Line One
 asked on

Terminal Services/RDS policies - folder redirection

Folks,

Up until now I have been using the steps at the bottom for creating Terminal Services and as a result have 3 GPO's when I set up a Terminal Server system.  I have had it suggested to me that with Windows 2008 R2 I should have a separate Folder Redirection GPO as this somehow makes things more efficient but it's not been clearly explained how that works. If somebody could look over what I have in place below and address the question of what a separate policy for Folder Redirection would buy me I would appreciate it. Please feel free to critique what I have if not applicable/optimal for 2008 R2.


1) Create a separate Terminal Services OU in the domain

2) Under the TS OU create two OU's - Terminal Servers and Terminal Server User Groups

3) Create 3 GPO's and apply to the Terminal Servers OU

a) TSServers

Enable Block Policy inheritance
Disable User Configuration Settings
Permission: Authenticated Users System TS-Admins

Full Control

Read Allow Allow Allow
Write Allow Allow
Create Child Objects Allow Allow
Delete Child Objects Allow Allow
Apply Group Policy Allow


Loopback Policy - replace mode
Delete Cached Copies of Roaming Profiles

b) AllTSUsers Policy (Includes Admin)
Disable Computer Configuration Settings

Permission: Authenticated Users System TS-Admins

Full Control Allow

Read Allow Allow Allow

Write Allow Allow
Create Child Objects Allow Allow
Delete Child Objects Allow Allow
Apply Group Policy Allow Allow

Enable: Do Not Track Shell Shortcuts During Roaming
Enable: Disable UI to Change Menu Animation Settings
Enable: Add Logoff to the Start Menu
Enable: Disable and Remove the Shut Down Command
Enable: Do Not Use the Search-based Method When Resolving Shell Shortcuts
Enable: No Screen Saver
Enable: Group Policy Refresh Interval - 1440 (24 hours)

c) RegularTSUSERS (not including Admins)


Disable Computer Configuration Settings

Permission: Authenticated Users System TS-Admins

Full Control

Read Allow Allow Allow
Write Allow Allow
Create Child Objects Allow Allow
Delete Child Objects Allow Allow
Apply Group Policy Allow Deny

Windows Settings\Folder Redirection - I redirect My Documents and Application Data to a network share

Administrative Templates\Windows Components\Windows Explorer
Enable: Removes the Folder Options Menu From the Tools Menu
Enable: Hide Hardware Tab

Administrative Templates\Start Menu & Taskbar
Enable: Disable and Remove Links to Windows Update
Enable: Remove Network & Dial-up
Enable: Disable Changes to Taskbar and Start Menu Settings

Administrative Templates\Desktop
Enable: Prohibit User From Changing My Documents Path

Administrative Templates\Control Panel
Enable: Disable Control Panel

Administrative Templates\Systems
Enable: Disable Registry Editing Options
Active Directory, Windows Server 2008
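
The OU and GPO layout from the question, scripted with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not part of the original thread: the domain DN is a placeholder, the TS-Admins group is assumed to exist already, and the individual Administrative Templates and Folder Redirection settings are not scripted.

```powershell
# Added illustration, not from the thread. Placeholder domain DN; needs rights to create
# OUs and GPOs, plus the ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2+).
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=com'                  # placeholder, replace with your domain
$tsOu     = "OU=Terminal Services,$domainDn"
$serverOu = "OU=Terminal Servers,$tsOu"

# Steps 1 and 2: the OU structure
New-ADOrganizationalUnit -Name 'Terminal Services'           -Path $domainDn
New-ADOrganizationalUnit -Name 'Terminal Servers'            -Path $tsOu
New-ADOrganizationalUnit -Name 'Terminal Server User Groups' -Path $tsOu

# Step 3: three GPOs, each with the half it does not use disabled
$plan = @(
    @{ Name = 'TSServers';      Status = 'UserSettingsDisabled' },
    @{ Name = 'AllTSUsers';     Status = 'ComputerSettingsDisabled' },
    @{ Name = 'RegularTSUSERS'; Status = 'ComputerSettingsDisabled' }
)
$order = 1
foreach ($p in $plan) {
    $gpo = New-GPO -Name $p.Name
    $gpo.GpoStatus = $p.Status
    New-GPLink -Name $p.Name -Target $serverOu -Order $order | Out-Null
    # GpoEdit = Read, Write, Create/Delete Child Objects, all as Allow entries.
    # Set-GPPermissions is the 2008 R2 cmdlet name (an alias of Set-GPPermission later).
    Set-GPPermissions -Name $p.Name -TargetName 'TS-Admins' -TargetType Group -PermissionLevel GpoEdit | Out-Null
    $order++
}
# The Deny on "Apply Group Policy" for TS-Admins on RegularTSUSERS is not one of the
# cmdlet's permission levels; set it in GPMC (Delegation > Advanced).

# Computer-side settings of TSServers
$sysKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name 'TSServers' -Key $sysKey -ValueName 'UserPolicyMode'     -Type DWord -Value 2 | Out-Null  # loopback, 2 = replace
Set-GPRegistryValue -Name 'TSServers' -Key $sysKey -ValueName 'DeleteRoamingCache' -Type DWord -Value 1 | Out-Null
Set-GPInheritance -Target $serverOu -IsBlocked Yes | Out-Null

# Check: link order and block-inheritance state on the Terminal Servers OU
Get-GPInheritance -Target $serverOu | Select-Object GpoInheritanceBlocked, GpoLinks
```

A separate Folder Redirection GPO would be one more entry in `$plan`, which gives it its own link order and its own permission entries independent of the other user settings.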

Last Comment
Line One

8/22/2022 - Mon
Darius Ghassem

Really you would not get any benefit but organization. Some admins like to break their GPOs up this way for better descriptions for each GPO. Really not required.
Line One

ASKER
I understood that Folder Redirection in a TS environment means that there is less 'weight' to roaming profiles on TS - the profile being loaded is smaller and hence might be more efficient.
Darius Ghassem

Folder redirection is folder redirection, whether on TS or on desktop.
Line One

ASKER
So folder redirection makes profiles less 'weighty'? Is that why it's used? What Group Policies do you use on your TS's? You don't break them up? Everything I've ever read or seen other colleagues do has been based on having these multiple GPO's so I would be curious as to what you do if you do it differently.
Line One

ASKER
Here's the type of thing I was talking about as far as reasons I have heard for redirection.

http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/

Any comment?
Darius Ghassem

Roaming profiles are can be bigger the folder redirections which need to be downloaded everytime user logs in but profiles stay the same throughout the network. Folder redirection can still be heavy depending on what users store and how much they store in the redirected folders.

Depends on the type of environment. Some customers want to lock down the TS server. Some want wide open. GPOs are customized per site really because businesses have different policies. What you want to do is sit down and figure out what you want a user to be able to do and what you don't want users doing; from there you can configure GPOs.

I split some GPOs apart and some I have clumped together. For example, for security GPOs I will put all in one GPO.
Line One

ASKER
"Roaming profiles are can be bigger the folder redirections which need to be downloaded everytime user logs in but profiles stay the same throughout the network. "

Not sure what the above means.
Darius Ghassem

A roaming profile is a profile that roams with you, so when you log on to a workstation you get the same profile. This can take time, though, since this profile has to be downloaded to the local computer when you log on.

Folder redirection redirects your files to a file server, so you are saving files not actually to your My Docs but instead to a network location.
Line One

ASKER
Thanks. I understand those concepts - I just didn't understand what you meant. I must be having trouble as well communicating what I am looking for as I don't feel my question has been answered as well. Here is what I asked:

" If somebody could look over what I have in place below and address the question of what a separate policy for Folder Redirection would buy me I would appreciate it. Please feel free to critique what I have if not applicable/optimal for 2008 R2."

I don't feel I've gotten a real answer to that question. Ditto for the request for the comment on the link as to why somebody would use Folder Redirection.

I was hoping for a much more in-depth 'conversation' about my post - - advantages/disadvantages of different methods as opposed to simply stating there are different ways to do things.  

I would like to open this up for a few more people to put in their two bits if you're ok with that as it seems for you most of this is cosmetic - it may very well be but from what I have read it seems there are non-cosmetic reasons for  doing these things one way or another and perhaps there will be a few other Experts who will make clearer the arguments for that view.
Darius Ghassem

Here is the thing: you want a specific answer to your question, but really there is not one. Multiple GPOs or just having one GPO with multiple settings within the GPO is fine; there is no perfect answer to this. Really this is the preference of the Admin or policy of the company.

There are no spelled out advantages or disadvantages really. With multiple GPOs you can order by priority, you can security filter by group, etc. Small admin things.

http://www.dslreports.com/forum/r23301072-One-big-group-policy-or-multiple-small-group-policies
Line One

ASKER
Thanks for the link - I will take a look at it. Actually I don't want a specific answer - I wanted a pros and cons for different approaches in different situations such as  more servers/ less servers, more sites/less sites, more users/less users, more remote access/less remote access, thick computing/thin computing.  

As I indicated it seems to me that you are of the view that there are no significant differences - that it's 'aesthetics'. However you do write:

"There are no spelled out advantages or disadvantages really. With multiple GPOs you can order by priority, you can security filter by group, etc. Small admin things."

That is sort of the type of discussion I was hoping for, more elaboration on the "etc. Small admin things." Etc. is a big category. So is 'small admin things'.
ASKER CERTIFIED SOLUTION
Darius Ghassem

Line One

ASKER
Did not seem to connect with Expert - seemed to be going in circles - where I kept wanting elaboration and could not get it. I wanted to open the question to further input with Expert's permission but Expert did not seem keen on it.