RDS Desktop per each OU

Hello Experts,

I have an Windows 2008 R2 environment using RDS and I want to make different Desktops per OU or based on member groups.

My current setup is that I have an OU named RDS - Users and move users to this OU when I deploy a thin client for them.   I want each department to have their own desktop because departments are removing other departments shortcuts (not nice).

Can anyone please provide me details of the best way to organize this separation?
tucktechAsked:
Who is Participating?
 
CoralonConnect With a Mentor Commented:
You should not have overlapping users.  You have to decide how you want to lay it out.. if you are going to use groups for your redirection, either pick unique groups, or make unique groups.  If you have overlap, then it gets into policy priority as for who gets what & where.

but, if everyone is on one server, then you can stick with the basic.

Coralon
0
 
CoralonConnect With a Mentor Commented:
The best way is by security groups.  You would publish the various desktops to the various security groups.

A lot depends on how many "different" desktops you want to provide.  If it is fairly minimal, you can redirect the desktop to a read-only folder for each department, which keeps them from seeing non-relevant icons and keeps them from deleting things they shouldn't.  If they need read/write access to the desktop, then I would redirect to either their own home directories (optimal), or maybe a department directory.  Then you would place the "read only" icons in c:\users\public\desktop, which will keep them from being deleted.

I typically do not bothering moving the users - it's burdensome, and can cause issues if they are not *always* going to be on that RDS host.  it's better to configure an OU for the RDS hosts, and use loopback processing on the group policies, so that that OU controls the GPO settings.  

Coralon
0
 
tucktechAuthor Commented:
So, should I create my overall RDS group policy at a domain level with loopback processing and then create a department group policy where I change desktop redirection?

Currently I have a gpo at an OU level and the a specific folder redirection for desktop, documents etc.  I guess I could remove the desktop and change it for the individual OUs.

Your thoughts..
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
CoralonConnect With a Mentor Commented:
You would do the RDS loopback policy at the OU level, as low as possible.  
From your response, it sounds like you want folder redirection specific to an OU?  You may be able to use the WMI targeting with registry settings, but it would be far simpler to just use the advanced folder redirection for different security groups.

Coralon
0
 
tucktechAuthor Commented:
Can you elaborate on the advanced folder redirection?  Not sure I understand the details.
0
 
CoralonConnect With a Mentor Commented:
When you set up the Folder Redirection in a GPO, you have to select the "level".
1. None
2. Basic - all users to the same location
3. Advanced - different groups of users to different locations.

In basic, you might redirect My Documents to \\server\share.  In that case, each person gets their own directory like \\server\share\coralon\documents.  (The dialog will show you an example).

In advanced you will select various groups, and pick the shares for each of those groups.

Coralon
0
 
tucktechAuthor Commented:
Sorry for the late responses.  I will be working on my test server to try these out.  It will take me about a week to get this problem again.
0
 
tucktechAuthor Commented:
Hello, I am not understanding the group setting for redirection of desktop.

I have an OU called - RDS-Users.  I have a Security Group - Global named "Billing-Grp".  I have added redirection for both the RDS-User and Billing-Grp.  My user has is a member of both.

My GPO are all under RDS-Users as I am trying to avoid setting up a major GPO for each department for RDS.

When I login I get the desktop for RDS-USers and I want Billing-GRP desktop.
0
 
tucktechAuthor Commented:
I am trying all these suggestions in a lab.  I believe you have provided solid advise but I think I have to test it out to get a real life feel.  My users are going to change requirements at a whim as they already have (i.e. I don't want to be able to delete ICONS, oh by the way how come I can't delete ICONs..... arrgh).  Yes, I need to step back and get better business agreement.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.