Computer-specific desktop shortcuts and Folder Redirection

Moltuae

This is one that has always frustrated me because there seems to be no elegant solution. I have used one or two workarounds in the past, which I'll get to in a moment, but I'd like to hear any thoughts or solutions y'all might have ...

So a very common setup for me is to use Folder Redirection (for obvious reasons) and have one or more RDSH servers (usually virtual). The RDSH (or RDSH collection) serves 2 purposes; it provides a virtual desktop for remote users (over VPN) and it provides access to certain applications to local users in the form of published RemoteApps.

I have numerous GPOs that create desktop shortcuts but of course the RemoteApp shortcuts should ideally only appear on the user's desktop when they're logged into a local workstation, not when they're logged into an RDSH. For example, when a member of the 'Accounts' security group logs in, they need to get a shortcut to the Sage 50 Accounts application when logged into the RDSH and to the Sage 50 Accounts RemoteApp when logged into a workstation (because Sage 50 Accounts is not installed on every workstation). The problem is, thanks to Folder Redirection, both shortcuts appear, regardless of GPO user/computer targeting or whether the user is logged into the RDSH or a workstation, which isn't ideal.

Now I realise I can use the "Remove this item when it's no longer applied" property to remove the relevant unwanted shortcuts at login, but here's the problem with that:
  • User logs into a workstation.
  • Shortcuts for the RDSH-installed applications are removed from the desktop.
  • Shortcuts for the RemoteApps are added to the desktop (OK so far ...).
  • (But then ... ) User opens a RemoteApp, which essentially means they're logging in to an RDSH.
  • RDSH login policy triggers, removing the RemoteApp shortcut from the user's desktop.
One workaround I have used is to make a single 'smart' shortcut, one which (to the end user) appears to be a regular program shortcut but is in fact a shortcut to a batch script I wrote, such as this (below), which checks to see if the program's folders exist before reverting to launching the RemoteApp. Alternatively the batch script might check where it's running from by using tell-tale signs such as the computer's name ...

Code:
@Echo Off

:: Local App Target
SET LocalApp=C:\Program Files (x86)\Sage\Accounts\SBDDesktop.exe
:: Local App Arguments
SET LocalArgs={DAF725D1-AA29-4801-9FD8-A3C6E51B3B5A}
:: Local App 'Start In'
SET LocalStart=C:\Program Files (x86)\Sage\Accounts\

:: Remote App Alias
SET RemoteApp=SBDDesktop

:: Check if app exists locally first
IF EXIST "%LocalApp%" (
    REM Use locally installed copy instead. REM is used here rather than ::
    REM because :: inside a parenthesised block can break cmd's parsing.
    REM /d also switches drive in case the script was started from a
    REM redirected (network) desktop folder.
    cd /d "%LocalStart%"
    "%LocalApp%" "%LocalArgs%"
    EXIT
)

(This is part of a longer script -- I've omitted the irrelevant stuff and the part that starts the RemoteApp)


Thinking about this as I write, I suppose one solution would be to not use the desktop at all and instead create pinned Taskbar or Start Menu shortcuts. But I prefer to let users choose what they want to pin and I think most users prefer a desktop shortcut.

Any thoughts or suggestions?
 
I gave up on redirected folders and roaming profiles years ago, they just don't work correctly unless you throw too much server at them.

But as for your problem, why aren't you using recursive policies assigned to the RDS computer accounts? That's how you get user policies on the RDS servers that only apply to users when they log into the RDS servers. You can do the same thing with an account with computer members on the desktop side.
 
I gave up on redirected folders and roaming profiles years ago, they just don't work correctly unless you throw too much server at them.
I don't use roaming profiles either (definitely too unreliable IMO, and vulnerable to corruption) but I always use Folder Redirection. Never had any issues with Folder Redirection, ever. And (without it) how else would you keep user data from being stored on the workstations?

But as for your problem, why aren't you using recursive policies assigned to the RDS computer accounts? That's how you get user policies on the RDS servers that only apply to users when they log into the RDS servers. You can do the same thing with an account with computer members on the desktop side.
I am. The problem is, because the shortcuts are in a folder that is subject to Folder Redirection (in this case the desktop), the shortcuts are redirected too. Which, like I said, can usually be overcome by implementing the "Remove this item when it's no longer applied" property in the GPO, but that's also problematic when using RemoteApps, as I explained in my OP.
 
So make a set of shortcuts that aim at a mapped drive, and change that drive depending on which endpoint?

As for the data on the workstations, that's what OneDrive is for. I don't do squat, that's the user's problem. I provide protected storage, they either use it or they don't. Management puts the onus on the employee to know WTF they are doing and where things are stored. We don't want user data in user folders, that's impossible to be found later when a new employee needs it. Departmental shares are used, and enforced.
 
So make a set of shortcuts that aim at a mapped drive, and change that drive depending on which endpoint?
Not a bad idea. With the shortcuts inside a folder you mean? Or do you mean create 'shortcuts to shortcuts' (desktop shortcuts that link to shortcuts in the mapped drive)? That might work. Although it would probably be necessary to use locally stored shortcut icons (which is trivial enough of course) since Windows has a habit of not displaying/refreshing desktop icons unless they're immediately available at login.

As for the data on the workstations, that's what OneDrive is for. I don't do squat, that's the user's problem. I provide protected storage, they either use it or they don't. Management puts the onus on the employee to know WTF they are doing and where things are stored. We don't want user data in user folders, that's impossible to be found later when a new employee needs it. Departmental shares are used, and enforced.

You use OneDrive for backing up user data and files in a domain environment? But surely that means the data is stored on the workstations and that you have to manually log each user into their OneDrive accounts and configure them? I suppose as long as you're using full drive encryption and strong login passwords, workstation data security isn't too much of an issue. But what do you use to encrypt/decrypt 'at rest' user data held on OneDrive's servers? And how do you handle data storage scalability on all the local drives? That all seems like a lot of extra work and maintenance to me. We use OneDrive but only to enable staff to share files with people outside of the organisation and they are warned that they must not store anything sensitive/confidential in their OneDrive account (at least not without encrypting it first).

I like to keep everything centrally managed in any domain environment. Folder Redirection ensures that no user files are held on the workstations, which helps make them expendable. If a workstation develops an issue, dies or even gets stolen, it merely gets replaced. Business continuity is restored in the time it takes to swap the workstation for a new one and log the user in (or instantly if there's a vacant workstation they can use).

At login, all the user's files, software and settings are restored by the GPs. Backups, versioning and restoration/recovery actions are greatly simplified because redirected user data is held in one parent folder (often duplicated across multiple servers using DFSR, but there's still just one folder to backup). And the data itself is held on each server in a separate RAID-protected SSD volume that has ample storage, yet it can easily be hot-swap upgraded if/when necessary.

For shared data, I use hierarchical (eg Directors, Management, Office, Accounts, Staff, etc) and departmental shares, with access granted to users by security group membership. New users are granted access to any necessary files simply by making them members of the appropriate group(s). If a member of staff leaves 'abruptly' and a new user needs access to something that was stored in the previous staff member's private folders (ie not already shared), the relevant files can simply be copied from one redirected folder to the other, all performed from the server, remotely, without even having to disturb any members of staff (I just 'msg' the users or drop them an email after the event, eg: "You should find the files you need are now on your desktop in a folder called ....").
 
OneDrive is on Azure, all of Azure is encrypted at rest by default. It's defended via multi-factor authentication. And yes, it is a ton of extra work, and it cannot be easily automated, and it's on the user to keep their junk straight. I provide departmental and individual shares for people to use for permanent storage, many just work out of that space. I leave how to do their jobs up to the individual in question.

I love Group Policy, but it's dead... You cannot use Microsoft 365 on a domain environment, it must be Azure AD, which isn't AD, and GPO has been replaced by Intune. The writing on the wall says AD is dead too... :(

I get what you're doing and why you're doing it I really do, but it's just not the way things must work in the future, and it's too hard to maintain on cheaper systems. Heck, redirected folders were DESTROYED with the 1809 rollout, that's why that version of Win10 was held back! That should tell you all you need to know about what Microsoft thinks of that feature.

But back to the topic at hand, yes put desktop shortcuts in the profiles that link to a mapped drive somewhere, that has symlinks in it to the actual things. That way you can use GPOs to swap the drive letter in question, and thus redirect the shortcuts to the thing you actually want.

I suppose it might be simpler to just use the subst command via login script to build the target folder... But all of this seems very hackish. There's got to be a more elegant solution.
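The "shortcuts that aim at a mapped drive" idea from the replies above, combined with the local-install check from the OP's batch script, as an added PowerShell example that is not code from anyone in this thread. It assumes a share `\\FS1\Shortcuts` with `RDSH\` and `Workstation\` subfolders, a free drive letter `S:`, an `RDSH*` computer-name convention as the tell-tale sign, a locally deployed icon file, and a RemoteApp `.rdp` file exported from the collection into the `Workstation` folder; all of those names are placeholders. The OP's Sage executable path and argument are taken from the script in the thread.

```powershell
# Added example (not from the thread's posts). Assumed names: \\FS1\Shortcuts,
# the RDSH* computer-name convention, the exported RemoteApp .rdp file and the
# local icon path. Exe path and argument come from the OP's batch script.

$ShareRoot   = '\\FS1\Shortcuts'             # assumed share holding RDSH\ and Workstation\
$DriveLetter = 'S:'                          # assumed free letter on every endpoint
$AppName     = 'Sage 50 Accounts'
$LocalExe    = 'C:\Program Files (x86)\Sage\Accounts\SBDDesktop.exe'
$LocalArgs   = '{DAF725D1-AA29-4801-9FD8-A3C6E51B3B5A}'
$IconPath    = 'C:\ProgramData\EndpointShortcuts\sage50.ico'   # assumed, deployed locally

# One-time admin step: populate the share so that BOTH subfolders contain a
# launcher with the same file name; only the launcher's contents differ.
function Initialize-ShortcutShare {
    $rdsh = Join-Path $ShareRoot 'RDSH'
    $wks  = Join-Path $ShareRoot 'Workstation'
    New-Item -ItemType Directory -Force -Path $rdsh, $wks | Out-Null

    # RDSH side: the application is installed locally, so run it directly.
    $rdshLauncher = @"
@Echo Off
cd /d "$(Split-Path $LocalExe)"
start "" "$LocalExe" "$LocalArgs"
"@
    Set-Content -Path (Join-Path $rdsh "$AppName.cmd") -Value $rdshLauncher -Encoding ASCII

    # Workstation side: prefer a local install if one exists (the OP's check),
    # otherwise open the RemoteApp via its exported .rdp file (assumed to be
    # placed in the Workstation folder by the administrator).
    $wksLauncher = @"
@Echo Off
IF EXIST "$LocalExe" (
    cd /d "$(Split-Path $LocalExe)"
    start "" "$LocalExe" "$LocalArgs"
    EXIT
)
start "" mstsc.exe "$DriveLetter\$AppName.rdp"
"@
    Set-Content -Path (Join-Path $wks "$AppName.cmd") -Value $wksLauncher -Encoding ASCII
}

# Per-logon step: map the drive letter to the subfolder matching this endpoint
# type, then make sure the (redirected) desktop holds ONE shortcut whose target
# path is identical everywhere. Returns the path of the shortcut it maintains.
function Invoke-EndpointShortcutLogon {
    # Tell-tale sign, as the OP mentions: an assumed computer-name convention.
    $isRdsh = $env:COMPUTERNAME -like 'RDSH*'
    $source = Join-Path $ShareRoot $(if ($isRdsh) { 'RDSH' } else { 'Workstation' })

    # Re-map on every logon. The mapping is session-scoped, so S:\ resolves to
    # different content in an RDSH session and in a workstation session.
    net use $DriveLetter /delete /y 2>$null | Out-Null
    net use $DriveLetter $source /persistent:no | Out-Null

    # GetFolderPath honours Folder Redirection, so the .lnk lands in the
    # redirected desktop; rewriting it is idempotent, nothing gets removed.
    $desktop = [Environment]::GetFolderPath('Desktop')
    $lnkPath = Join-Path $desktop "$AppName.lnk"
    $shell   = New-Object -ComObject WScript.Shell
    $lnk     = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath       = "$DriveLetter\$AppName.cmd"
    $lnk.WorkingDirectory = "$DriveLetter\"
    $lnk.IconLocation     = "$IconPath,0"   # local icon, so it renders at logon
    $lnk.WindowStyle      = 7               # start minimised: hides the cmd window
    $lnk.Save()
    return $lnkPath
}

# Usage: run Initialize-ShortcutShare once as an administrator, then deploy
# Invoke-EndpointShortcutLogon as the user logon script for all endpoints.
```

Because the desktop shortcut's target never changes, the logon that happens when a user opens a RemoteApp simply re-maps `S:` inside the RDSH session and leaves the shortcut in place, which sidesteps the "Remove this item when it's no longer applied" problem described in the OP. A fixed letter can collide with an existing mapping, so choose one reserved for this purpose, and keep the share read-only for users since its launcher files are executed from every desktop.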
 
I love Group Policy, but it's dead... You cannot use Microsoft 365 on a domain environment, it must be Azure AD, which isn't AD, and GPO has been replaced by Intune. The writing on the wall says AD is dead too... :(

For smaller organisations (just 1 or 2 DCs or physical servers), I think you're right; Microsoft will likely get their way, especially in the US. But, overall, domain-controlled networks and Active Directory aren't going away any time soon. Domain environments and group policy controls are still used extensively in larger organisations, and will be for the foreseeable future, especially outside the US. While Microsoft may be attempting to railroad organisations into using their cloud-based services, larger enterprises that must comply with GDPR, or those that value their data and prefer to remain in full control of it, will not succumb that easily.

I have some larger business customers with their own small data centres (around 10 physical servers and 20+ virtual). These organisations choose to operate their own private data centres for numerous reasons, not least because they value their data and independence. They don't wish to be at the mercy of their internet connectivity or some cloud-based services. Most also prefer to invest in their own infrastructure rather than rent shared resources on someone else's infrastructure. Not only does that ensure that their critical infrastructure is not controlled by a third party, but also that it can't be held to ransom by the service provider should rental fees escalate. All things considered, domains and AD are far from dead. In my experience, many larger enterprise organisations would rather switch to Linux than be forced to use Microsoft's cloud-based services.

Heck, redirected folders were DESTROYED with the 1809 rollout, that's why that version of Win10 was held back! That should tell you all you need to know about what Microsoft thinks of that feature.
And the issue was repaired again presumably? I wasn't even aware of any issues and I experienced no Folder Redirection problems, but then that's why feature updates are delayed in enterprise environments.

OneDrive is on Azure, all of Azure is encrypted at rest by default. It's defended via multi-factor authentication. And yes, it is a ton of extra work, and it cannot be easily automated, and it's on the user to keep their junk straight. I provide departmental and individual shares for people to use for permanent storage, many just work out of that space. I leave how to do their jobs up to the individual in question.

MFA only protects against the use of stolen/guessed login credentials. MFA is like putting extra locks on your front door; they might work well until you accidentally leave a window open. Real hackers don't use the front door. When a major Microsoft hack happens (and it will; with such a large target, it's only a matter of time) the hackers will more likely exploit a security vulnerability, or use leaked inside information to gain administrative-level access.

Cloud-based services are custodial services. While they may offer 'at-rest' encryption as a feature, it's important to remember that they're the ones encrypting (and decrypting) the data. In other words, the cloud service holds the keys and they (or anyone who gains admin access) have access to your data. There could be someone sifting through your cloud-stored data right now and you wouldn't even know. If you want to ensure data remains private, you should ensure that it is encrypted before it is uploaded to custodial services. Your keys, your data -- their keys, their data.

But back to the topic at hand, yes put desktop shortcuts in the profiles that link to a mapped drive somewhere, that has symlinks in it to the actual things. That way you can use GPOs to swap the drive letter in question, and thus redirect the shortcuts to the thing you actually want.

I suppose it might be simpler to just use the subst command via login script to build the target folder... But all of this seems very hackish. There's got to be a more elegant solution.
Precisely what I was thinking (that there has to be a more elegant solution). Mapped drives and symlinks is a good idea though. I might stick to my custom scripted-shortcuts for now, but I like that idea and might play around with it. Thanks very much for the suggestions and input :)
 
Can you just deploy the shortcuts to the computer, using the Public desktop? Or should users of the same computers be getting different shortcuts?
 
@Moltuae, the vulnerabilities in the Azure cloud that can allow for container breaches currently are all coming from issues in the CPUs on the hosts themselves. All these speculative execution bugs are a huge problem... But here's the rub...

They apply no matter where you are, and if you're colocating stuff in a datacenter you're working under the same risk. I don't care what the hypervisory fabric is made out of...

Though I do like the idea of some sort of file encryption system that runs on the client's own endpoint... I'll have to dig into that at some point because it would alleviate several potential risks. As for the business going splat when the Internet goes down? That's what fiber Internet connections are for. Or redundant connections, as the location may be. But before I even recommend those, I need clients to install generators that can power the entire building, because once on a single fiber line out here, the power is out far more frequently than Internet access.
 
Can you just deploy the shortcuts to the computer, using the Public desktop? Or should users of the same computers be getting different shortcuts?

Yep, different shortcuts for different groups unfortunately. There are a few common shortcuts, but those are already being deployed to the public desktop.


They apply no matter where you are, and if you're colocating stuff in a datacenter you're working under the same risk.
True. But a custodial cloud-storage service such as OneDrive presents a MUCH bigger target and offers far greater rewards for hackers than a small data centre that (for example) runs a couple of retail establishments. It's also easier to monitor and check the security of on-premise systems and to verify that no intrusions have occurred. When you entrust your data to cloud services you have to take their word for it that they will keep it secure. And hacking threats aside, such services might have any number of employees who are granted the power to access your private/sensitive data, not to mention the usual 3-letter agencies.
 
@Moltuae, preaching to the choir my friend, I've been advocating for investing in your own infrastructure my entire life. Sadly, people just aren't buying it. They just don't CARE about the 3 letter agencies here... Land of the free, we are not!
 