This blog is a quick note to summarize all the considerations I faced when (re)introducing Mandatory Profiles for a very basic (SMB) Citrix XenApp implementation.
First of all I needed to create a Mandatory Profile on Windows Server 2008 R2, using the following instructions from Mark Swinkels, which stated the following actions:
- Make a local user on the server (Windows Server 2008 R2 in my environment)
- Make the user member of the local administrators group on your server
- Login in with this user and customize for example the start menu
- Logoff and login again with an administrator account
- Create a share on your file server. For example \\[servername]\TSmandatory
(I used a local folder on the XenApp server)
- For share permissions choose Everyone Full Control, NTFS permissions choose Authenticated Users Read
- Turn off Caching on this share
- Copy the complete template folder from the C:\Users directory to the new TSmandatory share
- Rename the template folder to TSmandatory.V2
You have to add the .V2 in the name of your folder, because it’s the new profile type in Windows Server 2008 and 2008 R2!
- Delete the Local and LocalLow folders from the AppData folder
(I forgot this one, very important, see remark lateron)
- The next step is to add the right permissions on the mandatory profile
(I forgot this one as well, resulting in Access Denied error)
- Open REGEDIT and load the NTUSER.DAT hive
- Right-click on the TS Mandatory profile and choose permissions
- Delete the template user and add the Authenticated Users (Full Control)
- Unload the NTUSER.DAT from your registry
- Rename the NTUSER.DAT to NTUSER.MAN
- When you configure a GPO to specify the location of the Mandatory profile, you’ve to choose to following location: \\[servername]\TSmandatory\TSmandatory without the .V2!
I work my way through the above steps too fast and ended up skipping the wrong ones. This resulted in some very annoying errors that took unneccessary time to resolve.
First error I encountered, was an Access Denied when I tried to start my published desktop, which Craig Tolley explained very clearly was due to incorrect registry hive settings within the ntuser.man file in my profile.
The second error was a very slow logon process, showing a “Please Wait for Local Session Manager” message for 2 minutes before completing the logon process. Luckily for me, this was also quickly explained by Phil Lindsey.
So after solving those self-created errors I now have succesfully implemented Mandatory Profiles for my Citrix XenApp farm.
Unfortunately I ran into one more error while testing the function of the mandatory profile, which was due to the new policies on XA6.5 that still disallowed me to log onto the published desktop. I found the explaination (and solution) in the blogpost from Martin Lako
The following sources have been used to create this post:
How to: Create a Mandatory profile in Windows Server 2008 R2
Group Policy Client Service Failed the Login: Access is Denied
Please wait for the Local Session Manager
RDP and ICA (Direct) Desktop Connections Fail to Launch with XenApp 6.0