Mandatory Profile Considerations

This blog is a quick note to summarize all the considerations I faced when (re)introducing Mandatory Profiles for a very basic (SMB) Citrix XenApp implementation.

First of all I needed to create a Mandatory Profile on Windows Server 2008 R2, using the following instructions from Mark Swinkels, which stated the following actions:

  • Make a local user on the server (Windows Server 2008 R2 in my environment)
  • Make the user member of the local administrators group on your server
  • Login in with this user and customize for example the start menu
  • Logoff and login again with an administrator account
  • Create a share on your file server. For example \\[servername]\TSmandatory 
    (I used a local folder on the XenApp server)
  • For share permissions choose Everyone Full Control, NTFS permissions choose Authenticated Users Read
  • Turn off Caching on this share
  • Copy the complete template folder from the C:\Users directory to the new TSmandatory share
  • Rename the template folder to TSmandatory.V2


You have to add the .V2 in the name of your folder, because it’s the new profile type in Windows Server 2008 and 2008 R2!


  • Delete the Local and LocalLow folders from the AppData folder
    (I forgot this one, very important, see remark lateron)
  • The next step is to add the right permissions on the mandatory profile
    (I forgot this one as well, resulting in Access Denied error)
  • Open REGEDIT and load the NTUSER.DAT hive
  • Right-click on the TS Mandatory profile and choose permissions
  • Delete the template user and add the Authenticated Users (Full Control)
  • Unload the NTUSER.DAT from your registry
  • Rename the NTUSER.DAT to NTUSER.MAN
  • When you configure a GPO to specify the location of the Mandatory profile, you’ve to choose to following location: \\[servername]\TSmandatory\TSmandatory without the .V2!

    Lessons learned

    I work my way through the above steps too fast and ended up skipping the wrong ones. This resulted in some very annoying errors that took unneccessary time to resolve.

    First error I encountered, was an Access Denied when I tried to start my published desktop, which Craig Tolley explained very clearly was due to incorrect registry hive settings within the file in my profile.

    The second error was a very slow logon process, showing a “Please Wait for Local Session Manager” message for 2 minutes before completing the logon process. Luckily for me, this was also quickly explained by Phil Lindsey

    So after solving those self-created errors I now have succesfully implemented Mandatory Profiles for my Citrix XenApp farm.


    Unfortunately I ran into one more error while testing the function of the mandatory profile, which was due to the new policies on XA6.5 that still disallowed me to log onto the published desktop. I found the explaination (and solution) in the blogpost from Martin Lako



    Esther Barthel
    Solutions Architect at cognition IT

    Esther has been working in different roles and functions as an IT consultant ever since she finished her Masters degree in Computer Science in 1997. She has worked as a web developer, database administrator, and server administrator until she discovered how Server-Based Computing ( SBC ) combined servers, desktops, and user experience in one solution. Esther has been specializing in virtualization solutions such as SBC, VDI, application, and server virtualization for over eight years now and is currently working as a Senior Consultant at PepperByte, where she designs and implements Citrix® solutions for both small-business and large-enterprise infrastructures scaling from 100 to 15,000 users.
    In january 2014 her first book Citrix XenApp 6.5 Expert Cookbook was published by Packt Publishing.

    Esther is awarded as a Citrix Technology Professional (CTP) from 2015 - 2017.
    Esther is awarded as a Microsoft Most Valuable Professional (MVP) in 2017.

    Esther is a Citrix Certified Expert – Virtualization (CCE-V), Citrix Certified Professional – Mobility (CCP-M), Citrix Certified Professional – Networking (CCP-N) and RES Software Certified Professional (RCP).