Monday, November 3, 2014

Configuring Citrix Profile Management 5.2.0 for XenApp 7.5 / 7.6

Citrix Profile Management 5.2.0 which is bundled with XenDesktop or XenApp 7.5 / 7.6 hasn’t changed much other than the agent now included when the VDA (Virtual Delivery Agent) is installed onto your application server:

C:\Program Files\Citrix\User Profile Manager

image

… but as I had to configure it for an environment I recently deployed, I thought I’d screenshot the configuration process so I have a updated Citrix Profile Management post to refer to.  More information about Profile Management 5.x can be found at the following URL: http://support.citrix.com/proddocs/topic/user-profile-manager-5-x/upm-wrapper-kib.html

Obtaining the Profile Management Active Directory ADM

The adm template for the Profile Management configuration settings can be found in the following folder of the XenDesktop / XenApp 7.5 / 7.6 installation media:

\x64\ProfileManagement\ADM_Templates\en

… or:

\x86\ProfileManagement\ADM_Templates\en

image

Note that Citrix has also included the ability to configure Profile Management settings directly from within the CItrix Studio’s policy node as shown here:

imageimage

The reason why I prefer to use Active Directory GPO rather than the Citrix policy node in the Studio is because an Active Directory GPO is always going to be visible as compared to policies defined within Citrix which means a regular non-Citrix administrator that does not have access to the Citrix Studio would see an Active Directory GPO and know that a set of settings are being applied to these computer objects.

Setting up File Share to store Profiles

I’ve written a previous blog post for setting up the share to store the Profile Management so I’ll simply refer to it rather than rewrite the instructions:

Setting Share and NTFS permissions for redirected profile and home folders with commands
http://terenceluk.blogspot.com/2012/11/setting-share-and-ntfs-permissions-for.html

Creating a new Profile Management Active Directory GPO

Locate the Organization Unit that contains the application servers that you will published with the XenApp 7.6 Delivery Controllers and create a new GPO:

image

image

Note that if you haven’t blocked inheritance for the OU containing your application servers then I would suggest you do as it is recommended to block inheritance so computer configuration GPOs are not unintentionally applied to the application server (i.e. software install, various configurations):

image

Configuring the Profile Management GPO

With the GPO created and assigned to the OU containing the application server, open the properties of the GPO, select the Administrative Templates node, click on the Action tab and then Add/Remove Templates…:

image

Click on the Add… button in the Add/Remove Templates window:

image

Navigate to the folder containing the ctxprofile5.2.0.adm file and open the file:

image

Continue and click on the Close button with the policy template loaded:

image

Navigate to Computer Configuration –> Policies –> Administrative Templates –> Classic Administrative Templates –> Citrix –> Profile Management:

image

Configure the following settings in the Profile Management node:

Enable Profile management –> Enabled 
Processed groups –> Disabled
Process logons of local administrators –> Enabled
Path to user store –> Enabled 
Absolute path or path relative to the home directory: \\<fileServer>\<shareName>\%username%
Active write back –> Enabled

image

Navigate to the Profile handling node and enable the following settings:

  • Delete locally cached profiles on logoff
  • Local profile conflict handling
    • Select Rename local profile for Citrix user profile in the user store both exist:

image

image

Note that the reason why I enable the Local profile conflict handling and set the configuration to rename the file is because if you’re implementing this policy after the application has been in production for a while, users will notice that the first server they log onto will get their profiles relocated to the file server but when they log onto a second server their local profiles would continue to load.  Enabling this configuration will ensure that the roamed profiles will get applied to every server.

Navigate to the File system node and open the Exclusion list – directories setting:

image image

Add the following directories into the exclusion list:

  • AppData\Local
  • AppData\LocalLow
  • Local Settings
image

With the configuration above set, Citirx Profile Management should start maintaining the same profile for users logging onto the application servers.

Additional GPO Configuration

One of the common issues I’ve come across during my previous XenApp deployments is that blocking the Computer Configuration GPOs may not be enough because users also have User Configuration GPOs that may affect the logon or overall operational performance of the application server.  To reduce the risk that User Configuration policies creating unintentional effects, we can use the a loopback policy set to replace mode by navigating to Computer Configuration –> Policies –> Administrative Templates –> System –> Group Policy and enable the Configure user Group Policy loopback processing mode:

image

image

Any required User Configuration settings that need to get re-applied to the user can be configured in the same Profile Management GPO or create a new GPO but with the loopback mode enabled set to Merge.

MISC Item

I’m not sure what it is but I’ve had 2 environments where as soon as I turn on Profile Management, users’ profiles would have the Use check boxes to select items configuration automatically enabled:

image

image

While not an issue that would render the server inaccessible, I find it extremely annoying so I’m going to include the GPO settings here in case I run into this issue again in the future.

image

Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

image

10 comments:

virtualrush said...

Great post, as usual. Thanks, Terence!

@rushealy

Anonymous said...

These settings worked great for most things, however, after setting them in Server 2012 R2, I found that IE will no longer respond. I get no errors in the eventvwr, it just doesnt respond, then closes. Anyone else run into this?

Anonymous said...

Have the same issue on 2012 R2 with IE. Any advice?

Daniel said...

Great post, but several comments have made me hesitant to implement this regarding the IE problem with 2012R2 and the profiles not getting domain admin rights for XenApp 7.6

Alekhya said...

Great post, thank you Terence

Anonymous said...

In a parallel upgrade from 6.5 I have 2 questons:
1_ Will importing the new Profile Management ADM impact existing Citrix GPO's?
2. Is it feasible to put the new 7.6 VDA machines in with the older 6.5 machines? How will the different ADM's be handled?

SentTech said...

Great post. Thanks, Terence

SentTech said...
This comment has been removed by the author.
Anonymous said...

I have a VDI environment with Windows 7 and applications in 2012 R2.
Are dieferentes Operating Systems with different profile settings.
I need to set up a profile manager for each OS or a single profile manager it automatically saves the profile and and windows 2012 r2 separately?

Thank you!

@lsantiagos

Abdul Raof said...

Great Post, Thanks to you Terence