In a Windows Active Directory Domain additionally to having userprofiles on a server you can have a seperate user profile.

This profile is called terminalserver-profile and hence the name is only used if the user is working on a terminal server.

This way you only have to have one account per user, have a personalized profile optimized for working on a terminal server and the user has to remember just one Account / Password. (!)

If you want to roll out this sort of profile in an existing domain, depending on its size, it can become a very tiring job.
Jobs like this are perfect for scripting and in Windows this means Powershell.

A sad fact is that this profile path cannot be set using Get-Aduser and Set-Aduser.

Powershell Fu

We define a variable $user and provide using [ADSI]“LDAP://“ the canonical name of the users an.
In my example I point to the AD-Account tstest in the OU SBSUsers.

$user = [ADSI]”LDAP://CN=tstest,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=xxx,DC=local

If you do not want to read this value manually from the ADSI Editor, first save the ad user object to a variable using get-aduser.

$findme = get-aduser -Identity tstest

Another way to do this:

$findme = Get-ADUser -Filter {(Name -Like “tstest*”)}

This object has the “DistinguishedName” property, access it:

$usersCN = ($findme.DistinguishedName)

Now we build the complete canonical name:

$user = [ADSI]”LDAP://$usersCN

The property “terminalservicesprofilepath” of the user tsts (stored on the object $user) can now be changed using $user.psbase.Invokeset(“Property”,”New Value”).


Finally we have to write the changes to the AD:




Blow you will find an example script.