Some Mandatory Profile Best Practices *** Updated April 16th 2010.

August 7, 2009

There are a number of different ways that you can capture a profile that you want to subsequently use as a mandatory profile. My preferred approach is to logon as a non-administrative test user, run whatever applications are needed and configure as appropriate, logoff and then take the resulting ntuser.dat, obviously renamed to ntuser.man, as the mandatory profile’s registry hive. I generally do not have any folders in the folder specified for the mandatory profile – it just contains the ntuser.man file and nothing else. *** Update:  However, on Vista, Win7 and WS08, the empty folder AppData\Roaming does need to be created. In addition, if none of the folders that by default are used for items such as “My Pictures” and “My Music” exist in the base profile, these special folders will not be available to the user who is assigned this mandatory profile. However, it is strongly recommended that folder redirection is used to provide these special folders, if required, rather than using the defaults provided in the locally cached profile folder hierarchy. ***

Once the ntuser.man file has been copied away, I load it as a hive in regedit and then check various elements of it; namely:

  1. Security – the Access Control Entries (ACEs) for the user used to generate the profile should be removed and an Everyone – Full Control ACE added in its place. It is not actually ideal to open up security to this extent but since we don’t know what user is going to use the profile, we cannot lock it down much further although it could be done with a tool such as subinacl.exe [http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b] at logon. For VDI environments, which are necessarily single user, it probably doesn’t matter but for Terminal Services, it means that a user with access to HKEY_USERS through regedit or other tools/scripts/macros can read and write/delete any other logged on user’s registry settings.
  2. Search the hive for the username of the user used to generate the hive and delete/replace the values as appropriate.  Note that there is no guarantee that changing a REG_SZ value to a REG_EXPAND_SZ and using “%Username%” or “%UserProfile%” in place of the actual username or locally cached profile folder respectively will work since it is up to the application that reads the value to implement environment variable expansion. Don’t be tempted to delete a whole key unless you are prepared to test that no ill effects occur. For instance, deleting the key “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”, because it contains values with the path to the generating user’s locally cached profile folder, will cause problems at logon whereas deleting all of the values in the key, but not the key itself, does not cause issues.
  3. Delete all policy registry keys such as “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies” and “HKCU\Software\Policies” (unless of course you want to apply GPO like lockdown this way but it can cause confusion).
  4. Strip out anything that you do not want – the best mandatory profiles are generally the simplest. There is, unfortunately, no easy way of deciding what should be stripped out. I tend to focus on Most Recently Used (MRU) lists such as those for opened documents, searches, runs and so on. The benefit of starting with the default user profile rather than a “contaminated” user profile is that this step, generally, is not required.
  5. Check all autorun locations, such as “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” and “RunOnce”. It is usually best to have nothing in these keys and have things run at logon via other means.
  6. Set application defaults, such as disabling splash screens, either by running the application and configuring it or by directly editing the registry if you know what keys/values need setting.

Once you have unloaded the hive and quit regedit, delete all .log and similar files that may have been created when the hive was loaded. Also check that the folder containing the ntuser.man file and the file itself are owned by the local administrators group and have no write/delete access for non-administrators. This is particularly important if the mandatory profile will be local to the system it is used on rather than through a share since share level permissions can also help protect the hive from accidental or deliberate damage.

Finally, thoroughly test the mandatory profile works as desired when assigned to a representative, non-administrative, user and the available applications are run.

I hope this has been of use, and if you have any questions or comments, please do let us know.


VDI Personalization and Configuration: Profile Management & Logon Scripts – not enough for multiple delivery mechanisms & OS platforms?

July 24, 2009

As a leading user environment management vendor, AppSense are in a unique position in that we have been involved many VDI projects and rollouts, of which the majority vary in architecture, technology and requirements.  One thing that does however remain the same between such projects is that of the requirement for user personalization management.

For many years the roaming profile provided user personalization in SBC environments, however as VDI deployments become more and more complex, with varying methods of desktop and applications delivery, along with multiple desktop operating systems and subsequently, profile versions, the roaming profile is no longer able to provide the user with their required settings in such (complex?) scenarios.

Furthermore, these desktops must now be constructed and configured based on the context of the user and/or connecting device.  i.e. mapping specific printers local to the user and device dependent on the location of the user logging on, or applying security policies to hide or remove access to network drives, folders, data and functionality such as copy and paste or print, again, based on the location of the user.  Whereby the desktop delivered to a user when connected locally inside the corporate LAN is different to that of the desktop delivered to the same user when connecting remotely from outside of the LAN.

One more point to consider is that of enabling the user to freely roam between the server hosted or provisioned virtual desktop, and the users local desktop device such as their PC or roaming laptop.  How do you as IT enable user settings to automically follow the user between different platforms?

AppSense Environment Manager was designed from the ground-up with functionality to accommodate the above requirements, making it, or, other user environment management solutions essential to the mass adoption of VDI on an enterprise scale.  In essence, AppSense provides the ability to encompass multiple delivery technologies and OS platforms by allowing the user to roam between the paradigms without any noticeable change to their desktop or user experience, enabling IT and the organization to benefit from flexibility, agility and lower TCO.  I do at this point want to highlight that this is different to the personalization management provided by the leading VDI vendors (Citrix, Microsoft, VMware etc), as their in-built functionality is typically designed for their delivery platform, not each other’s.   In essence, further to the advanced personalization and simplification of desktop management, AppSense also enables an organization to use combinations of both existing technologies, and (potentially) more importantly, any future VDI delivery technologies and vendors.
 
