How to make user profiles delete themselves in any VDI environment
Do you need to keep Windows profiles but delete virtual desktops from shared machines? Nonpersistent desktops and these Active Directory tricks can help.
One of my customers recently had a very common problem: The organization wanted to create an environment for people using common machines, but it didn't want user profiles to exist after each person logged off the desktop. However, each user needed his own profile so that his home drive could be mapped and his basic Group Policy Objects could be applied.
There are two ways to solve this problem: You can use nonpersistent desktops in a product such as View or XenDesktop, or you can use some Active Directory tricks.
The nonpersistent desktop is very straightforward in VMware View. When creating a pool of desktops, use linked clones. While creating the desktop pool, click "delete after logoff" in the configuration. Each desktop will then destroy itself after the user logs off, creating an environment that will always present a new desktop.
In Citrix XenDesktop, the disk has to be set to nonpersistent, which resets the desktop each time the virtual machine is rebooted. Of course, this method requires that the organization buy VMware View Premier with linked clones. What about the organizations that did not go with View or XenDesktop?
Well, there are three other ways to do this, but I have found one to be the simplest. The first Active Directory trick is to use mandatory profiles. Note that they are basically a form of roaming profiles, which many virtual desktop infrastructure (VDI) architects have been trying to get away from. A mandatory profile is basically a predefined roaming profile that is applied for all users when they log in. When they log off, you would delete their profiles and reset them to re-download on login. In this scenario, mandatory profiles must be created and managed.
The second trick is to use a Microsoft tool called Delprof.exe. The User Profile Deletion Utility can delete all profiles on a Windows machine to clean it up. The only problem is that this tool has to be run as an administrator. Therefore, it is harder to run at every user login or logoff, but it is easier to run on a nightly schedule.
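One way to run the nightly cleanup described above, as an added example that is not from the original article: it uses the built-in Win32_UserProfile CIM class and the ScheduledTasks cmdlets rather than Delprof.exe. The task name, the 02:00 schedule and the `$KeepAccounts` allow-list are assumptions, and it expects Windows 8/Server 2012 or later.

```powershell
# Added example: nightly removal of unloaded local profiles on a shared machine.
# Assumed: saved as a .ps1 file and run from an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$OlderThanDays = 0,                        # 0 = every unloaded profile
    [string[]]$KeepAccounts = @('Administrator'),   # constructed allow-list
    [switch]$Register                               # install the nightly task
)

if ($Register) {
    # Run this same script every night at 02:00 as SYSTEM (assumed schedule).
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -File `"$PSCommandPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
                   -LogonType ServiceAccount -RunLevel Highest
    if ($PSCmdlet.ShouldProcess('Nightly profile cleanup', 'Register scheduled task')) {
        Register-ScheduledTask -TaskName 'Nightly profile cleanup' `
            -Action $action -Trigger $trigger -Principal $principal | Out-Null
    }
    return
}

$cutoff = (Get-Date).AddDays(-$OlderThanDays)

$stale = Get-CimInstance -ClassName Win32_UserProfile | Where-Object {
    -not $_.Special -and            # skip system and service profiles
    -not $_.Loaded -and             # skip profiles of logged-on users
    ($null -eq $_.LastUseTime -or $_.LastUseTime -le $cutoff) -and
    # Folder-name match is a simplification; names such as user.DOMAIN will not match.
    ($KeepAccounts -notcontains (Split-Path -Path $_.LocalPath -Leaf))
}

foreach ($userProfile in $stale) {
    if ($PSCmdlet.ShouldProcess($userProfile.LocalPath, 'Delete user profile')) {
        # Removes the profile folder and its ProfileList registry entry.
        Remove-CimInstance -InputObject $userProfile
        Write-Output "Removed $($userProfile.LocalPath) (SID $($userProfile.SID))"
    }
}
```

Run it once with `-WhatIf` to list the profiles that would be deleted, then run it with `-Register` to install the nightly task.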
My favorite way to set up nonpersistent desktops is to place the user in two different organizational units (OUs). Users can belong to their standard OUs, and they can be placed in the "Domain Guests" OU. The Domain Guests OU will force users to be treated as guests, with many restrictions such as the automatic deletion of their profiles upon exiting. The only problem that I have found is that a small set of folders gets left behind, but they can be cleaned up on a periodic basis.
When design criteria require user profiles and the deletion of desktops, there are multiple ways to accomplish this through new technology as well as some built-in tricks.
Author's note: I would like to thank IT experts Ron Oglesby and Rob Zylowski for helping me to test multiple solutions.
ABOUT THE AUTHOR
Brad Maltz is CTO of International Computerware, a national consulting firm focused on virtualization and storage technologies. He holds certifications from VMware and EMC for many technologies. Maltz can be reached at [email protected] for any questions, comments or suggestions.