Version 3.2 of Profile Manager is out and available for download from It is the second release of the just in time streaming stuff and if you’re like me, you’re moving up!  In Joe’s world, I have the luxury of not having real users to worry about, but stick with me on the idea – out with the old, in with the new.  

User Profile Manager has this awesome behavior of “install and forget”; it doesn’t require much day to day management and once installed it does the broad stroke of moving user settings from machine to machine without requiring much supervision and generally speaking, once installed, you don’t have to worry about it until the next time you move up.

In moving up to 3.2, I replaced the ADM template on the domain controller to match the new version of the UPM code and there, I get to questions.  Questions which I don’t know the answer to and even after reading the help text and the official ADM reference, I still don’t know the answer. 

Who is a “local administrator”?

Conveniently, I have access to “smart people” – let’s call him John.  John can answer these things.  I share the outcome…

First – a description of the execution environment

I have a small domain and a handful of computers with multiple user accounts on the domain.  Most of the time, I use the “josephno” account which has admin rights on each of the computers.  Sometimes I use a user account, a real user account. 

Yes, these are test computers, but YES – I still like the use of profile manager.  Things stay steady as I move from computer to computer and even when installing new computers – it just works and works good.  Settings are steady and I don’t have to reconfigure everything eight times a week.

Process logons of local administrators

If the domain user josephno (jhn\josephno) is a member of the local machine “administrators” group, what does UPM do at logon?  Am I a local machine admin?  I sure think I am – I can do all kinds of admin things like installing applications.

I’m a member of the domain users group, but not a domain admin.  My domain account IS a member of each of the test computers administrators group.  This means that I’m a local machine administrator on every box.

What I want

The idea of the UPM setting is that if everything comes unglued and you need to logon to repair UPM, then you don’t want UPM to process things during the repair session logon activity.  In my case, I want to be a local machine admin so I can install things and configure things, but I also want my settings to roam across the domain.  These seem counter goals.

I read the official docs.  Let’s dissect.  To start, our pubs people have done an excellent job.  I really throw rocks at myself and the dev/test team for not getting them enough details to them to make it “right”.

Dissect the official text
> Specifies whether logons of members of the local Administrators group are processed by Profile management.

Thanks for that nice intro.

> If this setting is disabled, logons by local administrators are not processed by Profile management.

Great – Who is a “local administrator”?

> If this setting is not configured here, the value from the .ini file is used. If this setting is not configured here or in the .ini file, administrators will not be processed.

While technically 100% accurate, this isn’t particularly useful.  What is the value in the .INI file?  At least the comment tells me what the code’s default is (disabled). 

So far all I know is that I need to set the domain setting so I can be sure a random default in the .INI file isn’t going to interfere.

> This setting corresponds to the ProcessAdmins setting in the .ini file.

That’s good to know – I have a domain, so won’t be using the .INI file but it is comforting that this actually useful information is in the docs.

“John’s” response> From memory “process local admins” means process domain users who are local server admins, not server local admins. 

Reading that in email, it all made great sense even with the words reversing all over the place.  Maybe because he later inspected the code to confirm.


This setting behaves EXACTLY as it should.  When Enabled, if I am a domain user who happens to be a local machine admin, my profile IS processed.   The slight follow-on is that if I am a local machine user who is also a local machine admin, the profile is not processed – ever.  Local machine users aren’t processed even if users.   Yes, this seems obvious now.  Thought I’d spread the word.

Joe Nord
Product Architect – Citrix Systems XenApp Product Group

App Streaming, Profile Manager, Encrypted Data Plug-in