Re: User Profiles

You can use Folder redirection for the Start Menu, exactly in the
same way as you used Folder redirection for the Desktop.
Also make sure that you delete unwanted shortcuts from the C:
\Documents and Settings\All Users\Start Menu on the Terminal
Server.

Exactly what icons are you getting from the Default Domain Policy,
and in which GPO setting are they defined?
Have you tried "undoing" them by configuring the same setting in
your GPO with a value of "Disabled"?
You could block policy inheritance, but that's normally not a good
idea. A Default Domain Policy should only contain settings which
*must* be configured for the whole domain. If that's not true, the
setting is configured at the wrong level.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RmVyYmFsZXg=?= <Ferbalex@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 27 sep 2007 in
microsoft.public.windows.terminal_services:

Thank you very much, it worked great. Just one thing, I have
disabled evrything I can find in the GPOE but cant restrict the
start button, My Computer in the start menu, or Printers and
Faxes in the start menu. Is it not possible to restrict these?
In My Computer users still have access to System Task and Other
Places? I also have two icons appearing from the Default Domain
Policy. Is it possible to restrict this without editing the
domain policy? Windows Server 2003. Thanks again for your great
advice.



"Vera Noest [MVP]" wrote:

Since your new GPO settings don't work, and you still see the
effects of another GPO (redirection of My Documents), maybe all
you have to do is to run "gpupdate" on the Terminal Server, in
a command window.
If that doesn't help, use Resultant Set of Policies (RSoP) to
see which GPOs affect user1 on the TS.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RmVyYmFsZXg=?= <Ferbalex@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 26 sep 2007 in
microsoft.public.windows.terminal_services:

Hi, this is different from the first suggestion but looked
shorter so gave it a try.

Created 1 security group in AD the TS Group- put one user1 in
it - created 1 shared folder on the TS server and put
shortcut icons in it, gave TSGroup access to it - created 1
GPO linked to OU that has TS Svr in it, no users - in GPO
redircted desktop to the shared folder - enabled various
other settings - enabled GPO loopback/replace - allowed the
TS Svr and the TS group in the security filtering.

Logged into the TS Svr via TS client, as user1, 'my
documents' redirected to Home folder (not specified in the TS
settings) but no other changes take place, same as logging
into the server directly. Deleted everything and tried it
all again - same result.

Thanks for your help - any ideas would be appreciated


"Vera Noest [MVP]" wrote:

From
http://ts.veranoest.net/ts_faq_configuration.htm#desktopredir
ect ion

Q: How can I configure different TS desktops, based on user
group membership?

A: There are a number of 3rd party add-ons which can do this
for you, but it is also possible with native Windows
techniques, using Group Policies.

Let's assume you have 3 different user groups, which need
different desktop icons.

1. Create 3 security groups in your AD and populate them
with the user accounts
2. Create 3 different shared folders on a file server and
populate the folders with the desktop icons (shortcuts)
which you want the user groups to see
3. Create 3 different GPOs, linked to the OU which contains
your Terminal Server computer account (but not the user
accounts!) 4. In each of the GPOs, configure redirection of
the desktop to one of the custom desktop folders which you
created in step 2. This is done in User Configuration -
Windows Settings - Folder Redirection 5. Configure each of
the GPOs with loopback processing of the GPO, with the
"Replace" option. This is done in Computer Configuration -
Administrative Templates - System - Group Policy - "User
Group Policy loopback processing mode" 6. Configure the
security settings on each of the GPOs so that only the
appropriate user group and the TS machine account is allowed
to read and apply the GPO

Further reading:

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

816100 - How To Prevent Domain Group Policies from Applying
to Administrator Accounts and Selected Users in Windows
Server 2003 http://support.microsoft.com/?kbid=816100

Another way to do this is by using Access Based Enumeration,
which is a free add-on to Windows Server 2003.
For a detailed example of using ABE, see:

Build a start menu with ABE
http://www.datacrash.net/howtos/howto/build-a-start-menu-with
- abe.html

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RmVyYmFsZXg=?=
<Ferbalex@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 26 sep 2007 in
microsoft.public.windows.terminal_services:

Thanks Jeff and good article. Having got to the end of
it, I now have the TS server in its own OU, two policies,
machine and users in the OU, user and machine disabled
where needed, and the loopback enabled. From here I would
like to have users log onto the server and receive various
different secure desktops. If I edit the user policy, I
would think that effects all users logging on. How would
I differentiate between them for different desktops??
Many Thanks for your help -
much appreciated

"Jeff Pitsch" wrote:

when you say normal users do you mean their normal
desktop? Read my article on loopback processing and group
policy and see if that helps. As well if you could be
more specific on what your trying to do and what you've
done that would help as well.

See this link and Understanding Group POlicy in a TS
environment:
http://www.jeffpitschconsulting.com/downloads.aspx?c=13&ty
pe= dow nload

Jeff Pitsch
Microsoft MVP - Terminal Server
Citrix Technology Professional
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com

Ferbalex wrote:
Currently running TS where all users load one
application - our business system.
I'm now trying to allocate individual desktops to
certain users but, with a Group Policy only suceeded in
restricting normal users to no start button and no
icons!! Im obviously missing the point - could someone
please direct me to a simple step by step starter??
.