User Rights Assignment Registry Location Of My Documents

User Profile Wizard FAQs

What does User Profile Wizard do?
User Profile Wizard is a workstation migration tool that will join your machine to a domain, and share your original user profile with your new domain logon so that you can carry on using all your existing data, and keep the same settings that you’ve always had. By using the User Profile Wizard command line interface and the User Profile Wizard Deployment Kit you can build a scalable, enterprise solution to migrate tens of thousands of workstations.

What's a profile?
A profile is where Windows keeps all your personal data and settings. Your profile is where your "My Documents", "My Pictures" and "My Music" files are stored, and where your Internet favorites and cookies are kept. Windows keeps track of your personal settings in your profile, like your desktop wallpaper and the lists of documents you've recently opened. Most of the changes you make to personalize your applications are also kept in your profile, as well as files like dictionaries and playlists.

Why share profiles when migrating to a Windows domain?
As far as Windows is concerned, when you logon to your machine using your domain logon you are a completely different person. Because Windows thinks you're a different person, it sets up a new profile for you and you lose all your personal settings. Not only that, unless your new domain account has Administrator rights on your machine, you lose access to all your data as well. What the User Profile Wizard allows you to do is share your original profile with your new domain logon so that you can carry on using your old settings. This is a major benefit to your users. Installing a Windows Domain infrastructure is a major undertaking but, believe it or not, your end users won't be as excited about it as you: all they want to do is get on with their jobs. Using the User Profile Wizard will significantly reduce disruption to your business.

Why not make everyone an Administrator?
Running as an Administrator would give you access to your old documents, but you would still lose your personalized settings. More importantly, always using your machine with an Administrator account is a bad idea. Making everyone in your organization an Administrator is a seriously bad idea. There are major security risks with this sort of setup. For example, any executable file sent in an email, or any component installed from a web page has complete access to your machine and the data on it. Not only that, but making everyone an administrator is a really good way of pushing up your IT support costs.

Why not just copy the data from the old profile?
Well, you could. But that is going to be a time consuming, labor intensive, not to say costly operation. What data do you copy? Even if you copy all your files, what about the configuration information that Windows stores in the registry? Using the User Profile Wizard is just much easier and much less disruptive.

Will I have to visit every machine on my network to run the Wizard?
Absolutely not. The User Profile Wizard has two distinct modes of operation. You can run the Wizard in graphical mode like all the other Wizards you're familiar with in Windows, but you can also run the User Profile Wizard from a command line. This means that the User Profile Wizard can be run from a VBScript or JScript file, or from a batch file. The User Profile Wizard Deployment Kit can generate a VBScript based on your specific migration requirements. Running the User Profile Wizard from a command line is only possible if you have the Corporate Edition of the User Profile Wizard.

What version of Windows does the User Profile Wizard run on?
The User Profile Wizard runs on Windows XP, Windows Vista and Windows 7.

What's the difference between the Corporate Edition and the Personal Edition?
Please see our User Profile Wizard Feature Comparison.

What's the difference between User Profile Wizard and User Profile Manager?
User Profile Wizard is primarily a migration tool: it allows an existing profile to be used by a different user account. However, if a profile needs to be used regularly by more than one user account, we would recommend that you consider our User Profile Manager product.

And the User Profile Wizard is FREE?
The User Profile Wizard is free for personal use, subject to the terms of the End User Agreement. To request an evaluation copy of the Corporate Edition, and for pricing information, corporate customers and organizations should contact sales@ForensiT.com. Your organization will pay no more than $2 per seat for the Corporate Edition.

What if I have a problem?
Please see our Support page.

What are the security implications of running the User Profile Wizard?
By running the Wizard you are giving someone access to someone else's data and settings. This means that they will be able to read the person's documents, look at the person's Internet favorites and history, see their lists of recent files, etc. If two (or more) people are sharing a profile then they will all see the same data when they log on. Note that this only applies to data local to the machine: data on other machines, like servers, will still not be accessible. However, with the exception of updating group memberships when joining a domain, this is as much (or as little) as the User Profile Wizard does: it does not change any other security settings.

Can I use the User Profile Wizard with Fast User Switching?
You can still use the User Profile Wizard to share a profile. However, Windows cannot load the same profile for two users at the same time. This means that if you attempt to switch to a user account that shares a profile with an account that is already logged on, you will get an error. In this situation Windows will create a temporary profile for the account.

Can I use the User Profile Wizard with Roaming Profiles?
The Corporate Edition of User Profile Wizard allows you to share the local copy of a roaming profile between accounts, or migrate the profile to a new domain account. The free version of User Profile Wizard does not support roaming profiles.

I've run the Wizard to join a domain and now I'm getting "Access denied" when I try to open some of my folders.
The wizard does not "reflow" rights on profile folders, nor does it scan your machine for explicitly defined permissions on files or folders. This means that any specific user rights assignments that you have made will remain in place. Remember, if you're logging onto a machine with a domain account you're a different person as far as Windows is concerned, and if your domain account hasn't been given any rights to a particular folder, running the User Profile Wizard won't change anything.

What about my encrypted data?
The user account that has been given access to a profile will not be able to read any files or folders encrypted by the original owner of that profile. If you're migrating to a Windows domain and you want your new domain account to access your encrypted data, you will need to decrypt your data using your old account, and then encrypt it again when you logon with your new account.

What about group membership?
When migrating to a domain, the User Profile Wizard automatically adds the account that will share the profile to the same groups as the local account whose profile you want to share. This is to help in the migration to the domain. So for example, if your local machine account is a member of the "Power Users" group, the User Profile Wizard will add your domain account to the "Power Users" group. If you are sharing profiles between local accounts, group membership is not affected.
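The three FAQ entries above (explicit folder permissions, encrypted data, and copied group membership) describe exactly what the Wizard does not fix up for you. The following script is an added example, not part of the ForensiT FAQ or the Wizard itself: a pre-migration audit of a local profile that reports those three things so they can be dealt with before the profile is shared. The profile path, the old local account and the new domain account are placeholder parameters.

```powershell
# Added example, not part of the ForensiT FAQ: a pre-migration audit of a local
# profile that is about to be shared with a domain account. It reports
#   1. objects with explicit (non-inherited) ACEs, which the Wizard leaves in place
#      and which may deny the new account ("Access denied" after migration);
#   2. EFS-encrypted files and folders, which the new account cannot read until
#      the original owner decrypts them;
#   3. the local groups the old account belongs to, since the Wizard adds the
#      domain account to the same groups (e.g. Administrators or Power Users).
# Assumptions: run elevated on the workstation; the three parameters are
# placeholders for the local profile folder, the old local account name and the
# domain account that will share the profile.
param(
    [string]$ProfilePath = 'C:\Users\jdoe',   # placeholder
    [string]$OldAccount  = 'jdoe',            # placeholder local account
    [string]$NewAccount  = 'CORP\jdoe'        # placeholder domain account
)

$items = Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue

# 1. Explicit ACEs: the Wizard does not "reflow" rights, so list them with a
#    flag showing whether any of them already allows the new account.
$explicit = foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
    $ownAces = @($acl.Access | Where-Object { -not $_.IsInherited })
    if ($ownAces.Count -eq 0) { continue }
    $allowsNew = @($ownAces | Where-Object {
        $_.IdentityReference.Value -eq $NewAccount -and $_.AccessControlType -eq 'Allow'
    }).Count -gt 0
    [pscustomobject]@{
        Path         = $item.FullName
        ExplicitAces = ($ownAces | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
        NewAllowed   = $allowsNew
    }
}

# 2. EFS: the Encrypted attribute is set on both files and directories.
$encrypted = @($items | Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
    Select-Object -ExpandProperty FullName)

# 3. Local group membership of the old account, via ADSI (works on XP through
#    Windows 7 as well as current releases, unlike Get-LocalGroupMember).
$user   = [ADSI]"WinNT://./$OldAccount,user"
$groups = @($user.Groups() | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

"Explicitly permissioned objects with no Allow ACE for ${NewAccount}:"
$explicit | Where-Object { -not $_.NewAllowed } | Format-Table Path, ExplicitAces -AutoSize
"EFS-encrypted objects ($($encrypted.Count)); decrypt these as $OldAccount before migrating:"
$encrypted
"Local groups of $OldAccount that $NewAccount will be added to: $($groups -join ', ')"
```

The profile root itself normally carries explicit ACEs for SYSTEM, Administrators and the owner, so expect it in the first list; the entries worth acting on are subfolders where the user added their own permissions.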

What's the Command Line mode for?
User Profile Wizard Corporate Edition has a powerful command line interface which, together with the User Profile Wizard Deployment Kit, will enable you to automate an enterprise-wide migration of your workstations to a new domain.

How do I use the Command Line?
Please refer to the User Profile Wizard User Guide for details on using the Command Line interface.

Note: Refer to CTX139331 - Citrix Virtual Desktop Handbook 7.x for the latest information.

This article contains Microsoft and Citrix options for the design of user profiles in a XenApp environment.

An effective design of user profiles can make a significant difference in the performance and manageability of a XenApp environment. Many of the issues commonly seen in large or complex XenApp environments (including slow logon, loss of user settings, profile corruption, and excessive administrative effort) are often the result of sub-optimal user profile designs. A solid design and implementation of user profiles can maintain the integrity of user settings, eliminate issues requiring administrator intervention, and ensure high-performance user logon.

User Profile Background

Windows User Profiles Defined

At this point, it is useful to provide background information on the profile types available within Windows Terminal Services environments, and how they apply to Citrix XenApp. This document focuses only on Terminal Services profiles and how they relate to XenApp.
Microsoft provides several types of profiles that can be used in a Windows Terminal Services/XenApp environment:
  • Local Profiles

  • Mandatory Profiles

  • Roaming Profiles

Local Profiles are stored on each XenApp server and are initially created based on the default user profile. Therefore, a user accessing applications creates an independent profile on each server. Users are able to retain changes to their local profile on each individual server, but changes are only accessible for future sessions on that server. Local profiles require no configuration; if a user logging into a XenApp server does not have a profile path administratively defined, a local profile is used by default.

Roaming Profiles are stored in a centralized network repository for each user. Roaming profiles differ from local profiles by making the information in the profile (whether it is a printer, a registry setting, or a file stored in the Documents folder) available to user sessions accessed from all XenApp servers in the environment. Configuring a user for a roaming profile requires an administrator to designate the Terminal Server Profile Path of the user to a particular location on the network. The first time the user logs onto a XenApp server, the default user profile is used to create the user's roaming profile. During logoff, the profile is copied to the administrator-specified network location.

Mandatory Profiles, sometimes called roaming mandatory profiles, are also stored in a centralized network location for each user. They differ from roaming profiles by not retaining the users’ changes at logoff. Configuring a user for a mandatory profile requires an administrator to create a mandatory profile file (NTUSER.MAN) from an existing roaming or local profile, and assign users’ Terminal Services profile path to the location where the file can be accessed.

Additional User Profile Options

In addition to these basic profile types provided by Microsoft, there are other profile options that can be applied in a XenApp environment. These include the following:
  • Multiple Profiles

  • Citrix User Profile Management

  • Other

Multiple Profiles combine two or more of the three basic profile types (local, roaming, or mandatory) for the same user. Multiple profiles are useful in environments with application silos. For example, in a XenApp farm with two application silos serving SAP and a custom application, users can be configured to use a mandatory profile for the SAP servers and a roaming profile for the custom application servers. Multiple profiles are also useful for farms that span WAN connections, so that profiles can be accessed from local file servers instead of having to traverse the WAN. Multiple profiles can be implemented in a number of different ways, and the details of these options are discussed later in this white paper.

Citrix User Profile Management is a distinct profile type that supersedes all other profiles for the user. It addresses “last write wins” issues by capturing only the changes and recording those changes within the profile, rather than writing the entire profile at logoff. Thus, the conflict that results from making profile changes when accessing multiple XenApp servers is minimized or eliminated.

Other third-party profile solutions exist but are beyond the scope of this document.

Analyzing Design Requirements

Now that the available profile types have been defined, it must be determined which one is right for use in a particular XenApp environment. To make the determination of the appropriate profile type, the requirements of a particular environment need to be carefully analyzed. Following are questions that need to be answered to define these requirements:
  • Do users need to save their settings?

  • Do applications store settings in the registry?

  • How will printers be made available, and how will printer settings be handled?

  • What is the farm design? Are applications streamed or segregated into application silos?

Now consider each of these questions to help determine an effective user profile design.
  1. Do users need to save their settings?

User requirements and expectations play a large part in which user profile type to use. An administrator must first determine which settings need to be saved and where those settings are stored. If users need to save settings that can be stored in redirected folders, such as Documents, AppData, or other folders, then folder redirection should be considered. Folder redirection can be used with all profile types discussed in this document, and is generally recommended.

  2. Do applications store settings in the registry?

If the application being deployed does not reference the HKEY_CURRENT_USER (HKCU) hive in the registry, then a mandatory profile solution can be considered. However, many applications do access this hive, so testing is required.

  3. How will printers be made available, and how will printer settings be handled?

The printing requirements have an impact on the user profile design. Printers are typically enabled through logon scripts or XenApp policies; here we will only discuss the latter.

Printing can only be enabled if it has not been disabled by another Terminal Services or XenApp policy. If printing will be enabled through XenApp policies, administrators can choose where to save client-side settings. Where printer properties (File > Print > Preferences > Local Settings) can be retained has a direct bearing on the type of user profile that has been configured.

In the XenApp Advanced Configuration Console (formerly Presentation Server Console), the Citrix policy named Printer properties retention should be set accordingly. Following are available options:

  • Held in profile only if not saved on client (default)

  • Saved on the client device only

  • Retained in user profile only

Of course, if mandatory profiles are administratively configured, the last option would not be feasible because the printer properties could not be retained; however, if the properties can be retained on the client device, then mandatory profiles are a viable option.

  4. How is the XenApp farm designed? Are applications in silos?

In farms based on multiple application silos, using roaming profiles increases the likelihood of profile setting loss due to “last write wins” issues. For example, a user simultaneously accessing SAP and a custom application hosted on different servers will lose the roaming profile settings made in the custom application session if that session is logged off before the SAP session, because the SAP session writes its copy of the profile last. This effect is therefore termed the “last write wins” condition. Citrix User Profile Management must be considered as an alternative to roaming profiles if users experience this issue.

Design Practices

When designing your XenApp environment, once the analysis of requirements has been performed, the appropriate profile type(s) needs to be selected.

Comparing Profile Options

The following table is useful for comparing the relative benefits of each profile type when analyzing the design requirements. For each profile type, the benefits are listed first, then the disadvantages:

Local Profile
  Benefits:
  • No requirement for centralized repository for profile storage
  • Not susceptible to corruption
  Disadvantages:
  • Settings are inconsistent across servers and sessions
  • Consumes local disk space

Roaming Profile
  Benefits:
  • User profile accessible from any XenApp server
  • Settings are saved across sessions
  Disadvantages:
  • Susceptible to “last write wins” and resultant settings loss where application silos exist

Mandatory Profile
  Benefits:
  • No settings are susceptible to loss
  Disadvantages:
  • Settings are not saved across sessions

Multiple Profiles
  Benefits:
  • Benefits of both mandatory and roaming profiles without the disadvantages of each
  Disadvantages:
  • Potential for additional file server space requirements
  • Administrative expertise and maintenance required

Citrix User Profile Management
  Benefits:
  • Allows for the most control over settings
  • Addresses “last write wins” issue
  • Space requirements are minimal
  Disadvantages:
  • Administrative effort and skills to implement and maintain

Using Active Directory Group Policies

Active Directory includes a number of group policies, including a subset of Terminal Services policies, that can be applied to a XenApp environment to optimize performance and stability. Terminal Services profiles are commonly configured within these Group Policy Object (GPO) options. Active Directory based on Windows Server 2003 SP2 and higher, as well as Windows Server 2008, allows Terminal Services mandatory profiles to be configured as a GPO.

Folder Redirection policies can be used with mandatory or roaming profiles to maintain a centralized location for specific folders, and are generally recommended to exclude that data from the user profile. The folders that can be redirected are dependent upon the version of Active Directory in use. Where folder redirection is used, the AppData and Documents folders are redirected at minimum.

Without folder redirection, user data is stored within the profile. When folder redirection is enabled, user files stored in the selected folders are segregated from the user profile. As a result, user logins proceed as quickly as possible, and the impact on the profile is minimized.

For profile folders, such as Documents and Desktop, it is generally best to redirect them to the user’s home directory location, under subdirectories with the same profile folder names (such as: Desktop). Folder redirection paths can be in a UNC format (such as: \\servername\share\%username%\Desktop) or using a drive letter (such as: H:\Desktop). Use of a drive letter provides flexibility if home directories are stored across multiple file servers.

Depending on the profile solution selected, policies exist to exclude data from the user profile:

  • Roaming Profile: Exclude directories in roaming profile

  • Citrix User Profile Management: Registry exclusion list and File system exclusion list

In addition, deleting locally cached profiles on logoff can be configured for Microsoft profiles, as well as Citrix User Profile Management. When configured appropriately, profiles are not left cached on each XenApp server after logoff. As a result, a consistent user experience is assured and disk space is used efficiently.

Specifying Multiple Profiles

As discussed previously, a single user in a XenApp environment may be configured to use different profile types depending on the server being accessed. In a farm employing application silos, this can be useful. However, the administrative effort to configure and maintain multiple profiles needs to be weighed against the expected benefit. For example, a farm may have three different application silos and use different profile types within each silo.

The benefit of this approach is reduction in logon time and profile corruption, while maintaining the administrative benefits of application silos. Multiple profiles can be configured for users in one of several ways. The options are:

  • Environment variables

  • Only allow local user profile

  • Terminal Services profile per application silo

These three methods are described below.

The environment variables method involves setting the users’ profile paths to a value with an environment variable, for example: %profilepath%\%username%. On each server, the %profilepath% environment variable will be created. For a farm with two application silos running Microsoft Office and Lotus Notes, the variables could be specified using the SETX utility as follows:

  • Microsoft Office servers: %profilepath% = \\fileserver\office-profiles

  • Lotus Notes: %profilepath% = \\fileserver\lotus-profiles

When users log on to the Microsoft Office servers, profiles are loaded from \\fileserver\office-profiles\%username% as denoted by the user profile path and the value of the environment variable on those servers. This method also allows a user to have multiple mandatory profiles, or a blend of roaming and mandatory profiles by copying a mandatory profile (NTUSER.man file) into each specified profile path for every user.

Note: When implementing persistent environment variables using the SETX utility, a reboot might be required.
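The environment variable method above depends on two things agreeing: the template stored in the user's Terminal Services profile path and the machine-level %profilepath% value on each server. The script below is an added example, not code from the Citrix article: it sets the per-silo variable (the same persistent machine value SETX /M writes) and then resolves and classifies the path a given user would get on this server. The file server, share names and user name are placeholders.

```powershell
# Added example, not from the Citrix article: set the per-silo %profilepath%
# variable the text describes and verify what the AD profile path template
# resolves to on this server. File server, share names and user are placeholders.

$siloShares = @{
    Office = '\\fileserver\office-profiles'   # placeholder
    Lotus  = '\\fileserver\lotus-profiles'    # placeholder
}

function Set-SiloProfilePath {
    param([Parameter(Mandatory)][ValidateSet('Office', 'Lotus')][string]$Silo)
    # Machine scope writes the same persistent system variable as SETX /M.
    # Services (including the profile service) pick it up only after a reboot.
    [Environment]::SetEnvironmentVariable('profilepath', $siloShares[$Silo], 'Machine')
}

function Resolve-TsProfilePath {
    # Expands the template stored in AD (e.g. %profilepath%\%username%) with the
    # machine-scope value, i.e. the path the profile service will use at logon.
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$Template = '%profilepath%\%username%'
    )
    $machine = [Environment]::GetEnvironmentVariable('profilepath', 'Machine')
    if (-not $machine) {
        throw 'profilepath is not set at machine scope on this server.'
    }
    # String.Replace, not -replace, so backslashes in the share stay literal.
    $Template.Replace('%profilepath%', $machine).Replace('%username%', $UserName)
}

function Test-TsProfilePath {
    # Classifies the resolved path: mandatory (NTUSER.MAN), roaming (NTUSER.DAT),
    # or not yet created (the default profile is copied on first logon).
    param([Parameter(Mandatory)][string]$Path)
    $state = if (-not (Test-Path -LiteralPath $Path)) { 'Missing; created from Default User at first logon' }
             elseif (Test-Path -LiteralPath (Join-Path $Path 'NTUSER.MAN')) { 'Mandatory' }
             elseif (Test-Path -LiteralPath (Join-Path $Path 'NTUSER.DAT')) { 'Roaming' }
             else { 'Folder present but no registry hive' }
    [pscustomobject]@{ Path = $Path; State = $state }
}

# On an Office-silo server:
Set-SiloProfilePath -Silo Office
$path = Resolve-TsProfilePath -UserName 'jdoe'   # \\fileserver\office-profiles\jdoe
Test-TsProfilePath -Path $path
```

Because Resolve-TsProfilePath reads the machine-scope value from the registry rather than from the current process, it shows the path that will apply after the reboot the note above mentions, even before that reboot has happened.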

The Only allow local user profiles policy prevents a user’s roaming profile from downloading, and instead creates a local profile for the user. This option is useful in situations where a multiple application silo approach is used, such as when published applications are run within published desktops. For example, if an application silo hosting a published desktop requires a roaming profile and a secondary application silo is accessed via a pass-thru ICA connection, it may be necessary to configure this setting. The Only allow local user profiles policy therefore allows a blend of roaming and local profiles to be used. In Windows Server 2003 and Windows Server 2008, this policy is available in Active Directory (under the Computer Configuration > Administrative Templates > System > User Profiles settings).

Alternatively, within Citrix User Profile Management, distinct profiles can be designated based on the Organizational Unit (OU) structure.

Finally, where application silos are designated based on computer-based OU, the Terminal Services profile per application silo can be configured accordingly. Using this technique, users can have different roaming profiles depending on the GPOs that are applied to specific servers.

The policy Set Path for TS Roaming User Profile (available under Computer Configuration > Administrative Templates > Windows Components > Terminal Services) is the setting to specify in each silo's GPO.

An easier means of configuring multiple profiles is by means of Citrix User Profile Management. Because the profile configuration is based on Active Directory OUs, a distinct profile can be designated per application silo so long as each silo is in its own child OU.

Additional Resources

CTX119036 - User Profile Manager Deployment Best Practices 
Knowledge Center Highlights: App Virtualization & VDI (July Edition)
