Blocking TS Profile Path

[blueboy1894]

Hi

I'm basically in the middle of a migration programme and have a weird, temporary Terminal Services environment I need to support. The usual behaviour is that the Terminal Services profile tab in the AD object is filled in with the user's path to their profile folder so that the user can log onto either TS in its NLB cluster and receive its profile OK.

I now have a third Terminal Server in another domain in the AD Forest I wish to have users log onto and NOT receive their profile, as this server has been built in a substantially different fashion, and indeed, supports a different set of apps.

The NLB cluster has its own OU, with a GPO attached to it. If I remove the profile path from the AD User and specify the TS Profile share in the Group Policy then log the user on the profile type changes from Roaming to Local. Is this right? Previously the profile showed up as Roaming.

If I leave the path in the AD User then all Terminal Servers, including the third server receives the profile, which I don't want.

How do I ensure that only the Terminal Servers with the NLB GPO in the NLB OU receive the TS Profile?

[AdamV]

It sounds wrong to me, but I have not done it this way personally.

Is this pointing to the share which already existed? If there are any permission issues and the user can't connect to <share you define in the policy>\username you might come unstuck and get bumped down to a regular local profile. ANd you shoudl not use any kind of placeholder like %username% in the policy setting

Do you have folders already for these profiles, and are they named exactly the same as the username?

Alternative might be to flip this round and leave the AD properties and use this GP set to disable and applied to your new server in the other domain

[blueboy1894]

Hi Adam, thanks for posting back.

Found it - basically this was all down to which GPOs were being applied from which DC in which domain.

The Terminal Servers are currently in Domain A. I am migrating Users to Domain B which is a child domain of Domain C. Users in Domain B still needed to access the Terminal Servers in Domain A (until the servers are migrated to Domain B - there are still other users in Domain A waiting to be migrated) and still receive their TS profile, but not receive it in Domain C's Terminal Servers.

I forgot that the GPO for Domain A's Terminal Servers is still applied from the DC in Domain A, until the servers are moved, not Domain B. The GPO for Domain C's Terminal Servers is applied for Domain B's users from Domain B (I have filtered it for the computernames). When I removed the TS Profile path from the user object in Domain B, and updated BOTH domains' GPO's everything works OK. To fool Domain C's Terminal Servers into using a local profile, I entered a non-existent sharename into the GPO - as a result, you only get a local profile. I will eventually install the relevant hotfix to ensure that I can specify a mandatory profile for any users logging onto Domain C's Terminal Servers from Domain B.

Confusing but just needed a good examine with gpresult.

Ta