I have just found a very nice blog covering the functionality of not only AppSense Environment Manager, but also the base technology inherent within the leading VDI service providers – Citrix, VMware and Microsoft.  Hopefully from this blog post, and the information over at GenerationV, you will see how AppSense bridges the gap between the roaming user and a dynamic, flexible VDI model..

For more information on this, the GenerationV Profile Management blog can be found here


AppSense Technical University Training For Partners

July 22, 2009

I am excited about writing this one, the much awaited 2009 AppSense Technical University is soon upon us! It will take place in October and November!!  Following on from our previous events, there are some exciting new developments at AppSense that we would like to share with you; amongst other topics:

  • User Introduced Applications (UIA) Technology – do we need, and how do we enable, users to install applications into non-persistent VDI sessions, and have the applications (and settings and preferences) remain available in the next non persistent vdi session?!
  • AppSense Management Suite Version 8.1 Product RoadMap
  • ‘Policy & Personalization’ best practices across virtual and multi OS platform environments

Uni

 

Why attend the AppSense Technical University?

The AppSense University is a ‘free of charge’ event to our AppSense Certified Solution Partners, and is a great chance to meet up with the AppSense Technical teams, as well as your peers from within the community. As a valued member of our Certified Solutions Partner program, you are invited to this comprehensive technical update and networking event.

The 2 day event will include in-depth, hands on training designed to enable you to provide consultancy services and implement the AppSense Management Suite for prospects and customers.

Register for further information

As always, AppSense is hosting several Technical University events in locations around the globe. If you are interested in attending an AppSense Technical University, click on the country or region most relevant to you and we will keep you informed of the event details:

United States, November 2009 

United Kingdom, October 2009

Norway, November 2009

DACH Region, November 2009

BeNeLux, November 2009

Australia, October/November 2009

We look forward to seeing you there!

Best Regards,

The AppSense Technical University Team.

Website: http://www.appsense.com
Email: university@appsense.com
Telephone: +44 (0)1928 793 444


Review of AppSense Environment Manager 8 by vExpert Tom Howarth

July 8, 2009

Tom Howarth (a VCP/vExpert specializing in Thin Client & Virtualization solutions) and author of www.PlanetVM.net has published a comprehensive review of AppSense Environment Manager Version 8.0

Tom is well known and highly respected within the VMware and Citrix communities and as such, this positive review comes with high regards.  In Tom’s concluding words he describes AppSense Environment Manager as, “It is a Ronseal product – it does what it says on the tin.”

The article can be viewed at http://planetvm.net/blog/?p=122


Profile Corruption, Last Write Wins, And Profile Rollback

July 2, 2009

One of the biggest problems in a SBC (Microsoft Terminal Services or Citrix XenApp) and VDI (Citrix XenDesktop and VMware View) environment is that of the issues caused by the dreaded Roaming Profile.  One such issue which plagues both users and IT Support desks alike is Profile Corruption.

Profile corruption is seen as innevitabele when using roaming profiles, and can leave a user locked out of their desktop for hours, support desks inundated and overwhelmed with support cases, and is a huge drain on resources at great cost to a business.

AppSense Environment Manager not only prevents Profile Corruption, but also enables IT Support desks to reduce other profile related support cases from being a 2 hour resolution process, to just 5 or 10 minutes.  This not only improves user satisfaction, but makes for a more efficient, and lower cost support desk.

Profile corruption can occur through the overwriting of user settings as a user logs off from concurrent working sessions and settings made in each separate desktop try and write back to a central store.  Often overwriting each other, causing conflict, and leading to corruption

With AppSense Environment Manager, when a user launches an application, regardless of how it is delivered to a user (local install, Citrix, Microsoft App-V, VMware ThinApp, InstallFree etc…), we inject a Profile Virtualization Component (PVC) into the running process which allows any personalized settings, i.e. writes to the registry or file system, to be virtualized and therefore effectively redirected to a ‘local virtualization cache’ located on the user’s endpoint or within the user session itself (in the case of TS/XenApp).  This is an automated process, no need for manually specifying which registry keys or settings to capture. 

When the application is closed (not just at user logoff), the contents of the ‘local virtualization cache’ (only those [delta] changes made by the user during this running instance of the application) are then synchronized to a back-end database server so that a centralized copy of the user’s personalization settings is now available and able to be streamed back into open concurrent sessions or across multiple delivery mechanisms.

This eliminates the last write wins at the session level by not writing back to NTUSER.DAT at logoff. Significantly reducing the window for corruption as settings are syncronized back throughout the user session, not all in their entirity at logoff. 

So now as an additional benefit, settings can be shared across concurrent sessions as the next time the user launches the same application, be it from the same or a different concurrent session, the contents of the ‘local virtual cache’ are checked to see if the settings are up-to-date.  If they are, the user will get their latest personalization settings from the local cache.  If the settings are out-of-date, then the new delta user personalization settings for that specific application will be streamed down to the endpoint device on-demand.

With remediation tools such as Profile Rollback, application settings (which are stored in the SQL database at a per application level for each user) can be rolled back with just a couple of clicks in the AppSense console.  This takes 2 hour support calls down to just 5 or 10 minutes, and the beauty is, as the user settings are virtualized and so are not part of the desktop itself, the user need not log off their session for the rollback to occur.  Merely close and re-open the application in question..


Follow

Get every new post delivered to your Inbox.