Bringing virtual desktops into your enterprise may require a new approach to your desktop
management and deployment methods. One of the most significant configurations to focus on during
installation is the GPO applied to the VDI OS images.
When beginning a new deployment, it is important to consider how the images will be managed. As a
best practice, standardize on one or two images. All typical configuration options and security
settings should be applied through Active Directory Organizational Units (OUs) and Group Policies.
Therefore, when creating virtual desktops in any VDI solution, the desktops should be deployed into
predefined OUs.
Creating predefined OUs with associated Group Policy Objects (GPOs) should be common practice for
any VDI installation. Configuring OUs in Active Directory gives the administrator full control over
all settings associated with the desktop, along with the users' desktop experience. Another benefit
of this setup is that the VDI deployment can use technology that has been available in any Microsoft
network for many years.
Once the OUs are created and a GPO is applied to each, virtual desktops are placed in those OUs at
the time they are created. The following are example use cases showing how Active Directory GPOs
accomplish the configuration tasks discussed above.
Use Case 1: The Call Center desktop
Description:
- A group of virtual desktops is to be created for about 100 users. These are lower-level Windows
  users who are to be restricted from viewing certain menus in Windows.
- The Start Menu is to be pared down to remove the Run menu, Help menu and Network Places.
- The desktop type is to be non-persistent (meaning that when a user logs off and logs back in, the
  desktop is clean).
Active Directory configuration:
- Create a new OU called "CallCenterVD".
- Then create a Group Policy for this OU. The settings to configure in this GPO are:
  - Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights
    Assignment
    - Allow Log On Through Terminal Services = "Domain Users"
      (This is done so anyone with domain rights can log in, but the real desktop login control
      is done through the VDI solution's Connection Broker.)
  - User Configuration → Administrative Templates → Start Menu and Taskbar
    - Remove Run Menu from Start Menu = Enable
    - Remove Help Menu from Start Menu = Enable
    - Prevent Changes to Taskbar and Start Menu = Enable
    - Remove and Prevent Access to Shutdown Command = Enable
      (This only allows users to log off.)
  - User Configuration → Administrative Templates → Control Panel
    - Prohibit Access to Control Panel = Enable
Use Case 2: The typical IT employee
Description:
- A group of virtual desktops is to be created for about 20 IT administrators. These are
  higher-level users who are to be allowed full access.
- The desktop type is to be persistent. (When a user logs on, their profile and other user settings
  are redirected to a home directory. When they log off and log back in, the profile does not need to
  roam between desktops, and they get their desktop back with all saved settings and options.)
Active Directory configuration:
- Create a new OU called "PersistentITVD".
- Then create a Group Policy for this OU. The settings to configure in this GPO are:
  - Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights
    Assignment
    - Allow Log On Through Terminal Services = "Domain Users"
      (This is done so anyone with domain rights can log in, but the real desktop login control
      is done through the VDI solution's Connection Broker.)
  - User Configuration → Windows Settings → Folder Redirection
    - Application Data = Basic, Target Folder = Redirect to Following Location, Root Path =
      \\<FileShare>\<VDIHOMEDIR>\<AppData>
    - Desktop = Basic, Target Folder = Redirect to Following Location, Root Path =
      \\<FileShare>\<VDIHOMEDIR>\<DesktopSettings>
    - My Documents = Basic, Target Folder = Redirect to Users Home Directory
    - Start Menu = Basic, Target Folder = Redirect to Following Location, Root Path =
      \\<FileShare>\<VDIHOMEDIR>\<StartMenuSettings>
  - Computer Configuration → Administrative Templates → Network → Offline Files
    - Allow or disallow use of the Offline Files feature = Disabled
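As an added example (not from the original article), the following PowerShell builds the OUs and GPOs for both use cases with the ActiveDirectory and GroupPolicy modules; the GPO names, placing the OUs at the domain root, and the registry values behind each Administrative Template setting are assumptions. The User Rights Assignment and Folder Redirection settings are not registry-backed policies, so they are left to the Group Policy Management Console.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Domain DN to create the OUs under (assumption: OUs sit at the top level of the domain).
$domainDN = (Get-ADDomain).DistinguishedName

# Use Case 1: Explorer policy key behind the Start Menu and Control Panel settings (assumed mapping).
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$callCenterSettings = @{
    NoRun          = 1   # Remove Run menu from Start Menu
    NoSMHelp       = 1   # Remove Help menu from Start Menu
    NoSetTaskbar   = 1   # Prevent changes to Taskbar and Start Menu settings
    NoClose        = 1   # Remove and prevent access to the Shut Down command
    NoControlPanel = 1   # Prohibit access to Control Panel
}

function New-VdiOuWithGpo {
    # Create the OU if missing, create the GPO if missing, and link the GPO to the OU.
    param(
        [Parameter(Mandatory)][string]$OuName,
        [Parameter(Mandatory)][string]$GpoName
    )
    $ouDN = "OU=$OuName,$domainDN"
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $OuName -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
    # New-GPLink errors if the link already exists; ignore that so the script is re-runnable.
    New-GPLink -Name $GpoName -Target $ouDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

# Use Case 1: CallCenterVD, restricted non-persistent desktops.
$gpo1 = New-VdiOuWithGpo -OuName 'CallCenterVD' -GpoName 'VDI-CallCenter-Lockdown'
foreach ($entry in $callCenterSettings.GetEnumerator()) {
    Set-GPRegistryValue -Name $gpo1.DisplayName -Key $explorerKey -ValueName $entry.Key `
        -Type DWord -Value $entry.Value | Out-Null
}

# Use Case 2: PersistentITVD, disable Offline Files (assumed policy location: NetCache\Enabled = 0).
$gpo2 = New-VdiOuWithGpo -OuName 'PersistentITVD' -GpoName 'VDI-PersistentIT'
Set-GPRegistryValue -Name $gpo2.DisplayName -Key 'HKLM\Software\Policies\Microsoft\Windows\NetCache' `
    -ValueName 'Enabled' -Type DWord -Value 0 | Out-Null

# Verify: show which GPOs are linked to each OU and whether the links are enabled.
foreach ($ou in 'CallCenterVD', 'PersistentITVD') {
    (Get-GPInheritance -Target "OU=$ou,$domainDN").GpoLinks |
        Select-Object @{ n = 'OU'; e = { $ou } }, DisplayName, Enabled, Enforced
}
```

Run from a domain-joined management host with RSAT installed and rights to create OUs and GPOs; after the desktops are provisioned into the OUs, gpresult /r on a desktop confirms the policies actually applied.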
These two use case examples are only the beginning of what a virtual desktop planning session
needs to contain for OU creation. There are many features and controls in Active Directory that
allow the VDI administrator to design numerous configurations. Keep in mind that sometimes a
simpler configuration is better, as complexity can cause problems with any deployment.
ABOUT THE AUTHOR:
Brad Maltz is CTO of International Computerware, a national consulting firm focused on
virtualization and storage technologies. He holds certifications from VMware and EMC for many
technologies. Brad can be reached at [email protected] for any
questions, comments or suggestions.