Citrix Virtual Apps and Desktops

Basic policy settings

This section contains policy settings relating to the basic configuration of Profile Management.

Enable Profile Management

By default, to facilitate deployment, Profile Management does not process logons or logoffs. Enable Profile Management only after carrying out all other setup tasks and testing how Citrix user profiles perform in your environment.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, Profile Management does not process Windows user profiles in any way.

Processed groups

Both computer-local groups and domain groups (local, global, and universal) can be used. Domain groups must be specified in the format: DOMAIN NAME\GROUP NAME.

If this policy is configured here, Profile Management processes only members of these user groups. If this policy is disabled, Profile Management processes all users. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, members of all user groups are processed.

Excluded groups

You can use computer local groups and domain groups (local, global, and universal) to prevent particular user profiles from being processed. Specify domain groups in the form DOMAIN NAME\ GROUP NAME.

If this setting is configured here, Profile Management excludes members of these user groups. If this setting is disabled, Profile Management does not exclude any users. If this setting is not configured here, the value from the .ini file is used. If this setting is not configured here or in the .ini file, no members of any groups are excluded.

Process logons of local administrators

Specifies whether logons of members of the BUILTIN\Administrators group are processed. Consider this policy is disabled or not configured on multi-session operating systems, such as Citrix Virtual Apps environments. In this case, Profile Management assumes that logons by domain users, but not local administrators, must be processed. On single-session operating systems (such as Citrix Virtual Desktops environments), local administrator logons are processed. This policy allows domain users with local administrator rights, typically Citrix Virtual Desktops users with assigned virtual desktops, to:

  • Bypass any processing
  • Log on
  • Troubleshoot the desktop-experiencing problems with Profile Management

Note: Domain users’ logons might be subject to restrictions imposed by group membership, typically to ensure compliance with product licensing. If this policy is disabled, Profile Management does not process logons by local administrators. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, administrators are not processed.

Path to user store

Sets the path to the directory (the user store) in which the user settings (registry changes and synchronized files) are saved.

The path can be:

  • A relative path. It must be relative to the home directory (which is typically configured as the #homeDirectory# attribute for a user in the Active Directory).
  • A UNC path. It typically specifies a server share or a DFS namespace.
  • Disabled or unconfigured. In this case, a value of #homeDirectory#\Windows is assumed.

The following types of variables can be used for this policy:

  • System environment variables enclosed in percent signs (for example, %ProfVer%). System environment variables generally require extra setup.
  • Attributes of the Active Directory user object enclosed in hashes (for example, #sAMAccountName#).
  • Profile Management variables. For more information, see the Profile Management variables product document.

User environment variables cannot be used, except for %username% and %userdomain%. You can also create custom attributes to define organizational variables such as location or users fully. Attributes are case-sensitive.

Examples:

  • \server\share#sAMAccountName# stores the user settings to the UNC path \server\share\JohnSmith (if #sAMAccountName# resolves to JohnSmith for the current user)
  • \server\profiles$\%USERNAME%.%USERDOMAIN%!CTX_OSNAME!!CTX_OSBITNESS! might expand to \server\profiles$\JohnSmith.DOMAINCONTROLLER1\Win8x64

Important: Whichever attributes or variables you use, check that this policy expands to the folder one level higher than the folder containing NTUSER.DAT. For example, if this file is contained in \server\profiles$\JohnSmith.Finance\Win8x64\UPM_Profile, set the path to the user store as \server\profiles$\JohnSmith.Finance\Win8x64 (not the \UPM_Profile subfolder).

For more information on using variables when specifying the path to the user store, see the following topics:

  • Share Citrix user profiles on multiple file servers
  • Administer profiles within and across OUs
  • High availability and disaster recovery with Profile Management

If Path to user store is disabled, the user settings are saved in the Windows subdirectory of the home directory.

If this policy is disabled, the user settings are saved in the Windows subdirectory of the home directory. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, the Windows directory on the home drive is used.

Migrate user store

Specifies the path to the folder where the user settings (registry changes and synchronized files) were previously saved (the user store path that you previously used).

If this setting is configured, the user settings that are stored in the previous user store are migrated to the current user store specified in the “Path to user store” policy.

The path can be an absolute UNC path or a path relative to the home directory.

In both cases, you can use the following types of variables:

  • System environment variables enclosed in percent signs
  • Attributes of the Active Directory user object enclosed in hash signs

Examples:

  • The folder Windows\%ProfileVer% stores the user settings in a subfolder called Windows\W2K3 of the user store (if %ProfileVer% is a system environment variable that resolves to W2K3).
  • \\server\share\#SAMAccountName# stores the user settings to the UNC path \\server\share\<JohnSmith> (if #SAMAccountName# resolves to JohnSmith for the current user).

In the path, you can use user environment variables except %username% and %userdomain%.

If this setting is disabled, the user settings are saved in the current user store.

If this setting is not configured here, the corresponding setting from the .ini file is used.

If this setting is not configured here or in the .ini file, the user settings are saved in the current user store.

Active write back

Files and folders (but not registry entries) that are modified can be synchronized to the user store in the middle of a session, before logoff.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, it is enabled.

Offline profile support

This policy allows profiles to synchronize with the user store at the earliest possible opportunity. It is aimed at laptop or mobile device users who roam. When a network disconnection occurs, profiles remain intact on the laptop or device even after rebooting or hibernating. As mobile users work, their profiles are updated locally. Also, eventually synchronized with the user store when the network connection is re-established.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, offline profiles are disabled.

Active write back registry

Use this policy along with “Active write back.” Registry entries that are modified can be synchronized to the user store in the middle of a session.

If you do not configure this setting here, the value from the .ini file is used.

If you do not configure this setting here or in the .ini file, the active write back registry is disabled.

Active write back on session lock and disconnection

With both this policy and the Active write back policy enabled, profile files and folders are written back only when a session is locked or disconnected.

With this policy and both the Active write back and Active write back registry policies enabled, registry entries are written back only when a session is locked or disconnected.

Offline profile support

Enables the offline profiles feature. This feature is intended for computers that are commonly removed from networks. For example, laptops or mobile devices not servers or desktops.

If this setting is not configured here, the value from the .ini file is used.

If this setting is not configured here or in the .ini file, offline profile support is disabled.

Basic policy settings