Managing User Data in a Windows Server 2008 R2 Remote Desktop Services Deployment

  • 12/8/2010
Contents

Deploying Roaming Profiles with Remote Desktop Services

This section discusses managing roaming profiles in an RDS environment, including the following.

  • Creating roaming profiles

  • Converting an existing local profile to a roaming profile

  • Creating a default network profile

  • Using Group Policy to set up the roaming profile storage area automatically

  • Implementing a Group Policy infrastructure that supports these policies, including security filtering and loopback policy

  • Managing roaming profiles cached on the RD Session Host servers

Creating a New Roaming Profile

To implement roaming profiles, you will need to

  1. Create a network share in which to store the roaming profiles.

  2. Configure the user accounts (through Active Directory Users And Computers or Group Policy) to use roaming profiles.

  3. Have each user log on and create the roaming profile.

First, create a shared network location to store the roaming profiles. On the file server, create a new folder and set the appropriate NTFS and share permissions, using the guidelines in Table 5-5.

Table 5-5 Recommended Share and NTFS Permissions for an RDS Roaming Profiles Storage Folder

User Account

Permission Type

NTFS Permissions

Authenticated Users group

Share

Full Control

Creator Owner

NTFS

Full Control, subfolders and files only

Local System

NTFS

Full Control on this folder, subfolders, files

User/Group whose profiles will be stored in the folder

NTFS

List Folder Content/Read, Create Folders/Append Data, all on this folder only

DIRECT FROM THE SOURCE

How Profile Folders Are Named

Sergey Kuzin

Software Development Engineer II

The way that a user’s profile folder is named depends on the circumstances in which it’s created. The user My Name (with user name Myname) with an account in Domain1 will store his profile in one of two places: \RDS-Roaming-Profiles\ Myname or \RDS-Roaming-Profiles\Myname.Domain1.

The best case is to add the domain name to the profile path; this disambiguates the path when there are two (or more) users with the same name living in different domains. For example, in a large corporate network, you might have Domain1\ Myname (that’s me) and Domain2\Myname (some other user). When Domain1\ Myname logs on to a legacy terminal server the profile created for him will be ...\Myname. If Domain2\Myname later wants to store his profile on the same server, he will have a problem. That’s why you add .domain to the profile path, so that users with the same name but from different domains would have different profiles. So ideally, you always want to add .domain to the profile path.

But then, what do you do with profiles that were created before you made this change and don’t have .domain in the name? Leave them as is. But in this case, how do you know which user this particular profile belongs to? You use permissions to determine that. When the User Profile Service creates a new profile, it gives full control to the user whom this profile is created for. So, if Domain1\Myname has explicit full control permission to the ...\Myname folder, then this profile belongs to me and not to Domain2\Myname. That’s why you have this logic when creating profile names.

Here is the logic you use to create the profile path.

  1. Attempt to locate the ...\username.domain path. If it exists and the user has explicit permissions to it, then use it.

  2. If the user does not have explicit Full Control access to ...\username.domain or this folder does not exist, then try to access ...\username.

  3. If ...\username exists and the user has explicit permissions to it, then use it.

  4. If the user does not have explicit Full Control access to ...\username or the folder does not exist, then use ...\username.domain.

As you can see, by default you always create the folder with ...\username.domain. Only when the ...\username folder exists and the user has explicit Full Control access to it do you use it. Again, it’s always best to include the domain name in the profile path so that two people with the same user name with accounts in different domains can store their profiles in the same central share.

When you’ve set up the profile location, configure the user account to use roaming profiles. This process varies slightly for profiles used with RD Session Host servers and for profiles used with pooled and personal VMs. You will see these differences as you step through this process. It’s easiest if you configure this via Group Policy, but you will also see how to do it on a per-user basis.

Remote Desktop Session Host

To configure a user account to use roaming profiles, perform the following steps.

  1. Open Active Directory Users And Computers, right-click a user’s account, and choose Properties.

  2. For Remote Desktop Session Host situations, navigate to the Remote Desktop Services Profile tab and type the Profile Path location using the format \\servername\share name\%username%.DomainName, as shown in Figure 5-6.

The variable %username% inserts the user account name into the profile path, so you don’t have to customize the path for each person when adding new accounts manually or through a script. You don’t need to add the .V2 extension to this path, either; it will be added automatically because the profile will be a 2008 version profile. The next time the user logs on to the RD Session Host server, he will use the roaming RDS profile.

Figure 5-6

Figure 5-6 Enter the Remote Desktop Services profile path.

NOTE

Windows Server 2008 and later and Windows Vista profiles have a .V2 extension. Older operating systems use V1 profiles, which have no extension associated with the profile folder name.

Virtual Machines

Pooled and personal VMs do not use Remote Desktop Services profiles. A pooled or personal VM is really a virtualized client desktop and acts accordingly—that is, it uses regular profiles. For these VM scenarios, enter the profile share’s UNC path on the Profiles tab of the user account Properties dialog box, shown in Figure 5-7.

Figure 5-7

Figure 5-7 Specify the profile used for pooled and personal VMs on the Profile tab, not the Remote Desktop Services Profile tab.

When the user is configured to use roaming profiles, it’s time to create the profile. This happens when the user first logs on to the RD Session host server (or the pooled/personal VM). When the user first logs on, the following happens.

  1. The User Profile Service creates a profile folder for the user in the specified path.

  2. The User Profile Service copies the default profile on the RD Session Host server or VM to give the user a profile.

  3. When the user logs off, the User Profile Service copies the profile to its storage location in the specified network share. The user will be the owner of the folder and therefore will be the only one to have access to the folder and its contents.

Although a user profile folder is for the user, if Administrators also have permissions they can delete a corrupted profile or perform other maintenance easily. To permit this, give the Domain Admins group Full Control NTFS rights to the parent folder, and pre-create roaming profile folders for each user in the roaming profiles share. Make sure that the user has full control of his profile folder, subfolders, and files and that the user is also the owner of the folder. The simplest way to do this is to use Group Policy; if you keep your RD Session Host servers or pooled VMs in their own organizational unit (OU), you can also create a computer Group Policy object (GPO) with Loopback Processing enabled and give administrators access to profile contents by enabling the following GPO setting.

  • Computer Configuration | Policies | Administrative Templates | System | User Profiles | Add The Administrators Security Group To The Roaming User Profile Share

For more information on Loopback Processing and using Group Policy to create and manage RDS roaming profiles, see the section entitled “Using Group Policy to Manage Roaming Profiles” later in this chapter.

DIRECT FROM THE FIELD

Managing Roaming Profiles Without Admin Access to the File Server

Bohdan Velushchak

Operations Engineer, MSIT

To use roaming profiles, you need a file server to store them on. In a smaller deployment, you can have administrative rights to the file server as well as the terminal servers, but enterprise deployments often segregate ownership. If you aren’t an administrator of the file server, you can’t manage the folders directly—you’ll need to ask the file server administrator. Even the Group Policy setting Add The Administrators Security Group To Roaming User Profiles will not help if the RDS administrator is not a member of the Administrators group on the file server. You could lobby to become a member of the Administrators group on the file server, but this is counter to Least Privilege Access principles.

You can resolve this situation with a logoff script. Use Icacls.exe to include RDS administrators to the user profile’s permissions during logoff from user’s security context. This works because the user has full access permissions to her profile, so she can add necessary permissions for RDS Administrators. For example, the Logoff script might look like this.

