| Author | Messages | |
Frank
Posts:3
 | | 08/14/2010 1:57 PM |
| Hey GPO Guy,
I have a VDI environment with a profile solution that mounts a .vhd file onto a virtual desktop to allow users their own personal space. The problem I'm having is that I don't want to apply a user's GPO to the VDI desktop, but I want the user's GPO to apply to their workspace. Both the VDI desktop and the profile are joined separately to the domain and need to remain this way for single sign-on to function correctly. I can't block inheritance to the users or I would lose this functionality in both environments.
My thoughts are to somehow restrict GPOs applying at the machine level by disabling some service, permission, etc., on the VDI desktop and have them re-apply when their profile solution is mounted and joined to the domain as part of the login process, but I'm having no luck in doing so. Any thoughts?
Please help!
Thank you,
FRANK CHIARAMONTE | CONSOL ENERGY ADMINISTRATOR / WINDOWS SERVERS 1000 Consol Energy Drive | Canonsburg, PA 15317 Office: (724)-485-4151 | Mobile: (412)327-8365
"This communication, including any attachments, may contain confidential and privileged information that is subject to the CONSOL Energy Inc.'s Business Information Protection Policy. The information is intended solely for the use of the intended recipient(s). If you are not an intended recipient, you are prohibited from any use, distribution, or copying of this communication. If you have received this communication in error, please immediately notify the sender and then delete this communication in its entirety from your system."
| | | |
| dmarelia
Posts:394
 | | 08/16/2010 3:08 AM |
| Frank- Can you describe what you mean by profile solution and vhd file mounted onto the virtual desktop? It sounds like you're saying that they are running a 2nd instance of Windows that just contains the profile data, but that doesn't sound right.
Darren
| | | |
| Frank
Posts:3
 | | 08/16/2010 12:24 PM |
| That's about right. The profile does "borrow" services and certain functionality from the underlying O.S., but it is also a separate Windows instance that is joined to the domain.
Here is a quick rundown:
* User logs into a desktop pool through a connection broker using their current Windows domain user/pass.
* When the user selects a pool assigned to them they are given a non-persistent virtual desktop to use. This is a stripped down version of Windows with just the core services and functions and no additional applications, etc.
* Their profile is then "mounted" to this non-persistent desktop and the user is then given their own personal workable space and can then install applications, etc.
* Both of these instances are joined and need to be joined to the domain for single sign-on to function correctly.
Let me know if you have any other questions or ideas on how to get around my GPO problem.
Thanks, Frank
| | | |
| dmarelia
Posts:394
 | | 08/16/2010 3:26 PM |
| Frank- Ok. I think I get it (btw, which VDI solution are you using?). How about setting no user policy on the user account, and then setting the Workspace instance in loopback replace? That way, you could have no user policy apply normally, but when the workspace comes up, they get user policy by virtue of the loopback policy?
Darren
| | | |
| omar
Posts:75
 | | 08/16/2010 3:31 PM |
| I have a question:
Why the requirement for the core os that you load?
Sounds like instead of providing a core os and then hosted applications- you are doing a core then layering another instance on top?
Anyway- it seems like your core os and the "profile" are really two separate computer objects joined to the AD domain, is that right?
So can't you separate the core os computer objects in AD into a separate OU and on that OU create a GPO and configure both user and computer settings (as necessary) for those virtual desktops and within that GPO enable loopback processing for users in Replace mode?
This way the core os user policy is the same for all- as defined on the user based settings on that GPO- assigned to the core os computer OU.
No changes are necessary for the profile/application desktop as those are working as you are expecting, right? http://support.microsoft.com/kb/231287
Omar
| | | |
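The loopback behaviour Darren and Omar suggest above, as an added example that is not part of the original thread: it models which GPOs supply the user settings under each loopback mode and reads the mode configured on the local machine. The GPO names are constructed placeholders; `UserPolicyMode` is the registry value the "User Group Policy loopback processing mode" policy writes (1 = Merge, 2 = Replace).

```powershell
# Added example. GPO names are constructed placeholders, not taken from the thread.

function Get-LoopbackMode {
    # Reads the loopback setting that Group Policy (domain or local) has written
    # for this computer. Value absent = loopback not configured.
    param([string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System')

    $item = Get-ItemProperty -Path $Path -Name UserPolicyMode -ErrorAction SilentlyContinue
    if ($null -eq $item)             { return 'None' }
    if ($item.UserPolicyMode -eq 1)  { return 'Merge' }
    if ($item.UserPolicyMode -eq 2)  { return 'Replace' }
    return 'None'
}

function Resolve-UserGpoOrder {
    # Returns the GPOs whose *user* settings are processed at logon, in
    # processing order (later entries win on conflicting settings).
    param(
        [Parameter(Mandatory)][ValidateSet('None', 'Merge', 'Replace')]
        [string]$Mode,
        [string[]]$UserScopeGpos,      # GPOs in scope for the user account's location
        [string[]]$ComputerScopeGpos   # GPOs in scope for the computer account's location
    )

    switch ($Mode) {
        # Normal processing: only the user's own GPO list is used.
        'None'    { return $UserScopeGpos }
        # Replace: the user's GPO list is discarded; user settings come
        # only from the GPOs that apply to the computer object.
        'Replace' { return $ComputerScopeGpos }
        # Merge: user's list first, then the computer's list, so the
        # computer-side GPOs win any conflict.
        'Merge'   { return @($UserScopeGpos) + @($ComputerScopeGpos) }
    }
}

# Constructed sample: one list for the user's OU, one for the OU that holds
# the core VDI desktop computer objects.
$userGpos    = @('Default Domain Policy', 'Corp-User-Settings')
$desktopGpos = @('Default Domain Policy', 'VDI-Core-Desktop')

foreach ($mode in 'None', 'Merge', 'Replace') {
    $order = Resolve-UserGpoOrder -Mode $mode `
        -UserScopeGpos $userGpos -ComputerScopeGpos $desktopGpos
    '{0,-8} {1}' -f $mode, ($order -join ' -> ')
}

"Loopback mode configured on this machine: $(Get-LoopbackMode)"
```

Compare the computed order with the user section of `gpresult /r` run inside the session to confirm which GPOs actually applied.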
| Frank
Posts:3
 | | 08/16/2010 8:38 PM |
| I can't say I had any knowledge of the loopback policy, but I was able to make this change in local policy on our linked-clones and I am currently testing in DEV. I've been able to see a 25% login time reduction so far. Thanks for all your help!
By the way- we're using VIEW as our VDI solution (non-persistent) linked-clone desktop pools with vDesk by Ringcube as our profile solution.
Thanks again, Frank
| | | |
| frevere
Posts:18
 | | 08/17/2010 2:38 PM |
| Hey Frank,
If I may ask, what are you gaining using vDesk when you already have all these capabilities in VMware View? View allows for a delta disk for the user's desktop that can be stored as its own .vmdk. Are you not just duplicating your effort and costs?
Francis
| | | |
|
|