vWorkspace 6.0 Feature Spotlight: User Profile Management

For anyone who has ever worked on a helpdesk, or as a desktop administrator or Terminal Services/Citrix administrator, it’s no news that user profile management is, and has been, an issue since forever.

Let’s define the problems with Windows User Profiles:

1.  Profile Corruption - Users logon and their profile does not load, leaving them with a temporary profile without any of their personalizations

2.  Logon speed (or lack thereof) - as profiles age the ntuser.dat file grows and the number of files associated with the user’s profile increases.  These cause the user’s logon time to increase over time, starting at 10-15 seconds when the profile is new, and increasing to minutes as time goes on.

3.  It’s not generally accepted to use the same profile for different OSes, i.e. XP and Server 2003.  In an environment with Terminal Services this typically leads administrators to use two completely different user profiles, for example one for the client OS and one for Windows Terminal Services.

4.  Support for application silos - In a Terminal Services or VDI environment users may access multiple hosts to get their applications, often without their knowledge.  Administrators have the option of using local profiles for each system, or risking use of roaming profiles getting bloated and corrupted due to the registry, start menu and app data being populated with items that have nothing to do with the system being used.

5.  Local user profile cleanup (or lack thereof) -  These profiles can consume massive amounts of disk space on shared systems, so administrators usually have to account for this space, or write scripts to delete them.

Via acquisition of Provision Networks in 2007, Quest acquired one of the only commercially available User Profile Management solutions.  The problem was that it only supported Windows Terminal Services.

In January of 2009 Quest released vWorkspace 6.0, the successor to Provision Networks Virtual Access Suite.  In vWorkspace 6.0, User Profile Management (also known as Metaprofiles) now fully supports Terminal Services, Virtual Desktops and Physical PCs.

So how does it work?

User Profile Management in vWorkspace is a client-server application, where there is an agent on the Virtual PC/Physical PC/Terminal Server, and one or more storage servers for maintaining the user settings. 

Everything is managed from the vWorkspace Management Console, and the components are:

Quest Metaprofiles Agent - Installed on virtual and/or physical desktops running Windows XP/Vista, or Terminal Servers running 2000/2003/2008.  Responsible for downloading compressed user settings (xml files) from the storage server, applying the settings at logon, and exporting the settings and deleting the local profile at logoff.

Quest Metaprofiles Storage Service - Installed on a Windows server OS hosting the storage service.  This is typically a dedicated virtual machine but could also be on a physical server.  Since this is a client-server application, there is no Windows File Share associated with the storage service.

Quest Connection Broker Service - responsible for directing the Metaprofiles Agent to the correct Storage Server.

A typical deployment of Quest User Profile Management consists of:

1.  Customized local Default User Profile, containing the minimum base user settings for all users logging on.  Common tweaks include removing desktop icons and favorites, and eliminating the “Customizing your user preferences” dialog that appears when a user logs on for the first time.

2.  Use Group Policy to redirect My Documents, Desktop, Application Data and Start Menu to network file shares, so these are not copied back and forth at logon/logoff and so roaming profiles are not configured.

3.  Define the application settings that users may customize, which users may customize the settings and on which desktop groups or terminal servers the settings will be applied.  These may be registry entries, directories or files.  Best practice would be to let GPO Folder Redirection manage the majority of files, and only use Quest User Profile Management for specific individual files or folders that are not handled by GPO.  Settings may be marked as “global”, meaning they will apply on any system, or “silo”, meaning they will only apply on specific desktop groups or terminal servers.

4.  Install the Microsoft User Profile Hive Cleanup service to ensure that user profiles are successfully unloaded at logoff.

What are the benefits of implementing Quest User Profile Management?

1.  Stable User Profiles - reduced administrative overhead and helpdesk calls

2.  Fast user logons - typically about 10 seconds, vs 30-60 seconds with roaming profiles

3.  Reduced storage requirements for profile data, since only compressed deltas are maintained, not the entire user profile

4.  Reduced number of Virtual PCs to maintain, as administrators can deploy non-persistent (temporarily assigned) desktops, where the user settings are dynamically applied at logon.

5.  No need to clean up local user profiles or configure mandatory or roaming profiles.

6.  Quest User Profile Management is included in all versions of Quest vWorkspace, so it’s another critical feature that won’t require the purchase of another 3rd party user profile management tool.

 


7 Responses to “vWorkspace 6.0 Feature Spotlight: User Profile Management”

  1. Steven Craig

    What would be great is if you had a Windows profile importer, so you can pull an AD profile from AD and import it into your manager, so you wouldn't have to figure out all of the registry settings and what not.

  2. Patrick Rouse

    Steven, I hear you but the problem is that you need to know what you want to allow users to do with their profile, otherwise you end up with them customizing everything which results in a roaming profile. This functionality and Flex Profile Kit (similar freeware) have been around for 5+ years and successfully deployed thousands of times.

    Regshot is your friend to figure out what your applications do. Run regshot, open your application, make a change, i.e. toolbar placement, run regshot again and it will compare your registry before and after to show what was changed. 90% of the time it’s hkcu\software\vendor\product, which is pretty simple.

    This works really well when deployed and solves the problems with roaming profiles. Other profile management products have the same problem as roaming profiles, in that over time the amount of deltas being tracked bloat to a size that negatively affects logon and logoff times.
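The before/after registry comparison described in the comment above, as an added example (not code from the post, Regshot or Quest). The snapshots are constructed text in `.reg` export style, and `ExampleVendor\ExampleApp` and the value names are hypothetical.

```python
# Constructed registry snapshots in .reg export style, taken before and after
# moving a toolbar in a hypothetical application (ExampleVendor\ExampleApp).
BEFORE = r"""
[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"ToolbarDock"="top"
"Version"="1.0"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"LastRun"="08:00"
"""
AFTER = r"""
[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"ToolbarDock"="left"
"Version"="1.0"
[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp\Layout]
"Width"="800"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"LastRun"="08:05"
"""

def parse_snapshot(text):
    """Map (key, value name) -> raw data for every value in the snapshot."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, data = line.split("=", 1)
            values[(key, name.strip('"'))] = data
    return values

def diff_snapshots(before, after):
    """Return (added, removed, changed) lists of (key, value name)."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    changed = sorted(k for k in after if k in before and after[k] != before[k])
    return added, removed, changed

def touched_roots(before, after, depth=4):
    """Group every touched value under its HKCU\\Software\\vendor\\product root."""
    roots = {}
    for group in diff_snapshots(before, after):
        for key, name in group:
            root = "\\".join(key.split("\\")[:depth])
            roots.setdefault(root, set()).add(name)
    return roots

if __name__ == "__main__":
    b, a = parse_snapshot(BEFORE), parse_snapshot(AFTER)
    for root, names in sorted(touched_roots(b, a).items()):
        print(root, sorted(names))
```

Grouping by root separates the application's own key from unrelated shell changes captured in the same window, so only the former is authorized to persist.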

  3. Steven Craig

    Ok, thanks. But what I need to figure out is how to convert the lockdown I have done for our Windows Server 2008 in Active Directory, over to your profile management. I have locked down everything including them not being able to even see the C:\ drive in My Computer. They can access their folder with the documents and what not still. But it's locked down to the max. How can I see how to do all the lock downs and customizations like IE UNC path security profile settings (allow the user to run an exe via a UNC path without the security warning dialog) and what not in your system... that is where I'm confused.

  4. Patrick Rouse

    Profile Management is not about locking down the system, but rather authorizing what application and shell settings end users may change, vs giving them a roaming profile that bloats out of control and becomes unstable, or a completely inflexible mandatory profile. So you may continue to use what you have designed, along with Quest’s User Profile Management. User Profile Management is 90% about authorizing what parts of the registry end users may retain from session to session.

  5. Sean Clark

    I’m curious what happens if a session gets locked and has to be reset. Will Profile-IT save those changes? Or does that only happen at Log Off?

  6. Patrick Rouse

    Settings are only exported at logoff, but if someone were logged onto more than one system at the same time, we overcome the last logoff wins scenario by date/time stamping every setting that is exported, so one can make changes in all sessions without them being overwritten.

    The idea of writing HKCU settings directly to the network introduces concerns about scalability and stability. What we do has been done for 6+ years in a shipping product and is being used by thousands of customers on Citrix, Terminal Services and VDI.

    By the way, the User Environment Configuration features of vWorkspace have been ported to VDI (vWorkspace Desktop Edition) in 7.0 which is scheduled to ship in December.
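A sketch of the per-setting timestamp merge described in the comment above, next to whole-profile "last logoff wins", as an added example (not Quest's code). The export format, the setting names and the assumption that each stamp records when the setting was last changed are all hypothetical; the post does not describe the real format.

```python
from datetime import datetime

def stamp(hhmm):
    """Constructed timestamp on a single sample day."""
    return datetime.fromisoformat("2009-03-02T" + hhmm + ":00")

APP = "HKCU\\Software\\ExampleVendor\\ExampleApp\\"   # hypothetical application key

# Constructed exports: setting -> (value, time the setting was last changed).
STORED = {APP + "Toolbar": ("top", stamp("08:00")),
          APP + "Font": ("Arial", stamp("08:00"))}
# Terminal server session, logged off last (17:00): moved the toolbar at 09:10.
SESSION_A = {APP + "Toolbar": ("left", stamp("09:10")),
             APP + "Font": ("Arial", stamp("08:00"))}
# VDI session, logged off first (16:00): moved the toolbar at 09:45, changed the font.
SESSION_B = {APP + "Toolbar": ("bottom", stamp("09:45")),
             APP + "Font": ("Consolas", stamp("09:30"))}

def last_logoff_wins(stored, exports_in_logoff_order):
    """Roaming-profile style: every logoff overwrites the whole stored profile."""
    profile = dict(stored)
    for export in exports_in_logoff_order:
        profile = dict(export)
    return profile

def merge_by_setting(stored, exports):
    """Per-setting merge: for each setting keep the value with the newest stamp."""
    merged = dict(stored)
    for export in exports:
        for path, (value, changed_at) in export.items():
            if path not in merged or changed_at > merged[path][1]:
                merged[path] = (value, changed_at)
    return merged

def values(profile):
    """Strip key paths and stamps for display: value name -> value."""
    return {path.rsplit("\\", 1)[-1]: value for path, (value, _) in profile.items()}

if __name__ == "__main__":
    print(values(last_logoff_wins(STORED, [SESSION_B, SESSION_A])))
    print(values(merge_by_setting(STORED, [SESSION_B, SESSION_A])))
```

The merge trusts the stamps, so in a sketch like this the hosts producing the exports need synchronised clocks.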

  7. Christian Benn

    The company I work for is thinking about implementing vWorkspace User Profile Management. Since we currently are running a VDI environment using vWorkspace, this should not be a problem.

    I spoke with another administrator that is running a Citrix Terminal Services environment and is looking for a user profile management tool. Can the Quest User Profile Management tool be purchased separate of vWorkspace \ is it licensed separately?