Icacls.exe //<profile root>/%username%.%userdomain%.v2 /grant
   <RDS Admins group>:
F /T /Q

Add this script to each user through Group Policy: User Configuration | Windows Settings | Scripts | Logoff Script. Now you can manage that profile folder.

There are two reasons to do this at logoff, not logon. First, if the user is logging on for the first time, the profile folder might not yet exist, so the settings wouldn’t apply until the second time. If the user never logged in again, you couldn’t delete her profile without the help of the file server administrators. Second, if the profile is large, it takes some time for Icacls.exe to go through the whole tree. Users do not like long logon times, so why make them wait to start working? Let the script process permissions when they’re done working and are less concerned about time.

Converting an Existing Local Profile to a Roaming Profile

Sometimes you will want to convert existing local profiles to roaming profiles. This can apply if you are converting a traditional desktop deployment to an all-RDS deployment, and you are willing to risk that the local profile settings are appropriate for the remote work environment.

NOTE

It’s often unwise to convert a local profile that a user has been using on a personal desktop to a Remote Desktop Services roaming profile. The user might have administrative access to her personal computer and could have installed numerous applications and made many customizations that don’t apply to the shared (and more locked-down) world of RD Session Host servers.

Converting local profiles to roaming profiles is really simple. Configure all user accounts to use roaming policies as described earlier, and specify that cached copies of the profile should be deleted. When users log on to the server where their local policy resides and then log off, their local profile will be copied to the network share that you specified. The cache on the server will be deleted and only the roaming profile in the network share will remain.

You might have done this conversion in Windows Server 2008 using the Copy To button in the User Profile Properties dialog box. This is no longer possible on a server running Windows 2008 R2 or a client running Windows 7—the button has been disabled.

DIRECT FROM THE SOURCE

Why the Copy To Button Is Disabled

Kyle Beck

Program Manager, Microsoft

The Copy To button is now disabled, because even though this button was used to overwrite a profile with another profile, it was unsupported to use it to edit the default profile. It was unsupported because the source profile was just copied wholesale into the default profile—the Copy To button performed a complete copy of everything in the source profile over the default profile. This could lead to errors in the registry because references to the source user would persist on any new user created from the new default profile. Because it was an unsupported method, its behavior was updated; the default profile is now the only one that is copyable using this button.

The removal of this functionality doesn’t prevent you from converting local profiles to roaming profiles or even overwriting one user’s profile with another’s. Removing the functionality prevents you from overwriting the default user profile with another user profile. People often overwrote the default user profile with a customized one from another user to deploy customized profiles to new users. As described in the Direct from the Source sidebar entitled “Why the Copy To Button Is Disabled,” doing this was unsupported (although popular) as far back as Windows XP, because although this “worked” for many people, it actually was not a clean process. It could lead to problems if that profile had been used at all, and it would also “tattoo” the profile with inappropriate settings and naming, such as the following.

  • A list of that user’s frequently run programs.

  • The user’s documents folders will be incorrectly called Administrator’s Documents.

  • The user might have access to Administrative Tools (this is incorrect for regular users).

  • Windows 7 libraries will be broken.

ON THE COMPANION MEDIA

There are other implications to overwriting the default user profile with a user profile by way of the Copy To button. See this article (also on the companion media) for more information: http://blogs.technet.com/deploymentguys/archive/2009/10/29/configuring-default-user-settings-full-update-for-windows-7-and-windows-server-2008-r2.aspx. This article also discusses some options for customizing the default profile in Windows 7.

Customizing a Default Profile

Customizing the default profile is one way to ensure that all new RDS users start with the same settings. The only supported method for customizing the default profile is to use the Sysprep.exe tool (built into Windows 7 and Windows Server 2008 R2) to overwrite the default profile with the profile that you are logged onto when you run Sysprep.exe. Here are the steps.

  1. Log on as an administrator and customize the profile as needed. This is the profile that will be copied over the default user profile.

  2. Create an Unattend.xml file and add a line of code to it to tell it to copy the profile of the user logged on over the default profile when the system reboots. The line you add is

    <CopyProfile>true</CopyProfile>

    The following is example code for a 64-bit version Unattend.xml file with the extra line of code added.

    <?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
   xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<CopyProfile>true</CopyProfile>
</component>
</settings>
<cpi:offlineImage cpi:source="catalog:e:/clg files/64-bit/install_windows 7
   ultimate.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

  3. Save this Unattend.xml file to C:\Windows\System32\Sysprep.

  4. After you have the Unattend.xml file in place, open a command prompt and type the following command.

    sysprep.exe /oobe /reboot /generalize /unattend:unattend.xml

NOTE

The article at http://support.microsoft.com/kb/973289 explains how to do this, but at the time of this writing, the syntax is incorrect. Use the one provided here.

After you run this command, the server will reboot. When it comes back up, the default profile will be overwritten with the one that was logged in when you ran Sysprep. Now you can highlight the default profile and use the Copy To button to copy the profile to a network share to be used for roaming profiles.

CAUTION

Don’t run Sysprep on a production machine. The Sysprep command resets the computer SID as well as eliminating system-specific data like the computer name and the domain affiliation. It can also remove unique hardware drivers and can reset the Windows activation key. If you are using VMs, then one workaround is to take a snapshot of the VM before running Sysprep. After you are done running Sysprep, rebooting, and copying the default profile to another location, apply the snapshot and the VM will be rolled back to its prior state.

Creating a Default Network Profile

You have already learned (in the section titled “How Profiles Are Created” earlier in this chapter) when a network default user profile would be used to create new user profiles. Using a default network profile to create new roaming profiles might benefit your roaming profiles implementation because it ensures that when new profiles are created, they all stem from the same source.

Reasons Not to Create a Network Default Profile

Creating a network default profile can work well to deploy customized profiles in low-complexity environment. But it’s not always the best solution.

First, there is no way to distinguish when a network default profile should be used to create a new roaming user profile. As discussed earlier in this chapter, in complex remoting scenarios, it’s possible for people to have more than one remoting profile, and if you point them to the same starting point, they will start with the same profile in all scenarios. For example, a new profile created when the user logs on to a Windows 7 pooled VM would stem from the same network default user profile that is used to create a new user roaming user profile for use in an RD session host server environment. Depending on how you implement profiles, this might or might not be acceptable.

In short, Windows doesn’t allow you to specify more than one default profile location. So unless it’s okay to use the same default profile to build all roaming profiles, we recommend applying customizations through Group Policy or scripting.

Assuming that you can use a network default profile for all your scenarios, on Windows 2008 (and Windows 7) you can copy a local default profile to the NETLOGON share on a domain controller, following these steps.

  1. Log on to the server with an admin account.

  2. From the Run box, browse to the domain controller: \\DOMAIN CONTROLLER\ NETLOGON

  3. Create a folder in the NETLOGON share and name it Default User.v2.

  4. From Server Manager, click Change System Properties, navigate to the Advanced tab, and then click the Settings button in the User Profiles section.

  5. Select the Default Profile from the list of profiles stored on the server and click Copy To.

  6. Browse to or type the network path \\DOMAIN CONTROLLER\NETLOGON Default User.v2.

BEST PRACTICE

Ensure that the profile doesn’t contain any unnecessary data. A large default network profile will slow down the initial profile creation process because new profiles have to pull this large amount of data across the network.

Using Group Policy to Manage Roaming Profiles

You’ve seen how to dictate who uses roaming profiles by settings this up on a per user basis in Active Directory Users And Computers. If you have more than a few users, it’s easiest to create a GPO that dictates the RDS roaming profile location for everyone who logs on to a farm. This section explains how to do this and how to set up the Group Policy infrastructure that you’ll need.

