
So- you set up Citrix User Profile Management (UPM)! Good for you! Except it’s not working… Before you rage quit the whole thing, here are a few things I check when I have issues! [Last Updated Aug 1, 2018]

UPM was a great step up from Terminal Services Roaming Profiles, but a lot of the same issues are present if you haven’t set things up right. Here are the things I verify.

  1. Far and away the most common issue I find with UPM is the folders not having the right SECURITY (NTFS) permissions. So much so that I have this memorized. Here are the permissions you need on your folder:
    1. System – Full Control
    2. Administrators – Full Control
    3. Users – Create Folders (This Folder Only)
    4. CREATOR OWNER – Full Control (Subfolders Only)
  2. Second to security permissions is SHARE permissions. (Yes, there are two places to set security on a share.)
    1. Everyone – Full Access
    2. (You can restrict this to Domain Users and Domain Computers as well; however, since you are controlling security by NTFS and delegated permissions anyway, there isn’t much point in restricting the share itself.)
  3. Is it really enabled?
    1. Remember that just setting policies is not enough- you need to actually ENABLE Profile Management within the policy as well!
    2. Check for “Enable Profile Management” under Computer\Profile Management\Basic Settings
  4. Did you include Administrators?
    1. This happens a lot- you get everything set up and launch a session only to find that your profile doesn’t save.
    2. This typically happens when you are a local machine administrator and the policy is not specifically set to include admins (it does NOT by default)
  5. Do you need a reboot for policy to apply? UPM uses COMPUTER policies. I have found every now and again that if I’m using Citrix Studio for UPM policies I need to do three things:
    1. Verify the policy is applied to the computer. I find the best way to accomplish this is to use OUs to apply rather than Delivery Groups. Not sure why, but it works. [Bonus tip: Always dedicate an OU to each Machine Catalog so you can properly separate policies.]
    2. Run gpupdate /force
    3. Reboot
  6. Placing the Store location in a Redirected Folder location such as Documents is NOT supported
    1. Microsoft forbids profile locations from participating in folder redirection and very much dislikes active replication
    2. When consulting, sometimes I am given a path that is a DFS namespace. This is only supported if it is a single server per site and can only be used in one site at a time. If you have multiple active nodes, you can end up with very bad ‘last write wins’ issues.
    3. You don’t want the store to be in the same location as documents- an errant move from an admin could remove more than just the profile during a ‘reset’
  7. What’s in the Logs?
    1. Windows Logs should be your first stop.
    2. Next- grab the UPM logs and use the UPM Log Parser from Citrix to catch issues. The default location is under Windows\System32\Logfiles, but in a non-persistent VDA environment especially, this is a bad idea as the logs would be wiped out at each reboot. Use a policy to set the location elsewhere. Citrix has some words to say on the matter here… however…
    3. Pro Tip: I recommend storing all UPM logs in a central store on the network (per datacenter) so they are easy to keep and easy to compare with one another. Don’t use the same location as the user profiles themselves if you can avoid it. You want this share to have permissions for Domain Computers and Domain Admins / Citrix Admins only. The system writes these files, not the user, so the usual Users + CREATOR OWNER combination is not required or recommended here.
    4. If you are having issues, I also recommend temporarily increasing the logging level (via policy or .ini file)
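As an added example (not code from the original post), here is a PowerShell script that audits a folder’s NTFS ACL against the four entries in step 1 and the admin-only layout the log-share tip in step 7 calls for, and applies them on request; the D:\Shares paths, the UPMProfiles$ share name and the CONTOSO group names are assumptions.

```powershell
# Added example, not code from the original post. Audits a folder's NTFS ACL against a
# list of expected ACEs and, with -Apply, replaces the ACL. Run elevated on the file
# server. Paths, the share name and the CONTOSO group names are assumptions; adjust them.
function Set-UpmFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [hashtable[]] $Entries,   # Id, Rights, Inherit, Prop per ACE
        [switch] $Apply
    )
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting from the parent
    foreach ($rule in @($acl.Access)) { [void] $acl.RemoveAccessRule($rule) }
    foreach ($e in $Entries) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $e.Id, $e.Rights, $e.Inherit, $e.Prop, 'Allow'))
    }
    $fmt = { "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.InheritanceFlags)|$($_.PropagationFlags)" }
    $wanted  = @($acl.Access | ForEach-Object $fmt)
    $current = @((Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } | ForEach-Object $fmt)
    $diff = Compare-Object -ReferenceObject $wanted -DifferenceObject $current
    if (-not $diff) { Write-Host "$Path : ACL already matches"; return }
    # '<=' is an ACE that is wanted but missing, '=>' one that is present but not wanted
    $diff | ForEach-Object { Write-Warning "$Path : $($_.SideIndicator) $($_.InputObject)" }
    if ($Apply) { Set-Acl -Path $Path -AclObject $acl; Write-Host "$Path : ACL applied" }
}

# The four ACEs from step 1, on the profile store root. 'This Folder Only' = no inheritance;
# 'Subfolders Only' = ContainerInherit + InheritOnly. (Citrix's user-store documentation uses
# 'Subfolders and files only' for CREATOR OWNER, i.e. Inherit = 'ContainerInherit,ObjectInherit'.)
$profileStoreAcl = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl';       Inherit = 'ContainerInherit,ObjectInherit'; Prop = 'None' }
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl';       Inherit = 'ContainerInherit,ObjectInherit'; Prop = 'None' }
    @{ Id = 'BUILTIN\Users';          Rights = 'CreateDirectories'; Inherit = 'None';                           Prop = 'None' }
    @{ Id = 'CREATOR OWNER';          Rights = 'FullControl';       Inherit = 'ContainerInherit';               Prop = 'InheritOnly' }
)
# Central log share from step 7: machines write, admins manage, users get nothing.
# Modify for Domain Computers is an assumption; the post names the groups, not the level.
$logShareAcl = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';      Rights = 'FullControl'; Inherit = 'ContainerInherit,ObjectInherit'; Prop = 'None' }
    @{ Id = 'CONTOSO\Domain Admins';    Rights = 'FullControl'; Inherit = 'ContainerInherit,ObjectInherit'; Prop = 'None' }
    @{ Id = 'CONTOSO\Domain Computers'; Rights = 'Modify';      Inherit = 'ContainerInherit,ObjectInherit'; Prop = 'None' }
)
Set-UpmFolderAcl -Path 'D:\Shares\UPMProfiles' -Entries $profileStoreAcl        # audit only
Set-UpmFolderAcl -Path 'D:\Shares\UPMLogs'     -Entries $logShareAcl -Apply     # audit, then fix

# Share-level permissions (step 2) live elsewhere: list them and confirm Everyone / Full is present.
Get-SmbShareAccess -Name 'UPMProfiles$' | Format-Table AccountName, AccessControlType, AccessRight
```

Run it without -Apply first; the warnings list exactly which ACEs differ from the checklist before anything is changed.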

While I’m here, I have some other general pointers:

  1. Do NOT use Active Writeback (AWB) unless you have a VERY GOOD REASON to do so. AWB not only generates a lot of I/O but it can cause some very real corruption issues if it is accessed from multiple sources (VDAs) at the same time.
  2. Use Streaming. It works. There are occasional issues when streaming does not work, however those are few and far between these days. As always- test before putting things into production!
  3. Always use Microsoft Folder redirection for every single folder they allow you to…
    1. Except for AppData (roaming) and Start Menu. For AppData, you either want to have a per-Machine Catalog path (meaning, specific to the VDAs being accessed, not shared between different ones) or just use UPM. Make sure you exclude the redirected folders from UPM processing; while typically this won’t be an issue, I have seen instances where you end up with multiple folders (GPO not applying properly, for example) and documents strewn about the datacenter. Not pretty. Similar rules go for Start Menu, though I’m finding fresh drama with this on Windows 10 and Server 2016. See CTX234144 for a description… but unfortunately the fix doesn’t always work. What I’ll say about this is that in both cases as of late I have found a more consistent experience with UPM and streaming for these folders. I don’t fully understand why, but it is something to test out!
      [updated with Start menu info on 8/1/2018]
    2. Another hot tip- if you are redirecting Downloads, consider using a different path. Remember that with Folder Redirection you can use a different path for each folder- they aren’t dependent on each other. You can do the same with high-cost/low-value folders such as ‘Videos’ to store that data in low-priority backup or slower storage paths.
  4. Exclude as much as you can. For example, if you have control over updates to software you can pretty safely exclude pretty much everything and only include those settings specifically needed for the programs running. It takes effort but ultimately the less you write, the less there is to corrupt! That and it takes much less space. As for what to exclude- that is a whole other topic. While I’m a fan of big lists, I’m a bigger fan of learning WHY- so I don’t just share those without context, because they shouldn’t always be copy-pasted! That said, a good place to start is Carl Stalhood’s list. Again, don’t just enable everything there; think about it first!
  5. Each OS has different requirements to keep in mind. Windows 10 has some pretty drastic profile differences in terms of what files and directories now need to be synchronized, mirrored and ignored altogether. If you use the same defaults for everyone, you’re probably doing it wrong and it will likely bite you later.
  6. Treat the Profile as destructible, and the Redirected Folders as indispensable, when it comes to backups.
  7. Use different paths for each Machine Catalog (or at times, per OU if there are enough differences). While this does create more work and certainly more potential for chasing down the ‘right’ profile location for a user having trouble, I have found in my years that there is less probability of issues when each catalog has its own dedicated share for Profiles. Too much of the modern profile has dependencies outside of just the registry and files within a local path. Often programs will share and it can get ugly in a hurry. Play it safe and keep them separate.


More to come on this topic at a later date! Until then, cheers!
