a training class held, put together a 15 minute talk on how to properly save, and log off of workstations. Don't tell them that they're doing it wrong - just tell them that if they do things the way you're teaching, they will have fewer problems, and their jobs will be easier and more efficient.
You could have a windows service or exe pushed to each machine that monitors the wfica32.exe process. And when that process disappears from the machine due to smooth roaming, lock the workstation.
You should give a look to UserLock, a 3rd-party software solution that allows you to (among other features) prevent or limit simultaneous logon (same ID, same password), per user, user group or Organizational Unit and per session type (workstation, terminal, interactive, Internet Information Services or VPN/RAS).
Limitations can be set in a granular way and can vary from one user to another, one group to another, or one Organizational Unit to the other.
Besides, UserLock will allow users to remotely close a previous session from the new workstation on which they are not allowed to log on due to the maximum allowed number restriction.
A solution to prevent concurrent user logins can also be achieved using LimitLogin which doesn't require purchasing (unlike UserLock). It may not have as many features but it's free.
Download and info available from here at Microsoft TechNet:
We are considering implementing this at one of our customers due to similar issues with roaming profiles.