Group policy for remote users

Status
Not open for further replies.

iconSYS1

Hello,
I'm working with a client who is adding 5 remote users. The 5 remote employees will connect to the main office via Remote Desktop Services. 50 internal employees also use the same RDS servers.
All Domain controllers are Windows Server 2008 R2. A GPO is set for the RDS servers and is applied to the "RDS SERVERS" OU which contains the 4 RDS servers. The internal users get drive mappings, roaming profile redirection and startup programs via that GPO.
The new remote users are right now in an OU named "remote users" which is inside an OU named "users" which all the other users are inside. The remote users will need a different set of drive mappings and totally different startup programs when they log into the same RDS servers. I'm trying to figure out the "correct" way of making this work for now and in the future when they add new remote users. Ideas are appreciated. Thanks.
 
I would use regular Active Directory security groups and group policy drive mappings for the drive mapping. When you set up the policy preference for the drive mapping, you would select item level targeting and then select "Security Group" and then browse to the appropriate group. I'd call it something that would allow you to easily remember its purpose like "Remote Desktop Drive Mapping" or something along those lines.

You can continue to use the OU route, but my feeling is that a group would be more flexible because the dynamic of who is using that service could change a lot more frequently and you probably wouldn't want to be bouncing users around between various OUs.
 
Thanks for the response Baddos.

The drive mapping seems to work fine, but trying to start up separate programs is becoming a real headache. Inside the GPO I've gone to User Configuration>Preferences>Control Panel Settings>Scheduled Tasks and created a new scheduled task which runs on user login.

The programs start ONLY one time (for the first user who logs in) and ONLY if that user is an administrator. Is this not intended for terminal servers? These terminal server users are locked down, no access to "Startup" folder, how can I add startup programs via GPO for these remote users?
 
Yes you can, you have a couple of options.

You can set startup programs via group policy for terminal services connections.


You could manually or via script create shortcuts in the user profile's startup folder. This should work even for a mandatory profile.

You could create a login script with vbs and launch via the registry (HKLM\...\CurrentVersion\Run) or group policy.
 
So I went with half of your first solution and half of the second. I made a GPO called 'Startup' and applied it to the OU with the RDS servers. In GPMC under user configuration>Windows Settings>Registry I added a key to HKCU>Software>Microsoft>Windows>CurrentVersion>Run for each startup program needed for each different group and then used item level targeting to apply the keys to the security groups needed. Then added the drive maps and also used item level targeting for those. I've tested it with about 6 different users in different security groups/OUs and it seems to be holding up.

Thanks much for the responses Baddos. Have a star!
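
An added example, not part of the original thread: a PowerShell check that can be run in a user's RDS session to confirm that the HKCU Run entries delivered by item-level targeting match that user's security groups, and to flag any autostart entry that no group accounts for. The group names, value names and program paths in `$Expected` are hypothetical placeholders.

```powershell
# Hypothetical mapping: security group -> Run values its members should receive.
$Expected = @{
    'Remote Desktop Remote Users'   = @{ 'RemoteApp1' = 'C:\Apps\Remote\app1.exe' }
    'Remote Desktop Internal Users' = @{ 'OfficeApp1' = 'C:\Apps\Office\app1.exe' }
}

function Get-TokenGroupNames {
    # Names of the groups in the current user's logon token, domain prefix removed.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value -replace '^.*\\', '' }
        catch { }   # skip SIDs that cannot be resolved to a name
    }
}

function Get-RunEntries {
    # Current values under the per-user Run key, as name -> command line.
    $actual = @{}
    $key = Get-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) { $actual[$name] = $key.GetValue($name) }
    }
    $actual
}

function Compare-RunEntries {
    param([hashtable]$Expected, [string[]]$Groups, [hashtable]$Actual)
    # Union of the entries every matching group should deliver to this user.
    $want = @{}
    foreach ($g in $Groups) {
        if ($Expected.ContainsKey($g)) {
            foreach ($k in $Expected[$g].Keys) { $want[$k] = $Expected[$g][$k] }
        }
    }
    $report = @()
    foreach ($k in $want.Keys) {
        if (-not $Actual.ContainsKey($k)) { $report += "MISSING    $k" }
        elseif ($Actual[$k] -ne $want[$k]) { $report += "MISMATCH   $k -> $($Actual[$k])" }
    }
    foreach ($k in $Actual.Keys) {
        # Entries no targeted group explains: review these as unmanaged autostarts.
        if (-not $want.ContainsKey($k)) { $report += "UNEXPECTED $k -> $($Actual[$k])" }
    }
    $report
}

$groups = @(Get-TokenGroupNames)
Compare-RunEntries -Expected $Expected -Groups $groups -Actual (Get-RunEntries)
```

An empty result means the Run key holds exactly what the user's groups are expected to receive.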
 
Awesome, glad it works out for you. I think GPO and GPO preferences are the way to go in the MS world. Makes troubleshooting a lot more consistent.
 