NTFS permissions for Citrix Roaming Profiles on share folder hosting profiles

Set these permissions on the root of a profile share to enable it for roaming profile storage. When Windows creates a new roaming profile it acts on behalf of the user, it “impersonates” that user. Therefore we must make sure that on the one hand each user may create new folders while on the other hand ensuring that each user may access only his own profile folder.
These permissions apply both to traditional Windows roaming profiles as well as to the user store where Citrix Profile Management keeps its profiles.

 NTFS permissions:

  • Administrators: full control
  • SYSTEM: full control
  • Authenticated users: list folder/read data & create folders/append data, this folder only
  • Creator/Owner: full control, subfolders and files only
  • Everyone: change
  • Administrators: full control
  • Do not check for user ownership of Roaming Profile Folders
  • in Computer Configuration \ Administrative Templates \ System \ User Profiles
  • Disabling this check speeds up logons slightly and may greatly reduce profile problems.
  • Add the Administrators security group to roaming user profiles
  • in Computer Configuration \ Administrative Templates \ System \ User Profiles
  • When a new roaming profile directory is created, Windows disables permission inheritance and grants SYSTEM and the profile’s user account full control. That makes user profiles inaccessible to administrators which prevents them from performing maintenance. If this policy setting is enabled the group “Administrators” is given full control on new profile folders, tool.
  • Note that this applies to new profiles only. Profiles created before this policy settings was in place lack the entry for “Administrators”.

Share permissions:
Enable these group policy settings for all computers where users log on with roaming profiles, namely physical and virtual client PCs and terminal servers.

Comments

Post a Comment

Popular posts from this blog

enable TLS 1.2 and disabling TLS1.0 and SSL 3 on all exchange servers and Clients

Image
1)       Table depicting support for various SSL/TLS versions on different Windows OS   2)       SMTP – key piece of Exchange server infrastructure – support for TLS 1.1 and 1.2 were added in Exchange Server 2013 CU8 and Exchange Server 2010 SP3 RU9. This means if you want to add support for the latest ciphers and TLS versions, you may need to apply an update. 3)        Disable SSL  3.0 on all windows exchange servers Steps to disable support for the SSL 3.0 protocol on Windows by following these steps: ·          Click Start, click Run, type regedt32 or type regedit, and then click OK. ·          In Registry Editor, locate the following registry key: ·          HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server ·          Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key opti
Read more

HP 3PAR storage Commands to troubleshoot performance issues

The quick reference guide below will help diagnose and rule out some common issues experienced in the 3PAR arrays.  CLI COMMAND – “STATVLUN” measures the round trip time of an IO as seen by the system. Running STATVLUN in the following order should lead to the resolution of a few performance issues: 1)      “statvlun –ni”   – The STATVLUN command without any switches will show the round trip time of IO on each path for exported Virtual Volumes. This is helpful to determine if there is a multipathing issue. The “-ni” flag will eliminate any inactive volumes. 2)      “statvlun –vvsum –ni –rw”   This will show you the round trip time of the IO to each volume with the paths condensed for consolidated reporting.  This is great to see an overall picture of what is going on The “-rw” flag will break the IO down into Reads & Writes. 3)      “statvlun –hostsum –ni –rw”   The output of this command will show you the round trip time of the IO organized to the host le
Read more