How to Configure a File Server for Hosting User Profiles

This article is part of Helge’s Profile Toolkit, a set of posts explaining the knowledge and tools required to tame Windows user profiles.

Setting up a network share on a file server for hosting user profiles is not too difficult if you follow the steps outlined in this article. The recommendations I give here apply to both Windows roaming profiles and Citrix Profile Management (UPM) profiles.

Server Load

Roaming Profiles

Roaming user profiles can place a considerable load on the file server. As is the nature of roaming profiles, the maximum load typically occurs during peak logon hours. If your organization has 1,000 users who log on every day, 800 of those might be logging on in a very small time window between 8:30 and 9:00 am. While that is a trivial observation, it causes a great amount of stress for the file server, because 800 profiles need to be served in only 30 minutes, which is one profile every 2.25 seconds. If each profile consists of 1,000 files, the file server needs to serve one file every 2 milliseconds, which is pretty tough. Consider that when planning file server capacity, and make sure to take measurements during peak logon hours.

Citrix Profile Management

Citrix Profile Management with on-demand streaming enabled reduces the load during peak logon hours considerably since files are loaded only when actually accessed, but it creates a constant load for the entire duration of the user sessions, which needs to be taken into account, too.


Roaming Profile File Share

Permissions

Set these permissions on the root of a profile share to enable it for roaming profile storage. When Windows creates a new roaming profile, it acts on behalf of the user: it “impersonates” that user. Therefore we must make sure that each user may create new folders, while also ensuring that each user may access only his own profile folder.

These permissions apply both to traditional Windows roaming profiles and to the user store where Citrix Profile Management keeps its profiles.

NTFS permissions:

  • Administrators: full control
  • SYSTEM: full control
  • Authenticated users: list folder/read data & create folders/append data, this folder only
  • Creator/Owner: full control, subfolders and files only

Share permissions:

  • Everyone: change
  • Administrators: full control

You should use SetACL Studio to manage permissions, of course.
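The same permissions can also be set with the built-in PowerShell cmdlets. The script below is an added example, not code from the original article; the path D:\Profiles and the share name Profiles$ are hypothetical, and it assumes that inheritance is disabled on the share root and that the Administrators and SYSTEM entries apply to the folder, its subfolders and files.

```powershell
# Added example. $Path and $Share are hypothetical; run elevated on the file server.
$Path  = 'D:\Profiles'
$Share = 'Profiles$'

# Well-known SIDs are used so the script does not depend on localized names.
$WellKnown = @{
    Administrators     = 'S-1-5-32-544'
    System             = 'S-1-5-18'
    AuthenticatedUsers = 'S-1-5-11'
    CreatorOwner       = 'S-1-3-0'
    Everyone           = 'S-1-1-0'
}

function New-Ace([string]$Sid, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    $id = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    [System.Security.AccessControl.FileSystemAccessRule]::new($id,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

New-Item -Path $Path -ItemType Directory -Force | Out-Null
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)   # assumption: no inherited entries on the root
$all = 'ContainerInherit, ObjectInherit'      # this folder, subfolders and files
$acl.AddAccessRule((New-Ace $WellKnown.Administrators 'FullControl' $all 'None'))
$acl.AddAccessRule((New-Ace $WellKnown.System 'FullControl' $all 'None'))
# Authenticated users: list folder/read data & create folders/append data, this folder only
$acl.AddAccessRule((New-Ace $WellKnown.AuthenticatedUsers 'ListDirectory, CreateDirectories' 'None' 'None'))
# Creator/Owner: full control, subfolders and files only
$acl.AddAccessRule((New-Ace $WellKnown.CreatorOwner 'FullControl' $all 'InheritOnly'))
Set-Acl -Path $Path -AclObject $acl           # replaces the folder's DACL

# Share permissions: Everyone change, Administrators full control.
# New-SmbShare fails if a share with this name already exists.
$name = { param($s) [System.Security.Principal.SecurityIdentifier]::new($s).Translate(
          [System.Security.Principal.NTAccount]).Value }
New-SmbShare -Name $Share -Path $Path -ChangeAccess (& $name $WellKnown.Everyone) `
             -FullAccess (& $name $WellKnown.Administrators) | Out-Null

# Review the result before pointing profile paths at the share.
(Get-Acl $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
Get-SmbShareAccess -Name $Share
```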

Enable these group policy settings for all computers where users log on with roaming profiles, namely physical and virtual client PCs and terminal servers.

  • Do not check for user ownership of Roaming Profile Folders
    in Computer Configuration \ Administrative Templates \ System \ User Profiles
    Disabling this check speeds up logons slightly and may greatly reduce profile problems.
  • Add the Administrators security group to roaming user profiles
    in Computer Configuration \ Administrative Templates \ System \ User Profiles
    When a new roaming profile directory is created, Windows disables permission inheritance and grants SYSTEM and the profile’s user account full control. That makes user profiles inaccessible to administrators, which prevents them from performing maintenance. If this policy setting is enabled, the group “Administrators” is given full control on new profile folders, too.
    Note that this applies to new profiles only. Profiles created before this policy setting was in place lack the entry for “Administrators”.
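To find the older profile folders that lack the “Administrators” entry, the share root can be audited. The script below is an added example, not code from the original article; the path in $Root is hypothetical.

```powershell
# Added example. $Root is a hypothetical path to the profile share root.
$Root      = 'D:\Profiles'
$adminsSid = 'S-1-5-32-544'    # well-known SID of the local Administrators group
$full      = [System.Security.AccessControl.FileSystemRights]::FullControl
$sidType   = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($dir in Get-ChildItem -Path $Root -Directory) {
    try {
        $acl   = Get-Acl -Path $dir.FullName -ErrorAction Stop
        # Explicit and inherited entries, identities returned as SIDs
        $rules = $acl.GetAccessRules($true, $true, $sidType)
        $hasAdmins = [bool]($rules | Where-Object {
            $_.IdentityReference.Value -eq $adminsSid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        })
        $status = if ($hasAdmins) { 'OK' } else { 'NoAdministratorsEntry' }
    } catch {
        # The ACL could not be read at all, which is what happens when only
        # SYSTEM and the profile's user have access to the folder.
        $status = 'AclNotReadable'
    }
    [pscustomobject]@{ Profile = $dir.Name; Status = $status }
}

# List only the folders that need attention.
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```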
