Profile Management policy descriptions and defaults

This topic describes the policies in the Profile Management .adm and .admx files, and the structure of the files. In addition, it lists the default setting of each policy.

Other information, such as the names of the equivalent .ini file settings and which version of Profile Management is required for any particular policy, is available in Profile Management policies.

In the Group Policy Object Editor, most of the policies appear under Computer Configuration > Administrative Templates > Classic Administrative Templates > Citrix. Redirected folder policies appear under User Configuration > Administrative Templates > Classic Administrative Templates > Citrix.

Sections in the .adm and .admx files

All Profile Management policies are contained in the following sections, located in the Citrix folder. The policies are located under Computer Configuration in Group Policy Editor unless a section is labeled User Configuration:

Profile Management

Profile Management\Folder Redirection (User Configuration)

Profile Management\Profile handling

Profile Management\Advanced settings

Profile Management\Log settings

Profile Management\Registry

Profile Management\File system

Profile Management\File system\Synchronization

Profile Management\Streamed user profiles

Profile Management\Cross-platform settings

Profile Management

Enable Profile Management

By default, to facilitate deployment, Profile Management does not process logons or logoffs. Enable Profile Management only after carrying out all other setup tasks and testing how Citrix user profiles perform in your environment.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, Profile Management does not process Windows user profiles in any way.

Processed groups

Both computer local groups and domain groups (local, global, and universal) can be used. Domain groups should be specified in the format: DOMAIN NAME\GROUP NAME.

If this policy is configured here, Profile Management processes only members of these user groups. If this policy is disabled, Profile Management processes all users. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, members of all user groups are processed.

Excluded groups

You can use computer local groups and domain groups (local, global, and universal) to prevent particular user profiles from being processed. Specify domain groups in the form DOMAIN NAME\GROUP NAME.

If this setting is configured here, Profile Management excludes members of these user groups. If this setting is disabled, Profile Management does not exclude any users. If this setting is not configured here, the value from the .ini file is used. If this setting is not configured here or in the .ini file, no members of any groups are excluded.

Process logons of local administrators

Specifies whether logons of members of the BUILTIN\Administrators group are processed. If this policy is disabled or not configured on server operating systems (such as Citrix Virtual Apps environments), Profile Management assumes that logons by domain users, but not local administrators, must be processed. On desktop operating systems (such as Citrix Virtual Desktops environments), local administrator logons are processed. This policy allows domain users with local administrator rights, typically Citrix Virtual Desktops users with assigned virtual desktops, to bypass any processing, log on, and troubleshoot the desktop experiencing problems with Profile Management.

Note: Domain users’ logons may be subject to restrictions imposed by group membership, typically to ensure compliance with product licensing. If this policy is disabled, Profile Management does not process logons by local administrators. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, administrators are not processed.

Path to user store

Sets the path to the directory (the user store) in which the user settings (registry changes and synchronized files) are saved.

The path can be:

  • A relative path. It must be relative to the home directory (which is typically configured as the #homeDirectory# attribute for a user in Active Directory).
  • A UNC path. It typically specifies a server share or a DFS namespace.
  • Disabled or unconfigured. In this case, a value of #homeDirectory#\Windows is assumed.

The following types of variables can be used for this policy:

  • System environment variables enclosed in percent signs (for example, %ProfVer%). System environment variables generally require extra setup.
  • Attributes of the Active Directory user object enclosed in hashes (for example, #sAMAccountName#).
  • Profile Management variables. For more information, see the Profile Management variables product document.

User environment variables cannot be used, except for %username% and %userdomain%. You can also create custom attributes to fully define organizational variables such as location or users. Attributes are case-sensitive.

Examples:

  • \\server\share\#sAMAccountName# stores the user settings to the UNC path \\server\share\JohnSmith (if #sAMAccountName# resolves to JohnSmith for the current user)
  • \\server\profiles$\%USERNAME%.%USERDOMAIN%\!CTX_OSNAME!!CTX_OSBITNESS! might expand to \\server\profiles$\JohnSmith.DOMAINCONTROLLER1\Win8x64

Important: Whichever attributes or variables you use, check that this policy expands to the folder one level higher than the folder containing NTUSER.DAT. For example, if this file is contained in \\server\profiles$\JohnSmith.Finance\Win8x64\UPM_Profile, set the path to the user store as \\server\profiles$\JohnSmith.Finance\Win8x64 (not the \UPM_Profile subfolder).

For more information on using variables when specifying the path to the user store, see the following topics:

  • Share Citrix user profiles on multiple file servers
  • Administer profiles within and across OUs
  • High availability and disaster recovery with Profile Management

If this policy is disabled, the user settings are saved in the Windows subdirectory of the home directory. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, the Windows directory on the home drive is used.
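
The expansion rules and the Important note above can be checked before a path is rolled out. The following Python sketch is an added example, not Citrix code: the function names, the sample users and the shared-folder check are assumptions made here, and it models only the three variable types this section describes.

```python
import re

ALLOWED_USER_ENV = ("username", "userdomain")    # the only user variables the policy accepts
TOKEN = re.compile(r"%([^%\\]+)%|#([^#\\]+)#|!([^!\\]+)!")
ABSOLUTE = re.compile(r"^(\\\\|[A-Za-z]:)")      # UNC path or drive-letter path
DEFAULT_TEMPLATE = r"#homeDirectory#\Windows"    # assumed when the policy is disabled or unconfigured


def expand_user_store(template, user, system_env=None, ctx_vars=None):
    """Expand a Path to user store value for one user.

    Returns (path, unresolved_tokens). AD attribute names are matched
    case-sensitively, as the page states; %...% names are matched
    case-insensitively, as Windows environment variables are.
    """
    system_env = {k.lower(): v for k, v in (system_env or {}).items()}
    ctx_vars = ctx_vars or {}
    unresolved = []

    def substitute(match):
        env, attr, ctx = match.groups()
        if env is not None:
            key = env.lower()
            value = user.get(key) if key in ALLOWED_USER_ENV else system_env.get(key)
        elif attr is not None:
            value = user["attrs"].get(attr)
        else:
            value = ctx_vars.get(ctx)
        if value is None:
            unresolved.append(match.group(0))
            return match.group(0)
        return value

    path = TOKEN.sub(substitute, template or DEFAULT_TEMPLATE)
    if not unresolved and not ABSOLUTE.match(path):
        # A relative path is relative to the user's home directory.
        home = user["attrs"].get("homeDirectory")
        if home is None:
            unresolved.append("#homeDirectory#")
        else:
            path = home.rstrip("\\") + "\\" + path.lstrip("\\")
    return path.rstrip("\\"), unresolved


def audit_user_store(template, users, system_env=None, ctx_vars=None):
    """Return findings for a template evaluated against a list of users."""
    findings, seen = [], {}
    for user in users:
        path, unresolved = expand_user_store(template, user, system_env, ctx_vars)
        name = user["username"]
        for token in unresolved:
            findings.append(f"{name}: {token} did not resolve")
        if path.lower().endswith("\\upm_profile"):
            findings.append(f"{name}: path must stop one level above UPM_Profile")
        # Added check (assumption): two users must not expand to the same folder.
        other = seen.setdefault(path.lower(), name)
        if other != name:
            findings.append(f"{name}: shares user store {path} with {other}")
    return findings


# Constructed sample data; the server names and users are not real.
USERS = [
    {"username": "JohnSmith", "userdomain": "DOMAINCONTROLLER1",
     "attrs": {"sAMAccountName": "JohnSmith", "homeDirectory": r"\\fs01\home\JohnSmith"}},
    {"username": "JaneDoe", "userdomain": "DOMAINCONTROLLER1",
     "attrs": {"sAMAccountName": "JaneDoe", "homeDirectory": r"\\fs01\home\JaneDoe"}},
]
CTX = {"CTX_OSNAME": "Win8", "CTX_OSBITNESS": "x64"}

if __name__ == "__main__":
    for candidate in (
        r"\\server\profiles$\%USERNAME%.%USERDOMAIN%\!CTX_OSNAME!!CTX_OSBITNESS!",
        r"\\server\profiles$\!CTX_OSNAME!!CTX_OSBITNESS!",   # no per-user part
        r"\\server\share\#samaccountname#",                  # wrong attribute case
        r"\\server\share\#sAMAccountName#\UPM_Profile",      # one level too deep
    ):
        print(candidate)
        for finding in audit_user_store(candidate, USERS, ctx_vars=CTX) or ["ok"]:
            print("   ", finding)
```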

Active write back

Files and folders (but not registry entries) that are modified can be synchronized to the user store in the middle of a session, before logoff.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, it is enabled.

Offline profile support

This policy allows profiles to synchronize with the user store at the earliest possible opportunity. It is aimed at laptop or mobile device users who roam. When a network disconnection occurs, profiles remain intact on the laptop or device even after rebooting or hibernating. As mobile users work, their profiles are updated locally and are eventually synchronized with the user store when the network connection is re-established.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, offline profiles are disabled.

Profile Management\Folder Redirection (User Configuration)

The policies in this section (for example, Redirect the AppData(Roaming) folder) specify whether to redirect folders that commonly appear in profiles, and the redirection target. Specify targets as UNC paths (for server shares or DFS namespaces) or as paths relative to users’ home directory. This is typically configured with the #homeDirectory# attribute in Active Directory.

If a policy is not configured here, Profile Management does not redirect the specified folder.

Note: When you use UNC paths for folder redirection, the #homedirectory# variable is not supported. After you choose the Redirect to the user’s home directory policy, you do not need to specify the path.

Profile Management\Profile handling

Delay before deleting cached profiles

Sets an optional extension to the delay before locally cached profiles are deleted at logoff. A value of 0 deletes the profiles immediately, at the end of the logoff process. Profile Management checks for logoffs every minute. So a value of 60 ensures that profiles are deleted between one and two minutes after users have logged off (depending on when the last check took place). Extending the delay is useful if you know that a process keeps files or the user registry hive open during logoff. With large profiles, this setup can also speed up logoff.

Important: This policy works only if Delete locally cached profiles on logoff is enabled. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, profiles are deleted immediately.

Delete locally cached profiles on logoff

Specifies whether locally cached profiles are deleted after logoff.

If this policy is enabled, a user’s local profile cache is deleted after they have logged off. This setting is recommended for terminal servers. If this policy is disabled, cached profiles are not deleted.

Note: You can control when profiles are deleted at logoff using Delay before deleting cached profiles. If Delete locally cached profiles on logoff is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, cached profiles are not deleted.

Local profile conflict handling

This policy configures how Profile Management behaves if both a profile in the user store and a local Windows user profile (not a Citrix user profile) exist.

If this policy is disabled or set to the default value of Use local profile, Profile Management uses the local profile, but does not change it in any way. If this policy is set to Delete local profile, Profile Management deletes the local Windows user profile and then imports the Citrix user profile from the user store. If this policy is set to Rename local profile, Profile Management renames the local Windows user profile (for backup purposes) and then imports the Citrix user profile from the user store.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, existing local profiles are used.

Migration of existing profiles

Profile Management can migrate existing profiles “on the fly” during logon if the user has no profile in the user store. Select Roaming if you are migrating roaming profiles or Remote Desktop Services profiles.

The following event takes place during logon. If an existing Windows profile is found and the user does not yet have a Citrix user profile in the user store, the Windows profile is migrated (copied) to the user store on the fly. After this process, the user store profile is used by Profile Management in the current and any other session configured with the path to the same user store.

If this setting is enabled, profile migration can be activated for roaming and local profiles (the default), roaming profiles only, or local profiles only, or it can be disabled altogether. If profile migration is disabled and no Citrix user profile exists in the user store, the existing Windows mechanism for creating profiles is used as in a setup without Profile Management.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, existing local and roaming profiles are migrated. If this policy is disabled, no profile is migrated. If this policy is disabled and no Citrix user profile exists in the user store, the existing Windows mechanism for creating profiles is used as in a setup without Profile Management.

Template profile

Specifies the path to any profile you want to use as a template. This path is the full path to the folder containing the NTUSER.DAT registry file and any other folders and files required for the template profile.

Important: Ensure that you do not include NTUSER.DAT in the path. For example, with the file \\myservername\myprofiles\template\ntuser.dat, set the location as \\myservername\myprofiles\template. Use absolute paths, which can be UNC paths or paths on the local machine. (You can use the latter, for example, to specify a template profile permanently on a Citrix Provisioning Services image.) Relative paths are not supported.

This policy does not support expansion of Active Directory attributes, system environment variables, or the %USERNAME% and %USERDOMAIN% variables.

If this policy is disabled, templates are not used. If this policy is enabled, Profile Management uses the template instead of the local default profile when creating user profiles. If a user has no Citrix user profile, but a local or roaming Windows user profile exists, by default the local profile is used and is migrated to the user store, if this policy is not disabled. This setup can be changed by enabling the checkbox Template profile overrides local profile or Template profile overrides roaming profile. Additionally, identifying the template as a Citrix mandatory profile means that, like Windows mandatory profiles, changes are not saved.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, no template is used.

Profile Management\Advanced settings

Number of retries when accessing locked files

Sets the number of retries when accessing locked files.

If this policy is disabled, the default value of five retries is used. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, the default value is used.

Some deployments leave extra Internet cookies that are not referenced by the file Index.dat. The extra cookies left in the file system after sustained browsing can lead to profile bloat. Enable this policy to force processing of Index.dat and remove the extra cookies. The policy increases logoff times, so only enable it if you experience this issue.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, no processing of Index.dat takes place.

Disable automatic configuration

Profile Management examines any Citrix Virtual Desktops environment, for example for the presence of personal vDisks, and configures Group Policy accordingly. Only Profile Management policies in the Not Configured state are adjusted, so any customizations you have made are preserved. This feature speeds up deployment and simplifies optimization. No configuration of the feature is necessary, but you can disable automatic configuration when upgrading (to retain settings from earlier versions) or when troubleshooting. Automatic configuration does not work in Citrix Virtual Apps or other environments.

If this setting is not configured here, the value from the .ini file is used.

If this setting is not configured here or in the .ini file, automatic configuration is turned on so Profile Management settings might change if the environment changes.

Log off user if a problem is encountered

If this policy is disabled or not configured, users are given a temporary profile if a problem is encountered (for example, the user store is unavailable). If it is enabled, an error message is displayed and users are logged off. This setup can simplify troubleshooting of the problem.

If this setting is not configured here, the value from the .ini file is used.

If this setting is not configured here or in the .ini file, a temporary profile is provided.

Profile Management\Log settings

Enable logging

This policy enables or disables logging. Only enable this policy if you are troubleshooting Profile Management.

If this policy is disabled, only errors are logged. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, only errors are logged.

Log settings

This is a set of policies that you can use to focus on specific activities. Only set these policies if you are troubleshooting, and set them all unless you are requested to do otherwise by Citrix personnel.

If these policies are not configured here, Profile Management uses the values from the .ini file. If these policies are not configured here or in the .ini file, errors and general information are logged.

The check boxes for these policies correspond to the following settings in the .ini file: LogLevelWarnings, LogLevelInformation, LogLevelFileSystemNotification, LogLevelFileSystemActions, LogLevelRegistryActions, LogLevelRegistryDifference, LogLevelActiveDirectoryActions, LogLevelPolicyUserLogon, LogLevelLogon, LogLevelLogoff, and LogLevelUserName.

Maximum size of the log file

The default value for the maximum size of the Profile Management log file is small. If you have sufficient disk space, increase it to 5 MB or 10 MB, or more. If the log file grows beyond the maximum size, an existing backup of the file (.bak) is deleted. The log file is renamed to .bak and a new log file is created. The log file is created in %SystemRoot%\System32\Logfiles\UserProfileManager.

If this policy is disabled, the default value of 1 MB is used. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, the default value is used.

Path to log file

Sets an alternative path to which the log files are saved.

The path can point to a local drive or a remote, network-based one (a UNC path). Remote paths can be useful in large, distributed environments but they can create significant network traffic, which may be inappropriate for log files. For provisioned, virtual machines with a persistent hard drive, set a local path to that drive. This setup ensures log files are preserved when the machine restarts. For virtual machines without a persistent hard drive, setting a UNC path allows you to retain the log files. But the system account for the machines must have write access to the UNC share. Use a local path for any laptops managed by the offline profiles feature.

If a UNC path is used for log files, Citrix recommends that an appropriate access control list is applied to the log file folder. This setup ensures that only authorized user or computer accounts can access the stored files.

Examples:

  • D:\LogFiles\ProfileManagement
  • \\server\LogFiles\ProfileManagement

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, the default location %SystemRoot%\System32\Logfiles\UserProfileManager is used.
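
The ACL recommendation above can be checked from captured `icacls` output for the log folder. This Python sketch is an added example, not part of the Citrix documentation; the CONTOSO names, the sample output and the list of principals treated as too broad are constructed assumptions to adjust to local policy.

```python
import re

# Principals that cover every (or nearly every) account. Assumption: granting
# these any right conflicts with "only authorized user or computer accounts".
BROAD_PRINCIPALS = {"everyone", "nt authority\\authenticated users", "builtin\\users"}
BROAD_SUFFIXES = ("\\domain users",)
MARKERS = {"OI", "CI", "IO", "NP", "I", "DENY"}   # inheritance and deny markers, not rights
WRITE_RIGHTS = {"F", "M", "W"}                     # full control, modify, write
ACE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(output, folder):
    """Return [(principal, rights, markers)] from the output of `icacls <folder>`."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(folder.lower()):
            line = line[len(folder):].strip()      # first line repeats the folder path
        match = ACE.match(line)
        if not match:
            continue                               # blank line or summary line
        rights, markers = set(), set()
        for group in re.findall(r"\(([^)]*)\)", match.group("flags")):
            parts = set(group.split(","))
            (markers if parts <= MARKERS else rights).update(parts)
        rights.discard("N")                        # (N) means no access
        entries.append((match.group("principal"), rights, markers))
    return entries


def audit_log_folder_acl(output, folder, required_writers):
    """Flag broad grants and required writer accounts that cannot write."""
    findings, writers = [], set()
    for principal, rights, markers in parse_icacls(output, folder):
        if "DENY" in markers or not rights:
            continue
        name = principal.lower()
        if name in BROAD_PRINCIPALS or name.endswith(BROAD_SUFFIXES):
            findings.append(f"{principal} is granted {'/'.join(sorted(rights))}")
        if rights & WRITE_RIGHTS:
            writers.add(name)
    for needed in required_writers:
        if needed.lower() not in writers:
            findings.append(f"{needed} lacks write access to the log folder")
    return findings


# Constructed sample: the share, the domain and the group are hypothetical.
FOLDER = r"\\server\LogFiles\ProfileManagement"
SAMPLE = "\n".join([
    r"\\server\LogFiles\ProfileManagement BUILTIN\Administrators:(OI)(CI)(F)",
    r"                                    CONTOSO\VDA-Machines:(OI)(CI)(M)",
    r"                                    Everyone:(OI)(CI)(RX)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])

if __name__ == "__main__":
    for finding in audit_log_folder_acl(SAMPLE, FOLDER, [r"CONTOSO\VDA-Machines"]):
        print(finding)
```

Here `required_writers` stands for whichever account the machines use to write the logs; the page only requires that the machines' system account has write access.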

Profile Management\Registry

Exclusion list

List of registry keys in the HKCU hive which are ignored during logoff.

Example: Software\Policies

If this policy is disabled, no registry keys are excluded. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, no registry keys are excluded.

Inclusion list

List of registry keys in the HKCU hive that are processed during logoff.

Example: Software\Adobe.

If this policy is enabled, only keys on this list are processed. If this policy is disabled, the complete HKCU hive is processed. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, all of HKCU is processed.

Enable Default Exclusion List - Profile Management 5.5

Default list of registry keys in the HKCU hive that are not synchronized to the user’s profile. Use this policy to specify GPO exclusion files without having to fill them in manually.

If you disable this policy, Profile Management does not exclude any registry keys by default. If you do not configure this policy here, Profile Management uses the value from the .ini file. If you do not configure this policy here or in the .ini file, Profile Management does not exclude any registry keys by default.

NTUSER.DAT backup

Enables a backup of the last known good copy of NTUSER.DAT and rollback in case of corruption.

If you do not configure this policy here, Profile Management uses the value from the .ini file. If you do not configure this policy here or in the .ini file, Profile Management does not back up NTUSER.DAT.

Profile Management\File system

Exclusion list - files

List of files that are ignored during synchronization. File names must be paths relative to the user profile (%USERPROFILE%). Wildcards are allowed and are applied recursively.

Examples:

  • Desktop\Desktop.ini ignores the file Desktop.ini in the Desktop folder
  • %USERPROFILE%\*.tmp ignores all files with the extension .tmp in the entire profile
  • AppData\Roaming\MyApp\*.tmp ignores all files with the extension .tmp in one part of the profile

If this policy is disabled, no files are excluded. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, no files are excluded.

Exclusion list - directories

List of folders that are ignored during synchronization. Folder names must be specified as paths relative to the user profile (%USERPROFILE%).

Example:

  • Desktop ignores the Desktop folder in the user profile

If this policy is disabled, no folders are excluded. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, no folders are excluded.

Enable Default Exclusion List - directories - Profile Management 5.5

Default list of directories ignored during synchronization. Use this policy to specify GPO exclusion directories without having to fill them in manually.

If you disable this policy, Profile Management does not exclude any directories by default. If you do not configure this policy here, Profile Management uses the value from the .ini file. If you do not configure this policy here or in the .ini file, Profile Management does not exclude any directories by default.

Profile Management\File system\Synchronization

Directories to synchronize

Profile Management synchronizes each user’s entire profile between the system it is installed on and the user store. It is not necessary to include subfolders of the user profile by adding them to this list.

Paths on this list must be relative to the user profile.

Example:

  • Desktop\exclude\include ensures that the subfolder called include is synchronized even if the folder called Desktop\exclude is not

Disabling this policy has the same effect as enabling it and configuring an empty list.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, only non-excluded folders in the user profile are synchronized.

Files to synchronize

Profile Management synchronizes each user’s entire profile between the system it is installed on and the user store. It is not necessary to include files in the user profile by adding them to this list.

This policy can be used to include files below excluded folders. Paths on this list must be relative to the user profile. Wildcards can be used but are only allowed for file names. Wildcards cannot be nested and are applied recursively.

Examples:

  • AppData\Local\Microsoft\Office\Access.qat specifies a file below a folder that is excluded in the default configuration
  • AppData\Local\MyApp\*.cfg specifies all files with the extension .cfg in the profile folder AppData\Local\MyApp and its subfolders

Disabling this policy has the same effect as enabling it and configuring an empty list.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, only non-excluded files in the user profile are synchronized.

Folders to mirror

This policy can help solve issues involving any transactional folder (also known as a referential folder). That folder contains interdependent files, where one file references others. Mirroring folders allows Profile Management to process a transactional folder and its contents as a single entity, avoiding profile bloat. For example, you can mirror the Internet Explorer cookies folder so that Index.dat is synchronized with the cookies that it indexes. In these situations the “last write wins.” So files in mirrored folders that have been modified in more than one session are overwritten by the last update, resulting in loss of profile changes.

For example, consider how Index.dat references cookies while a user browses the Internet. If a user has two Internet Explorer sessions, each on a different server, and they visit different sites in each session, cookies from each site are added to the appropriate server. When the user logs off from the first session (or in the middle of a session, if the active write back feature is configured), the cookies from the second session must replace those cookies from the first session. However, instead they are merged, and the references to the cookies in Index.dat become out of date. Further browsing in new sessions results in repeated merging and a bloated cookie folder.

Mirroring the cookie folder solves the issue by overwriting the cookies with those cookies from the last session each time the user logs off. So Index.dat stays up-to-date.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, no folders are mirrored.

Profile Management\Streamed user profiles

Profile streaming

Files and folders contained in a profile are fetched from the user store to the local computer only when they are accessed by users after they have logged on. Registry entries and any files in the pending area are exceptions. They are fetched immediately.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, it is disabled.

Always cache

Optionally, to enhance the user experience, use this policy with the Profile streaming policy.

This setting imposes a lower limit on the size of files that are streamed. Any file this size or larger is cached locally as soon as possible after logon. To use the cache entire profile feature, set this limit to zero (which fetches all of the profile contents as a background task).

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, it is disabled.

Timeout for pending area lock files

You can set a timeout period (days) that frees up users’ files so that they are written back to the user store from the pending area if the user store remains locked when a server becomes unresponsive. Use this policy to prevent bloat in the pending area and to ensure that the user store always contains the most up-to-date files.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, the default value of one day is used.

Streamed user profile groups

This policy streams the profiles of a subset of Windows user groups in the OU. The profiles of users in all other groups are not streamed.

If this policy is disabled, all user groups are processed. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, all users are processed.

Profile Management\Cross-platform settings

Enable cross-platform settings

By default, to facilitate deployment, cross-platform settings are disabled. Turn on processing by enabling this policy but only after thorough planning and testing of this feature.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, no cross-platform settings are applied.

Cross-platform settings user groups

Enter one or more Windows user groups. For example, you might use this policy to process only the profiles from a test user group. If this policy is configured, the cross-platform settings feature of Profile Management processes only members of these user groups. If this policy is disabled, the feature processes all of the users specified by the Processed groups policy.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, all user groups are processed.

Path to cross-platform definitions

Identifies the network location of the definition files that you copied from the download package. This path must be a UNC path. Users must have read access to this location, and administrators must have write access to it. The location must be a Server Message Block (SMB) or Common Internet File System (CIFS) file share.

If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, no cross-platform settings are applied.

Path to cross-platform settings store

Sets the path to the cross-platform settings store, the folder in which users’ cross-platform settings are saved. Users must have write access to this area. The path can be an absolute UNC path or a path relative to the home directory.

This area is the common area of the user store where profile data shared by multiple platforms is located. You can use the same variables as for Path to user store.

If this policy is disabled, the path Windows\PM_CP is used. If this policy is not configured here, the value from the .ini file is used. If this policy is not configured here or in the .ini file, the default value is used.

Source for creating cross-platform settings

Specifies a platform as the base platform if this policy is enabled in that platform’s OU. This policy migrates data from the base platform’s profiles to the cross-platform settings store.

Each platform’s own set of profiles is stored in a separate OU. You must decide which platform’s profile data to use to seed the cross-platform settings store. It is referred to as the base platform. If the cross-platform settings store contains a definition file with no data, or the cached data in a single-platform profile is newer than the definition’s data in the store, Profile Management migrates the data from the single-platform profile to the store unless you disable this policy.

Important: If this policy is enabled in multiple OUs, or multiple user or machine objects, the platform that the first user logs on to becomes the base profile. By default this policy is Enabled.