The single most important part of successfully using roaming profiles with RD Session Host servers is to set up the RD Session Host server environment OU and create the GPOs correctly. Group Policy has many different uses, but it all comes down to making changes to many computers or many users all at once.

There are two broad categories of Group Policy: computer settings and user settings. Computer settings are applied at boot time, or on an RD Session Host server (see Chapter 2, “Key Architectural Concepts for Remote Desktop Services,” for more details), when a session starts (to apply the settings to the session). User settings are applied when the user logs on to the session. Because settings are applied to users at logon, they don’t have to be saved as part of a user’s account properties. Because they’re applied second, settings applied to a user will control when there’s a conflict.

Because of the order in which user and computer Group Policy is applied, when managing RD Session Host server settings, you’ll almost always use an additional GPO to enforce loopback policy processing. In short, loopback policy reapplies the user-specific settings that are placed on the OU where Loopback Processing is enabled after the normal user GPOs are applied. The result is that settings placed on the RD Session Host server OU will always take precedence in case of a conflict. If you have blocked GPO inheritance on the RDS OU, then only the user policies that you place on the OU will be implemented for your users. You’ll find out more about loopback policies in the section entitled “The Ins and Outs and Ins of Loopback Policy Processing” later in this chapter.

There’s some overlap between the computer- and user-specific settings in Group Policy, but you’ll generally find that you’ll need both to configure the users’ working environment. When setting up an RD Session Host server environment, where it’s important not just that you are logging on but that you’re using an RD Session Host server, you’ll definitely need both.

ON THE COMPANION MEDIA

The following explanations assume that you have permission to manage Group Policy for your RD Session Host servers. If this is not the case, you’ll need to provide the instructions to the administrator controlling Group Policy for your organization and let him or her fit them into corporate management policy. This is one way to organize your RD Session Host server GPOs, but it is not the only possible model. GPO architecture is unique to the particular situation. For example, for some organizations, blocking inheritance might not be an option for business policy reasons. For more information on Group Policy modeling, see “Design Considerations for Organizational Unit Structure and Use of Group Policy Objects,” located at http://technet2.microsoft.com/windowsserver/en/library/2f8f18cf-a685-48db-a7be-c6401a8fb6341033.mspx?mfr=true. (This article was written for Windows Server 2003, but it still applies.) You can also find the link on this book’s companion media.

Controlling Group Policy Processing for an RDS Environment

When you have multiple users working on one computer, you need to control the environment as much as possible. The easiest way to do this is to perform the following steps.

  1. Put RD Session Host server farms and all VMs pools into their own OUs.

  2. Block inheritance of all GPOs that are not specifically enforced. (You might not have this option, depending on company policy.)

  3. Place computer and user GPOs on these OUs to specify the settings to be implemented for each pool and farm.

Here’s how to do all this.

Organize Farms and Pools Into Ous

First, create an OU for each RD Session Host farm or VM pool. (Because all members of a farm or pool are homogenous, they should all be in the same OU.) Open Active Directory Users And Computers, right-click the domain, and choose New, Organizational Unit. Name it after the farm (for example, RDSH Farm1) and then drag all computer objects in the farm or pool into the OU (see Figure 5-8).

Figure 5-8

Figure 5-8 Create OUs for your RD Session Host server farms and VM pools.

Block GPO Inheritance

Next, if possible in your organization, block GPO inheritance for this OU. This ensures that only computer settings set by GPOs linked to this OU will apply to the computers in this OU. It also ensures that with Loopback Processing enabled, only user settings set by GPOs linked to this OU will be applied to users logging on to the computers in this OU; other GPOs set at the domain or site level will not be applied.

To block inheritance for a farm or pool OU, open the Group Policy Management console (GPMC; do this by clicking Start, Programs, Administrative Tools, and Group Policy Management), right-click the RD Session Host server’s OU, and choose Block Inheritance. If possible, also do this for your pooled VM OUs. Personal VMs can be controlled like this, but more likely they will act as regular desktops in your environment and will treated as such in the case of Group Policy processing.

IMPORTANT

Company policy might prevent you from blocking inheritance. You can still know exactly what policies are going to be applied to the users and computers in your OUs; it will just take more effort because you will have to know about all Group Policies applied at higher levels.

Create GPOs for User and Computer Settings

There are multiple ways to set up policies, but it is usually easiest if you separate computer-and user-specific settings into different policies. Although one policy might contain both user- and computer-specific settings, it’s simplest to isolate the two types of settings unless your environment is very small or your user base is very homogenous. This allows you to create a consistent model of RD Session Host server management while still allowing you the flexibility to apply different policies to different groups of users and computers (that is, using a GPO on multiple OUs if the functionality is needed in multiple places). Create two different types of GPOs: a computer GPO and user GPOs, as shown in Figure 5-9.

Figure 5-9

Figure 5-9 Create separate user and computer GPOs for the RDS environment.

To create the GPOs, open the GPMC (by clicking Start, Programs, and Administrative Tools). Right-click the Group Policy Objects folder in the left pane, found under your domain folder, and choose New to open the dialog box shown in Figure 5-10.

Name the computer policy something descriptive, such as RDS Computer GPO, and then click OK.

Figure 5-10

Figure 5-10 Create an RD Session Host server computer policy.

Next, create another policy that will hold user-specific settings, naming it something like RDS User GPO. Click OK, and you will be back in the GPMC, with a list of available policy objects that includes the ones you just created, as shown in Figure 5-11.

Figure 5-11

Figure 5-11 Create computer- and user-specific GPOs.

Next, ensure that each GPO is specific to one type of settings—computer or user. This is optional, but this will give you more control over your RDS environment.

Click the Details tab in the upper portion of the right pane. Here, there’s a GPO Status drop-down list with four options: All Settings Disabled, Computer Configuration Settings Disabled, Enabled, and User Configuration Settings Disabled. For your computer-specific GPOs, make sure that no user-specific settings will be applied by setting the Status to User Configuration Settings Disabled. Follow the same process to create a new user-specific GPO. For the User GPO, navigate to the drop-down menu on the Details tab and set the GPO Status to Computer Configuration Settings Disabled.

Updating Group Policy

Active Directory Domain Services (AD DS) does not immediately send user Group Policy changes down to the computers to which they apply. The Group Policy engine on the computer actually pulls the GPO changes from AD DS at specific intervals, called the refresh interval. By default, the refresh interval is 90 minutes (plus a random time ranging from 0 to 30 minutes). To immediately see the effects of changes that you make to GPOs, you can force this refresh. Open a command prompt on your RD Session Host server and type gpupdate /force. Most computer policies can be updated just by doing this; a few (like Folder Redirection) will require a reboot.

The Ins and Outs and Ins of Loopback Policy Processing

Outside an RD Session Host server environment, you often apply Group Policy based on the persona of the user logging on. If you don’t want Adam Barr to open Control Panel, for example, you probably feel much the same way about this whether Adam Barr is logged on to his desktop computer or his laptop. Similarly, if you don’t care whether he is running Control Panel, then you continue not to care whether he’s logged on to his desktop or his laptop. It’s his space—let him mess it up. (The Help desk might feel differently about this, but that’s another matter.)

