Oct 31 2014

I have seen where PVS targets (mainly Desktop OS) will fail to activate via KMS after booting, and/or not get the proper group policy settings.  I think this is because PVS hasn’t released the network when Windows is trying to activate/update GPO (or something along those lines).  On top of this, in my environment I have PvD and Random desktops booting off of the same vdisk image.  To fix this I created the script below, and set up a scheduled task to run at startup (using the SYSTEM account).

Note: Using this script you can do a lot more than just slmgr /ato and gpupdate /force commands.  For instance if you have an antivirus service that you just want to start if the vdisk is in standard mode… you could just add a “start-service” command (of course you’d want that service to be set to manual).  Feel free to edit however it suits your environment.

Steps to implement:

  1. Start a maintenance version of your vdisk
  2. Logon to that desktop/server
  3. Open powershell_ise, or notepad
    1. Copy the script below and paste it
    2. Edit the Test-Connection line to be the FQDN of your domain
      Example: yourdomain.com
    3. Save it (remember where you saved it) – I just save mine to the root of C:\ to keep it simple
  4. Open Task Scheduler
    1. Right click on “Task Scheduler Library” and select “Create a Basic Task”
    2. Name your task and optionally add a description and click Next
    3. On the Task Trigger screen select “When the computer starts” and click Next
    4. On the Action screen click Next (Start a program should be selected by default)
    5. On the Start a Program Screen
      1. Type the path, or browse to powershell.exe (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
      2. in the Add arguments section:
        1. -executionpolicy unrestricted -file <path to the .ps1 file you just saved>
          Example: -executionpolicy unrestricted -file c:\startup.ps1
    6. Click Next
    7. Check “Open the Properties dialog for this task when I click Finish” and click Finish
    8. On the properties page click Change User or Group
      1. In the Select User or Group box type in “system” (no quotes) in the box and hit OK
      2. You should now see “NT AUTHORITY\SYSTEM” as the user account to run as
    9. Check the Run with highest privileges box, and click OK
  5. Perform any cleanup operations you typically do, run PvD inventory (if you use PvD), and shutdown the machine
  6. Place your vdisk into Test mode, and test away
  7. When satisfied set the vdisk to production
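The same scheduled task can be registered from an elevated PowerShell prompt instead of clicking through Task Scheduler (steps 4.1 to 4.9). This is an added example, not part of the original post; it assumes the script was saved as c:\startup.ps1, and the task name is a placeholder. It also tightens the permissions on the .ps1, because a file that SYSTEM executes on every boot must not be writable by ordinary users.

```powershell
# Added example: register the startup task with schtasks.exe instead of the GUI.
# Assumes the script from this post was saved as c:\startup.ps1.
$scriptPath = 'c:\startup.ps1'
$taskName   = 'PVS-Startup'   # placeholder task name
$powershell = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$command    = "$powershell -executionpolicy unrestricted -file $scriptPath"

# /sc onstart = "When the computer starts"
# /ru SYSTEM  = run as NT AUTHORITY\SYSTEM (no password prompt)
# /rl HIGHEST = "Run with highest privileges"
# /f          = overwrite the task if it already exists
& schtasks.exe /create /tn $taskName /tr $command /sc onstart /ru SYSTEM /rl HIGHEST /f

# Show what was registered before the vdisk is sealed
& schtasks.exe /query /tn $taskName /v /fo LIST

# The task runs as SYSTEM on every boot, so only Administrators and SYSTEM may write the script.
$acl = Get-Acl -Path $scriptPath
$acl.SetAccessRuleProtection($true, $false)   # drop the inherited, more permissive C:\ rules
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $scriptPath -AclObject $acl
```

Run it once in the maintenance version of the vdisk, then continue with the cleanup and test-mode steps above.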


# Wait until the domain answers a ping, then activate Windows and refresh group policy
function startup {
    # Replace the string below with the FQDN of your domain, e.g. contoso.com
    while (-not (Test-Connection "fqdn of your domain ie: contoso.com" -Count 1 -Quiet -ErrorAction SilentlyContinue)) {
        Start-Sleep -Milliseconds 500
    }
    & cscript.exe c:\windows\system32\slmgr.vbs /ato
    & gpupdate.exe /force
}

# PVS writes the vdisk mode into c:\personality.ini; PvD records its mount point in the registry
$p = Get-Content c:\personality.ini
$r = (Get-ItemProperty registry::'HKLM\SOFTWARE\Citrix\personal vDisk\config' -ErrorAction SilentlyContinue).vhdmountpoint

# Private/maintenance mode without PvD: leave without doing anything
if (($r -eq $null) -and (($p -like "*diskmode=p*") -or ($p -like "*writecachetype=0*"))) {
    exit
}
startup

Explanation of the script:

When executed it will get the content of c:\personality.ini and the value of REG_SZ vhdmountpoint.  If personality.ini contains diskmode=p or writecachetype=0 and vhdmountpoint value is blank/non-existent it will stop the script (this indicates the vdisk is in private or maintenance mode).

PvD – value of vhdmountpoint will not be blank, so even if for whatever reason the .ini file shows the disk in private/maintenance it will go on and run the function
Shared Random – value of vhdmountpoint will be blank, but the .ini should show diskmode=s and writecachetype=something other than 0 (depends on the mode), so it will also run the function.

If the break condition is not met (indicating the disk is in shared mode) then it will run the startup function.  This function tries to ping the fqdn of your domain 1 time.  If it gets a reply it will run the activation command, and gpupdate.  If it does not, it will wait half a second and try again… over and over until it gets a reply from the fqdn of your domain.

 

Sep 18 2014

I recently ran into an issue where Citrix Profile Manager was not catching all the files from a user installed Office Add-in. I found the path to the files and they were in %localappdata%\Apps\2.0. Even if I specifically added a policy to sync that folder it still did not get every file needed for the Add-in to work. After banging my head against the wall trying to get profile manager to handle it I decided to write a logoff script to “backup” that folder to the user’s home share at logoff, and a logon script to “restore” it at logon. That worked, but it delayed logon/logoff as those files were copied to/from the user profile.

On top of that issue, I also had the need to redirect Chrome and Firefox cache directories to user home shares, as they were soon to be installed on our VDI image. Of course, you can do both without the script you are about to see (GPO in the case of Chrome, and an .ini file with Firefox). I just figured I’d kill three birds with one stone.

The answer ended up being very simple. Junction points! For those of you who may not know a junction point (aka reparse point or symbolic link) is basically a shortcut that Windows treats as a folder. A normal shortcut to “\\server\share\path” on your desktop would show that path in the address bar if you clicked on it. A symbolic link would show C:\Users\<username>\Desktop\<name of the link>. This allows you to basically “redirect” a specific folder. For those of you who have a “crappy app” that points its data to %userprofile%\AppData\<path> instead of %AppData% and prevents you from redirecting AppData this may help you as well.

Now all I need is a logon script (powershell) to create these junction points.

Requirements for this script:
1. Users must have the “Create symbolic links” right (set in GPO)

2. Users must have a Home Folder (if they don’t you could simply rewrite the script to create a folder somewhere using $env:username in the path).

Detailed explanation of what this script does:
1. Sets the location to C:\ so when it calls cmd it won’t complain about the path (assuming the script is going to run from a network share)

2. Imports a .csv file with the information
This .csv file has headers “localpath”, “homepath”, and “LorR”
localpath = the folder within local or roaming appdata. If the path is down inside somewhere make sure you include the whole path. In my case I want to get %localappdata%\Apps\2.0, so the localpath would be “Apps\2.0”
homepath = the path in the users home directory where you want the files located. Same as localpath you don’t include the entire share path… just the path you want it to create inside the share.
LorR = local or roam – so the script knows where to put the junction points.

3. For each line in the .csv file calls a function that will:
a. Decide if the path is in local or roaming appdata (LorR)
b. Create the folder structure on the user’s home folder
c. Checks if the local folder already exists. If so, checks to see if it is already a junction (which it shouldn’t be). If the path is *2.0 (path to the Office Add-ins) it moves those files to the home folder, and creates the junction. If it is anything else it deletes the folder (would be user installed chrome/firefox cache directories), and creates the junction.
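A logon script that follows the three steps just described, written here as an added example (it is not the author’s pastebin script). It assumes the user’s home share is in $env:HOMESHARE (falling back to HOMEDRIVE plus HOMEPATH), that the user holds the “Create symbolic links” right from requirement 1, and that the CSV rows below are constructed sample data standing in for Import-Csv on a real file.

```powershell
# Added example: create links from a CSV with headers localpath,homepath,LorR.

# 1. cmd.exe refuses a UNC working directory, so move to C:\ first
Set-Location C:\

# 2. Constructed sample rows; in production use Import-Csv \\server\share\junctions.csv
$rows = @'
localpath,homepath,LorR
Apps\2.0,AppData\Apps\2.0,L
Google\Chrome\User Data\Default\Cache,AppData\ChromeCache,L
Mozilla\Firefox\Profiles\cache,AppData\FirefoxCache,L
'@ | ConvertFrom-Csv

# Home folder root (assumption: HOMESHARE is set when the user has a home folder)
$homeRoot = if ($env:HOMESHARE) { $env:HOMESHARE } else { "$env:HOMEDRIVE$env:HOMEPATH" }

# 3. Work done for each row
function New-AppDataLink {
    param($Row)

    # a. local or roaming AppData
    $base   = if ($Row.LorR -eq 'R') { $env:APPDATA } else { $env:LOCALAPPDATA }
    $local  = Join-Path $base $Row.localpath
    $target = Join-Path $homeRoot $Row.homepath

    # b. folder structure on the home share
    if (-not (Test-Path -LiteralPath $target)) {
        New-Item -ItemType Directory -Path $target -Force | Out-Null
    }

    # c. existing local folder: leave a link alone, migrate the Office add-in files, discard caches
    if (Test-Path -LiteralPath $local) {
        $attrs = (Get-Item -LiteralPath $local -Force).Attributes
        if (($attrs -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            Write-Verbose "$local is already a reparse point, skipping"
            return
        }
        if ($local -like '*2.0') {
            Get-ChildItem -LiteralPath $local -Force | Move-Item -Destination $target -Force
        }
        Remove-Item -LiteralPath $local -Recurse -Force
    } else {
        # make sure the parent exists so the link can be created inside it
        $parent = Split-Path -Path $local -Parent
        if (-not (Test-Path -LiteralPath $parent)) {
            New-Item -ItemType Directory -Path $parent -Force | Out-Null
        }
    }

    # mklink is a cmd.exe built-in; /D makes a directory symbolic link, which
    # (unlike a junction, whose target must be on a local volume) can point at a UNC path
    & cmd.exe /c mklink /D "$local" "$target" | Out-Null
}

foreach ($row in $rows) { New-AppDataLink -Row $row }
```

A directory symbolic link (mklink /D) rather than a junction (mklink /J) is what the “Create symbolic links” right covers, and it is the variant that can resolve a \\server\share target. Run it with -Verbose to see which folders were already linked from a previous logon.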

After running this at logon my user now shows this in %appdata%

If I open Mozilla it shows to be local, but it is actually pointing to my home folder

 

The only “issue” I have seen thus far is Chrome will warn that the cache is on a network share the first time it is launched.

Below is the powershell script. Feel free to edit it to fit your needs, and make sure you test thoroughly before implementing into any production environment.

http://pastebin.com/vALZ8y7Y

Jun 03 2014

I am in the process of building out a new XenApp environment for a customer, and was thinking… “It would be so nice to automate the ‘Configure and run discovery’ settings”. So how do you accomplish this? I know my service desk would appreciate it!

The answer is a custom “MMC”. Below are the steps to accomplish this.

 

Part 1: Create the custom MMC

  • Open up a 32bit MMC console (universally will work better and create less stress)
    • On 32 bit OS run “mmc”
    • On 64 bit OS run “mmc /32”

  •  Click File > Add/Remove Snap-in…

  •  Select the console you are going to push out to your users and add it to the “Selected snap-ins”
    • (In my case it is going to be AppCenter)

  •  Right Click on “XenApp”
    • Select “Configure and run discovery”

  •  Select the “Skip this screen in the future” box
    • Click Next

  •  Click on Add
    • For the server, I am going to pick my two XenApp Controllers
      • Depending on your setup, and where you are publishing this, you will need to pick the correct server(s)… (setting up a load balanced VIP on your NetScaler….  hmmm….)

  •  Click Next

  •  Check the box next to “Close this wizard when discovery is successful”

  •  Change the options of your new custom MMC console
    • Click on File > Options…

  •  In my case, I want to restrict access to areas of the tree
    • I am going to select “User mode – limited access, single window”

Below is an explanation of each option:

  • Author mode
    • Enables full customization of the snap-in console, including the ability to add or remove snap-ins, create new windows, create Favorites and taskpads, and access all the options of the Customize View and Options dialog boxes. Users creating a custom console file for themselves or others typically use this mode. The resulting snap-in console is usually saved in one of the user modes in this table.
  • User mode – full access
    • The same as author mode, except that users cannot add or remove snap-ins, change snap-in console options, create Favorites, or create taskpads.
  • User mode—limited access, multiple window
    • Provides access only to those parts of the tree that were visible when the console file was saved. Users can create new windows, but cannot close any existing windows.
  • User mode – limited access, single window
    • Provides access only to those parts of the tree that were visible when the console file was saved. Users cannot create new windows.

 

  •  Now we want to save our custom MMC
    • Click File > Save As…

  •  Save it where ever you would like. I am going to save mine to c:\custom mmc\AppCenter.mmc on each of my terminal servers.

 

 

Part 2: Publish the custom MMC

This section could be done a dozen different ways. I will show you how to publish the MMC we just created as an application accessed directly from each server.

  • Select “Skip this screen in the future”
    • Click Next

  •  Enter in a Display name for your application
    • In my case I am using “Citrix AppCenter”

  •  Use the defaults
    • Application
      • Accessed from a server
        • Installed application

  •  Location to mmc.exe and the location of the custom mmc
    • Command Line:
      • c:\windows\system32\mmc.exe “c:\windows\system32\AppCenter.mmc”
    • Working directory:
      • c:\windows\system32
    • Click Next

  •  Click Add
    • Select the Servers or Worker Group that contains the servers you would like to publish the MMC to.
      • Click Next

  •  Click Add
    • Add the users that need access to the mmc
      • Click Next

  •  Go to where your Citrix management console is installed, and right click > Properties
    • Then click on “Change Icon…”

  •  Copy out the location of the .ico

  • Go back to the application you are publishing and click “Change icon…”

  • Click Browse
    • Input the location of the .ico file you just copied
      • Click OK

  •  Click Next

  •  Click Finish

You now have a management console that your admins will not have to configure for discovery!
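The publishing half (Part 2) can also be scripted with the XenApp 6.x PowerShell SDK. This is an added example and not part of the original post; it assumes the console was saved as c:\custom mmc\AppCenter.mmc on every server listed, the server names and the admin group are placeholders, and the New-XAApplication parameters are used as documented in the SDK.

```powershell
# Added example: publish the saved console with New-XAApplication instead of the wizard.
Add-PSSnapIn citrix.xenapp.commands -ErrorAction SilentlyContinue

$servers  = 'XA-SRV01', 'XA-SRV02'      # placeholder server names
$accounts = 'REVORD\Citrix_Admins'       # placeholder group that should see the console
$mmcFile  = 'c:\custom mmc\AppCenter.mmc'

$params = @{
    BrowserName           = 'Citrix AppCenter'
    DisplayName           = 'Citrix AppCenter'
    ApplicationType       = 'ServerInstalled'   # "Accessed from a server / Installed application"
    CommandLineExecutable = "c:\windows\system32\mmc.exe `"$mmcFile`""
    WorkingDirectory      = 'c:\windows\system32'
    ServerNames           = $servers
    Accounts              = $accounts
}
New-XAApplication @params

# Check the result the way AppCenter would show it
Get-XAApplicationReport -BrowserName 'Citrix AppCenter' |
    Select-Object BrowserName, CommandLineExecutable, WorkingDirectory, ServerNames, Accounts
```

The “User mode – limited access” setting only hides parts of the console tree; what the admins can actually change in the farm is still decided by XenApp delegated administration, so treat the saved .mmc as a convenience, not as an access control.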

May 30 2014

This will go over how to set up a single Access Gateway Vserver connecting to multiple domains using a single pair of Web Interface servers.  This might sound confusing at first, but in reality it’s pretty straightforward.  This article assumes that you already have some basic knowledge of how to set up NetScaler and XenApp with WI in a single domain.

Environment  (LB is not required)

  1. Pair of Netscalers v10.1 in LB config.
  2. Pair of Web Interface 5.4 Servers with LB Vserver.
  3. Two AD Forests/Domains.
  4. A few STA servers (Doesn’t matter what domain they are on)
  5. A couple XA farms in Different domains (We are using XA6.5 and XA6)

Step 1

Configure the AD policies on the NS.  There are many articles out there on how to do this.  The top two in this list are my first domain and the 3rd one is the second domain.

 

Multidomain NS Step1

Step 2

Build your Vservers for WI and XML for each domain.  It helps to have the XML servers for each farm on different ports to save IP addresses.  In this case I have three different farms specified.  The ones on ports 8888 and 8080 are on the same domain, and the XML server set up on port 80 is the second domain.  I had to create a separate IP for the second domain as my WI vserver is also using port 80.  Again, if you need help on how to build these, there are plenty of articles out there on how to do it.

 

Multidomain Step2

Step 3.

Configure the AG Vserver to hit multiple domains.  The NS will step through these in order of priority until it finds a matching username/password.  If you have the same username/password combination on both domains it will always grab the one that has the lowest priority.  In this case the top two policies hit the first domain and the 3rd one hits the second domain.

 

MultiDomain Step3

Under the Published Applications tab for the AG Vserver you need to configure some STAs.  In my case I used the first domain/farm servers for STAs.  I would make sure that all the STAs belong to the same domain/farm.  You do not need to have an STA for each domain here.

 

MultiDomain STAs

Step 4.

On the Web Interface servers configure a XenApp site for each domain, making sure to point to the XML Vservers created in Step 2.  Make sure you have each site pointing back to the respective Vserver XML LB IP/port and configure it to point to your AG Vserver.  In this case the top site is pointing to the second domain and the second site is pointing to the first domain.  For this it really doesn’t matter what domain

 

Multidomain WIConfig

 

For the Sta Config on the WI Servers I am using STA servers on the First domain even though the users are coming into the second domain.  All sites/domains should be setup with the same STA servers and they should match what your AG Vserver has configured for STA servers in Step 2.

MultiDomain WI_STA

Step 5.

Configure the AAA Policies and Profiles to hit the AG Vserver.  For this to work the AAA group name must match the AD group that the user is a member of.  In this Case the Second one down ASP_Access is my first Domain, and the one A_Access is the Second Domain.

MultiDomain Step4_1

Inside each AAA Group you have your Session policies that point to the specific URL/Domain.  Each Domain/AAA group should point back to a different Session policy

MultiDomain AAA_Config

Next we need to make sure the Session profile is pointed back to our WI Server site for that domain.  Make sure you have the corresponding  domain specified and the override global check boxes checked.  You will have to create one of these for each domain so that users from that domain hit the appropriate site.

MultiDomain AAA__ses_Profile

Step 6. Profit!!!

Once again if you have users that have the same username and password in multiple domains they will always get the lower priority domain.  If you have any questions feel free to jump on the channel and ask Splatone.

http://join.citrixirc.com

Patrick.

 

Jan 29 2014

I’m sure we are all familiar with the Shutdown Event Tracker. Hypervisor crash for “no reason”? Have a bunch of servers power down hard “by accident”? It happens to all of us. What’s annoying about this, specifically in a XenApp/RDS environment is the fact that when a regular user logs in they will see this message unless an administrator has already gone in and removed it.

Now, you could just remove it via GPO all together, but I’m not really a fan of that. I would think that this would be available for administrators only, and not regular users. The GPO supplied is a computer based GPO and does not allow that type of granularity. This is in Computer Configuration / Policies / System. As you can see it basically has no options for users.

Simple fix though. After about two seconds of troubleshooting I found that this tracker is controlled by c:\windows\system32\shutdown.exe. So, you could simply just take ownership of this file and remove users read access to this and that works fine. However, if you want to do this in some scale, you can setup a Software Restriction policy and apply it to your RDS/XenApp users. This is also pretty simple.

Drill down to User Configuration / Policies / Windows Settings / Software Restriction Policies. Go to Action and select “New Software Restriction Policy”.

This will create some new folders under Software Restriction Policies. Drill down to Additional Rules and right-click “New Path Rule”.

Simply type in the path and hit “ok”

Make sure this policy is applied only to non-admin users and not administrators. I have a large GPO that I apply to all regular users that access XenApp, so I simply applied it there. That’s about it. Now when your non-admin users log in they will not be allowed to launch shutdown.exe, which in turn will stop the Shutdown Event Tracker from appearing.

You can validate this by running a command prompt as a regular user. They should be getting this message.

Have fun!

Jan 07 2014

I’m not going to go into the details about what Multi-Stream ICA (MSI) is in this article. I assume you already have a basic understanding of what this is and you are really just here to figure out how to configure it. If you do not, a great Citrix blog about Multi-Stream ICA has been written up here. In a nutshell Multi-Stream ICA allows you to break out different portions of Citrix traffic into dedicated TCP ports. The basic breakdown is below:

Enabling this on the Citrix side is pretty easy. We need to first enable Multi-Stream in a computer policy.

 

Then we need to setup the Multi-Port Policy. In this example I’m using 2599,2600,2601 for the other ports. The Default Port is the standard 2598 port for Session Reliability.

 

MSI requires Session Reliability to be enabled, so make sure you don’t have it disabled in a Computer Policy. I like to enable it so my other engineers know for a fact that it is enabled.

This takes care of the Citrix side. Not too much configuration there. The Cisco side gets a bit more involved. You do need to have a bit of knowledge on basic Cisco configuration and more specifically, an understanding of how QOS works, in general, and specifically how Cisco QOS works. Cisco has released an article here that talks in detail about how to implement MSI in a Cisco Enterprise environment. The Cisco document calls for mapping specific DiffServ classes to each MSI priority level. This is certainly the best practice when you want this to traverse a larger network with multiple hops. I’m going to post a simple example where you have Users—–RTR1—–RTR2—–Citrix. We will be using a 5Mbps Point to Point link between the 2 routers. In this setup we are going to define the ports, and assign bandwidth values to them.

First, you want to define the port groups. I will label these with Very High, High, Medium, Low (vh, h, m, l). All configurations need to be performed on both routers.

! One extended ACL per Multi-Stream ICA port
! citrix-vh = Very High (audio), citrix-h = High (screen/keyboard/mouse)
! citrix-m = Medium and citrix-l = Low (printing, file redirection)
ip access-list extended citrix-vh
 permit tcp any eq 2599 any
!
ip access-list extended citrix-h
 permit tcp any eq 2598 any
!
ip access-list extended citrix-m
 permit tcp any eq 2600 any
!
ip access-list extended citrix-l
 permit tcp any eq 2601 any
!
Next we will define the Class-Maps.
 
! One class-map per ACL, so the policy-map below can reference each priority level by name
class-map match-any citrix-vh
 match access-group name citrix-vh
!
class-map match-any citrix-h
 match access-group name citrix-h
!
class-map match-any citrix-m
 match access-group name citrix-m
!
class-map match-any citrix-l
 match access-group name citrix-l
!

Now that the variables are defined we move on to creating a queuing policy. Let’s assume we have 20 users. My main concern here is the “high” queue. At periods of congestion I want to make sure that the Screen/Keyboard/Mouse have enough bandwidth so users can continue to work and not have service degradation. Let’s say 20 users @ 50Kbps each = 1000Kbps. That’s about 25% of a 5 meg link, however we can give it a little wiggle room, so let’s bump that up to 35% (1.7Mbps). Keep in mind that this doesn’t LIMIT the bandwidth to 35%, it can use as much bandwidth as it wants until periods of congestion (link saturation) where it’s guaranteed the 35% of the bandwidth we configure. The medium and low queues which contain printing and file redirection aren’t as critical and I will set these to use 1Mbps during congestion (25%). Lastly, is the Very High queue. In my specific environments we don’t use too much audio, therefore I have set this to 15% of the link speed.

 

Keep in mind that your numbers and percentages will vary based on your use case and your amount of bandwidth available. Do you have a lot of users upload photos? Do you print a lot of large documents? Do you use a lot of real-time audio? You will need to evaluate your specific scenario and alter this example to fit your needs. You may also have existing QOS on your link and need to integrate this configuration. We have customers using SIP/RTP for voice on most of our links and I have integrated that into my configuration. I have removed that configuration for simplicities sake.

 

Here is the configuration for my policy map.

 
! Minimum bandwidth guaranteed to each class during congestion; unused share is available to the others
policy-map CITRIX-QUEUE
 class citrix-vh
  bandwidth percent 15
 class citrix-h
  bandwidth percent 35
 class citrix-m
  bandwidth percent 25
 class citrix-l
  bandwidth percent 25
 class class-default
  fair-queue
!

After this policy-map is configured we will need to embed this into a shaping policy to make sure the percentages line up with the available bandwidth. If you do not do this, QOS will assume the link speed of the interface which is generally 100/1000 Mbps. Obviously 25% of 100Mbps is more than the 5Mbps the link speed actually is. The below configuration will shape the bandwidth at the site to 4.9Mbps then apply the queue.

 
! Shape to 4.9 Mbps so the percentages above apply to the real link speed, then queue inside that
policy-map CITRIX-SHAPE
 class class-default
  shape average 4900000
  service-policy CITRIX-QUEUE
!

After all is said and done you will need to apply this to each end of the link, on the WAN interface, in the OUTBOUND direction.

 
! Apply on the WAN-facing interface of both routers
interface FastEthernet4
 service-policy output CITRIX-SHAPE
!

Make sure your configuration is working by doing a “show policy-map interface FastEthernet4”. The first example shows citrix-vh. You will want to make sure it’s incrementing packets under the “Match” area. You may see some drops (164), but this is normal. The second snip is class-default. If you have congestion on your link you will start to see drops on this class-map. In this example we have 143878 drops. This is a 5Mbps link and QOS is working great, keeping non-critical traffic from starving my Citrix traffic.

 

Class-map: citrix-vh (match-any)
752287922 packets, 53798289807 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: access-group name citrix-vh
752287923 packets, 53798290067 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/164/0
(pkts output/bytes output) 752287754/53798175224
bandwidth 25% (1024 kbps)
 

Class-map: class-default (match-any)
315951400 packets, 75108131350 bytes
5 minute offered rate 94000 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 0/143878/0/143878
(pkts output/bytes output) 315807520/74835090017
Fair-queue: per-flow queue limit 16
 

Hope this helps you in your Citrix Multi-Stream ICA configurations. This is a pretty basic setup, but I hope this points you in the right direction to get started using this cool newish feature. I hope to write up a blog later on how this integrates with CloudBridge and how to use MSI in conjunction with that.

Apr 16 2013

Why Windows didn’t enable this feature in the built in GPOs is beyond me. Regardless, I needed a way to disable Windows Defender automatic scans to keep my hundreds of XenApp servers from running a scan at 2am and most likely crushing my storage infrastructure. So, what am I talking about here? How to disable this:

As you can see, the default GPOs do nothing for us.

So, how does this actually work? Well, when you configure this automatic scan, it creates a scheduled task, and writes a file in C:\Windows\System32\Tasks\Microsoft\Windows Defender\

Now, you can just delete the MP Scheduled Scan file, but this doesn’t remove the configuration from Windows Defender, so that won’t work. After a small bit of digging I found these registry keys in HKLM\Software\Microsoft\Windows Defender\Scan

The key in question here is “ScheduleDay” 0 = daily, and 1=Sunday, 2=Monday, etc. 8=off. So. Simple GPP configuration here to set the key to 8.

Do a GPUpdate /force and voila! It has been removed from Scheduled Tasks, the file is gone, and its configuration removed from the Windows Defender GUI.

 

Apr 03 2013

Today I got stuck publishing apps that had icons in the %windir%\System32\ folder on the XenApp server.  There are a couple ways around this but my personal favorite is to reference sysnative.

So let’s say you’re trying to publish the TS Licensing Manager; the exe only sits in the 64-bit OS path on 2008 R2

%windir%\system32\licmgr.exe

You try and fix up the icon and you get

iconbrowser bad

So to fix this we change the path to

%windir%\sysNative\licmgr.exe

and we get the icon.

iconbrowser good

For more information check out the following links:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx

http://www.brianmadden.com/blogs/videos/archive/2012/02/16/lie-to-me-using-built-in-windows-system-filter-in-virtual-desktops_2C00_-a-video-from-BriForum-2011.aspx

Apr 03 2013

So I like to have a group that can run any and all published applications so I can log in and at least smoke test them.

That’s far too much clicking for me, so PowerShell to the rescue.

Add-PSSnapIn citrix.xenapp.commands

$Groups="Revord\Citrix_Admins"

Get-XAApplication | foreach {Add-XAApplicationAccount $_.BrowserName $Groups}

Those 3 lines get Citrix_Admins into EVERY published application, not too shabby.

Lets take it a bit further, you need to add say multiple groups, but only to a folder of published applications..

No problem..

$Groups="Revord\Citrix_Admins","Revord\Domain Users"

Get-XAApplication -FolderPath "Applications\Utils" | foreach {Add-XAApplicationAccount $_.BrowserName $Groups}

So in my environment all my MMCs etc. are published in the Applications\Utils path for readability.

But wait, what was I thinking, giving domain users access to all my published utilities!

No problem we can use the same trick in reverse to rid ourselves of those extra accounts.

$Groups="Revord\Domain Users"

Get-XAApplication -FolderPath "Applications\Util-Servers" | foreach {Remove-XAApplicationAccount $_.BrowserName $Groups}

Now there is a neat glitch: if you run these PowerShell commands with an actively running AppCenter you’ll need to select Applications and hit F5 to refresh to actually see that your changes did take effect.
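Before (and after) a bulk Add or Remove like the ones above it is worth listing which published applications actually grant a given account. The function below is an added example, not from the post; it assumes the XenApp 6.x SDK, and reads the Accounts property returned by Get-XAApplicationReport and its AccountDisplayName field as the SDK documents them.

```powershell
# Added example: audit which published applications grant an account.
Add-PSSnapIn citrix.xenapp.commands -ErrorAction SilentlyContinue

function Get-XAApplicationsForAccount {
    param(
        [Parameter(Mandatory = $true)][string]$Account,   # e.g. "Revord\Domain Users"
        [string]$FolderPath                                # optional, e.g. "Applications\Utils"
    )
    $apps = if ($FolderPath) { Get-XAApplication -FolderPath $FolderPath } else { Get-XAApplication }
    foreach ($app in $apps) {
        # the report object carries the full application definition, including its accounts
        $report = Get-XAApplicationReport -BrowserName $app.BrowserName
        $match  = $report.Accounts | Where-Object { $_.AccountDisplayName -eq $Account }
        if ($match) {
            New-Object PSObject -Property @{
                BrowserName = $app.BrowserName
                FolderPath  = $app.FolderPath
                Account     = $Account
            }
        }
    }
}

# Which utilities did Domain Users end up in after the second command above?
Get-XAApplicationsForAccount -Account 'Revord\Domain Users' -FolderPath 'Applications\Utils' |
    Format-Table BrowserName, FolderPath -AutoSize
```

Run it once before the Remove-XAApplicationAccount loop and once after; the second run should return nothing for that folder.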

 

Enjoy!

Ryan

Feb 18 2013

Profile Optimization and “How do I speed up login times?” generally go hand-in-hand. These have to be two of the most important and most talked about items when it comes to delivering XenApp desktops. There are lot of different philosophies and strategies with regards to this, and in this article I’ll simply talk about what I have implemented in my environment. I have gone through extensive testing, tracing, logging, and analyzing of my settings and will show you what has worked for me. You can use some of these techniques to troubleshoot your own environment and see if you can get some gain in yours.

To start, I have leveraged many whitepapers, blogs, and Citrix KBs to generate my settings. I’d like to give credit where credit is due. First the Citrix XenApp and XenDesktop Policy Planning Guide was a good resource and baseline for everything. Second, this Citrix blog about Citrix Profile Management had a lot of great information. Also, CitrixIRC, of course, has been a great reference to talk things through with a bunch of great Citrix Admins. Join our chat at http://join.citrixirc.com. I have also read many other things on these topics, but I don’t recall them well enough to cite them.

Let’s get the framework in perspective here. I work for a Citrix CSP (Citrix Service Provider) and we currently have a couple dozen farms, mostly in the SMB space (<250 users). I don’t do any enterprise work, so my tools and tricks are built around an SMB mindset. I use Citrix Profile Manager and GPOs, exclusively. I do not use any other third party tools to manage my profiles. I try to keep my environments simple enough for our other admins to be able to manage them. I think that if you can configure and test these tools properly they can do the job well enough to not need additional cost factors in our environments.

That being said, let’s start with Folder Redirection! Simply put, I redirect everything, except for AppData, utilizing GPOs. I manipulate AppData with UPM and we will talk about that later. Redirecting everything keeps it out of the profile and keeps the profile small. Simple enough.

Folder redirection isn’t the only culprit for large profiles. There are other commonly used programs that keep crap in the profile. I use GPOs to redirect these items as well. Outlook PST and OST files. Download the Office admx templates and USE THEM. “Microsoft Outlook 2010/Miscellaneous/PST Settings”. I set “Default location for PST/OST files” to a network drive. Well, I’m not using cached mode you say? Other things are stored in PST files as well, such as SharePoint Lists, so keep this in mind. AutoArchive? This will create a PST also, so if you are using this, you will want to make sure PST/OST files are moved. AutoRecover files are also stored in the profile. You can redirect Excel and Word Autorecover using the same admx templates.

How about Evernote? A lot of my users use Evernote, and by default the database is stored in AppData\Roaming. I redirect this to a network drive with a GPP Registry key: “HKCU\Software\Evernote\Evernote” REG_SZ “DatabasePath”. I have seen very large databases and this is a good tweak to keep the profiles small.

Let’s talk AppData. First, I use UPM to exclude AppData\Local and AppData\LocalLow at the root. I keep AppData\Roaming in the users profile mainly for the performance implications of this being redirected on a large scale. However, I use the UPM to exclude a bunch of directories to keep it as small as possible. I will attach my UPM GPO for you to look at these settings in more depth. I exclude about 12 directories from AppData\Roaming that were gathered from the various best practices documents. Using Chrome? Chrome keeps all of its settings in AppData\Local. Shame on you, Google! With UPM, this is no problem. I do 2 things with Chrome. First, I include AppData\Local\Google in Synchronization. Second, I exclude AppData\Local\Google\Chrome\User Data\Default\Cache, Cached Theme Images, and JumpListIcons. This allows my users’ Chrome settings to save, but excludes the not-needed bloat directories.

Don’t forget the cookies! I have written another blog here on that. Read it!

How about the rest of the UPM settings? Again, I’m going to attach my UPM policy in here somewhere, but we can run through the basic settings. I delete cached copies of local profiles. We always want to load a fresh profile each time. This will lower profile corruptions. How about profile streaming and active writeback? Well, I turn these off. Most people will say that’s dumb, and those are great features, and you should keep those on. Well, I can see how these are great features, but again, I’m tuning these settings for my environments. With the tweaks I am implementing I have an average profile size of 30meg. The profile itself can load in less than 1 second on a gigabit network, so I’m not too concerned about this. These settings are nice for larger setups, but in my environment I’ll keep it as simple as possible.

Did you use the 2008 R2 Optimization Guide for XenApp 6/6.5? Then don’t forget this blog post about one of the settings you need to change if you are using UPM. Without changing it, UPM times out a lot and slows logon/logoff processing.

Don’t forget to exclude all of the unneeded folders inside the profile as well. This is done with a GPO.

When all is said and done, here is what my profile looks like. Of course, this is a test user, but it is a great foundation to build user profiles on. Notice that there are no folders in it except Windows and AppData.

Do you already have an environment built and would like to apply these settings? I certainly did. I wrote a script that goes through the Profile Store and deletes the bloat from users’ existing profiles. You can check out that script here. It’s PowerShell, so have fun. I had users with 1 GB profiles and was able to bring them down to 30 to 60 MB in our internal environment. Note that it must be run from the Profile Store directory.
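The audit-and-cleanup below is an added example, not the author’s linked script, written to show how the exclusions discussed above (drop AppData\Local and AppData\LocalLow, keep AppData\Local\Google, drop Chrome’s cache folders) translate into a pass over an existing profile store. Everything about the store layout is an assumption: the store root you pass in, UPM’s default UPM_Profile subfolder name, and the exclusion list, which is only a starting point rather than Citrix’s full recommended list. It reports the largest folders under AppData for each profile so you can spot new candidates, and deletes nothing unless you omit -WhatIf.

```powershell
<#
  Added example, not the author's linked script. Audits a UPM profile store
  for bloat and, unless run with -WhatIf, deletes the folders listed in
  $Exclude while sparing anything under $Keep, mirroring the post's
  "exclude AppData\Local but synchronize AppData\Local\Google" arrangement.
  Assumptions not taken from the post: the store root path, UPM's default
  UPM_Profile subfolder, and the exclusion list (a starting point only).
  Run from an account with full control on the store, e.g.:
    .\Clean-UpmStore.ps1 -StoreRoot \\fs01\UPMStore -WhatIf
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$StoreRoot,                                   # e.g. \\fs01\UPMStore (assumed path)
    [string]$ProfileFolder = 'UPM_Profile',               # UPM's default profile subfolder
    [string[]]$Exclude = @(                               # relative to the profile root
        'AppData\Local',
        'AppData\LocalLow',
        'AppData\Local\Google\Chrome\User Data\Default\Cache',
        'AppData\Local\Google\Chrome\User Data\Default\Cached Theme Images',
        'AppData\Local\Google\Chrome\User Data\Default\JumpListIcons'
    ),
    [string[]]$Keep = @('AppData\Local\Google'),          # synchronized in the post; never removed wholesale
    [int]$Top = 8                                         # largest folders to report per profile
)

function Get-FolderSizeMB([string]$Path) {
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if (-not $sum) { return 0 }
    [math]::Round($sum / 1MB, 1)
}

# Removes $Rel beneath $ProfilePath. If a $Keep entry lives under $Rel, it descends
# and removes only the siblings of the kept subtree. -WhatIf propagates to Remove-Item.
function Remove-Bloat([string]$ProfilePath, [string]$Rel) {
    if ($Keep -contains $Rel) { return }
    $target = Join-Path $ProfilePath $Rel
    if (-not (Test-Path -LiteralPath $target)) { return }

    $keptBelow = @($Keep | Where-Object { $_.StartsWith("$Rel\", [System.StringComparison]::OrdinalIgnoreCase) })
    if ($keptBelow.Count -eq 0) {
        Remove-Item -LiteralPath $target -Recurse -Force -ErrorAction SilentlyContinue
        return
    }
    foreach ($child in Get-ChildItem -LiteralPath $target -Force -ErrorAction SilentlyContinue) {
        if ($child.PSIsContainer) {
            Remove-Bloat -ProfilePath $ProfilePath -Rel (Join-Path $Rel $child.Name)
        } else {
            Remove-Item -LiteralPath $child.FullName -Force -ErrorAction SilentlyContinue
        }
    }
}

foreach ($userDir in Get-ChildItem -LiteralPath $StoreRoot -Directory) {
    $profilePath = Join-Path $userDir.FullName $ProfileFolder
    if (-not (Test-Path -LiteralPath $profilePath)) { continue }

    $before = Get-FolderSizeMB $profilePath
    Write-Host ("`n{0}: {1} MB before cleanup" -f $userDir.Name, $before)

    # The usual suspects live under AppData; list the biggest folders so new exclusions can be spotted.
    foreach ($area in 'AppData\Local', 'AppData\Roaming') {
        $areaPath = Join-Path $profilePath $area
        if (-not (Test-Path -LiteralPath $areaPath)) { continue }
        Get-ChildItem -LiteralPath $areaPath -Directory -Force -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Folder = "$area\$($_.Name)"; MB = Get-FolderSizeMB $_.FullName } } |
            Sort-Object MB -Descending | Select-Object -First $Top |
            Format-Table -AutoSize | Out-String | Write-Host
    }

    foreach ($rel in $Exclude) { Remove-Bloat -ProfilePath $profilePath -Rel $rel }

    if (-not $WhatIfPreference) {
        Write-Host ("{0}: {1} MB -> {2} MB after cleanup" -f $userDir.Name, $before, (Get-FolderSizeMB $profilePath))
    }
}
```

Run it with -WhatIf first and read the per-profile size table before letting it delete anything; a folder that shows up large for many users but is not on the list is exactly the kind of thing to add to the UPM exclusion GPO rather than to clean up by hand every few months. Deleting from the store only affects the next logon, since UPM copies the store to the local profile at logon and writes it back at logoff.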

One setting that works for me, but will require testing in your environment, is the GPO “Always wait for the network at computer startup and logon”. I gained about 13 seconds on my logon times when I disabled it. Your mileage may vary: with it disabled, policy is applied asynchronously, so settings that need synchronous foreground processing (folder redirection, software installation) can take an extra logon to appear.

Are you using Group Policy Preferences (GPP) for shortcuts, printers and such? I did a lot of GPP tracing to analyze these mappings and found the following to hold in my environments. If you create GPP shortcut items with the action set to Update, each item takes about 200 ms to process at every logon. If you have 60 shortcuts between the Start menu and the desktop, that’s 12 seconds right there, which is not a short amount of time. Setting the action to Create brings this down to about 5 ms per item per logon. You can switch an item back to Update if you actually need to change it in the future, because Create does nothing once the item already exists. I gained another 15 seconds on my logons when I changed all of my GPP shortcuts to Create. The same basic numbers appear to apply to printers too; however, I have not traced them to get exact numbers yet.
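To see how many items in a domain are still on the default Update action, the script below (an added example, not from the post) walks SYSVOL, parses every GPP Shortcuts.xml and Printers.xml, and lists each item with its action. GPP stores the action as a one-letter attribute (C, R, U, D for Create, Replace, Update, Delete) on the item’s Properties element, and an absent attribute means Update. It assumes the current user’s domain (override with -Domain), the standard SYSVOL\<domain>\Policies layout, and, only for the closing estimate, the per-item costs measured above (about 200 ms per Update item and 5 ms per Create item), which are one environment’s numbers and should be re-measured in yours. Resolving GUIDs to GPO names needs the GroupPolicy RSAT module; without it the GUID folder name is shown. It is read-only.

```powershell
<#
  Added example, not from the post. Read-only audit of Group Policy Preferences
  Shortcuts.xml and Printers.xml files in SYSVOL, listing each item's Action and
  estimating what switching Update items to Create would save per logon.
  Assumptions: the current user's domain (override with -Domain), the standard
  SYSVOL\<domain>\Policies layout, and the post's own measurements of roughly
  200 ms per Update item and 5 ms per Create item (one environment's numbers).
#>
param(
    [string]$Domain   = $env:USERDNSDOMAIN,
    [double]$UpdateMs = 200,
    [double]$CreateMs = 5
)

$policiesPath = "\\$Domain\SYSVOL\$Domain\Policies"
# GPP stores the action as a single letter on the <Properties> element.
$actionName = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

# Optional GUID -> display name map; falls back to the GUID when RSAT is absent.
$gpoNames = @{}
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    Get-GPO -All -Domain $Domain | ForEach-Object { $gpoNames["{$($_.Id)}".ToUpper()] = $_.DisplayName }
}

$items = foreach ($file in Get-ChildItem -Path $policiesPath -Recurse -Include 'Shortcuts.xml', 'Printers.xml' -ErrorAction SilentlyContinue) {
    # The GPO's GUID is the folder directly under Policies\
    $guid = ($file.FullName -split '\\' | Where-Object { $_ -match '^\{[0-9A-Fa-f-]+\}$' } | Select-Object -First 1).ToUpper()
    [xml]$xml = Get-Content -LiteralPath $file.FullName -Raw

    # Each preference item (Shortcut, SharedPrinter, LocalPrinter, PortPrinter) is a child of the root;
    # its settings, including the action, sit in the nested <Properties> element.
    foreach ($node in $xml.DocumentElement.ChildNodes) {
        if ($node.NodeType -ne 'Element') { continue }
        $props = $node.SelectSingleNode('Properties')
        if (-not $props) { continue }
        $code = $props.GetAttribute('action')
        if (-not $code) { $code = 'U' }    # an absent attribute means the default, Update
        [pscustomobject]@{
            GPO    = if ($gpoNames.ContainsKey($guid)) { $gpoNames[$guid] } else { $guid }
            Side   = if ($file.FullName -match '\\User\\Preferences\\') { 'User' } else { 'Machine' }
            Type   = $node.LocalName
            Name   = $node.GetAttribute('name')
            Action = $actionName[$code]
        }
    }
}

$items | Sort-Object GPO, Side, Type, Name | Format-Table -AutoSize

$updateCount  = @($items | Where-Object { $_.Action -eq 'Update' }).Count
$secondsSaved = [math]::Round($updateCount * ($UpdateMs - $CreateMs) / 1000, 1)
"{0} item(s) use Update; changing them to Create saves roughly {1} s per logon at the post's measured costs." -f $updateCount, $secondsSaved
```

The estimate counts every Update item in the domain, so it is an upper bound; a given user only processes the items in GPOs linked to them and passing item-level targeting. Before flipping an item to Create, check whether anyone relies on it being re-applied (for example a shortcut whose target path changes when an application is upgraded), because Create leaves an existing item untouched.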

Logon times have a lot to do with how many GPOs you have in your environment. Remember these tips. Always prefer fewer, larger GPOs over many small ones: each GPO has a fixed base processing cost that can be avoided by consolidating GPOs into one larger one. Make sure you disable the Computer or User side of a GPO if you aren’t using it. This lowers logon time by a second or so per GPO.
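Finding the GPOs whose unused side is still enabled is easy to script. The example below is added here and is not from the post: it uses the GroupPolicy RSAT module’s Get-GPO, which exposes each side’s AD version number (DSVersion, incremented on every edit of that side; 0 means nothing was ever configured there) and whether that side is enabled. It reports by default and, with -Fix, sets GpoStatus so the empty side is disabled without re-enabling a side that was already turned off. It assumes RSAT is installed and that you have rights to read (and with -Fix, edit) the domain’s GPOs.

```powershell
<#
  Added example, not from the post. Finds GPOs with an enabled Computer or User
  side that has never been edited (its AD version number is still 0), so every
  client processes an empty side at boot or logon. Reports by default; -Fix
  disables the unused side via GpoStatus, preserving any side already disabled.
  Assumes the GroupPolicy RSAT module and rights to read/edit the domain's GPOs.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Fix)

Import-Module GroupPolicy

$findings = foreach ($gpo in Get-GPO -All) {
    # DSVersion is bumped on every edit of that side; 0 means nothing was ever configured there.
    $emptyComputer = ($gpo.Computer.DSVersion -eq 0 -and $gpo.Computer.Enabled)
    $emptyUser     = ($gpo.User.DSVersion     -eq 0 -and $gpo.User.Enabled)
    if (-not ($emptyComputer -or $emptyUser)) { continue }

    $unused = if ($emptyComputer -and $emptyUser) { 'Both' } elseif ($emptyComputer) { 'Computer' } else { 'User' }

    # Work out the target GpoStatus from what should be off after the fix, so a side
    # that is already disabled is not switched back on by the assignment below.
    $disableComputer = $emptyComputer -or -not $gpo.Computer.Enabled
    $disableUser     = $emptyUser     -or -not $gpo.User.Enabled
    $newStatus = if ($disableComputer -and $disableUser) { 'AllSettingsDisabled' }
                 elseif ($disableComputer)               { 'ComputerSettingsDisabled' }
                 else                                    { 'UserSettingsDisabled' }

    [pscustomobject]@{
        GPO        = $gpo.DisplayName
        Status     = $gpo.GpoStatus
        UnusedSide = $unused
        NewStatus  = $newStatus
        Note       = if ($unused -eq 'Both') { 'no settings at all: consider unlinking' } else { '' }
    }

    if ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName, "Set GpoStatus to $newStatus")) {
        $gpo.GpoStatus = $newStatus   # assignment writes straight back to the GPO in AD
    }
}

$findings | Sort-Object GPO | Format-Table -AutoSize
"{0} GPO(s) have an enabled side with no settings." -f @($findings).Count
```

Run it without -Fix first, and with -Fix -WhatIf to see exactly which GPOs would change. A GPO flagged as Both carries no settings at all; disabling it removes the processing cost, but unlinking or deleting it is the real cleanup. Consolidating many small GPOs into fewer larger ones, as the paragraph above recommends, is a manual design exercise that no script should do for you.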

So, what did I use to troubleshoot all of these things? I do curse Microsoft for getting rid of userenv.log detailed logging; nothing works quite as well. UPM logging is a really good place to start, however. You can turn it on in the UPM policy GPO and parse the logs with the UPM Log Parser. You should also be using gpsvc.log. You can set that up using this blog. Don’t forget to create the “usermode” directory under %windir%\debug if it doesn’t exist, or the log won’t be written. You can also turn on GPP tracing in a GPO under Computer Configuration\Policies\Administrative Templates\System\Group Policy\Logging and Tracing. Turn these on and enable tracing to get detailed information on your GPP items. Some people like to use Policy Reporter to go through the logs. It’s a nice tool, but I just read the logs manually.
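Since the post defers the gpsvc.log setup to a separate blog, here is an added example (not from the post) that does it in PowerShell. The registry location and value are Microsoft’s documented ones for Group Policy service debug logging, and the script creates the usermode directory first because, as noted above, nothing is written if it is missing. Run it elevated on the machine you are tracing; -Off removes the value again so the logging does not stay on in production.

```powershell
<#
  Added example, not from the post. Enables (or with -Off, disables) Group
  Policy service debug logging to %windir%\debug\usermode\gpsvc.log. The
  registry key and value are Microsoft's documented ones. Run elevated.
#>
[CmdletBinding()]
param([switch]$Off)

$key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$value  = 'GPSvcDebugLevel'
$logDir = Join-Path $env:windir 'debug\usermode'
$log    = Join-Path $logDir 'gpsvc.log'

if ($Off) {
    Remove-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue
    "GPSvc logging disabled; $log is left in place for review."
    return
}

# The service will not create this directory itself; without it no log appears.
if (-not (Test-Path -LiteralPath $logDir)) {
    New-Item -ItemType Directory -Path $logDir | Out-Null
}
if (-not (Test-Path -LiteralPath $key)) {
    New-Item -Path $key -Force | Out-Null
}

# 0x30002 = verbose Group Policy service logging
Set-ItemProperty -Path $key -Name $value -Value 0x30002 -Type DWord

# Trigger a refresh so the log starts filling; a user logon produces the ProcessGPOs(User) section.
gpupdate /force | Out-Null

if (Test-Path -LiteralPath $log) {
    "Logging to $log ({0} KB so far)." -f [math]::Round((Get-Item -LiteralPath $log).Length / 1KB)
} else {
    "Value set; $log will be written by the next policy refresh or logon."
}
```

Log a single test user’s logon rather than a busy server, otherwise the interleaved sessions make the timestamps hard to follow. The log grows quickly at this level, so turn it off again with -Off when you are done.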

Using all of the tips and tricks above, I was able to get my test user in my test environment to log on in about 9 seconds on the third logon. Obviously the first two logons are a tad slower as the profile is built from scratch and some other scripts in my environment run. Keep in mind that’s a bare environment, and your mileage will vary here as well. In my internal environment I was able to speed logons up from around 75 seconds to 23 seconds, and that environment has about 847 GPOs and isn’t optimized at all. In my customer-facing CSP environments I have seen about a 75% improvement in logon time where I have implemented these changes.

My detailed UPM policy is here.