If you’ve supported a terminal server or a Citrix MetaFrame
environment, you have surely come across the need to set up roaming or
mandatory profiles at one time or another. But were you able to set up multiple
profiles? If you followed the standard Windows roaming profile setup, you realized
that it’s not possible. However, with a little tweaking, you can indeed get
this to work.

Why would I need to use multiple user profiles?

In a terminal server or Citrix MetaFrame environment, more
often than not, servers are built based on applications. For example, an
accounting application with approximately 300 users would need between five and
10 terminal servers. These servers would run this application with any
supporting apps it needed, such as Excel or Word.

Assume this application has several executables that the
user needs to run in order to accomplish a certain task. For example, the user might
need to run one executable in order to operate the accounting package itself,
and yet another executable to run reports or do budgeting.

In a Citrix environment, when an application suite has more
than one or two icons, it becomes too complicated for the users because they
would have to launch several applications and run several sessions on the
server. Instead, you can publish the desktop to the users and place all the
icons on it. The best way to implement this would be to use a mandatory user
profile so that every user who logs in to these servers gets these icons. This
is also a good approach if you’re enforcing tight security, which you should be
doing. Because the desktop is locked down, users have access only to icons that
are available through the mandatory user profile.

But what happens if your company has purchased a new application
suite that also has more than one executable, and you have to publish the
desktop again? Now you need to use mandatory user profiles again to push the
icons to the users. But remember that you configured the mandatory user profile
to point to the first application. In the user account properties, you can set only
one path for roaming or mandatory user profiles.

So what can you do? You have several options. First, you can
set up folder redirection in Group Policy and then add the users of every
application to a unique group. You configure the Group Policy so that if users
are members of one group, the policy gives them one set of icons. But if
users are members of another group, the policy gives them the second set of
icons.

What if a user is a member of both groups? In that case, you’ll
have to separate your terminal servers into separate organizational units (OUs).
From there, you implement what is known as a loopback Group Policy and set folder redirection at that level.

This isn’t necessarily a good thing. A loopback
Group Policy means that users logging into these servers will get the policy
applied at this OU level; any higher Group Policy will be disregarded. That may
negate any security settings you’ve placed in Group Policies in other parts of
Active Directory. Another drawback is that Group Policy folder redirection places
icons on a share and then redirects the folders to that share. The server
constantly needs to refresh the icons from the server share, generating network
traffic and, in some cases, slowing everything down.

Another way to deal with multiple profiles is by writing a
script. The problem with this approach is that the script would be very
complicated. If a user is a member of both groups, the script would have to
check the server name that the user is logging in to before making the decision
of which set of icons to present. On top of that, you would have to constantly
edit and manage the list of servers for the script.

A better way

What if you could create multiple roaming or mandatory user
profiles based on the server the user logs in to? That would simplify
everyone’s life and solve your problem. You can do this by creating on every
server an environmental variable that points to a different location. For
example:

Servers 1 to 5 have an environmental variable called %PROFILEPATH% that points to FS01\PROFILE1,
whereas Servers 6 to 10 have the same environmental variable pointing to FS01\PROFILE2.

Now in the user account properties, all the users would have
the following in the profile path:

\\FS01\%PROFILEPATH%

Depending on which server the user logs in to, the
%PROFILEPATH% will resolve differently and will present the user with a
different set of icons.

So how do you set this up?

The first step is to create the shares on a file server
that these profiles will point to. For the purposes of this example, I’ll
create two shares on the server FS01. The first share is PROFILE1 and holds all
the icons for the first application; the second share is PROFILE2 and holds all
the icons for the second application.

Next, set up the environmental variable on the servers. Right-click
My Computer and click on Properties. Select Advanced and click on Environment
Variables. In the System Variables window, click on New and type the name of
your variable and its value, as shown in Figure A.

Figure A

At this point, you’ve manually created the environmental
variable Profilepath and its value of \\FS01\PROFILE1. You can do this on all
servers that need the same set of icons, and then repeat the process on the
second batch of servers—except make sure the variable value is set to \\FS01\PROFILE2.

You can test whether the variable works by opening a command
prompt, typing @echo %profilepath%,
and pressing [Enter]. It should resolve that with the path, based on which
server you’re logged in to. You can also double-click My Computer, type %profilepath% in the address bar, and press
[Enter]. That should take you to the path specified as well.

If you have a lot of servers, the process of creating this
variable becomes time-consuming, at which point you can use scripting to deploy
this variable either via registry key or simply by editing or creating the
USRLOGN1.CMD on the terminal server. USRLOGN1.CMD is a machine script that runs
only when a Terminal Services user logs in and is machine-specific.

Now edit the file and add the following line:

Set PROFILEPATH=\\FS01\PROFILE1

Save the file and then copy it to all the terminal servers
that should point to the share PROFILE1. Do the same for the second batch of
servers after modifying the share to point to PROFILE2, then copy the script to
all of your terminal servers. When a user logs in to either batch of servers,
he or she will be directed to a different profile depending on the server
logged in to.
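
One way to script the per-server variable described above and then audit it for drift, as an added example that is not part of the original article. It assumes PowerShell remoting is enabled on the terminal servers; the server names TS01 to TS10 and the function names are constructed placeholders, while the variable name and share paths are the article's.

```powershell
# Added example. Server names and batch layout are constructed placeholders;
# PROFILEPATH and the \\FS01 shares are the values used in the article.
$Batches = @{
    '\\FS01\PROFILE1' = @('TS01', 'TS02', 'TS03', 'TS04', 'TS05')
    '\\FS01\PROFILE2' = @('TS06', 'TS07', 'TS08', 'TS09', 'TS10')
}
$VarName = 'PROFILEPATH'

function Set-ProfilePathVariable {
    param([string[]]$ComputerName, [string]$Value)
    # 'Machine' scope stores the value under
    # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment,
    # the same place the System Variables dialog writes to.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $VarName, $Value -ScriptBlock {
        param($Name, $Val)
        [Environment]::SetEnvironmentVariable($Name, $Val, 'Machine')
    }
}

function Get-ProfilePathDrift {
    param([hashtable]$Expected)
    $read = {
        param($Name)
        [pscustomobject]@{ Value = [Environment]::GetEnvironmentVariable($Name, 'Machine') }
    }
    foreach ($share in $Expected.Keys) {
        $servers = $Expected[$share]
        $found = Invoke-Command -ComputerName $servers -ArgumentList $VarName -ScriptBlock $read -ErrorAction SilentlyContinue
        foreach ($server in $servers) {
            # Invoke-Command tags each result with the server it came from.
            $row = $found | Where-Object { $_.PSComputerName -eq $server }
            $actual = if ($row) { $row.Value } else { '<unreachable>' }
            if ($actual -ne $share) {
                # Report servers that are unreachable, unset, or pointing at the wrong share.
                [pscustomobject]@{ Server = $server; Expected = $share; Actual = $actual }
            }
        }
    }
}

foreach ($share in $Batches.Keys) {
    Set-ProfilePathVariable -ComputerName $Batches[$share] -Value $share
}
$drift = @(Get-ProfilePathDrift -Expected $Batches)
if ($drift.Count) { $drift | Format-Table -AutoSize } else { 'All servers match their batch.' }
```

Running only the audit function on a schedule shows any server whose value is missing or points at the other batch's share, which would otherwise hand users the wrong locked-down desktop.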

Now, on the domain controller, all you have to do is go into
the properties of your user accounts and click on Terminal Services Profile.
Edit the field for User Profile, as shown in Figure B.

Figure B