Solved

RDS Desktop per each OU

Posted on 2013-01-16
9
289 Views
Last Modified: 2013-03-02
Hello Experts,

I have an Windows 2008 R2 environment using RDS and I want to make different Desktops per OU or based on member groups.

My current setup is that I have an OU named RDS - Users and move users to this OU when I deploy a thin client for them.   I want each department to have their own desktop because departments are removing other departments shortcuts (not nice).

Can anyone please provide me details of the best way to organize this separation?
0
Comment
Question by:tucktech
  • 5
  • 4
9 Comments
 
LVL 23

Assisted Solution

by:Coralon
Coralon earned 400 total points
ID: 38790330
The best way is by security groups.  You would publish the various desktops to the various security groups.

A lot depends on how many "different" desktops you want to provide.  If it is fairly minimal, you can redirect the desktop to a read-only folder for each department, which keeps them from seeing non-relevant icons and keeps them from deleting things they shouldn't.  If they need read/write access to the desktop, then I would redirect to either their own home directories (optimal), or maybe a department directory.  Then you would place the "read only" icons in c:\users\public\desktop, which will keep them from being deleted.

I typically do not bothering moving the users - it's burdensome, and can cause issues if they are not *always* going to be on that RDS host.  it's better to configure an OU for the RDS hosts, and use loopback processing on the group policies, so that that OU controls the GPO settings.  

Coralon
0
 

Author Comment

by:tucktech
ID: 38802162
So, should I create my overall RDS group policy at a domain level with loopback processing and then create a department group policy where I change desktop redirection?

Currently I have a gpo at an OU level and the a specific folder redirection for desktop, documents etc.  I guess I could remove the desktop and change it for the individual OUs.

Your thoughts..
0
 
LVL 23

Assisted Solution

by:Coralon
Coralon earned 400 total points
ID: 38808297
You would do the RDS loopback policy at the OU level, as low as possible.  
From your response, it sounds like you want folder redirection specific to an OU?  You may be able to use the WMI targeting with registry settings, but it would be far simpler to just use the advanced folder redirection for different security groups.

Coralon
0
 

Author Comment

by:tucktech
ID: 38808344
Can you elaborate on the advanced folder redirection?  Not sure I understand the details.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 23

Assisted Solution

by:Coralon
Coralon earned 400 total points
ID: 38810545
When you set up the Folder Redirection in a GPO, you have to select the "level".
1. None
2. Basic - all users to the same location
3. Advanced - different groups of users to different locations.

In basic, you might redirect My Documents to \\server\share.  In that case, each person gets their own directory like \\server\share\coralon\documents.  (The dialog will show you an example).

In advanced you will select various groups, and pick the shares for each of those groups.

Coralon
0
 

Author Comment

by:tucktech
ID: 38875994
Sorry for the late responses.  I will be working on my test server to try these out.  It will take me about a week to get this problem again.
0
 

Author Comment

by:tucktech
ID: 38902237
Hello, I am not understanding the group setting for redirection of desktop.

I have an OU called - RDS-Users.  I have a Security Group - Global named "Billing-Grp".  I have added redirection for both the RDS-User and Billing-Grp.  My user has is a member of both.

My GPO are all under RDS-Users as I am trying to avoid setting up a major GPO for each department for RDS.

When I login I get the desktop for RDS-USers and I want Billing-GRP desktop.
0
 
LVL 23

Accepted Solution

by:
Coralon earned 400 total points
ID: 38903988
You should not have overlapping users.  You have to decide how you want to lay it out.. if you are going to use groups for your redirection, either pick unique groups, or make unique groups.  If you have overlap, then it gets into policy priority as for who gets what & where.

but, if everyone is on one server, then you can stick with the basic.

Coralon
0
 

Author Closing Comment

by:tucktech
ID: 38945191
I am trying all these suggestions in a lab.  I believe you have provided solid advise but I think I have to test it out to get a real life feel.  My users are going to change requirements at a whim as they already have (i.e. I don't want to be able to delete ICONS, oh by the way how come I can't delete ICONs..... arrgh).  Yes, I need to step back and get better business agreement.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
In this article, I'll explain how to setup a Plex Media Server (https://plex.tv/) on a Redhat (Centos) 7 based NAS with screenshots to help those looking for assistance.  What is Plex? If you aren't familiar with Plex, it’s a DLNA media serv…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now