Differences between Roaming Profiles and ProfileImagePath

We have an RDS cluster; everything is working fine.

We use roaming profiles, redirection to a share is working as well.

When a user logs on to any RDS node we can see a user folder appear in E:\Users\ of the RDS Server.

When I checked the registry, I can see 2 keys about profiles:
– you can see that the redirection is OK: CentralProfile (in my example \\Sharename\…)
– you can see a ProfileImagePath to E:\Users

So what is :
– A ProfileImagePath ?
– A CentralProfile ?

E:\Users\<username> is the local cache of the roaming profile.  I’ve never seen a setting to avoid caching of the profile on the local system entirely.

There is a group policy setting to automatically delete the cached copy upon user logout. It’s under Computer Configuration->Policies->Administrative Templates->System->User Profiles->Delete cached copies of roaming profiles.

Plus side: this avoids using disk space for cached copies of the users' profiles.

Down side:
It will probably increase the logon time, as the full profile will have to be copied every time.
When testing, this also cleared out the cache of a custom application which didn't write back to the roaming profile.

Group Policy – Add the Administrator security group to roaming users profiles

Tested on Windows 2008 R2

Create a GPO – “Add the Administrator security group to roaming users profiles”

The setting is under “Computer Configuration > Policies > Administrative Templates > System > User Profiles” and applies to Windows XP / 2003 or later.

Add the Administrator security group to roaming users profiles

This setting adds the Administrators group ACL to the user's roaming profile path on the server when it is first created.

Administrators are able to view users' profiles without the need to take ownership.

Enable this option as soon as possible: the setting does NOT apply retrospectively to existing users' profiles. It only adds the Administrators group to the profile when the roaming profile is created on the server for the first time.

Original detail posted by Alan Burchill

 

Check if an AD user has a roaming profile configured (PowerShell) – OneScript Team


This script queries the specified Active Directory users and reports whether or not a roaming profile is configured for each of them.

Scenarios

IT admins may want to know which users have a roaming profile configured. This script helps IT admins check whether or not a roaming profile is configured.

Script

Step 1: Run the script in the Windows PowerShell Console, type the command: Import-Module <Script Path> at the prompt.  For example, type Import-Module C:\Script\CheckIfProfileExists.psm1

This is shown in the following figure.

Step 2: Type the command Get-Help Get-OSCADUserRoamingProfile -Full to display the entire help file for this function, such as the syntax, parameters, or examples.

OneScript Team
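The same check can be made with the built-in ActiveDirectory module. This is an added example, not the OneScript module's code; the function name Get-RoamingProfileStatus and the sample account names are hypothetical, and it assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module installed.

```powershell
# Added example (not the OneScript module): uses Get-ADUser from the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RoamingProfileStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$SamAccountName
    )
    process {
        foreach ($name in $SamAccountName) {
            try {
                # ProfilePath is not returned by default, so request it explicitly.
                $user = Get-ADUser -Identity $name -Properties ProfilePath -ErrorAction Stop
                [pscustomobject]@{
                    SamAccountName    = $user.SamAccountName
                    Found             = $true
                    HasRoamingProfile = -not [string]::IsNullOrEmpty($user.ProfilePath)
                    ProfilePath       = $user.ProfilePath
                }
            }
            catch {
                # Unknown account or directory error: report it instead of stopping the run.
                [pscustomobject]@{
                    SamAccountName    = $name
                    Found             = $false
                    HasRoamingProfile = $false
                    ProfilePath       = $null
                }
            }
        }
    }
}

# Constructed sample account names; replace with real ones.
'jsmith', 'adoe' | Get-RoamingProfileStatus | Format-Table -AutoSize
```

ProfilePath is the value on the account's Profile tab. The path set on the Remote Desktop Services Profile tab is stored separately and is not covered by this check.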

Temp Profile issue 2008 R2 RDS using roaming profiles

Issue
Some of our users keep getting logged on with a temporary profile.

Scenario
We have an RDS cluster using Windows 2008 R2 x64 and users are set up with roaming profiles.

Profiles go to \\server\users\%username%. Intermittently the folder is being created in the profile share but the folder is empty.

Permissions checked OK. Shares checked OK.

Cause
Possibly caused by a server crash corrupting the profiles instead of a natural logoff allowing the profile to write back.

Solution
Browse the registry on your terminal server under: HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

Look for any keys under ProfileList with an extension “.bat”.
Select the key and click delete (export or back up any keys first, before making changes or deletions).

Solution found here : http://www.brianmadden.com/
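To see ProfileImagePath and CentralProfile side by side (the two values asked about in the first post) and to find the suffixed ProfileList keys described in this fix, the key can be inventoried before anything is deleted. This is an added example, not code from the original posts; the function names are hypothetical and it assumes PowerShell 3.0 or later run elevated on the RDS host.

```powershell
# Added example, read-only apart from the optional .reg backup file.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListEntry {
    param([string]$Path = $ProfileListKey)

    Get-ChildItem -Path $Path | ForEach-Object {
        $values  = Get-ItemProperty -Path $_.PSPath
        $local   = $values.ProfileImagePath   # local cached copy, e.g. E:\Users\<username>
        $central = $values.CentralProfile     # roaming profile share; empty for local-only profiles
        [pscustomobject]@{
            KeyName          = $_.PSChildName
            # A normal entry is named with the bare SID; text after it marks a leftover key.
            HasSuffix        = $_.PSChildName -notmatch '^S-1-\d+(-\d+)+$'
            ProfileImagePath = $local
            CentralProfile   = $central
            IsRoaming        = -not [string]::IsNullOrEmpty($central)
            LocalCopyExists  = [bool]$local -and (Test-Path -LiteralPath $local)
        }
    }
}

function Export-ProfileListBackup {
    # Hypothetical helper: saves the whole key with reg.exe before any manual change.
    param([Parameter(Mandatory = $true)][string]$File)
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' $File /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
}

# Show entries that need attention: suffixed key names or a missing local folder.
Get-ProfileListEntry |
    Where-Object { $_.HasSuffix -or -not $_.LocalCopyExists } |
    Format-Table KeyName, ProfileImagePath, CentralProfile -AutoSize
```

Run Export-ProfileListBackup with a target .reg path first, so any key removed by hand can be restored.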

 

Change user command to switch a Terminal Services server to Install mode.

KB 320185

How to put a Terminal Services server in Install mode.

You will need to switch to install mode, to install or remove programs on a terminal server.

The method I use the most is :
Open command prompt as administrator

Type:         change user /install
This will change the server to install mode.

Now you're ready to install applications.

Switch Terminal Services to Execute Mode, when you are finished adding or removing programs.

Open command prompt as administrator

Type:         change user /execute

Users can now log in and start using the new applications

For Loop command to list users with sessions on servers

Problem: Users/Admins disconnect from sessions on servers. How to get a list of users logged on to the servers, both active and disconnected.

Simple Solution!

Create a file called servers.txt – save in c:\temp

(possibly dsquery computer -name * >servers.txt – note you will need to delete all detail except the server name)

Create a batch file called: listloggedinUsers.bat – save in c:\temp

In the listloggedinUsers.bat type the following

for /f %%s in (servers.txt) do (echo %%s & qwinsta /server:%%s)

Save the bat file

Load command prompt as administrator.

Type
c:\temp\listloggedinusers.bat >> users_date_time.txt

This output shows all 3389 connections, i.e. RDP sessions.

 

Create or Remove A Static Route in a Microsoft Windows OS

Route traffic via a specific NIC and IP in most Microsoft Windows operating systems.

Quick guide to create a static route in windows or remove a static route in a windows OS.

List static routes
Administrator command prompt
route print

Create a Static Route
Administrator command prompt
Add example :
route add -p 192.168.10.31 mask 255.255.255.255 192.168.1.1 if 2 metric 5

“if” is the network card number to route through.
metric is the cost value used when calculating the fastest, most reliable, and least expensive routes
-p Persistent
ipconfig /all (Shows the NIC for “if” number.)

Deleting a Static Route
Administrator command prompt
Delete example :
route delete 192.168.10.31

Remote Desktop Server – Customisation and Useful GPO settings

User cannot change an expired user account password in a remote desktop session that connects to a Windows Server 2008 R2-based RD Session Host server in a VDI environment

Hotfix Download Available

https://support.microsoft.com/en-us/kb/2648402

  1. Open the following file: %systemDrive%/windows/web/rdweb/pages/web.config
  2. Set the following value to TRUE:
     <!-- PasswordChangeEnabled: Provides password change page for users. Value must be "true" or "false" -->
     <add key="PasswordChangeEnabled" value="false" />

 

 

Disable IE security in a GPO using reg change

https://4sysops.com/archives/disable-internet-explorer-enhanced-security-configuration-ie-esc-with-group-policy/

 

 

Set Trust sites

http://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/

 

 

Setup SSO & disable remote app prompt  

http://social.technet.microsoft.com/wiki/contents/articles/2381.how-to-remove-the-access-messages-and-enable-the-single-sign-on-for-remoteapps.aspx

 

 

Deploying RD Session Host Servers or Farms

http://social.technet.microsoft.com/wiki/contents/articles/5466.deploying-rd-session-host-servers-or-farms.aspx

 

How to Remove the Access Messages and Enable the Single Sign On for RemoteApps

http://social.technet.microsoft.com/wiki/contents/articles/2381.how-to-remove-the-access-messages-and-enable-the-single-sign-on-for-remoteapps.aspx

 

 

Deploy Certificates by Using Group Policy

http://www.ervik.as/microsoft/windows-server-2008-r2/3321-how-to-configure-single-sign-on-for-remote-desktop-services

 

 

Enable RDC Client Single Sign-On for Remote Desktop Services

https://technet.microsoft.com/en-us/library/cc742808.aspx

http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx


 

 

How to resolve the issue: “A website wants to start a remote connection. The publisher of this remote connection cannot be identified.”

http://blogs.msdn.com/b/rds/archive/2011/04/05/how-to-resolve-the-issue-a-website-wants-to-start-a-remote-connection-the-publisher-of-this-remote-connection-cannot-be-identified.aspx

 

 

Do you trust the publisher of this RemoteApp Program? prompt even though the Publisher is trusted?

https://social.technet.microsoft.com/Forums/windowsserver/en-US/f47bcba9-67bf-45d0-af3f-fd9b9982ee2a/do-you-trust-the-publisher-of-this-remoteapp-program-prompt-even-though-the-publisher-is-trusted

 

 

Create a Self-Signed Server Certificate in IIS 7

https://technet.microsoft.com/en-us/library/cc753127(v=ws.10).aspx

 

 

IT: How To Create a Self Signed Security (SSL) Certificate and Deploy it to Client Machines

http://www.howtogeek.com/107415/it-how-to-create-a-self-signed-security-ssl-certificate-and-deploy-it-to-client-machines/

 

 

 

 

 

Makecert.exe (Certificate Creation Tool)

https://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx

Tested example (sets the start date to 30.6.15; the end date is 20yrs+ later).

makecert.exe -r -pe -n "CN=rdscluster.test.world.com" -eku 1.3.6.1.5.5.7.3.1 -b 06/30/2015 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "E:\Media\Cert\rdscluster.test.world.com.cer"

 

 

About Digitally Signing RemoteApp Programs

https://technet.microsoft.com/en-gb/library/cc754499.aspx

 

 

Create RDS Farm – Check list

https://technet.microsoft.com/en-us/library/cc753891.aspx

 

 

Install the RD Connection Broker Role Service

https://technet.microsoft.com/en-us/library/cc732076.aspx

 

 

Add Each RD Session Host Server in the Farm to the Session Broker Computers Local Group

https://technet.microsoft.com/en-us/library/cc753630.aspx

 

 

Configure an RD Session Host Server to Join a Farm in RD Connection Broker

https://technet.microsoft.com/en-us/library/cc771383.aspx

 

 

Configure DNS for RD Connection Broker Load Balancing

https://technet.microsoft.com/en-us/library/cc772506.aspx

 

 

Limit Profile Size

http://www.techrepublic.com/blog/the-enterprise-cloud/limit-profile-size-with-group-policy/

 

Note: files deleted from a network share do not go to the recycle bin. They are deleted permanently.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/7119aafa-fe55-470c-ae20-568b80c5dcb4/files-deleting-over-the-network-share-drive-is-not-going-to-the-recycle-bin-it-permanently-delete?forum=winservergen

 

https://social.technet.microsoft.com/Forums/windowsserver/en-US/db181312-bc96-4c3d-b7d6-daa0250b5552/applying-quota-for-user-profile-in-terminal-server

 

Empty recycle bin at log off… GPO log off script –

User Configuration – Policies – Windows Settings – Scripts – Logon/Logoff

Add Empty recycle bin batch

http://www.cryer.co.uk/brian/windows/batch_files/how_to_empty_recycle_bin.htm

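e:

rem Stop if the folder cannot be entered, otherwise del would run in the current directory.
cd \$RECYCLE.BIN || exit /b 1

del /s /q .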

 

Types of profiles

http://blogs.msdn.com/b/rds/archive/2009/06/02/user-profiles-on-windows-server-2008-r2-remote-desktop-services.aspx?Redirected=true

 

 

User Configuration – Administrative Templates – System – Logon/Logoff

 

 

SHOW and HIDE ALL DRIVES

      1. Create one policy for admins with show all drives https://support.microsoft.com/en-us/kb/231289
      2. Create a second policy for all users with hide all drives and a deny apply policy for admins https://support.microsoft.com/en-us/kb/816100
      3. Third policy has all the terminal server config details

 

 

Temporary Profiles Loading

http://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx

How to remove a file lock manually in Microsoft Server 2008


Open Administrative Tools -> Share and Storage Management.

From the Actions pane, click Manage Open Files.

All locked files and folders should be visible on this server.

To clear a lock, select the relevant file and click “Close Selected”.

Note: only use this method if other options to close / unlock a file have been tried and a user is definitely not using the file, otherwise data loss may occur.

Sysprep Windows Server 2008

I wanted to sysprep an image of Windows Server 2008 after cloning a Windows Server 2008 VM in VMware Workstation.

Followed by a quick google to jog the memory, I found http://jameskovacs.com/2008/10/15/how-to-sysprep-windows-server-2008/

Sysprep is installed by default on Windows Server 2008.

Default location : c:\Windows\System32\sysprep\sysprep.exe

Simply run sysprep.exe

The tool pops up.

Check the “Generalize” checkbox (regenerates system SID), change the Shutdown Options to “Shutdown” or “Restart”, and click OK.

The system will go through the sysprep process and shut itself down or restart.
I was only running sysprep after a clone. So restart was ok

Use shutdown if you want to create cloned servers afterwards, simply by creating linked servers and booting the clone.

Note: the SIDs weren’t being regenerated without the “Generalize” checkbox being checked.