Remote Desktop/Terminal Services Roaming Profiles on terminal server only

I've got a Windows Server 2008 R2 that I've set up as a terminal server.  Using Group Policy I went to

Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles

I changed the "Set path for Remote Desktop Services Roaming User Profile" to the desired profile path, which is on the d: drive of my terminal server.  

The problem I have is that a profile is indeed being created in the proper location, but a profile is also being created in the c:\users folder for the terminal services.  The main problem I have is the .ost files for my Exchange accounts are going on the C: drive and not the D: drive.  Strangely, if I put a document on the desktop of one of my users, the document appears in both the C: and D:.

I would like there to not be a C: profile of any kind and have everything on the D:

Suggestions?
have you tried for a new login?

Author

Commented:
yes
DarinTCH, Senior CyberSecurity Engineer
CERTIFIED EXPERT

Commented:
there are 2 types of profiles created when using RDS or Term server
you may be seeing the 2 separate components that combine to create the full profile
are you using Citrix or TS by itself

see the MS articles on TS profiles for a lengthier explanation

Author

Commented:
TS by itself.  Could you be more specific with your solution to this problem?  I have looked at many MS articles.

Commented:
What is being created on C is the Cached profile, there is a Policy where you can say to delete cache on logoff, or you can also limit the cache. However be aware that all Application specific settings would be lost if you clear the cache.

A

Author

Commented:
So are you saying that what I'm trying to do is not possible?  Is there no way to turn off that cached profile?  Losing application settings, etc is not an option.  The main problem I have is that C: drive is smaller, plus I don't want to store any data on it.  The D: drive is very large and is where I would like to store this data.

I was able to accomplish this by another GP policy requiring all users that logged onto the server to use a specific profile (located on the D: drive on my terminal server).  All my data got stored there and no cached profiles were created on the terminal server C:.  However, when the user logs onto his computer, that profile got loaded/synced as well, which is definitely what I want.  

I suppose if worse comes to worse, I could use some generic logon, but that's not what I want to do.  I would think there has to be some way to not store this cached data on the C:

Commented:
Well you are saying that you were able to accomplish that, then what is the question?
If your application settings are working fine then you are all set.

Can you post the policies you made?

A

Author

Commented:
While I was able to accomplish getting the profiles on the D: drive for logging onto the TS, however when the users authenticate through the Domain Controller by logging onto their computers (Not TS), they are also loading that profile.  This is definitely a problem and not something I can leave in place.

Here is where I made the edit in GP

Computer Configuration\Policies\Administrative Templates\System\UserProfiles

I enabled and configured "Set roaming profile path for all users logging onto this computer".

I have since disabled this feature as this is not desired behavior.  I now have the problem described in the original post.

Commented:
Do you have TS in a separate OU?
If not make it, link GPO there & reboot TS.
A

Author

Commented:
I was making that change in the default GPO.  I do have a separate GPO for the TS and can make the change there, but I think I would still have the same problem?  The users aren't logging onto the TS, they are logging via the domain controller?  

Thoughts?

Commented:
My Dear,
If you link the GPO to the OU then the Policy is only applied to the computer in OU, however right now, since you have it at the Domain Level it affects every computer irrespective of the location.

Make a new policy & link it to TS OU, please don't make any changes in Default GPO, it's a sensitive GPO & you should avoid touching it as much as possible.

A

Author

Commented:
OK, I removed the changes in the default GPO, made the desired change in the GPO that is only for the TS.  After doing so, the behavior is now that the profiles are still being stored in both places.  I can tell the proper GPO is in effect because I changed the storage location of the profiles on the D: so I would know.  

Commented:
Alright, First things first:
Are you having desired behavior on the Client Workstation? i.e. they are not getting the same profile?

A

Author

Commented:
Sorry, should have mentioned that.  Desired behavior on workstations.  Only local profiles being used..not roaming.

Commented:
so, if my understanding is clear, workstations are OK?

Now, you have the issue with TS? How did you manage earlier to make sure that nothing gets written on C? Because you mentioned that you achieved it earlier?

A

Author

Commented:
Yes, workstations are fine.  To get nothing written on C, I used the following

Computer Configuration\Policies\Administrative Templates\System\UserProfiles

I enabled and configured "Set roaming profile path for all users logging onto this computer".

However, when I do that, the workstations are not fine and begin using that roaming profile.

Commented:
& you have the policy on OU which has TS only?
Can you post Screen Shot of your OU structure?
A

Author

Commented:
Here you go
Screen.jpg

Commented:
There is the problem.
Make an OU call it TS, drag your terminal server in it & link the policy on that OU. Delete the policy from where you have now & then reboot your TS

A

Author

Commented:
I'm not sure I understand what the problem is or how that would be any different than what I have.  I created an OU called TS.  I have that OU along with the Default Domain Policy only now.  You wanted me to put my terminal server in that OU?  Isn't that what I already have?

Author

Commented:
I must be missing something obvious

Commented:
From what I have seen in the Screen Shot, you don't have any OU as TS. The only thing I see is that you have a GPO called "Terminal Server Policy" which is linked at Domain Level.

This GPO will affect every computer irrespective of where it is.

Do as following
1) Right Click on aston.local (the server's icon under domain) > New > Organisational Unit (OU) & name it as TS
2) Drag your TS computer in that
3) Delete the link Terminal Server Policy where it is now
4) On the new TS OU Link the Terminal Server Policy
5) Reboot the TS Computer.

A
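The five steps in the comment above, written as a script with a check of where the GPO ends up linked and who it is filtered to. This is an added example, not something posted in the thread; the domain DN is derived from the aston.local name and the GPO name from the thread, and the computer account name is a placeholder assumption.

```powershell
# Added example: scripted form of the five steps above. Run from an elevated
# PowerShell session with the ActiveDirectory and GroupPolicy modules (RSAT).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=aston,DC=local'        # derived from the domain name in the thread
$ouDn     = "OU=TS,$domainDn"
$gpoName  = 'Terminal Server Policy'   # GPO name as it appears in the thread
$tsName   = 'TS-COMPUTER-NAME'         # placeholder (assumption): TS computer account

# 1) Create the TS OU directly under the domain if it is not there yet
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'TS'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'TS' -Path $domainDn
}

# 2) Move the terminal server's computer account into the OU
Get-ADComputer -Identity $tsName | Move-ADObject -TargetPath $ouDn

# 3) Remove the domain-level link so the policy stops applying to every computer
$domainLinks = (Get-GPInheritance -Target $domainDn).GpoLinks
if ($domainLinks | Where-Object { $_.DisplayName -eq $gpoName }) {
    Remove-GPLink -Name $gpoName -Target $domainDn
}

# 4) Link the same GPO on the TS OU only
$ouLinks = (Get-GPInheritance -Target $ouDn).GpoLinks
if (-not ($ouLinks | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes
}

# Check: the GPO should be listed under the OU and no longer under the domain
(Get-GPInheritance -Target $domainDn).GpoLinks | Select-Object DisplayName, Enabled, Order
(Get-GPInheritance -Target $ouDn).GpoLinks     | Select-Object DisplayName, Enabled, Order

# Check security filtering: computer settings apply only to computers whose
# account (directly or via a group) holds the GpoApply permission on the GPO.
# On Server 2012 and later the cmdlet is named Get-GPPermission.
Get-GPPermissions -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 5) Reboot the terminal server so computer policy is re-read from the new OU
Restart-Computer -ComputerName $tsName -Force
```

After the reboot, `gpresult /scope computer /v` on the terminal server lists the applied computer GPOs and the OU the machine was found in.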

Commented:
I know what you are missing & I also know why.

What you are missing I told you above.
Answer to Why is, just be patient & all will fall in place.

A

Author

Commented:
Similar behavior.  I'm still getting the profile created locally.  I attached the screenshot with your suggested changes.
Screen.jpg

Commented:
Can you please do two things:
1) On Workstation run : gpupdate /force OR Reboot
2) After Reboot or Gpupdate /force, run this Gpresult /v > C:\result.txt
This will create a text file called result on your C drive, please post it so we can know what is going on.

Trust me you are close....

A
DarinTCH, Senior CyberSecurity Engineer
CERTIFIED EXPERT

Commented:
I'll second this approach - so you will feel more confident...
profiles are tricky but a thorough understanding eventually makes it clear....

Author

Commented:
FYI, I've done a gpupdate /force after each test/change that I've made.


result.txt

Author

Commented:
I really appreciate all the help.

Commented:
Is this from Workstation or Terminal Server?

A

Author

Commented:
terminal server

Commented:
I understood you want to troubleshoot the Workstation first?

Can you please do the same & post it from Workstation?

A

Commented:
As from it, the Roaming Profile is not applied on Terminal Server, though the policy you made is getting applied.

Did you Reboot the Terminal-Server machine after moving it to the OU?

A

Author

Commented:
I didn't reboot after adding it to the OU.  I must have missed that.  Rebooting now.  Attached file from workstation
result.txt

Commented:
Hold On with everything..... Don't do anything before we come to an understanding.

I think I just saw that you have in the Screen Shot Terminal-Server under Security Filtering?

Why did you do so?



A

Author

Commented:
That was my mistake I'm guessing from the previous GPO.  Per your instructions I linked it to the new OU.  I assumed you saw that.  I can replace that with authenticated users?  That my problem?

Commented:
K, your Workstation is working fine, it should not get the Profile what you have defined in the GPO.
It shows that you are getting a local profile, however the problem is in your Terminal-Server as it's not getting the Roaming Profile.

Please tell if this is correct?

Would you be willing if I give you Remote Support?

Moderators, I am not aware if this is allowed so please correct me if the procedure of doing Remote Support is not allowed?

A

Author

Commented:
I would really appreciate the remote support.  Might cut to the chase a little bit.  Perhaps you could email me at ck1380@gmail.com.  That's junk email address I use from time to time

Commented:
Check your Junk Mail...

Author

Commented:
Haven't gotten anything yet

Commented:
bill.clinton@me.com
this is my email, send me your no with country code to call.

A

Author

Commented:
just sent you an email

Author

Commented:
This solved my problem....you are the man!

Commented:
Thanks for points.
