  • PowerShell One-Liner for Finding Users with a Home Drive Configured in Active Directory Users and Computers

    November 28, 2017

    Active Directory, PowerShell

    On a recent project, I needed to generate a report of all users who had a Home Drive configured on the Profile tab in Active Directory Users and Computers (ADUC).

    Something most IT Pros do not know is that if anything is configured on the Profile tab in ADUC (Figure 1), Group Policy optimization is disabled for that user.

    Figure 1

    A few years ago, I did not know this either until a very long discussion took place on the NTSysAdmin mailing list. Microsoft describes this in Understand the Effect of Fast Logon Optimization and Fast Startup on Group Policy.

    The synopsis is this:

    Fast Logon Optimization and Group Policy processing

    By default in Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP, the Fast Logon Optimization feature is set for domain and workgroup members. Policy settings apply asynchronously when the computer starts and when the user signs in. As a result, these operating systems do not wait for the network to be fully initialized at startup and sign-in. Existing users are signed in by using cached credentials. This results in shorter sign-in times. Group Policy is applied after the network becomes available.

    Fast Logon Optimization is always off during sign-in when a user:

    • First signs in to a computer.
    • Has a roaming user profile or a home directory for sign-in purposes.
    • Has synchronous sign-in scripts.

    Bullet points 2 and 3 are what you see in the Profile tab in ADUC. This also applies to all versions of Windows 10.

    Bottom line: do not configure any of these items in ADUC; use Group Policy instead. Setting any of these items in ADUC forces the user to use legacy (NT4) logon processes.

    The PowerShell you can use to find these users is:

    Get-ADUser -Filter 'HomeDrive -ne "$Null"' `
    -Property Name,CanonicalName,CN,DisplayName,DistinguishedName,HomeDirectory,`
    HomeDrive,SamAccountName,UserPrincipalName | `
    export-csv -path (Join-Path $pwd HomeDrive.csv) -encoding ascii -NoTypeInformation
    

    You may not need all those properties. SamAccountName, HomeDirectory, and HomeDrive should be enough for you.

    The Get-ADUser cmdlet will automatically add several other properties like Enabled, GivenName, ObjectClass, ObjectGUID, SID, and Surname.

    Figure 2 shows the results of running the one-liner and Figure 3 shows the contents of the CSV file.

    Figure 2
    Figure 3

    Once you have the CSV, you can open the CSV in Excel and analyze the data any way you choose.

    Now you can clean up all those home drive users and move the home drive setting to a Group Policy and get back your Group Policy logon optimizations.

    But what about Profile path and Logon script? Don’t those also disable the optimizations? Yes, they do. A simple adjustment to the one-liner will find users with those settings.

    Get-ADUser -Filter 'ProfilePath -ne "$Null"' `
    -Property Name,CanonicalName,CN,DisplayName,DistinguishedName,ProfilePath,`
    SamAccountName,UserPrincipalName | `
    export-csv -path (Join-Path $pwd ProfilePath.csv) -encoding ascii -NoTypeInformation

    Get-ADUser -Filter 'ScriptPath -ne "$Null"' `
    -Property Name,CanonicalName,CN,DisplayName,DistinguishedName,ScriptPath,`
    SamAccountName,UserPrincipalName | `
    export-csv -path (Join-Path $pwd ScriptPath.csv) -encoding ascii -NoTypeInformation 
    

    Or combine all three searches into one one-liner.

    Get-ADUser -Filter {HomeDrive -ne "$Null" -or ProfilePath -ne "$Null" -or ScriptPath -ne "$Null"} `
    -Property Name,CanonicalName,CN,DisplayName,DistinguishedName,`
    HomeDirectory,HomeDrive,ProfilePath,ScriptPath,SamAccountName,UserPrincipalName | `
    export-csv -path (Join-Path $pwd ADUC.csv) -encoding ascii -NoTypeInformation
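
A fuller version of the combined search, as an added example that is not the author's code: it tags each user with the Profile-tab settings that still need to move to Group Policy and writes the CSV as UTF-8 so non-ASCII names survive. The helper name `Get-ProfileTabFinding`, the sample accounts, the `example.test` paths and the `ProfileTab.csv` file name are assumptions; the live query in the closing comment uses an LDAP presence filter in place of the `-Filter` string above.

```powershell
# Added example (not from the original post). Get-ProfileTabFinding is a hypothetical helper name.
function Get-ProfileTabFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        # Attributes behind the ADUC Profile tab that the post says to move to Group Policy.
        $set = foreach ($name in 'HomeDrive', 'ProfilePath', 'ScriptPath') {
            if (-not [string]::IsNullOrWhiteSpace([string]$User.$name)) { $name }
        }
        if ($set) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Enabled        = $User.Enabled
                SettingsToMove = $set -join ';'
                HomeDrive      = $User.HomeDrive
                HomeDirectory  = $User.HomeDirectory
                ProfilePath    = $User.ProfilePath
                ScriptPath     = $User.ScriptPath
            }
        }
    }
}

# Constructed sample users so the helper can be tried without a domain controller.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jmüller'; Enabled = $true; HomeDrive = 'Z:'
                       HomeDirectory = '\\fs01.example.test\home\jmueller'; ScriptPath = 'logon.cmd' }
    [pscustomobject]@{ SamAccountName = 'asmith'; Enabled = $true
                       ProfilePath = '\\fs01.example.test\profiles\asmith' }
    [pscustomobject]@{ SamAccountName = 'bjones'; Enabled = $false }   # nothing set, so not reported
)

$findings = $sample | Get-ProfileTabFinding
$findings | Export-Csv -Path (Join-Path $PWD 'ProfileTab.csv') -Encoding UTF8 -NoTypeInformation

# How many accounts carry each combination of settings.
$findings | Group-Object SettingsToMove | Select-Object Name, Count

# Against a live domain (needs the ActiveDirectory module), replace $sample with:
# Get-ADUser -LDAPFilter '(|(homeDrive=*)(profilePath=*)(scriptPath=*))' `
#     -Properties HomeDrive, HomeDirectory, ProfilePath, ScriptPath
```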
    

    Hope these one-liners help.

    Thanks

    Webster







    About Carl Webster

    Webster is a Sr. Solutions Architect for Choice Solutions, LLC and specializes in Citrix, Active Directory and Technical Documentation. Webster has been working with Citrix products for many years starting with Multi-User OS/2 in 1990.


    4 Responses to “PowerShell One-Liner for Finding Users with a Home Drive Configured in Active Directory Users and Computers”

    1. Kevin Says:

      You just saved my final project for school! Oh my gosh! Thank you!

    2. Mike Leone Says:

      So let me see if I’ve got this straight … I shouldn’t list the home folder in ADUC, because that results in slower logons. And instead I should use folder re-direction in a GP to specify the various parts of the profile (documents, desktop, etc), and drive mappings in a GP to assign it a drive letter?

      We list the home folder in ADUC, and assign it as drive Z:, for consistency. We also do folder re-direction via GP. You’re saying doing all this via GP only speeds up logon speeds? And just leave the home folder section alone and blank?

      • Carl Webster Says:

        I am talking only about setting the user’s home drive via GPO.

        Computer Configuration/Administrative Templates/System/User Profiles/Set user home folder.

        I would rather make a change to one GPO setting than try to change any user setting in ADUC.

        Webster

    3. Max Says:

      Hi Carl,

      thank you for your post!

      A small improvement would be to set encoding to UTF8, ascii doesn’t know üöäß etc.