08: Group Policy Files

When a folder is redirected, Windows automatically makes the redirected location available offline via Offline Files, which is handy for typical laptop users but undesirable for VDI, where the desktop never leaves the data centre and the cache only duplicates data that lives on the share. Create a GPO that disables Offline Files altogether

New-GPO -Name "Disable Offline Folders"
# Computer Configuration > Administrative Templates > Network > Offline Files > "Allow or Disallow use of the Offline Files feature" (Disabled)
Set-GPRegistryValue -Name "Disable Offline Folders" -Key "HKLM\Software\Policies\Microsoft\Windows\NetCache" -ValueName "Enabled" -Type DWORD -Value 0

Create a GPO to actually do the redirection

New-GPO -Name "Enabled Folder Redirection - Site1"

I couldn't find an easy way to set the values from PowerShell, so edit the GPO via Group Policy Management, which is a real shame as it's a bit laborious

image

Open the properties page of the folder to redirect and set the setting to Basic.  Set the target root path to \\mylab\site1\redirect and, on the Settings tab, change the options as shown

image  image

Create a GPO to clear the cached copies of user profiles held on the individual VM

New-GPO -Name "Delete Cached Profiles"
# "Delete cached copies of roaming profiles": remove the local copy of the profile at logoff
Set-GPRegistryValue -Name "Delete Cached Profiles" -Key "HKLM\Software\Policies\Microsoft\Windows\System" -ValueName "DeleteRoamingCache" -Type DWORD -Value 1
# "Delete user profiles older than a specified number of days on system restart": the value is the age in days, so 1 removes anything older than a day
Set-GPRegistryValue -Name "Delete Cached Profiles" -Key "HKLM\Software\Policies\Microsoft\Windows\System" -ValueName "CleanupProfiles" -Type DWORD -Value 1

Now we need to plan our Active Directory a little.  I suggest something which divides up sites, users and computers.  Perhaps something as simple as this

dc=mylab.local
├───ou=site1
│   ├───ou=computers
│   └───ou=users
└───ou=site2
    ├───ou=computers
    └───ou=users

Easy enough to create in PowerShell

New-ADOrganizationalUnit "Site1" -Path "DC=MyLab,DC=local"
New-ADOrganizationalUnit "Users" -Path "OU=Site1,DC=MyLab,DC=local"
New-ADOrganizationalUnit "Computers" -Path "OU=Site1,DC=MyLab,DC=local"
New-ADOrganizationalUnit "Site2" -Path "DC=MyLab,DC=local"
New-ADOrganizationalUnit "Users" -Path "OU=Site2,DC=MyLab,DC=local"
New-ADOrganizationalUnit "Computers" -Path "OU=Site2,DC=MyLab,DC=local"

Now link the group policy objects to the OUs created above.  The two computer policies go on the computers OUs and the redirection policy on the users OU.  The redirection policy is site-specific, and since I only created one, I'm only going to link one

New-GPLink -Name "Disable Offline Folders" -Target "ou=computers,ou=site1,dc=mylab,dc=local"
New-GPLink -Name "Disable Offline Folders" -Target "ou=computers,ou=site2,dc=mylab,dc=local"
New-GPLink -Name "Delete Cached Profiles" -Target "ou=computers,ou=site1,dc=mylab,dc=local"
New-GPLink -Name "Delete Cached Profiles" -Target "ou=computers,ou=site2,dc=mylab,dc=local"
New-GPLink -Name "Enabled Folder Redirection - Site1" -Target "ou=users,ou=site1,dc=mylab,dc=local"
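Before moving on it is worth reading the three GPOs back and confirming they are linked where they should be; a link created against a slightly different OU path, or a GPO name that does not match, fails silently at logon. The following check is an added example, not part of the original post. It assumes only the GPO names, registry values and OU paths used above.

```powershell
# Added example: verify the GPO registry values and OU links created above.
# Assumes the GPO names and OU paths used on this page; nothing else.
Import-Module GroupPolicy

$expectedValues = @(
    @{ Gpo = 'Disable Offline Folders'; Key = 'HKLM\Software\Policies\Microsoft\Windows\NetCache'; Name = 'Enabled';            Value = 0 }
    @{ Gpo = 'Delete Cached Profiles';  Key = 'HKLM\Software\Policies\Microsoft\Windows\System';   Name = 'DeleteRoamingCache'; Value = 1 }
    @{ Gpo = 'Delete Cached Profiles';  Key = 'HKLM\Software\Policies\Microsoft\Windows\System';   Name = 'CleanupProfiles';    Value = 1 }
)

$expectedLinks = @{
    'ou=computers,ou=site1,dc=mylab,dc=local' = 'Disable Offline Folders', 'Delete Cached Profiles'
    'ou=computers,ou=site2,dc=mylab,dc=local' = 'Disable Offline Folders', 'Delete Cached Profiles'
    'ou=users,ou=site1,dc=mylab,dc=local'     = 'Enabled Folder Redirection - Site1'
}

function Test-VdiGpoSetup {
    $problems = @()

    # Registry-backed settings: read each value back out of the GPO and compare
    foreach ($e in $expectedValues) {
        $actual = Get-GPRegistryValue -Name $e.Gpo -Key $e.Key -ValueName $e.Name -ErrorAction SilentlyContinue
        if ($null -eq $actual) {
            $problems += "$($e.Gpo): $($e.Key)\$($e.Name) is not set"
            continue
        }
        if ($actual.Value -ne $e.Value) {
            $problems += "$($e.Gpo): $($e.Name) is $($actual.Value), expected $($e.Value)"
        }
    }

    # Links: every expected GPO must be linked to the OU and the link must be enabled
    foreach ($ou in $expectedLinks.Keys) {
        $links = (Get-GPInheritance -Target $ou).GpoLinks
        foreach ($name in $expectedLinks[$ou]) {
            $link = $links | Where-Object DisplayName -eq $name
            if (-not $link) {
                $problems += "$name is not linked to $ou"
                continue
            }
            if (-not $link.Enabled) {
                $problems += "$name is linked to $ou but the link is disabled"
            }
        }
    }

    if ($problems) { $problems } else { 'All GPO values and links match' }
}

Test-VdiGpoSetup
```

Run it from a machine with the Group Policy Management tools installed. It only checks the two registry-backed GPOs and the links; the Folder Redirection settings themselves live in SYSVOL rather than the registry, so those still have to be eyeballed in Group Policy Management.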

Create a user and set up their home directory and profile path

New-ADUser -Name "Mark Elvers" -UserPrincipalName "mark.elvers@mylab.local" -SamAccountName "Mark.Elvers" -AccountPassword (ConvertTo-SecureString -AsPlainText "Password99" -Force) -ChangePasswordAtLogon $false -Enabled $true -Path "ou=users,ou=site1,dc=mylab,dc=local" -OtherAttributes @{givenName="Mark";sn="Elvers";homeDirectory="\\mylab\site1\users\mark.elvers";homeDrive="h:";profilePath="\\mylab\site1\profiles\mark.elvers"}

Create the user's folder under each of the users, profiles and redirect shares and set the permissions, making sure inheritance is removed so only Domain Admins and the user themselves have access

foreach ($f in "users","profiles","redirect") { mkdir \\mylab\site1\$f\mark.elvers ; icacls \\mylab\site1\$f\mark.elvers /inheritance:r /grant:r "Domain Admins:(CI)(OI)F" "mark.elvers:(CI)(OI)M" }
# Windows 7 / Server 2008 R2 clients look for the roaming profile folder with a .V2 suffix on disk; the profilePath attribute stays without it
move \\mylab\site1\profiles\mark.elvers \\mylab\site1\profiles\mark.elvers.V2
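Doing this by hand for every user is error-prone, so here is the same procedure wrapped in one function. This is an added example, not code from the original post. It assumes the share layout \\mylab\<site>\{users,profiles,redirect} and the ou=users,ou=<site> OU structure used above, the NetBIOS domain name MYLAB, and the .V2 profile suffix; the function name New-SiteUser is hypothetical. It also adds one step the manual commands above do not: handing ownership of the folders to the user, because Windows refuses to load a roaming profile from a folder the user does not own unless the "Do not check for user ownership of Roaming Profile Folders" policy has been set.

```powershell
# Added example: provision one VDI user for a site (account, home, profile and redirect folders, ACLs).
# Assumptions not taken from the original page: NetBIOS domain MYLAB, DNS domain mylab.local,
# OU layout ou=users,ou=<site>,dc=mylab,dc=local, profile suffix .V2 (Windows 7 / 2008 R2 clients).
Import-Module ActiveDirectory

function New-SiteUser {
    param(
        [Parameter(Mandatory)] [string]       $Site,         # e.g. site1
        [Parameter(Mandatory)] [string]       $GivenName,
        [Parameter(Mandatory)] [string]       $Surname,
        [Parameter(Mandatory)] [SecureString] $Password,
        [string] $Domain        = 'mylab',                   # NetBIOS name, used for icacls and the UNC root
        [string] $DnsDomain     = 'mylab.local',
        [string] $ProfileSuffix = '.V2'                      # .V2 for Vista/7/2008 R2; Windows 8 and later use .V3 to .V6
    )

    $sam  = ('{0}.{1}' -f $GivenName, $Surname).ToLower()
    $ou   = 'ou=users,ou={0},dc={1}' -f $Site, ($DnsDomain -replace '\.', ',dc=')
    $root = "\\$Domain\$Site"

    # Native parameters rather than -OtherAttributes; same LDAP attributes are written
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@$DnsDomain" -Path $ou `
        -AccountPassword $Password -ChangePasswordAtLogon $false -Enabled $true `
        -HomeDirectory "$root\users\$sam" -HomeDrive 'H:' `
        -ProfilePath "$root\profiles\$sam"

    # The folder on disk carries the OS-version suffix; the profilePath attribute does not
    $folders = @{
        users    = "$root\users\$sam"
        profiles = "$root\profiles\$sam$ProfileSuffix"
        redirect = "$root\redirect\$sam"
    }

    foreach ($path in $folders.Values) {
        New-Item -ItemType Directory -Path $path -Force | Out-Null
        # Remove inherited ACEs and grant only Domain Admins (Full) and the user (Modify)
        icacls $path /inheritance:r /grant:r "$Domain\Domain Admins:(OI)(CI)F" "$Domain\${sam}:(OI)(CI)M" | Out-Null
        # Make the user the owner: the roaming profile service checks ownership of the profile
        # folder at logon and refuses to load it if an administrator still owns it
        icacls $path /setowner "$Domain\$sam" | Out-Null
    }

    # Return what was created so the caller can log or verify it
    [pscustomobject]@{
        SamAccountName = $sam
        OU             = $ou
        Folders        = $folders
    }
}

# Usage: prompt for the password rather than embedding it in the script
# New-SiteUser -Site site1 -GivenName Mark -Surname Elvers -Password (Read-Host -AsSecureString 'Password')
```

The account name is qualified with the domain in the icacls calls so the SID lookup cannot accidentally resolve a same-named local account on the file server, and the password is taken as a SecureString from the caller rather than written into the script as the one-off command above does.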