User Profile Best Practices
Deploying user profiles might seem easy, but once you have application silos such as:
- a Terminal Server cluster,
- a Citrix XenApp farm,
- a VMware View or Citrix XenDesktop farm,
- or a wide mix of them,
managing them can turn into a nightmare.
Let's start by explaining the different profile types you might have:
Profiles supported natively by Microsoft
Local Profile : A profile that exists only on the local computer the user works on. It is created from the Default User folder (C:\Users\Default or C:\Documents and Settings\Default User) and copies the default user registry hive (HKEY_USERS\Default).
Roaming Profile : A profile that roams/travels with the user. A network administrator is needed to configure these, as they are usually centralized on a file server. In the Active Directory Users and Computers applet, in a GPO, or in the Remote Desktop Services Profile tab you can configure the network path to each user profile. In the Terminal Server
Mandatory Profile : A profile that works the same way as a roaming profile, except that changes are not saved back when the user logs off. The NTUSER.DAT is renamed NTUSER.MAN in the profile directory.
Profile options from other vendors
Citrix User Profile Management (UPM) : A profile that roams/travels with the user. A network administrator is needed to configure these, as they are usually centralized on a file server. In the Group Policy applet you will have to create a GPO to enforce it. UPM works by 'hooking' into the WinLogon service, so it is a service you have to install on every machine you want to use it on.
Let's compare them
Profile Type | Pro | Con
--- | --- | ---
Local | Fast login. | The user experience changes on every desktop or server the user logs on to.
Mandatory | Fast login. The user experience is always the same (nothing can change between sessions). | Settings are not saved.
Roaming | The user experience is always the same everywhere the user logs on. | Slow login. Affected by "last writer wins". Corruption can happen on network loss or over a slow link.
Multiple types | You gain the pros of each profile type you use. | Complex to configure. Complex to manage afterwards.
Citrix User Profile Management (UPM) | The user experience is always the same everywhere the user logs on. Less exposed to "last writer wins", since it can load only what the user actually works on. | Slow login. A service has to be installed locally for it to work.
Planning the user profiles
Let's start with an easy decision chart:
http://www.jabea.net/img/chart1.png
Now let's do the same exercise with a Terminal Server in mind.
http://www.jabea.net/img/chart2.png
OK, now let's make that a little more complex :)
Q: What if your users use Word from SERVER1 and Excel from SERVER2 through a RemoteApp or XenApp connection, and you enable roaming profiles on the workstation?
If your users have roaming profiles, never forget that the last writer always WINS. So basically this scenario will take place:
http://www.jabea.net/img/chart3.png
The correct answer here is to disable the roaming profile on the workstation if you don't need it, or to change its network location and configure roaming only on SERVER1 and SERVER2.
In short, that becomes something like this:
http://www.jabea.net/img/chart4.png
Now, let's make that a bit more complex just for fun. What if your user logs in to your Active Directory as CONTOSO\JohnDoe on a workstation, and then opens a connection to a virtual desktop? (And that user would surely use Word/Excel on the physical computer too.)
That gives something like this:
http://www.jabea.net/img/chart5.png
or
http://www.jabea.net/img/chart6.png
At this point, this tip can come in handy: Disabling Roaming User Profiles on Certain Computers
In the end it all depends on your needs, but the best tip I can give is to keep it simple.
Application silo approach
If you use roaming profiles on multiple Terminal Servers, you can enable a dedicated profile for the users of each silo, either with SETX or with an OU-targeted GPO.
SETX lets you do that trick by setting the %profilepath% environment variable. (How to Set the Path for the All Users Profile)
Microsoft Office server: %profilepath% = \\file-server\office
Accounting server: %profilepath% = \\file-server\accounting
That would look something like this:
http://www.jabea.net/img/chart7.png
Virtual machine approach
With the success of the cloud we see private cloud solutions much more often. What are they? Often a pool of virtual machines ready for a large number of users. The difficulty is that on day 1 our user JohnDoe can log in to computer XP-1, and on day 2 to XP-34. What if on day 3 he logs in to a Windows 7 machine? Will the roaming profile be the Default User profile.v2? (Customize the default local user profile when preparing an image of Windows)
For that reason it is important to redirect My Desktop and My Documents outside the profile store (usually into the %homefolder%).
It is important to validate and redirect APPDATA too. By validating, I mean you need to sync anything that can be used by both OS versions (by script in the worst case).
If you need to synchronize something from HKEY_LOCAL_MACHINE, I suggest a reg export/import in a logon script or in a GPO (the reg import method lets you use environment variables like %username% in the batch file). Try to stay away from applications that write user settings to HKEY_LOCAL_MACHINE.
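The two recommendations above (sync the AppData pieces both OS versions can share, and carry HKEY_LOCAL_MACHINE settings across with reg export/import) can be handled by one logon/logoff script. The following is an added example written for this page, not a script from the original post; the share paths, the application name ContosoApp and its registry key are hypothetical, and it assumes the XP profile store and the Windows 7 store (Vista and later append .V2 to the roaming profile folder) live side by side on the same file server.

```powershell
# Added example (not from the original post). Assumed, hypothetical layout:
#   \\file-server\profiles\<user>      - Windows XP roaming profile store
#   \\file-server\profiles\<user>.V2   - Windows 7 roaming profile store
#   \\file-server\home\<user>          - user's home folder (holds the exported .reg file)
#   HKLM\SOFTWARE\ContosoApp           - an application that keeps per-user settings in HKLM
param(
    [Parameter(Mandatory)]
    [ValidateSet('Logon', 'Logoff')]
    [string]$Phase
)

$User      = $env:USERNAME
$StoreV1   = "\\file-server\profiles\$User"
$StoreV2   = "\\file-server\profiles\$User.V2"
$HomeShare = "\\file-server\home\$User"
$AppKey    = 'HKLM\SOFTWARE\ContosoApp'
# The .reg file itself cannot contain %username%; the per-user path is built here instead.
$RegFile   = Join-Path $HomeShare 'ContosoApp.reg'

# AppData subfolders whose on-disk format is the same on XP and Windows 7, so they
# can be mirrored between the two stores. OS-specific state (Start menu layout,
# shell settings) is deliberately left out: that is the "validate" step.
$SharedAppData = @(
    'Microsoft\Templates',    # Office templates
    'Microsoft\Signatures',   # Outlook signatures
    'Microsoft\Proof'         # custom dictionaries
)

function Sync-Folder([string]$Source, [string]$Destination) {
    if (-not (Test-Path $Source)) { return }
    New-Item -ItemType Directory -Force -Path $Destination | Out-Null
    # /E  copy subfolders (including empty ones)
    # /XO skip files that are older than the copy already at the destination
    # /R:1 /W:1 one retry, one second wait: a slow or broken link must not hang the logon
    & robocopy.exe $Source $Destination /E /XO /R:1 /W:1 /NP /NJH /NJS | Out-Null
}

function Sync-AppData {
    foreach ($sub in $SharedAppData) {
        # XP keeps roaming data under "Application Data", Windows 7 under "AppData\Roaming".
        $v1 = Join-Path $StoreV1 "Application Data\$sub"
        $v2 = Join-Path $StoreV2 "AppData\Roaming\$sub"
        # Copy in both directions with /XO, so the newest file wins regardless of
        # which OS the user logged on from last.
        Sync-Folder -Source $v1 -Destination $v2
        Sync-Folder -Source $v2 -Destination $v1
    }
}

switch ($Phase) {
    'Logon' {
        Sync-AppData
        # Writing under HKLM\SOFTWARE requires local administrator rights, so this
        # import only succeeds for admins or when the script runs from a GPO with
        # sufficient rights. That is one more reason to avoid applications that
        # store user settings in HKEY_LOCAL_MACHINE, as the post recommends.
        if (Test-Path $RegFile) {
            & reg.exe import $RegFile
        }
    }
    'Logoff' {
        # Reading HKLM needs no special rights; /y overwrites last session's export.
        & reg.exe export $AppKey $RegFile /y
        Sync-AppData
    }
}
```

Run it as `.\Sync-Profile.ps1 -Phase Logon` from the logon script and with `-Phase Logoff` from the logoff script. Because robocopy is called with /XO in both directions, the sync is "newest file wins" per file rather than "last writer wins" per profile, which is exactly the failure mode the roaming profile section warns about.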
Best practice roaming profile configuration
- Redirect My Documents and My Desktop outside of the roaming profile store.
- Configure the file server antivirus to scan on write for the profile store.
- The file server that hosts the profiles must be on the LAN, or near the servers/computers that will access it. Having a roaming profile over a slow link is a bad idea.