Unsolved
This post is more than 5 years old
2 Posts
0
142427
Mandatory Profile - vWorkspace policies not applying
I'm wondering if anyone has ever seen something like this below. I have three terminal servers (2008 R2) all delivering the same published desktop and app. I had eveyrone using it setup for mandotory profiles. Recently, one of the servers has stopped applying Quest defined policies and published apps to anyone logging in with a mandatory profile defined. The other 2 servers are still working fine. I have rebuilt the mandatory profile, uninstalled/reinstalled the Quest Terminal Services role on the problem server, but nothing works.
Anyone have any thoughts? Any help and/or suggestions are appreciated......Thanks!
mwehr
34 Posts
0
February 4th, 2013 22:00
Hello Brian
With Windows Policies (GPO or LGPO) and Mandatory Profiles you will have Problems if you create the mandatory Profile in a not supported way (the sysprep-copyprofile method only)
Load ntuser.man in regedit.exe and look at the permissions on
HKEY_USERS\myprofile\Software\Policies
HKEY_USERS\myprofile\Software\Microsoft\Windows\CurrentVersion\Group Policy
HKEY_USERS\myprofile\Software\Microsoft\Windows\CurrentVersion\Policies
The Group Policy Client will modify the permissions if you load the Profile.
You can however adjust permissions on these keys each time you manually modify the Profile.
Also mandatory profiles can lead to privacy issues on Terminal Servers since users could open the users hive of other logged users.
best regards
Markus
btiller
2 Posts
0
February 5th, 2013 12:00
Markus,
Thanks for the reply. I did check the permissions on the hive and made sure that it was set correctly. One thing of note however.........the below keys do not exist:
HKEY_USERS\myprofile\Software\Microsoft\Windows\CurrentVersion\Group Policy
HKEY_USERS\myprofile\Software\Microsoft\Windows\CurrentVersion\Policies
I compared the resgistry settings with what is on this server to the ones that are working on the other servers. They are all the same, in other words, those registry entries also do not exist on the other terminal servers that are working without issue.
Going off of what you said, I copied the mandatory profile settings (including the hive) from one of the servers that is working just fine onto the problem servers, loaded the hive into the registry and reset the permissions and unloaded the hive. After doing this, it seems to working correctly now, allowing logons and applying Quest policies to user accounts that have the mandatory profile defined.
However, I'm not sure what caused the issue in the 1st place. In other words, I have it working but no clue as to why it stopped working.
Thanks again........any further insights are welcome!
-Brian