Initial Configuration Using an Active Directory Group Policy Object

How the Group Policy Object Settings Work

After installing User Environment Manager, you have a couple of options for configuration. You can use the VMware-provided administrative templates for Active Directory Group Policy Objects, or you can use the XML-based option called NoAD mode.

This section assumes you have chosen to use AD GPOs.

The FlexEngine GPO has required and optional settings, and gives administrators the flexibility to manage multiple environments. The topic that follows, Configuring the FlexEngine Group Policy Object, provides additional detail on the configuration options for this GPO.

Copy the Administrative Templates to the Domain Controller

To configure settings for end users, you can use the administrative templates that are provided in the download package.

You must copy the administrative template files to the correct folder on the domain controller.

1. Copy the Administrative Templates Folder to the Domain Controller

The Administrative Templates (ADMX) folder is included in the same download package that contains the User Environment Manager installer. If necessary, you can download this package from the VMware Download page.

2. Copy the Administrative Template Files

Select and copy all the ADMX files inside the Administrative Templates (ADMX) folder.

3. Paste the ADMX Files in the Correct Location

Paste the files in the PolicyDefinitions folder on the domain controller. The location of this folder might vary, but often the location is C:\Windows\PolicyDefinitions.

Note: If you use a central store for administrative templates, you should instead copy the files to the Sysvol share on the primary domain controller, in the following location:

\\<PDC-name>\SYSVOL\<domain-name>\Policies\PolicyDefinitions

In this path, <PDC-name> is the name of the primary domain controller, and <domain-name> is the fully qualified DNS name of the domain in which the domain controller is located.

4. Copy the Language Files

  1. Open the en-US folder included in the Administrative Templates (ADMX) folder.
  2. Select and copy all the ADML files in the en-US folder.

5. Paste the ADML Files in the Correct Location

Paste the ADML files into the en-US folder inside the PolicyDefinitions folder on the domain controller. The location of this folder might vary, but often the location is C:\Windows\PolicyDefinitions\en-US.

Note: If you use a central store for administrative templates, you should instead copy the files to the Sysvol share on the primary domain controller, in the following location:

\\<PDC-name>\SYSVOL\<domain-name>\Policies\PolicyDefinitions\en-US
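The copy steps above can also be scripted. The following PowerShell is an added example, not part of the VMware download package; the parameter names ($Source, $PdcName, $DomainName) are assumptions chosen for illustration. It copies the ADMX and en-US ADML files to the local or central-store PolicyDefinitions folder and confirms each copy by hash.

```powershell
# Added example, not VMware code. Parameter names are illustrative assumptions.
param(
    [Parameter(Mandatory)] [string] $Source,   # extracted "Administrative Templates (ADMX)" folder
    [string] $PdcName,                         # supply both values only if you use a central store
    [string] $DomainName
)

$Source = (Resolve-Path -LiteralPath $Source).Path
if ($PdcName -and $DomainName) {
    $target = "\\$PdcName\SYSVOL\$DomainName\Policies\PolicyDefinitions"
} else {
    $target = Join-Path $env:windir 'PolicyDefinitions'   # often C:\Windows\PolicyDefinitions
}
$langTarget = Join-Path $target 'en-US'
foreach ($dir in $target, $langTarget) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { throw "Folder not found: $dir" }
}

# Steps 2 and 4: all ADMX files, and all ADML files from the en-US subfolder.
$admx = @(Get-ChildItem -LiteralPath $Source -Filter *.admx -File)
$adml = @(Get-ChildItem -LiteralPath (Join-Path $Source 'en-US') -Filter *.adml -File)
if ($admx.Count -eq 0) { throw "No ADMX files found in $Source" }

# A template without its language file will not display correctly in the editor.
foreach ($f in $admx) {
    if ($adml.BaseName -notcontains $f.BaseName) {
        Write-Warning "No en-US language file found for $($f.Name)"
    }
}

# Steps 3 and 5: pair every file with its destination.
$pairs  = @($admx | ForEach-Object { @{ From = $_.FullName; To = Join-Path $target $_.Name } })
$pairs += @($adml | ForEach-Object { @{ From = $_.FullName; To = Join-Path $langTarget $_.Name } })

foreach ($p in $pairs) {
    # -Force overwrites an older copy of the same template.
    Copy-Item -LiteralPath $p.From -Destination $p.To -Force
    $src = (Get-FileHash -LiteralPath $p.From -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $p.To   -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Hash mismatch after copy: $($p.To)" }
    "Copied and verified: $($p.To)"
}
```

Run it from an account that has write access to the target folder; omit $PdcName and $DomainName to use the local PolicyDefinitions folder.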

The following ADMX video provides a detailed demonstration of the steps outlined in this section. If you need additional detail, you can find it here. If you already installed the ADMX and ADML files, feel free to skip the video. This video is 1 minute.

Create and Configure the FlexEngine Group Policy Object

Now that you have copied the User Environment Manager administrative templates to the correct location on the domain controller, you can create a GPO and use the templates with this GPO. In this exercise, you configure all the required policy settings to enable User Environment Manager, and you create some optional policies.

The GPO you create in this exercise applies to an organizational unit (OU) that contains instant-clone virtual desktops. You configure the following policies, some of which are user-based, and some, computer-based:

  • Enable FlexEngine to wait for the network at computer startup and logon – (Required) This computer-based setting ensures that the FlexEngine (that is, the User Environment Manager agent) Group Policy client-side extension runs every time a user logs in. If this extension does not run, User Environment Manager settings cannot be applied.
  • Enable Group Policy loopback processing mode – This computer-based setting is necessary because the GPO is applied to an OU containing computer rather than user objects.
  • Set the path to the User Environment Manager configuration share – (Required) This user-based setting is necessary so that the agent can read the configuration file and apply the appropriate application and environment settings for the end user.
  • Enable the FlexEngine to run as a Group Policy extension – (Required) With this user-based setting enabled, the settings that User Environment Manager manages are applied earlier during the login phase than if FlexEngine were instead run from a login script.
  • Set the path to the Profile Archives share – (Required) This user-based setting is necessary so that the agent can read the archive settings for a specific user to apply the correct profile. The agent also saves user settings in this folder.
  • Set the path to the Profile Archives backups – With this user-based setting, you can specify the location and number of backups to retain.
  • Enable FlexEngine logging – With this user-based setting, you can specify the location, logging level, and file size of the log file for the User Environment Manager agent.
  • Enable a logoff script – (Required) With this user-based setting, you specify a command-line command so that when a user logs out, FlexEngine reads the settings configured through the User Environment Manager Group Policy Object and stores the settings.

Prerequisites for Configuring the GPO

Before you begin this exercise, verify the following:

  • You have completed all the Installation exercises, and you know the paths to the User Environment Manager configuration share and the profile archives share.
  • The User Environment Manager ADMX and ADML files are placed on the domain controller, as described in Copy the Administrative Templates to the Domain Controller.
  • You have credentials for a computer that can access the Microsoft Group Policy Management Console (GPMC) and the domain controller.

There are a number of ways to configure and apply GPOs. This exercise provides only one example.

1. Create a GPO for an OU That Contains Virtual Desktops

  1. Open Microsoft GPMC.
  2. Browse to the OU that contains the computer objects for your virtual desktops.
  3. Create a new GPO, and link it to this OU.

2. Enable FlexEngine to Wait for the Network

  1. Edit the new GPO in the Group Policy Management Editor.
  2. Navigate to Computer Configuration > Policies > Administrative Templates > System > Logon.
  3. Edit the policy setting Always wait for the network at computer startup and logon and set it to enabled.

This setting ensures that the FlexEngine Group Policy client-side extension runs every time a user logs in. For more information, see Troubleshoot GPO Settings.

3. Enable Loopback Processing

  1. Navigate to Computer Configuration > Policies > Administrative Templates > System > Group Policy.
  2. Edit the policy setting Configure user Group Policy loopback processing mode and set it to enabled.

4. Locate the Flex Config Files Policy

  1. Navigate to User Configuration > Administrative Templates > VMware UEM > FlexEngine.
  2. Double-click the Flex config files policy setting.

Note: If you cannot find the VMware UEM FlexEngine policies, verify that you copied the administrative templates to the correct location, as described in Copy the Administrative Templates to the Domain Controller.

5. Configure the Flex Config Files Policy

  1. Enable the policy. This is a mandatory setting to enable FlexEngine.
  2. Provide the path to the configuration share you created as part of the exercise Create and Configure the User Environment Manager Configuration Share.

    Be sure to append General to the end of the path because this folder is automatically created by User Environment Manager.

6. Set FlexEngine to Run as a Group Policy Extension

  1. In the Group Policy Management Editor dialog box, navigate to User Configuration > Administrative Templates > VMware UEM > FlexEngine, and double-click the Run FlexEngine as Group Policy Extension policy setting.
  2. Enable the policy. This is a mandatory setting to enable FlexEngine.

You must either enable this policy or configure a policy to run FlexEngine as a logon script. We recommend enabling this policy rather than running FlexEngine as a logon script.

7. Configure the Profile Archives Policy

  1. In the Group Policy Management Editor dialog box, navigate to User Configuration > Administrative Templates > VMware UEM > FlexEngine, and double-click the Profile archives policy setting.
  2. Enable the policy. This is a mandatory setting to enable FlexEngine.
  3. Provide the path to the profile archives share you created as part of the exercise Create and Configure the Profiles Share.

    Be sure to append %username%\Archives to the end of the path so that a unique subfolder can be created for each user. The personal user settings are read from this share at login or at application start and are written back at application exit or at logout.

The policies circled in the following figure represent a minimum configuration for FlexEngine.

8. Configure the Profile Archives Backup Policy

  1. In the Group Policy Management Editor dialog box, navigate to User Configuration > Administrative Templates > VMware UEM > FlexEngine, and double-click the Profile archives backups policy setting.
  2. Enable the policy. This policy is recommended but not required.
  3. Provide the path to the profile archives share you created as part of the exercise Create and Configure the Profiles Share.
    Append %username%\Backups to store the profile backups in the user directory. For this example, the following path is used: \\file\UEM_Profiles\%username%\Backups
  4. Enter 5 for the number of backups.

9. Configure FlexEngine Logging

  1. In the Group Policy Management Editor dialog box, navigate to User Configuration > Administrative Templates > VMware UEM > FlexEngine, and double-click the FlexEngine logging policy setting.
  2. Enable the policy. This policy is recommended but not required.
  3. Provide the path to the profile archives share you created as part of the exercise Create and Configure the Profiles Share.
    Append %username%\Logs\FlexEngine.log to store the log files in the user directory. For this example, the following path is used: \\file\UEM_Profiles\%username%\Logs\FlexEngine.log
  4. Set the log level to Debug.

Important: Set the log level to Debug only for evaluation or troubleshooting purposes. For production implementations of User Environment Manager, consider enabling debug logging for individual users as described in the VMware KB article Enabling debug logging for a single user in VMware User Environment Manager (2113514).

The following figure shows the recommended FlexEngine policies to enable and configure for User Environment Manager.

10. Add a Windows Logoff Policy

  1. Navigate to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff).
  2. In the right pane, double-click Logoff to open the Logoff Properties window.
  3. Select Add.

11. Configure the Logoff Script

  1. Enter the path to the location where FlexEngine.exe is installed on the Windows virtual desktops.
    The default path is C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe.
  2. Enter -s in the Script Parameters field.

The -s flag tells FlexEngine to store the settings configured through the User Environment Manager Group Policy Object. The settings are stored in the Archives folder for the user on the profile archives share.
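Once the GPO is configured, you can confirm that the required settings from this exercise are in place. The following PowerShell is an added example, not VMware code: it reads the GPO's XML report through the GroupPolicy module and checks the policy names used in the steps above. The GPO name 'UEM FlexEngine' is a hypothetical placeholder.

```powershell
# Added example, not VMware code. Audits a GPO against the required settings on this page.
Import-Module GroupPolicy
$GpoName = 'UEM FlexEngine'   # hypothetical name; use the GPO you created in step 1

[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml

# Child element text by local name, so the report's namespace prefixes do not matter.
function Get-ChildText($node, $name) {
    $child = $node.SelectSingleNode("*[local-name()='$name']")
    if ($child) { $child.InnerText.Trim() } else { '' }
}

# Policy display names from the steps above, mapped to text the setting must contain.
$required = [ordered]@{
    'Always wait for the network at computer startup and logon' = $null
    'Configure user Group Policy loopback processing mode'      = $null
    'Flex config files'                                         = '\General'
    'Run FlexEngine as Group Policy Extension'                  = $null
    'Profile archives'                                          = '%username%\Archives'
}

$findings = [System.Collections.Generic.List[string]]::new()
$policies = $report.SelectNodes("//*[local-name()='Policy']")
foreach ($name in $required.Keys) {
    $p = $policies | Where-Object { (Get-ChildText $_ 'Name') -eq $name } | Select-Object -First 1
    if (-not $p -or (Get-ChildText $p 'State') -ne 'Enabled') {
        $findings.Add("MISSING: '$name' is not enabled")
    } elseif ($required[$name] -and $p.InnerText -notlike "*$($required[$name])*") {
        # For example, a profile archives path without %username% is not a per-user folder.
        $findings.Add("CHECK: '$name' does not contain $($required[$name])")
    }
}

# Steps 10 and 11: a Logoff script entry that runs FlexEngine.exe with -s.
$logoff = $report.SelectNodes("//*[local-name()='Script']") | Where-Object {
    (Get-ChildText $_ 'Type') -eq 'Logoff' -and
    (Get-ChildText $_ 'Command') -like '*FlexEngine.exe*' -and
    (Get-ChildText $_ 'Parameters') -eq '-s'
}
if (-not $logoff) { $findings.Add('MISSING: logoff script FlexEngine.exe -s') }

if ($findings.Count) { $findings; exit 1 }
"OK: required FlexEngine settings are present in '$GpoName'"
```

The script only reads the GPO, so it can be rerun after any later change as a regression check.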

The following ADMX video provides a detailed demonstration of the steps outlined in this section. If you need additional detail, you can find it here. This video is 1 minute.