Lock down a desktop by setting up multiple mandatory profiles in a terminal server and MetaFrame environment

When you have multiple applications on multiple terminal servers, keeping track of the user environment can become a headache. Here's how multiple mandatory profiles can help.

If you've supported a terminal server or a Citrix MetaFrame environment, you have surely come across the need to set up roaming or mandatory profiles at one time or another. But were you able to set up multiple profiles? If you followed the standard Windows roaming profile setup, you realized that it's not possible. However, with a little tweaking, you can indeed get this to work.

Why would I need to use multiple user profiles?

In a terminal server or Citrix MetaFrame environment, servers are more often than not built around applications. For example, an accounting application with roughly 300 users might need between five and 10 terminal servers, which would run that application together with any supporting apps it needs, such as Excel or Word.

Assume this application has several executables that the user needs to run in order to accomplish a certain task. For example, the user might need to run one executable in order to operate the accounting package itself, and yet another executable to run reports or do budgeting.

In a Citrix environment, when an application suite has more than one or two icons, it becomes too complicated for the users because they would have to launch several applications and run several sessions on the server. Instead, you can publish the desktop to the users and place all the icons on it. The best way to implement this would be to use a mandatory user profile so that every user who logs in to these servers gets these icons. This is also a good approach if you're enforcing tight security, which you should be doing. Because the desktop is locked down, users have access only to icons that are available through the mandatory user profile.

But what happens if your company has purchased a new application suite that also has more than one executable, and you have to publish the desktop again? Now you need to use mandatory user profiles again to push the icons to the users. But remember that you configured the mandatory user profile to point to the first application. In the user account properties, you can set only one path for roaming or mandatory user profiles.

So what can you do? You have several options. First, you can set up folder redirection in Group Policy and then add the users of every application to a unique group. You configure the Group Policy so that if users are members of one group, the policy gives them one set of icons. But if users are members of another group, the policy gives them the second set of icons.

What if a user is a member of both groups? In that case, you'll have to separate your terminal servers into separate organizational units (OUs). From there, you implement what is known as a loopback Group Policy and set folder redirection at that level.

This isn't necessarily a good thing. With loopback processing in replace mode, the user settings a session receives come from the GPOs that apply to the server's OU (and the OUs above it) rather than from the GPOs that apply to the user's own account, so user-side security settings you've configured elsewhere in Active Directory no longer reach these sessions. Another drawback is that folder redirection places the icons on a share and points the users' Desktop folder at it, so every session reads the icons from the file server over the network, and on a busy farm that can make everything feel slow.

Another way to deal with multiple profiles is by writing a script. The problem with this approach is that the script would be very complicated. If a user is a member of both groups, the script would have to check the server name that the user is logging in to before making the decision of which set of icons to present. On top of that, you would have to constantly edit and manage the list of servers for the script.

A better way

What if you could create multiple roaming or mandatory user profiles based on the server the user logs in to? That would simplify everyone's life and solve your problem. You can do this by creating on every server a system environment variable whose value differs from one batch of servers to the next. For example:

Servers 1 to 5 have an environment variable called PROFILEPATH whose value is \\FS01\PROFILE1
Servers 6 to 10 have the same variable, PROFILEPATH, with the value \\FS01\PROFILE2

Now in the user account properties, all the users would have the following in the profile path:


Depending on which server the user logs in to, the %PROFILEPATH% will resolve differently and will present the user with a different set of icons.

So how do you set this up?

The first step is to create the shares on a file server that the profiles will point to. For this example, I'll create two shares on the server FS01: PROFILE1 holds the mandatory profile with the icons for the first application, and PROFILE2 holds the one for the second. Grant users read-only access to both shares; every user on a batch loads the same profile, so write access would let any one of them alter the desktop for everyone else.

Next, set up the environment variable on the servers. Right-click My Computer and click Properties. Select the Advanced tab and click Environment Variables. In the System Variables section, click New and type the name of your variable and its value, as shown in Figure A.

Figure A

At this point, you've manually created the system environment variable PROFILEPATH with the value \\FS01\PROFILE1. Do this on all servers that need the first set of icons, then repeat the process on the second batch of servers, with the value set to \\FS01\PROFILE2. It must be a system variable, not a user variable: the profile path is resolved before the user's own environment exists.

You can test whether the variable works by opening a new command prompt (processes started before you created the variable won't see it), typing echo %PROFILEPATH%, and pressing [Enter]. It should print the share path for whichever server you're logged in to. You can also open My Computer, type %PROFILEPATH% in the address bar, and press [Enter]; that should open the share itself, which also confirms that the share is reachable from the server.

If you have a lot of servers, creating this variable by hand becomes time-consuming, at which point you can deploy it with a script, either by writing the registry value directly (system environment variables are stored under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment) or by editing or creating USRLOGN1.CMD on the terminal server. USRLOGN1.CMD is a machine-specific script that runs only when a Terminal Services user logs in. One caveat: the profile path is expanded when the profile is loaded, which happens before any logon script runs, so the script must persist the variable into the system environment; a plain SET in the script affects only that script's own process and would not change which profile the next logon receives.

Now edit the file and add the following line:


Save the file and copy it to all the terminal servers that should point to the share PROFILE1. Do the same for the second batch of servers after changing the value to PROFILE2. When a user logs in to either batch of servers, he or she is directed to a different profile depending on the server logged in to.
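The server side of this procedure, as an added PowerShell example that is not part of the original article: it pushes PROFILEPATH into the system environment of each batch of terminal servers from an administrator's workstation and reads the value back, which is the registry-based deployment mentioned above rather than the USRLOGN1.CMD one. The server names TS01 to TS10 are hypothetical; the FS01 shares are the ones from the text. It assumes the Remote Registry service is running on the targets and that you hold local administrator rights on them.

```powershell
# Added example, not code from the original article.
# Writes the PROFILEPATH system variable to each terminal server by batch, then
# reads it back. Server names TS01..TS10 are hypothetical; FS01 shares are from
# the article. Requires Remote Registry on the targets and admin rights there.

$batches = @{
    '\\FS01\PROFILE1' = 'TS01','TS02','TS03','TS04','TS05'   # first application
    '\\FS01\PROFILE2' = 'TS06','TS07','TS08','TS09','TS10'   # second application
}

# System environment variables live under this key. Winlogon reads it when it
# builds the logon environment, so a value written here is visible when the
# profile path is expanded, before any logon script runs.
$envKey = 'SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

function Set-RemoteSystemVariable {
    param(
        [string]$ComputerName,
        [string]$Name,
        [string]$Value
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $base.OpenSubKey($envKey, $true)   # $true opens the key writable
        if (-not $key) { throw "Environment key not found on $ComputerName" }
        try {
            $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::String)
            return $key.GetValue($Name)           # read back for verification
        } finally { $key.Close() }
    } finally { $base.Close() }
}

foreach ($share in $batches.Keys) {
    # Sanity check from the admin workstation: the share should already exist,
    # otherwise every logon on that batch will fall back to a local profile.
    if (-not (Test-Path -Path $share)) {
        Write-Warning "Share $share is not reachable from here; check it before continuing."
    }
    foreach ($server in $batches[$share]) {
        try {
            $actual = Set-RemoteSystemVariable -ComputerName $server -Name 'PROFILEPATH' -Value $share
            if ($actual -eq $share) {
                Write-Host "$server : PROFILEPATH = $actual"
            } else {
                Write-Warning "$server : expected $share but read back '$actual'"
            }
        } catch {
            Write-Warning "$server : $($_.Exception.Message)"
        }
    }
}
```

The new value takes effect for logons that begin after it is written; sessions already open on a server keep the environment they started with. Because whoever can write that registry key controls which profile every user on the server receives, restrict write access to it (and to the PROFILE1 and PROFILE2 shares) to administrators.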

Now, on the domain controller, all you have to do is go into the properties of your user accounts and click on Terminal Services Profile. Edit the field for User Profile, as shown in Figure B.

Figure B
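Setting the Terminal Services profile path for a whole group of accounts at once, as an added PowerShell example that is not part of the original article: it writes the same ADSI property (TerminalServicesProfilePath) that the Terminal Services Profile tab writes. The group DN and domain are hypothetical, and the value %PROFILEPATH%\%USERNAME% is an assumption, since the article shows only that the path contains %PROFILEPATH%. Run it on a domain controller or a machine with the Terminal Services administrative tools installed, where the IADsTSUserEx extension that exposes this property is registered.

```powershell
# Added example, not code from the original article.
# Sets TerminalServicesProfilePath for every direct member of a group.
# Group DN and domain are hypothetical; the profile path value is an assumption.

$groupDn     = 'CN=Accounting Users,OU=Groups,DC=example,DC=com'
$profilePath = '%PROFILEPATH%\%USERNAME%'   # assumed value; %PROFILEPATH% differs per server

# Find every user object that is a direct member of the group.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(memberOf=$groupDn))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

foreach ($result in $searcher.FindAll()) {
    $dn   = $result.Properties['distinguishedname'][0]
    $user = [ADSI]"LDAP://$dn"

    # The Terminal Services settings are packed into the userParameters
    # attribute, not stored as plain LDAP attributes, so they are read and
    # written through the IADsTSUserEx interface via InvokeGet/InvokeSet.
    $before = $user.psbase.InvokeGet('TerminalServicesProfilePath')
    if ($before -eq $profilePath) {
        Write-Host "$dn : already set"
        continue
    }

    $user.psbase.InvokeSet('TerminalServicesProfilePath', $profilePath)
    $user.psbase.CommitChanges()

    # Read back to confirm the write landed.
    $after = $user.psbase.InvokeGet('TerminalServicesProfilePath')
    Write-Host "$dn : '$before' -> '$after'"
}
```

Because every account gets the identical string, the only thing that decides which mandatory profile a session loads is the PROFILEPATH value on the server the user lands on, which is exactly the behaviour the article is after.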
