OU GPO - Problem setting TS Profile Path for users under a specifi

Thread starter: dudeDad
Here is what I am trying to accomplish:

I have 3 different OUs : OU1, OU2, OU3 each with its own set of users. I
want all users in OU1 to use the same Mandatory Profile. I want all users in
OU2 to use a mandatory profile that is configured just for OU2, ...etc...

I try to accomplish this by using a GPO at the OU level to set the TS
Roaming profile. Unfortunately, it is not working. When I log in for the
first time with one of the child users, it just creates a local account off
the default user.

Here is the setup:

Each of these OUs has several user account defined under them:
OU1 --> User11, User12, User13
OU2 --> User21, User22, User23
OU3 --> User31, User32, User33

Each OU gets a unique Mandatory Profile Path that each of its child users
will use

OU1 --> \\ts\Profiles\User1Series
OU2 --> \\ts\Profiles\User2Series
OU3 --> \\TS\Profiles\User3Series

I set up a GPO on the OU and properly configure Computer
Configurations\AdminTemplates\WindowsComponents\TermServices\Set Path for TS
Roaming Profile

I properly share the Profiles Directory

I had followed the proper procedures to create a mandatory profile
(MyComputer/Manager\Advance\Users\Copy To & Permission Everyone and then
change ntuser.dat to ntuser.MAN)

The TS is in its own OU with a GPO that has LoopBack processing turned on
(Merge)

All of this and yet it does not work as expected. What happens is that
each time one of the users logs in, it goes ahead and creates a profile based
on the default user.

Any thoughts?

Another strange (related?) thing.... I set the OU GPO also to start a
specific application when the connection is made. When I do this using the
/Computer Setting/AdminTemp/WindowsComponents/Start Program on connection
.... it doesn't do it! However, if I also make the same configuration under
User Configurations it does start the program (full screen) but does not show
any desktop behind it! Strange!
 
Re: OU GPO - Problem setting TS Profile Path for users under a specifi

You are configuring settings under Computer Configuration in a GPO
which is linked to an OU which contains user accounts. These
settings will never be applied.
Computer Configuration settings are applied to computers, not
users, and vice versa. That's also the reason that your starting
application isn't applied when defined as a Computer Configuration
setting. The fact that the desktop isn't displayed in the
background of the starting application is the whole idea with this
setting. It's considered a feature.

I think that you have misunderstood the functionality of the
loopback processing setting of the GPO linked to the OU which
contains the Terminal Server machine account.
It causes all settings, both Computer and User Configurations, to
be taken from any GPOs applied to the TS-OU, not from the Users-OU.

So you'll have to redesign your GPOs. TS settings go into the TS-
GPO, settings which should apply to your users when they logon to
their workstation go into the Users-GPO.

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

Note that you can accomplish different settings for different user
groups by using security filtering of the GPOs:

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
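
The misconfiguration described in this reply can be checked for across a domain. The following is an added example, not part of the original posts: it lists enabled GPO links whose Computer Configuration has been edited but which sit on an OU that contains no computer accounts. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the function name is hypothetical.

```powershell
# Added example (not from the thread). Read-only: it changes nothing in AD.
# Requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

function Find-DeadComputerPolicyLink {
    [CmdletBinding()]
    param(
        # OUs to inspect; defaults to every OU in the current domain.
        [string[]]$OrganizationalUnit = (Get-ADOrganizationalUnit -Filter * |
            Select-Object -ExpandProperty DistinguishedName)
    )

    foreach ($ou in $OrganizationalUnit) {
        # GPO links are inherited by child OUs, so search the whole subtree.
        $computers = @(Get-ADComputer -Filter * -SearchBase $ou `
                           -SearchScope Subtree -ResultSetSize 1)
        if ($computers.Count -gt 0) { continue }   # a computer can receive the policy

        foreach ($link in (Get-GPInheritance -Target $ou).GpoLinks) {
            if (-not $link.Enabled) { continue }
            $gpo = Get-GPO -Guid $link.GpoId

            # DSVersion 0 means the Computer Configuration half was never edited.
            if ($gpo.Computer.Enabled -and $gpo.Computer.DSVersion -gt 0) {
                [pscustomobject]@{
                    OU              = $ou
                    Gpo             = $gpo.DisplayName
                    ComputerVersion = $gpo.Computer.DSVersion
                    Finding         = 'Computer Configuration set, but no computer accounts under this OU'
                }
            }
        }
    }
}

Find-DeadComputerPolicyLink | Format-Table -AutoSize -Wrap
```

The check flags the link, not the GPO: the same GPO may also be linked to an OU that does hold computer accounts, where its Computer Configuration applies normally.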

 
Re: OU GPO - Problem setting TS Profile Path for users under a specifi

"Vera Noest [MVP]" wrote:

> So you'll have to redesign your GPOs. TS settings go into the TS-
> GPO, settings which should apply to your users when they logon to
> their workstation go into the Users-GPO.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___


Thanks... Most of what you said was very helpful. Removing loopback from a few locations helped with a related problem (setting the active desktop wallpaper).

However, my problem with your advice regarding TS Profile Path is that TS Roaming Profile is only definable as a Computer configuration... not as a User configuration (which seems strange to me).

So when I go to the OU1 and I create a GPO to implement the "settings that should apply to the user when they log on to their workstations" and one of those settings I want to set is the TS roaming Profile path (so they hit a standard mandatory profile for that group of users), the only choice I have is to define it at a computer configuration in that "user OU". When I actually do this, and I log in as User11 (which lives in that OU1 "user ou") it does not result in the user actually ending up with the mandatory profile.

Thoughts?
 
Re: OU GPO - Problem setting TS Profile Path for users under a spe


"Vera Noest [MVP]" wrote:

> You are configuring settings under Computer Configuration in a GPO
> which is linked to an OU which contains user accounts. These
> settings will never be applied.
> Computer Configuration settings are applied to computers, not
> users, and vice versa.


> So you'll have to redesign your GPOs. TS settings go into the TS-
> GPO, settings which should apply to your users when they logon to
> their workstation go into the Users-GPO.


So here is my problem, then:

TS Roaming Profile Path can only be set as a Computer Configuration.

If I go into the "user ou" (OU1) and define a GPO called "Set TS Roaming
Profile" and edit it by going User
Configurations/AdminTemp/WindowsComponents/Terminal Services/ there is no
option for setting the TS Roaming Profile Path.

However, if I do the same thing but under Computer configurations, there is
a setting "Set path for TS Roaming Profile"


Remember, I want to have each "group" of users to share a single mandatory
profile that is different from another "group" of users.

I can make this happen if go into the user record and manually set it on the
"Terminal Server Profile" tab. But this is not scalable for my application.
I need all users within a group (OU) to use the same mandatory profile.


Would filtering help me here?
 
Re: OU GPO - Problem setting TS Profile Path for users under a specifi

dudeDad <dudeDad.38hs4a@news.home.local> wrote on 26 apr 2008 in
microsoft.public.windows.terminal_services:

>
> "Vera Noest [MVP]" wrote:
>> So you'll have to redesign your GPOs. TS settings go into the
>> TS-GPO, settings which should apply to your users when they
>> logon to their workstation go into the Users-GPO.
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>
>
> Thanks... Most of what you said was very helpful. Removing
> loopback from a few locations helped with a related problem
> (setting the active desktop wallpaper)
>
> However, my problem with your advice regarding TS Profile Path
> is that TS Roaming Profile is only definable as a Computer
> configuration... not as a User configuration (which seems
> strange to me)
>
> So when I go to the OU1 and I create a GPO to implement the
> "settings that should apply to the user when they log on to
> their workstations" and one of those settings I want to set is
> the TS roaming Profile path (so they hit a standard mandatory
> profile for that group of users), the only choice I have is to
> define it at a computer configuration in that "user OU".
> When I actually do this, and I log in as User11 (which lives in
> that OU1 "user ou") it does not result in the user actually
> ending up with the mandatory profile.
>
> Thoughts?

Yes, the behaviour that you describe is by design.
That's how settings in GPOs are applied. When a user logs on to a
computer (be it a workstation or a TS) the following settings apply
(without loopback processing):
1. the Computer Configuration settings from the GPO linked to the
OU which contains the computer account
2. the User Configuration settings from the GPO linked to the OU
which contains the user account

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
 
Re: OU GPO - Problem setting TS Profile Path for users under a spe




"Vera Noest [MVP]" wrote:
>
> Yes, the behaviour that you describe is by design.
> That's how settings in GPOs are applied. When a user logs on to a
> computer (be it a workstation or a TS) the following settings apply
> (without loopback processing):
> 1. the Computer Configuration settings from the GPO linked to the
> OU which contains the computer account
> 2. the User Configuration settings from the GPO linked to the OU
> which contains the user account
>


Yes, I get that... (and am resigned to that fact :-) )

I am now trying to figure out how to "skin the cat" a different way.

Basically, I want to use Active Directory to make a group of users act as
if I manually went into each of their user properties and manually
configured the Terminal Server Profile Tab's Terminal Server Profile Path/Set
Path

Right now, the only thing I can think of is setting a GPO at the "user OU"
level that makes a login script run that somehow automagically sets that user
to mandatory profile. At the moment, I don't know how to write that script.

Any thoughts on the script? Or other ways to skin the cat?

Regards

Ken

(btw as an aside, I got the "run program with desktop behind it" behavior I
wanted by using the userconfig setting "run program at login" rather than the
computer config "run program at connection")


 
Re: OU GPO - Problem setting TS Profile Path for users under a spe


Vera:

So after thinking about my strategy again, your comments made me realize a
few things.... that has helped me to resolve my difficulties.

Basically, I changed my opinion as to if I really needed a different
mandatory profile for each group of users. I decided that I could "go
with the flow" and use a single mandatory profile for all users on the TS in
order to get the "no saved data/no saved state" functionality. I then will
implement the other more fine grained functionality I was hoping to do with
specific profiles, by using other methods... mostly (hopefully) GPOs and
perhaps some regedits.


Thanks
 
Re: OU GPO - Problem setting TS Profile Path for users under a spe


That sounds like a wise decision to me!

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

 
Re: OU GPO - Problem setting TS Profile Path for users under a spe


dudeDad <dudeDad@discussions.microsoft.com> wrote
on 27 apr 2008 in microsoft.public.windows.terminal_services:

> "Vera Noest [MVP]" wrote:
> >
>> Yes, the behaviour that you describe is by design.
>> That's how settings in GPOs are applied. When a user logs on to
>> a computer (be it a workstation or a TS) the following settings
>> apply (without loopback processing):
>> 1. the Computer Configuration settings from the GPO linked to
>> the OU which contains the computer account
>> 2. the User Configuration settings from the GPO linked to the
>> OU which contains the user account

>
> Yes, I get that... (and am resigned to that fact :-) )
>
> I am now trying to figure out how to "skin the cat" a different
> way.
>
> Basically, I want to use Active Directory to make a group of
> users act as if I manually went into each of their user
> properties and manually configured the Terminal Server Profile
> Tab's Terminal Server Profile Path/Set Path
>
> Right now, the only thing I can think of is setting a GPO at the
> "user OU" level that makes a login script run that somehow
> automagically sets that user to mandatory profile. At the
> moment, I don't know how to write that script.
>
> Any thoughts on the script? Or other ways to skin the cat?


That won't work, you can't set the profile in a login script, it's
far too late then.

I'd write a small script to automate the user account property
setting. Something along the lines:
if user is member of security group SecUser1 then Terminal Server
Profile Path = \\server\path1

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
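
The approach sketched in the last reply, as an added example that is not part of the original posts: an administrator-run script (not a logon script) that sets the Terminal Server profile path on each member of a security group. `SecUser1` and the share paths come from the thread; `SecUser2`, `SecUser3` and the function name are assumptions.

```powershell
# Added example (not from the thread). Run by an administrator ahead of logon.
# Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# SecUser1 and the paths appear in the thread; SecUser2/SecUser3 are assumed names.
$ProfileMap = [ordered]@{
    'SecUser1' = '\\ts\Profiles\User1Series'
    'SecUser2' = '\\ts\Profiles\User2Series'
    'SecUser3' = '\\ts\Profiles\User3Series'
}

function Set-TSProfilePathByGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param([System.Collections.IDictionary]$Map = $ProfileMap)

    $seen = @{}   # DN -> first group that claimed the user
    foreach ($group in $Map.Keys) {
        $path = $Map[$group]
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' }

        foreach ($m in $members) {
            $dn = $m.distinguishedName
            if ($seen.ContainsKey($dn)) {
                # A user in two mapped groups would otherwise get whichever ran last.
                Write-Warning "$dn is in $($seen[$dn]) and $group; keeping $($seen[$dn])"
                continue
            }
            $seen[$dn] = $group

            # The TS profile path is packed inside the userParameters attribute;
            # the ADSI TerminalServicesProfilePath property reads and writes it.
            $user = [ADSI]"LDAP://$dn"
            $current = try { $user.psbase.InvokeGet('TerminalServicesProfilePath') }
                       catch { $null }   # property was never set on this account
            if ($current -eq $path) { continue }   # already correct, nothing to do

            if ($PSCmdlet.ShouldProcess($dn, "Set TS profile path to $path")) {
                $user.psbase.InvokeSet('TerminalServicesProfilePath', $path)
                $user.SetInfo()
            }
            # Emitted under -WhatIf too, as a record of the planned change.
            [pscustomobject]@{
                User = $m.SamAccountName; Group = $group
                Old  = $current;          New   = $path
            }
        }
    }
}

# Dry run first; drop -WhatIf to write the changes.
Set-TSProfilePathByGroup -WhatIf | Format-Table -AutoSize
```

Accounts added to a group later keep their old path until the script is run again, so it fits a scheduled task or the account-provisioning step.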
 