Understanding Windows Group Policy management for virtual desktops

Windows Group Policy management can help you keep virtual desktops and their profiles consistent. Just watch out for disk consumption.

Windows Group Policy is a great way to apply consistency to a group of virtual desktops.

Virtual desktop infrastructure (VDI) is made up of numerous desktops that a group of users accesses. One of the challenges is to minimize the number of different base VM builds required to run those virtual desktops. IT must maintain and update each image separately, so the fewer images there are, the less work for administrators.

IT can use a variety of tools that allow different groups of users to use the same base image. Application virtualization technology, for instance, can set a standard build for applications that a small subset of users accesses. Group Policy is another way to apply unique settings to groups of desktops based on who is using them or which desktop a user is accessing.

What's Windows Group Policy got to do with it?

Group Policy is one of the cornerstones of a good desktop management strategy. VDI is a great fit for Windows Group Policy management because there is little variation between the OS and application builds in each desktop, making it easy to apply Group Policies consistently. Plus, the desktop VMs are all in the data center with high-speed connectivity to domain controllers that hold the Group Policy, making Group Policy application even more reliable.

There are a number of things IT can control through Windows Group Policy management in a VDI environment. It starts with managing user profiles and maintaining consistency among them.

Roaming profile paths. First, set up a roaming profile location. This allows the changes users make to their desktops to persist even when the desktop VM does not.

A useful Group Policy setting is to have a different roaming profile path when users log on to virtual desktops or their original desktops, especially during the migration phase or for staff who only use VDI for part of their jobs. This way, the VDI roaming profile doesn't get contaminated with a legacy profile and vice versa. It's also useful when the old desktop doesn't use roaming profiles. If you didn't like roaming profiles with Windows XP it might be time to try again with Windows 7 and VDI.

Profile size. You can also use Windows Group Policy to minimize the Windows roaming profile size, which directly affects desktop logon and logoff times. Implementing folder redirection keeps the profile size down. The user's My Documents, Favorites and other data files can remain on a network file share yet appear in their usual locations inside Windows. Every megabyte of redirected files saves storage transactions inside the VM, providing a fast logon that users greatly appreciate.

The redirected files also reduce the growth of virtual desktop disk files, because these contain every file that is copied into the VM. Fewer user data files copied means less disk file growth.

More on Windows Group Policy management

Changes to Group Policy in Windows Server 2012

Managing Terminal Services with Group Policy

Group Policy preferences that can replace logon scripts

User restrictions. Another common use for Windows Group Policy with VDI is to restrict users, protecting them from doing damaging things that IT told them not to do. One restriction is hiding the C: drive in Windows Explorer, so they cannot accidentally save files to a location that isn't going to be there when they next log on.

Group Policy can also hide the Start Menu options such as Shutdown and Disconnect so users don't leave their desktops in the wrong state. There are other Group Policy settings to remove the run command from the Start Menu and limit which Control Panel items the user is able to access.

Branding the desktop. You can also use Windows Group Policy for corporate branding, applying the same desktop background and screen saver to every desktop. Just make sure you find a balance between fully branding the desktop and ensuring an enjoyable end-user experience on the virtual desktop. Also keep in mind that using drawn images rather than photos for the desktop background is much more remote-display friendly because they compress better.

Assigning applications. Group Policy inherits group membership from Active Directory, so you can use Group Policy to assign new applications to users automatically, even when they move to a new role or project. Most VDI products also allow you to connect users to a printer that is close to their desk when they log on, which is especially useful for staff that work from multiple offices over the course of a week or month.

How Group Policy affects disk usage

Be aware that applying Group Policy to a desktop is not completely free of charge. It won't cost you money, but there is a disk transaction impact whenever the Group Policies are refreshed -- by default every 90 minutes.

That isn't a concern on a PC with its own hard disk but in a VDI environment hundreds of desktops share a set of disks, so overwhelmed disks can be a problem that affects every desktop. If there are settings that apply to every desktop and will seldom change, then they should be applied to the master VM image's registry.

A VDI deployment is an ideal place to use Windows Group Policy to manage user profiles, restrictions and applications, especially for large numbers of desktops and users. Group Policy settings help make the desktop VMs disposable while maintaining the uniqueness of the user's desktop environment -- and delivering on the “better management” promise of VDI.

Dig Deeper on Virtual desktop management