
TheScarfedOne

Start Menu and Desktop Redirection

by TheScarfedOne, 9th October 2011 at 12:00 AM (62208 Views)
Hello again! This one wanders off into slightly different territory from my normal blogging - but it's one I've had lots of questions about recently. It's also been a fairly busy one on the forums too, so here is a reasonably definitive guide on how to get it working properly...

1. Create a server side copy of your structure
Sounds simple, but how many times this isn't done properly never ceases to amaze me. Now, some people I know won't like what I'm about to recommend, but trust me - there is a very good reason.

In your NETLOGON folder (\\DomainNameHere\NETLOGON) create a folder called Environment. This will be our nice handy root folder. Why NETLOGON? Well, first off - it has permissions on it so Domain Users and Domain Computers can read it but not mess with it; second, it gets load balanced and sync'd between however many DCs you have. No single point of failure. Now, I know you can create your own DFS (Distributed File System) to do the same thing, but there really is no need for most systems. The files you will have in this folder are shortcuts - and are tiny anyway.

Right, in ENVIRONMENT, create Staff and Student subfolders, and then StartMenu and Desktop subfolders within those. You will also need a Programs folder in StartMenu (StartMenu rather than Start Menu - better not to have spaces).

Copy the various shortcuts you want, and create your Desktop and Start Menu as you want them to be (I have only mentioned Staff and Students, but you could do this for as many other user groups as you want - you will just need extra subfolders).
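As an added example (not the author's script), this PowerShell builds the folder tree described in step 1 and then checks the property the layout relies on: ordinary users can read the tree but not change it. `DomainNameHere` is the article's placeholder, and the list of trusted principals is an assumption to adjust for your domain.

```powershell
# Added example, not from the original post. Run as an account allowed to write to NETLOGON.
$Root   = '\\DomainNameHere\NETLOGON\Environment'   # placeholder domain name from the article
$Groups = 'Staff', 'Student'

# Step 1: Environment\<group>\Desktop and Environment\<group>\StartMenu\Programs
foreach ($group in $Groups) {
    foreach ($leaf in 'Desktop', 'StartMenu\Programs') {
        $dir = Join-Path (Join-Path $Root $group) $leaf
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
}

# Rights that let a principal change or replace a shortcut, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that some ACEs carry.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

# Assumption: only these principals are expected to hold write access.
$trusted = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|CREATOR OWNER)$|\\(Domain Admins|Enterprise Admins)$'

# Check the root folder itself as well as everything beneath it.
$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $who -notmatch $trusted -and
            ([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{ Path = $item.FullName; Identity = $who; Rights = $ace.FileSystemRights }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { "No unexpected write access under $Root" }
```

Any row in the output is a principal that could swap a shortcut every user in that group will see, so it is worth re-running after anyone edits the tree.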

2. Create your GPO Settings
This one is where people sometimes have issues. Usually, you will have a GPO for Staff and another for Students. I will assume here you do. If not - create them for this purpose.

The settings, in the main, are identical. The only difference comes at the folder reference part. For speed - I have included a screenie below of the settings I have used in my previous schools, as well as at those I have been across to in order to set this up. You may not want to be as restrictive - the choice is yours.

[Screenshot: redirection.png]

[Screenshot: redirection2.png]

Then, you need to actually point at your desktop and start menu folders. This is done at User Configuration > Policies > Windows Settings > Folder Redirection > then right clicking the object to redirect and selecting Properties. Choose "Basic - Redirect everyone's folder to the same location", and then select "Redirect to the following location". Enter your path. Now, you have two options here. I personally redirect to a local copy of the structure I have on the Server. This is maintained by a Startup Script. This I will cover in a 2nd part to this article, including the script used. Alternatively, you can point to the Server path. Note, for Start Menu, do not go down to the Programs level - your path would be \\DomainNameHere\Netlogon\Environment\StartMenu

Then, you must go to the Settings tab. In the Settings tab in the Properties box for a folder, you should change these settings:

Grant the user exclusive rights. This setting is enabled by default and is not the recommended setting for here. Usually, yes, but we don't want to lock others out of it (particularly in the Server sharing scenario).

Move the contents of [FolderName] to the new location. This setting moves all the data the user has in the local folder to the shared folder on the network. We definitely don't want this either.

Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems. This enables folder redirection to work with Windows 7 and Windows Vista, and earlier Windows operating systems. This option applies only to redirectable folders in earlier Windows operating systems, which are the Application Data, Desktop, My Documents, My Pictures, and Start Menu folders. You will want this setting.


3. What often goes wrong

Right, the setting that causes this not to work! The one to watch is
User Configuration > Policies > Admin Templates > Start Menu & Taskbar > Remove User's folders from the Start Menu - this needs to be DISABLED for Windows 7. On XP, it should be Enabled. So... yes - in co-existence you will need two policies, and to use security group filtering to ensure Staff applies to Staff, and Students to Students. Alternatively, careful use of the "Apply to OS" setting can also do this. I will cover this scenario in more detail in Part 2.

Hope this helps - and the screenshot will be added on Monday!

Updated 11th October 2011 at 02:18 PM by TheScarfedOne (Added screenshots)

Categories
Software

Comments

  1. gerardsweeney
    We've used what appears to be this method for a good while, but with one variation..

    The local workstation has an environment variable %WSDIRALL% which points to the location, and the GPO just points to %WSDIRALL%

    We did it this way because our environment has multiple "controlled" desktops with different applications in each room.

    Oddly enough, our IT dept balked slightly at the thought of having hundreds of GPOs so doing it this way kept us in their good grace.. And it's child's play to update the environment variable locally/remotely.

    This does of course mean we have multiple desktops/start menus, but it reduces the HD calls of "I'm trying to run appx in room123 and it isn't working" (when appx isn't in room123)

    The only slight drawbacks:

    1. Some MSIs appear to HATE having the common desktop/start menu redirected, so if we're deploying anything I tend to add a couple of lines of code which temporarily puts it back to "factory default"

    2. You need a GPO which gets applied to non-locked down PCs which puts the common start menu/desktops back to normal otherwise moving a PC out of the locked-down GPO would still leave it with the registry changed to the locked down state. If you're doing this with 7, then you need 2 since 7's normal start menu/desktops are in a different location.


    This may be the mickey-mouse method we used as I'm talking about the MACHINE level (all users) start menu/desktop.. And our method is straight-out reg hacks since the days of NT4
  2. browolf
    We have redirected start menus but we have constant issues with delays over the icons appearing. In the worst cases this can be 20 seconds. Even when users only have read access to the shared folders. Icons sometimes mysteriously disappear or the target ends up directed to a random machine on the network. The latter really slows things down. Considering making a system to maintain local icons as that's a lot more foolproof.
  3. gerardsweeney
    One possible suggestion here..

    When you created your "controlled" desktop/start menu - did you disable the shortcut tracking on the PC which you copied the shortcuts up to the shared folder?

    We found that with the out-the-box setup, you would end up with shortcuts that look like:

    c:\program files\app\app1.exe
    but was really pointing to
    \\pcname\c$\program files\app\app1.exe

    We disabled the shortcut tracking, and it worked after that.

    You can also - if memory serves - use shortcut.exe to strip the "clever" redirect out of the shortcuts.
  4. TheScarfedOne
    @Browolf - the latency you mention is the hazard of using a network path for the redirect. I actually use a local path - with some scripts that keep this up to date. I will do an updated copy of this post with the changes I actually use...
    Updated 15th November 2011 at 02:14 PM by TheScarfedOne
  5. burgemaster
    Just out of interest this is a USER policy so placed in the student or staff OU.
    How do you deal with different locations? e.g. In the library students need a different start menu to the ICT Suite.

    Currently we have loopback processing enabled and a GP in the COMPUTER OU for that group?
    Is there a better way? GPP ?
  6. TheScarfedOne
    I have two separate sets of policy.

    Users > Staff
    Users > Students

    and

    Computers > Terminal Servers > Staff (Loopback)
    Computers > Terminal Servers > Students (Loopback)

    As regards different start menus for specific parts of the site - no. Most software is across site. Yes there will be some "dead links" but there aren't many.

    I've tried GPP for start menus, but it does add to the logon/startup time. As ours don't change much - and we can roll out changes either by script or SCCM, there are better ways of managing it.
  7. lafleur1977
    Thanks for the post of start menu redirection - I found it useful to confirm I have been setting mine up right. I am having one problem though with Windows 7/2008. Start menu redirects fine, as the event log confirms, but the second time a user logs in the start menu shortcuts from the redirected start menu seem to go 'inactive'. It's really strange but they are present with icons and when you click on them the start menu closes instantly. I have set it up as you have in netlogon with the same group policy settings. Works absolutely fine on XP... Any ideas?

    Thanks
    Updated 15th May 2012 at 11:35 PM by lafleur1977
  8. GrahamCT
    Quote Originally Posted by lafleur1977
    Thanks for the post of start menu redirection - I found it useful to confirm I have been setting mine up right. I am having one problem though with windows 7/2008. Start menu redirects fine, as the event log confirms, but the second time a user logs in the start menu shortcuts from the redirected start menu seem to go 'inactive'. Its really strange but they are present with icons and when you click on them the start menu closes instantly. I have set it up as you have in netlogon with the same group policy settings. Works absolutely fine on XP... Any ideas?

    Thanks
    I'm getting this exact fault too at one of our sites. We've got redirected start menus/desktops with Win7 at numerous sites but this one seems to be the only one with this problem so think it's more of a peculiar quirk rather than a Win7/redirected start menus fault.

    On first login all shortcuts are fine from the redirected start menu but on second login those in the root (\\servername\share$\startmenu\programs\) are inactive as you say. Not able to launch or even right click. We've also found programs within folders (for example \\servername\share$\startmenu\programs\MS Office) are fine.

    If we delete the locally cached profile then the start menu will be fine on the next login but on subsequent logins the fault returns. Also found that on second logins (and beyond) the search programs bar from the start menu doesn't find any programs whilst it does on first login.

    I don't think this is a security fault because if I create a shortcut on the user's desktop to the redirected start menu they are able to launch all shortcuts perfectly.

    Something must be changing in the local profile from 1st to 2nd login which breaks this part of the start menu. :-/
  9. lafleur1977
    @GrahamCT

    I have since fixed this problem. I was storing the start menu folders in netlogon so I tried creating a new dedicated share on another server called redirection. I used the domain users security group for share and security permissions and then created various subfolders in the directory for different users' start menus and desktops. One thing I did notice was regarding the share permissions. I initially gave domain users 'read' but the original problem on second login then occurred so I had to grant domain users 'change'. On security permissions I gave domain users 'read'. E.g.

    server\redirection$\staff\start menu
    \desktop
    server\redirection$\students\start menu
    \desktop

    Hope this helps.
  10. GrahamCT
    Ahh yes!

    Change permissions on the share was the fix. Once this was added the fault vanished.

    Cheers Lafleur1977.
  11. Darylrese
    Anyone know how to populate the start menu rather than just the all programs menu??
  12. chazmaniac888
    I found this a really great article. Am hoping that a part 2 has been written?

    "I personally redirect to a local copy of the structure I have on the Server. This is maintained by a Startup Script. This I will cover in a 2nd part to this article, including the script used." -

    Would love to know more about this as I generally use a UNC to the server but this takes sometimes quite a while on network that I have managed before.
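
For the shortcut-tracking problem discussed in the comments above, an added example (not code from the post or from any commenter): this PowerShell lists shortcuts under the shared tree that still carry a link-tracking block, along with the machine name stored in it. The block layout is from Microsoft's MS-SHLLINK specification; the byte scan is a heuristic rather than a full .lnk parse, and `$Root` uses the article's placeholder domain.

```powershell
# Added example, not from the original post or its comments.
$Root = '\\DomainNameHere\NETLOGON\Environment'   # placeholder domain name from the article

# TrackerDataBlock header (MS-SHLLINK), little-endian:
#   BlockSize 0x00000060, BlockSignature 0xA0000003, Length 0x00000058.
# A 4-byte Version follows, then the 16-byte NUL-padded MachineID at offset 16.
$header = [byte[]](0x60,0,0,0, 0x03,0,0,0xA0, 0x58,0,0,0)

function Get-LnkTrackerMachine {
    param([Parameter(Mandatory=$true)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Start after the fixed 76-byte ShellLinkHeader; stop where a full block no longer fits.
    for ($i = 76; $i -le $bytes.Length - 0x60; $i++) {
        $hit = $true
        for ($j = 0; $j -lt $header.Length; $j++) {
            if ($bytes[$i + $j] -ne $header[$j]) { $hit = $false; break }
        }
        if ($hit) {
            $raw = [System.Text.Encoding]::ASCII.GetString($bytes, $i + 16, 16)
            return $raw.Split([char]0)[0]      # name of the PC the shortcut was created on
        }
    }
    return $null                               # no tracking block found
}

# Report every shortcut in the shared tree that still names a source machine.
Get-ChildItem -LiteralPath $Root -Recurse -Filter *.lnk | ForEach-Object {
    $machine = Get-LnkTrackerMachine -Path $_.FullName
    if ($machine) {
        [pscustomobject]@{ Shortcut = $_.FullName; CreatedOn = $machine }
    }
}
```

Shortcuts that appear in the output were copied up with tracking data intact and are the ones to recreate or clean before publishing them to every workstation.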
