Local and Roaming profiles

I need to create roaming profiles for all of my mobile users.  What I need the profile to do is prompt the user when their password is about to expire so they can change it before hand.  I would like to have the profile maintain being saved locally on PC's to save space.  Is it possible to have a roaming profile that is saved locally on a system and still update to the server once the user has established the VPN connection to the network? Thanks.

Unfortunately, no.  If the user's network profile isn't available when they logon, the user is given the machine's default policy.  Roaming Profiles require the user to be connected to the network because the machine is reading and writing the profile constantly.

If you're just interested in synchronizing personal documents to a network drive, look at Offline Files:


If you're interested in advanced profile management options, you could also look at the AppSense Environment Manager: http://support.microsoft.com/kb/312171


Since that is the case, what is the best way to set up the profiles so they are prompted that their password will expire in 'x' amount of days?  Currently we do have a password policy set up to change password every 45 days.  The users are constantly calling in stating they have no access because of their password (which is obvious as they aren't getting prompted to change their password).
Lets look at this step by step
Yes, you can map the user profile to any UNC path, be it on a server or workstation.  If you map it to a share on the local computer it will always be available to the machine and will not have to copy settings across the network...  although this seems to defeat the purpose of a roaming profile, especially since the remote computer we are talking about will not always be accessible by computers on the internal network.

So here's your workaround.
If you were to set up Distributed File System you could map the profile to a single UNC path that is replicated between multiple shares.  As DFS is site aware, if you set up your VPN clients in a separate subnet than your main network, and configure this as a separate site in AD, DFS will automatically retrieve the profile from the closest available site, which when you're on the laptop would be the DFS mapping to the share on your laptop, and when you are on your network the DFS mapping to a share on one of your file servers.

DFS will automagically handle synchronizing for you.

Other considerations......

Also, these statements are not entirely correct:
Unfortunately, no.  If the user's network profile isn't available when they logon, the user is given the machine's default policy.  Roaming Profiles require the user to be connected to the network because the machine is reading and writing the profile constantly.

The user is only given the machine's default policy if they have never logged on to the computer before, or in any other situation where there is not a cached copy of their profile.

Roaming profiles do not require an active connection, rather all changes are written at the end of the session, not constantly.

Also, if you are having issues with the size of the profile you can redirect the Desktop, Start Menu, and My Docs folders to other network shares.

Offline Files does not work so well for most situations.....  only use this feature in a situation where only a single user is accessing the files, or where the files are static (don't change frequently) if being viewed by multiple users.

What type of VPN solution are you using?  


Cisco ASA 5505
Now we are into complicated territory.....    The question is: are your users authenticating to the domain, or to the VPN?

The first reaction is of course "we are using domain accounts and passwords so we must be authenticating to the domain"...  Whether you are or not depends on how you have configured your VPN client as well as your firewall.

Typically most VPN setups do not pass RPC traffic to any domain controllers, so you are not actually authenticating to the domain, don't get password reset messages, and won't receive any group policy settings.  What these boxes typically do is authenticate you at the firewall, using RADIUS.  RADIUS is configured through RRAS in Windows.  Here what happens is the user authenticates at the firewall, the firewall sends the user's credentials to the RADIUS server, which does the actual authentication.  The user's computer never accesses a domain controller though.

I am not an expert on the Cisco VPN client; however, I do believe it can be set up to allow some type of passthrough to DCs.
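The asker's remaining problem is that VPN users never see the domain's "password about to expire" prompt. The check such a prompt is based on can be reproduced from the raw directory attributes; the following is an added example (not code from the thread or from any of the participants) that models it offline. It assumes the attribute semantics of Active Directory (pwdLastSet as a FILETIME, maxPwdAge as a negative 100-ns interval, the DONT_EXPIRE_PASSWD bit in userAccountControl); all sample values are constructed.

```python
"""Offline model of an Active Directory password-expiry check.

Added example, not code from the original thread.  It works from the raw
directory attributes a logon-time check would read: pwdLastSet (a FILETIME,
100-ns ticks since 1601-01-01 UTC), the domain's maxPwdAge (a *negative*
100-ns interval) and userAccountControl.  All sample values are constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 10_000_000 * 86_400          # 100-ns ticks in one day
MAXPWDAGE_NEVER = -0x8000000000000000        # maxPwdAge sentinel: no expiry
UF_DONT_EXPIRE_PASSWD = 0x10000              # userAccountControl flag


def filetime_to_datetime(ticks):
    """Convert 100-ns FILETIME ticks to an aware UTC datetime (for display)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here to build sample values."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_status(pwd_last_set, max_pwd_age, uac, now_ticks, warn_days=14):
    """Return (status, days_left) with status 'never', 'expired', 'warn' or 'ok'.

    All time arguments are FILETIME ticks.  days_left is a float (0.0 or
    negative once expired) or None when the password never expires.  The
    45-day policy from the thread is max_pwd_age == -45 * TICKS_PER_DAY.
    """
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age == MAXPWDAGE_NEVER:
        return "never", None
    if pwd_last_set == 0:
        # pwdLastSet of 0 means "user must change password at next logon"
        return "expired", 0.0
    # maxPwdAge is negative, so subtracting it moves the expiry forward in time
    expiry_ticks = pwd_last_set - max_pwd_age
    days_left = (expiry_ticks - now_ticks) / TICKS_PER_DAY
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "warn", days_left
    return "ok", days_left


if __name__ == "__main__":
    policy = -45 * TICKS_PER_DAY                  # constructed: 45-day maximum age
    last_set = datetime_to_filetime(datetime(2024, 3, 1, tzinfo=timezone.utc))
    for day in (10, 40, 50):                      # constructed "today" values
        now = last_set + day * TICKS_PER_DAY
        status, left = password_status(last_set, policy, 0x200, now)
        print(f"{filetime_to_datetime(now):%Y-%m-%d}: {status} ({left:.1f} days left)")
```

Run at logon over the VPN, the same comparison gives the user the warning the domain controller would otherwise have shown; the "expired" and "never" branches are the edge cases a naive subtraction gets wrong.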
A request has been made in Community Support to close this question:

If there are no objections, a moderator will finalize this question in approximately 4 days as follows:
Delete with refund

Please leave any recommendations here.

Experts Exchange Moderator

with refund?  Really?

I concur with chikenhead.  In my opinion, the question has been answered.  The functionality that the user has requested is not directly available.  A number of workarounds are discussed in this thread.  The community answered the question that was asked of it -- and the requestor seems to have accepted their answer.

Force accepted.
Community Support Moderator
