Virtual Desktop.com

Configuring Active Directory GPOs in a VDI environment

By Brad Maltz

Bringing virtual desktops into your enterprise may require a new approach to your desktop management and deployment methods. One of the most significant configurations to focus on during installation is the GPO for VDI OS images.

When beginning a new deployment, it's important to consider how the images will be managed. As a best practice, you should simplify down to one or two images. All typical configuration options and security settings need to be done through Active Directory Organizational Units (ADOUs) and Group Policies. Therefore, when creating virtual desktops in any VDI solution, the desktops should be deployed into predefined Organizational Units (OUs).

Forming predefined OUs with associated Group Policy Objects (GPOs) should be a common practice for any VDI installation. Configuring OUs in Active Directory gives the administrator full control over all settings associated with the desktop, along with the users' desktop experience. Another benefit of this setup is that the VDI deployment can then use technology that has been available in any Microsoft network for many years.

Once the OUs are created and a GPO is applied to them, the virtual desktops are placed in these organizational units as they are created. The following example use cases show how Active Directory GPOs have accomplished the configuration tasks discussed above.

Use Case 1: The Call Center desktop
Description:

Active Directory configuration:

  1. Create a new OU called "CallCenterVD".
  2. Then create a Group Policy for this OU. The settings that are to be configured for this GPO are:
    • Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment
      • Allow Log On Through Terminal Services = "Domain Users"
        (This is done so anyone who has domain rights can log in, but the real desktop login control will be done through the VDI solution Connection Broker)
    • User Configuration → Administrative Templates → Start Menu and Taskbar
      • Remove Run Menu from Start Menu = Enable
      • Remove Help Menu from Start Menu = Enable
      • Prevent Changes to Taskbar and Start Menu = Enable
      • Remove and Prevent Access to Shutdown Command = Enable
        (This only allows users to log-off)
  3. User Configuration → Administrative Templates → Control Panel
    • Prohibit Access to Control Panel = Enable
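
The Use Case 1 steps can also be scripted. The following is an added example, not part of the original article: it creates the OU and GPO, links them, and sets the five User Configuration policies through the registry values those Administrative Template settings write. The GPO name `CallCenterVD-Lockdown` is hypothetical, and the OU is assumed to sit directly under the domain root. "Allow Log On Through Terminal Services" is not included because it is stored in the GPO's security template rather than as a registry policy, so it is still set in the Group Policy editor.

```powershell
# Added example: builds the Use Case 1 OU and GPO with the ActiveDirectory and
# GroupPolicy modules (RSAT). Run as an account allowed to create OUs and GPOs.
Import-Module ActiveDirectory, GroupPolicy

$ouName   = 'CallCenterVD'                      # OU name from the article
$gpoName  = 'CallCenterVD-Lockdown'             # hypothetical GPO name
$domainDn = (Get-ADDomain).DistinguishedName    # assumption: OU lives at the domain root
$ouDn     = "OU=$ouName,$domainDn"

# Step 1: create the OU unless it already exists.
$existingOu = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
    -SearchBase $domainDn -SearchScope OneLevel
if (-not $existingOu) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn `
        -ProtectedFromAccidentalDeletion $true
}

# Step 2: create the GPO and link it to the OU.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Call center virtual desktop lockdown' | Out-Null
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# User Configuration settings, keyed by the registry value each policy writes.
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policies = [ordered]@{
    NoRun          = 'Remove Run Menu from Start Menu'
    NoSMHelp       = 'Remove Help Menu from Start Menu'
    NoSetTaskbar   = 'Prevent Changes to Taskbar and Start Menu'
    NoClose        = 'Remove and Prevent Access to Shutdown Command'
    NoControlPanel = 'Prohibit Access to Control Panel'
}
foreach ($valueName in $policies.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $explorerKey `
        -ValueName $valueName -Type DWord -Value 1 | Out-Null
}

# Read each value back from the GPO and stop if any is missing or not enabled.
foreach ($valueName in $policies.Keys) {
    $setting = Get-GPRegistryValue -Name $gpoName -Key $explorerKey `
        -ValueName $valueName -ErrorAction Stop
    if ($setting.Value -ne 1) {
        throw "$($policies[$valueName]) is not enabled in $gpoName"
    }
    '{0,-16} = {1}  ({2})' -f $valueName, $setting.Value, $policies[$valueName]
}
```

Because these are User Configuration settings in a GPO linked to an OU that holds computer accounts, confirm with `gpresult` on a deployed desktop that they actually reach the logged-on user.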

Use Case 2: The typical IT employee
Description:

Active Directory configuration:

  1. Create a new OU called "PersistentITVD".
  2. Then create a Group Policy for this OU. The settings that are to be configured for this GPO are:
    • Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment
      • Allow Log On Through Terminal Services = "Domain Users"
        (This is done so anyone can log-in that has domain rights, but the real desktop login control will be done through the VDI solution Connection Broker)
  3. User Configuration → Windows Settings → Folder Redirection
    • Application Data = Basic, Target Folder = Redirect to Following Location, Root Path = \\<FileShare>\<VDIHOMEDIR>\<AppData>
    • Desktop = Basic, Target Folder = Redirect to Following Location, Root Path = \\<FileShare>\<VDIHOMEDIR>\<DesktopSettings>
    • My Documents = Basic, Target Folder = Redirect to Users Home Directory
    • Start Menu = Basic, Target Folder = Redirect to Following Location, Root Path = \\<FileShare>\<VDIHOMEDIR>\<StartMenuSettings>
  4. Computer Configuration → Administrative Templates → Offline Files
    • Allow or disallow use of the Offline Files feature = Disabled

These two use case examples are only the beginning of what a virtual desktop planning session needs to contain for OU creation. There are many features and controls in Active Directory that allow the VDI administrator to design numerous configurations. Keep in mind that sometimes a simpler configuration is better, as complexity can cause problems with any deployment.


ABOUT THE AUTHOR:
Brad Maltz is CTO of International Computerware, a national consulting firm focused on virtualization and storage technologies. He holds certifications from VMware and EMC for many technologies. Brad can be reached at [email protected] for any questions, comments or suggestions.

23 Jun 2009
