Bri forum 2005 inside flex profiles - jeroen van de kamp

April 11, 2005 BriForum 2005: Washington DC 1

April 11-12, 2005

Jeroen van de Kamp

Inside Flex Profiles


Agenda

• To Flex or not to Flex…• Flex Basics• Mandatory Profiles Configuration• Profile Folder Content Redirection• Optimizing Performance • Timing is of Essence• Printer Tactics• Flex Framework• Migration Strategies

April 11-12, 2005

To Flex or not to Flex…



• Why use Flex?– Constant/faster logons or logoffs– No profile shares, backup or maintenance– No more profile corruption & deletion– Granular control over profile content

• Roaming = Unmanaged• Flex = Managed

– Saving personal settings over WAN– Prevent profile conflicts with application silo’s



SAPServer

\\FileServer\TSProfiles\MrSmith\ntuser.dat

OfficeServer



• Alternatives– Commercial Products

• Hybrid Profiles• Jumping Profiles• Managed Profiles• Meta Profiles• WTS Profiles• Appsense Environment Manager• Simplify Profiles

– Separate profile path through 2003 GPO



• Flex Considerations– No GUI– Some scripting required– It is a concept, not a software product– Limitation: no root certificates

• Flex Positives– Free– Simple– No additional hard/software required– Saves both Registry & Files/Folders– Compression (Flex Framework Feature)– Allows unconventional solutions

April 11-12, 2005

Flex Basics


Flex Basics

• Four ingredients1. A Mandatory Profile2. The Office Profile Wizard (proflwiz.exe)3. Configured through INI file 4. Saved in OPS file

• Logon Script > Restoring Settings– proflwiz.exe /r H:\Settings.ops /q

• Logoff Script > Saving Settings– proflwiz.exe /s H:\Settings.ops /i Settings.INI /q


Flex Basics

Hex Edit Proflwiz.exe:


Flex Basics

• Use Resource Hacker to change profile wizard progress indicator


Flex Basics

• Configuration INI file: Files & Folders

[Header]Version = 11.0Product = Microsoft Office 11.0 [IncludeFolderTrees]<AppData>\Microsoft\Outlook

[IncludeIndividualFolders]<AppData>\Microsoft\Office

[IncludeIndividualFiles]<AppData>\Windows\saplogon.ini

[ExcludeFiles]*.pst


Flex Basics

• Configuration INI File: Registry

[IncludeRegistryTrees]HKCU\Software\Microsoft\Office\11.0\Outlook

[IncludeIndividualRegistryKeys]HKCU\Software\Microsoft\Office\Outlook

[IncludeIndividualRegistryValues]HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Device

[ExcludeRegistryTrees]HKCU\Software\Policies [ExcludeIndividualRegistryKeys]HKCU\Software\Microsoft\Office\11.0\Outlook\IM [ExcludeIndividualRegistryValues]HKCU\Software\Microsoft\Office\11.0\Outlook\IM\Enabled


Flex Basics

• Use UPH Cleaning service

• Case Sensitive– <AppData>– <UserProfile>– Etc..

• Do not use:[SubstituteEnvironmentVariables]%USERPROFILE%%USERNAME%

• Spaces are not supported in INI filename


Flex Basics

• Avoid generic configuration

• Store settings in separate OPS files for improved manageability:

– Windows_IE– Printers– Office– Apps

• Beware of “locked files” or registry permission issues– Use Filemon & Regmon– <UserProfile>\Local Settings\Application Data\Microsoft\

Windows\UsrClass.dat

• INI files in Flex_Config\ProfilesSettings are templates, evaluate each setting before you use them


Capturing Settings

• Regshot!

