
Monday, 27 February 2017

Citrix Profile Management and errors

One of the biggest problems in application or desktop virtualization is end-user experience and the consistency of user profiles and customizations. Luckily, there are a bunch of tools available on the market that help solve that problem. One of them is Citrix Profile Management, intended as a profile solution for XenApp servers, virtual desktops created with XenDesktop, and physical desktops. You install Profile Management on each computer whose profiles you want to manage. Active Directory Group Policy Objects allow you to control how Citrix user profiles behave. It all sounds like a fairy tale – the Citrix admin configures policy settings and everything works like a charm. But obviously it isn’t.

Recently I needed to troubleshoot a user’s Citrix profile related problem, or at least that is what the user stated 🙂 I started by checking the Active Directory Group Policy settings for Citrix Profile Management. Everything looked good; the user was a member of the proper security group. I then switched to the user store defined in Group Policy to check if I could find anything there. Usually you keep the user store on a network share on a file server. It might be part of the user’s homedir or might be a completely separate folder. After getting to the user store you find the below structure of files and folders.

I was searching Citrix eDocs trying to find an explanation of that structure, and especially of those configuration files, but I was unsuccessful. So what do they really do? Let’s start with the .INI files. Below you can find the information stored in my Citrix profile:
PmCompatibility.ini
Here you can find two interesting pieces of information helpful in troubleshooting:
[VersionUpdateTimeStamps] – the first part of that string tells you which version of Citrix UPM was used and the second part tells you when you last logged off from a Citrix session using Profile Management. In my case I used UPM version 5.1 and I logged off on 18th August at 19:20.
[LastUpdateServerName] – again, the first part tells you which version of Citrix UPM was used and the second part tells you to which Citrix XenApp/XenDesktop server you were connected.
UPMSettings.ini
I haven’t pasted the whole file here. Basically it contains the configuration of UPM. It is synced every time you log on to a Citrix session and it reflects the settings in Active Directory Group Policy for Citrix Profile Management – or at least it should 🙂
UserProfileOrigin.ini
This file contains a few useful pieces of information:
OPTemplate – it tells you from what kind of profile your Citrix profile was created. In this particular case I was launching a Citrix session in an environment where Citrix Profile Management was configured, so my profile was created from the Default user profile on server PSXA01. But if I had already had an existing/local profile on the XenApp/XenDesktop server, that string would be like: C:\Users\PawelSerwan. It would be the same if you changed the version of Citrix Profile Management.
UTCTime – shows when the Citrix user profile was created.
Conflict Flags – shows if there were any conflicts between profiles – I was not able to find information on which exact conflicts count here.
Machine Name – tells you to which server the user was connected when the Citrix profile was created.
Machine Domain – shows the name of the domain of which the server is a member.
Now let’s check what directories contain.
Pending
This directory contains 2 subfolders:
1. UPM_Profile – contains configuration, settings and data changed in current Citrix session/sessions. Those changes will be later incorporated into user Citrix profile.
2. Stamp – it contains one file with name of the server to which user Citrix profile was copied locally.
UPM_Profile

The UPM_Profile folder contains all the data, settings and configuration that were defined in Active Directory Group Policy for Citrix Profile Management. This folder simply contains the Citrix profile.
Hope that this short explanation of directories and files sitting inside UPM user store will be useful for you and will ease your troubleshooting of Profile Management problems.




User Profile Service Failed the Logon



When Windows cannot even create a temporary profile you get to see the following error message:
The User Profile Service failed the logon. User profile cannot be loaded.
This typically happens when the default profile, stored in C:\Users\Default, has incorrect permissions or is corrupt in some way.

Default Profile Permissions

If all is well, the directory C:\Users\Default inherits permissions from its parent folder, C:\Users. This results in SYSTEM and Administrators having full control, while Users and Everyone have read permissions. In SetACL Studio this looks as follows:
Default profile permissions in SetACL Studio
The permissions for SYSTEM and Administrators are not relevant, but if for some reason the user logging on does not have read permissions on C:\Users\Default the error message User Profile Service Failed the Logon will be displayed and logging on is not possible.
When this happens the user profile service logs an event with ID 1509 and source User Profile General in the application event log:
Windows cannot copy file \\?\C:\Users\Default\ to location \\?\C:\Users\username\. This error may be caused by network problems or insufficient security rights. 
 
DETAIL - Access is denied.

Default Profile Corrupt

Logon is not possible, either, if the default profile’s NTUSER.DAT file is nonexistent or corrupt.
If NTUSER.DAT does not exist the user profile service logs an event with ID 1500 and source User Profile Service in the application event log:
Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly. 
 
DETAIL - The system cannot find the file specified.
If, on the other hand, NTUSER.DAT is corrupt the user profile service logs an event with ID 1508 and source User Profile Service in the application event log:
Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights. 
 
DETAIL - The system has attempted to load or restore a file into the registry, but the specified file is not in a registry file format.
for C:\Users\username\ntuser.dat
Fixing a Corrupt Default Profile
The easiest way to fix a corrupt default profile is to delete the content of C:\Users\Default and copy it from a working system. Make sure, though, that the machine you copy from has the same operating system version and language.
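
The checks described in this post can be scripted. The PowerShell below is an added example, not part of the original post: it reports, without changing anything, whether NTUSER.DAT exists in the default profile, whether Users and Everyone hold an Allow ACE with read rights on the folder, and which of the events 1500, 1508 and 1509 were logged recently. The function names are hypothetical and the event-ID-to-cause mapping simply restates the text above; the ACL check looks only at the two groups named in the post and does not compute one user's effective access, so a reported Deny ACE needs manual review.

```powershell
# Added example: read-only checks, nothing on the system is modified.
function Test-DefaultProfile {                       # hypothetical helper name
    param([string]$Path = 'C:\Users\Default')

    $report = [ordered]@{ Path = $Path; NtUserDatPresent = $false
                          ReadGrantedTo = @(); DenyAcePresent = $false }
    if (-not (Test-Path -LiteralPath $Path)) { return [pscustomobject]$report }

    # NTUSER.DAT is a hidden file, so -Force is needed to see it.
    $hive = Get-Item -LiteralPath (Join-Path $Path 'NTUSER.DAT') -Force -ErrorAction SilentlyContinue
    $report.NtUserDatPresent = [bool]$hive

    # Request ACEs keyed by SID so the check also works on localized Windows.
    $wellKnown = @{ 'S-1-5-32-545' = 'Users'; 'S-1-1-0' = 'Everyone' }
    $read  = [int][System.Security.AccessControl.FileSystemRights]::Read
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Deny') { $report.DenyAcePresent = $true; continue }
        $sid = $ace.IdentityReference.Value
        if ($wellKnown.ContainsKey($sid) -and (([int]$ace.FileSystemRights -band $read) -eq $read)) {
            $report.ReadGrantedTo += $wellKnown[$sid]
        }
    }
    $report.ReadGrantedTo = @($report.ReadGrantedTo | Sort-Object -Unique)
    [pscustomobject]$report
}

function Get-ProfileLoadFailure {                    # hypothetical helper name
    param([int]$MaxEvents = 20)
    # Causes as described in the post for each event ID.
    $meaning = @{
        1500 = 'NTUSER.DAT does not exist'
        1508 = 'NTUSER.DAT is corrupt (not a registry file format)'
        1509 = 'cannot copy from C:\Users\Default (check DETAIL for Access is denied)'
    }
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1500, 1508, 1509 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, @{ n = 'Meaning'; e = { $meaning[[int]$_.Id] } }
}

Test-DefaultProfile | Format-List
Get-ProfileLoadFailure | Format-Table -AutoSize
```

An empty ReadGrantedTo together with event 1509 points at the permission problem; NtUserDatPresent being False together with event 1500 points at the missing hive.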


Users only get a temp profile in Citrix


New users, when logging into Citrix XenApp, are only able to get a temp profile. Existing users have working profiles. If we delete existing profiles and log in again, the user only gets a temp profile. It is not corrupt profiles.

Delete .bak GUIDS in registry "profile list"

The Profile List is located here: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Delete any entries that end in .bak from this list.

Replace the corrupted Default User profile

The Default User profile on the server is corrupt or missing. Simply copy the default user profile over from one of the other Citrix Servers to the problem server via UNC path: \\servername\users\default user or whatever copy method floats your boat.
I recommend disabling logins and reconnections to this Citrix Server before completing this and rebooting after the profile is copied over and the .bak GUIDs removed from the profile list.
Once the server is back up you should be all set.
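
Before deleting anything from the ProfileList it helps to see exactly which .bak keys exist and to keep a copy of the key. The PowerShell below is an added example, not part of the original post: it only lists .bak entries and exports the key to a .reg file. The function names, the default server name and the backup path are hypothetical, and querying remote servers assumes PowerShell remoting is enabled on them.

```powershell
# Added example: lists .bak entries under ProfileList; it deletes nothing.
function Get-BakProfileEntry {                       # hypothetical helper name
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $scan = {
        $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
        Get-ChildItem -LiteralPath $root |
            Where-Object { $_.PSChildName -like '*.bak' } |
            ForEach-Object {
                $sid  = $_.PSChildName -replace '\.bak$', ''
                $path = $_.GetValue('ProfileImagePath')
                # Path registered under the same SID without .bak, if such a key exists.
                $twin = Get-ItemProperty -LiteralPath (Join-Path $root $sid) -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Server           = $env:COMPUTERNAME
                    Key              = $_.PSChildName
                    ProfileImagePath = $path
                    FolderExists     = [bool]($path -and (Test-Path -LiteralPath $path))
                    TwinProfilePath  = $twin.ProfileImagePath
                }
            }
    }
    foreach ($computer in $ComputerName) {
        if ($computer -in '.', 'localhost', $env:COMPUTERNAME) { & $scan }
        else { Invoke-Command -ComputerName $computer -ScriptBlock $scan }
    }
}

# Export the local ProfileList key so a deletion can be undone by importing the file.
function Export-ProfileListBackup {                  # hypothetical helper name
    param([string]$File = "$env:TEMP\ProfileList-$env:COMPUTERNAME.reg")  # hypothetical path
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' $File /y | Out-Null
    $File
}

Get-BakProfileEntry | Format-Table -AutoSize
Export-ProfileListBackup
```

Review the listed ProfileImagePath and FolderExists values for each .bak key before removing it, and keep the exported .reg file until users have logged on successfully.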


Description
We had a long-running issue that Citrix users would randomly get a temporary profile when logging in. I wrote the below script to connect to the registry on the Citrix servers and find (delete) temporary profiles.

Source Code

This script has not been checked by Spiceworks. Please understand the risks before using it.
runAsCscript()

'If a temporary profile (.bak key) is found, should it be deleted?
'If it is False, you will only get a list printed to the screen.
deleteKey = True

Dim arrComputers
'If you want to run this script on the local computer arrComputers should just contain a period: arrComputers = Array(".")

'This is a list of computers we want to check for temporary profiles.
arrComputers = Array("CITRIX01", "CITRIX02", "CITRIX03", "CITRIX04", "CITRIX05", "CITRIX06", "CITRIX07", "CITRIX08", "CITRIX09")

Const HKEY_LOCAL_MACHINE = &H80000002
'Access-right constant expected by StdRegProv.CheckAccess
Const DELETE = &H00010000

For Each strComputer In arrComputers
    findBakProfiles strComputer
Next


Function findBakProfiles(strComputer)
    Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
    strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
    objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

    'EnumKey returns Null instead of an array when the key cannot be read
    If Not IsArray(arrSubKeys) Then Exit Function

    'One RegExp object is enough for all subkeys
    Set objRegEx = CreateObject("VBScript.RegExp")
    objRegEx.Pattern = ".*\.bak$"

    For Each subkey In arrSubKeys
        If objRegEx.Test(subkey) Then
            strBadKey = strKeyPath & "\" & subkey
            objReg.GetExpandedStringValue HKEY_LOCAL_MACHINE, strBadKey, "ProfileImagePath", strValue
            WScript.Echo "Server Name: " & strComputer
            WScript.Echo "Registry Key: " & subkey
            WScript.Echo "Directory: " & strValue

            If deleteKey Then
                objReg.CheckAccess HKEY_LOCAL_MACHINE, strBadKey, DELETE, bHasAccessRight
                If bHasAccessRight = True Then
                    WScript.Echo "We have Delete Access Rights on Key"

                    'You can't delete a key if it has any sub keys. This code only works to one level right now.
                    objReg.EnumKey HKEY_LOCAL_MACHINE, strBadKey, arrKeyNames
                    If IsArray(arrKeyNames) Then
                        For Each strKey In arrKeyNames
                            'Delete all of the sub keys
                            WScript.Echo "Removing Key: " & strKey
                            strBadSubKey = strBadKey & "\" & strKey
                            objReg.DeleteKey HKEY_LOCAL_MACHINE, strBadSubKey
                        Next
                    End If

                    objReg.DeleteKey HKEY_LOCAL_MACHINE, strBadKey
                    WScript.Echo "Removing Profile: " & strBadKey
                Else
                    'Without the DELETE right the key is left untouched
                    WScript.Echo "We Do Not Have Delete Access Rights on Key"
                End If
            End If
        End If
    Next
End Function


'Just a little trick to make sure that the application waits until we press Enter to close
WScript.Echo "DONE, Press Enter to continue"
WScript.StdIn.ReadLine


'Relaunch the script under cscript.exe when it was started with wscript.exe
Function runAsCscript()
    Dim Arg, Str
    If Not LCase( Right( WScript.FullName, 12 ) ) = "\cscript.exe" Then
        For Each Arg In WScript.Arguments
            If InStr( Arg, " " ) Then Arg = """" & Arg & """"
            Str = Str & " " & Arg
        Next
        CreateObject( "WScript.Shell" ).Run "cscript.exe //nologo """ & WScript.ScriptFullName & """" & Str
        WScript.Quit
    End If
End Function