Some Mandatory Profile Best Practices *** Updated April 16th 2010.

August 7, 2009

There are a number of different ways that you can capture a profile that you want to subsequently use as a mandatory profile. My preferred approach is to logon as a non-administrative test user, run whatever applications are needed and configure as appropriate, logoff and then take the resulting ntuser.dat, obviously renamed to ntuser.man, as the mandatory profile’s registry hive. I generally do not have any folders in the folder specified for the mandatory profile – it just contains the ntuser.man file and nothing else. *** Update:  However, on Vista, Win7 and WS08, the empty folder AppData\Roaming does need to be created. In addition, if none of the folders that by default are used for items such as “My Pictures” and “My Music” exist in the base profile, these special folders will not be available to the user who is assigned this mandatory profile. However, it is strongly recommended that folder redirection is used to provide these special folders, if required, rather than using the defaults provided in the locally cached profile folder hierarchy. ***

Once the ntuser.man file has been copied away, I load it as a hive in regedit and then check various elements of it; namely:

  1. Security – the Access Control Entries (ACEs) for the user used to generate the profile should be removed and an Everyone – Full Control ACE added in its place. It is not actually ideal to open up security to this extent but since we don’t know what user is going to use the profile, we cannot lock it down much further although it could be done with a tool such as subinacl.exe [http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b] at logon. For VDI environments, which are necessarily single user, it probably doesn’t matter but for Terminal Services, it means that a user with access to HKEY_USERS through regedit or other tools/scripts/macros can read and write/delete any other logged on user’s registry settings.
  2. Search the hive for the username of the user used to generate the hive and delete/replace the values as appropriate.  Note that there is no guarantee that changing a REG_SZ value to a REG_EXPAND_SZ and using “%Username%” or “%UserProfile%” in place of the actual username or locally cached profile folder respectively will work since it is up to the application that reads the value to implement environment variable expansion. Don’t be tempted to delete a whole key unless you are prepared to test that no ill effects occur. For instance, deleting the key “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”, because it contains values with the path to the generating user’s locally cached profile folder, will cause problems at logon whereas deleting all of the values in the key, but not the key itself, does not cause issues.
  3. Delete all policy registry keys such as “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies” and “HKCU\Software\Policies” (unless of course you want to apply GPO like lockdown this way but it can cause confusion).
  4. Strip out anything that you do not want – the best mandatory profiles are generally the simplest. There is, unfortunately, no easy way of deciding what should be stripped out. I tend to focus on Most Recently Used (MRU) lists such as those for opened documents, searches, runs and so on. The benefit of starting with the default user profile rather than a “contaminated” user profile is that this step, generally, is not required.
  5. Check all autorun locations, such as “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” and “RunOnce”. It is usually best to have nothing in these keys and have things run at logon via other means.
  6. Set application defaults, such as disabling splash screens, either by running the application and configuring it or by directly editing the registry if you know what keys/values need setting.

Once you have unloaded the hive and quit regedit, delete all .log and similar files that may have been created when the hive was loaded. Also check that the folder containing the ntuser.man file and the file itself are owned by the local administrators group and have no write/delete access for non-administrators. This is particularly important if the mandatory profile will be local to the system it is used on rather than through a share since share level permissions can also help protect the hive from accidental or deliberate damage.

Finally, thoroughly test the mandatory profile works as desired when assigned to a representative, non-administrative, user and the available applications are run.

I hope this has been of use, and if you have any questions or comments, please do let us know.


Citrix Session & Application Timeouts, a Great Solution

July 21, 2009

I had a great day on Tuesday. An AppSense client had an issue where their remote workers experienced their Citrix applications timing out on them.

After connecting, and using application 1, by the time they go to use application number 2, it had timed out, and when they try to restart it, Web Interface had timed out as well.

So the clients question was  “How can AppSense help me?!”.

Enter “ENVIRO-MAN” from the left of screen. All dressed in pretty green and looking surprisingly like the Environment Manager Product Manager :-)

“Your session timeouts do not scare me” he roared as he landed awkwardly on the photocopier, injuring his knee.

While “ENVIRO-MAN” proceeded to bore one of the office staff with stories about the mighty Blackpool Football Club, I decided to dig in and fix the problem.

Session Timeouts are controlled by a number of parameters – as examples, there are some per server settings based on type of connection (RDP or ICA) and some user based settings set in Active Directory.

However, if you require more granularity, that’s where AppSense Environment Manager lives…

By using a Group Policy Action (Set ADM Policy / Set ADMX Policy), I was able to load in the ADM settings from the “C:\Windows\inf” directory.  I then typed “session” into the filter, and up came the Terminal Server Session Timeout setting…  Magic :-)

By using EM Rules/Conditions I could now vary the Session timeouts based on IP address, Client Name, or even by integrating it into the results of Citrix AAC filters :-)

I demoed it to the client (they were blown away), thanked ENVIRO-MAN for his help and left to help the next client in need.

All in a good days work :-)


Group Policy Objects (GPO’s) & AppSense Environment Manager

July 1, 2009

Background information on GPO’s
Group Policy Objects are a common part of most organizations IT policy, while they are a needed tool for controlling the desktop, applications and security settings presented to a user, they are also one of the most complicated and time consuming policies to set up and maintain in an enterprise environment.

The main challenge with GPO’s is quite simply the management overhead required to keep on top of the ever changing requirements of the enterprise. Given that Policy is typically applied [within the AD] at Domain level, Computer Organizational Unit (OU) level and at User OU level, it can easily and rapidly become a management nightmare to ensure that the complexity does not overcome the needs of policy configuration in the first place. This along with the GPO’s inability to have fine enough granularity (limited to AD Groups and OU as the means of depicting whether Policy is applied) make GPO’s a difficult method to accurately deliver the policy to the corporate end points and end users.
Managing GPO’s with AppSense Environment Manager.
AppSense Environment Manager resolves the above issues, reducing complexity and saving on time and cost by completely replacing the admin intensive process with an easy to use graphical user interface, complete with wizard based actions.

Actions can be selected and then applied at a user or device level, based on environment variables, without the need for any complex scripts. Furthermore, the GUI ensures consistency between Administrators, meaning any other support worker can quickly troubleshoot and amend any existing configuration.

AppSense Environment Manager builds on the GPO technology, but instead of relying on complex scripting and applying settings at an OU level or computer level, Environment Manager uses a GUI interface to present the administrator with an easy to read list of ADM templates and GPO settings, and then enables them to be applied at a user level based on a flexible rules list.

With the Environment Manager flexible rule set, Group Policy actions need not be applied at a group level.. but instead, to whoever or whatever you want..