
Citrix roaming profiles questions

Posted on 2008-11-13
Last Modified: 2013-11-21
Hello

I would like to enable roaming profiles for my users. We have about 10 Citrix 4.5 Servers in our farm.

I have a couple of questions I was hoping someone could help me with;

a) Am I correct in thinking that roaming profiles (RP's) are enabled by entering the profile storage location within their AD properties for profile path?

b) Will this mean that they won't have a local profile on the server they log onto? There's no need to delete any local profiles they also create?

c) Can I lock down how big their roaming profile can be?

d) Can I restrict what sort of files they can save in their roaming profile?

e) Will they pick up this profile wherever they log on from (as long as they are using AD, even in a multi-domain forest)?

Thanks!
Question by:bruce_77
12 Comments
 
LVL 8

Expert Comment

by:Herrmannator
ID: 22954221
0
 
LVL 18

Expert Comment

by:exx1976
ID: 22954259
A - yes
B - No more local profiles for Citrix logins.  Just make sure you set the Terminal Services Profile Path, not the regular Profile Path.  Profile Path is used for roaming profiles with workstations (XP/2k)
C - possibly with disk quotas, but I wouldn't recommend this..  Just keep an eye on them and use GPO's to redirect my documents (and anything else you want moved) to their home directory
D - not that I'm aware of, but that doesn't mean there's not some third party app that can do this
E - see answer B


HTH,
exx
0
 
LVL 18

Expert Comment

by:mgcIT
ID: 22954302
B - actually there will always be a local profile.  there is no way to avoid this.  When a user logs into a server the roaming profile is copied down to the local citrix server and will appear under C:\Documents and Settings\username.

so yes, you would want to set the policy to delete this local profile when the user logs out unless you think disk space on the citrix server won't be an issue (depends on how many different users log into citrix).
0
 
LVL 8

Expert Comment

by:Herrmannator
ID: 22954327
a) GPO is easier.  See the previous link.

b) The GPO can/should also specify that local profiles are deleted when the user logs off.  So it is copied down when they log in, then deleted when they log off.

c) If you put a quota on the size you may cause problems, but instead you can redirect portions of the profile to other spots.  One thing I do is have a script run at logon which moves anything they put on their desktop over to their home directory in a folder called "from citrix desktop".  This helps keep their roaming profile small which helps minimize logon time.

d) I would go with moving certain file types instead (via script at logon or log off).

e) I think all the accounts logging into this should be in the same domain, but perhaps trusted domains would work if you've used universal groups.
0
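
An added example, not part of the comment above or the poster's own script: one way to write the logon script described in answers c) and d), moving Desktop items into a "from citrix desktop" folder in the home directory. It assumes the AD home folder is a network path (so HOMESHARE is set); `$MoveExtensions` is a hypothetical filter, and leaving shortcuts in place is a choice made here.

```powershell
# Added example (not from the thread): logon script for answers c) and d).
# Assumptions: the AD home folder is a network path, so HOMESHARE is set;
# $MoveExtensions is a hypothetical filter, empty means "move everything".
$MoveExtensions = @()                 # e.g. @('.mp3', '.avi') to move only these types
$TargetName     = 'from citrix desktop'

$desktop = [Environment]::GetFolderPath('Desktop')
$homeDir = $env:HOMESHARE

# Without a reachable home share there is nowhere outside the profile to move to.
if ([string]::IsNullOrEmpty($homeDir) -or -not (Test-Path -LiteralPath $homeDir)) {
    Write-Warning 'Home share not available; Desktop left untouched.'
    return
}

$target = Join-Path $homeDir $TargetName
if (-not (Test-Path -LiteralPath $target)) {
    New-Item -ItemType Directory -Path $target | Out-Null
}

# Hidden items (desktop.ini) are skipped by default; shortcuts stay put (assumption).
$items = Get-ChildItem -LiteralPath $desktop | Where-Object {
    (@('.lnk', '.url') -notcontains $_.Extension) -and
    ($MoveExtensions.Count -eq 0 -or
        (-not $_.PSIsContainer -and $MoveExtensions -contains $_.Extension))
}

foreach ($item in $items) {
    $dest = Join-Path $target $item.Name
    if (Test-Path -LiteralPath $dest) {
        # Never overwrite an earlier copy: prefix the name with a timestamp instead.
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $dest  = Join-Path $target ('{0}-{1}' -f $stamp, $item.Name)
    }
    try {
        # Copy then delete works across volumes, for files and folders alike.
        Copy-Item -LiteralPath $item.FullName -Destination $dest -Recurse -ErrorAction Stop
        Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop
    } catch {
        Write-Warning ("Could not move '{0}': {1}" -f $item.Name, $_.Exception.Message)
    }
}
```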
 
LVL 18

Expert Comment

by:exx1976
ID: 22954355
mgcIT - I think we've muddied the waters here..


OP - the expanded answer for B is that the "local" profiles that they used to have (ie, each different for each server that they logged onto) will cease to exist, HOWEVER, there will be LOCALLY STORED COPIES of the roaming profile.  The effect of this is to standardize the user experience across multiple physical servers, not to reduce disk space utilization.

Also, make sure you install UPHClean on your Citrix servers, you'll need it.  And I'd also schedule DelProf, too..

And for E, the users that you've configured with a roaming profile will continue to use that roaming profile, no matter what domain the machine is a member of, as long as they can authenticate to their domain, and they have connectivity and can resolve the name of the fileserver/share that hosts their profile.

0
 
LVL 2

Author Comment

by:bruce_77
ID: 22954767
Thanks guys!

To be honest, I'm still a little confused by B.

Ok, let's say I enable roaming profiles via GPO/the AD setting...I then build a new Citrix server. No users have previously logged onto this, so there aren't any existing profiles.

If a user launches an ICA session to this server, will their profile be created on

a) The path specified in the GPO/ AD setting for term svs profile
b) The path above *and* the new Citrix server?
0
 
LVL 18

Assisted Solution

by:mgcIT
mgcIT earned 400 total points
ID: 22954866
yea both... the profile is actually stored where you specify in the GPO/AD setting.  This "roaming profile" will be copied down to any citrix/terminal server that user logs into.  When they log out, any changes to their profile will be copied back to the roaming profile location so that the settings are saved.

on the citrix server you'll see the profile folder under C:\docs and settings\ but of course you can have this automatically deleted when the user logs off if you choose.
0
 
LVL 18

Assisted Solution

by:exx1976
exx1976 earned 400 total points
ID: 22954950
Also, when you create the profile directories, you need to be aware that either the local administrator account of the file server OR the user themselves need to be the owner of the directory, otherwise it won't work..
0
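
An added example, not from the post above: a check that reports profile folders whose owner is neither the matching user nor the Administrators group. The share path is a placeholder, folder names are assumed to be the user's logon name (optionally with a suffix such as `.V2`), and reading "local administrator" as `BUILTIN\Administrators` is an assumption.

```powershell
# Added example (not from the thread): report profile folders with an unexpected owner.
# Assumptions: $ProfileRoot is a placeholder share; each folder is named after the
# user's logon name, optionally followed by a version suffix such as ".V2".
$ProfileRoot = '\\fileserver\tsprofiles$'
$AdminsSid   = 'S-1-5-32-544'    # well-known SID of BUILTIN\Administrators
$SidType     = [System.Security.Principal.SecurityIdentifier]

function Get-ProfileOwnerStatus {
    param([string]$Root)
    foreach ($dir in Get-ChildItem -LiteralPath $Root | Where-Object { $_.PSIsContainer }) {
        $user  = $dir.Name -replace '\.V\d+$', ''
        $acl   = Get-Acl -LiteralPath $dir.FullName
        $owner = $acl.GetOwner($SidType).Value
        try {
            # Compare SIDs rather than display names, which can differ in format.
            $account = New-Object System.Security.Principal.NTAccount($user)
            $userSid = $account.Translate($SidType).Value
        } catch {
            $userSid = $null     # folder name does not resolve to an account
        }
        if ($owner -eq $AdminsSid -or ($userSid -and $owner -eq $userSid)) {
            $status = 'OK'
        } elseif (-not $userSid) {
            $status = 'UnknownAccount'
        } else {
            $status = 'WrongOwner'
        }
        [pscustomobject]@{ Folder = $dir.Name; Owner = $acl.Owner; Status = $status }
    }
}

# List only the folders that need attention.
Get-ProfileOwnerStatus -Root $ProfileRoot | Where-Object { $_.Status -ne 'OK' }
```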
 
LVL 8

Expert Comment

by:Herrmannator
ID: 22955123
And you can specify in the GPO to add the admin group to the local profile when it is created.  A couple other tips:
1) Be sure you disable "Offline Files" on the share where you store these roaming profiles (helps prevent profile corruption).
2) Here's a good read on configuring folder re-direction:
http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html?printversion
0
 
LVL 2

Author Comment

by:bruce_77
ID: 22955250
Thanks, just one final question..

Just one final question...what is the easiest way to implement this? Our Citrix servers are in an OU already, is it best to just create a GPO that specifies roaming profiles? I assume that the copy that is held on the server can be deleted by setting a GPO object too?
0
 
LVL 8

Expert Comment

by:Herrmannator
ID: 22955275
Yes -- you'd want 2 GPO's probably (1 for user settings and 1 for computer settings).  You'd apply both GPO's to the OU that contains the Citrix Servers.  Will send you a link to a detailed article on this.
0
 
LVL 8

Accepted Solution

by:
Herrmannator earned 1200 total points
ID: 22955292
Here you go.  As described in the article, you specify "loop back" processing on the  GPO so that the User Policies get applied no matter what user logs in (even though their user accounts are not in the OU where the Citrix servers reside and the GPOs are applied).  
http://www.brianmadden.com/blogs/gabeknuth/archive/2008/02/26/group-policy-best-practices-for-citrix-and-terminal-server-environments.aspx
 
0
