Using GPO to force local profiles on a terminal server

FiZi

Sorry for the double post. I should have cross-posted this into both
microsoft.public.windows.group_policy and
microsoft.public.windows.terminal_services

We've got a Windows 2003 R2 Domain with Windows XP desktops and a Windows
2008 Terminal Server.

A standard user account has a roaming profile compatible with Windows XP. XP
roaming profiles are incompatible with Windows Vista/2008 I believe. When a
user with an XP based roaming profile logs into our 2008 Terminal Server they
get a profile error message and a temporary profile.

We want to prevent users from loading their roaming profiles when they login
to the Terminal Server and instead get a "permanent" local profile on the
server.

We configured a GPO with Computer -> Administrative Templates -> System ->
User Profiles -> Only Allow local user profiles = Enabled and applied it to
the OU the server is located in. We also have GPO loopback processing mode
enabled and set to 'Merge'.

This GPO worked for about 1-2 weeks. It seems after our last reboot for
patch Tuesday on Sept 16th users are now being reverted back to temporary
profiles. If a user previously logged into the server while the GPO was
applied and working they can manually convert their "roaming profile" to a
"local profile" and the message will go away. Any new user logging in simply
gets a temporary profile which is gone when they logoff and they are unable
to manually change it to a local profile.

If I run a manual 'gpupdate /force' I can see in the event log that GPO is
applied successfully with no errors but the problem persists. I've run
'rsop.msc' and I can see everything in my GPO being applied EXCEPT for the
"Only Allow local user profiles" setting.

I've reviewed the notes for the Windows 2008 Updates that were installed and
I don't believe any of them are the culprit.

Anyone have any idea why this one GPO setting suddenly stopped applying? Is
there a better method to do this that I haven't thought of?
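
An added diagnostic example (not part of the original post) for the symptom described above, where rsop.msc shows every setting except "Only Allow local user profiles": it reads the registry values that this policy, loopback mode and the TS profile path write on the server, then lists the profiles Windows has registered. It assumes an elevated PowerShell session on the terminal server; the `$checks` table and variable names are illustrative.

```powershell
# Added example: confirm whether the profile-related policies actually landed
# in the registry of the terminal server. Run elevated, on the server itself.
$checks = @(
    @{ Setting = 'Only allow local user profiles'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name    = 'LocalProfile';   Expected = 1 },
    @{ Setting = 'Loopback processing mode (1 = Merge, 2 = Replace)'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name    = 'UserPolicyMode'; Expected = 1 },
    @{ Setting = 'Terminal Services roaming profile path'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Name    = 'WFProfilePath';  Expected = $null }   # informational only
)

foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }

    $state = 'ok'
    if ($null -eq $value) {
        $state = 'not set'                  # policy value never reached this machine
    } elseif ($null -ne $c.Expected -and $value -ne $c.Expected) {
        $state = 'unexpected value'
    }

    New-Object PSObject -Property @{
        Setting = $c.Setting; Value = $value; State = $state
    } | Select-Object Setting, Value, State
}

# List the profiles registered on this server. A SID key ending in ".bak"
# is the usual leftover of a logon that fell back to a temporary profile,
# and a non-empty CentralProfile means a roaming path was recorded.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem -Path $profileList | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    New-Object PSObject -Property @{
        Sid            = $_.PSChildName
        LocalPath      = $p.ProfileImagePath
        CentralProfile = $p.CentralProfile
        BackupKey      = ($_.PSChildName -like '*.bak')
    } | Select-Object Sid, LocalPath, CentralProfile, BackupKey
}
```

If `LocalProfile` comes back as "not set" after `gpupdate /force`, the setting is not reaching the machine, which matches what rsop.msc reports.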
 
Lanwench [MVP - Exchange]

FiZi wrote:
> Sorry for the double post. I should have cross-posted this into both
> microsoft.public.windows.group_policy and
> microsoft.public.windows.terminal_services
>
> We've got a Windows 2003 R2 Domain with Windows XP desktops and a
> Windows 2008 Terminal Server.
>
> A standard user account has a roaming profile compatible with Windows
> XP. XP roaming profiles are incompatible with Windows Vista/2008 I
> believe.


Yes - and moreover, you shouldn't try to share roaming & TS profiles.

> When a user with an XP based roaming profile logs into our
> 2008 Terminal Server they get a profile error message and a temporary
> profile.
>
> We want to prevent users from loading their roaming profiles when
> they login to the Terminal Server and instead get a "permanent" local
> profile on the server.
>
> We configured a GPO with Computer -> Administrative Templates ->
> System -> User Profiles -> Only Allow local user profiles = Enabled
> and applied it to the OU the server is located in. We also have GPO
> loopback processing mode enabled and set to 'Merge'.
>
> This GPO worked for about 1-2 weeks. It seems after our last reboot
> for patch Tuesday on Sept 16th users are now being reverted back to
> temporary profiles. If a user previously logged into the server while
> the GPO was applied and working they can manually convert their
> "roaming profile" to a "local profile" and the message will go away.
> Any new user logging in simply gets a temporary profile which is gone
> when they logoff and they are unable to manually change it to a local
> profile.
>
> If I run a manual 'gpupdate /force' I can see in the event log that
> GPO is applied successfully with no errors but the problem persists.
> I've run 'rsop.msc' and I can see everything in my GPO being applied
> EXCEPT for the "Only Allow local user profiles" setting.
>
> I've reviewed the notes for the Windows 2008 Updates that were
> installed and I don't believe any of them are the culprit.
>
> Anyone have any idea why this one GPO setting suddenly stopped applying?
> Is there a better method to do this that I haven't thought of?


What you really need to do is set the GPO for the Terminal Services Profile
path, so that any user logging into TS gets a TS profile configured at
\\fileserver\tsprofiles$\%username% ....

I forget the exact location of this policy setting right now but it's the
way to go.
 
FiZi

"Lanwench [MVP - Exchange]" wrote:

> FiZi wrote:
> > Sorry for the double post. I should have cross-posted this into both
> > microsoft.public.windows.group_policy and
> > microsoft.public.windows.terminal_services
> >
> > We've got a Windows 2003 R2 Domain with Windows XP desktops and a
> > Windows 2008 Terminal Server.
> >
> > A standard user account has a roaming profile compatible with Windows
> > XP. XP roaming profiles are incompatible with Windows Vista/2008 I
> > believe.

>
> Yes - and moreover, you shouldn't try to share roaming & TS profiles.
>
> > When a user with an XP based roaming profile logs into our
> > 2008 Terminal Server they get a profile error message and a temporary
> > profile.
> >
> > We want to prevent users from loading their roaming profiles when
> > they login to the Terminal Server and instead get a "permanent" local
> > profile on the server.
> >
> > We configured a GPO with Computer -> Administrative Templates ->
> > System -> User Profiles -> Only Allow local user profiles = Enabled
> > and applied it to the OU the server is located in. We also have GPO
> > loopback processing mode enabled and set to 'Merge'.
> >
> > This GPO worked for about 1-2 weeks. It seems after our last reboot
> > for patch Tuesday on Sept 16th users are now being reverted back to
> > temporary profiles. If a user previously logged into the server while
> > the GPO was applied and working they can manually convert their
> > "roaming profile" to a "local profile" and the message will go away.
> > Any new user logging in simply gets a temporary profile which is gone
> > when they logoff and they are unable to manually change it to a local
> > profile.
> >
> > If I run a manual 'gpupdate /force' I can see in the event log that
> > GPO is applied successfully with no errors but the problem persists.
> > I've run 'rsop.msc' and I can see everything in my GPO being applied
> > EXCEPT for the "Only Allow local user profiles" setting.
> >
> > I've reviewed the notes for the Windows 2008 Updates that were
> > installed and I don't believe any of them are the culprit.
> >
> > Anyone have any idea why this one GPO setting suddenly stopped applying?
> > Is there a better method to do this that I haven't thought of?

>
> What you really need to do is set the GPO for the Terminal Services Profile
> path, so that any user logging into TS gets a TS profile configured at
> \\fileserver\tsprofiles$\%username% ....
>
> I forget the exact location of this policy setting right now but it's the
> way to go.
>
>
>

I guess we could configure that and create a share on the terminal server
itself. The thing is we only have one Terminal Server and we don't really
care about making them available via the network. We also don't want the
overhead of having to create profile directories and setting up security.

We're quite happy with local profiles. The trick is keeping them local.
 
Lanwench [MVP - Exchange]

FiZi wrote:
> "Lanwench [MVP - Exchange]" wrote:
>
>> FiZi wrote:
>>> Sorry for the double post. I should have cross-posted this into both
>>> microsoft.public.windows.group_policy and
>>> microsoft.public.windows.terminal_services
>>>
>>> We've got a Windows 2003 R2 Domain with Windows XP desktops and a
>>> Windows 2008 Terminal Server.
>>>
>>> A standard user account has a roaming profile compatible with
>>> Windows XP. XP roaming profiles are incompatible with Windows
>>> Vista/2008 I believe.

>>
>> Yes - and moreover, you shouldn't try to share roaming & TS profiles.
>>
>>> When a user with an XP based roaming profile logs into our
>>> 2008 Terminal Server they get a profile error message and a
>>> temporary profile.
>>>
>>> We want to prevent users from loading their roaming profiles when
>>> they login to the Terminal Server and instead get a "permanent"
>>> local profile on the server.
>>>
>>> We configured a GPO with Computer -> Administrative Templates ->
>>> System -> User Profiles -> Only Allow local user profiles = Enabled
>>> and applied it to the OU the server is located in. We also have GPO
>>> loopback processing mode enabled and set to 'Merge'.
>>>
>>> This GPO worked for about 1-2 weeks. It seems after our last reboot
>>> for patch Tuesday on Sept 16th users are now being reverted back to
>>> temporary profiles. If a user previously logged into the server
>>> while the GPO was applied and working they can manually convert
>>> their "roaming profile" to a "local profile" and the message will
>>> go away. Any new user logging in simply gets a temporary profile
>>> which is gone when they logoff and they are unable to manually
>>> change it to a local profile.
>>>
>>> If I run a manual 'gpupdate /force' I can see in the event log that
>>> GPO is applied successfully with no errors but the problem persists.
>>> I've run 'rsop.msc' and I can see everything in my GPO being applied
>>> EXCEPT for the "Only Allow local user profiles" setting.
>>>
>>> I've reviewed the notes for the Windows 2008 Updates that were
>>> installed and I don't believe any of them are the culprit.
>>>
>>> Anyone have any idea why this one GPO setting suddenly stopped
>>> applying? Is there a better method to do this that I haven't thought
>>> of?

>>
>> What you really need to do is set the GPO for the Terminal Services
>> Profile path, so that any user logging into TS gets a TS profile
>> configured at \\fileserver\tsprofiles$\%username% ....
>>
>> I forget the exact location of this policy setting right now but
>> it's the way to go.
>>
>>
>>
>
> I guess we could configure that and create a share on the terminal
> server itself.

I wouldn't - don't use the TS box to do anything but serve remote users.
Not a file server, etc. Put these profiles on a file server in the domain.

> The thing is we only have one Terminal Server and we
> don't really care about making them available via the network.


I don't really follow....

> We
> also don't want the overhead of having to create profile directories
> and setting up security.


You don't have to - it happens on its own. All you need to do is set up the
parent share (\\fileserver\tsprofiles$) and set the share permissions to
everyone = full, and the NTFS permissions will sort themselves out. If you
want administrators to have access to this data as well I think you can use
the GPO option to 'add administrators group to profiles' - I know it works
for roaming profiles.
>
> We're quite happy with local profiles. The trick is keeping them
> local.


You still need the TS profile path set. And use folder redirection for my
docs, desktop, and application data.

Basically treat these users as you would roaming desktop users.
 