Earlier today I wrote about how to determine the location of your UPM Central Store from a user privilege account. This post takes that a step further to look into all the things that your administrator configured, which you can’t change, but which you can inspect.
Is it a good idea to post things like this?
The Mushroom theory of user support can apply, but I’m going with the open approach. Using the link above, you’ll see the configuration where I’m running. Citrix XenDesktop, with darn near everything on the bleeding edge, nothing at release level and all of it trying to get along with their friends.
The kicker is that I’m on a user privilege account and I’m trying to confirm that Citrix Profile Management is
1. Working as intended and
2. Properly configured.
So far, I’m good on “1” and not good on “2”. Since I’m a “user”, I’m having to figure much of this out from standard user privilege and it’s a pretty fun exercise. The prior post showed how to find your directory in the UPM Central Store. Check, did it. The answer for me is
It is supposed to be
See the prior post for more details on this unfortunate use of the user’s name rather than the username.
Back to this post
The last part of this UNC path ends with …\username\UPM_Profile.
Look in here and you’ll see lots of stuff that looks like a normal user profile.
That part isn’t too interesting except to observe that my “Documents” directory isn’t redirected to a network server. Let’s push on.
Go up one level and we can get some useful stuff.
Now I have something useful!
Profile Management code gets its defaults from a few sources.
- Source code – variable initialization, almost never used as the actual default
- .INI file provided with installation of profile management service. Note: This is not the .INI listed above.
- Active Directory group policy – primary source of settings
Peeking behind the curtain
When profile management performs logoff, one of the things it does is WRITE the .ini file in the user’s directory, UPMSettings.ini. This is done just to assist diagnosis; the file is not read at logon. The good part – it’s readable from user space.
In here are a number of useful items, a trimmed version of mine follows.
[UPM configuration]
LoggingEnabled=1
<cut>
PathToUserStore=\\FTLEPROF01.eng.citrite.net\UPM-XD\Alsace\Win7x86\#CN#
<cut>
SyncExclusionListDir10=AppData\Local\Google\Chrome\User Data\Default\Plugin Data
SyncExclusionListDir11=AppData\Local\Google\Chrome\User Data\Default\Cache
SyncExclusionListDir12=AppData\Local
<cut>
PSMidSessionWriteBack=1
PSEnabled=0
<cut>
BINGO! Found the source of the “Joseph Nord” vs. josephno problem identified in the last post. Look in PathToUserStore and see that the admin plugged in #CN#. They should have put #sAMAccountName# in this spot. Moderate sized booboo.
- Logging is ENABLED!
- They went out of their way to permit Chrome to install on user privilege – user installed applications
- Profile Streaming is DISABLED 🙁
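
As an added example (not from the original post and not Citrix code), here is a short Python audit of the diagnostic UPMSettings.ini text for the three settings discussed here. The sample content is constructed, its server and share names are placeholders, and parsing the file as plain INI text is an assumption.

```python
import configparser

# Constructed sample modelled on the trimmed UPMSettings.ini shown above;
# the server and share names are placeholders, not values from a real farm.
SAMPLE_INI = r"""
[UPM configuration]
LoggingEnabled=1
PathToUserStore=\\fileserver.example\UPM-Store\Win7x86\#CN#
SyncExclusionListDir10=AppData\Local\Google\Chrome\User Data\Default\Plugin Data
SyncExclusionListDir11=AppData\Local\Google\Chrome\User Data\Default\Cache
SyncExclusionListDir12=AppData\Local
PSMidSessionWriteBack=1
PSEnabled=0
"""

def load_upm_settings(text):
    """Parse UPMSettings.ini text into a dict of the [UPM configuration] keys."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(text)
    return dict(parser["UPM configuration"])

def audit_upm_settings(settings):
    """Return (severity, message) findings for the settings the post inspects."""
    findings = []
    store = settings.get("PathToUserStore", "")
    if "#cn#" in store.lower():
        findings.append(("warn", "PathToUserStore uses #CN#; the post expects #sAMAccountName#"))
    # A missing PSEnabled key is treated as disabled (assumption of this example).
    if settings.get("PSEnabled", "0") != "1":
        findings.append(("warn", "Profile streaming is disabled (PSEnabled is not 1)"))
    if settings.get("LoggingEnabled") == "1":
        findings.append(("info", "Logging is enabled; confirm users cannot read the log directory"))
    return findings

def exclusion_dirs(settings):
    """List SyncExclusionListDirN values in numeric order."""
    prefix = "SyncExclusionListDir"
    keys = [k for k in settings if k.startswith(prefix) and k[len(prefix):].isdigit()]
    return [settings[k] for k in sorted(keys, key=lambda k: int(k[len(prefix):]))]

if __name__ == "__main__":
    cfg = load_upm_settings(SAMPLE_INI)
    for severity, message in audit_upm_settings(cfg):
        print(f"[{severity}] {message}")
    print("Excluded:", exclusion_dirs(cfg))
```
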
Profile Streaming is disabled
The .INI setting which controls just in time populate for User Profile Manager is PSEnabled. In this case, it’s zero = disabled. Note, this feature first shipped in profile manager version 3. A year or two in now, with pooled XenDesktop, this SHOULD be enabled.
You may have seen my prior post describing that profile streaming must be expressly enabled. Apparently this hasn’t happened on our dogfood farm and as a user, I’m not happy. I want FAST LOGONS! Always! OKAY – One more item to pass on to the farm administrator.
Also, one more item to stand back and get people to turn things on by default. By “people”, I’m referring to us development types. It doesn’t matter how many new features you have if your customers will not have them enabled. This is a large soapbox of mine, so it’s best I stop here.
Logging is enabled
The profile manager service can be configured to spit out all kinds of information as it runs. My .INI says that in our farm, this is turned on and lots of information is configured to be logged. The location of the log file can be adjusted, but the important part is that it is and SHOULD always be stored in a space where normal users can’t see it. Otherwise, I could see information about other users on the system. The system could be a multi-user machine, such as XenApp, and letting me see outside my world would be wrong.
Inspecting my logs. Survey says, I have no access to the directory that holds the log files, “Access denied”.
Plus 1 for proper configuration.
My next thought is that while much in that log is “admin only”, there is much in there that is specific to me. Bummer that I can’t get to it. This though is enough for me to go back to the farm admins and suggest changes to profile management configuration.

Joe Nord
XenDesktop Personalization Architect
App Virtualization, Profile Management