Chapter 15: Profiles, Policies, and Procedures


This chapter examines the different types of profiles that are available to assist in controlling and optimizing the server-based computing environment. The chapter also covers general deployment tips and guidelines for using Windows Group Policies to implement standard computing environments, and introduces the new Windows Server 2003 policy settings as well as the Group Policy Management Console (GPMC).

The last section of this chapter covers recommended best practices for using profiles and Group Policies, with the focus on SBC infrastructure as it relates to the CME case study.

User Profiles

A user profile is simply a registry hive in file format (NTuser.dat) and a set of profile folders (stored in %systemdrive%\Documents and Settings) that contain information about a specific user's environment and preference settings. Profiles include settings such as printer connections, background wallpaper, ODBC settings, MAPI settings, color schemes, shortcuts, Start menu items, desktop icons, mouse settings, folder settings, and shell folders such as My Documents. Profiles are automatically created the first time a user logs into any NT-based machine, including a Terminal Server.

NTuser.dat (the file that stores the user's registry-based preferences and configurations) is loaded by the system during logon and mapped into the registry under the subtree HKEY_CURRENT_USER. This file can be found at the root of the user's profile location, such as C:\Documents and Settings\username\NTuser.dat. The set of profile folders such as Application Data, Cookies, Desktop, and Start Menu are also located at the root of a profile location such as C:\Documents and Settings\username\Application Data. The Application Data profile folder is where applications and other system components store user data, settings, and configuration files. There are two types of profiles: local and roaming.

Local Profiles

As the name implies, a local profile is a user profile that exists on a single machine. By default, a user will employ a local profile and may have several local profiles on different machines. This type of profile is not very useful for the average user since it cannot traverse a load-balanced server farm. Local profiles lead to end-user confusion as applications and environment changes do not follow the users when they log in to different servers in the farm. For example, a user may change their background setting to green on one Terminal Server, log out, and then log back in to a different Terminal Server to find that the background is not green. This is caused by having two separate local profiles, with one on each server. Local profiles are useful for administrators or service accounts that do not need their settings to roam from one server to another.

Roaming Profiles

A roaming profile is a centrally stored version of a local profile. The profile is "roaming" in that it is copied to every computer the user logs in to as their "local" profile. There, it is utilized as a locally cached copy until the user logs out, at which point it is saved back to the central storage location for profiles. This is the primary type of profile employed in an SBC network due to the necessity of having user settings "roam" with the user. A roaming profile can also be mandatory. The corresponding files have an extension specific to the type: NTuser.dat for a roaming profile and NTuser.man for mandatory roaming. Mandatory profiles are covered more in depth in the next section.

Roaming profiles allow users to make changes to their environment. These changes are then recorded in the locally stored copy of the roaming profile. Once a user logs off, the profile changes are copied back to the network share from which it was originally loaded. This profile is then used the next time the user logs in to the SBC environment. Another item to remember with roaming profiles is that the last write wins. An example of this can be seen when a user logs in to two different machines simultaneously. They may change something in their profile in one session (such as the background color to green) and proceed to log out. They then change the background color to blue in the other session and log out. As a result, the user will end up having a blue background the next time they log in to a machine. This is due to the fact that the last logout causes the profile to be written back to the profile storage location which overwrites any previous writes.


Roaming profiles have the following advantages:

  • User-specific application settings, such as default file locations, file history, and fonts are saved to the profile.

  • Users can customize the desktop environment. They can change colors, fonts, backgrounds, desktop icons, and the Start menu.

Default limitations of roaming profiles include:

  • Profiles have no restriction on file size, which can lead to rapidly increasing disk space and network bandwidth consumption. This becomes a problem particularly when users drag large documents onto their desktop for easy access.

  • Users are not prevented from making changes that might render their environment unstable or unusable.

Although roaming profiles were designed to allow users to make changes, roaming profiles can be locked down to reduce the changes a user can make to their environment. A review of how to implement roaming profiles with Group Policy to achieve a balance between giving users sufficient rights to change what they need while maintaining control and manageability of the profiles is presented later in this chapter.

Mandatory Roaming Profiles

A mandatory roaming profile is a specific type of roaming profile that is preconfigured by an administrator and cannot be changed by the user. This type of profile has the advantage of enforcing a common interface and a standard configuration. A user can still make modifications to the desktop, Start menu, or other elements, but the changes are lost when the user logs out, as the locally stored profile is not saved back to the network share.

Mandatory roaming profiles are created by renaming the NTuser.dat file in the roaming profile to NTuser.man. Mandatory profiles should be used for kiosk environments or where users cannot be trusted to change settings related to their profiles.

Mandatory roaming profiles have the following advantages:

  • Profile size is fixed and typically small. This alleviates disk storage problems and potential network congestion.

  • Profile network traffic is cut in half since the locally cached profile is never copied back to the profile server.

  • No user settings are saved. This eliminates some help-desk calls as it prevents users from inadvertently destroying their environments. If the user has made inappropriate changes to the environment, logging out and logging back in will reset them to an original configuration.

The following are disadvantages of mandatory roaming profiles:

  • No user settings are saved. This lack of flexibility may lead to the need to create various "standard" mandatory roaming profiles to accommodate different needs.

  • User-specific application settings, such as Microsoft Outlook profile settings, are not saved with the profile. Mailbox settings need to be set each time a user logs in to the system or be configured before the profile is changed to mandatory.

Many of the same beneficial restrictions of mandatory roaming profiles can be accomplished using a standard roaming profile without compromising flexibility. For this reason, mandatory profiles are not often utilized in the SBC environment.

Profile Mechanics

Two separate roaming profile locations can be specified in an Active Directory domain. Both are configured from within the Active Directory Users and Computers administration program.

  • Terminal Server Profile Path: This profile path is used when a user logs in to a server with Terminal Services running. It is configured from the Active Directory Users and Computers administration program on the Terminal Services Profile tab, as shown in Figure 15-1. This setting is strongly recommended in an SBC environment to keep users' Terminal Server profiles separate from their standard client OS profile.

    Figure 15-1: The Terminal Server profile path

    Note

    Windows Server 2003 Active Directory environments can use Group Policy to set the Terminal Server profile path.

  • User Profile Path: This profile path is used when a user logs into a computer without Terminal Services running (such as a local workstation or laptop) or when no specific Terminal Server profile path is specified. This profile path is configured from the Active Directory Users and Computers administration program on the Profile tab, as shown in Figure 15-2.

    Figure 15-2: User Profile Path

These two profile paths are critical in setting up an optimized SBC environment, as the following example illustrates. Users located at the CME-EUR site log in to Windows 2000 Professional desktops before launching Citrix applications. They have a value for User Profile Path populated for their user accounts that points to a local server (\\frankfurtsrv\profiles\%username%). This keeps the profiles for their local workstation close to their workstation for optimal retrieval. The same users log in to MetaFrame servers that are located back at CME-CORP in Chicago, Illinois. The Terminal Services profile path for these users points to a server located in the corporate network in Chicago (\\chicagosrv\profiles\%username%). This avoids copying profiles from the Frankfurt server over the WAN links to the MetaFrame XP servers, and it avoids the user confusion that may arise from having a common profile for both the local workstation and MetaFrame XP sessions.

Profile Processing

The process that occurs when a user logs in to a Terminal Server is as follows. The Terminal Server contacts a domain controller to determine where the roaming profile is located, as specified in the Terminal Services Profile text field in the user's account. If this field is populated, the profile is copied down to a locally cached version of the profile. If the Terminal Services Profile field is left blank, the Terminal Server will look at the Profile Path text field and download that profile if it exists. If both fields are blank, the Terminal Server will use a local profile (if one already exists), or create one if it does not exist by copying settings from the Default User profile on the machine the user is logging in to. This process is illustrated in Figure 15-3.

Figure 15-3: Profile processing
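
The lookup order described above, applied to the CME profile-path layout, as an added example that is not from the book. The account records are constructed, and the property and function names (ProfilePath, TsProfilePath, Resolve-SessionProfile, Test-ProfileSeparation) are hypothetical. It flags accounts whose Terminal Server sessions would fall back to the workstation profile, share one profile with the workstation, or use a local profile.

```powershell
# Added example. Account records are constructed; property names are hypothetical
# stand-ins for the Profile tab and Terminal Services Profile tab values.
$accounts = @(
    [pscustomobject]@{ Name = 'hmueller';   ProfilePath = '\\frankfurtsrv\profiles\%username%'; TsProfilePath = '\\chicagosrv\profiles\%username%' }
    [pscustomobject]@{ Name = 'jschmidt';   ProfilePath = '\\frankfurtsrv\profiles\%username%'; TsProfilePath = '' }
    [pscustomobject]@{ Name = 'kweber';     ProfilePath = '\\chicagosrv\profiles\%username%';   TsProfilePath = '\\chicagosrv\profiles\%username%' }
    [pscustomobject]@{ Name = 'svc_backup'; ProfilePath = '';                                   TsProfilePath = '' }
)

function Expand-ProfilePath([string]$Path, [string]$User) {
    # Substitute %username%; '$' in a name is doubled so -replace treats it literally
    return $Path -ireplace '%username%', $User.Replace('$', '$$')
}

function Resolve-SessionProfile($Account, [switch]$OnTerminalServer) {
    # Order from the chapter: Terminal Server profile path (only on a Terminal
    # Server), then user profile path, then a local profile on that machine.
    if ($OnTerminalServer -and $Account.TsProfilePath) {
        $source = 'TerminalServerProfilePath'; $path = $Account.TsProfilePath
    } elseif ($Account.ProfilePath) {
        $source = 'UserProfilePath'; $path = $Account.ProfilePath
    } else {
        return [pscustomobject]@{ Source = 'Local'; Path = $null }
    }
    [pscustomobject]@{ Source = $source; Path = (Expand-ProfilePath $path $Account.Name) }
}

function Test-ProfileSeparation($Account) {
    # Compare what a Terminal Server session loads with what a workstation loads
    $ts = Resolve-SessionProfile $Account -OnTerminalServer
    $ws = Resolve-SessionProfile $Account
    $finding = if ($ts.Source -eq 'Local') {
        'local profile per server (expected only for admin or service accounts)'
    } elseif ($ts.Source -eq 'UserProfilePath') {
        'no TS profile path: workstation profile is copied to the Terminal Server'
    } elseif ($ts.Path -ieq $ws.Path) {
        'TS and workstation sessions share one profile'
    } else {
        'ok'
    }
    [pscustomobject]@{ Name = $Account.Name; TsSessionLoads = $ts.Path; Finding = $finding }
}

$accounts | ForEach-Object { Test-ProfileSeparation $_ } | Format-Table -AutoSize
```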

Home Directory

Like the profile path settings, two different home directories can be specified. Terminal Services Home Directory (shown in Figure 15-1) specifies the directory used when a user logs in to a server running Terminal Services. The Home folder (shown in Figure 15-2) specifies the user's home directory when they are not utilizing a machine with Terminal Services.

Note

The Terminal Services Home directory can be specified with Group Policy as described later in this chapter.

Windows 2000 and 2003 will default the home directory location to the user's profile if no other location is specified, causing a profile's size to swell as users store information at this location. Since a user's profile is copied across the network every time they log in to, or out of, another computer, the goal is to minimize the size of the profile. Home directories accomplish this by giving the users a location to store their personal information outside of the profile.

Note

Support for legacy applications that were not designed appropriately still may require the use of application compatibility scripts. The data from the application compatibility scripts are stored in the home directory. Chapter 13 has more information on the use of application compatibility scripts.

Home directories should be placed on network file servers that are co-located with the Terminal Servers in order to facilitate the efficient transfer of files. In relation to our case study CME Corp, we recommend creating a home directory share called "Home" on the local enterprise file server closest to the user and storing the home directories in this share.




Citrix Metaframe Access Suite for Windows Server 2003(c) The Official Guide
Citrix Access Suite 4 for Windows Server 2003: The Official Guide, Third Edition
ISBN: 0072262893
EAN: 2147483647
Year: 2003
Pages: 158
