Citrix Virtual Apps, formerly XenApp, fits the enterprise need to bring legacy apps into a cloud management environment.

Note: Refer to CTX139331  - Citrix Virtual Desktop Handbook 7.x for the latest information.

This article contains Microsoft and Citrix options for the design of user profiles in a XenApp environment.

An effective design of user profiles can make a significant difference in the performance and manageability of a XenApp environment. Many of the issues commonly seen in large or complex XenApp environments (including slow logon, loss of user settings, profile corruption, and excessive administrative effort) are often the result of sub-optimal user profile designs. A solid design and implementation of user profiles can maintain the integrity of user settings, eliminate issues requiring administrator intervention, and ensure high-performance user logon.

User Profile Background

Windows User Profiles Defined

At this point, it is useful to provide background information on the profile types available within Windows Terminal Services environments, and how they apply to Citrix XenApp. This document focuses only on Terminal Services profiles and how they relate to XenApp.
Microsoft provides several types of profiles that can be used in Windows Terminal Services/XenApp environment:

• Local Profiles

• Mandatory Profiles

• Roaming Profiles

Local Profiles are stored on each XenApp server and are initially created based on the default user profile. Therefore, a user accessing applications creates an independent profile on each server. Users are able to retain changes to their local profile on each individual server, but changes are only accessible for future sessions on that server. Local profiles require no configuration; if a user logging into a XenApp server does not have a profile path administratively defined, a local profile is used by default.

Roaming Profiles are stored in a centralized network repository for each user. Roaming profiles differ from local profiles making the information in the profile (whether it is a printer, a registry setting, or a file stored in the Documents folder) available to user sessions accessed from all XenApp servers in the environment. Configuring a user for a roaming profile requires an administrator to designate the Terminal Server Profile Path of the user to a particular location on the network. The first time the user logs onto a XenApp server, the default user profile is used to create the roaming profile of the. During logoff, the profile is copied to the administrator-specified network location.

Mandatory Profiles, sometimes called roaming mandatory profiles, are also stored in a centralized network location for each user. They differ from roaming profiles by not retaining the users’ changes at logoff. Configuring a user for a mandatory profile requires an administrator to create a mandatory profile file (NTUSER.MAN) from an existing roaming or local profile, and assign users’ Terminal Services profile path to the location where the file can be accessed.

Additional User Profile Options

In addition to these basic profile types provided by Microsoft, there are other profile options that can be applied in a XenApp environment. These include the following:

• Multiple Profiles

• Citrix User Profile Management

• Other

Multiple Profiles combine two or more of the three basic profile types (local, roaming, or mandatory) for the same user. Multiple profiles are useful in environments with application silos. For example, in a XenApp farm with two application silos serving SAP and a custom application, users can be configured to use a mandatory profile for the SAP servers and a roaming profile for the custom application servers. Multiple profiles are also useful for farms that span WAN connections, so that profiles can be accessed from local file servers instead of having to traverse the WAN. Multiple profiles can be implemented in a number of different ways, and the details of these options are discussed later in this white paper.

Citrix User Profile Management is a profile type that supersedes all other profiles for the user and is a unique type of profile. It addresses “last write wins” wins issues by only capturing the changes and recording those changes within the profile, rather than writing the entire profile at logoff. Thus, the obstruction that results from making profile changes when accessing multiple XenApp servers is minimized or eliminated.

Other third-party profile solutions exist but are beyond the scope of this document.

Analyzing Design Requirements

Now that the available profile types have been defined, it must be determined which one is right for use in a particular XenApp environment. To make the determination of the appropriate profile type, the requirements of a particular environment need to be carefully analyzed. Following are questions that need to be answered to define these requirements:

• Do users need to save their settings?

• Do applications store settings in the registry?

• How will printers be made available, and how will printer settings be handled?

• What is the farm design? Are applications streamed or segregated into application silos?

Now consider each of these questions to help determine an effective user profile design.

1. Do users need to save their settings?

User requirements and expectations play a large part in which user profile type to use. An administrator must first determine which settings need to be saved and where those settings are stored. If users need to save settings that can be stored in redirected folders, such as Documents, AppData, or other folders, then folder redirection should be considered. Folder redirection can be used with all profile types discussed in this document, and are generally recommended.

2. Do applications store settings in the registry?

If the application being deployed does not reference the HKEY_CURRENT_USER (HKCU) hive in the registry, then a mandatory profile solution can be considered. However, many applications do access this hive, so testing is required.

3. How will printers be made available, and how will printer settings be handled?

The printing requirements have an impact on the user profile design. Printers are typically enabled through logon scripts or XenApp policies; here we will only discuss the latter.

In order to enable printing, it cannot otherwise be disabled in another Terminal Services or XenApp policy. If printing will be enabled through XenApp policies, administrators can choose where to save client-side settings. Where printer properties (File > Print > Preferences > Local Settings) can be retained has a direct bearing on the type of user profile that has been configured.

In the XenApp Advanced Configuration Console (formerly Presentation Server Console), the Citrix policy named Printer properties retention should be set accordingly. Following are available options:

• Held in profile only if not saved on client (default)

• Saved on the client device only

• Retained in user profile only

4. How is the XenApp farm designed? Are applications in silos?

In farms based on multiple application silos, having roaming profiles increase the likelihood of profile setting loss due to “last write wins” issues. For example, users simultaneously accessing SAP and a custom application hosted on different servers will overwrite roaming profile settings made in the custom application session if the user logs off from the custom application session before the SAP session. This effect can therefore be termed the “last write wins” condition. Citrix User Profile Management must be considered as an alternative to roaming profiles if users experience this issue.

