UPM not working for citrix roaming profiles

[Bruce McDonald]

I have setup a Citrix 7.9 XA/XD Site using Netscaler vpx 11 and Storefront 3.6 and everything is working so far except I am having a lot of trouble getting UPM to work for roaming profiles. My environment is all Windows Server 2012 and I have a number of the servers setup as shared desktops which are load balanced.

 

I have followed a few different guides to get UPM to work but I've mostly stuck to this one

http://www.carlstalhood.com/citrix-profile-management/

 

I cannot get a profile to logon and for the profile to get created in the user store path I have setup, when I try to logon I get a Windows Security message "these files can't be opened". This is a share on a Windows 2012 server, all the correct perms have been applied and this is where I would like all my profiles to be stored.

 

I am using UPM v 5.4.1.6105 with GPOs admx and adml files v 5.4.1. I have imported these into sysvol

 

Errors I am getting in userprofilemanager log files are - see attached log

 

Any help would be appreciated.

 

Here is a copy of my GPO

Citrix VDA Computer Settings Data collected on: 21/02/2017 4:02:22 PM

hide all

Generalhide

Detailshide

Domain blah.net Owner blah\Domain Admins Created 24/01/2017 2:18:10 PM Modified 20/02/2017 4:43:30 PM User Revisions 0 (AD), 0 (SYSVOL) Computer Revisions 31 (AD), 31 (SYSVOL) Unique ID {XXXXXXXXXXXXX-XXXXXX1BF4B40A} GPO Status Enabled

 

Linkshide

Location Enforced Link Status Path Citrix7.9RDSH No Enabled blah.net/blah/au.blah.net/Servers/Citrix7.9RDSH
This list only includes links in the domain of the GPO.

 

Security Filteringhide

The settings in this GPO can only apply to the following groups, users, and computers:

Name NT AUTHORITY\Authenticated Users

 

 

Delegationhide

These groups and users have the specified permission for this GPO

Name Allowed Permissions Inherited blah\Domain Admins Edit settings, delete, modify security No blah\Enterprise Admins Edit settings, delete, modify security No NT AUTHORITY\Authenticated Users Read (from Security Filtering) No NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No NT AUTHORITY\SYSTEM Edit settings, delete, modify security No

 

Computer Configuration (Enabled)hide

Policieshide

Administrative Templateshide

Policy definitions (ADMX files) retrieved from the central store.

Citrix/Profile Managementhide

Policy Setting Comment Active write back Disabled   Enable Profile management Enabled   Path to user store Enabled   Absolute path or path relative to the home directory: \\home.au.blah.net\CtxProfiles79\#SAMAccountName# Policy Setting Comment Process logons of local administrators Enabled  

Citrix/Profile Management/Advanced settingshide

Policy Setting Comment Process Internet cookie files on logoff Enabled  

Citrix/Profile Management/File systemhide

Policy Setting Comment Exclusion list - directories Enabled   List of directories to exclude: $Recycle.Bin AppData\LocalLow !ctx_roamingappdata!\Microsoft\AppV\Client\Catalog !ctx_localappdata!\Microsoft\Office\15.0\Lync\Tracing Tracing !ctx_localappdata!\Packages !ctx_localappdata!\Microsoft\Windows\Application Shortcuts !ctx_localappdata!\Microsoft\UEV !ctx_localappdata!\GroupPolicy !ctx_internetcache! !ctx_localappdata!\Microsoft\Windows\Burn !ctx_localappdata!\Microsoft\Windows\CD Burning !ctx_localappdata!\Microsoft\Windows Live !ctx_localappdata!\Microsoft\Windows Live Contacts !ctx_localappdata!\Microsoft\Terminal Server Client !ctx_localappdata!\Microsoft\Messenger !ctx_localappdata!\Microsoft\OneNote !ctx_localappdata!\Microsoft\Outlook !ctx_localappdata!\Microsoft\AppV !ctx_localappdata!\Windows Live !ctx_localappdata!\Sun !ctx_localappdata!\TileDataLayer !ctx_localappdata!\Microsoft\Windows\Notifications !ctx_localsettings!\Temp !ctx_roamingappdata!\Sun\Java\Deployment\cache !ctx_roamingappdata!\Sun\Java\Deployment\log !ctx_roamingappdata!\Sun\Java\Deployment\tmp !ctx_localappdata!\Google\Chrome\User Data\Default\Cache !ctx_localappdata!\Google\Chrome\User Data\Default\Cached Theme Images !ctx_localappdata!\Google\Chrome\User Data\Default\JumpListIcons !ctx_localappdata!\Google\Chrome\User Data\Default\JumpListIconsOld !ctx_startmenu! AppData\Local\Microsoft\Windows\INetCache Policy Setting Comment Exclusion list - files Enabled   List of files to exclude: !ctx_localappdata!\Microsoft\Windows\UsrClass.dat*

Citrix/Profile Management/Profile handlinghide

Policy Setting Comment Delay before deleting cached profiles Enabled   Delay (seconds): 40 Policy Setting Comment Delete locally cached profiles on logoff Enabled   Local profile conflict handling Enabled   If both a local Windows user profile and a Citrix user profile in the user store both exist: Delete local profile

Citrix/Profile Management/Registryhide

Policy Setting Comment Exclusion list Enabled   Exclusion list: Software\Microsoft\AppV\Client\Integration Software\Microsoft\AppV\Client\Publishing

Citrix/Profile Management/Streamed user profileshide

Policy Setting Comment Profile streaming Enabled  

 

User Configuration (Enabled)hide

No settings defined.

 

[Bruce McDonald]

Why are you loading the ntuser.dat hive on the profile server? You should be loading the hive on each xendesktop server and then edit the permissions on the ProtectedRoots folder, thats what I had to do because I setup my Citrix environment by cloning VMs off a VM template that had an edited default user. In hindsight what I should have done was build my citrix xendesktop servers from the windows ISO.

[Abdullah Sayeed]

Thank you Bruce ... It worked like a charm. 

[Hyperion IT Infrastructure]

Does this fix also apply to W2016 ?  I have a similar issue with no UPM profile being created

[Bruce McDonald]

11 hours ago, Hyperion IT Infrastructure said:

Does this fix also apply to W2016 ?  I have a similar issue with no UPM profile being created

I am not sure, I have not used W2016 but it depends on how you built your Citrix servers, did you build them off the W2016 ISO's or did you create them from VM templates for example? That was my issue, I created my Citrix servers off a VM template and so I had to manually edit the ntuser.dat on each of my Citrix Xenapp servers.

 

To see whats going on you need to enable Logging for the Logon and Logoff events and then check those logs out.

[Infrastructure Team]

it just did for me on windows 2016 DC

[Lucas Carvalho Francoi]

On 3/14/2017 at 9:38 AM, Wayne Bedwell1709152239 said:

Hi Bruce

 

Yes I've loaded and edited the hive permissions locally, I had to make Administrators the Owner then add System , and make that the owner, and all seems to be working OK.

 

Thanks

Worked to me! Thank you!