As discussed in “Using Group Policy to Manage Roaming Profiles” earlier in this chapter, the computer policy will always be applied first, then the user policy. If a user policy and a computer policy conflict, the user policy will “win,” because it’s applied last. Any Group Policy stored locally on the computer is applied first. Next, policies placed at these levels are applied in order (local, Site, Domain, OU), as shown in Figure 5-12.

In case of conflicts, the policy applied last wins. For example, computer policies set on a computer OU will override conflicting policies set at the domain level. And user policies will overwrite computer policies in conflicting situations (some settings can be set for a computer and also for a user) because they are applied after computer policies.

Figure 5-12

Figure 5-12 Group Policies get applied from the top down.

On a personal computer, it’s perfectly acceptable to have the identity of the person logging on define the final settings for Group Policy. But RD Session Host server farms and pooled VMs are location-specific or context-specific situations in which where you are matters even more than who you are. For example, you might decide that it’s acceptable for users to use clipboard redirection when connecting to personal VMs, but for security reasons, you don’t want them using clipboard redirection when connecting to an RDS server farm hosting sensitive data. You need policies applied based on which computer you are logged on to. In this case, you will apply loopback policy processing to tell the Group Policy engine to apply the user GPOs that are applied to a computer OU (for example, to an RDS farm OU) after applying the user GPOs that are normally applied during logon. With loopback policy processing enabled, GPO processing will now work as shown in Figure 5-13.

Figure 5-13

Figure 5-13 Loopback Processing changes the effective Group Policy results.

When the RD Session Host server starts, computer GPOs are applied. When the user logs on to the RD Session Host server, the User GPOs are applied to the session. Then, because loopback policy processing is enabled, User GPOs that are applied to the RD Session Host server OU are applied last. In addition, if you have blocked inheritance, it’s possible that the only GPOs that will be applied are computer and user GPOs that are placed specifically on the OU.

To enable Loopback Processing, right-click the Computer GPO applied to the RD Session Host server OU and choose Edit. The Group Policy Management Editor opens the GPO. Go to Computer Configuration, Policies, Administrative Templates, System, and Group Policy and find the User Group Policy Loopback Policy Processing Mode node in the pane on the right. Double-click it and you will see the dialog box shown in Figure 5-14.

Figure 5-14

Figure 5-14 Enable loopback policy processing from the User Group Policy Loopback Processing Mode Properties dialog box.

HOW IT WORKS

Applying Loopback Policy

Loopback policy can apply to users in one of two ways: Merge Mode and Replace Mode.

  • In Merge Mode, loopback policy processing will apply the user GPOs placed on the RD Session Host server OU along with the other normal user GPOs applied from the OU where the user account resides. If there is a conflict, then the user GPOs applied to the RD Session Host server OU will prevail.

  • In Replace Mode, the Group Policy engine ignores all other user GPOs from the User OU and applies only the user GPOs applied to the RD Session Host server OU.

Merge Mode and Replace Mode affect only GPOs placed on the OU where the user account resides. User GPOs placed at higher levels (for example, at the domain level) will still be applied unless you have specifically blocked inheritance on the OU where the computers reside.

Whether you choose Merge Mode or Replace Mode depends on your goals and how you’ve set up the rest of your environment. If users are using the same GPOs to log on to the RD Session Host servers and to their local desktops, their user settings might not mesh well with a shared environment. If that’s the case, then you’d pick Replace Mode. If you want the user experience to be as similar as possible for both local and remote logons, then Merge Mode might be more appropriate because it will preserve user-specific policies. The main thing you’ll need to watch out for is that GPO settings from the GPOs applied to the user do not cause problems for your user when she is logged on to an RD Session Host server (or pooled VM). Using Merge Mode is more work because it requires a lot of considering of individual policies and their effect on a remote workspace.

Fine-Tuning GPOs with Security Filtering

A GPO works because by default, anyone in the Authenticated Users group can use it, and Authenticated Users means “anyone who is logged on to the domain.” (Computers also log on to the domain, so they’re also members of Authenticated Users.)

If you have groups of users with specific needs controlled by Group Policy, you can create a User Policy for each user group and then use Security Filtering to apply each User GPO to a specific user group. For example, this technique could come in handy if you give access to multiple applications in one farm but only have licensing enough for a subset of users. You could block certain users from running that application, thus meeting software licensing compliance requirements. To narrow the scope of to whom (or to what) these policies will apply, double-click the GPO in the Group Policy Objects folder and navigate to the Scope tab in the right pane. In the Security Filtering section on this tab, modify Security Filtering to include the specific users group for which you want settings in the GPO to apply, as shown in Figure 5-15.

Figure 5-15

Figure 5-15 Add users to the GPO Security Filtering section of the ASH TS Users Policy.

Using Group Policy to Define the Roaming Profile Share

After you have a Group Policy infrastructure set up, you can create a policy to create roaming profile folders in the proper folder share location automatically.

The Group Policy setting to set the path for RDS roaming profiles is a computer setting. Right-click your Computer Policy GPO and choose Edit. Expand the GPO to Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles. In the pane at right, double-click Set Path For Remote Desktop Services Roaming User Profile, shown in Figure 5-16.

NOTE

It might seem counterintuitive to set the RDS roaming profile path for computers, not for users. But the RD Session Host servers must know where to find the roaming profile so the User Profile Service can load it when a user logs on.

Figure 5-16

Figure 5-16 Set the path for Remote Desktop Services Roaming User Profile storage.

Select the Enabled option and type the RDS roaming profile share location in the Profile Path text box. If you use Group Policy to set the RDS roaming profile path, then the profile folders that are created take the form of username.domainname.V2; you do not need to add the %username% variable, the domain name, or the .V2 extension. This is in contrast to defining the path to the Remote Desktop Services profile folder by editing the user account properties through scripting or through Active Directory Users And Computers, where you must specify the username and domainname variables to create the folder properly.

NOTE

If you already have profiles stored in the profile path and the profile folders do not include the domain name (perhaps they take the form of username.V2), change the names to include the domain name. Otherwise, the server will not see the existing profile, and the service will create a new one in the format username.domainname.V2.

If the profile folders are created automatically when the user logs on, then the user gets sole access to the profile and is also set as the owner of the profile folder. To permit administrators to access the profile, enable the following GPO setting: Computer Configuration | Policies | Administrative Templates | System | User Profiles | Add The Administrators Security Group To Roaming User Profiles. With this GPO setting enabled, the following permissions are placed on newly created user folders.

  • User Full Control, owner of folder

  • SYSTEM Full Control

  • Administrators Full Control (This is the local administrators group of the server where the profiles are stored, which also contains the Domain Admins group.)

You can also pre-create user profile folders and set permissions as required. For more information about profile folder permissions, see the section entitled “Converting an Existing Local Profile to a Roaming Profile” earlier in this chapter.

With this GPO setting configured, users accessing the RD Session Host servers in this OU now have a roaming profile created and stored in the designated share.

Configuring Roaming Profile Paths for VMs

Pooled and personal VMs will run client operating systems. Setting an RDS roaming profile path on these machines simply won’t work. They are client machines, and for the most part, they should be treated as such. To configure the roaming profile path for client machines, use this GPO setting: Computer Configuration | Policies | Administrative Templates | System | User Profiles | Set Roaming Profile Path For All Users Logging On To This Computer.

Enter the share name where your profiles are stored and add the %username% variable to the end of the path so that each user gets a unique profile folder, as follows.

