2

I'm currently building an environment that will host about 5,000 users over 20 AppServers. I have finalized my GPOs but I'm experiencing an issue with the user's local profile when roaming profiles is implemented. The roaming part works perfectly, as the user's profile is stored and updated in a centralized network location. My only problem is when a user logs off, their local profile under C:\Users is not deleted. Since I want to minimize the AppServer's C:\ space, I'm looking for a GPO that will remove the local profile cleanly during log off. That is, it will remove the folder C:\Users\%username% and the user's registry entry on the AppServer.

I tried implementing the following GPO (see below) but unfortunately it does not work.

Computer Configuration -> System -> User Profiles
"Delete cached copies of roaming profiles"

By the way, folder redirection is working and set up to move AppData and Documents to the Roaming Profile's network share.

I have also read that adding my users to the Domain Guest group will automatically delete the profile from C:\Users during log off. However, I have no clue what other issues I could encounter by adding my users to such a group. So I'm wondering if there are other alternatives. I could always write a PS script but I would like to avoid setting up a log off script. - Thanks.

RHQ

1 Answer

2

OK, so adding the user to the Domain Guest group has actually solved my problem in terms of cleanly removing the C:\Users\%username% folder and its registry entry on the AppServer. Folder redirection and Roaming Profiles do not seem to be affected by adding the user to the Domain Guest group. I have tested users' daily functionality and I have not found any problems.

I have also run the Group Policy Modeling and Group Policy Results and all GPOs have successfully been implemented.

At this point in time I could say that the "Domain Guest solution" works, but it's something that I will NOT recommend as I'm sure this implementation is not following best practices. If someone needs to implement the above solution I would recommend that adequate tests are run prior to deploying it to a production environment.

PS - If someone else knows of potential problems or risks please advise - Thanks

RHQ
  • Did you find any issue with this? Have you tried to add your users to the local guest group? Just guessing, but this could add the functionality you need, without changes in your domain. To ease the maintenance on your 20 servers, you could do that with a Restricted Groups setting through GPO. – curropar Mar 15 '16 at 09:48
  • Just tried it for myself, and local guest group works :D – curropar Mar 15 '16 at 10:01
  • We had this problem in Windows Server 2016 RDS and adding the users to Domain Guests (still) "solves" the problem. – Erik Feb 12 '18 at 13:23
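
A diagnostic sketch for the situation discussed in this thread, added here as an example and not written by any of the posters: it checks on one AppServer whether the "Delete cached copies of roaming profiles" policy has actually reached the machine, lists the local profiles still cached on disk, and shows who is currently in the local Guests group so that any Guests-based workaround stays auditable. It assumes Windows PowerShell 5.1 or later in an elevated session, and that the policy is stored as the `DeleteRoamingCache` value under the machine policy key, which is where that setting is written.

```powershell
# Added example, not from the original posts. Run elevated on one AppServer.

# 1. Has "Delete cached copies of roaming profiles" been applied to this computer?
#    The policy is stored as DeleteRoamingCache = 1 under the machine policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$policy = Get-ItemProperty -Path $policyKey -Name DeleteRoamingCache -ErrorAction SilentlyContinue
$policyEnabled = ($null -ne $policy) -and ($policy.DeleteRoamingCache -eq 1)
Write-Output "DeleteRoamingCache policy applied: $policyEnabled"

# 2. Which user profiles are still cached locally although nobody is logged on with them?
#    Special = system/service profiles, Loaded = profile currently in use.
$cached = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and -not $_.Loaded } |
    Sort-Object LastUseTime |
    Select-Object SID, LocalPath, RoamingConfigured, LastUseTime

if ($cached) {
    Write-Output "Cached profiles left on disk: $(@($cached).Count)"
    $cached | Format-Table -AutoSize
} else {
    Write-Output 'No cached user profiles found.'
}

# 3. Who is in the local Guests group (well-known SID S-1-5-32-546)?
#    Anyone listed here logs on with a guest-style profile on this server,
#    so the list should match what was deliberately configured.
try {
    Get-LocalGroupMember -SID 'S-1-5-32-546' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource |
        Format-Table -AutoSize
} catch {
    Write-Warning "Could not enumerate the local Guests group: $($_.Exception.Message)"
}
```

If step 1 reports `False`, the GPO is not reaching the computer object and `gpresult /r /scope computer` on the same server is the next thing to look at.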