• Use server/workstations without other users

• Finding Application Settings1. Take 1st regshot 2. Start application, make change, stop application3. Take 2nd regshot 4. Compare

• Finding Windows settings1. Logon as administrator (Console)2. Logon with a user using a normal profile (RDP)3. Take 1st regshot with administrator4. Make change as user5. Logoff the user6. Logon again with that user7. Take 2nd regshot with the administrator8. Compare

April 11-12, 2005

Profile Configuration


Mandatory Profile

• Single enterprise wide mandatory TS profile for all users

• Use a fresh Windows server – No domain membership (GPO pollution)– Create New account– Logon– Configure basic Windows settings– Logoff

• Configure Profile– Copy Profile– Load as hive in Regedit


Mandatory Profile

• Reset permissions in profile– System Full Control– Administrators Full Control– Authenticated Users Full Control

• As “clean” as possible– No application settings– No user specific information– No policies– Do not delete root folders

• Use 2003 profile on mixed 2000 & 2003 terminal servers


Profile Folder Redirection

• GPO– Always UNC– Desktop UNC path visible in explorer– UNC based Application Data path can cause problems– Only basic folder redirection

• True Control Template– Redirection based on drive letters– All folders can be managed– Application Data must also be configured in the

mandatory profile



• Hardcode in mandatory profile– Sometimes the preferred method: robust– Custom system variables can be used for additional

flexibility– HKCU\Software\Microsoft\Windows\CurrentVersion\

Explorer\User Shell Folders

• Flex instead of P.F.R.– Increases logon/logoff times– Decreases load on Fileserver– Can improve performance of applications– Higher load on server resources during logon/logoff



• Always use P.F.R. for:– Desktop– My Documents– My Pictures

• Evaluate P.F.R. or Flex for:– Application Data– Favorites– Cookies– Templates

• Not recommended for P.F.R.:– Local Settings– History– Start Menu

April 11-12, 2005

Best Practices


Optimizing Performance

• Don’t run save/restore directly in network share

• SMB– File & Print Services, the weakest link– P.F.R. increases load on fileserver– “Application Data” biggest performance risk– SMB Tuning is vital: MS KB324446– Search Google/Technet: MaxCmds

• Beware of– Virus scanner– Monitoring & Management Software– Clamping Software

• Flex Logon/Logoff require additional CPU & Disk I/O


Timing is of Essence

• Logon Process1. Load profile2. Apply GPO’s3. Run GPO logon script4. Map TS Homedrive5. Run AD logon script 6. Process Appsetup7. Application / Desktop is started

• TS Homedrive is not available in GPO logon script

• Consider using AD logon script or AppSetup

• Run Flex first in the logon script

• Machine > Admin Templates > System > User Profiles– “Delete Cached Copies Of Roaming Profiles”


Printer Tactics

• Prevent roaming printers: save printer settings in %Clientname%.ops

• Network Printing on Silo’s– Use single silo for printer configuration/management– Use single OPS file for printer settings: printer.ops– Load printer.ops on other silo’s during logon– Create printer wizard script to save settings in printers.ops

AddPrinter.cmdrundll32.exe shell32.dll,SHHelpShortcuts_RunDLL AddPrinterproflwiz.exe /s “H:\Flex\Printers.ops /i PRINTER.INI /q

– Restart Silo Application (logoff & logon) to load new printer settings


Printer Tactics

OfficeSILO

SAPSILO

ReflectionSILO

PRINTER.OPS

April 11-12, 2005

Flex Framework


Flex Framework

• Features FF 1.0 – Central Configuration– Simplified configuration– Configuration per application– Support for server or workstation groups– Easy & lightweight deployment– Compression– Windows appearance support– Password support– Error messages


Flex Framework

• Installation Procedure1. Deploy the Flex_Framework.MSI on all

terminal servers or workstations2. Unpack "Flex_Config.zip" in a central

redundant share3. Configure the Framework.INI4. Configure the "ProfileSettings" folder5. Add FF in the logon & logoff script


Central Configuration


Simplified configuration

• Flex_Framework.INI– [MAIN]– REFRESH_WINDOWS_APPEARANCE=0– REFRESH_KEYBOARD=0– REFRESH_MOUSE=0– ENABLE_PASSWORDS=0– ENABLE_CERTIFICATES=0– COMPRESSION=0– COMPRESSION_PRIORITY=NORMAL

– [LOCATIONS]– STOREROOT=1– STOREFOLDER=SETTINGS\FLEX

– [ERRORMESSAGES]– DISPLAY_FRAMEWORK_ERROR=1– DISPLAY_PROFLWIZ_ERROR=0


Configuration Per Application


Server / Workstation Groups


Server / Workstation Groups


Flexible Configuration

CSCRIPT /NOLOGO [PATH_TO_FRAMEWORK.VBS]

