Citrix User Profile Management (UPM) Deployment - I Just Do IT
One of the key features that supports a good user experience in application provisioning or
VDI environments is profile management. Whenever users log on to their VD or provisioned
applications, they expect to see things as they left them – that starts with desktop
personalization, regional settings and wallpaper, and ends with complex application-specific
settings like AutoCAD or Catia preferences, shortcuts or hot-keys. Depending on the delivered
infrastructure type, profile management may be simple, but it may also become complex and
challenging for IT.
Unfortunately, some things cannot be achieved with Windows Roaming Profiles – an example
from my experience is Microsoft Outlook, which holds user settings (like signature, font styles,
views, etc.) in the user’s AppData/Local folder, which is not synchronized by default (and we don’t
want all of its content, which can be done in the registry). Luckily, Citrix engineers gave us an
option to specify folders / files to synchronize across the whole user profile directory. Below
you can find a list of Citrix UPM benefits.
1 de 12 16/02/2017 18:47
Citrix User Profile Management (UPM) deployment | I Just Do IT.eu http://ijustdoit.eu/citrix-user-profile-management-upm-deployment/
Faster logon times: Provides the ability to control and reduce the profile size, which
improves the logon times.
Inclusion by default: By default all settings are captured, reducing the amount of time
and effort spent in identifying what should be captured in a profile. Administrators only
need to focus on the items to be excluded from a profile, such as conflicting settings, files
or folders that bloat the profile.
Profile size control: Enables administrators to only include specific files and folders or
exclude unnecessary ones that account for tens or hundreds of megabytes, minimizing the
amount of data being managed and stored in the profile and decreasing network overhead.
Robust profiles: Automatically detects and stores all modified profile settings in the
registry and file system and can be configured to capture any kind of registry and file system
modification within the profile. Prevents the unintentional overwriting of user profiles
by using built-in logic to determine which data should be kept.
Extended synchronization: Allows administrators to synchronize files and folders for
poor-performing applications that do not store user-related content within the user profile
but somewhere on the device hard disk.
Detailed reports: Logs detailed information on all actions being performed in an easy
to read and understandable format, simplifying the troubleshooting and analysis process.
Easy to implement and simple to maintain: Enables administrators to automatically
migrate existing user settings and choose at a granular level which profile information
to keep or discard. It runs as a system service, and does not require any additional
servers, services, or databases or changes to logon scripts.
I allowed myself to mark some of the key features with green color. Having that knowledge
and a complete understanding of UPM advantages / disadvantages over Windows Roaming
Profiles, we can start UPM installation and configuration.
First of all, you should obtain the latest version of Citrix UPM (at the moment it’s 5.2.1, which is
available under the following URL – Citrix UPM Download). Inside the downloaded package locate
the *.msi packages and install the appropriate version (x64 or x86) on your XenApp Servers /
XenDesktop images.
In the same folder you will find ADMX / ADM (group policy definitions) files – all of
these should be copied to your central store \\domain.local\sysvol\domain.local\Policies\PolicyDefinitions.
Otherwise, when a central store is not configured in your environment, just copy
these files to %windir%\PolicyDefinitions on the machine you are using for Group Policy
management. Keep in mind that *.admx files should be placed outside of the language folders –
meaning, make sure that the *.admx files are located directly in your PolicyDefinitions folder.
Create a new file share especially for Citrix profiles (even if you already have a Windows roaming
profiles share – just don’t mix them up, it will become messy). In order to allow users to create
their own profiles and at the same time prevent them from accessing other profiles, follow
these steps:
SMB Share:
    Everyone: Read only
    Citrix_UPM_Users_Group: Full Control
NTFS Permissions:
    CREATOR OWNER: Full Control (Apply onto: Subfolders and Files Only)
    System: Full Control (Apply onto: This Folder, Subfolders and Files)
    Domain Admins: Full Control (Apply onto: This Folder, Subfolders and Files)
    Citrix_UPM_Users_Group: Create Folder/Append Data (Apply onto: This Folder Only)
    Citrix_UPM_Users_Group: List Folder/Read Data (Apply onto: This Folder Only)
    Citrix_UPM_Users_Group: Read Attributes (Apply onto: This Folder Only)
    Citrix_UPM_Users_Group: Traverse Folder/Execute File (Apply onto: This Folder Only)
In case of any issues, you may and even should follow the Microsoft Knowledge Base articles on
roaming profile permissions best practices (https://msdn.microsoft.com/en-us/library/cc757013(v=ws.10).aspx).
In the example above I used Citrix_UPM_Users_Group as our
group of users that will create profiles, but you may want to change it to either “Authenticated
Users”, “Domain users” or maybe just “Everyone”. It’s up to you, but if it’s possible – stick to
the principle of least privilege. One more thing that you may consider when running a Windows-based
file server is Access Based Enumeration, which will significantly improve your security model.
As far as I know, this feature is currently also available for file shares hosted on NetApp
arrays.
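
The share and NTFS permissions listed above, applied with PowerShell on a Windows file server. This is an added example, not part of the original article; the local path D:\UPMStore and the DOMAIN prefix are assumptions, the share name userstore$ is taken from the UNC syntax used later in the article, and Access Based Enumeration is switched on at share creation.

```powershell
# Added example (not from the original article). Run elevated on the file server.
# Assumptions: local path and DOMAIN prefix; share name follows the article's \\FQDN\userstore$ syntax.
$Path      = 'D:\UPMStore'
$ShareName = 'userstore$'
$Group     = [System.Security.Principal.NTAccount]'DOMAIN\Citrix_UPM_Users_Group'
$Admins    = [System.Security.Principal.NTAccount]'DOMAIN\Domain Admins'
# Well-known SIDs, so the script does not depend on the OS display language.
$CreatorOwner = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'
$System       = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'

function New-Ace {
    param($Identity, [string]$Rights, [string]$Inherit, [string]$Propagate)
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Start from an empty DACL and block inheritance from the parent folder or volume.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)

# Subfolders and files only: whoever creates a profile folder gets full control of its contents.
$acl.AddAccessRule((New-Ace $CreatorOwner 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
# This folder, subfolders and files.
$acl.AddAccessRule((New-Ace $System 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
$acl.AddAccessRule((New-Ace $Admins 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
# This folder only: users can create and list in the root, but nothing is inherited into other profiles.
$acl.AddAccessRule((New-Ace $Group 'CreateDirectories, ListDirectory, ReadAttributes, Traverse' 'None' 'None'))

Set-Acl -LiteralPath $Path -AclObject $acl

# Share permissions as listed in the article; ABE hides folders a user cannot open.
New-SmbShare -Name $ShareName -Path $Path -ReadAccess 'Everyone' -FullAccess $Group.Value `
    -FolderEnumerationMode AccessBased | Out-Null

# Review the result before pointing UPM at the share.
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
Get-SmbShareAccess -Name $ShareName
```
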
Group policy configuration is one of the available ways to customize UPM (the other, which is
used by default, is the *.ini config file) – this can be done either through Microsoft’s GPMC or Citrix
Studio. This article covers GPMC usage, as I simply feel more comfortable with it.
Using Group Policy Management Console, create a new policy object and move to its Computer
Configuration -> Administrative Templates -> Citrix -> Profile Management:
Path to user store (Enabled) – UNC path to the store we created in the previous steps. Use the
following syntax: \\FQDN\userstore$\#SAMAccountName# – you may also use other user
environment variables (for example %profilever% for Win2k3) except for %username%
and %userdomain%.
Active write back (Enabled/Disabled) – This setting allows concurrent writes to the user
profile. When you use Windows Roaming Profiles there’s a rule that the last session wins,
meaning settings from the last closed window are saved in the user profile (in simple words). You
definitely should enable this setting if your users are connecting to multiple servers at the
same time – this will preserve all their settings. Otherwise – when there’s only one
open server session at a time, you may want to disable this setting as it may slightly
increase performance.
Moving on to Computer Configuration -> Administrative Templates -> Citrix -> Profile
Management -> File System, you can configure files that are included in or excluded from profile
synchronization. There are some defaults in the *.ini configuration file – you should put them in
the policy whenever you want to add a custom exclusion. The INI file can be found under the
%programfiles%\Citrix\User Profile Manager directory (UPMPolicyDefaults_all.ini).
File system -> Exclusion list – directories (Enabled). You may want to customize it for
your environment, based on user profile sizes. I’ll get back to this subject at the end of
this article.
$Recycle.Bin=
AppData\LocalLow=
!ctx_roamingappdata!\Microsoft\AppV\Client\Catalog=
!ctx_localappdata!\Microsoft\Office\15.0\Lync\Tracing=
Tracing=
!ctx_localappdata!\Packages=
!ctx_localappdata!\Microsoft\Windows\Application Shortcuts=
!ctx_localappdata!\Microsoft\UEV=
!ctx_localappdata!\GroupPolicy=
!ctx_internetcache!=
!ctx_localappdata!\Microsoft\Windows\Burn=
!ctx_localappdata!\Microsoft\Windows\CD Burning=
!ctx_localappdata!\Microsoft\Windows Live=
!ctx_localappdata!\Microsoft\Windows Live Contacts=
!ctx_localappdata!\Microsoft\Terminal Server Client=
!ctx_localappdata!\Microsoft\Messenger=
!ctx_localappdata!\Microsoft\OneNote=
!ctx_localappdata!\Microsoft\Outlook=
!ctx_localappdata!\Microsoft\AppV=
!ctx_localappdata!\Windows Live=
!ctx_localappdata!\Sun=
!ctx_localsettings!\Temp=
!ctx_roamingappdata!\Sun\Java\Deployment\cache=
!ctx_roamingappdata!\Sun\Java\Deployment\log=
!ctx_roamingappdata!\Sun\Java\Deployment\tmp=
!ctx_localappdata!\Google\Chrome\User Data\Default\Cache=
!ctx_localappdata!\Google\Chrome\User Data\Default\Cached Theme Images=
!ctx_localappdata!\Google\Chrome\User Data\Default\JumpListIcons=
!ctx_localappdata!\Google\Chrome\User Data\Default\JumpListIconsOld=
!ctx_startmenu!=
File system -> synchronization -> Directories to synchronize (Enabled). This setting
allows you to synchronize non-default folders that are not a part of the roaming profile.
Example? Microsoft’s Outlook settings (signature, language, style, etc.); saved passwords in
Internet Explorer. Below you can find a list of my directories.
Enable Logging (Enabled) – when enabled, saves debug information in the default location
(%SystemRoot%\System32\Logfiles\UserProfileManager).
Log Settings (Enabled) – Detailed log settings; you may select specific actions that should
be logged. You definitely want to log the following:
    Logon
    Logoff
    Personalized user information
    Common warnings
    Common information
Maximum size of the log file (Enabled) – by default it’s 1MB; you can change it to something
bigger if your environment hosts more sessions and 1MB won’t catch enough data.
Path to log file (Enabled) – A few options here. You may use the default value (which is applied
when this setting is disabled); you may also use a local path, i.e. C:\UPMLog; or, the last thing
you may do here (and the easiest for log browsing), a UNC path to a network share. If
you decide to stick with a UNC path, remember about appropriate NTFS / Share permissions
so only authorized users are allowed to view log contents.
Something cool right now, Computer Configuration -> Administrative Templates -> Citrix ->
Profile Management -> Profile handling:
Delete locally cached profiles on logoff (Enabled) – Enabling this setting will cause local
copies of user profiles to be deleted at session logoff. To be honest, I like this setting
for two reasons – it saves disk space and, what’s more important, it makes me sure
that there’s only one copy of the user’s profile and it’s saved in the central store, so UPM
will never have a chance to use any local, cached copy of the profile (which at some point may
lead to profile inconsistency).
Local profile conflict handling (Enabled) – What will happen when user JohnDoe logs on
to a server which already has a local profile for the JohnDoe user? I went for “Delete local
profile”. But if you are not sure about that, you may stick with “Rename local profile”.
Migration of existing profiles (Enabled/Disabled) – if you are moving from Windows
Roaming profiles you may want to enable this setting so all user data / personalization is
copied to the newly created UPM profile. If you are starting from scratch – I suggest you
disable this setting.
Template profile – this one is up to you. It’s nothing more than a Windows Mandatory Profile.
Meaning you can create a profile with all required settings, maybe printers, maybe
files, and make users work using this profile only (their customization won’t be saved anywhere
at logoff). It’s really useful in some circumstances.
The next thing that you may consider if you want to decrease logon times is profile streaming and
caching of bigger files. Let’s move to Computer Configuration -> Administrative Templates ->
Citrix -> Profile Management -> Streaming user profiles:
Profile streaming (Enabled) – Enabling this will synchronize only the user’s registry entries,
while the rest of the files and folders are cached only when accessed by users. In short –
better logon times, less network traffic.
Always cache (Enabled) – optionally you can enable this setting to cache files of the specified
size (or larger) immediately after logon (in the background). Setting this to 0 will cache the
complete profile immediately after logon.
That was the Group Policy part. The only thing you need to do now is to link this policy to the Servers /
VDI OU.
The last thing you should do (if you don’t want to be killed or at least yelled at by your Storage /
Network admins) is profile monitoring and optimization. What I have learned while working
on roaming profiles is that they are growing. And they are growing really fast, especially if
users are not restricted from some functions. My suggestion here – if you already have Windows
roaming profiles, scan them using software like windirstat that will give you deep information
about profile contents. You should be concerned about files that are too big and folders that are
too big for apps that are not in use on your XenApp / XenDesktop servers. Example output based on
about 30 users is shown below:
Having that, we can understand a lot. For sure there’s one user that has an extremely big file
(upper left corner, blue color) which does not repeat for anybody and should be checked. Another
thing – there are around 350MB of Microsoft Word files just for 30 users, meaning each user
has around 15MBs of unneeded files in his/her profile. Same about .xls files.
In total you may find that there’s a lot of additional user data (.doc, .xls, .pdf, .zip, .rar files)
that is stored in folders like Downloads, Documents, Music, Videos, Desktop or any other
locations (maybe something in appdata\local or roaming). Such analysis gives you a hint where
you should configure folder redirection (desktop, downloads, documents, etc.) so this data
won’t be copied to the user store within the user profile but will still be available for the user when he logs
on to the Citrix server; and second thing – sometimes you may just want to use Citrix UPM
policies to exclude synchronization of default roaming folders (appdata\roaming\…) – this
may affect IE / Firefox / Chrome cached webpages, recycle bin or things like that.
Doing such analyses periodically should let you keep profile size at a reasonable level (I mean
something between 5-15 MB). This will also save some storage space and network traffic.
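
A scripted version of the profile scan described above, for use against the UPM user store. It is an added example, not part of the original article; the function name, the store path and the 50 MB large-file threshold are assumptions, while the file extensions and the 15 MB limit come from the text.

```powershell
# Added example (not from the original article).
function Get-UpmProfileReport {
    param(
        [Parameter(Mandatory)][string]$StorePath,
        # File types the article names as user data that does not belong in a profile.
        [string[]]$DataExtensions = @('.doc', '.xls', '.pdf', '.zip', '.rar'),
        [double]$MaxProfileMB = 15,   # upper end of the article's 5-15 MB target
        [double]$LargeFileMB  = 50    # assumed threshold for a single oversized file
    )
    foreach ($dir in Get-ChildItem -LiteralPath $StorePath -Directory) {
        # -Force includes hidden items such as AppData; unreadable folders are skipped.
        $files = @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -File -Force `
                       -ErrorAction SilentlyContinue)
        $total    = ($files | Measure-Object -Property Length -Sum).Sum
        $userData = ($files | Where-Object { $DataExtensions -contains $_.Extension.ToLower() } |
                     Measure-Object -Property Length -Sum).Sum
        $largest  = $files | Sort-Object -Property Length -Descending | Select-Object -First 1
        [pscustomobject]@{
            Profile     = $dir.Name
            SizeMB      = [math]::Round($total / 1MB, 1)
            UserDataMB  = [math]::Round($userData / 1MB, 1)
            LargeFiles  = @($files | Where-Object { $_.Length -ge $LargeFileMB * 1MB }).Count
            LargestFile = if ($largest) { $largest.FullName.Substring($dir.FullName.Length + 1) }
            OverLimit   = ($total / 1MB) -gt $MaxProfileMB
        }
    }
}

# Constructed sample path; replace with your own user store.
$report = Get-UpmProfileReport -StorePath '\\fileserver.domain.local\userstore$'
$report | Sort-Object -Property SizeMB -Descending | Format-Table -AutoSize
"{0} of {1} profiles exceed the size limit" -f @($report | Where-Object OverLimit).Count, @($report).Count
```

A high UserDataMB value points to folders that are candidates for folder redirection; a large LargestFile in AppData points to a candidate for the exclusion list.
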
Links:
Cleaning up Profile Management Store – scripts written by Muralidhar Maram. These will
help you clean up your profile store when you apply a directory / file exclusion while
the profiles already exist.
Delprof2 – User Profile Deletion Tool – If user profiles are not removed from your servers
properly, you may use this tool.
UPM Troubleshooter – This PowerShell script examines a live Profile management system and
determines whether it is optimally configured.
windirstat – Application that will help you analyze user profiles. If somebody smuggled big
files, this app will find them.