Citrix Presentation Server FAQ

FAQ DATASHEET

Profile Management Frequently Asked Questions

Table of Contents
GENERAL QUESTIONS
USER'S PROFILE AND SETTINGS
SERVICE INSTALLATION AND CONFIGURATION
ASSIGNING PROFILES
MIGRATING PROFILES

www.citrix.com

GENERAL QUESTIONS

How does Profile management work?

During logon, the Profile management service manages the user settings in a Citrix user profile. Upon logoff, it merges only the changed user settings back into the centrally stored user settings (the user's store). Profile management ensures that the deltas are tracked correctly and that designated settings are saved based on the latest change only. A more in-depth overview of Citrix Profile management is located here: http://community.citrix.com/x/aoeaag

Are any changes required with profiles or on the file share?

The users must have write access to their centrally stored profile location. It is best to use the existing user's home directory, since permissions are already set correctly, but any UNC path may be defined as long as it uniquely and correctly resolves for every user. Since the Profile management service runs before the user logs on, only system environment variables and AD attributes may be used. Two user environment variables are allowed by exception: %USERNAME% and %USERDOMAIN%. Basically, any variable that is set before a user logs on to a system may be used in the configuration.

When do the profile keys get written back to the user's central store?

Deltas to the user's profile are written back to the user's central store during logoff. The HKEY_CURRENT_USER registry settings are scanned and only the deltas are merged back to the NTUSER.DAT within the user's central store. Any changes in the files or folders that have been configured to be captured are copied back to the user's central store.

Does last writer win?

Last writer wins is prevented when it comes to the entire registry hive. Only the last write to defined files, folders, or registry keys wins. Profile management detects deltas and thus ensures that only the defined settings are overwritten. Compare this with roaming profiles, wherein the entire profile is overwritten and thus the last write wins.
Please see this blog for more in-depth details: http://community.citrix.com/x/oienag

How does Profile management improve logon/logoff performance?

Profile management can reduce user logon time by enabling administrators to exclude (and include) certain files and folders, so that extraneous settings are not needlessly copied with the profile. For example, some applications may create folders and files that account for tens or hundreds of megabytes of data that is not really required. Excluding these items makes the profile smaller, and smaller profiles load faster. Alternatively, you could elect to include only specific files and folders, thus keeping the amount of profile data managed within the user's profile to a minimum. There are a couple of blogs on this topic:
Profile Bloat: http://community.citrix.com/x/a4aaag
Improve logon speed: http://community.citrix.com/x/hyxuag

How does Profile management address profile bloat?

As described in the previous question, Profile management enables administrators to exclude (and include) certain files and folders, so that extraneous settings are not needlessly copied with the profile. For example, some applications may create folders and files in the Application Data profile folder that account for tens or hundreds of megabytes, which are excess baggage. Excluding these files and folders minimizes the extra data stored in a profile. Please refer to this blog for a more in-depth discussion of profile bloat: http://community.citrix.com/x/a4aaag

Why do folders I've excluded still show up in the user's store?

A more accurate description of the exclusion capability would have been "contents exclusion list". Essentially, any folder on the exclusion list will have its contents excluded, but the folder structure will still be created in the user store.

Is profile corruption reduced or managed better?

Profile corruption often occurs when an application improperly creates or writes settings, which is often referred to as profile inconsistency.
Corruption resulting from a network connectivity error is less likely to occur, and in most cases the OS manages it and recovers properly. Exposure to corruption of this nature is reduced by minimizing the amount of data that is copied and by limiting the extent of the damage to specific data if corruption occurs. Please refer to this blog for a more in-depth discussion of profile corruption vs. inconsistency: http://blogs.sepago.de/helge/2008/07/02/corrupt-user-profiles-dothey-even-exist/

User's Profile and Settings

Where are the user's profile settings and files stored?

The user's profile settings can be stored either on an administratively defined UNC path or on a path relative to the user's home directory. By default, the folder created in the %HOMESHARE% directory is named Windows, but it can be any name as defined in the configuration. In both cases, the path may include variables such as %USERNAME% and %USERDOMAIN%. The user needs write access to this folder. Within this path or folder, there is at least one subfolder named UPM_Profile, which contains the user's profile data. When using the extended synchronization capability (please refer to the Admin Guide for details), each drive letter will have an additional folder that follows the naming scheme UPM_Drive_<DriveLetter> (e.g. UPM_Drive_E for E:\).

Please note that since the Profile management service must know its configuration before the user logs on, only system environment variables and AD attributes may be used. Two user environment variables are allowed by exception: %USERNAME% and %USERDOMAIN%. Basically, any variable that is set before a user logs on to a system may be used in the configuration.

How does folder redirection work with Profile management?

Folder Redirection is automatically recognized, and Profile management will not sync those folders and files. Folder redirection is recommended to ensure that user data stored in those folders is segregated.

How does the files and folder synchronization functionality work?

During a session, Profile management monitors files and folders via the NTFS change journal. Any changes are recorded internally. During logoff, a sophisticated algorithm recognizes these deltas and performs only the required actions over the network. Examples:
If a file/folder was renamed during a session, it will not be copied again during logoff. Instead, the file or folder on the network will simply be renamed.
If the attributes of a file/folder were changed, only the changed attributes are set during logoff.
If the content of a file was changed, the file will be copied during logoff.

How are the changes to files and folders tracked during the user's session?

Profile management monitors the NTFS change journal. To resolve relative file names to absolute paths, the file system has to be scanned once, which typically takes 10-20 seconds. To avoid scanning during every subsequent startup, a cache file is used. It is called UserProfileManager_<DriveLetter>.cache and is located in the installation directory. In some environments the system is not allowed to write to this directory, or the admin does not want software to write to this location; for that reason, the location can be changed by group policy.
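
The store-path rule given above (the path must resolve uniquely for every user and may use only variables set before logon, plus %USERNAME% and %USERDOMAIN%) can be checked before a path is rolled out. The following is an added example, not Citrix code; the server name fs01, the user list and the system variables are constructed sample data.

```python
import re
from collections import defaultdict

# User variables the FAQ allows by exception; everything else must exist pre-logon.
USER_VARS_ALLOWED = {"USERNAME", "USERDOMAIN"}
VAR = re.compile(r"%([^%\\]+)%")

def check_store_path(template, users, system_env):
    """Return (problems, resolved) for a user-store path template.

    users: list of (domain, username); system_env: machine-level variables
    that are already set before any user logs on.
    """
    problems = []
    sys_env = {k.upper(): v for k, v in system_env.items()}
    for name in sorted({m.upper() for m in VAR.findall(template)}):
        if name not in USER_VARS_ALLOWED and name not in sys_env:
            problems.append(f"%{name}% is not set before logon")

    def expand(domain, user):
        values = dict(sys_env, USERNAME=user, USERDOMAIN=domain)
        # Unknown variables stay literal, as an unexpanded %VAR% would.
        return VAR.sub(lambda m: values.get(m.group(1).upper(), m.group(0)), template)

    owners = defaultdict(list)
    resolved = {}
    for domain, user in users:
        path = expand(domain, user)
        resolved[(domain, user)] = path
        owners[path.lower()].append(f"{domain}\\{user}")  # Windows paths ignore case
    for path, who in sorted(owners.items()):
        if len(who) > 1:  # two accounts would read and write the same profile
            problems.append(f"{path} is shared by {', '.join(who)}")
    return problems, resolved

# Constructed sample data: two domains that both contain a user "jsmith".
USERS = [("CORP", "jsmith"), ("LAB", "jsmith"), ("CORP", "adoe")]
SYSTEM_ENV = {"SystemRoot": r"C:\Windows"}

if __name__ == "__main__":
    for tpl in (r"\\fs01\profiles\%USERNAME%",
                r"\\fs01\profiles\%USERDOMAIN%\%USERNAME%",
                r"\\fs01\profiles\%APPDATA%\%USERNAME%"):
        found, _ = check_store_path(tpl, USERS, SYSTEM_ENV)
        print(tpl, "->", found or "ok")
```

A path that collides for two accounts means each logoff merges one user's deltas into the other's store, so the check is worth running against the real account list of every domain that can log on.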

Service Installation and Configuration

Where should the Profile management service be installed?

The MSI package contains the service and supporting DLLs. This package should be installed on any machine that will process the user's logon, such as the XenDesktop virtual machines and XenApp servers.

Which OS and profile versions are supported?

Currently Windows XP, Vista, Windows Server 2003, Windows Server 2008 (including R2) and Windows 7 are supported. Windows XP and Windows Server 2003 are known as v1 profiles, while Vista, Windows Server 2008 and Windows 7 are referred to as v2 profiles (profile folder names usually end in .v2). The operating system does not allow these profile versions to be shared across platforms. Please refer to this FAQ for more details around cross-platform support.

How does the service retrieve its settings?

The service checks the GPO settings first, then the INI file within the same folder (where the service was installed), and then resorts to internal defaults. The INI file exists in the same directory as the service executable (the default location is \Program Files\Citrix\User Profile Manager\). Any setting that is not configured via a group policy object will be looked up in the INI file; e.g. if it is Not Configured in the GPO and there is an entry in the INI, the service will use the INI. If neither the GPO nor the INI exists, the service will use its internal defaults. Please note that in most customer scenarios, the INI file is not used to configure settings.

What are the internal default settings?

By default, if no policy settings are configured, the configuration is read from the INI file that corresponds to the local system's language and version. Example: UPMPolicyDefaults_V1Profile_en.ini for an English XP/Server 2003 system. The INI file contains default settings that should work in most environments with minimal modifications (e.g. enable the service).
Profile management will save/restore the user's registry settings and files/folders inside the profile. Some files/folders/registry keys that typically do not contain relevant data are excluded by default.
If policy settings are not configured and an INI file is not present, Profile management will synchronize the whole HKCU hive from the registry and everything in the user profile.

Are local policies supported?

Yes, although they present a similar challenge to INI files in that their deployment has to be managed centrally. Also be aware that local policies carry the least precedence when multiple policies apply. Please refer to this Microsoft article on precedence.

When will the service use the INI setting versus the GPO?

Using the Profile management group policy template, you can specify the exact behavior of Profile management and adapt it to your environment. This is how most customers configure Profile management. The INI file settings will be used for any list setting not explicitly set (e.g. Enabled or Disabled) in the GPO. When using group policy to configure Profile management, it is recommended to rename the INI files (e.g. UPMPolicyDefaults_V1Profile_en.OLD) to ensure the INI file settings are not unintentionally applied. All settings will be read from the INI file if not configured via policy.

Is the installed service able to be cloned as part of a base image?

Yes. For example, Citrix Provisioning Services has successfully been tested.

Although I have activated the debug mode, not all of the information seems to be written into the log file.

Activating the debug mode does not automatically enable full logging. Verify the checkboxes for all events you want to be logged in the configuration. Remember to scroll down to enable the couple of checkboxes that are below the horizontal scroll area.

I have changed an option in the GPO for Profile management but this setting does not seem to be operative on the computer.

Group policies are not refreshed immediately but instead based on specific events or intervals. If you want them to be refreshed immediately, run gpupdate on the computer.
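
The lookup order described in this section (GPO first, then the INI file, then internal defaults) decides where each effective value comes from, and a setting left at Not Configured falls through to a leftover INI file without any warning. The following added example, which is not Citrix code, resolves each setting together with its source; the setting names, the INI layout and all values are hypothetical and constructed for illustration.

```python
import configparser

NOT_CONFIGURED = None  # models a GPO setting left at "Not Configured"

def effective_settings(gpo, ini_text, defaults):
    """Resolve settings in the FAQ's order: GPO, then INI, then internal defaults.

    Returns {name: (value, source)} with source "GPO", "INI" or "default".
    """
    ini = {}
    if ini_text is not None:  # None models a renamed (.OLD) or absent INI file
        parser = configparser.ConfigParser(interpolation=None)
        parser.optionxform = str  # keep setting names case-sensitive
        parser.read_string(ini_text)
        for section in parser.sections():
            ini.update(parser.items(section))
    result = {}
    for name in sorted(set(gpo) | set(ini) | set(defaults)):
        if gpo.get(name, NOT_CONFIGURED) is not NOT_CONFIGURED:
            result[name] = (gpo[name], "GPO")
        elif name in ini:
            result[name] = (ini[name], "INI")
        else:
            result[name] = (defaults.get(name), "default")
    return result

def ini_fallthrough(resolved):
    """Names of settings a policy-managed machine is taking from the INI file."""
    return sorted(n for n, (_, src) in resolved.items() if src == "INI")

# Constructed sample data; setting names are hypothetical, not the product's.
GPO = {"ServiceEnabled": "1",
       "UserStorePath": r"\\fs01\profiles\%USERDOMAIN%\%USERNAME%",
       "ExcludedFolders": NOT_CONFIGURED}
INI_TEXT = """
[General]
ServiceEnabled=0
ExcludedFolders=AppCache
LogLevel=debug
"""
DEFAULTS = {"ServiceEnabled": "0", "UserStorePath": "Windows",
            "ExcludedFolders": "", "LogLevel": "off"}

if __name__ == "__main__":
    resolved = effective_settings(GPO, INI_TEXT, DEFAULTS)
    for name, (value, source) in resolved.items():
        print(f"{name:16} {source:8} {value!r}")
    print("taken from INI:", ini_fallthrough(resolved))
```

Passing `None` as `ini_text` shows the effect of the rename recommended above: nothing resolves to the INI any more.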

I'm using "Folder Redirection" with my roaming profiles already. What do I have to consider when using Profile management?

You can easily combine Folder Redirection from the operating system with Profile management's folder synchronization. If folders are redirected, Profile management will ignore them. In fact, Citrix recommends using folder redirection to ensure that this type of user data is segregated from the profile.

Assigning Profiles

What are the methods to assign a profile to a user?

Leaving Profile management aside for a moment, Microsoft enables users to be assigned profiles in numerous ways: via their User Account Properties in Active Directory, through Group Policy, and even through Terminal Services specific profiles (again through the User Account Properties or Group Policy). Some methods are only available for a specific type of operating system.

TS PROFILE: The GPO setting for assigning a Terminal Server profile is located in Computer Configuration/Administrative Templates/Windows Components/Terminal Services (Set path for TS Roaming Profiles). You may use the "Use mandatory profiles on the terminal server" setting to force mandatory profile usage. The Terminal Server profile setting can also be set on individual accounts within the User Account Properties pages in Active Directory, i.e. configured on an individual user basis. Typically it is much better to make this assignment via group policy.

Windows XP and Vista: The user's roaming profile setting can be set on individual accounts within the User Account Properties pages. Additionally, with Windows Server 2008 Active Directory and Vista devices, a computer-based GPO setting may be used. This GPO setting is located at Computer/Admin Templates/System/User Profile (Set roaming profile path for all users logging onto this computer).

What is the priority order for setting profiles for domain users if more than one method is used?

When Profile management is used to manage a user's profile, it will take precedence over any other profile assignment. A user not assigned to Profile management may be assigned a profile using multiple methods. The actual profile that will be used is based on the following precedence order:
1. Profile management profile
2. Terminal Services profile GPO
3. Terminal Services profile User Property
4. Roaming profile GPO (only Windows 2008 AD and Vista)
5. Roaming profile User Property

Migrating Profiles

Will Profile management migrate my user's profile to a Citrix user profile?

Profile management may be configured to automatically migrate existing roaming and local profiles when the user logs on. You can also use a template profile or even the default Windows profile to create new Citrix user profiles. This behavior is part of the configuration, using either the INI file or the GPO. Migrating mandatory profiles, or even the default Windows profile, by means of the template profile is discussed below. The document UserProfileManagerLogonLogoffChart.pdf can assist you in planning and setting up your Profile management migration scenario(s).

Which profiles may be migrated to Profile management?

Profile management is capable of migrating Local and Roaming profiles. Mandatory Profiles (.man profiles) are ignored by Profile management. To ensure Profile management works correctly, deactivate the assignment of mandatory profiles to all users. However, you can still use your mandatory profile for creating new profiles via the Template Profile capability in Profile management. The next question covers this scenario. This is, in a way, a route to migrating the existing mandatory profile as the basis for creating all users' new profiles.

How do I use the template profile in Profile management?

Profile management allows you to specify a template profile to be used as a basis for the creation of new Citrix user profiles. Typically, a user having a profile created for the first time will have it based on the Default User profile of the Windows device they are logging on to. While this may be acceptable, it also means that any variations between the Default User profiles of the various devices will result in differences in the base profile created for those users. Thus you can view the Template Profile capability as essentially a Global Default User profile.
To use a template profile the following settings must be configured:
- Enable the Template profile Group Policy setting
- Set Path to the template profile to the roaming, local, or mandatory profile you want to use as a template (you will need to rename the NTUSER.MAN to NTUSER.DAT before using a mandatory for template)
- Optionally, select the check boxes to override existing user profiles
Ensure the template profile does not contain any user-specific data.

How do I use my existing Mandatory profile for creating new user profiles?

Profile management allows you to specify a template profile to be used as a basis for the creation of new Citrix user profiles. To use your mandatory profile as the template profile the following settings must be configured:
- Enable the Template profile Group Policy setting
- Set Path to the template profile to the mandatory profile you want to use as a template (you will need to rename the NTUSER.MAN to NTUSER.DAT before using a mandatory for template)
- Optionally, select the check boxes to override existing user profiles

Please note that since you have to rename the NTUSER.MAN to NTUSER.DAT, you cannot use the same location for both a mandatory and a template profile.

About Citrix

Citrix Systems, Inc. (NASDAQ: CTXS) is the global leader and the most trusted name in Application Delivery. More than 230,000 organizations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest security and lowest cost. Citrix customers include 100 percent of the Fortune 100 companies and 99 percent of the Fortune Global 500, as well as hundreds of thousands of small businesses and prosumers. Citrix has approximately 8,000 partners in more than 100 countries. Annual revenue in 2007 was $1.4 billion.

© 2009 Citrix Systems, Inc. All rights reserved. Citrix, Citrix XenApp, Citrix Presentation Server and Citrix XenDesktop™ are registered trademarks of Citrix Systems, Inc. in the United States and other countries. Microsoft, Windows, and Sharepoint are registered trademarks of Microsoft Corporation in the United States and other countries. All other trademarks and registered trademarks are the property of their respective owners.