\\servername\sharename\%username%

Speeding Up Logons

One of the biggest challenges that IT professionals face in an RDS environment is to provide a user experience that feels as much like a local computer as possible. Users want to log on quickly, work steadily, get their job done, and get out. If they find that they have to wait longer to log on than they like, the Help desk will hear about it, or people will look for ways to circumvent the data center.

Roaming profiles are usually the best choice for RDS. Centralizing the profile on a network share makes it possible to always have the same experience no matter what RD Session Host server or VM a user is logged into—even new ones that were just added. Centralizing also simplifies backups. However, if you don’t take steps to avoid it, profiles grow over time. By default, a profile contains not only configuration data but also user documents. Assuming that a user saves files to the folders there for that purpose, the profile will grow. Big profiles slow down logons and logoffs due to the massive amounts of data that must be copied to the remote location.

There are several things you can do to speed logons.

  • Take advantage of the new behavior of Group Policy caching among servers in a farm to reduce the time needed for the first login.

  • Enable Folder Redirection.

  • Manage policy caching.

  • Limit profile size.

Let’s start with the one that requires no configuration.

Roam Group Policy Cache Between RD Session Host Farm Servers

Group Policy is cached on a computer to speed up logon times. The first time someone logs on to an RD Session Host server, her Group Policy settings won’t be cached there. A new feature of Windows Server 2008 R2 copies the Group Policy cache to all servers in a farm. That way, once a user has logged on to one member of the farm, her GP cache will be available on all servers in the same farm.

Enable Folder Redirection

When a user logs on to an RD Session Host server, his roaming profile has to be copied to that RD Session Host server. When the user logs out, the changed profile must be copied back to the roaming profile storage location. Note that you are writing the entire profile back, not just the changes to the profile. Imagine if one of your users saved 30 GB of data in his Documents folder. He would log on to the RD Session Host server and then go get a cup of coffee (or even go to lunch) while waiting for the profile to copy itself to the server. Now imagine if all your users had that much data stored in their Documents folder. If they all come in at 9 A.M. and try to log on to the RD Session Host server, logons could quickly consume all your network bandwidth. Soon the water cooler or break room would be very popular, and no one would get any work done.

Profile caching also suffers if you experience profile bloat. Profile caching saves a copy of the user profile on the RD Session Host server so that, if the network is slow to retrieve the saved profile from its file share, the user can still log on using the cached copy. (When you log on to an RD Session Host server, a copy of your profile is saved there as a matter of course. If you enable profile caching, the profile isn’t deleted when you log off.) However, if the profiles in the cache are too large, the space allocated for them will fill up, and people won’t be allowed to log on because there’s no room to store their profiles. There are Group Policies to remove older data in the cache if room runs out, but it’s better if you can avoid this problem entirely.

The simplest step that you can take to avoid profile bloat is to enable Folder Redirection. Folder Redirection has two advantages: it keeps user data out of the profile to keep the profile smaller, and it allows differential synching (so that if only part of a file is changed, that part will be saved to the central location, rather than copying the entire file). You’ll learn how to set up Folder Redirection in the section “Centralizing Personal Data with Folder Redirection” later in this chapter.

Limit Profile Size

One way to reduce the impact of caching profiles on the RD Session Host servers is to limit the size of the profiles. Although too many profiles can still fill up the hard disk, smaller cached profiles have less impact. To limit profile size, open your RDS User GPO and browse to User Configuration | Policies | Administrative Templates | System | User Profiles. Locate the policy Limit Profile Size and enable it.

If you’re redirecting folders, the size of the profile shouldn’t be a major concern. NTUSER.DAT is a fairly small file. The exact size depends on the profile, but it’s not much; check the size of some representative NTUSER.DAT files to gauge the space needed to allocate space for profiles.

Manage the Profile Cache on RD Session Host Servers

Another way to keep the size of the cache on the RD Session Host servers from getting too large is to delete old copies of the user roaming profiles. You can also limit the profile cache size if you’re concerned about running out of room on the servers.

Programmatically Managing the Cache

You can use two computer Group Policy settings to delete unused cached profiles on RD Session Host servers in the RD Session Host Farm OU automatically. Both policies are located in Computer Configuration | Policies | Administrative Templates | System | User Profiles.

  • Delete Cached Copies Of Roaming Profiles Enabling this setting deletes a user’s cached profile when the user logs off. This setting ensures that the loaded profile is always the most recent. However, the cached profile provides a fallback configuration to load if the actual profile isn’t available for some reason. If you delete cached profiles, then if the actual profile can’t be loaded, the user will get a temporary profile and any changes he makes to it will be discarded when the user logs off.

  • Delete Unused Profiles Windows Server 2008 R2 has a new Group Policy setting that limits the size of the overall roaming profile cache (located in the %SystemDrive%\ Users directory). If the size of the profile cache exceeds the configured size, RDS deletes the least recently used copies of roaming profiles until the overall cache goes below the quota. The policy setting is found in Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles | Limit The Size Of The Entire Roaming User Profile Cache.

NOTE

Although you can apply the Delete Cached Copies Of Roaming Profiles GPO setting to pooled and personal VMs, it doesn’t accomplish anything useful. Pooled VMs get rolled back (if set up to do so) when a user logs off, so the user profile cache is cleared as part of the rollback function. And personal VMs are, well, personal. They will have one profile cached on the machine. You will have enough room for one user profile cache in this instance. Deleting the profile cache on a personal desktop will just increase logon time and has no advantages.

Another way to make sure that your servers do not run out of disk space due to an overgrown profile cache is to put a cap on the cache size. If the size of the entire cache exceeds the limit set by this policy, the server will delete the oldest profile in the cache until the overall size drops below the threshold you set. The GPO setting is located at Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | RD Session Host | Profiles | Limit The Size Of The Entire Roaming User Profile Cache.

Enable this setting and enter the following numbers.

  • A monitoring Interval (in minutes): The interval at which the profile cache size is checked.

  • Maximum cache size (in GB): This is the threshold. If the cache grows beyond this number, the oldest profiles start getting deleted.

Deleting Cached Profiles Manually

Deleting cached profiles manually sounds too simple to bother explaining, but it’s more subtle than it might appear. Cached profiles are kept in the %SystemDrive%\Users directory. However, the obvious approach doesn’t work. If you do the obvious—look at the profiles, check the dates, note that some profiles haven’t been used in a while, and delete them—you will prevent the owners of those deleted profiles from being able to log on to the RD Session Host server and load their roaming profiles, at least without some help from you. See the section entitled “The Consequences of Deleting a Profile Folder from Windows Explorer” later in this chapter for more information. For now, let’s see how you can avoid extra work.

The problem is that cleaning up old profiles isn’t just a matter of deleting some old directories. The registry maintains a list of profiles in HKLM\Software\Microsoft\Windows NT\ CurrentVersion\ProfileList. Sort through that key (see Figure 5-17), and you’ll see entries for everyone who currently has a profile cached on the server. Although the keys themselves are identified by the SIDs of the user accounts, you can see the names of the profile paths by examining the contents of the keys.

Figure 5-17

Figure 5-17 When you cache a profile on a server, it automatically creates a corresponding registry entry.

NOTE

Examining this key can also help you troubleshoot profile problems. If a user seems to be getting his standard profile to log on to the RD Session Host server, check the contents of CentralProfile (see Figure 5-17). If this entry is blank, that person is using a local profile.

If you just delete the profile from Windows Explorer, the entries in the registry remain, which confuses the server, as explained in the next section.

