I'm using roaming profiles in a XenApp 5 system with around 1000 users. No
problems whatsoever. I think a lot of the common "wisdom" about not using
roaming profiles is a combination of bad history and FUD spread by vendors of
profile management software.
Not using roaming profiles sounds good in theory, but may be problematic in
practice. If you have a user base with very simple requirements, a mandatory
profile can work well - you only need to back up and restore a few settings
from the registry (Outlook profiles, default printer, etc). Otherwise, roaming
profiles make life much easier.
I'll try to highlight the group policy I have in place:

User lockdown - implemented via loopback - Set security to deny apply of this
GP for admin users.
  - Turns off most of the things in control panel
  - Hide Desktop "network locations"
  - Hide network connection settings
  - Disable offline files
  - Disable connection wizard
  - Remove shutdown, sleep, and hibernate from start button.
  - Turn off "Getting Started".
  - Hide A,B,C, and D drives in "My Computer".
  - Hide the C drive in file dialog boxes (This can cause error messages in
    Office apps).
  - Hide Windows update.

System policies
  - Turn off Customer Experience Improvement Program and error reporting.
  - Add "Administrators" security to roaming profiles.
  - Delete cached profiles.
  - Do not check for ownership of roaming profiles.
  - Turn on timezone redirection.
  - Set the roaming profile path.
  - Turn off Windows Defender.

Registry settings policy
  - Create HKLM\CurrentControlSet\Control\Print\DisableWERLogging DWORD 1 (if
    you don't do this, the print spooler will occasionally fill your C: disk
    up with error logs).
  - Create HKLM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
    DWORD 1 - NOTE! You may not want to do this - research before implementing.
  - DELETE this key HKEY_USERS\.DEFAULT\Software\Hewlett-Packard - Do this if
    you use HP printers. Trust me.
  - DELETE this key HKCU\Software\Hewlett-Packard - Ditto

User settings - implemented via loopback
  - Set folder redirection
  - Create
    HKCU\Software\Policies\Microsoft\Office\12.0\Common\Toolbars\QuickAccessToolbarRoaming
    DWORD 1 See http://support.microsoft.com/kb/958062 for details.
  - Create
    HKCU\Software\Policies\Microsoft\Office\14.0\Common\Toolbars\CustomUIRoaming
    DWORD 1 See http://support.microsoft.com/kb/958062 for details.
  - Create
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
    DWORD 1 - This sets IE privacy to default

Application blacklist
  - Blacklist all of the common updaters (Java, Adobe, etc)
  - Blacklist VMWare tools (if you are running under VMWare)
  - Blacklist your Antivirus user interface agent (you don't want users
    kicking off scans of your C: drive)
  - Blacklist c:\windows\syswow64\IME\IMEJP10\IMJPDSVR.EXE - It eats CPU.

I'd be happy to export my policies and email them to you, if you like.
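
An added example, not part of the original post: a short Python check that reads the text of a `reg export` dump and reports drift from the registry settings listed above. The sample export is constructed, and the HKLM path is written with the `SYSTEM` segment that the post's shorthand leaves out (an assumption here).

```python
import re

# Baseline from the post, in .reg export form. Assumption: the HKLM path
# includes the SYSTEM segment, which the post's shorthand leaves out.
REQUIRED = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print", "DisableWERLogging"): 1,
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\Toolbars", "QuickAccessToolbarRoaming"): 1,
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0\Common\Toolbars", "CustomUIRoaming"): 1,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1A10"): 1,
}
FORBIDDEN = [r"HKEY_CURRENT_USER\Software\Hewlett-Packard",
             r"HKEY_USERS\.DEFAULT\Software\Hewlett-Packard"]
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(.+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_reg(text):
    """Return {key path: {value name: int}} for DWORD values, names lowercased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1).lower(), {})
        elif (m := DWORD_RE.match(line)) and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """List every deviation from the baseline as a readable finding."""
    keys, findings = parse_reg(text), []
    for (key, name), want in REQUIRED.items():
        got = keys.get(key.lower(), {}).get(name.lower())
        if got != want:
            findings.append(f"{key}\\{name}: expected {want}, found {got}")
    for bad in FORBIDDEN:  # the key itself or any subkey counts as present
        if any((k + "\\").startswith(bad.lower() + "\\") for k in keys):
            findings.append(f"{bad}: key present, should be deleted")
    return findings

# Constructed sample export: CustomUIRoaming missing, 1A10 drifted, HP key back.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print]
"DisableWERLogging"=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\Toolbars]
"QuickAccessToolbarRoaming"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1A10"=dword:00000003
[HKEY_CURRENT_USER\Software\Hewlett-Packard\Constructed]
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

`reg export` writes UTF-16 text, so read a real dump with `open(path, encoding="utf-16")` before passing its contents to `audit`.
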
From: [email protected] [mailto:[email protected]]
Sent: Thursday, February 21, 2013 2:45 PM
To: NT System Admin Issues
Subject: Re: Remote Desktop Server (Formerly known as Terminal Server)
Roaming profiles are terribly problematic in any modern environment in my
experience. Profile bloat, profile corruption, load failures - these issues
plague any SBC solution where they are implemented.
As mentioned there are a nation of profile management tools that can address
these issues. Citrix UPM provides a simple lightweight solution but if you're
not using Citrix it's not really viable. There are many others but what you
need to identify is how much time you are spending addressing profile issues
based against the extra cost of a real solution.
At the end of the day it's all about how your apps perform and what settings
need to roam. Without knowing much about your environment I can pretty much say
the only GPO I'm sure you will need to configure is the Loopback Policy
Processing.
Are you publishing desktops, applications, or a combination of both?
Sent from my Blackberry, which may be an antique but delivers email RELIABLY
________________________________
From: Kelli Sterley <[email protected]>
Date: Thu, 21 Feb 2013 12:32:14 -0500
To: NT System Admin Issues <[email protected]>
ReplyTo: "NT System Admin Issues" <[email protected]>
Subject: Remote Desktop Server (Formerly known as Terminal Server)
I currently have a 2003 Terminal Server which is getting ready to be replaced
with the 2008 R2 Remote Desktop Server.
Currently we are using roaming profiles and redirecting some user folders.
Does anyone use roaming profiles anymore? Why or why not?
I am also in the process of editing a group policy for both the server and
users. Are there any policies I should add for sure .. Anyone willing to share
their GP's with me?
Also, I have been searching the internet for some good "best practices" for the
new setup but have found little with regards to 2008.
I want it set up as simple as possible so any ideas would be great.
Thanks so much - Kelli
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin