Local and Roaming profiles

I need to create roaming profiles for all of my mobile users.  What I need the profile to do is prompt the user when their password is about to expire so they can change it beforehand.  I would like to have the profile maintain being saved locally on PCs to save space.  Is it possible to have a roaming profile that is saved locally on a system and still update to the server once the user has established the VPN connection to the network? Thanks.
valf_47Asked:

dpetr000Commented:
Unfortunately, no.  If the user's network profile isn't available when they log on, the user is given the machine's default policy.  Roaming Profiles require the user to be connected to the network because the machine is reading and writing the profile constantly.

If you're just interested in synchronizing personal documents to a network drive, look at Offline Files:

http://support.microsoft.com/kb/312171

If you're interested in advanced profile management options, you could also look at the AppSense Environment Manager: http://support.microsoft.com/kb/312171
valf_47Author Commented:
Since that is the case, what is the best way to set up the profiles so they are prompted that their password will expire in 'x' amount of days?  Currently we do have a password policy set up to change password every 45 days.  The users are constantly calling in stating they have no access because of their password (which is obvious, as they aren't getting prompted to change their password).
chikenheadCommented:
Let's look at this step by step.
Yes, you can map the user profile to any UNC path, be it on a server or workstation.  If you map it to a share on the local computer it will always be available to the machine and will not have to copy settings across the network...  although this seems to defeat the purpose of a roaming profile, especially since the remote computer we are talking about will not always be accessible by computers on the internal network.

So here's your workaround.
If you were to set up Distributed File System you could map the profile to a single UNC path that is replicated between multiple shares.  As DFS is site aware, if you set up your VPN clients in a separate subnet than your main network, and configure this as a separate site in AD, DFS will automatically retrieve the profile from the closest available site, which when you're on the laptop would be the DFS mapping to the share on your laptop, and when you are on your network the DFS mapping to a share on one of your file servers.

DFS will automagically handle synchronizing for you.

Other considerations...

Also, these statements are not entirely correct:
"Unfortunately, no.  If the user's network profile isn't available when they log on, the user is given the machine's default policy.  Roaming Profiles require the user to be connected to the network because the machine is reading and writing the profile constantly."

The user is only given the machine's default policy if they have never logged on to the computer before, or in any other situation where there is not a cached copy of their profile.

Roaming profiles do not require an active connection, rather all changes are written at the end of the session, not constantly.

Also, if you are having issues with the size of the profile you can redirect the Desktop, Start Menu, and My Docs folders to other network shares.

Offline Files does not work so well for most situations...  only use this feature in a situation where only a single user is accessing the files, or where the files are static (don't change frequently) if being viewed by multiple users.

chikenheadCommented:
What type of VPN solution are you using?  
valf_47Author Commented:
Cisco ASA 5505
chikenheadCommented:
Now we are into complicated territory...  The question is: are your users authenticating to the domain, or to the VPN?

The first reaction is, of course, "we are using domain accounts and passwords so we must be authenticating to the domain"...  Whether you are or not depends on how you have configured your VPN client as well as your firewall.

Typically most VPN setups do not pass RPC traffic to any domain controllers, so you are not actually authenticating to the domain, don't get password reset messages, and won't receive any group policy settings.  What these boxes typically do is authenticate you at the firewall, using RADIUS.  RADIUS is configured through RRAS in Windows.  Here, what happens is the user authenticates at the firewall, the firewall sends the user's credentials to the RADIUS server, which does the actual authentication.  The user's computer never accesses a domain controller, though.

I am not an expert on the Cisco VPN client; however, I do believe it can be set up to allow some type of passthrough to DCs.
0
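
Because VPN users who authenticate only through RADIUS never see the Windows expiry prompt, one server-side way to warn them is sketched below as an added example; it is not part of the original thread. It runs as a scheduled task on a domain-joined server with the ActiveDirectory module installed, and the 10-day window, SMTP server and addresses are assumed placeholders.

```powershell
# Added example (not from the thread): e-mail users whose AD password expires soon.
# Assumptions: ActiveDirectory module (RSAT) is installed; the values below are placeholders.
Import-Module ActiveDirectory

$WarnDays   = 10                       # assumed warning window, in days
$SmtpServer = 'smtp.example.com'       # placeholder
$From       = 'helpdesk@example.com'   # placeholder

function Get-ExpiringPassword {
    param([int]$Days)
    $now = Get-Date
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
               -Properties 'msDS-UserPasswordExpiryTimeComputed', mail |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
            # 0/empty = must change at next logon; Int64.MaxValue = never expires.
            # Both would break FromFileTime or give a meaningless date, so skip them.
            if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }
            $expires = [DateTime]::FromFileTime($raw)
            $left    = [math]::Floor(($expires - $now).TotalDays)
            if ($left -ge 0 -and $left -le $Days) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    Mail           = $_.mail
                    Expires        = $expires
                    DaysLeft       = $left
                }
            }
        }
}

$expiring = @(Get-ExpiringPassword -Days $WarnDays)

foreach ($u in $expiring) {
    if (-not $u.Mail) { continue }     # no mailbox on record: leave for the help desk report
    $body = "Your domain password expires on $($u.Expires.ToString('yyyy-MM-dd')) " +
            "($($u.DaysLeft) day(s) left). Please change it before then or contact the help desk."
    Send-MailMessage -To $u.Mail -From $From -SmtpServer $SmtpServer `
                     -Subject 'Your password is about to expire' -Body $body
}

# Summary for the help desk, including accounts that have no mail attribute
$expiring | Sort-Object DaysLeft | Format-Table SamAccountName, Mail, Expires, DaysLeft
```

The computed attribute already accounts for the domain's maximum password age (45 days in the asker's case) and any fine-grained password policy, so the script does not need the policy value itself.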

chikenheadCommented:
kodiakbear:
A request has been made in Community Support to close this question:
http://www.experts-exchange.com/Q_23123312.html

If there are no objections, a moderator will finalize this question in approximately 4 days as follows:
Delete with refund

Please leave any recommendations here.

kb
Experts Exchange Moderator

With refund?  Really?
dpetr000Commented:
I concur with chikenhead.  In my opinion, the question has been answered.  The functionality that the user has requested is not directly available.  A number of workarounds are discussed in this thread.  The community answered the question that was asked of it -- and the requestor seems to have accepted their answer.
Vee_ModCommented:
Force accepted.
Vee_Mod
Community Support Moderator