The cleanest way to delete unused profiles is to let Group Policy delete the old and unused profiles. You can also delete cached roaming user profiles from the User Profiles section of System Properties on the RD Session Host server. Log on to the RD Session Host server as an administrator. Go to Start, Control Panel, System, and click Change Settings. The System Properties dialog box will appear. Select the Advanced tab. In the User Profiles section, click Settings... to open the User Profiles dialog box, shown in Figure 5-18.

Figure 5-18

Figure 5-18 The User Profiles dialog box displays the profiles stored on the computer.

Highlight the roaming profile that you want to delete and then click Delete. When you see a dialog box confirming that you want to delete the profile, click Yes and the roaming profile cache is deleted. Click OK.

The Consequences of Deleting a Profile Folder from Windows Explorer

Just in case you decide to try deleting a profile folder from Windows Explorer, here’s what will happen. If you delete an unused profile folder from Windows Explorer, the next time that user with that folder logs on, he will be unable to load his roaming profile. A temporary roaming profile will be created for him, profile changes that he makes will be discarded at logoff, and Event ID 1511 is logged in the Windows Application event log stating that Windows cannot find the local profile and is logging him on with a temporary profile.

Deleting that directory caused a problem because you didn’t clean up the cached profile completely. For each cached profile stored in %SystemDrive%\Users\%UserName%, the User Profile Service creates a registry entry for this profile at HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList, shown in Figure 5-19. This registry key is named according to the user SID.

Figure 5-19

Figure 5-19 The RDS roaming profile cache registry entry for user Adam Barr

The ProfileImagePath key in this folder indicates the cache location, which by default is %SystemDrive%\Users\%UserName%. (The network location where the roaming profile is stored is in the CentralProfile key.)

If you delete the user’s locally cached profile folder and that user starts a session on that RD Session Host server, he will get a temporary profile. The registry entry corresponding to the user’s cached profile is renamed. The SID part stays the same, but it is given an extension of .bak, as shown in Figure 5-20.

Figure 5-20

Figure 5-20 The old registry key for the profile that was deleted incorrectly now has a .bak extension.

In addition, a new key is created in its place. The newly created registry entry is named after the user SID just as before. However, the ProfileImagePath key inside the new folder now points to %SystemDrive%\Users\TEMP, as shown in Figure 5-21.

Figure 5-21

Figure 5-21 A new registry entry is created, but the ProfileImagePath key points to %SystemDrive%\Users\TEMP.

Therefore, the entry that used to work now has a .bak extension and is not usable, and the profile actually being used is a temporary profile. When the user logs off, his temporary profile is not copied back to the central profile storage location on the fileserver.

Deleting the profile from the System Properties dialog box User Profiles section no longer works either. Most likely, the profile will not even be listed in the dialog box. If it is, it most likely means that the user has not logged off completely. If you do manage to select it and click Delete, you get an error message: “Profile not deleted completely. Error – The system cannot find the file specified.”

To rectify this, you must manually delete the abandoned registry entry that has the .bak extension. You might also need to reboot the server. Only then can the user log on to the RD Session Host server and have his roaming profile correctly cached once again on the server.

Centralizing Personal Data with Folder Redirection

The single biggest thing that you can do to affect profile size, simplify backups, and speed logons and logoffs is to redirect user-specific storage out of the user profile. By default, user data folders such as Documents are in the profile, but they don’t have to be. Instead you can create a pointer to a network share where the data actually lives. Users will still store files in their personal folders, but the user data won’t be roamed, so it will not affect the time required to load the profiles at logon.

Folder redirection is fundamentally very simple. If you go to HKCU\Software\Microsoft\ Windows\CurrentVersion\Explorer\User Shell Folders, you’ll see every folder in your profile and the current location of that folder. If Folder Redirection is not turned on, then all entries will look like this: %USERPROFILE%\Music. The goal is to get rid of the %USERPROFILE% variable and replace it with a new location.

You can’t redirect all folders, but you can redirect the ones with the biggest impact on profile size. These folders are

  • AppData(Roaming) Contains a user’s application settings that are not computer-specific and therefore can roam with the user

  • Desktop Contains any items a user places on his desktop

  • Start Menu Contains a user’s Start menu

  • Documents Contains documents saved to the default location

  • Favorites Contains a user’s Internet Explorer favorites

  • Music Contains a user’s music files saved to the default location

  • Pictures Contains a user’s pictures saved to the default location

  • Video Contains a user’s video files saved to the default location

  • Contacts Contains a user’s contacts saved to the default location

  • Downloads Contains a user’s downloads saved to the default location

  • Links Contains a user’s Favorite links from Internet Explorer

  • Searches Contains a user’s saved searches

  • Saved Games Contains a user’s saved games

Before you redirect these folders, you need a place to redirect them to. Create a shared folder on the server where you want to store the redirected folders and set permissions on this folder according to the user profile folder permissions that were described in Table 5-5.

To redirect the folders to this share, open the GPMC, create or select an existing user GPO, right-click it, and choose Edit. Go to User Configuration | Policies | Windows Settings | Folder Redirection, as shown in Figure 5-22.

Figure 5-22

Figure 5-22 Set the Folder Redirection policy.

Right-click the AppData(Roaming) folder and choose Properties to open the dialog box shown in Figure 5-23.

Figure 5-23

Figure 5-23 AppData(Roaming) Folder Redirection properties dialog box

To specify the location of the AppData(Roaming) folder, choose between two options in the Setting drop-down menu.

  • Basic Redirect Everyone’s Folder To The Same Location This means just what it says; all AppData(Roaming) folder data for every user will go to the same location.

  • Advanced Specify Locations For Various User Groups To store user data in different locations based on user group membership, choose this option.

The menu contents will vary depending on the type of folder redirection you choose. If you choose Basic, then you get a Target folder location drop-down menu with three choices.

  • Create A Folder For Each User Under The Root Path Choose this option to put each user’s profile data into a folder under the root path named according to the user name. In the Root Path text box, specify the location of your designated Folder Redirection share. In most cases, this is the best option.

  • Redirect To The Following Location Choose this option to redirect all user data to the same location. You’d do this if you wanted all users to use the same Desktop or Start Menu folder. Choose this option only if you want everyone to write to the same user-specific folders.

  • Redirect To The Local Profile Location Don’t choose this option. Your profiles roam, and you want your profile folders redirected to the network share.

Click the Settings tab, as shown in Figure 5-24.

Figure 5-24

Figure 5-24 Grant The User Exclusive Rights To AppData(Roaming) is enabled by default. Clear this check box to let administrators manage the redirected folder.

By default, Grant The User Exclusive Rights To AppData(Roaming) is enabled. If you leave it this way, then the user will own this folder, and only she will be able to access this data. To enable managing this folder, clear this box so that the rights from the parent folder will be inherited. For example, if you give Domain Admins full control of the parent folder, then this group will have access to the redirected user folders as well.

If your users already have these folders before you set up Folder Redirection, then you must set up the existing folders in one of two ways (otherwise, Folder Redirection will fail).

  • The user needs to be the owner of the folder and can be granted exclusive rights to the folder.

  • If the user does not need to be the owner of the folder, clear this box.

All the folders listed in this GPO section have the same choices to pick from, except for the Pictures, Music, and Video folders. These folders have an extra setting that you can choose for the location of the folder: Follow The Documents Folder. This means that these folders will be stored in the user’s Documents folder, wherever that folder is redirected.

To move the contents of the existing folder to the new folder outside the profile, select the Move The Contents Of “The Name Of The Folder Being Redirected” check box to the new location.

