This blog post contains a high-level overview of different types of profiles, considerations for choosing a profile solution for your deployment, highlights of new profile features in Windows Server 2008 R2, and a best practices recommendation for deploying roaming user profiles with folder redirection in a Remote Desktop Services environment.
Below are some basic definitions of the different types of profiles and of folder redirection, as background for the rest of the post.
· Local user profiles
A local user profile is created the first time a user logs on to a computer. The profile is stored on the computer's local hard disk. Changes made to the local user profile are specific to the user and to the computer on which the changes are made.
· Roaming user profiles
A roaming user profile is a copy of the local profile that is copied to, and stored on, a server share. This profile is downloaded to each computer a user logs onto on a network. Changes made to a roaming user profile are synchronized with the server copy of the profile when the user logs off. The advantage of roaming user profiles is that users do not need to create a profile on each computer they use on a network.
· Mandatory user profiles
A mandatory user profile is a type of profile that administrators can use to specify settings for users. Only system administrators can make changes to mandatory user profiles. Changes made by users to desktop settings are lost when the user logs off. Mandatory profiles can be created from roaming or local profiles.
· Temporary user profiles
A temporary user profile is issued each time an error condition prevents the user's profile from loading. Temporary profiles are deleted at the end of each session, and changes made by the user to desktop settings and files are lost when the user logs off. Temporary profiles are only available on computers running Windows 2000 and later.
· Folder redirection
Folder redirection is a client-side technology that provides the ability to change the target location of predetermined folders found within the user profile. This redirection is transparent to the user and gives the user a consistent way of saving their data, regardless of its storage location. Folder redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times because Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.
There are two primary benefits to Folder Redirection as it applies to profile data:
First logon to a machine in a server farm is typically slow because of synchronous Group Policy processing, and subsequent logons are faster because Group Policy processing is asynchronous. In WS08 R2, the GP cache is roamed between the servers of the farm, so users should only experience the delay during the first farm logon and get a faster logon experience on subsequent logons to any member of the farm.
An RDS environment can potentially have hundreds of distinct users. While caching of roaming user profiles is enabled for a better user experience, this profile cache can grow very large and may eventually exhaust the available disk space on the server. Controlling the cache size of individual user profiles may not be effective on the RD Session Host server, because there can be hundreds of new, distinct users.
A new Group Policy setting is available for RDS in WS08 R2 that limits the size of the overall roaming profile cache (located in the %systemdrive%\Users directory). If the size of the profile cache exceeds the configured size, RDS deletes the least recently used copies of roaming profiles until the overall cache goes below the quota. The policy setting is found in the following location: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Profiles\Limit the size of the entire roaming user profile cache.
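The least-recently-used purge described above is performed by the RDS profile code itself; an administrator sizing the quota usually wants to see what the cache currently holds and which copies would go first. The following PowerShell script is an added example, not code from the original post or from Microsoft: it enumerates the cached roaming profiles through the Win32_UserProfile WMI class, measures each folder, and walks the LRU order until the cache would fit under a quota. The quota value and the use of LastUseTime as the LRU key are this example's own assumptions, not a description of the policy's internal implementation.

```powershell
# Added example (not from the original post): report the roaming profile cache on
# an RD Session Host and show which cached copies a least-recently-used purge would
# remove first. The quota below is a hypothetical figure for illustration; the real
# limit comes from the Group Policy setting described above, and the LRU order is
# approximated here by each profile's LastUseTime.
param(
    [int]$QuotaMB = 2048   # hypothetical cache limit in megabytes
)

function Get-FolderSizeMB {
    param([string]$Path)
    $files = Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    if (-not $bytes) { return 0 }
    return [math]::Round($bytes / 1MB, 1)
}

# Win32_UserProfile lists the profiles cached under %SystemDrive%\Users together with
# their last-use timestamp. Loaded (in-session) and special (system) profiles are
# skipped because a purge cannot touch them.
$cached = Get-WmiObject -Class Win32_UserProfile |
    Where-Object { $_.RoamingConfigured -and -not $_.Special -and -not $_.Loaded } |
    ForEach-Object {
        if ($_.LastUseTime) {
            $lastUse = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.LastUseTime)
        } else {
            $lastUse = [DateTime]::MinValue   # never recorded: treat as oldest
        }
        New-Object PSObject -Property @{
            LocalPath = $_.LocalPath
            LastUse   = $lastUse
            SizeMB    = Get-FolderSizeMB -Path $_.LocalPath
        }
    } | Sort-Object LastUse          # oldest first: first candidate for deletion

$cached = @($cached)
$totalMB = ($cached | Measure-Object -Property SizeMB -Sum).Sum
"Cached roaming profiles: {0}, total {1} MB, quota {2} MB" -f $cached.Count, $totalMB, $QuotaMB

# Walk from least recently used until the cache would fit under the quota.
$remainingMB = $totalMB
foreach ($p in $cached) {
    if ($remainingMB -le $QuotaMB) { break }
    "Would be purged: {0} (last used {1}, {2} MB)" -f $p.LocalPath, $p.LastUse, $p.SizeMB
    $remainingMB -= $p.SizeMB
}
"Cache after purge: {0} MB" -f $remainingMB
```

Run it elevated on the RD Session Host (reading other users' profile folders requires administrative rights). Because the script only reports, it is safe to run repeatedly while tuning the quota; if the candidates it lists include profiles that must stay cached for performance, the quota is too low for that host's user population.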
Prior to WS08, many customers downloaded the UPHClean service to prevent profile corruption problems caused by applications and processes that kept connections to registry keys in the user profile open after logoff.
In WS08 and Vista, there is no need for UPHClean because this functionality (and more) is now performed by the User Profile Cleanup Service that is built into the operating system. Thus you will not be able to find a version of this tool for Vista/WS08.
There are three major considerations/trade-offs when deploying user profiles in a Remote Desktop Services environment:
Central management of user data and settings
The comparison below is organized by user data management method.
User data management method: Local user profiles
· Not suitable for RDS farm scenarios
· Faster logon experience
· Does not introduce app compatibility issues
User data management method: Roaming user profiles
· User data and settings backed up centrally
· Recommended in RDS farm scenarios
· Roaming profile is downloaded over the network, which can slow down logon/logoff
· Applications may bloat profile size
User data management method: Mandatory user profiles
· Changes to users' settings are not preserved since a standard profile is applied
· Can be useful in locked-down environments
· Standard profile size ensures consistent logon performance
User data management method: Folder redirection
· User data backed up centrally (but not the registry)
· Used in combination with the different profile types
· Can help improve logon speed when roaming profiles are deployed by reducing the size of the roaming profile
· Redirection of the AppData folder may cause application compatibility issues (details in step 5 below)
Step-by-step best practices guide to deploying profiles on RD Session Host:
Configure roaming user profiles for registry settings and folder redirection for user and application data folders to improve logon and logoff performance while centrally managing user data and settings. It is best to keep the size of roaming user profiles small because they are downloaded at logon and uploaded back to the server at logoff, increasing logon and logoff times.
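A practical check for the configuration recommended in this step is to confirm, from inside a user's session, which profile folders actually left the local profile and which still roam with it. The PowerShell script below is an added example, not code from the original post: it reads the User Shell Folders registry key that folder redirection rewrites, classifies each folder as redirected or still local, and flags AppData redirection because of the application compatibility concern raised above. The friendly-name map and the classification rule (UNC target, or any target outside %USERPROFILE%) are this example's own assumptions.

```powershell
# Added example (not from the original post): audit folder redirection for the
# currently logged-on user by reading the User Shell Folders registry key. Folders
# still inside the local profile will be uploaded with the roaming profile at logoff
# and inflate it; a redirected AppData folder is called out for compatibility testing.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Registry value name -> folder name shown in the report (mapping chosen for this example).
$friendly = @{
    'Personal'    = 'Documents'
    'Desktop'     = 'Desktop'
    'AppData'     = 'AppData\Roaming'
    'Favorites'   = 'Favorites'
    'My Pictures' = 'Pictures'
    'My Music'    = 'Music'
    'My Video'    = 'Videos'
}

function Get-FolderRedirectionReport {
    $values = Get-ItemProperty -Path $key
    $localProfile = $env:USERPROFILE
    foreach ($name in $friendly.Keys) {
        $raw = $values.$name
        if (-not $raw) { continue }
        # The values are REG_EXPAND_SZ; expand again in case a %USERPROFILE% token survived.
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        $redirected = ($path -like '\\*') -or
                      (-not $path.StartsWith($localProfile, 'OrdinalIgnoreCase'))
        if ($name -eq 'AppData' -and $redirected) {
            $note = 'AppData redirected: verify application compatibility'
        } elseif (-not $redirected) {
            $note = 'Still in local profile: roams with the profile'
        } else {
            $note = ''
        }
        New-Object PSObject -Property @{
            Folder     = $friendly[$name]
            Redirected = $redirected
            Target     = $path
            Note       = $note
        }
    }
}

Get-FolderRedirectionReport | Format-Table Folder, Redirected, Target, Note -AutoSize
```

Run it as the user whose session is being checked (the key is under HKCU). A folder reported as still local is a candidate for redirection if it holds bulk user data; Documents, Desktop and Pictures are the usual first targets, while AppData is the one to test carefully before redirecting.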
Lockdown with mandatory profiles:
Remote Desktop farm considerations:
RD Virtualization Host:
Please see the blog post here for information on creating a default profile: http://blogs.technet.com/deploymentguys/archive/2009/10/29/configuring-default-user-settings-full-update-for-windows-7-and-windows-server-2008-r2.aspx
I am setting up remoteapps and plan to use the rdweb for customers to access them over the internet. My question is do I need rdgateway as well?
To provide access over the internet you would also need to configure RD Gateway, unless you already have VPN, DirectAccess or some other solution set up to let clients from the internet access internal company sites/shares/etc.
I am sorry this is still not clear to me. I believe, if the RDweb has an external ip mapped to it and I could access it over the internet, I would not need RDgateway. Is there another reason for RDgateway, say for security, is RDweb secure in of itself? All the documents for RDgateway seem to be written with remote desktop in mind and not remoteapps.
Thank you for your quick response.
Yes, RD Web Access is secure. You can use form-based authentication to connect to RD Web Access and access both desktops and applications.
RDWeb only delivers RDP files and an ActiveX client; it does NOT provide a secure tunnel to an RDSH or VDI host. Without RD Gateway, you'd need to open 3389 to each RDP host, and have a public IP for each. Bad idea, and RD Gateway is free.
> Roaming profiles should be configured separately for each RD session farm. They should not be shared between farms or user’s physical desktops since profile corruption and data loss may occur if a user is simultaneously logged into two machines that load the same user profile.
Sorry, I think I didn't get it. Say we've implemented roaming user profiles enterprise-wide. Is it okay for a user to be simultaneously logged on to his laptop and desktop?
I fully understand that only one version of a roaming user profile can be stored/written at the same time. So if I log off my laptop and then log off my desktop five minutes later, only the set of profile customizations made on my desktop will be present when I log on anywhere next time.
But keeping in mind this limitation I believe that simultaneous log on into different computers with the same roaming profile is supported. So what's wrong if one of these computers is RD Server?
As you mentioned, when you share a profile across a laptop and a desktop, you will lose customizations made on whichever machine you logged off first (since only the last write will be saved). The same applies if that first machine you log off of is the RD server: if you make any customizations during your session, you will lose them when you log off your second machine later. This is very confusing to users (imagine you spent quite a bit of time customizing your Word defaults like font size, colors, etc. in your RD session and then you lose them because your roaming profile is shared with your physical desktop, on which you didn't even use Word). The situation would get even worse if for some reason you didn't redirect your Documents folders via FR; users would then lose data.
Okay, I think I finally got the point.
If we aren't supposed to make (or reliably keep) any profile customizations, there's no real problem being simultaneously logged on to multiple computers (whether they are RD servers or not). But in this case there's nearly no value in centrally stored profiles at all. We could achieve a similar result by just copying the same default profile to all the computers or something like that.
If we expect the profile changes to be saved and want to log on to multiple PCs simultaneously, then it becomes too complex and too hard to educate a user that first he/she needs to log off all the computers except the one from which he/she wants the profile to be finally saved. And the new background profile upload feature (which is certainly a good thing) makes this even more complex.
I have a simple RDP server with about 25 users that does not run Active Directory. Since I can't run Active Directory, I am having trouble finding a way to create profiles for connections to this server using RDP. When I ask, I am always told to just use Active Directory, but I can't. Is there a way to do this without using Active Directory?
Does anyone know how to lock down roaming profiles for Remote Desktop Services?
Profiles are stored on a network drive, and currently if an authenticated user browses to that UNC, they can see everyone's profiles. Ideally I would like for someone to only see their own folder.
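The exposure described in the comment above comes from the NTFS permissions on the profile share root rather than from the profile mechanism itself. The script below is an added example, not code from the original post or from any commenter: it applies the permission model Microsoft documents for a roaming profile share root, where Authenticated Users may only list the root and create a subfolder, and CREATOR OWNER receives full control on the subfolders and files only, so a user's profile folder is created and owned by that user alone. The local path and the group names are placeholders for this example.

```powershell
# Added example (not from the original post or any commenter): set NTFS permissions
# on the root of a roaming profile share so that each user controls only the
# profile folder they create. $shareRoot is a hypothetical path for this example.
$shareRoot  = 'D:\Profiles'
$adminGroup = 'BUILTIN\Administrators'

# Start from a clean ACL: stop inheriting from the parent and drop inherited ACEs,
# so nothing permissive from the volume root leaks onto the profile folders.
$acl = Get-Acl -Path $shareRoot
$acl.SetAccessRuleProtection($true, $false)

$rules = @(
    # Administrators: full control on the root and everything below.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $adminGroup, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'),
    # SYSTEM: full control, since the profile service on clients runs as SYSTEM.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'),
    # Authenticated Users: list folder and create folders, this folder only.
    # Nothing inherits downward, so they cannot open other users' folders.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\Authenticated Users', 'ListDirectory, CreateDirectories', 'None', 'None', 'Allow'),
    # CREATOR OWNER: full control on subfolders and files only (InheritOnly), so the
    # user who creates a profile folder at first logon owns and controls it.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'CREATOR OWNER', 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $shareRoot -AclObject $acl

# Verify the resulting ACL.
(Get-Acl -Path $shareRoot).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

With these permissions a user can still see the names of other users' folders when browsing the root, because ListDirectory on the root is required to create their own. Hiding the names as the comment asks requires Access-based Enumeration on the share in addition to the NTFS ACL; on Windows Server 2008 R2 it is enabled per share in Share and Storage Management, and on Windows Server 2012 and later with Set-SmbShare -FolderEnumerationMode AccessBased. Apply the ACL before the first user logs on, since existing folders created under a looser ACL keep their inherited entries until reset.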