
OU GPO - Problem setting TS Profile Path for users under a specifi



Guest dudeDad
Posted

Here is what I am trying to accomplish:

 

I have 3 different OUs : OU1, OU2, OU3 each with its own set of users. I

want all users in OU1 to use the same Mandatory Profile. I want all users in

OU2 to use a mandatory profile that is configured just for OU2, ...etc...

 

I try to accomplish this by using a GPO at the OU level to set the TS

Roaming profile. Unfortunately, it is not working. When I log in for the

first time with one of the child users, it just creates a local account off

the default user.

 

Here is the setup:

 

Each of these OUs has several user account defined under them:

OU1 --> User11, User12, User13

OU2 --> User21, User22, User23

OU3 --> User31, User32, User33

 

Each OU gets a unique Mandatory Profile Path that each of its child users

will use

 

OU1 --> \\ts\Profiles\User1Series

OU2 --> \\ts\Profiles\User2Series

OU3 --> \\TS\Profiles\User3Series

 

I set up a GPO on the OU and properly configure Computer

Configurations\AdminTemplates\WindowsComponents\TermServices\Set Path for TS

Roaming Profile

 

I properly share the Profiles Directory

 

I had followed the proper procedures to create a mandatory profile (

MyComputer/Manager\Advance\Users\Copy To & Permission Everyone and then

change ntuser.dat to ntuser.MAN)

 

The TS is in its own OU with a GPO that has LoopBack processing turned on

(Merge)

 

All of this and yet it does not work as expected. What happens is that

each time one of the users logs in, it goes ahead and creates a profile based

on the default user.

 

Any thoughts?

 

Another strange (related?) thing.... I set the OU GPO also to start a

specific application when the connection is made. When I do this using the

/Computer Setting/AdminTemp/WindowsComponents/Start Program on connection

.... it doesn't do it! However, if I also make the same configuration under

User Configurations it does start the program (full screen) but does not show

any desktop behind it! Strange!


Guest Vera Noest [MVP]
Posted

Re: OU GPO - Problem setting TS Profile Path for users under a specifi

 

You are configuring settings under Computer Configuration in a GPO

which is linked to an OU which contains user accounts. These

settings will never be applied.

Computer Configuration settings are applied to computers, not

users, and vice versa. That's also the reason that your starting

application isn't applied when defined as a Computer Configuration

setting. The fact that the desktop isn't displayed in the

background of the starting application is the whole idea with this

setting. It's considered a feature.

 

I think that you have misunderstood the functionality of the

loopback processing setting of the GPO linked to the OU which

contains the Terminal Server machine account.

It causes all settings, both Computer and User Configurations, to

be taken from any GPOs applied to the TS-OU, not from the Users-OU.

 

So you'll have to redesign your GPOs. TS settings go into the TS-

GPO, settings which should apply to your users when they logon to

their workstation go into the Users-GPO.

 

231287 - Loopback Processing of Group Policy

http://support.microsoft.com/?kbid=231287

 

Note that you can accomplish different settings for different user

groups by using security filtering of the GPOs:

 

816100 - How To Prevent Domain Group Policies from Applying to

Administrator Accounts and Selected Users in Windows Server 2003

http://support.microsoft.com/?kbid=816100

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

dudeDad <dudeDad@discussions.microsoft.com> wrote

on 26 apr 2008 in microsoft.public.windows.terminal_services:

> Here is what I am trying to accomplish:

>

> I have 3 different OUs : OU1, OU2, OU3 each with its own set of

> users. I want all users in OU1 to use the same Mandatory

> Profile. I want all users in OU2 to use a mandatory profile

> that is configured just for OU2, ...etc...

>

> I try to accomplish this by using a GPO at the OU level to set

> the TS Roaming profile. Unfortunately, it is not working.

> When I log in for the first time with one of the child users, it

> just creates a local account off the default user.

>

> Here is the setup:

>

> Each of these OUs has several user account defined under them:

> OU1 --> User11, User12, User13

> OU2 --> User21, User22, User23

> OU3 --> User31, User32, User33

>

> Each OU gets a unique Mandatory Profile Path that each of its

> child users will use

>

> OU1 --> \\ts\Profiles\User1Series

> OU2 --> \\ts\Profiles\User2Series

> OU3 --> \\TS\Profiles\User3Series

>

> I set up a GPO on the OU and properly configure Computer

> Configurations\AdminTemplates\WindowsComponents\TermServices\Set

> Path for TS Roaming Profile

>

> I properly share the Profiles Directory

>

> I had followed the proper procedures to create a mandatory

> profile ( MyComputer/Manager\Advance\Users\Copy To & Permission

> Everyone and then change ntuser.dat to ntuser.MAN)

>

> The TS is in its own OU with a GPO that has LoopBack processing

> turned on (Merge)

>

> All of this and yet it does not work as expected. What happens

> is that each time one of the users logs in, it goes ahead and

> creates a profile based on the default user.

>

> Any thoughts?

>

> Another strange (related?) thing.... I set the OU GPO also to

> start a specific application when the connection is made. When

> I do this using the /Computer

> Setting/AdminTemp/WindowsComponents/Start Program on connection

> ... it doesn't do it! However, if I also make the same

> configuration under User Configurations it does start the

> program (full screen) but does not show any desktop behind it!

> Strange!

Posted

Re: OU GPO - Problem setting TS Profile Path for users under a specifi

 

"Vera Noest [MVP]" wrote:

> So you'll have to redesign your GPOs. TS settings go into the TS-
> GPO, settings which should apply to your users when they logon to
> their workstation go into the Users-GPO.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: Terminal Server and Citrix troubleshooting
> ___ please respond in newsgroup, NOT by private email ___

 

 

Thanks... Most of what you said was very helpful. Removing loopback from a few locations helped with a related problem (setting the active desktop wallpaper)

 

However, my problem with your advice regarding TS Profile Path is that TS Roaming Profile is only definable as a Computer configuration... not as a User configuration (which seems strange to me)

 

So when I go to the OU1 and I create a GPO to implement the "settings that should apply to the user when they log on to their workstations" and one of those settings I want to set is the TS roaming Profile path (so they hit a standard mandatory profile for that group of users), the only choice I have is to define it at a computer configuration in that "user OU". When I actually do this, and I log in as User11 (which lives in that OU1 "user ou") it does not result in the user actually ending up with the mandatory profile.

 

Thoughts?

Guest dudeDad
Posted

Re: OU GPO - Problem setting TS Profile Path for users under a spe

 


 

"Vera Noest [MVP]" wrote:

> You are configuring settings under Computer Configuration in a GPO

> which is linked to an OU which contains user accounts. These

> settings will never be applied.

> Computer Configuration settings are applied to computers, not

> users, and vice versa.

> So you'll have to redesign your GPOs. TS settings go into the TS-

> GPO, settings which should apply to your users when they logon to

> their workstation go into the Users-GPO.

 

So here is my problem, then:

 

TS Roaming Profile Path can only be set as a Computer Configuration.

 

If I go into the "user ou" (OU1) and define a GPO called "Set TS Roaming

Profile" and edit it by going User

Configurations/AdminTemp/WindowsComponents/Terminal Services/ there is no

option for setting the TS Roaming Profile Path.

 

However, if I do the same thing but under Computer configurations, there is

a setting "Set path for TS Roaming Profile"

 

 

Remember, I want to have each "group" of users to share a single mandatory

profile that is different from another "group" of users.

 

I can make this happen if I go into the user record and manually set it on the

"Terminal Server Profile" tab. But this is not scalable for my application.

I need all users within a group (OU) to use the same mandatory profile.

 

 

Would filtering help me here?

Guest Vera Noest [MVP]
Posted

Re: OU GPO - Problem setting TS Profile Path for users under a specifi

 

dudeDad <dudeDad.38hs4a@news.home.local> wrote on 26 apr 2008 in

microsoft.public.windows.terminal_services:

>

> "Vera Noest [MVP]" wrote:

>> So you'll have to redesign your GPOs. TS settings go into the

>> TS- GPO, settings which should apply to your users when they

>> logon to their workstation go into the Users-GPO.

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: 'Terminal Server and Citrix

>> troubleshooting' (http://ts.veranoest.net)

>> ___ please respond in newsgroup, NOT by private email ___

>>

>

>

> Thanks... Most of what you said was very helpful. Removing

> loopback from a few locations helped with a related problem

> (setting the active desktop wallpaper)

>

> However, my problem with your advice regarding TS Profile Path

> is that TS Roaming Profile is only definable as a Computer

> configuration... not as a User configuration (which seems

> strange to me)

>

> So when I go to the OU1 and I create a GPO to implement the

> "settings that should apply to the user when they log on to

> their workstations" and one of those settings I want to set is

> the TS roaming Profile path (so they hit a standard mandatory

> profile for that group of users) , the only choice I have is to

> define it at a computer configuration in that "user OU" .

> When I actually do this, and I log in as User11 (which lives in

> that OU1 "user ou") it does not result in the user actually

> ending up with the mandatory profile.

>

> Thoughts?

 

Yes, the behaviour that you describe is by design.

That's how settings in GPOs are applied. When a user logs on to a

computer (be it a workstation or a TS) the following settings apply

(without loopback processing):

1. the Computer Configuration settings from the GPO linked to the

OU which contains the computer account

2. the User Configuration settings from the GPO linked to the OU

which contains the user account

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

Guest dudeDad
Posted

Re: OU GPO - Problem setting TS Profile Path for users under a spe

 


 

 

 

"Vera Noest [MVP]" wrote:

>

> Yes, the behaviour that you describe is by design.

> That's how settings in GPOs are applied. When a user logs on to a

> computer (be it a workstation or a TS) the following settings apply

> (without loopback processing):

> 1. the Computer Configuration settings from the GPO linked to the

> OU which contains the computer account

> 2. the User Configuration settings from the GPO linked to the OU

> which contains the user account

>

 

Yes, I get that... (and am resigned to that fact :-) )

 

I am now trying to figure out how to "skin the cat" a different way.

 

Basically, I want to use Active Directory to make a group of users act as

if I manually went into each of their user properties and manually

configured the Terminal Server Profile Tab's Terminal Server Profile Path/Set

Path"

 

Right now, the only thing I can think of is setting a GPO at the "user OU"

level that makes a login script run that somehow automagically sets that user

to mandatory profile. At the moment, I don't know how to write that script.

 

Any thoughts on the script? Or other ways to skin the cat?

 

Regards

 

Ken

 

(btw as an aside, I got the "run program with desktop behind it" behavior I

wanted by using the userconfig setting "run program at login" rather than the

computer config "run program at connection")

 

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

>

>

Guest dudeDad
Posted

Re: OU GPO - Problem setting TS Profile Path for users under a spe

 


 

Vera:

 

So after thinking about my strategy again, your comments made me realize a

few things.... that has helped me to resolve my difficulties.

 

Basically, I changed my opinion as to if I really needed a different

mandatory profile for each group of users. I decided that I could "go

with the flow" and use a single mandatory profile for all users on the TS in

order to get the "no saved data/no saved state" functionality. I then will

implement the other more fine grained functionality I was hoping to do with

specific profiles, by using other methods... mostly (hopefully) GPOs and

perhaps some regedits

 

 

Thanks

 

"dudeDad" wrote:

>

>

> "Vera Noest [MVP]" wrote:

> >

> > Yes, the behaviour that you describe is by design.

> > That's how settings in GPOs are applied. When a user logs on to a

> > computer (be it a workstation or a TS) the following settings apply

> > (without loopback processing):

> > 1. the Computer Configuration settings from the GPO linked to the

> > OU which contains the computer account

> > 2. the User Configuration settings from the GPO linked to the OU

> > which contains the user account

> >

>

> Yes, I get that... (and am resigned to that fact :-) )

>

> I am now trying to figure out how to "skin the cat" a different way.

>

> Basically, I want to use Active Directory to make a group of users act as

> if I manually went into each of their user properties and manually

> configured the Terminal Server Profile Tab's Terminal Server Profile Path/Set

> Path"

>

> Right now, the only thing I can think of is setting a GPO at the "user OU"

> level that makes a login script run that somehow automagically sets that user

> to mandatory profile. At the moment , I don't know how to write that script.

>

> Any thoughts on the script? Or other ways to skin the cat?

>

> Regards

>

> Ken

>

> (btw as an aside, I got the "run program with desktop behind it" behavior I

> wanted by using the userconfig setting "run program at login" rather than the

> computer config "run program at connection")

>

>

> > _________________________________________________________

> > Vera Noest

> > MCSE, CCEA, Microsoft MVP - Terminal Server

> > TS troubleshooting: http://ts.veranoest.net

> > ___ please respond in newsgroup, NOT by private email ___

> >

> >

> >

Guest Vera Noest [MVP]
Posted

Re: OU GPO - Problem setting TS Profile Path for users under a spe

 


 

That sounds like a wise decision to me!

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

dudeDad <dudeDad@discussions.microsoft.com> wrote

on 27 apr 2008 in microsoft.public.windows.terminal_services:

> Vera:

>

> So after thinking about my strategy again, your comments made me

> realize a few things.... that has helped me to resolve my

> difficulties.

>

> Basically, I changed my opinion as to if I really needed a

> different mandatory profile for each group of users. I decided

> that I could "go with the flow" and use a single mandatory

> profile for all users on the TS in order to get the "no saved

> data/no saved state" functionality. I then will implement the

> other more fine grained functionality I was hoping to do with

> specific profiles, by using other methods... mostly (hopefully)

> GPOs and perhaps some regedits

>

>

> Thanks

>

> "dudeDad" wrote:

>

>>

>>

>> "Vera Noest [MVP]" wrote:

>> >

>> > Yes, the behaviour that you describe is by design.

>> > That's how settings in GPOs are applied. When a user logs on

>> > to a computer (be it a workstation or a TS) the following

>> > settings apply (without loopback processing):

>> > 1. the Computer Configuration settings from the GPO linked to

>> > the OU which contains the computer account

>> > 2. the User Configuration settings from the GPO linked to the

>> > OU which contains the user account

>> >

>>

>> Yes, I get that... (and am resigned to that fact :-) )

>>

>> I am now trying to figure out how to "skin the cat" a different

>> way.

>>

>> Basically, I want to use Active Directory to make a group of

>> users act as if I manually went into each of their user

>> properties and manually configured the Terminal Server Profile

>> Tab's Terminal Server Profile Path/Set Path"

>>

>> Right now, the only thing I can think of is setting a GPO at

>> the "user OU" level that makes a login script run that somehow

>> automagically sets that user to mandatory profile. At the

>> moment , I don't know how to write that script.

>>

>> Any thoughts on the script? Or other ways to skin the cat?

>>

>> Regards

>>

>> Ken

>>

>> (btw as an aside, I got the "run program with desktop behind

>> it" behavior I wanted by using the userconfig setting "run

>> program at login" rather than the computer config "run program

>> at connection")

Guest Vera Noest [MVP]
Posted

Re: OU GPO - Problem setting TS Profile Path for users under a spe

 


 

dudeDad <dudeDad@discussions.microsoft.com> wrote

on 27 apr 2008 in microsoft.public.windows.terminal_services:

> "Vera Noest [MVP]" wrote:

> >

>> Yes, the behaviour that you describe is by design.

>> That's how settings in GPOs are applied. When a user logs on to

>> a computer (be it a workstation or a TS) the following settings

>> apply (without loopback processing):

>> 1. the Computer Configuration settings from the GPO linked to

>> the OU which contains the computer account

>> 2. the User Configuration settings from the GPO linked to the

>> OU which contains the user account

>

> Yes, I get that... (and am resigned to that fact :-) )

>

> I am now trying to figure out how to "skin the cat" a different

> way.

>

> Basically, I want to use Active Directory to make a group of

> users act as if I manually went into each of their user

> properties and manually configured the Terminal Server Profile

> Tab's Terminal Server Profile Path/Set Path"

>

> Right now, the only thing I can think of is setting a GPO at the

> "user OU" level that makes a login script run that somehow

> automagically sets that user to mandatory profile. At the

> moment , I don't know how to write that script.

>

> Any thoughts on the script? Or other ways to skin the cat?

 

That won't work, you can't set the profile in a login script, it's

far too late then.

 

I'd write a small script to automate the user account property

setting. Something along the lines:

if user is member of security group SecUser1 then Terminal Server

Profile Path = \\server\path1

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___
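
The approach suggested in the reply above (stamp the Terminal Server Profile Path on each account according to security-group membership) can be automated as in the following added example, which is not part of the original thread. The group names and UNC paths are placeholders, and the script assumes the ActiveDirectory PowerShell module is installed and that it is run as an administrative task by an account allowed to modify the users, not as a logon script.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread): set the Terminal Services profile path
# on user accounts according to security-group membership.
# Group names and UNC paths below are placeholders. Use -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [System.Collections.IDictionary]$ProfileMap = ([ordered]@{
        'SecUser1' = '\\server\path1'   # placeholder group -> placeholder share
        'SecUser2' = '\\server\path2'
    })
)

$seen = @{}   # user DN -> group that already claimed the account

foreach ($groupName in $ProfileMap.Keys) {
    $path = $ProfileMap[$groupName]
    $members = Get-ADGroupMember -Identity $groupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($member in $members) {
        $dn = $member.DistinguishedName

        # A user in two mapped groups would otherwise get whichever ran last.
        if ($seen.ContainsKey($dn)) {
            Write-Warning ("{0} is in both '{1}' and '{2}'; keeping the path from '{1}'." -f
                $member.SamAccountName, $seen[$dn], $groupName)
            continue
        }
        $seen[$dn] = $groupName

        # A '/' inside a DN must be escaped in an ADsPath.
        $user = [ADSI]('LDAP://' + ($dn -replace '/', '\/'))

        # Reading the property can fail when no TS settings were ever stored.
        try   { $current = [string]$user.psbase.InvokeGet('TerminalServicesProfilePath') }
        catch { $current = '' }

        if ($current -eq $path) { continue }   # already correct, no write

        if ($PSCmdlet.ShouldProcess($member.SamAccountName,
                "Set TerminalServicesProfilePath '$current' -> '$path'")) {
            $user.psbase.InvokeSet('TerminalServicesProfilePath', $path)
            $user.SetInfo()
            # Emit one record per change so the run can be logged or reviewed.
            [pscustomobject]@{
                User    = $member.SamAccountName
                Group   = $groupName
                OldPath = $current
                NewPath = $path
            }
        }
    }
}
```

Running it with `-WhatIf` lists the accounts that would change without writing to the directory; the emitted objects can be piped to `Export-Csv` to keep a record of what was modified.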