ON THE COMPANION MEDIA

When redirecting a folder using Group Policy, one of the options is Move The Contents. Unless you select this option, a duplicate link will be left behind, even when that folder is completely empty, meaning that users will see two Documents folders, two Music folders, and so forth. For tips on how to avoid the “duplicate link” problem, see http://blogs.technet.com/deploymentguys/archive/2008/05/01/dealing-with-duplicate-user-profile-links-in-windows-vista.aspx. You can also find the link on this book’s companion media.

Sharing Personal Folders Between Local and Remote Environments

Because the RemoteApp programs are designed to blur the line between the remote computer and the local computer, it might make sense for you to help this along by using the same folder to store user-specific documents. This eliminates the problem of having to remember whether you were saving a file from a local or a remote application to know where the file would be stored.

Sharing Folders Between Windows Server 2003 and Windows Server 2008 R2 Roaming Profiles

The easiest profile environment to manage is homogenous: All users work only in RD Session Host servers, and all servers of sessions are running Windows Server 2008 R2. However, there are good reasons why you might need to support both V1 and V2 profile structure at the same time.

  • Some users work both on the RD Session Host server and on VMs running Windows XP (perhaps because they’re using RemoteApp on Hyper-V).

  • You’re migrating to Windows Server 2008 R2 RDS from Windows Server 2003 Terminal Services, and some of the older servers are still in use as you convert.

V1 profiles and V2 profiles are not compatible. Therefore, if you have some active 2003 RD Session Host servers, you will need to keep two sets of profiles for your users—one to log on to the 2003 servers and one to log on to the 2008 servers. And you might need even more profiles if users are also using pooled and personal VMs, and/or RemoteApp programs on Hyper-V. However, Folder Redirection can be used to bridge the gap.

Not all 13 folders that can be redirected in Windows Server 2008 R2 can be redirected in Windows Server 2003, but some can. You can share the data in these folders between the 2003 profiles and the 2008 profiles. On the Settings tab of each folder in the Folder Redirection container is an option called Also Apply Redirection Policy To Windows 2000, Windows 2000 Server, Windows XP And Windows Server 2003 Operating Systems. For some folders, this option is available, but on others (the ones that will not redirect for downlevel operating systems), it appears dimmed and is unavailable. Table 5-6 shows which of the folders can be redirected for Windows 2000, Windows XP, and Windows Server 2003.

Table 5-6 Profile Folder Redirection Capabilities for Various Versions of Windows

Folder

Can the Folder be Redirected for Earlier Operating Systems?

Details

AppData(Roaming)

Yes

If you enable the setting Also Apply Redirection Policy To Windows 2000, Windows 2000 Server, Windows XP, And Windows Server 2003 Operating Systems, the following folders within AppData(Roaming) are not redirected: Start Menu, Network Shortcuts, Printer Shortcuts, Templates, Cookies, and Sent To. These folders are redirected if you do not enable this setting.

Desktop

Yes

Start Menu

Yes

In Windows Server 2003, the contents of the Start Menu folder are not copied to the redirected location. It is assumed that the Start Menu folder has been precreated. Therefore, if you do not pre-create the Start Menu folder and place it in the redirected location, the default Start Menu folder located in the user’s Windows Server 2003 roaming profile location is used instead.

Documents

Yes

Pictures

Depends

If the check box for Documents is selected, this folder will follow the Documents folder for earlier operating system profiles. If Documents is not redirected, however, then this folder cannot be redirected.

Music

Depends

If the check box for Documents is selected, this folder will follow the Documents folder for earlier operating system profiles. If Documents is not redirected, then this folder cannot be redirected.

Video

Depends

If the check box for Documents is selected, this folder will follow the Documents folder for earlier operating system profiles. If Documents is not redirected, then this folder cannot be redirected.

Favorites

No

NA

Contacts

No

NA

Downloads

No

NA

Links

No

NA

Searches

No

NA

Saved Games

No

NA

ON THE COMPANION MEDIA

For more information on Windows Server 2003 and Windows XP Profiles and Folder Redirection, see http://technet2.microsoft.com/windowsserver/en/library/06f7eebc-2ebb-47c5-8361-1958b58078cc1033.mspx?mfr=true. You can also find the link on this book’s companion media.

NOTE

Some custom applications might not respond well to having the AppData folder redirected. But not redirecting AppData could lead to profile bloat, especially if your applications write a lot of data to this location. For situations like this, consider using App-V to deploy the problem application. For technical resources on sequencing with App-V, see http://www.microsoft.com/systemcenter/appv/dynamic.mspx.

Setting Standards with Mandatory Profiles

One issue with roaming profiles is that users can change them. On the one hand, that’s the point. On the other hand, changes can cause problems. If users can change their profiles, they can delete icons, accidentally resize their toolbar so that it disappears, add wallpaper that slows their logon time, and so on.

One way to avoid this is to set policies controlling what users can and cannot do, and Chapter 7, “Molding and Securing the User Environment,” explains how to do this. Another way to prevent users from making permanent changes to their profile is to make the user profile read-only. A user can change settings, but those settings will not be saved when the user logs off the RD Session Host server.

Profiles that don’t change are called mandatory profiles. Mandatory profiles on a central store are copied to the RD Session Host server at logon, but they are not copied back at logoff. Any profile changes that occur are discarded at the end of the user session. Many companies will not implement mandatory profiles because users find them too constricting, but combined with Folder Redirection, they might give your users enough flexibility. Some third-party profile solutions also require the use of mandatory profiles—it depends on how the products are implemented.

Although it’s possible to give every user a unique mandatory profile, it’s not ideal. One of the best things about mandatory profiles is that because the profile will never be changed, all users can use a single mandatory profile, creating much less maintenance work for administrators. If a change needs to happen to the profile, there is only one place to make the change, instead of many if every user had his or her own individual profile.

Mandatory profiles are great in many respects, but you need to be careful when implementing them to make sure each user who logs on will not be susceptible to registry changes from other users. See the Direct from the Field sidebar that follows for more details.

DIRECT FROM THE FIELD

Mandatory Profiles: Insecure By Default?

Helge Klein

IT Architect, sepago

Mandatory profiles are generally considered fast and secure because they usually are small in size and cannot be modified by the user. Although that is true—mandatory profiles stay pristine indefinitely—there is more to security than read-only access.

Mandatory profiles are a variant of roaming profiles: A master copy on a file server is copied to the RDS session host during logon. The resulting local copy is secured with file system ACLs that grant full access to the user, but to no one else (except administrators and SYSTEM). All is safe and secure—except in the case of mandatory profiles.

A user profile consists not only of file system data, but also of a registry hive (stored in the file NTUSER.MAN) that is mounted to HKU\<SID> and accessible from within a session via the well-known name HKCU. In contrast to the file system, registry permissions are not changed during logon because that is not necessary—at least with roaming profiles where the master copy of each hive already has the correct permissions.

Not so with mandatory profiles. The creation of a mandatory profile involves changing registry permissions on the master copy to full access for “Everyone.” And because many users are logged on simultaneously to an RDS session host, each server’s registry consists of many users’ hives that are readable and writeable by everyone, not just the owner of the individual user profile.

So on an RD Session Host server where mandatory profiles are used, a user can simply open Regedit (if not blocked from doing so), navigate to HKU\<Some other user’s SID>, and read/write at will.

Consequences

Users being able to read/write somebody else’s HKCU hive poses a potentially grave security problem. At least two types of attacks can be envisioned: eavesdropping and damaging. Here are some simple examples.

