Delete cached copies of roaming profiles – Not behaving

[rablazer]

I work for a company that sells software to the Insurance industry. I am working on a side project of creating procedures for roaming profiles for our users. The network is W2K3 server and WinXP clients
The basics of what I have done so far and my problem.
Using the GPMC I have created a basic GPO called Roaming Profiles . The GPO is created and linked to a Separate OU with Users and Computers below. Also created is separate group called Roaming with Read and Apply group policy permissions set, the Authenticated Users group was removed.
The GPO roaming profiles settings enabled include:
- Always wait for the network at computer startup and logon.
- Delete cached copies of roaming profiles.
- Add the Administrators security group to roaming user profiles
Also I am doing folder redirection of My Documents with ‘Basic – Redirect everyone’s folder to the same location’ also set ‘Create a folder for each user under the root path’ the path is set to a share.

My problem is the only way I can get the roaming (local) profile of a user in the Roaming group to delete on logoff automatically off the WinXP workstation (W/SP2) is by enabling ‘Delete cached copies of roaming profiles’ in the Default Domain Policy and Default Domain Controller Policy.

Is there another way of doing this without editing the two Default policies?

[AdamV]

. The GPO is created and linked to a Separate OU with Users and Computers below.

good

Also created is separate group called Roaming with Read and Apply group policy permissions set, the Authenticated Users group was removed.

why? if you control this by locating them in the OU, why the group?

The GPO roaming profiles settings enabled include:
- Always wait for the network at computer startup and logon.
- Delete cached copies of roaming profiles.
- Add the Administrators security group to roaming user profiles

I think I see the problem

Also I am doing folder redirection of My Documents with ‘Basic – Redirect everyone’s folder to the same location’ also set ‘Create a folder for each user under the root path’ the path is set to a share.

so you want to use redirection for My Documents, but use roaming profiles for everything else, but then delete the cached copy on logoff?
that's odd, it makes some kind of sense to protect the data from being left around on hard drives all over the place, but don't forget that some things in the profile won't roam (local settings, for example), so they will be lost each day, and other things which do roam can get quite big (some apps use application data a bit too heavily) so this will be a big download every day. That's not to say don't do it, I just mean make sure you are ready for it.
If you already have roaming profiles I would recommend using something like TreeSize Pro to analyse this data and look at which folders are actually large before you commit to this (eg > 10Mb for a user, barring My Docs)

My problem is the only way I can get the roaming (local) profile of a user in the Roaming group to delete on logoff automatically off the WinXP workstation (W/SP2) is by enabling ‘Delete cached copies of roaming profiles’ in the Default Domain Policy and Default Domain Controller Policy.

Domain controller policy ought to be irrelevant here, I guess if you changed both you would not know which one fixed it.

Is there another way of doing this without editing the two Default policies?

Yes.
Your problem (I think) is that the "delete cached copies" setting applies to machines, not users.
So although you have the machines in the OU, you have not described adding them to the group you are using to filter on (although maybe you did this but did not tell us!). This means they simply don't get it. Machine policies are processed at startup - by the time a user logs on it's too late, and even then the filter does not let the machine account get to the policy.

So the reason this works in your default domain policy is because that does apply to the machines - assuming you left that applying to all auth users?

I would either add all machines to this group (a pain as you go forward and add machines to the network) or just go back to auth users as it was. Your OU structure sounds like it will apply this correctly then.

Let us know if this helps or if it makes no sense.

[rablazer]

Thanks AVero

Your suggestion of adding the computer to the Roaming group worked great. I know it is a bit of pain but now we have the answer!

[AdamV]

Glad to help, and happy it was as easy as that, not something horrible and obscure.

I thought it better to walk through the whole thing rather than just say "add it to the group" for the benefit of proper understanding the bigger picture. That way people reading the thread in future who have similar (but maybe slightly different) problems can self-diagnose!