The following procedures describe how to configure access to home folders, and how to manually remove user profiles when using mapped drives:
- Configuring access to home folders and mapped drives—You can specify how remote endpoints access their home folder and mapped drives, and configure share permissions. Each time a remote endpoint accesses mapped drives using file access, the File Access engine runs the user’s logon script.
- Deleting user profiles when using mapped drives—For each new user, the operating system running on the Forefront UAG server creates and saves a user profile. By default, user profiles are not deleted from the server, including old profiles that are no longer used. This consumes disk space unnecessarily. In addition, in environments where a large number of users access mapped drives, if a 10,000 profile limit is reached, new profiles cannot be created, and new users cannot access the drives. This procedure describes how to manually remove user profiles.
Configuring access to home folders and mapped drives
To configure access to home folders and mapped drives
1. In the Forefront UAG Management console, on the Admin menu, click File Access. The Windows Security dialog box is displayed. Enter the name and password, and then click OK. The network is browsed, and the File Access window is displayed, showing all the domains in the network that are accessible from the File Access host. This may take a few seconds.
2. In the left pane of the File Access window, under General, click Configuration.
3. To configure access to the home directory, select one of the following options:
   - Don’t define user’s home directories—The home directory is not accessible to remote users. The My home directory button and tree item are not displayed in the browser.
   - Use domain controller settings for home directories—The home directory is accessible to remote users through a My home directory button and tree item. Home directory path information is taken from the domain controller.
   - Use the following template for home directories—The home directory is accessible to remote users through a My home directory button and tree item. Home directory path information is taken from the template you define in the text field. You can define the path to the template by using one of the following two methods:
     - Valid universal naming convention path. For example: \\server\share\dir1\dir2
     - Valid distributed file system path. For example: domain\server\share\dir1\dir2

     In either of these path types, you can use one or both of the variables: %domain% and %username%. For example: %domain%/users/%username%
4. Determine whether the browser displays the listing of the home directory each time a remote user accesses File Access. This is controlled by the setting User’s home directory will be displayed every time file access is loaded.
5. To configure access to mapped drives, select the Show mapped drives check box. If the user’s logon script is not a batch file (.bat, .exe) or not wrapped within a batch file, enter the full path of the script engine in the Script Engine box.
6. By default, users view all the shares that you configure for File Access. If you want users to view only the configured shares for which they have access permissions, select the Show only the shares a user is permitted to access check box.
7. When you have finished configuring user access to the home directory and mapped drives, in the File Access window, click Apply.
8. When you have finished configuring the settings, in the File Access window, click Close.
Tip: |
---|
When configuring mapped drives and shares, note the following:
|
Deleting user profiles when using mapped drives
To delete user profiles when using mapped drives
1. On the Forefront UAG server, access the following Custom Update folder; if it does not exist, create it: …\Microsoft Forefront Unified Access Gateway\von\conf\CustomUpdate.
2. Copy the file userProfiles.ini from this folder: …\Microsoft Forefront Unified Access Gateway\common\conf. Place it in the Custom Update folder you accessed in step 1. If such a file already exists in the custom folder, use the existing file.
3. Configure the parameters in the file as follows:
   - EnableProfileDelete—Determines whether or not user profiles are deleted from the Forefront UAG server.
   - HighWaterMark—Number of profiles above which the deletion process starts. This must be equal to or greater than the LowWaterMark parameter.
   - LowWaterMark—Number of profiles that are kept on the Forefront UAG server after the deletion process is complete. A minimum number of 50 profiles must remain undeleted.
   - SleepPeriod—Number of minutes after which the process checks whether the HighWaterMark has been reached, and deletes excessive profiles as required.
   - DoNotRemoveProfile—Defines a user profile that is not deleted. For example: DoNotRemoveProfile = MyDomain\Admin. You can configure an unlimited number of profiles that will be left out of the deletion process by configuring one DoNotRemoveProfile parameter for each profile.
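A pre-deployment check for the parameters described above, as an added example that is not part of the original page or of Forefront UAG. It applies only the rules stated here (LowWaterMark of at least 50, HighWaterMark not below LowWaterMark, the 10,000 profile limit); the flat key = value layout, the sample values and the function names are assumptions.

```python
import re

PROFILE_LIMIT = 10_000  # profile limit stated on this page
MIN_LOW_WATER = 50      # minimum number of profiles that must remain
KNOWN = {"EnableProfileDelete", "HighWaterMark", "LowWaterMark",
         "SleepPeriod", "DoNotRemoveProfile"}

# Constructed sample. The flat "key = value" layout and the value used for
# EnableProfileDelete are assumptions, not copied from a real file.
SAMPLE = r"""
EnableProfileDelete = 1
HighWaterMark = 12000
LowWaterMark = 40
SleepPeriod = 60
DoNotRemoveProfile = MyDomain\Admin
DoNoRemoveProfile = MyDomain\Helpdesk
"""

def parse(text):
    """Return (settings, exclusions); DoNotRemoveProfile may repeat."""
    settings, keep = {}, []
    for m in re.finditer(r"(?m)^[ \t]*(\w+)[ \t]*=[ \t]*(.*?)[ \t]*$", text):
        key, value = m.groups()
        if key == "DoNotRemoveProfile":
            keep.append(value)
        else:
            settings[key] = value
    return settings, keep

def check(text):
    """Return the problems found, using only the rules given on this page."""
    settings, _ = parse(text)
    problems = [f"{k}: not a parameter described here, check spelling"
                for k in settings if k not in KNOWN]
    nums = {}
    for key in ("HighWaterMark", "LowWaterMark", "SleepPeriod"):
        raw = settings.get(key, "")
        if raw.isdecimal():
            nums[key] = int(raw)
        else:
            problems.append(f"{key}: missing or not a whole number")
    high, low = nums.get("HighWaterMark"), nums.get("LowWaterMark")
    if low is not None and low < MIN_LOW_WATER:
        problems.append(f"LowWaterMark {low} is below the minimum of {MIN_LOW_WATER}")
    if high is not None and low is not None and high < low:
        problems.append("HighWaterMark is lower than LowWaterMark")
    if high is not None and high >= PROFILE_LIMIT:
        problems.append(f"HighWaterMark {high} is not below the {PROFILE_LIMIT} profile limit")
    return problems
```

On the constructed sample, `check(SAMPLE)` reports three problems: the misspelled exclusion key (which would leave that profile unprotected), a LowWaterMark under 50, and a HighWaterMark that deletion could never pass before the profile limit is hit.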
Tip: |
---|
Note the following:
|