TS Roaming Profiles Policy against XP?

[Guest Matt MC]

Hi Guys

 

We are currently testing VDI

Users would connect to the Virtual XP Desktop using RDP.

We also want to use Roaming Profiles and at 1st I thought creating a TS

Roaming Profile GPO would work be it seems not to

 

 

If I modify the users AD account to use Roaming Proflies it does work

 

Is this because I'm connecting with RDP to an XP Desktop instead of a full

Terminal Server?

 

 

--

Regards,

Matt MC

 

A+ / MCSA 2003 + Messaging / MCSE 2003

[Guest Lanwench [MVP - Exchange]]

Re: TS Roaming Profiles Policy against XP?

 

Matt MC <MattMC@discussions.microsoft.com> wrote:

> Hi Guys

>

> We are currently testing VDI

> Users would connect to the Virtual XP Desktop using RDP.

> We also want to use Roaming Profiles and at 1st I thought creating a

> TS Roaming Profile GPO would work be it seems not to

>

>

> If I modify the users AD account to use Roaming Proflies it does work

>

> Is this because I'm connecting with RDP to an XP Desktop instead of a

> full Terminal Server?

 

Yes, they're different. When you RD to an XP desktop (virtual or not),

you'll use a regular Windows profile (which will be a roaming profile if

you've got that configured per user in ADUC). When you log into TS, you'll

be using a TS profile as specified either via Group Policy (preferred) or

your ADUC properties. Make sure you have TS profiles enabled via one of

those means if you'll have users connecting to Terminal Services in your

environment....but if not, there's no point.

 

Veering slightly OT, here's my standard boilerplate on roaming (not TS)

profiles....

 

********************

General tips:

 

1. Set up a share on the server. For example - d:\profiles, shared as

profiles$ to make it hidden from browsing. Make sure this share is *not* set

to allow offline files/caching! (that's on by default - disable it)

 

2. Make sure the share permissions on profiles$ indicate everyone=full

control. Set the NTFS security to administrators, system, and users=full

control.

 

3. In the users' ADUC properties, specify \\server\profiles$\%username% in

the profiles field

 

4. Have each user log into the domain once - if this is an existing user

with a profile you wish to keep, have them log in at their usual

workstationand log out. The profile is now roaming.

 

5. If you want the administrators group to automatically have permissions to

the profiles folders, you'll need to make the appropriate change in group

policy. Look in computer configuration/administrative templates/system/user

profiles - there's an option to add administrators group to the roaming

profiles permissions. Do this *before* the users' roaming profile folders

are created - it isn't retroactive.

 

********************

Notes:

 

Make sure users understand that they should not log into multiple computers

at the same time when they have roaming profiles (unless you make the

profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change

them, which has major disadvantages),. Explain that the 'last one out wins'

when it comes to uploading the final, changed copy of the profile. If you

want to restrict multiple simultaneous network logins, look at LimitLogon

(too much overhead for me), or this:

http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768

 

********************

Keep your profiles TINY. Via group policy, you should be redirecting My

Documents (at the very least) - to a subfolder of the user's home directory

or user folder. Also consider redirecting Desktop & Application Data

similarly..... so the user will end up with:

 

\\server\users\%username%\My Documents,

\\server\users\%username%\Desktop,

\\server\users\%username%\Application Data.

 

[Alternatively, just manually re-target My Documents to

\\server\users\%username% (this is not optimal, however!)]

 

You should use folder redirection even without roaming profiles, but it's

especially critical if you *are* using them.

 

If you aren't going to also redirect the desktop using policies, tell users

that they are not to store any files on the desktop or you will beat them

with a

stick. Big profile=slow login/logout, and possible profile corruption.

 

********************

Note that user profiles are not compatible between different OS versions,

even between W2k/XP. Keep all your computers. Keep your workstations as

identical as possible - meaning, OS version is the same, SP level is the

same, app load is (as much as possible) the same.

 

*********************

If you also have Terminal Services users, make sure you set up a different

TS profile path for them in their ADUC properties - e.g.,

\\server\tsprofiles$\%username%

 

********************

Do not let people store any data locally - all data belongs on the server.

 

********************

The User Profile Hive Cleanup Utility should be running on all your

computers. You can download it here:

http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

 

********************

Roaming profile & folder redirection article -

http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html