
Configuring Active Directory GPOs in a VDI environment


Brad Maltz, Contributor
06.23.2009




Bringing virtual desktops into your enterprise may require a new approach to your desktop management and deployment methods. One of the most significant configurations to focus on during installation is the GPO for VDI OS images.

When beginning a new deployment, it's important to consider how the images will be managed. As a best practice, you should simplify down to one or two images. All typical configuration options and security settings need to be done through Active Directory Organizational Units (ADOUs) and Group Policies. Therefore, when creating virtual desktops in any VDI solution, the desktops should be deployed into predefined Organizational Units (OUs).

Forming predefined OUs with associated Group Policy Objects (GPOs) should be a common practice for any VDI installation. Configuring OUs in Active Directory allows the administrator full control over all settings associated with the desktop, along with the users' desktop experience. Another benefit to this setup is that the VDI deployment can then use technology that has been available in any Microsoft network for many years.

Once the OUs are created and a GPO is applied to them, the virtual desktops are to be placed in these organizational units as they are created. The following example use cases show how Active Directory GPOs accomplish the configuration tasks discussed above.

Use Case 1: The Call Center desktop
Description:

  • A group of virtual desktops is to be created for about 100 users. These users are lower level Windows users that are to be restricted from viewing certain menus in Windows.
  • The Start Menu is to be pared down to remove the Run Menu, Help Menu and Network Places.
  • The desktop type is to be non-persistent. (Meaning, when a user logs off and logs back in to the desktop, it will be clean).

Active Directory configuration:

  1. Create a new OU called "CallCenterVD".
  2. Then create a Group Policy for this OU. The settings that are to be configured for this GPO are:
    • Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment
      • Allow Log On Through Terminal Services = "Domain Users"
        (This is done so anyone can log-in that has domain rights, but the real desktop login control will be done through the VDI solution Connection Broker)
    • User Configuration → Administrative Templates → Start Menu and Taskbar
      • Remove Run Menu from Start Menu = Enable
      • Remove Help Menu from Start Menu = Enable
      • Prevent Changes to Taskbar and Start Menu = Enable
      • Remove and Prevent Access to Shutdown Command = Enable
        (This only allows users to log-off)
    • User Configuration → Administrative Templates → Control Panel
      • Prohibit Access to Control Panel = Enable
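
The Use Case 1 steps above can also be scripted. The following PowerShell is an added example, not part of the original tip: it creates the "CallCenterVD" OU, creates and links a GPO, and sets the five user-side restrictions through their registry-backed policy values. The domain DN and the GPO name are placeholders chosen for illustration, and the RSAT ActiveDirectory and GroupPolicy modules are assumed to be installed.

```powershell
# Added example: build the Use Case 1 OU and GPO with the RSAT modules.
Import-Module ActiveDirectory, GroupPolicy

$DomainDN = 'DC=example,DC=com'       # assumption: placeholder domain
$OuName   = 'CallCenterVD'            # OU name from the article
$GpoName  = 'CallCenterVD-Lockdown'   # hypothetical GPO name
$OuDN     = "OU=$OuName,$DomainDN"

# Step 1: create the OU only if it does not already exist.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
        -SearchBase $DomainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN `
        -ProtectedFromAccidentalDeletion $true
}

# Step 2: create the GPO if missing, then link it to the OU once.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Call center VDI restrictions'
}
$linked = (Get-GPInheritance -Target $OuDN).GpoLinks |
            Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null
}

# User Configuration settings from the article, as Explorer policy values.
$ExplorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UserPolicies = [ordered]@{
    NoRun          = 'Remove Run Menu from Start Menu'
    NoSMHelp       = 'Remove Help Menu from Start Menu'
    NoSetTaskbar   = 'Prevent Changes to Taskbar and Start Menu'
    NoClose        = 'Remove and Prevent Access to Shutdown Command'
    NoControlPanel = 'Prohibit Access to Control Panel'
}
foreach ($name in $UserPolicies.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $ExplorerKey `
        -ValueName $name -Type DWord -Value 1 | Out-Null
}

# Read the values back so a missing or wrong setting is visible at once.
foreach ($name in $UserPolicies.Keys) {
    $v = Get-GPRegistryValue -Name $GpoName -Key $ExplorerKey -ValueName $name
    '{0,-15} = {1}   # {2}' -f $name, $v.Value, $UserPolicies[$name]
}

# "Allow Log On Through Terminal Services" is a security-template setting,
# not a registry policy, so it is still set in the Group Policy editor.
```

Because the OU holds computer objects, these User Configuration settings reach a user logging on to one of its desktops only if loopback processing is enabled on the GPO or the user accounts are themselves in scope of it. `gpresult /r` run on a deployed desktop shows which GPOs were actually applied.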

Use Case 2: The typical IT employee
Description:

  • A group of virtual desktops is to be created for about 20 IT administrators. The user is a higher-level user that is to be allowed full access.
  • The desktop type is to be persistent. (When a user logs on, their profile and other user settings are to be redirected to a home directory. When they log off and log back in, the profile will not need to roam between desktops, and they will have their desktop with all saved settings and options.)

Active Directory configuration:
  1. Create a new OU called "PersistentITVD".
  2. Then create a Group Policy for this OU. The settings that are to be configured for this GPO are:
    • Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment
      • Allow Log On Through Terminal Services = "Domain Users"
        (This is done so anyone can log-in that has domain rights, but the real desktop login control will be done through the VDI solution Connection Broker)
    • User Configuration → Windows Settings → Folder Redirection
      • Application Data = Basic, Target Folder = Redirect to Following Location, Root Path = \\<FileShare>\<VDIHOMEDIR>\<AppData>
      • Desktop = Basic, Target Folder = Redirect to Following Location, Root Path = \\<FileShare>\<VDIHOMEDIR>\<DesktopSettings>
      • My Documents = Basic, Target Folder = Redirect to Users Home Directory
      • Start Menu = Basic, Target Folder = Redirect to Following Location, Root Path = \\<FileShare>\<VDIHOMEDIR>\<StartMenuSettings>
    • Computer Configuration → Administrative Templates → Offline Files
      • Allow or disallow use of the Offline Files feature = Disabled

These two use case examples are only the beginning of what a virtual desktop planning session needs to contain for OU creation. There are many features and controls in Active Directory that allow the VDI administrator to design numerous configurations. Keep in mind that sometimes a simpler configuration is better, as complexity can cause problems with any deployment.

ABOUT THE AUTHOR:   
Brad Maltz
Brad Maltz is CTO of International Computerware, a national consulting firm focused on virtualization and storage technologies. He holds certifications from VMware and EMC for many technologies. Brad can be reached at bmaltz@iciamerica.com for any questions, comments or suggestions.
