How to present two different home directories when one AD account accesses two different servers?

Hi People,

I'd like to know if it is possible for me to do something with Group policy or Citrix XenDesktop feature so that:

1. When my user account logs on to Windows 7 VM-A, I can access my home directory and the normal company file server.

2. When my user account logs on to Windows 7 VM-B, I can access my other, secure home directory and the secure company file server, without any access to the folders or home directory presented to VM-A.

The File Server is Windows Server 2012 R2 Std Edition:

LUN1 is for the normal home drive & file server.
LUN2 is for the secure home drive & secure file server.

All of the VMs published by Citrix to the users are Windows 7.

How can I achieve that?

Senior IT System Engineer (IT Professional) asked:

Mahesh (Architect) commented:
The best way to tackle this situation:

Create a new GPO with multiple home drives through GP Preferences for all users.
This will be achieved via \\server1\home\%logonuser% and \\server2\home\%logonuser%.
Further, you need to restrict TCP 445 from the workstations to the opposite shared folders \ LUN.

Once you do that, try separating computers with item level targeting. If this is not possible, you still get the required result, because the network ports are blocked from the workstations to the opposite shared folder \ LUNs, so the opposite mapped home drives will not work due to the port restrictions.

Please note that you cannot achieve what you want out of the box; you must use some sort of other infra resources to make this work.
Hope that helps

BlueCompute commented:
How can I achieve that ?

By using two different user accounts.  Why don't you do that?  Or alternatively why don't you set up so that you can access the directories and file server from both VMs?
Senior IT System Engineer (IT Professional, Author) commented:
Hi Blue,

No, I'd like to simplify the access to just using one AD account without too much confusion for the users.

The file server in LUN1 can only be accessed by VM type 1, and the secure file server in LUN2 can only be accessed by VM type 2.

This is due to the security requirement regarding PCI DSS for the credit card processing environment.

Mahesh (Architect) commented:
You can give it a try with GP Preferences.
You need to create one GPO and two home drives (1 for A workstations and 1 for B workstations) for users in GP Preferences.
In the properties of the Preference Item, go to the Common tab and set its item level targeting and filter based on specific criteria so that the GPO can understand the difference between the two types of workstation (maybe network subnets).
Once you are done setting up the GPO, apply this GPO to the OU containing the Computers and enable loopback processing in the same GPO, so that no matter who logs on to the computer he will get the appropriate home drive based on the condition specified.
Loopback processing can be found under Computer Configuration\Administrative Templates\System\Group Policy.
Enable Group Policy loopback processing in replace mode. This is an important step.

Check the post below to work with GP Preferences and item level targeting.

BlueCompute commented:
OK, in that case I don't think you can do this with the 'Home Directories' feature.  You should be able to achieve the same result by using Group Policy Preferences to map drives and using item level targeting to map different drives depending on which computer they are logged on to.

Item Level Targeting - this will allow you to apply drive maps based on a number of parameters, such as the computer name, OU, OS level etc:

Mapping Drives using Group Policy Preferences:
Seth Simmons (Sr. Systems Administrator) commented:
Should also work with a login script,
something like...

rem map F: to the share that belongs to this VM, keyed on the computer name
if %COMPUTERNAME%==VM-A net use f: \\server\LUN1
if %COMPUTERNAME%==VM-B net use f: \\server\LUN2
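As an added example (not code from Seth's post), a PowerShell logon script that generalizes the batch check above to a computer-name pattern, so one script serves any number of standard and secure VMs. The naming convention (STD-VM-nn / SEC-VM-nn), the drive letter and the share paths are assumptions.

```powershell
# Added example (not from the thread): logon script that maps the home drive
# according to a computer-name pattern instead of a fixed computer name.
# Assumed naming convention: standard VMs are STD-VM-<number>, secure (PCI)
# VMs are SEC-VM-<number>. Server and share names are placeholders.
$standardHome = "\\fileserver1\home\$env:USERNAME"         # LUN1 share (placeholder)
$secureHome   = "\\fileserver2\securehome\$env:USERNAME"   # LUN2 share (placeholder)

switch -Regex ($env:COMPUTERNAME) {
    '^STD-VM-\d+$' { $target = $standardHome }
    '^SEC-VM-\d+$' { $target = $secureHome }
    default {
        # Unknown machine type: map nothing rather than guess, and leave a trace
        # in the Application log for the helpdesk.
        Write-EventLog -LogName Application -Source 'Application' -EntryType Warning `
            -EventId 1000 -Message "Computer $env:COMPUTERNAME matches no VM naming pattern; no home drive mapped." `
            -ErrorAction SilentlyContinue
        return
    }
}

# Drop any stale H: mapping first, then map non-persistently so the mapping
# never survives into a session on the other VM type.
if (Get-PSDrive -Name H -ErrorAction SilentlyContinue) {
    net use H: /delete /y | Out-Null
}
net use H: $target /persistent:no
```

The script only decides which share to map; it does not stop a user typing the opposite UNC path by hand, which is why the network-level restriction discussed in this thread is still needed.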
Senior IT System Engineer (IT Professional, Author) commented:

With the login script above, can it be customized to recognize a VM name pattern?
Because this will be used for multiple user accounts on multiple VMs, not one user with two VMs.

Thanks for the reply. Is there any way to prevent users from accessing the opposite LUN using a UNC path?
Mahesh (Architect) commented:
If you have the standard and secure workstations (VMs) in different network segments, you can use GP Preferences based on network segment.

If the same user is accessing TWO UNC paths from two different machines, then you can't restrict him from accessing the shared paths (opposite LUN) with Active Directory permissions \ NTFS permissions,
because ultimately the user SID remains the same on both shares and he can access the share if he wants to.... You may assign two user accounts per physical user and restrict each user to log on to the appropriate workstations only, through the user's AD properties \ Account tab.

Another workaround is to restrict the TCP 445 (SMB) port from each VM to the opposite LUN share.

I am not aware how your network architecture is designed; if any hardware network firewall exists between the LUNs and the workstations, then this is possible.

If you have centrally managed antivirus software like Symantec or McAfee, you can achieve this through AV rules.

If you have the LUNs mapped on Windows-based servers, you can enable Windows Firewall and block the opposite workstations' access to the shares.
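As an added example (not from Mahesh's post), the Windows Firewall variant of the TCP 445 restriction, as it would be applied on the Server 2012 R2 host with the built-in NetSecurity cmdlets. It assumes the secure (LUN2) shares are published on their own IP address (or their own server), because a port-level rule cannot tell two shares on one address apart; the subnets and address are placeholders.

```powershell
# Added example (not from the thread): scope SMB on the secure file server to
# the secure VM segment only. Placeholder values, adjust to the real network:
#   10.10.20.0/24 = secure VM subnet, 10.10.10.0/24 = standard VM subnet,
#   192.0.2.20    = address on which the secure (LUN2) shares are published.
$secureVmSubnet   = '10.10.20.0/24'
$standardVmSubnet = '10.10.10.0/24'
$secureShareIp    = '192.0.2.20'

# Explicit block for the standard VM segment. A Block rule takes precedence
# over any Allow rule (including the default "File and Printer Sharing
# (SMB-In)" rule), so a standard VM cannot open \\<secure server>\share even
# though the user's AD account has rights on it.
New-NetFirewallRule -DisplayName 'SMB-Block-StandardVMs' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -LocalAddress $secureShareIp -RemoteAddress $standardVmSubnet `
    -Action Block -Profile Domain

# Allow rule limited to the secure VM segment, so the secure VMs keep working
# if the broad default SMB allow rule is later disabled.
New-NetFirewallRule -DisplayName 'SMB-Allow-SecureVMs' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -LocalAddress $secureShareIp -RemoteAddress $secureVmSubnet `
    -Action Allow -Profile Domain

# Review the two rules together with their address scopes.
Get-NetFirewallRule -DisplayName 'SMB-*' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Action = $_.Action;
                           Local = $addr.LocalAddress; Remote = $addr.RemoteAddress }
    }
```

To confirm the split, test TCP 445 against the secure address from one VM of each type (for example with "telnet 192.0.2.20 445" on Windows 7, or Test-NetConnection on Windows 8.1 and later): the standard VM should time out, the secure VM should connect.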

Use two accounts, I tells ya.  It's a much more secure approach anyway, and what you are trying to achieve is likely to be a big fat mess.

All Mahesh's comments are valid ways of doing this, but I don't think that what you are attempting to configure is an elegant solution.
Senior IT System Engineer (IT Professional, Author) commented:

I do have two different accounts for IT administration purposes, as recommended by PCI-DSS v2.0 (soon to be 3.0); it is extra management effort in managing those accounts. However, for the end users I'd like to give them simplicity in mind by not having to use two different user names.