Can't get Citrix Universal Profile Management to work in XenApp 6.5 (Server 2008 R2)

I have recently deployed Citrix Profile Management on my XenApp 6.5 (Server 2008 R2) host.

The ADM template has been installed on my DC and the appropriate settings have been configured in GPO.

There are 3 shares that have been created for the users profiles.
1. HomeDirs - folder redirection for each users my docs, desktop etc.
2. Profiles - Roaming Profile store
3. CitrixProfiles - Citrix profile settings store

Each of these 3 folders has the following permissions:
Share: -
* Administrators - full
* Authenticated users - full

* Creator Owner - Full
* System - Full
* Administrators - Full
* Authenticated users - Full

Prior to installing Citrix Profile Management, each user was able to write to the central profile store fine. However after installed CPM, the users session does not write to either the Central profile store, or the new Citrix Profile store.

The user can logon fine initially without error, but when they logoff, the profile is not written back to the profile stores. So when the user tried to login the next time, it still cannot write to the profiles stores. however this time a temp profile is loaded due to the local profile still remaining on the host since the last login attempt. I can blow away the profile and log in without error the next time, however the problem reoccurs again after that.

I am able to browse the UNC path to each of the profile locations without issue. I can also create, delete files & folders. So looks like permissions seem to be OK.

The events that are generated are as follows:
An error occurred while trying to reset security permissions on the registry hive for user 'Username'.  Cause: It is likely that there are permission issues with the registry in the default or template profile used to create this Citrix user profile.  Action: If appropriate, reset the security permissions on the user's registry hive in the Profile management user store using a third-party utility such as SetAcl.

One of the documents I read suggested copying the default profile from one of the hosts to a network share, then configure the GPO setting to point to this new store. However the same issue occurs.

I initially created the default profile on this host. I created a local user account, configured all of the settings and then copied to the default profile using "Windows Enabler".

The reason I have not used the XML script way is that I don't really want to keep running sysprep on my gold images. You can only run it 3 times in server 2008 r2 before you have to rebuild the image from scratch again.

Over the past few years I have had a few attempts at Citrix Profile Manager over the various versions that have been released, however it never works! Looks like many others feel the same.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Tony JLead Technical ArchitectCommented:
I think your permissions are wrong - too many rights can cause untold problems on profile shares.

The ones you require are here:

Also when you copied the profile, did you just copy the folder across and change permissions (incorrect) or go via the computer properties (properties, advanced, user profiles settings, copy to)? The latter allows you to chose everyone as having access and will ensure permissions are set correctly.

By the way - the three times for running sysprep, is a bit of a common misnomer. There are circumstances where it's practically unilmited depending, amongst other things, on licensing.


Resetting Windows Activation
When you install Windows with a single license product key, you have 30 days during which you must activate that installation of Windows. If you do not activate Windows within the 30 day period and do not reset the activation clock, Windows will enter RFM (Reduced Functionality Mode). This mode prevents users from logging on to the computer until Windows is activated.

There is no limit to the number of times Sysprep can run on a computer. However, the clock for Windows Product Activation begins its countdown the first time Windows starts. You can use the sysprep /generalize command to reset Windows Product Activation a maximum of three times. After the third time you run the sysprep /generalize command, the clock can no longer be reset.

When you run the sysprep /generalize command, the activation clock will automatically reset. You can bypass resetting the activation clock by using the SkipRearm setting in the Microsoft-Windows-Security-Licensing-SLC component. This enables you to run Sysprep multiple times without resetting the activation clock. For more information about this setting, see the Unattended Windows Setup Reference.

If you anticipate running Sysprep multiple times on a single computer, you must use the SkipRearm setting in the Microsoft-Windows-Security-Licensing-SLC component to postpone resetting the activation clock. Because you can reset the activation clock only three times, if you run Sysprep multiple times on a computer, you might run out of activation clock resets. Microsoft recommends that you use the SkipRearm setting if you plan on running Sysprep multiple times on a computer.

Volume License and OEM Activation Requirements
For volume licenses, activation clock reset behavior is different, depending on the type of license.

•Activation can be reset an unlimited number of times for an activated Key Management Service (KMS) clients. For non-activated KMS clients, the activation clock can be reset only up to three times, the same as a single license.
Microsoft recommends that KMS clients use the sysprep /generalize command where the value of the SkipRearm setting is equal to 1. After capturing this image, use the sysprep /generalize command where the value of the SkipRearm setting is equal to 0.

•For Multiple Activation Keys (MAK) clients, the recommendation is to install the MAK immediately before running Sysprep the last time before delivering the computer to a customer.

For OEM Activation licenses, activation is not required. OEM Activation is available only to royalty OEMs.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
HowzattAuthor Commented:
Thanks for that. I will try reset the permissions.
FYI, there is no profile being copied. They are new profiles (old farm was svr 2003, so they wont be migrated).

Re Sysprep, yes you are right there is no limit on how many times you can run sysprep, however there is an issue with sysprep & Citrix. You can only do it 2 or 3 times before Citrix will not allow any published apps or desktops to be streamed (Don't quote me on the details, it was a while ago that I came across this, but it did halt proceedings for quite a long time whilst I was looking for the solution).
HowzattAuthor Commented:
Changing permissions hasn't seemed to have changed anything
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Tony JLead Technical ArchitectCommented:
Do you have inheritance enabled and did you override the permissions? (This folder and files and all below it)?
HowzattAuthor Commented:
Tony JLead Technical ArchitectCommented:
Have you tried/can you try it with a new user?
HowzattAuthor Commented:
Just tried, same result
HowzattAuthor Commented:
Looks like it was the Default Profile that was the issue.
I came across Citrix forum about this issue and they provided a download link to a new default profile. I downloaded it and replaced over the previous default profile.

Next logon and everything seems to work perfect. During logon, the users folder is created inside the Citrix profile store and the users folder is also created inside the redirected folders store.
From here, I created a new local account (using this new default profile), I then edited the settings I want for our default profile and resaved as a new default profile and it still works.

Just out of curiosity, should there be a folder for the user inside the windows profile store also? I was assuming there would be new folders created for both Windows & Citrix profiles?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.