Remote Desktop Service: User Profiles & Folder Redirection

This topic is as old as the hills. Unless you have a better memory than me, or you’re a consultant who visits greenfield sites on a regular basis, you probably won’t remember all of these settings.

User Profiles

There seems to be a lot of discussion over whether to redirect or roam the user profile. I guess it all depends on your environment; link latency, types of devices, size of profile etc… This article gives a lot of food for thought, including covering the different types of profile:

    • Local user profile – Stays on the computer, even after log off. Probably best for laptops where the files need to stay with the device. Something like GoodSync is useful to make sure files are backed up.
    • Roaming user profile* – Stored on a central server but copied to the RDS server at log on.
    • Mandatory user profile** – Essentially customising the “default user” profile exactly the way you want it, making it read-only, storing it on a central server and copying it to the RDS server at log on.
    • Temporary user profile – Something’s gone wrong and the server cannot load the proper user profile. This does not persist and all settings and files are lost at log off.
    • Folder redirection – Stored and accessed from a central location. There are two topics here, but under the banner of profiles we’re most likely considering “AppData (Roaming)”. If you’re on a fast network, and / or run directly from a thin client with very limited space, this may be beneficial. Not so good if your users operate at the end of a high-latency link. Isn’t that why you replace RDS with Citrix in the first place?

      GPO: AppData (Roaming)

An excellent reference with pros and cons can be found here.

* If your users have large profiles, this is clearly going to impact log on times. You could instead redirect the entire profile; however, this is no use for high-latency links. There are tools out there such as AppSense Personalisation that aim to provide the best of both worlds. In a nutshell, Personalisation stores all the user’s settings in an MS SQL database. Parts of the profile are then only loaded as and when needed. For instance, the Outlook profile is only copied to the server when Outlook is launched.

** A disadvantage of mandatory profiles is that the user’s customisations will not persist after log off. Another feature in AppSense’s bag is to allow the Engineer to determine which settings the user can change. These settings are then written back to the database. For instance, you may not wish the user to replace your corporate branded desktop background with their holiday snaps; however, it would be decidedly inconvenient and inhibit the user experience if they had to keep modifying the way Outlook’s panes are configured. I like my reading pane below, whereas the OOB setting is for it to be to the right. Of course, you could change this in the “default user” profile, but that would then persist for all users. The trick of a “locked-down” desktop is to make the user think they’re in control. We’re not running a dictatorship here – although lots of users seem to think that is what IT are about!

In general, all these profiles can be set on a per-user basis in ADUC on the “Remote Desktop Service” profile tab, or through GPO. I’ve put together a little tool that visually shows where the settings are in both ADUC and Group Policy Editor below. A good MS reference to the various GPO settings can be found here.
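
To see which of the profile types listed above a session host has actually loaded, the following added example (not part of the original article) reads the Win32_UserProfile WMI class, whose Status bit field marks temporary, roaming, mandatory and corrupted profiles, and then checks whether the current user's AppData (Roaming) folder resolves to a UNC path. `Get-ProfileKind` is a helper name made up for this example.

```powershell
# Added example: classify the user profiles present on this RDS server.
# Win32_UserProfile.Status is a bit field: 1 = temporary, 2 = roaming,
# 4 = mandatory, 8 = corrupted. 0 means none of these (a plain local profile).
function Get-ProfileKind {
    param([uint32]$Status)
    $kinds = @()
    if ($Status -band 1) { $kinds += 'Temporary' }
    if ($Status -band 2) { $kinds += 'Roaming' }
    if ($Status -band 4) { $kinds += 'Mandatory' }
    if ($Status -band 8) { $kinds += 'Corrupted' }
    if ($kinds.Count -eq 0) { $kinds = @('Local') }
    $kinds -join ', '
}

Get-CimInstance -ClassName Win32_UserProfile -Filter 'Special = FALSE' |
    ForEach-Object {
        $p = $_   # keep the profile object; $_ is the error record inside catch
        # Resolve the SID to an account name; orphaned profiles keep the raw SID.
        $account = try {
            ([System.Security.Principal.SecurityIdentifier]$p.SID).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $p.SID }
        [pscustomobject]@{
            Account     = $account
            Kind        = Get-ProfileKind -Status $p.Status
            LocalPath   = $p.LocalPath
            RoamingPath = $p.RoamingPath   # central copy, when one is configured
            LastUseTime = $p.LastUseTime
        }
    } |
    Sort-Object Kind, Account |
    Format-Table -AutoSize

# Folder redirection is not recorded in Win32_UserProfile. For the user running
# the script, a redirected AppData (Roaming) folder resolves to a UNC path.
$appData = [Environment]::GetFolderPath('ApplicationData')
if ($appData.StartsWith('\\')) {
    "AppData (Roaming) is redirected to $appData"
} else {
    "AppData (Roaming) is local: $appData"
}
```

Run it in an elevated session on the RDS server so that every profile is listed; any row showing Temporary or Corrupted is a user whose settings and files will be lost at log off.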