When working in a Windows and Citrix environment, things can get a little complicated. It’s not super complicated, but just complicated enough that a simple setting change makes all the difference in when a profile is copied locally or to a remote location. Allow me to explain using my history of profiles.
Up until virtual desktops were deployed at work, all profiles were local. Anyone who logged onto another machine had no files and no appdata. This was perfectly fine since we had the idea that each person pretty much had their own computer. Well, introduce XenDesktop 5, with no PvD and randomly pooled desktops. In this case, you must enable folder redirection or use Citrix Profile Manager. After some issues, we went with folder redirection via GPO. This worked fine for the most part, except everything was redirected. EVERYTHING. This caused conflicts with appdata and link folders when applications installed stuff to them. Now, after this had been in place for a year or so, I came into the picture and decided to rebuild the virtual environment from the ground up. New folder redirection scheme, new file server, etc. I introduced folder redirection as well, only I redirected just part of the profile:
- Desktop (Because local government employees like sticking large files on the desktop instead of an organized folder)
That was it. The reasoning behind not redirecting appdata was simple. We are small enough that we do not need to do this, and it can and will conflict with other computers down the road. It is nice because a lot of data transfers nicely, but it has the potential to be disastrous.
Anyone who has configured folder redirection knows that it is user based. I knew that when I first set it up, and it caused me some grief. Our AD environment was set up to be organized as best as possible. Servers, physical machines, virtual machines, and employees all got their own OUs that allowed me to assign proper policies on a very detailed level. The employee structure went something along the lines of building->department->user sections. Since our structure as a city was set up based on buildings, we don’t have accountants in the police department and public works. They are in one location, which makes our structure very easy to set up. So under each department (if configured with virtual desktops) was an OU for folder redirection. This effectively split up our users. No problem really, they are already organized under their department OU. The problem is when a user with folder redirection logs onto another computer. For the most part, their profile is redirected just fine, and it works. In cases with laptops and computers with slow connections, such as VPNs, it makes management a nightmare. So I went ahead and tried to find a solution, which involved pulling a WMI request for whether the computer was a server (for worker servers) or a laptop. If it was, overwrite their policy for a redirected profile and assign a local one. This pretty much doubled the login time. We kept this policy in place for a number of months until recently, when I got fed up with some weird issue that kept copying my redirected profile to a local one and removing it from the server. I finally began to research other options.
Well, I found something that works perfectly for our company. Folder redirection based on computers. Now, before you ask yourself, isn’t this what he did before? Well… it kind of is, but this one is a lot better. I’ll explain.
Using the power of GPO loopback, I can assign user options to anyone who logs onto a computer. Can you see where I am going from here? Basically, if any user logs onto a computer that has folder redirection enabled (app servers and virtual desktops), then give them a redirected profile. While this does now make two profiles in some cases, it is way easier to manage than hunting down a lost profile that has been copied to a local machine. In addition, over time, desktops may have folder redirection enabled by default. This will allow for even better integration. But for the time being, it allows me to have tight control on which machines can get redirection and which ones cannot. Obviously, Windows tablets and laptops need local profiles (because I do not like offline files) and simply need to be in an OU that does not allow folder redirection. What makes it better is when John Doe wants to use Suzanne’s laptop, he won’t get redirected either.
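For anyone who wants to try the loopback setup described above, here is a PowerShell sketch using the GroupPolicy and ActiveDirectory modules. It is an added example, not the configuration from this environment: the GPO name, the OU path, and the choice of Merge mode are all assumptions, since the post does not state them.

```powershell
# Added example: every name below is a hypothetical placeholder, not a value from the post.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName    = 'Loopback - Folder Redirection'                         # hypothetical GPO name
$ComputerOU = 'OU=Virtual Desktops,OU=Computers,DC=example,DC=org'    # hypothetical computer OU
$Mode       = 'Merge'    # assumption: 'Merge' or 'Replace'; the post does not say which

# Loopback is a computer-side policy stored as UserPolicyMode:
#   1 = Merge   (user's own GPOs apply, then this GPO's user settings win on conflict)
#   2 = Replace (only user settings from GPOs that apply to the computer are used)
$modeValue = @{ Merge = 1; Replace = 2 }[$Mode]
$key       = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Create the GPO once; reuse it on later runs.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Loopback for computer-based folder redirection'
}

# Turn on loopback processing in the GPO's computer configuration.
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode' `
    -Type DWord -Value $modeValue | Out-Null

# Link the GPO to the OU holding the machines that should redirect (and only those).
$linked = (Get-GPInheritance -Target $ComputerOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $ComputerOU -LinkEnabled Yes | Out-Null
}

# Verify the stored value, then list every computer now in scope so that a laptop
# or tablet sitting in the wrong OU is caught before users log on to it.
$stored = Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode'
"Loopback mode value in GPO: $($stored.Value)"

Get-ADComputer -SearchBase $ComputerOU -Filter * -Properties OperatingSystem |
    Sort-Object Name |
    Select-Object Name, OperatingSystem, DistinguishedName
```

The folder redirection targets themselves still have to be set in the same GPO through the Group Policy Management Editor (User Configuration > Policies > Windows Settings > Folder Redirection), because they are not registry-based settings.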
All in all, this choice has helped me un-clutter my AD environment and improve login times. It gives me a better degree of control on when profiles are redirected and when they are not. While this solution is not for everyone, it works for me, and I think we will continue to use it.