White Paper

User Profile Manager Best Practices Guide

Consulting Solutions Best Practices Guide

User Profile Manager 2.0

Table of Contents

Executive Summary
Product Background
What is a Profile?
Types of Profiles
Folder Redirection
Accessing Multiple Resources
General Recommendations
Product Overview
How Does User Profile Manager Work?
Installation Requirements
Planning Your Profile Management Deployment Strategy
Getting Started
Lab Environment Test Scenarios
Use Cases
Multiple ICA Sessions
Last Writer Wins and Roaming Profile Consistency Issues
Deployment Considerations and Best Practices
Operating System
Folder Redirection
Profile Management with Streamed Applications
General Best Practices

Executive Summary

Citrix has made a standing commitment to deliver applications to end users with optimal performance. During application access, the configuration of user profiles has a significant impact on the user's logon, logoff, and settings data. Aside from the correct configuration of user profiles, the most common issue results from conflicts that arise when users run multiple sessions, resulting in the well-known “last writer wins” problem. For example, if a user has multiple XenApp sessions open and makes a change in one session and closes it, that change will be overwritten when the user closes the additional sessions. This document provides the best practices for addressing the “last writer wins” issue and describes key profile use case scenarios that can benefit dramatically from a User Profile Manager solution. A complete administrator’s guide for installation and configuration of User Profile Manager is available at http://support.citrix.com/article/ctx118943.

Product Background

Citrix released User Profile Manager in January 2009. This custom profile offering enables Citrix customers to efficiently address situations where users access multiple resources. However, before discussing User Profile Manager in detail, it is important to first review some baseline information regarding profiles, including common problems and existing solutions.

What is a Profile?

A user profile is a collection of folders, files, and configuration settings that define the environment for a user who logs on with a particular user account. These settings may or may not be customizable by the user, depending on the administrative configuration. Examples of settings that can potentially be customized are:

• Desktop settings such as wallpaper and screen saver

• Shortcuts and Start menu settings

• Internet Explorer Favorites and Home Page

• Outlook signature

Some user settings and data can be redirected by means of folder redirection; however, if folder redirection is not used, these settings are stored within the user profile.

Types of Profiles

Microsoft includes several types of profiles, and these are summarized below:

| Profile Type | Storage Location | Configuration Location | Application | Save Changes? |
|---|---|---|---|---|
| Local | Local device | Local device | Local device only | Yes |
| Roaming | Network | Active Directory | Any device accessed | Yes |
| Mandatory (Mandatory Roaming) | Network | Active Directory | Any device accessed | No |
| Temporary | Not Applicable | Not Applicable | Local device only | No |

Table 1: Types of Profiles

A temporary profile is only assigned when a specific profile type cannot be assigned. With the exception of mandatory profiles, a distinct profile typically exists for each user. In addition, mandatory profiles do not allow users to save any customizations.

For Terminal Server users, a specific roaming or mandatory profile can be assigned to avoid issues that may occur if the same profile is assigned to a user within a terminal server session and a local session.

For further information on profile types and their content, reference the Citrix User Profile Manager Whitepaper (http://www.citrix.com/site/jumpPage.asp?pageID=1453077#top).

Folder Redirection

Active Directory allows folders, such as Application Data or Documents, to be saved to a network location. Thus, the contents of those folders are stored in the designated location and not included within the user profile. Depending on the version of Active Directory in use, the specific folders that can be redirected vary.

In many cases where a network-based profile exists, folder redirection is configured so that the user profile is smaller in size. In addition, where mandatory profiles are employed, configuring folder redirection allows users to save some settings, files, and other data while still enabling the benefits of mandatory profiles. As a general guideline, Citrix recommends enabling folder redirection for all user data which is not accessed regularly within a session if network bandwidth permits.

Accessing Multiple Resources

Profiles become more complex as users access multiple resources. When network-based roaming or mandatory profiles are enabled, Microsoft Windows uses the registry data to describe and preserve the user environment. By default, Windows stores the local profile on the local hard drive, loads a copy of the network-based roaming or mandatory profile when the user logs on, and writes the local copy to the network repository when the user logs off. However, in corporate environments, users may access multiple computers daily. Many users will switch from a desktop to a laptop, while others will use XenDesktop and XenApp to access virtualized resources. Depending on the enterprise requirements and configuration, there is likely a need for user data to move with the user as they log on to different computers.

For example, if a user has a local desktop that accesses virtualized applications hosted on XenApp and also accesses a virtualized desktop hosted on XenDesktop, then the user settings will not be uniform across all resources unless appropriately configured. In addition, when accessing multiple resources, the behavior of roaming profiles dictates that the last write wins.

To take the example one step further, let’s say that a roaming profile has been enabled and the user changes the background color of the local desktop. The user then logs onto XenDesktop, logs off the local desktop, and logs off XenDesktop. Because both the local desktop and XenDesktop were open at the same time and the last logoff was from XenDesktop, the settings from the XenDesktop session were the last written to the profile and the background color setting is not retained.

General Recommendations

Where network-based profiles will be employed, Citrix generally recommends that the following solutions be considered in sequential order:

1. Mandatory profiles

2. Roaming profiles

3. User Profile Manager

In all cases, folder redirection is encouraged so that user-specific data is saved separately from the profile.

Please remember that these are general recommendations. Citrix recommends this sequential order for consideration of a profile solution because administrators can generally implement and maintain these solutions using standard Microsoft knowledge. However, in more complex situations or where these standard solutions cannot address enterprise requirements, User Profile Manager should be considered.

Product Overview

In a virtualized world, where users can get to their desktops and applications from practically any location or device, administrators need to leverage “user profile” technology to ensure that each user receives a consistent experience every time. When a user logs on to their virtual desktop or launches a virtual application, the user wants to see the environment just as they left it, with their own personal settings, shortcuts, toolbars, templates, desktop wallpapers and favorites. The more complex and varied the user access scenarios, the more challenging it becomes for administrators to manage these user profiles.

User Profile Manager is a profile optimization service that provides an easy, reliable way for managing user personalization settings. The profile optimization solution integrates Active Directory GPOs with a Windows service in order to address profile issues associated with last write wins conflicts.

Citrix introduced User Profile Manager in January 2009 with the intention of addressing complex profile requirements that could not be fulfilled by standard Microsoft profile solutions. User Profile Manager ensures that the user’s personal settings are applied to the user’s desktop and applications, regardless of the location and end point device. User Profile Manager ensures a consistent experience by maintaining a single profile that follows the user. It auto-consolidates and optimizes user profiles to minimize management and storage requirements and requires minimal administration, support and infrastructure, while providing users with improved logon and logout.

• Last writer wins: When users work on more than one physical or virtual device, their individual personal settings may be overwritten in a seemingly random manner when they log off.

• Profile bloat and logon speed: Profile bloat creates unwieldy growth in user profiles that may result in storage and management issues. Typically during logon Windows copies the user’s roaming profile over the network to the local machine. As a profile grows in size, the logon time is prolonged by the time it takes to transfer the whole profile over the network. The larger the profile, the slower the logons will be.

How Does User Profile Manager Work?

User Profile Manager essentially does the following:

• Supersedes other profile-related GPOs and settings to become the selected profile for the users and corresponding devices based on the designated Organizational Units (OUs). Note that User Profile Manager is invoked based on an Organizational Unit, and the ADM template only applies to Computer Policies.

• Acts like a local profile to the system, but with the advantage of synching net changes to a centrally stored profile (user store) during log on and log off.

• When multiple user sessions are opened, only those settings that are changed are written to the profile upon logoff, rather than all settings being written upon logoff. Thus, the sequential order of logging off multiple sessions has no impact unless the same exact setting is changed within two or more open sessions.

Installation Requirements

The installation of User Profile Manager requires the following:

• Installation of an MSI on each managed device: This MSI differs based on x86 and x64 systems and is suitable for installation on Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008. The MSI installs the necessary binaries for functionality, including the User Profile Manager Service and the INI configuration files.

• Installation of the ADM template: This template should be imported into the desired OU(s) within Active Directory. The ADM template only incorporates Computer Configuration settings. Note that the ADM template can be imported onto the managed device and configured as a local policy; however, this setup is not supported as part of this release.

Planning Your Profile Management Deployment Strategy

Once the decision has been made to deploy User Profile Manager, the 19 configuration options incorporated into the ADM template should be reviewed. For a list of the GPOs available within the ADM file, please see http://support.citrix.com/article/ctx118944.

When considering the deployment of User Profile Manager, an administrator should consider the unique qualities of their respective environment and determine the best solution. For example, addressing the questions detailed below will help guide the decision. Please note that the sample answers may or may not be applicable to every environment.

| Question | Sample Answer |
|---|---|
| Is there a need to implement User Profile Manager based on distinct operating systems? | Yes, XenDesktop is based on Windows Vista while XenApp is based on XenApp 5 for Windows Server 2003. |
| Which Organizational Unit(s) will house the User Profile Manager functionality? | The OUs that house the XenDesktops and XenApp servers will share the GPO, and the Citrix administrator has rights to configure GPOs within these OUs. |
| Where will the user profiles be stored? | User profiles will be stored by default in the same location as the user’s home directory. The administrator can use an arbitrary UNC-path instead. |
| Are there any files and settings that can be excluded from the profile? | Yes, you can configure UPM to exclude arbitrary registry keys and file system objects in the user profile. As the exclusion applies to the user’s logoff you will not be able to delete these files and settings from the profile by activating exclusion lists. There are other tools, like ProfileNurse which can delete unwanted data from your users’ profile. |
| Will the INI file be used for local configuration? | It depends. Where feasible, configuring UPM via GPOs is preferred. However for each setting which is ‘not configured’ in the GPO, you can set the corresponding setting in the INI file for the local machine. |
| Will folder redirection be used? | Documents and Application Data will be redirected to the user’s home directory. Other folders may be redirected based on pilot testing. |

Table 2: Deployment Questions

Answering the questions listed above will help shape the optimal user profile management solution for the enterprise, so that users get the experience they need while the profile solution remains manageable.

Getting Started

User Profile Manager should first be installed in a lab environment to determine functionality and test various scenarios. Citrix User Profile Manager includes 19 Group Policy Objects (GPOs) that can be used to specify functionality. With the exception of the GPO setting that enables User Profile Manager (it is disabled by default) and designation of the network repository for the profile, no other configuration is required in order to enable basic functionality. However, all of the GPO settings should be reviewed in detail and configured accordingly, as each environment is unique and should be so designated.

Lab Environment Test Scenarios

Folders: Folders that quickly grow in size or contain very large files should be excluded from being synchronized with the user profile because this will impact the logon and logoff process and hence affect the overall user experience; folder redirection can be used to redirect user data. In addition, folders containing data which is infrequently used during a user’s session are candidates for folder redirection.

Multiple Access Points: Users can access applications from different locations such as:

• Client device with locally installed applications

• Virtual desktop using XenDesktop solution with streamed or locally installed applications

• Published applications from Citrix XenApp that are locally installed or streamed to XenApp servers

• Terminal Services

Operating System Variations: Users may access applications from different operating systems, and the variation in operating system can create conflicting settings within a single user profile. The profile settings for Microsoft Windows XP and Windows Server 2003 are interchangeable; therefore, they are referenced as v1 settings. Windows Vista and Windows Server 2008 profile settings are also interchangeable and referenced as v2 settings. The variation in operating system is a key component to any profile solution.

Minimizing differences in the end user experience when accessing resources from various devices is the ultimate goal when implementing a user profile solution. Prior to User Profile Manager, contents of the user’s registry and files might be different in each case based on the physical device, profile configuration, and/or operating system. For this reason, User Profile Manager should be configured to address the differences between system installations on computers the users will roam between.

Use Cases

Citrix User Profile Manager can be implemented to manage users’ profiles in different scenarios regardless of how applications are delivered to users or where they are housed. The following are examples of these scenarios:

• Citrix XenApp with published applications

• Citrix XenApp with published desktop

• Citrix XenApp with applications streamed into an isolation environment

• Applications streamed to XenDesktop

• Applications installed on XenDesktop

• Applications streamed to physical desktops

• Applications installed locally on physical desktops

Of these, Citrix sees the following as the most common use case scenarios:

• Multiple ICA sessions: User accesses multiple XenApp server silos (hence, has multiple ICA sessions open; however, app isolation/streaming on the server could be explored as an alternative to server silos).

• Last write wins and roaming profile consistency issues: Because the last write to the roaming profile causes all settings to be saved, roaming profiles may not retain the right data if multiple sessions are open and interim changes are made. In addition, settings may not be written correctly to the profile as a result of network, storage issues, or other problems.

Multiple ICA Sessions

Especially in large environments, it may be necessary for users to open multiple ICA sessions to access different applications that are housed on different XenApp servers, whether in the same farm or multiple farms. Where possible, Citrix Administrators should consider application isolation/streaming in order to house applications on the same XenApp server to allow users to access all applications from a single server and thus a single ICA session. However, this may not be possible if a business unit controls specific servers or applications cannot be streamed.

Once it has been determined that it is indeed necessary for users to access applications from various XenApp servers, the impact on profiles should be ascertained.

For example, Mary needs to access AppA, AppB, and AppC and she is routed to Server 1, Server 8, and Server 12 respectively. Upon logon to each application, her Terminal Services roaming profile is loaded onto each server and folders are redirected for each session. When she is logged onto AppA on Server 1, Mary changes Setting1 and logs off that session. She then completes her work in the other two applications and logs off.

Upon logoff, the change that Mary made within her ICA session on Server 1 is overwritten because the settings within the last closed session are retained, not the interim change. When Mary logs onto AppA the next day, she is frustrated because the change she made is not visible.

User Profile Manager can generally prevent this situation from occurring. User Profile Manager only writes back the specific settings that were changed during a session; all other unchanged settings remain untouched. Thus, the only potential conflict that would arise is if Mary changed Setting1 within another session. However, the user would likely expect that the most recent change was retained.
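The write-back behaviour described above for Mary's sessions, and earlier under "How Does User Profile Manager Work?", modelled as an added example. It is not Citrix code: the `Session` class, the three-setting profile and the setting values are assumptions made for the simulation. It compares a full-copy logoff with a delta logoff and flags settings changed in more than one open session.

```python
# Simplified model of profile write-back at logoff. Constructed for illustration;
# the setting names and the three-key profile are assumptions, not Citrix code.

INITIAL_PROFILE = {"Setting1": "default", "Setting2": "default", "Setting3": "default"}
SERVERS = ("Server 1", "Server 8", "Server 12")


class Session:
    """One open session holding a local copy of the centrally stored profile."""

    def __init__(self, name, store):
        self.name = name
        self.baseline = dict(store)  # snapshot of the store taken at logon
        self.local = dict(store)     # working copy the user changes

    def change(self, key, value):
        self.local[key] = value

    def delta(self):
        """Return (changed, removed): what differs from the logon snapshot."""
        changed = {k: v for k, v in self.local.items()
                   if self.baseline.get(k, object()) != v}
        removed = [k for k in self.baseline if k not in self.local]
        return changed, removed


def logoff_full_copy(store, session):
    """Roaming-profile behaviour: the whole local copy overwrites the store."""
    store.clear()
    store.update(session.local)


def logoff_delta(store, session):
    """Delta write-back: only settings changed in this session reach the store."""
    changed, removed = session.delta()
    store.update(changed)
    for key in removed:
        store.pop(key, None)


def conflicting_settings(sessions):
    """Settings changed in more than one open session (logoff order matters for these)."""
    seen, conflicts = set(), set()
    for session in sessions:
        changed, removed = session.delta()
        touched = set(changed) | set(removed)
        conflicts |= seen & touched
        seen |= touched
    return sorted(conflicts)


def run_scenario(logoff, edits, logoff_order):
    """Open all sessions, apply edits given as (server, key, value), log off in order."""
    store = dict(INITIAL_PROFILE)
    sessions = {name: Session(name, store) for name in SERVERS}
    for server, key, value in edits:
        sessions[server].change(key, value)
    conflicts = conflicting_settings(sessions.values())
    for server in logoff_order:
        logoff(store, sessions[server])
    return store, conflicts


# Mary's case from the text: one change on Server 1, which logs off first.
MARY_EDITS = [("Server 1", "Setting1", "changed on Server 1")]
# Constructed conflict: the same setting changed in two open sessions.
CONFLICT_EDITS = MARY_EDITS + [("Server 12", "Setting1", "changed on Server 12")]

if __name__ == "__main__":
    forward = ["Server 1", "Server 8", "Server 12"]
    for label, logoff in (("full copy", logoff_full_copy), ("delta", logoff_delta)):
        store, _ = run_scenario(logoff, MARY_EDITS, forward)
        print(f"{label:9}: Setting1 = {store['Setting1']}")
    for order in (forward, list(reversed(forward))):
        store, conflicts = run_scenario(logoff_delta, CONFLICT_EDITS, order)
        print(f"delta, conflict on {conflicts}, last logoff {order[-1]}: {store['Setting1']}")
```

In this model the delta logoff keeps Mary's change regardless of logoff order, and the order only decides the outcome for the setting that two sessions both changed.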

Last Writer Wins and Roaming Profile Consistency Issues

Similar to the first scenario described above, last write wins issues can present themselves in a variety of ways, and user frustration can mount as the number of devices accessed increases. In short, taxing the roaming profile can have an adverse effect.

Because the roaming profile retains all profile data, with the exception of folders that have been redirected, the user profile can grow quite large. Not only does this lengthen the user logon because the profile must be downloaded, the potential for consistency issues grows during the write phase of the user logoff, especially where network issues exist.

User Profile Manager enables specific data to be excluded from the user profile, enabling the user profile to be kept to a minimal size. Because only the deltas are written to the profile, the write phase of the logoff involves less data and is faster. This design can be beneficial for applications that use the profile for temporary data but do not ensure profile cleanup upon application termination.

Figure 1: Multiple ICA Sessions

Deployment Considerations and Best Practices

Once the decision has been made to implement User Profile Manager, the following deployment considerations and best practices should be evaluated:

Operating System

Based on the difference in the profile structure between Windows XP and Windows Vista, Citrix recommends creating a separate profile for Windows XP based systems and an additional separate profile for Windows Vista based systems. The user profile namespace used in Windows XP is identical to the namespace used in Windows 2003, making interoperability between the operating systems transparent. However, some changes in the Windows Vista profile namespace create a challenge. Citrix recommends using Folder Redirection with roaming profiles to help ensure profile interoperability, and this is even more important within an environment where Windows Vista and Windows XP must co-exist.

Folder Redirection

In general, folder redirection should be used in conjunction with User Profile Manager in order to minimize the size of the profile and segregate user data from the profile. Folder redirection is configured within Active Directory and should point to the user’s home directory (i.e., a stable network share that is accessible to the user from all required devices). Please note that Active Directory based on Windows Server 2008 allows for folder redirection of additional folders not included within Active Directory based on Windows Server 2003.

Not all folders which can be redirected are directly accessible via Active Directory. All folders which can be redirected on a specific operating system can be found in the registry under "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders".

It is very important to understand that before Windows Vista and Windows 2008, the profile folder structure or namespace was different. This folder structure has been changed in Windows Vista and Windows Server 2008 to provide user specific folders isolated for user and application data. Previously (in Windows XP/ Windows Server 2003), Windows stored user profiles in the root folder, “Documents and Settings”. This location has changed as Windows Vista stores user profiles in a more intuitively named folder called “Users”. For example, the “AppData\Local” folder in Windows Vista/Windows Server 2008 is the same as the “Documents and Settings\username\Local Settings\Application Data” folder in Windows XP/Windows Server 2003.

For more information related to the differences in Windows XP/Windows Server 2003 and Windows Vista/Windows Server 2008 please reference http://download.microsoft.com/download/3/b/a/3ba6d659-6e39-4cd7-b3a2-9c96482f5353/Managing%20Roaming%20User%20Data%20Deployment%20Guide.doc

Profile Management with Streamed Applications

User Profile Manager can be used to manage profiles in an environment where applications are streamed either directly to users’ client devices or to XenApp servers and then published to users.

Client-side application virtualization technology in Citrix XenApp is based on application streaming which automatically isolates the application. The application streaming feature enables applications to be delivered to XenApp servers and/or client devices and run in a protected virtual environment. There are many reasons to isolate the applications that are being streamed to users, such as controlling how applications interact on the user device to prevent application conflicts. For example, isolation of user settings is required if different versions of the same application may be present, such as when Office 2003 is installed locally and Office 2007 is being streamed to the user’s client device. Not isolating user settings will create conflict and could severely affect the functionality of both applications (streamed and locally installed).

When configuring the application streaming feature in conjunction with User Profile Manager, the XenApp Plug-in for Streamed Apps 1.3.1 or higher should be installed. The streaming plug-in 1.2 changed the location of per-user disk storage for streamed application related settings. With the streaming plug-in 1.3.1 or higher, the user’s application streaming related settings are stored in %LOCALAPPDATA%, and the settings will follow the user from machine to machine without requiring any special configuration within User Profile Manager.

General Best Practices

• Thoroughly test User Profile Manager in a lab environment prior to production deployment.

• Because User Profile Manager designates the user store based on the computer configuration instead of the user configuration, use the #SamAccountName# variable to properly designate the user store location.

• User Profile Manager is disabled by default and must be enabled within the GPO. It should not be enabled for general user use until all configuration and testing have been completed.

• Local administrators are not processed by default. They can be added to processing by means of a policy, and generally this policy should remain disabled.

• Processed groups include members of all user groups unless specifically designated otherwise. Thus, an entry should be made within this policy to designate those user groups to which User Profile Manager will be applied.

• For any GPO settings that are not configured, the INI file settings will be used. If there is no intention to use the INI file, rename it so that it is not invoked.

• If a mandatory profile is currently used as a base for UPM, it must be renamed and configured to be used as a template profile. This will result in users having their Citrix UPM profile created based on the mandatory profile settings. There is no means of converting a mandatory profile to a Citrix User Profile.

• If a conflict between the local profile and User Profile Manager arises, the local profile is always used by default. If it is desirable to use the Citrix User Profile, select the option to rename the local profile rather than delete it until there is absolute certainty. If deletion is chosen, there is no recourse for accessing the profile.

• Especially during testing and early deployment, enable logging to minimize any troubleshooting efforts.

• Any registry settings, directories, or files that can be excluded from the Citrix profile will cause the profile to be smaller in size and thus load and unload faster.

Revision History

| Revision | Change Description | Updated By | Date |
|---|---|---|---|
| 0.1 | Initial Draft | Solution Center | November 2008 |
| 0.2 | Incorporate Use Case | Solution Center | January 2009 |
| 1.0 | Final Draft | Solution Center | February 2009 |

©2009 Citrix Systems, Inc. All rights reserved. Citrix®, Citrix XenApp™, Citrix XenServer™ are trademarks of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries. Microsoft® and Windows® are registered trademarks of Microsoft Corporation in the United States and/or other countries. UNIX® is a registered trademark of The Open Group in the United States and other countries. All other trademarks and registered trademarks are property of their respective owners.