Showing posts with label Policies. Show all posts

Thursday, July 30, 2020

Stupid Citrix Trick #7: Getting User Profiles Right

Problem: User profiles, man.

Solution: So who doesn't love user profiles?  Well, the users aren't too fond of them when their profile gets corrupted, and as a systems engineer who works on Citrix I can say that I get awfully tired of resetting them.  It's a rare instance when users and sysadmins are in full agreement.

But like many crummy things, profiles are the best of a bad lot.

This post won't delve into quite as many technical details as some of my others, but I thought I'd pass along the best practices that I've learned, most of which won't be new if you've worked on profiles before.  But it may help you avoid some of the pitfalls I've tumbled headlong into.

Profile Location.  A profile is just a folder with a bunch of files in it, so it can go on pretty much any shared folder.  I always like to name this folder "CitrixProfiles" so other sysadmins will leave it alone so they don't get Citrix all over themselves. You can just put it at the root of a share, but I normally do it like this:


You'll see that this path includes a template for what each user's profile will be.  I highly encourage you to use %username%.%userdomain% as in the picture, even if your environment only has a single domain.  Someday that might change and it's very difficult to go back and reorganize profiles.

I'd really prefer if Citrix allowed us to use the environment variable %userdnsdomain% but if you can read the text near the bottom of the profile policy image, that's not allowed.

Profile Permissions.  When setting profile permissions, you'll have two goals:  1) Users who are logging on for the first time must be able to create a profile folder, and 2) users should not have access to other people's folders.  To implement that, we'll use two different sets of permissions.

(As for share permissions, users will need modify rights and administrators will need full control.)

The first set of permissions will be for "Authenticated Users" - anyone who can log on to a Citrix server - and will apply to "This folder only":


It's not obvious what those permissions mean, but what it amounts to is that all authenticated users can create a subfolder in this folder, CitrixProfiles, but they cannot see into other users' folders. When a user creates a folder, they become the Creator Owner of that folder.  Creator Owner is an object that can be assigned permissions.  In fact that's how we'll grant the user rights.  Here is the second set of permissions we'll use:


As you can see, we're setting rights for the Creator Owner object and applying them to subfolders and files only - that is, to each user's own profile folder and its contents, not to CitrixProfiles itself.  By the way, I have seen some documents that suggest giving users the "Full control" permission on their profile folder.  DO NOT DO THIS!! I cannot emphasize that enough.  Users only need rights to modify the contents of their folder; they do not need to be able to set permissions on their folder as well.  Of course no user would ever do that, but the process that saves their settings runs as the user.  Sometimes things go wrong, and if the account has the ability to change permissions then the permissions will get bunged up from time to time.

You should also apply permissions for whatever administrators' group you're using.  This group will need full control, and it will be applied to "This folder, subfolders, and files" so it will have permission to everything.

One other thing - if your organization has an IT Security team, and if that team ever has to update permissions on your profile folder, they'll probably take ownership of the file system, which will make all the users' profiles unavailable since they rely on the user being the owner.  I do have a PowerShell script that can get a list of all the profiles, look up the user with the profile name (which is the username) and profile extension (the domain), and then grant the user explicit rights to the folder.  I'll post it in a few days, so watch this space.
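To put the three permission sets above into code, here is an added example (my own, not the author's promised script): it applies them to the CitrixProfiles root and then audits the existing profile folders for the two things this post warns about, a user ACE that can change permissions or take ownership, and a folder whose owner is no longer the user it belongs to. The share path and admin group are placeholders, and since the Authenticated Users screenshot isn't reproduced here, the minimal list-and-create rights are an assumption.

```powershell
# Added example, not the author's script: applies the three permission sets described above to the
# CitrixProfiles root, then audits existing profile folders for a user ACE that can change permissions
# or take ownership, and for an owner that is not the user the folder belongs to. Assumptions: path and
# group are placeholders; the Authenticated Users rights are not shown (missing screenshot), so a minimal
# list-and-create set is used. Needs PowerShell 5.0+.
using namespace System.Security.AccessControl
$ProfileRoot = '\\FILESERVER\Profiles$\CitrixProfiles'  # placeholder
$AdminGroup  = 'CONTOSO\Citrix Admins'                    # placeholder

function Set-ProfileRootAcl([string]$Path, [string]$AdminGroup) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the share root (assumption)
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $both = [InheritanceFlags]'ContainerInherit, ObjectInherit'
    # 1) Authenticated Users, "This folder only": list the root and create a subfolder, nothing inherits
    $acl.AddAccessRule([FileSystemAccessRule]::new('NT AUTHORITY\Authenticated Users',
        [FileSystemRights]'ListDirectory, CreateDirectories, ReadAttributes',
        [InheritanceFlags]::None, [PropagationFlags]::None, [AccessControlType]::Allow))
    # 2) CREATOR OWNER, "Subfolders and files only": Modify, deliberately NOT FullControl
    $acl.AddAccessRule([FileSystemAccessRule]::new('CREATOR OWNER',
        [FileSystemRights]::Modify, $both, [PropagationFlags]::InheritOnly, [AccessControlType]::Allow))
    # 3) Citrix admins, "This folder, subfolders and files": full control over everything
    $acl.AddAccessRule([FileSystemAccessRule]::new($AdminGroup,
        [FileSystemRights]::FullControl, $both, [PropagationFlags]::None, [AccessControlType]::Allow))
    Set-Acl -Path $Path -AclObject $acl
}

function Test-ProfileFolderAcls([string]$ProfileRoot, [string]$AdminGroup) {
    $risky   = [FileSystemRights]'ChangePermissions, TakeOwnership'  # lets a user-context process rewrite its own ACL
    $trusted = @($AdminGroup, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    foreach ($dir in Get-ChildItem -Path $ProfileRoot -Directory) {
        $acl = Get-Acl -Path $dir.FullName
        # Folders are named username.userdomain, so the owner should be USERDOMAIN\username
        $dot = $dir.Name.LastIndexOf('.')
        $expected = if ($dot -gt 0) { $dir.Name.Substring($dot + 1) + '\' + $dir.Name.Substring(0, $dot) }
        if ($acl.Owner -ne $expected) {
            [pscustomobject]@{ Folder = $dir.Name; Issue = 'OwnerMismatch'; Detail = $acl.Owner }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -in $trusted) { continue }
            if ($ace.AccessControlType -eq 'Allow' -and (($ace.FileSystemRights -band $risky) -ne 0)) {
                [pscustomobject]@{ Folder = $dir.Name; Issue = 'ExcessiveRights'; Detail = "$($ace.IdentityReference): $($ace.FileSystemRights)" }
            }
        }
    }
}

Set-ProfileRootAcl -Path $ProfileRoot -AdminGroup $AdminGroup
Test-ProfileFolderAcls -ProfileRoot $ProfileRoot -AdminGroup $AdminGroup | Format-Table -AutoSize
```

Run it from an account in the admin group; an OwnerMismatch row is exactly the symptom you'll see after someone takes ownership of the tree.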

Wednesday, July 8, 2020

Stupid Citrix Trick #4: Profile Bloat and INetCache

Problem: User profiles are unusually large.  Logons and logoffs are taking an extremely long time, and disk space is running low in the network share where profiles are saved.

Solution: Almost every user with a Citrix profile will have a folder in that profile called INETCACHE.  Based on the name alone, what would you expect that folder to do?  Cache internet files, right?  And that's exactly what it does, but unfortunately there's more to the story.

First of all, that's not the folder where Internet Explorer files are cached.  They are actually cached in a subfolder, INetCache\IE.  It's the IE folder that gets bloated and causes issues. There's another good reason for putting it in its own subfolder: the INetCache folder contains quite a bit of stuff besides cached Internet Explorer files.

I don't know if this is true for all Office versions, but I do know that Office 2010 and Office 2013 also store cached resources in the INetCache folder, each in a separate subfolder.  Not only that, but Office does not like it one bit if you delete those folders.  It will complain about it without doing anything useful, such as automatically recreating them at application launch.  If they do get deleted you'll have to recreate them manually or reset the user's profile.

So how do you limit bloat without affecting Office or other apps that use that folder?  Naturally, Citrix has you covered.

In the Profile section of XenApp 7 policies there are a lot of settings for user profiles, from the most basic, such as the path to the profile share and the names of the user folders, to such things as... folder inclusion and exclusion policies.

First, here is the inclusion policy to make sure that INetCache is included in the user's profile:


(Profile paths are always relative to the root of the user's profile, natch.)

So that setting will include the entire INetCache folder.  Great!  Well, sorta.  We don't want to include the IE folder.  Remember the catchphrase "There's an app for that!"  You guessed it: there's a setting for that!  And here it is:


Yes it's JUST THAT SIMPLE.  You can explicitly exclude subfolders of folders you have already explicitly included.  Apply these two policies and your profile woes are over.

But Graham (you say), we still have all these bloated folders on disk.  Is there any way we can clean out the IE folder that's already there?  I'm glad you asked!  This is Citrix, of course there's a way.

May I present to you the Logon Exclusion Policy.


As you can see we have selected to delete excluded files and folders from the user's profile.  Once we apply the two policies above, this policy will delete the files in the IE folder (and any other excluded folders).  The other values for this setting are to synchronize the excluded files and folders with the user's profile, or to ignore the files.

Disinfecting your profiles this way reduces disk usage and improves logon performance, which should keep both IT and your end users happy.
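Before turning on the logon exclusion deletion, it's worth knowing how much you'll actually reclaim. This added example (mine, not from the post) walks the profile share and splits each INetCache folder into the IE subfolder, which the exclusion drops, and everything else, which the inclusion keeps (the Office caches). The share path is a placeholder, and INetCache is found by searching each profile rather than assuming a fixed relative path.

```powershell
# Added example, not from the original post: measures how much of each profile is INetCache\IE
# (what the exclusion above drops) versus the rest of INetCache (the Office caches that must
# stay), so you can see what the policy will reclaim before you apply it. Path is a placeholder;
# INetCache is located by searching each profile rather than assuming a fixed relative path.
$ProfileRoot = '\\FILESERVER\Profiles$\CitrixProfiles'  # placeholder

function Get-FolderSizeMB([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return 0 }
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    [math]::Round(($sum / 1MB), 1)
}

function Get-INetCacheBloat([string]$ProfileRoot) {
    foreach ($profile in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
        $caches = Get-ChildItem -LiteralPath $profile.FullName -Recurse -Directory -Filter 'INetCache' -ErrorAction SilentlyContinue
        foreach ($cache in $caches) {
            $totalMB = Get-FolderSizeMB $cache.FullName
            $ieMB    = Get-FolderSizeMB (Join-Path $cache.FullName 'IE')
            # Everything in INetCache other than IE is what the inclusion policy keeps (Office caches etc.)
            $kept = @(Get-ChildItem -LiteralPath $cache.FullName -Directory | Where-Object Name -ne 'IE').Name -join ', '
            [pscustomobject]@{
                Profile     = $profile.Name
                INetCacheMB = $totalMB
                IEMB        = $ieMB          # reclaimed once INetCache\IE is excluded and logon deletion is on
                OtherMB     = [math]::Round($totalMB - $ieMB, 1)
                KeptFolders = $kept
            }
        }
    }
}

Get-INetCacheBloat -ProfileRoot $ProfileRoot | Sort-Object IEMB -Descending | Format-Table -AutoSize
```

Run it as a member of the administrators group that has full control of the share, since Authenticated Users cannot see into other users' folders.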