Many applications store a list of most recently used (MRU) files in HKCU (for example, Word: HKCU\Software\Microsoft\Office\12.0\Word\File MRU). By reading such lists, attackers can gain information about which documents another user is editing.

Applications and the operating system itself need and expect write access to HKCU. Because a user always has write access to HKCU, programs do not handle the absence of such permissions well. By changing permissions on another user’s hive (for example, removing write access), an attacker could effectively break another user’s session, making it impossible to start and use even the most trivial programs—most applications that store their settings in HKCU would be affected.

How to Fix

The following workarounds can help fix this security vulnerability.

  1. Make sure that remote registry editing is limited to administrators.

  2. Block access to the registry via software restriction policies. This includes, but is not limited to, Regedit.exe, Cmd.exe, Reg.exe, scripts and batch files, and other custom (downloaded) tools. In essence, in order to avoid this problem exclusive white-listing is required.

  3. Re-ACL (change the security permissions on) each registry hive after it is loaded and replace “Everyone” with the current user.

Converting Existing Roaming Profiles to Mandatory Profiles

Setting up mandatory profiles is very similar to setting up roaming profiles using Group Policy. To convert a roaming profile to a mandatory profile, you first need to have roaming profiles working, either by setting the RDS Roaming Profile path in the user’s account properties in Active Directory Users and Computers, or by using Group Policy. For information on how to set up roaming profiles, see the section entitled “Using Group Policy to Manage Roaming Profiles”, earlier in this chapter.

Assuming you have roaming profiles implemented, when a user logs on, her profile is stored in a subdirectory of the designated roaming profile share. To make the user’s profile mandatory, in the user’s profile folder, locate NTUSER.DAT and change its extension to .man (see Figure 5-25). Then change the NTFS permissions for the user from Full Control to Read & Execute (so she can’t change the extension back). The next time the user logs on, she will be using a mandatory profile.

Figure 5-25

Figure 5-25 To convert a roaming profile to a mandatory profile, change its extension.

No changes that the user makes to the profile will be saved. But combining mandatory profiles with Folder Redirection will give users some control over their session and allow them to change their Favorites, Documents, Desktop, and other settings without compromising the configuration data loaded in HKCU.

Creating a Single Mandatory Profile

If you have many users, you probably won’t want to convert each roaming profile to a mandatory one—that would negate one of the main reasons to implement mandatory profiles: less configuration and maintenance. To give everyone the same experience, you can create one mandatory profile for everyone to use. Here are the steps to do so.

  1. Create a network share to store the mandatory profile (for example: //Colfax/ASH-Mandatory-Profile). Make sure to configure the permissions on this folder correctly. Table 5-7 and Table 5-8 outline the necessary share and NTFS permissions that need to be set on this folder.

    Table 5-7 Share Permissions for a Mandatory Profile Storage Folder

    User Account

    Share Permissions

    Administrators

    Full Control

    Authenticated Users

    Read

    Table 5-8 NTFS Permissions for User Accounts for a Mandatory Profile Storage Folder

    User Account

    NTFS Permissions

    SYSTEM

    Full Control, this folder, subfolders, files

    Administrators

    Full Control, this folder, subfolders, files, Owner

    Authenticated Users

    Read & Execute, this folder, subfolders, files

  2. Create a folder within the folder created in Step 1, name it something appropriate to indicate it is a mandatory profile, and append the .V2 extension (for example: ASH.RDS.MAN.V2).

  3. Because using the Copy To button now works only for the Default user profile, this is the profile you will copy to the share you created in Step 1. On the RD Session Host server, from Server Manager, click Change System Properties and select the Advanced tab. In the User Profiles section, click Settings. Highlight the Default User, and click Copy To. In the Copy To dialog box, type or browse to the shared folder location that you created in Step 1. Click Permitted To Use, add Everyone, and click OK.

    NOTE

    If you choose to create a customized mandatory profile, use Sysprep to overwrite the Default User profile on the machine that you will copy from. For more on customizing the default user profile and using the Copy To button, and how to use Sysprep to customize the Default User Profile, see the sections earlier in this chapter entitled “Converting an Existing Local Profile to a Roaming Profile” and “Customizing a Default Profile”.

  4. Rename NTUSER.DAT in the resulting profile (in the file share created in Step 1) to NTUSER.MAN. You will need to change the folder options to show hidden files and folders to see this file.

  5. Create appropriate GPOs by doing the following.

    • Edit the Computer GPO setting as follows: Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles | Set Path For Remote Desktop Services Roaming User Profile to point to the share created in Step 2, for example: //colfax/ ash-rds-mandatory-profile/ASH.RDS.MAN). Do not include the .V2 extension.

    • Enable the Computer GPO policy setting as follows: Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles | Use Mandatory Profiles On The RD Session Host Server

    • Enable the Computer GPO settings as follows: Computer Configuration | Policies | Administrative Templates | System | User Profiles | Add The Administrators Security Group To Roaming User Profiles

  6. Apply the GPOs to the RD Session Host Server OU (in Group Policy Manager on a domain controller).

  7. Reboot the RD Session Host servers and test by logging in as a regular user.

Creating a Safe Read-Only Desktop

One curious side effect to not being able to save anything to a mandatory profile is that any folders remaining in the profile (that is, not redirected) will not save changes either. For example, if you do not redirect the Desktop folder and if users save files to the desktop, those files will be discarded when they log off. There won’t be any error, and the file will be on the desktop during the session, but the files won’t be there when the users log on again. To put it mildly, this could be confusing. However, if you’re using Remote App programs, you don’t really want people saving files to the desktop because not being able to see the desktop will make those files hard to find.

To keep the desktop read-only but make sure people know it is read-only, redirect the desktop to a read-only folder as described in the section entitled “Centralizing Personal Data with Folder Redirection” earlier in this chapter. This will both prevent users from saving files to the desktop (which you want) and alert them to the fact that they can’t save files to the desktop (which you also want). If they try, they will get an error. They still can’t save anything to the desktop, but at least they will know that they can’t.

Decrease Logon Times with Local Mandatory Profiles

The main reason to house a mandatory profile on a network share is to make it easier to update when you have a farm environment. But it’s also worth noting that logon times can be decreased significantly by keeping a mandatory profile local to the server because the profile doesn’t get pulled down from the network share when the user logs on.

Maintaining local mandatory profiles is more work, because any changes to the mandatory profiles will need to be made to the mandatory profile on each server. But the increase in logon speed might make this worthwhile to you, especially if you have only a few RD Session Host servers in a farm or you don’t often need to change the profile. Again, testing this fully in your environment will tell you if it makes sense for your setup.

To use local mandatory profiles, perform the following steps.

  1. Create a folder on each machine called something like “Mandatory_Profile.V2” and set the appropriate NTFS profile folder permissions as specified in Table 5-8.

  2. Copy a default profile to the new Mandatory Profile folder, giving Everyone permission to use it when you perform the copy.

  3. Convert this local profile to a mandatory profile by changing the extension of NTUSER.DAT to make it NTUSER.MAN.

  4. Enable the GPO setting as follows: Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles | Use Mandatory Profiles On The RD Session Host Server.

  5. Enable the Computer GPO setting as follows: Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Profiles | Set Path For Remote Desktop Services Roaming User Profile. Point to the local mandatory profile location, such as C:\Mandatory_Profile. Do not include the .V2 extension.

  6. Do this on each machine in the farm or pool.

Save to your account

This chapter is from the book