Design Practices

When designing your XenApp environment, once the analysis of requirements has been performed, the appropriate profile type(s) needs to be selected.

Comparing Profile Options

The following table is useful for comparing the relative benefits of each profile type when analyzing the design requirements:

Profile Type	Benefits	Disadvantages
Local Profile	Fast Logon No requirement for centralized repository for profile storage Not susceptible to corruption	Settings are inconsistent across servers and sessions Consumes local disk space
Roaming Profile	User profile accessible from any XenApp server Settings are saved across sessions	Slow login Susceptible to “last write wins” and resultant settings loss where application silos exist
Mandatory Profile	Fast Logon No settings are susceptible to loss	Settings are not saved across sessions
Multiple Profiles	Benefits of both mandatory and roaming profiles without the disadvantages of each	Potential for additional file server space requirements Complex to implement Administrative expertise and maintenance required
Citrix User Profile Management	Fast Logon Allows for the most control over settings Addresses “last write wins” issue Space requirements are minimal	Administrative effort and skills to implement and maintain

Using Active Directory Group Policies

Active Directory includes a number of group policies--including a subset of Terminal Services policies--that can be applied to a XenApp environment to optimize performance and stability. Terminal Services profiles are commonly configured within these Group Policy Object (GPO) options. Active Directory based on Windows Server 2003 SP2 and higher, as well as Windows Server 2008, allows Terminal Services mandatory profiles to be configured as a GPO.

Folder Redirection policies can be used with mandatory or roaming profiles to maintain a centralized location for specific folders and is generally recommended to exclude that data from the user profile. The folders that can be redirected are dependent upon the version of Active Directory in use. Where folder redirection is used, the AppData and Documents folders are redirected at minimum.

Without folder redirection, user data is stored within the profile. When folder redirection is enabled, user files stored in the selected folders are segregated from the user profile. As a result, user logins proceed as quickly as possible, and the impact on the profile is minimized.

For profile folders, such as Documents and Desktop, it is generally best to redirect them to the user’s home directory location, under subdirectories with the same profile folder names (such as: Desktop). Folder redirection paths can be in a UNC format (such as: \\servername\share\%username%\Desktop) or using a drive letter (such as: H:\Desktop). Use of a drive letter provides flexibility if home directories are stored across multiple file servers.

Depending on the profile solution selected, policies exist to exclude data from the user profile:

• Roaming Profile: Exclude directories in roaming profile

• Citrix User Profile Management: Registry exclusion list and File system exclusion list

In addition, deleting locally cached profiles on logoff can be configured for Microsoft profiles, as well as Citrix User Profile Management. By configuring appropriately, profiles are not cached on each XenApp server at logoff. In addition, a consistent user experience is assured and disk space is used efficiently.

Specifying Multiple Profiles

As discussed previously, a single user in a XenApp environment may be configured to use different profile types depending on the server being accessed. In a farm employing application silos, this can be useful. However, the administrative effort to configure and maintain multiple profiles needs to be weighed against the expected benefit. For example, a farm may have three different application silos and use different profile types within each silo.

The benefit of this approach is reduction in logon time and profile corruption, while maintaining the administrative benefits of application silos. Multiple profiles can be configured for users in one of several ways. The options are:

• Environment variables

• Only allow local user profile

• Terminal Services profile per application silo

These three methods are described below.

The environment variables method involves setting the users’ profile paths to a value with an environment variable, for example: %profilepath%\%username%. On each server, the %profilepath% environment variable will be created. For a farm with two application silos running Microsoft Office and Lotus Notes, the variables could be specified using the SETX utility as follows:

• Microsoft Office servers: %profilepath% = \\fileserver\office-profiles

• Lotus Notes: %profilepath% = \\fileserver\lotus-profiles

When users log on to the Microsoft Office servers, profiles are loaded from \\fileserver\office-profiles\%username% as denoted by the user profile path and the value of the environment variable on those servers. This method also allows a user to have multiple mandatory profiles, or a blend of roaming and mandatory profiles by copying a mandatory profile (NTUSER.man file) into each specified profile path for every user.

Note: When implementing persistent environment variables using the SETX utility, a reboot might be required.

The Only allow local user profiles policy prevents a user’s roaming profile from downloading, and instead creates a local profile for the user. This option is useful in situations where a multiple application silo approach is used, such as, when published applications are run within published desktops. For example, if an application silo hosting a published desktop requires a roaming profile and a secondary application silo is accessed via a pass-thru ICA connection, it may be necessary to configure this setting. The Only allow local user profile policy therefore allows a blend of roaming and local profiles to be used. In Windows Server 2003 and Windows Server 2008, this policy is available in Active Directory (under the Computer Configuration > Administrative Templates > System > User Profiles settings).

Alternatively, within Citrix User Profile Management, distinct profiles can be designated based on the Organizational Unit (OU) structure.

Finally, where application silos are designated based on computer-based OU, the Terminal Services profile per application silo can be configured accordingly. Using this technique, users can have different roaming profiles depending on the GPOs that are applied to specific servers.

The policy Set Path for TS Roaming User Profile (available under Computer Configuration > Administrative Templates > Windows Components > Terminal Services) can be specified.

An easier means of configuring multiple profiles is by means of Citrix User Profile Management. Because the profile configuration is based on Active Directory OUs, a distinct profile can be designated per application silo so long as each silo is in its own child OU.

Additional Resource
Knowledge Center Highlights: App Virtualization & VDI (July Edition)

This article contains Microsoft and Citrix options for the design of user profiles in a XenApp environment.