About this Guide/Help
This guide presents a practical approach to profile management using AppSense Environment Manager in conjunction with Microsoft mandatory profiles.
AppSense takes no responsibility for changes made to corporate systems based on recommendations made in this document.
Profile Management
Consistent yet contextual user environment
AppSense Environment Manager is a component of the AppSense Management Suite that provides consistent and contextual user environments across multiple application delivery mechanisms through management of user profiles. Whether users get their applications via desktop installation, publishing, virtual desktops, blade PC or streaming, AppSense Environment Manager ensures a consistent experience from a centralized management console.
Key Benefits
Quick and easy profile creation and maintenance
Combines company policy (mandatory profile) and flexibility (contextual personalization)
Central storage of profile information reduces risk of corruption
Profile size reduced hence logon / off times reduced
Profile stability maximized
Contents
Introduction
Profile Management Process
1. Create a mandatory profile
   (A) - Prepare the profile
   (B) - Copy the profile to a shared folder
   (C) - Strip out user specific settings
   (D) - Assign the mandatory profile to users
2 - Redirect Folders
3 - File & folder manipulation
4 - Registry key manipulation
   Registry Hiving
   Registry Key and Value setting
Profile State Emulation
Migrating settings from a Roaming Profile to use the Environment Manager solution
Conclusion
Introduction
On computers running Microsoft Windows Operating Systems, user profiles automatically create and maintain the desktop settings for each user's work environment on the local computer. Administrators can elect to make use of the local user profile that is created the first time a user logs on to a computer and is stored on the computer's local hard disk. Any changes made to the local user profile are specific to the computer on which the changes were made and are not reflected on any other computer that user logs on to.
This personalization can be extended to the wider enterprise by making use of a roaming profile, where the profile is stored centrally on a file server, copied to the workstation at logon and then copied back out to the file server at logoff. The advantage of this is that user settings follow the user to any computer they have the ability to log on to and hence the user always has a consistent desktop. However, roaming profiles can easily grow to 100s of MBs in size, which in itself presents several issues to the enterprise, including huge performance degradation and heavy network utilization. If an organization delivers application content via a Terminal Server environment then these issues can be compounded further due to differing servers delivering different types of applications. This can cause simultaneous attempts to write profile settings out to the file server, leading to potential contention in file overwriting, with a worst case scenario being roaming profiles becoming corrupt.
Another type of profile available for administrators to deploy is a mandatory profile. A mandatory profile is a profile that is configured so that the user cannot save any changes made to the settings contained in the profile at logoff; in essence, a read-only roaming profile. Mandatory profiles are fast to load, easy to manage and cannot be corrupted.
However, the major disadvantage is that no personal user settings are retained at logoff and hence user specific changes to their desktop environment are not preserved between sessions. Folder redirection can be used to help resolve the personalization issues when using mandatory profiles, but default Windows methods are limited and do not offer support for personalized registry settings to be redirected or saved. This document offers an example of how AppSense Environment Manager can be used to manage profiles effectively within a Microsoft Windows Server 2003 Terminal Services environment. In this example we will assume the organization has configured a Windows Server 2003 Active Directory domain.
Two optional steps include:
Profile state emulation to offer support for certificates when using mandatory profiles
Migrating roaming profile settings to use the AppSense Environment Manager solution
The Active Setup settings are located in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
and
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components
For further information, please see http://support.microsoft.com/kb/238441.
3) On a server that has all the applications installed
This ensures that the mandatory profile contains as many application settings as possible, although it will increase the size of the profile and could increase network utilization and user logon times.
In this example we shall use method (1).
Under Permitted to use, click Change and add Authenticated Users and click OK. On the Terminal Server, navigate to the shared folder that contains the profile that has been copied. Rename the file Ntuser.dat to Ntuser.man. Finally, ensure the ownership of all the files and folders in the <mandatory profile> folder belongs to the Administrators group and not the Administrator user. Failure to do this can result in permissions problems when users attempt to access the mandatory profile at logon.
Click OK. Log on to the Terminal Server using the account to which you have assigned the mandatory profile and ensure the mandatory profile has been applied correctly.
Note: We have just set up the user account to access the mandatory profile from a network share. As the user will be accessing the file from a remote location, this may slow down the user logon process and increase network utilization. To resolve these issues, it is recommended you copy the Ntuser.man file from the network share and store it locally on each Terminal Server that users will be logging on to. This can be done manually, using a 3rd party deployment mechanism such as SMS, or by using an AppSense Environment Manager Computer | Startup file copy action. Using Environment Manager to achieve this results in a single point of control for maintenance of the profile. The Profile Path within Active Directory Users and Computers can then be changed to point to the local copy of Ntuser.man. As a final note, you will need to ensure that any version control mechanism (for the profile) is fully aware of the local copy of the profile, so that whenever changes to the mandatory profile are made centrally, the deployment mechanism of choice is made aware of them and the updated profile is propagated down to the client machines appropriately.
Note: It is also recommended that the following Group Policy setting be enabled to delete users' cached profiles at logoff:
This will ensure that each loaded user profile, for example C:\Documents and Settings\User, is removed at logoff, cleaning up your computer(s).
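The points made above (hive renamed to Ntuser.man, ownership held by the Administrators group, local copies kept in step with the central profile) can be audited with a short script. This is an added example, not part of the original guide or of Environment Manager; both paths are placeholders and the function names are hypothetical.

```powershell
# Added example: audit a mandatory profile folder and its local copy.
# $CentralProfile and $LocalProfile are placeholder paths (assumptions).
param(
    [string]$CentralProfile = '\\fileserver\profiles\mandatory',
    [string]$LocalProfile   = 'C:\Profiles\mandatory'
)

# Well-known SID of the built-in Administrators group. Comparing SIDs avoids
# relying on the (localized) group name.
$AdministratorsSid = 'S-1-5-32-544'

function Test-MandatoryProfile {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { "Profile folder $Path not found"; return }

    # The hive must have been renamed: Ntuser.man present, Ntuser.dat gone.
    if (-not (Test-Path -LiteralPath (Join-Path $Path 'Ntuser.man'))) {
        "Ntuser.man not found in $Path"
    }
    if (Test-Path -LiteralPath (Join-Path $Path 'Ntuser.dat')) {
        "Ntuser.dat still present in $Path (hive was not renamed)"
    }

    # Every file and folder, including hidden ones, should be owned by the
    # Administrators group rather than an individual account.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl   = Get-Acl -LiteralPath $item.FullName
        $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        if ($owner.Value -ne $AdministratorsSid) {
            "Owner of $($item.FullName) is $($acl.Owner), expected the Administrators group"
        }
    }
}

function Test-ProfileDrift {
    param([string]$Central, [string]$Local)

    # A local Ntuser.man that differs from the central copy means an update
    # made centrally was not propagated to this server.
    $centralHash = (Get-FileHash -LiteralPath (Join-Path $Central 'Ntuser.man') -Algorithm SHA256).Hash
    $localHash   = (Get-FileHash -LiteralPath (Join-Path $Local 'Ntuser.man') -Algorithm SHA256).Hash
    if ($centralHash -ne $localHash) {
        "Local Ntuser.man on $env:COMPUTERNAME differs from the central copy"
    }
}

$findings = @(Test-MandatoryProfile -Path $CentralProfile)
$haveBoth = (Test-Path -LiteralPath (Join-Path $CentralProfile 'Ntuser.man')) -and
            (Test-Path -LiteralPath (Join-Path $LocalProfile 'Ntuser.man'))
if (Test-Path -LiteralPath $LocalProfile) {
    $findings += @(Test-MandatoryProfile -Path $LocalProfile)
}
if ($haveBoth) {
    $findings += @(Test-ProfileDrift -Central $CentralProfile -Local $LocalProfile)
}
if ($findings.Count -eq 0) { 'Mandatory profile checks passed' } else { $findings }
```

Run it on each Terminal Server from an account that can read the ACLs of both locations.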
2 - Redirect Folders
A primary consideration with profile management is the physical size of a user's profile. Commonly used directories such as My Documents and Application Data can grow dramatically over time as more documents are created and more applications are installed on the Terminal Server. This is one of the main reasons why mandatory profiles are preferred over roaming profiles, as the time it takes to transfer and load a mandatory profile, rather than a roaming profile, is significantly shorter. However, as a mandatory profile does not save any new data created during the session when the user logs off, documents and application settings are lost if they are not catered for in some other way.
Folder redirection allows the user's personal files and settings to be saved to another location, most commonly to the user's home drive, which is outside of the profile itself. This means that personal files are retained at logoff and, as these are no longer part of the profile, loading times during the logon process are significantly improved. Folders can be redirected to any available location including a local folder, a network drive, a user home drive or a Terminal Server profile path location.
In this example, we are going to redirect folders to the user's home drive so that user specific files and application data can be backed up each evening by the managed backup solution in place in the organization. Another benefit is that by redirecting the Desktop folder to the user home drive, this can be included in the quota policy, where applicable, which prevents the user from having too many large documents on the desktop. We are going to assume that the home drive has previously been set up by the administrator within the Active Directory Users and Computers console, although it is possible to configure this using Environment Manager.
Redirecting folders to the user home drive
Navigate to the User | Logon node.
Select the Add a new sub node option.
Select the (New sub node) node that has been created and rename to Redirect Folders.
In the Rule and Actions pane click the New button.
Select Folder Redirection and click the OK button.
Select the folder you wish to redirect in the drop down Folder list.
Use the drop down Target list to select the location where you wish to redirect the folder, browse to the folder location you wish to use or manually enter the folder path.
Click OK to complete the Folder Redirection action.
You will need to repeat this process for each folder you wish to redirect.
Where H: is the user home drive. As the redirected folders will be visible to the user within their home directory, it is recommended that the redirected folders that are system or application specific, for example AppData, be hidden from the user. If the redirected folders are located on the computer on which the AppSense Environment Manager agent is running, then this can be achieved using the Set Attribute option from within the File Action wizard. However, if the redirected folders are located on a remote network share, then this will have to be done manually by the administrator. Note: Redirecting the Application Data folder to a network share may cause fileserver performance issues. This is because certain applications may require the ability to regularly read from and write to the Application Data folder. As an alternative, the Application Data folder can be copied out to a network share at user logoff (using AppSense Environment Manager file copy actions) and then copied back in at user logon. However, depending on the network speed, this may have the knock-on effect of increasing the user logon time, so the administrator must make an important decision with respect to how they control the Application Data folder.
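One way to confirm, from inside a user session, that the redirection took effect and that application-specific folders are hidden. This is an added example and not part of the original guide; it assumes the redirection is reflected in the per-user User Shell Folders registry values where Windows records shell folder locations, and the folder list, the H:\ prefix and the function name are assumptions.

```powershell
# Added example: run inside a user session after logon.
# The folder list and home-drive prefix are assumptions based on the guide's
# example of redirecting to H:; adjust them to the folders actually redirected.
$HomeDrive      = 'H:\'
$ValueNames     = 'Personal', 'AppData', 'Desktop', 'Favorites'   # Personal = My Documents
$HiddenExpected = 'AppData'   # application-specific folders that should be hidden

function Get-RedirectionStatus {
    param([string]$Prefix, [string[]]$Names, [string[]]$ShouldBeHidden)

    # Windows records per-user shell folder locations under this key.
    $key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $values = Get-ItemProperty -LiteralPath $key

    foreach ($name in $Names) {
        $target     = $values.$name    # REG_EXPAND_SZ data is returned expanded
        $redirected = $false
        $hidden     = $null            # stays $null when the target cannot be read
        if ($target) {
            $redirected = $target.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)
            if (Test-Path -LiteralPath $target) {
                $attrs  = (Get-Item -LiteralPath $target -Force).Attributes
                $hidden = [bool]($attrs -band [System.IO.FileAttributes]::Hidden)
            }
        }
        [pscustomobject]@{
            Folder      = $name
            Target      = $target
            Redirected  = $redirected
            Hidden      = $hidden
            NeedsHiding = ($ShouldBeHidden -contains $name) -and ($hidden -eq $false)
        }
    }
}

Get-RedirectionStatus -Prefix $HomeDrive -Names $ValueNames -ShouldBeHidden $HiddenExpected |
    Format-Table -AutoSize
```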
Registry Hiving
As an administrative user, navigate to the User | Logoff node within the Environment Manager console.
Select the Add a new sub node option.
Select the (New sub node) node that has been created and rename to Export Registry Settings.
In the Rule and Actions pane click the New button.
Select Hive Registry and click the OK button.
Enter a Title, for example, User Profile Settings.
Browse to the Location where the settings will be saved, preferably on a network share so that settings can be accessed from multiple computers, for example \\<servername>\<sharename>. It is not necessary to create separate folders for each user as Environment Manager will separate the user information being saved using the following format: <registry key name>_<domain>_<username>
Select the Export the hive from the registry to file radio button.
Click the Browse button.
Use the Registry Browser window to select which areas of the HKCU registry you wish to hive out. This can be from the local computer registry or a registry on another machine.
Click OK.
Repeat the Browse process for each registry key you would like to hive out.
Click OK when you have completed the required settings.
You should now see a Save User Profile Settings Hive Registry action within the Actions list of the Rule and Actions pane:
You may want to hive out further personalized settings from applications such as Microsoft Office, Adobe Acrobat or the SAP Client to name but a few. This can be done by editing the same Registry Hive action created earlier and adding them to this single action or by creating separate Registry Hive actions for each individual application.
Once you have completed the Registry Hive actions that will apply at logoff, you will need to configure Environment Manager to import these registry settings when the user next logs on.
Navigate to the User | Logon node within the Environment Manager console.
Select the Add a new sub node option.
Select the (New sub node) node that has been created and rename to Import Registry Settings.
Navigate back to the User | Logoff | Export Registry Settings node created earlier.
Right click on the Hive Registry action displayed under the Actions list and select Copy.
Navigate back to the User | Logon | Import Registry Settings node.
Right click in the Actions list within the Rule and Actions pane and select Paste.
Double click the Hive Registry action that has just been copied.
Select the Import the hive from file to the registry radio button and click OK.
You should now see a Load User Profile Settings Hive Registry action within the Actions list of the Rule and Actions pane:
Applying Rules to cope with server silo environments
Sometimes it is necessary for administrators to create dedicated application servers (or server silos) that have specific applications installed for specific tasks. This could be because of application compatibility issues, to simplify application upgrades and to reduce server maintenance downtime. In this scenario, it is possible to assign specific rules in AppSense Environment Manager when saving out and restoring registry settings so that users who are logged on to multiple servers in a farm do not experience profile contention when the user logs off and the profile settings are saved.
For example, Server A is installed with a specific application, App X, but also has Microsoft Office installed because App X relies on it. Server B only has Microsoft Office installed as this is the main application server where the majority of users will be accessing Microsoft Office from. If a user logs off from Server B their Microsoft Office settings are saved out. If the same user then logs off from Server A, both their App X and Microsoft Office settings are saved out, but their original Microsoft Office settings from Server B are overwritten. To alleviate this it is possible to assign a rule within AppSense Environment Manager based on the published application name, or published desktop name.
This will ensure that if the user logs on to Server A, then Server A's settings are restored. If the user logs on to Server B, then Server B's settings are restored instead.
the registry actions and hive registry actions can be located within the same node and the Execute in Sequence option can be used to ensure order of execution. This can be achieved by utilizing the Environment Manager Registry Action Wizard. Registry Actions include the ability to create or delete registry keys and set, create, delete or set a default value for registry keys. For further details on the Registry Action Wizard, please see the AppSense Environment Manager Getting Started Guide or the Environment Manager online help files.
Windows Appearance Settings
Certain Windows Appearance Settings for the user may not be applied as expected when registry actions and hive registry actions are utilized. This is due to the way the Windows Operating System functions. Certain registry keys are only loaded at computer startup, which therefore requires a reboot for them to take effect, especially those involving the control panel settings. The following list details those registry keys that may not be applied as expected when a user logs on:
AppSense has available a utility, RefreshTool.exe, that refreshes the settings stored beneath the HKCU\Control Panel registry keys. This utility can be used by configuring an Execute Action during the user logon process.
Navigate to the User | Logon node within the Environment Manager console.
Select the subnode in which you wish to add the Execute Action, in this example the Import Registry Settings node.
In the Rule and Actions pane click the New button.
Select Execute and click the OK button.
Enter the Filename path to where the RefreshTool.exe file exists.
Note: The RefreshTool.exe file must be located in a folder that all users have access to execute from.
Click OK.
Finally, select the Execute In Sequence option under the Options section of the Rule and Actions pane. This will ensure the Hive Registry action applies first before the Execute action is processed.
Migrating settings from a Roaming Profile to use the Environment Manager solution
Implementing the solution as described above is simple in a greenfield scenario. However, within organizations that currently have their user profiles created, it will be necessary to migrate parts of the existing profile to the new profile solution so that users do not lose any of their current personalized settings. This migration phase should be carried out before any of the processes outlined above. A temporary migration scenario can be created whereby Environment Manager is configured to copy existing profile folders from the current Roaming Profile to the location where you wish your folders to be redirected to; in our example from earlier, this will be the user home drive H:.
Personalized registry settings can also be saved out to a network share, using the Environment Manager Hive Registry action. At this stage there is no need to configure Environment Manager to restore the registry settings when the user logs on, since the users are still working with a roaming profile and their personalized settings will be retained. Users can now be slowly migrated, at the administrator's desired pace, to the new profile solution without losing the contents of the Favorites folder or their personal settings in Microsoft Word, for example. This transitional phase could last for a period of days or weeks prior to the migration, ensuring that all users have saved their personalized settings at logoff. In the example above, a rule has been assigned to the actions within the node, based on Active Directory membership, ensuring the administrator can switch all users to the new solution at the same time. The export of registry settings at user logoff (as described earlier in the Registry Hiving section) can also be configured at this stage:
Once this transitional phase has run for a few days or weeks, all the administrator has to do to complete migration is to alter the group membership settings in Active Directory and configure the users to use the Mandatory Profile and the Environment Manager configuration as described earlier in this document.
Conclusion
As can be seen, there are many elements involved with managing user profiles, and only when they are all brought together do they get close to representing a comprehensive profile management solution. AppSense Environment Manager can be used to resolve roaming profile issues that are often encountered within the enterprise. By using a mandatory profile, AppSense Environment Manager may be optimally configured to save out different portions of the user's profile at logoff, such as registry settings and files, and restore them when the user next logs on. This has the added benefit of minimizing network bandwidth consumption, saving and loading relevant areas of a user's profile, rather than transferring the whole profile across the network. This solution therefore enables the stability and control offered by a mandatory profile, whilst allowing the flexibility and personalization available with a roaming profile. Furthermore, user profile corruption becomes a thing of the past since there is no longer file copy contention during the logoff process, leaving IT support teams to spend their valuable time on other, more pressing projects or initiatives. Existing roaming profile implementations can be seamlessly migrated to use Environment Manager's profile management solution, which also offers the added benefit of being able to centrally manage and maintain the lockdown of application and operating system content and self healing of critical files, processes, services and registry keys. By leveraging the power of the AppSense Management Center, administrators can also ensure that enterprise-wide deployment of Environment Manager software and configurations is completely taken care of, regardless of computer location.
The information contained in this document (the Material) is believed to be accurate at the time of printing, but no representation or warranty is given (express or implied) as to its accuracy, completeness or correctness. Neither AppSense nor the publisher accepts any liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of or reliance placed on this Material for any purpose.
AppSense, Security from within, Management made easy and Performance for everyone are registered trademarks of AppSense Ltd. All other brands or product names are trademarks or registered trademarks of their respective companies.