[LOGON / LOGOFF] [PATH_TO_FLEX_CONFIG]

• Copy the “Flex_Config” folder for a separate configuration

• Enable or disable compression “on the fly”

• Dynamic INI file configuration; remove or add INI files effective immediately


Inside Flex Framework

• Certificate Support– Certificates are not allowed with mandatory profiles– Profile “spoofing” required: temporary roaming profile– HKLM\Software\Microsoft\Windows NT\Currentversion \

Profilelist\SID\STATE– Grant special permission “set value” for Authenticated

Users!– Flex Framework Logon sets STATE to 256 (Roaming)– Flex Framework Logoff sets STATE to 133 (Mandatory)– Root certificates are not supported (yet)





• Certificate Support Alternative– Windows 2003 only– Configure TS profile path (dummy) through GPO

• Computer > Admin Templates > Windows Components > Terminal Services– Set Path for TS roaming profiles

– Backup and empty Default User profile– Copy mandatory profile in Default user– Rename ntuser.man into ntuser.dat– Enable GPO

• Computer > Admin Templates > System > User Profiles – Prevent Roaming Profile Changes to propagating to the server



• Password Support– HKCU\Software\Microsoft\Protected Storage System

Provider– By default only System has is permissions– FF pre-creates password key during logon

• To Compress or not to Compress…– Compression can hog CPU– Set compression priority– Use to improve overall logon/logoff performance



• Mouse & keyboard refresh– Mouse & keyboard are normally client specific– When enabled Mouse & Keyboard become user

specific

• Storeroot– Auto (1) recommended when TS homedrives are used– Personal settings with an Anomynous account:

STOREROOT=\\Client\C$

• Error Messages– Logfile %userprofile%\FF_Error.txt– Use Display_Framework_Error=2 only for

troubleshooting


Trouble Shooting FF

• User>Administrative Templates>System>Scripts– Run logon scripts synchronously: Enabled

• HKLM\System\CurrentControlSet\Control\FileSystem– NtfsDisable8dot3NameCreation=0

• Remove section– [SubstituteEnvironmentVariables]

• Verify the OPS file with OPSview.exe

• Does the problem also exist with roaming profiles?

April 11-12, 2005

Migration Strategies



• Migration scenario1. Install Framework.msi on all servers2. Setup mandatory profile3. Create Flex Group4. Configure INI files5. Configure folder redirection (or use Flex)6. Add Flex Framework logoff script7. Add Flex Framework logon script for members of Flex

group 8. Run migration script

• Check for OPS file existence• Change TS profile path• Add user in Flex group



• Migration without changing AD user property– Windows 2003 only– Configure TS profile path (dummy) through GPO

• Computer > Admin Templates > Windows Components > Terminal Services– Set Path for TS roaming profiles

– Backup and empty Default User profile– Copy mandatory profile in Default user– Rename ntuser.man into ntuser.dat– Enable GPO

• Computer > Admin Templates > System > User Profiles – Prevent Roaming Profile Changes to propagating to the server


Office Migration

• [IncludeFolderTrees]– <AppData>\Microsoft\Proof– <AppData>\Microsoft\Signatures– <AppData>\Microsoft\Stationery– <AppData>\Microsoft\Templates

• [IncludeRegistryTrees]– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows

Messaging Subsystem– HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\

Outlook

• Outlook PRF file[General]Custom=1DefaultProfile=YesOverwriteProfile=NOModifyDefaultProfileIfPresent=TRUE

April 11-12, 2005

Flex Framework 1.1


Flex Framework 1.1

• Support for Windows MUI• Variable support for StoreRoot &

Storefolder• Redundant OPS file removal• Backup optional• Direct OPS Loading from Store


Credits

• Contributors– Dennis Damen– Jakobo– BrianSerous– Citrix44u– Erwin Vollering– NeilH– Magnarj– Looble– And the others..

http://portal.loginconsultants.nl

Date post:	18-Nov-2014
Category:	Technology
Upload:	jkorell
View:	1,435 times
Download:	1 times

Bri forum 2005 inside flex profiles - jeroen van de kamp

Technology