Monday, 9 January 2012

Walkthrough Setup Guide for Implementing Citrix Profile Management 4.0 (User Profile Manager) for a Windows 7 VDI Environment

Prerequisites
1) AD forest functional and domain functional levels of Windows 2003 native mode and above
2) A Windows 7 “Gold” image.
For complete System Requirements see http://support.citrix.com/proddocs > Technologies > Profile Management.
*The lab set-up used to illustrate this walk-through guide uses Windows 7 32-bit, Profile management 4.0, and a Windows 2008 R2 domain controller

Part A: Download and Install Profile Management on the Windows 7 “Gold” Image

1) Download Profile Management 4.0 from www.citrix.com
2) Log on to the Windows 7 “Gold” image with an administrative account, copy the downloaded PM4.0.zip to the desktop, and extract the contents
3) Double-click profilemgt4.0.0_x86.msi (the x86 installer, matching the 32-bit lab image) and run through the Setup Wizard to install:
Next >
Accept License Agreement: Next >
Choose where to install Citrix Profile management (default location = C:\Program Files\Citrix\User Profile Manager\): Next >
Install >
Finish >
Yes to restart the system

Part B: Create a Server Share

Create a share on the fileserver (for example: \\fileserver\profileManager$ )

The below is from Microsoft's 'Security Recommendations for Roaming User Profiles Shared Folders':

Minimum Required NTFS Permissions for Roaming Profile Parent Folder
Creator Owner: Full Control – Subfolders and Files Only
Administrator: None
Security group of users needing to put data on share: List Folder/Read Data, Create Folders/Append Data – This Folder Only
Everyone: No permissions
Local System: Full Control – This Folder, Subfolders and Files

Minimum Required Share level (SMB) Permissions for Roaming Profile Share
Everyone: No permissions
Security group of users needing to put data on share: Full Control

Minimum Required NTFS Permissions for Each User's Roaming Profile Folder
*If not already created, the user's Profile Management folder will automatically be created with the correct permissions
%Username%: Full Control, Owner of Folder
Local System: Full Control
Administrators: No Permissions
Everyone: No Permissions
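
Added example (not part of the original post, nor of Microsoft's or Citrix's documentation): one way to apply the parent-folder NTFS table and the share-level table above from an elevated Windows PowerShell prompt on the file server, then read the ACL back and fail on anything unexpected. The local path D:\profileManager and the group LAB\VDI-Users are assumed placeholders; the per-user folders are left for Profile Management to create, as noted above.

```powershell
# Added example. Run elevated in Windows PowerShell on the file server.
# Constructed placeholders (assumptions, not values from the post):
$Path      = 'D:\profileManager'     # local folder behind \\fileserver\profileManager$
$ShareName = 'profileManager$'
$Group     = 'LAB\VDI-Users'         # security group of users storing profiles

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share level: Full Control for the user group only. With no other /GRANT,
# Everyone gets no share permission.
net share "$ShareName=$Path" "/GRANT:$Group,FULL"
if ($LASTEXITCODE -ne 0) { throw "net share failed with exit code $LASTEXITCODE" }

# NTFS: stop inheriting from the parent, then drop every existing ACE.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

# One row per table entry: identity, rights, inheritance flags, propagation flags
$rows = @(
    @('CREATOR OWNER',       'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly'),
    @('NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'None'),
    @($Group, 'ListDirectory, CreateDirectories', 'None', 'None')   # This Folder Only
)
$type = 'System.Security.AccessControl.FileSystemAccessRule'
foreach ($r in $rows) {
    $rule = New-Object $type -ArgumentList $r[0], $r[1], $r[2], $r[3], 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Read the ACL back and fail on any ACE for an identity outside the table
# (Administrators and Everyone must not appear).
$expected = @('CREATOR OWNER', 'NT AUTHORITY\SYSTEM', $Group)
$extra = @((Get-Acl -Path $Path).Access |
    Where-Object { $expected -notcontains $_.IdentityReference.Value })
if ($extra.Count -gt 0) {
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    throw "Unexpected ACEs on $Path"
}
```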

Part C: Install Citrix Policies

1) Log on to a suitable domain controller with an account that has permission to create and edit GPOs
2) Copy PM4.0.zip to the desktop and extract the contents
3) Open up the Group Policy Management console (gpmc.msc), right-click the OU containing the Windows 7 VDI computer accounts, and select 'Create a GPO in this domain, and Link it here...'
*The GPO applies to the Computer Configuration so only needs to be linked to the OU containing the computer accounts of the VDIs
4) Give the GPO a name such as 'Citrix Profile Management' and click OK
5) Right-click the newly created GPO and choose 'Edit'
6) Expand 'Computer Configuration' > Expand 'Policies' > Right-click 'Administrative Templates' > Choose 'Add/Remove Templates...'
7) In the 'Add/Remove Templates' window:
i: Remove any pre-existing Policy Templates, then click 'Add..'
ii: Browse to the location of the extracted PM4.0.zip
iii: Navigate – via ADM_Templates – to the folder for the language of your choice (e.g. en for English)
iv: Select ctxprofile4.0.0.adm, and click Open
v: Close the 'Add/Remove Templates' window
8) Still in the 'Group Policy Management Editor' for the 'Citrix Profile Management' GPO:
Expand 'Computer Configuration' > Expand 'Policies' > Expand 'Administrative Templates' > Expand 'Classic Administrative Templates (ADM)' > Expand 'Citrix' > Expand 'Profile Management'
*Citrix > Profile Management appears under 'Classic Administrative Templates (ADM)' here because the template was installed into a Windows 2008 environment.

9) The configuration of the 'Profile Management' Policy Settings will vary from customer to customer; the below is sufficient for a working starter set-up:

Profile Management
Enable Profile management: Enabled
Processed groups: Disabled (all user groups are processed)
Process logons of local administrators: Enabled (members of local administrators group are processed by Profile Management)
Path to user store: Enabled and provide path (for example: \\fileserver\profileManager$\%username% )
Active write back: Enabled (allows settings to trickle back and forth whilst logged in)

Profile Management > Profile handling
Delete locally cached profiles on logoff: Enabled

Profile Management > Registry
Exclusion list: {Typically used to exclude registry keys if problems are encountered when using Profile Management across different Windows platforms. For a 100% Windows 7 VDI deployment, we can leave this 'Not configured'}

Profile Management > Streamed user profiles
Profile streaming: Enabled
Streamed user profile groups: Disabled (all user groups are processed)

Part D: Test

1) Create a VDI from the Windows 7 “Gold” image.
*If carrying on testing with the same Windows 7 system used in Part A, give the system an additional restart to fully apply the computer configuration policies from the 'Citrix Profile Management' GPO before proceeding with the test
2) Log on to the VDI with a user account that is to be processed by Profile Management and check that the user's folder is generated on the server share.
3) Make a few changes to the profile as desired (for example – place a file on the desktop)
4) Log off
5) Log on to another VDI (or if using non-persistent VDIs then just log back on to the VDI) to see Profile Management in action.

THE END!

Appendix: Further reading & Credits

David Fiske's video - "How to install Citrix User Profile Manager"
*This post is very much based on David's excellent video. I came, I watched, and I understood!

Profile Management 4.0: Install and setup

How to Implement and Configure the Profile Management Group Policy Settings Using the .ADM Template (and other links)

Security Recommendations for Roaming User Profiles Shared Folders

Environment with Multiple Platforms – What Types of Profiles Should I Create?

4 comments:

  1. Excellently written, straight and to the point. Have you used the template profile setting in upm? If so, how did it work for you? Also, did you disable the ini file or leave as is?

    1. Hello JP, thank you for the comment. Apologies I cannot answer your questions; this goes back a year now to when I was briefly engaged on a small 200 user VDI project, working with a specialist Citrix Consultant who did the fine tuning. My work tends to send me off on all sorts of random things, and - alas - I haven't had much to do with UPM since then. Cheers!

  2. Very helpful - thanks.

  3. Don't forget to use Citrix Profile Manager in conjunction with folder redirection or you will have the same problems as generic roaming profiles such as slow login times.
