?
Solved

RDS Desktop per each OU

Posted on 2013-01-16
9
Medium Priority
?
300 Views
Last Modified: 2013-03-02
Hello Experts,

I have an Windows 2008 R2 environment using RDS and I want to make different Desktops per OU or based on member groups.

My current setup is that I have an OU named RDS - Users and move users to this OU when I deploy a thin client for them.   I want each department to have their own desktop because departments are removing other departments shortcuts (not nice).

Can anyone please provide me details of the best way to organize this separation?
0
Comment
Question by:tucktech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 1600 total points
ID: 38790330
The best way is by security groups.  You would publish the various desktops to the various security groups.

A lot depends on how many "different" desktops you want to provide.  If it is fairly minimal, you can redirect the desktop to a read-only folder for each department, which keeps them from seeing non-relevant icons and keeps them from deleting things they shouldn't.  If they need read/write access to the desktop, then I would redirect to either their own home directories (optimal), or maybe a department directory.  Then you would place the "read only" icons in c:\users\public\desktop, which will keep them from being deleted.

I typically do not bothering moving the users - it's burdensome, and can cause issues if they are not *always* going to be on that RDS host.  it's better to configure an OU for the RDS hosts, and use loopback processing on the group policies, so that that OU controls the GPO settings.  

Coralon
0
 

Author Comment

by:tucktech
ID: 38802162
So, should I create my overall RDS group policy at a domain level with loopback processing and then create a department group policy where I change desktop redirection?

Currently I have a gpo at an OU level and the a specific folder redirection for desktop, documents etc.  I guess I could remove the desktop and change it for the individual OUs.

Your thoughts..
0
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 1600 total points
ID: 38808297
You would do the RDS loopback policy at the OU level, as low as possible.  
From your response, it sounds like you want folder redirection specific to an OU?  You may be able to use the WMI targeting with registry settings, but it would be far simpler to just use the advanced folder redirection for different security groups.

Coralon
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:tucktech
ID: 38808344
Can you elaborate on the advanced folder redirection?  Not sure I understand the details.
0
 
LVL 25

Assisted Solution

by:Coralon
Coralon earned 1600 total points
ID: 38810545
When you set up the Folder Redirection in a GPO, you have to select the "level".
1. None
2. Basic - all users to the same location
3. Advanced - different groups of users to different locations.

In basic, you might redirect My Documents to \\server\share.  In that case, each person gets their own directory like \\server\share\coralon\documents.  (The dialog will show you an example).

In advanced you will select various groups, and pick the shares for each of those groups.

Coralon
0
 

Author Comment

by:tucktech
ID: 38875994
Sorry for the late responses.  I will be working on my test server to try these out.  It will take me about a week to get this problem again.
0
 

Author Comment

by:tucktech
ID: 38902237
Hello, I am not understanding the group setting for redirection of desktop.

I have an OU called - RDS-Users.  I have a Security Group - Global named "Billing-Grp".  I have added redirection for both the RDS-User and Billing-Grp.  My user has is a member of both.

My GPO are all under RDS-Users as I am trying to avoid setting up a major GPO for each department for RDS.

When I login I get the desktop for RDS-USers and I want Billing-GRP desktop.
0
 
LVL 25

Accepted Solution

by:
Coralon earned 1600 total points
ID: 38903988
You should not have overlapping users.  You have to decide how you want to lay it out.. if you are going to use groups for your redirection, either pick unique groups, or make unique groups.  If you have overlap, then it gets into policy priority as for who gets what & where.

but, if everyone is on one server, then you can stick with the basic.

Coralon
0
 

Author Closing Comment

by:tucktech
ID: 38945191
I am trying all these suggestions in a lab.  I believe you have provided solid advise but I think I have to test it out to get a real life feel.  My users are going to change requirements at a whim as they already have (i.e. I don't want to be able to delete ICONS, oh by the way how come I can't delete ICONs..... arrgh).  Yes, I need to step back and get better business agreement.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question