With VMware View and RDP the administrator can redirect the client drives to the virtual desktop through a standard RDP function. The client drives are connected as network drives. Without any additional configuration all local client drives will be redirected to the virtual desktop.
In the screenshot you can see the My Computer window on a virtual desktop where the local client drives from the connecting client are redirected (A, D, C on WINXP). In this case the user can access all data stored on his client device. Sometimes this is undesired and needs to be prohibited. There are two ways to do that:
- Using the client.adm GPO template delivered with the View installation, on the client device
- Using a standard Active Directory Policy applied to the virtual desktop
There are some differences between the two solutions:
View Policy (VDM_Client.adm)
The VDM_Client.adm file is a template for Active Directory GPOs. The ADM can be opened and centrally managed with the Microsoft Group Policy Editor. The filename already indicates where to apply it: vdm_client.adm is used on the connecting device, and vdm_agent.adm on the View Agent, that is, the virtual desktop. This policy is user-based, not machine-based.
What does that mean?
It means that the client needs to be a member of the Active Directory to get the policies applied to the desktop operating system. That's no problem in a LAN, but what about when the client connects over the Internet? Also, the policy must be applied to the user OU and not to the machine OU. Judging by the VMware web forums, this is a common issue when evaluating or configuring a View environment.
(The RDP settings for the client are user-based and need to be applied to a user and not a machine.)
Integrated Active Directory Policy
In the Active Directory there is already a group policy object which can control client drive access centrally. In contrast to the vdm_client.adm file, this policy is machine-based and not user-based, which means that it needs to be applied to machines. Additionally, the policy is not applied to the client device; it needs to be applied to the virtual desktop. In this case there is no requirement for the client device to be a member of the Active Directory domain.
If you apply the policy to the desktops organizational unit the client drives will no longer be redirected.
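To confirm on a virtual desktop that the machine-based policy has taken effect, the following check can be run in the user's session. It is an added example, not part of the original article or of VMware's tooling; it assumes the integrated policy is the Terminal Services setting "Do not allow drive redirection", stored as the fDisableCdm registry value, and that redirected drives are reachable as \\tsclient\<letter>.

```powershell
# Added verification example; run inside the user's session on the virtual desktop.
# Assumption: the integrated policy is "Do not allow drive redirection", stored as
# fDisableCdm (DWORD) under the Terminal Services machine policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-DriveRedirectionPolicy {
    # Returns 'NotConfigured', 'Blocked' or 'Allowed' for the machine policy.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'fDisableCdm' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.fDisableCdm -eq 1) { return 'Blocked' }
    return 'Allowed'
}

function Get-RedirectedClientDrive {
    # Redirected drives are exposed to the session as \\tsclient\<letter>.
    # The FileSystem:: prefix keeps the test valid from any current location.
    foreach ($code in 65..90) {
        $unc = '\\tsclient\{0}' -f [char]$code
        if (Test-Path -Path "FileSystem::$unc") { $unc }
    }
}

$policy = Get-DriveRedirectionPolicy
$drives = @(Get-RedirectedClientDrive)

"Machine policy state : $policy"
if ($drives.Count -gt 0) {
    "Redirected drives    : $($drives -join ', ')"
} else {
    'Redirected drives    : none'
}

if ($policy -ne 'Blocked') {
    'FINDING: policy not in effect. Check that the GPO is linked to the desktops OU (machine-based), then run gpupdate /force.'
} elseif ($drives.Count -gt 0) {
    'FINDING: policy is set but client drives are still visible. Log off and reconnect, then check again.'
} else {
    'OK: client drive redirection is blocked for this session.'
}
```

A "NotConfigured" result together with visible drives matches the default behaviour described at the top of the page, where all local client drives are redirected.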
When using the client ADM file, issues sometimes arise because the file is used incorrectly. Most often administrators try to apply the policy to the virtual desktop, which is wrong for the vdm_client.adm file. The file is user-based and needs to be applied to the user or user OU.