Citrix 4.5 Presentation Server

rakkad
I am new to Citrix 4.5 Presentation Server. Can someone tell me how tsprofiles are configured in the Citrix environment, i.e. within the Citrix farm, where is the setup location path?

Thanks

The profile is not Citrix related, it's Windows terminal server related.

Unless you have them directed in a GPO or on the Terminal Servers tab of ADU&C, they will be local profiles.

As you say PS4.5, I assume you are running on 2003?  If so, profiles will be in C:\Documents and Settings.
User profiles are a very complex subject.  Take a look at this: http://www.dabcc.com/downloadfile.aspx?id=950.

There are a lot of factors in determining the best profile solution and then configuring it correctly is another step.

If you don't configure anything, you will be using local profiles, which is very seldom a good answer.  Unfortunately, user profiles can get pretty ugly if not done right, so take the time to learn about them!

Author

Commented:
As it stands, the terminal services profile tab is not set for any user within AD, so when a user accesses Citrix the tsprofiles are written to \\cslwinprn01\tsprofiles$\???? where ???? is the Windows login user-id. First question: when a user accesses Citrix, how does it write to \\cslwinprn01? Second question: the profile needs to access the c:\windows\system directory; how can I do this? Thanks for your help.

Commented:
Not entirely true. AD uses 2 profile locations: the default user profile, which you configure on the user's "profile" tab in ADU&C, and the one in the Terminal Server Profile in the corresponding tab. If both are blank, you automatically disable roaming profiles, and the profiles will only be created and maintained on the computer the user logs in to, that is his workstation and/or his Terminal Server session.

To answer your first question: you should create a directory tsprofiles on the \\cslwinprn01 machine (which you obviously have already) and share it, as you did, as tsprofiles$, making it hidden. Now assign the users who access the Terminal Server FULL rights on that share. Do not forget to also give them FULL filesystem rights on the directory too. Normally you will use a domain security group "Terminal Server Users" for this purpose, and you then add this domain group to the LOCAL group Remote Desktop Users on the Terminal Server. What will happen is that a new user logging in has sufficient rights to create his own profile dir, with him as owner. Other users, should they be clever enough to guess the path to the hidden share, might see the created profile dirs of these users, but they would not have access to these directories, because the rights of the above directory are not inherited on the lower level.

Then, answering your second question: if for some reason the users need access to the c:\windows\system dir (some badly constructed programs just want this, I know), you have to create a Terminal Server policy in AD and assign this policy to the OU for Terminal Servers. Place your Terminal Server in that OU, because you don't want other computers to get this policy :-) In your Terminal Server policy, browse to computer policy, rules, windows settings, security settings, filesystem. Then in the right pane, click your right mouse button, click new file. Browse to the windows\system dir, click OK. The ACL of that directory will open; add your security group Terminal Server Users to that ACL and assign them the rights you want them to have. It will then ask you how these rights should be applied. Read this very carefully, so you make the right choice. (BTW, I only have the Dutch interface in front of me, so the English I wrote here might be slightly different ;-)

The reason why you use a policy is that the policy will automatically refresh. So if you assign these rights in fact on the filesystem of the terminal server, the lack of the setting in any of the applied GPOs will delete the rights you might have set on the filesystem.

Hope this helps !

KG
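
The answer above relies on each user's profile folder not inheriting the broad rights granted on the share root. An added check, not part of the original answer, that lists every allow entry on a profile folder other than its owner and the built-in administrative principals; the expected-principal list and the English account names are assumptions.

```powershell
# Added example: audit per-user folders under the roaming-profile share.
# The default path is the share quoted in the thread.
param(
    [string]$ProfileRoot = '\\cslwinprn01\tsprofiles$'
)

# Principals expected on a profile folder besides the owning user.
# Assumption: English built-in names; localized systems use other names.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

function Get-UnexpectedAccess {
    param([string]$Folder)
    try {
        $acl = Get-Acl -Path $Folder -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL of ${Folder}: $($_.Exception.Message)"
        return
    }
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($id -eq $acl.Owner -or $expected -contains $id) { continue }
        # Anything left is a principal other than the owner that can
        # reach this profile, e.g. a group inherited from the share root.
        New-Object PSObject -Property @{
            Folder    = $Folder
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

Get-ChildItem -Path $ProfileRoot |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Get-UnexpectedAccess -Folder $_.FullName } |
    Select-Object Folder, Identity, Rights, Inherited |
    Format-Table -AutoSize
```

Rows with `Inherited` set to `True` show rights flowing down from the share root into a user's profile folder. The account running the audit needs permission to read the ACLs.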

Author

Commented:
Thanks for this. I have noticed that we have set a policy - 'Prevent access to specified drives in My Computer' for all local drives (ABCDEOnly). By doing the above, would this still work, if we have restricted access to the local drives on the Citrix server?

Thanks

Commented:
Yes. What that policy actually does is remove the local drives from Explorer and the user session. Programs and services, which usually use other (local) credentials, like the System account, can still write to the local disks. In fact your user session will also write to the local disks when creating the local profile dir (documents and settings etc).

However, when assigning rights the way I described above, it can be handy if you can browse the filesystem, or you should type the path completely.

KG
Clarifying a couple things:
1. On Terminal Servers (Citrix is simply an add-on to it therefore all that applies to TS applies to Citrix) on Active Directory Users and Computers, if there is a PROFILE set, the TS will use that as a Roaming Profile. If both the PROFILE and the TS Roaming Profile are set, the TS will use the TS one. For this reason we always make sure a profile is set on the TSs.
2. This can be accomplished by changing the user properties on AD, on the Terminal Services Profile Path OR (much easier) by Policy. It is a Computer Policy, under Windows Components | Terminal Services. By setting this on a policy, all TSs get the path where to look for a roaming profile from it.
3. Finally, if you want to learn how to do all this, step-by-step in an easy to follow guide, download the guide I wrote,  "Terminal Services from A to Z" off my website, http://www.wtslabs.com. It covers this in detail plus a LOT more so you can actually learn all the best practices for TS and how to implement these.

Cheers.

Cláudio Rodrigues
Citrix CTP
Microsoft MVP - RDS

Author

Commented:
I have noticed that with certain user logins to access Citrix applications the Windows drive is represented, e.g.

\\cslwinprn01\tsprofiles$\tst-tma.NBS\.....

Application Data
Desktop
Favourites
My Documents
NetHood
PrintHood
Recent
SendTo
Start Menu
Templates
WINDOWS
NTUSER.DAT
NTUSER.DAT.LOG
ntuser.ini
Sti_Trace.log

However, for certain other user-ids, when logged into Citrix, the WINDOWS\system directory is not present...

Any ideas why this would be the case? My application that works in Citrix requires the WINDOWS directory to be present.

Thanks

Carl Webster, Citrix Technology Professional - Fellow
Top Expert 2010

Commented:
What you are seeing is not THE %SYSTEMROOT% version of WINDOWS but one that is placed in each user's profile when something is needed to be placed there.  The users who don't have it, haven't needed it to be created.

Author

Commented:
Is there a policy I could enforce then, that would ensure that a WINDOWS directory is written to each user's citrix profile?
Carl Webster, Citrix Technology Professional - Fellow
Top Expert 2010

Commented:
Not that I am aware of. Look at the permissions on one of the existing Windows folders in a user's profile. Make a logon script that says if the folder tree doesn't exist, create it and then assign the appropriate permissions.

Author

Commented:
I have created three test user account profiles and a group policy in the existing Terminal Service policy, which basically copies the WINDOWS directory to each of these profiles. This works fine, as it relies on the BCS.INI file, which contains port numbers etc., but the policy does not copy the WINDOWS directory to ordinary users.

Is there anything in the Citrix environment that is preventing the WINDOWS directory from being copied to the users' Citrix profiles directory, and therefore it cannot be read?

Thanks

Author

Commented:
Application was re-configured not to use Citrix
Coralon, Senior Citrix Engineer

Commented:
It may be too late, but Citrix does *not* copy the windows directory in to the user's home directory.

What happens is that when a user logs into the TS server, Windows reads the location of the home directory and creates a Windows directory underneath it.  This new location is what is used for %WINDIR% in normal execute mode.

However, if a home directory is not assigned in AD or by GPO, then the user's profile is used as the home directory and a Windows directory is created underneath it.

Once the user's Windows directory is created then whatever available INI files that are in %systemroot% are copied into the Windows directory.  

Once the INI files are copied, they are generally kept 'in sync' with the primary INI files at login time, with changes to the primary files written to the user's files unless a flag is set to not do that.

Coralon
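
A logon-script sketch of the "create it if it doesn't exist" suggestion made earlier in the thread, using the location rules described in the post above (added example, not code from any poster). It assumes PowerShell is available on the Terminal Server and that the script runs in the user's own logon context.

```powershell
# Added example: make sure the per-user WINDOWS directory exists and
# holds a copy of the INI files found in %SystemRoot%.

function Get-UserWindowsBase {
    # Home directory if one is defined, otherwise the profile path,
    # matching the fallback order described in the post above.
    if ($env:HOMEDRIVE -and $env:HOMEPATH) {
        return "$($env:HOMEDRIVE)$($env:HOMEPATH)"
    }
    return $env:USERPROFILE
}

$userWin = Join-Path (Get-UserWindowsBase) 'WINDOWS'
$userSys = Join-Path $userWin 'system'

# Create the folder tree only when it is missing. Folders created in the
# user's context inherit the inheritable ACL entries of the parent.
foreach ($dir in @($userWin, $userSys)) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
}

# Copy INI files that are not there yet; existing per-user copies are
# left untouched so user-specific settings are not overwritten.
Get-ChildItem -Path (Join-Path $env:SystemRoot '*.ini') | ForEach-Object {
    $dest = Join-Path $userWin $_.Name
    if (-not (Test-Path -LiteralPath $dest)) {
        Copy-Item -LiteralPath $_.FullName -Destination $dest
    }
}

# Show the resulting ACL so it can be compared with a profile that
# already has a working WINDOWS folder.
(Get-Acl -Path $userWin).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```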

Author

Commented:
I found that Citrix profiles needed to be changed so it reads it from the GPO policy.
