Zero Configuration Citrix/Terminal Services Profiles using the Flex Profile Framework

Issue

A common issue for Citrix and Terminal Services users is that terminal services specific account properties are implemented incorrectly or inconsistently, causing numerous profile and usability issues.

Using the Flex Profile Framework and configuring an environment that requires no pre-staging of Terminal Services specific configuration, such as Active Directory attributes or folder structures, can vastly reduce user issues.

Resolution

1) Create a share
Ideally a DFS share, \\<domain>\dfs\flex, remembering to grant Everyone Full Control on the share-level permissions so users can write to the share (the NTFS permissions set below do the restricting).

1a) Remove Inherited Permissions
- Right click on the Flex Profile root folder shared above and select Properties from the context menu
- Select the Security tab
- Uncheck Allow inheritable permissions from the parent to propagate to this object and all child objects
- Click Remove
- Click OK
- Click Yes to the permissions warning

1b) Set Permissions
- Click Add and set SYSTEM to Full Control
- Click Add and set Administrators to Full Control
- Click Add and set CREATOR OWNER to Modify
- Click Advanced
- Click Add
- Enter Authenticated Users and click OK
- Select This folder only from the Apply onto dropdown
- Check Traverse Folder/Execute File in the Allow column
- Check List Folder/Read Data in the Allow column
- Check Read Attributes in the Allow column
- Check Create Folders/Append Data in the Allow column
- Click OK
- Click OK
- Click OK

2) Install the Flex Profile Framework

2a) Configure Flex Profile
- Copy the Flex_Config folder to \\<domain>\NETLOGON
- Create a folder under \\<domain>\NETLOGON\Flex_Config\ProfileSettings to match the ServerType environment variable set below
- Copy the appropriate .INI files from \\<domain>\NETLOGON\Flex_Config\ProfileSettings to \\<domain>\NETLOGON\Flex_Config\ProfileSettings\<ServerType>

Edit Framework.ini and check the following values:
- STOREROOT=\\<domain>\dfs\flex\%userdomain%.%username%\
- STOREFOLDER=Flex

2b) Install the Flex Profile Framework on each Citrix/Terminal Server
Ensure the ServerType environment variable is configured on each Citrix/Terminal Server to match the folder created above.

3) Configure a Flex Profile Framework Group Policy
Create a new Group Policy on the Citrix/Terminal Server Organisational Unit with the following settings.
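Before moving on to the group policy, the NTFS permissions from steps 1a and 1b can be applied by script instead of through the Security tab, which makes the root ACL reproducible across DFS targets. The following is an added example, not part of the Flex Profile Kit or of this article; it assumes the share's folder is local on the DFS target server and uses D:\Shares\flex as a placeholder path. The point of the ACE set is least privilege on the store root: Authenticated Users can walk the root and create their own folder (which USRLOGON.CMD needs), but only SYSTEM, Administrators and the CREATOR OWNER of each folder are inherited into the user folders themselves.

```powershell
# Added example (not from the Flex Profile Kit or the article): applies the
# NTFS permissions of steps 1a/1b by script. Run elevated on the DFS target
# server that hosts the folder behind \\<domain>\dfs\flex.
# -Path is a placeholder; substitute the local folder on the DFS target.

function Set-FlexRootAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path
    )

    $full   = [System.Security.AccessControl.FileSystemRights]::FullControl
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    # Authenticated Users on "This folder only": enough to create their own
    # folder (the mkdir in USRLOGON.CMD) and pass through the root, nothing more.
    $rootOnly = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, CreateDirectories'

    $both        = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none        = [System.Security.AccessControl.InheritanceFlags]::None
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $noProp      = [System.Security.AccessControl.PropagationFlags]::None
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @(
        # identity, rights, inheritance ("Apply onto" in the GUI), propagation
        @('NT AUTHORITY\SYSTEM',              $full,     $both, $noProp),       # This folder, subfolders and files
        @('BUILTIN\Administrators',           $full,     $both, $noProp),       # This folder, subfolders and files
        @('CREATOR OWNER',                    $modify,   $both, $inheritOnly),  # Subfolders and files only: each user owns what they create
        @('NT AUTHORITY\Authenticated Users', $rootOnly, $none, $noProp)        # This folder only
    )

    $acl = Get-Acl -Path $Path
    # Step 1a: stop inheriting from the parent and drop the inherited entries ("Remove")
    $acl.SetAccessRuleProtection($true, $false)

    # Step 1b: add the explicit entries
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($r[0], $r[1], $r[2], $r[3], $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Show the result so it can be compared with the list in step 1b
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
}

# Usage (placeholder path):
# Set-FlexRootAcl -Path 'D:\Shares\flex'
# Share-level permission from step 1 (Everyone Full Control; NTFS does the restricting):
# net share flex=D:\Shares\flex /GRANT:Everyone,FULL
```

CREATOR OWNER is given the "Subfolders and files only" form because it is a placeholder SID: it is never effective on the root itself, and NTFS replaces it with the creating user's SID on every folder created beneath the root, which is what later makes each user the owner of their own profile folder.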
3a) Configure as a Loopback Policy
- Select Computer Configuration | Administrative Templates | System | Group Policy
- Double click on User Group Policy loopback processing mode
- Select the Enabled radio button
- Click OK

3b) Disable Roaming Profiles
- Select Computer Configuration | Administrative Templates | System | User Profiles
- Double click on Allow only local user profiles
- Select the Enabled radio button
- Click OK

3c) Set the Logon/Logoff Scripts as per the Flex Profile documentation
- Navigate to User Configuration | Windows Settings | Scripts (Logon/Logoff)
- Double click on Logon
- Enter %PROGRAMFILES%\Flex Framework\Flex_Framework.vbs for the Script Name
- Enter LOGON \\<domain>\NETLOGON\Flex_Config for the Script Parameters
- Click OK
- Double click on Logoff
- Enter %PROGRAMFILES%\Flex Framework\Flex_Framework.vbs for the Script Name
- Enter LOGOFF \\<domain>\NETLOGON\Flex_Config for the Script Parameters
- Click OK
- Navigate to User Configuration | Administrative Templates | System | Scripts
- Double click on Run logon scripts synchronously
- Select the Enabled radio button
- Click OK

3d) Set Redirected Folders to \\<domain>\dfs\flex\%username%\Common\<folder>
- Navigate to User Configuration | Windows Settings | Folder Redirection
- Right click on Application Data and select Properties from the context menu
- Select Basic - Redirect everyone's folder to the same location
- Select Redirect to the following location
- Enter \\<domain>\dfs\flex\%username%\Common\AppData
- Select the Settings tab
- Uncheck Grant the user exclusive rights to Application Data
- Uncheck Move the contents of Application Data to the new location
- Click OK
- Right click on Desktop and select Properties from the context menu
- Select Basic - Redirect everyone's folder to the same location
- Select Redirect to the following location
- Enter \\<domain>\dfs\flex\%username%\Common\Desktop
- Select the Settings tab
- Uncheck Grant the user exclusive rights to Desktop
- Uncheck Move the contents of Desktop to the new location
- Click OK
- Right click on My Documents and select Properties from the context menu
- Select Basic - Redirect everyone's folder to the same location
- Select Redirect to the user's home directory
- Select the Settings tab
- Uncheck Grant the user exclusive rights to My Documents
- Uncheck Move the contents of My Documents to the new location
- Click OK

Other folders can be redirected using custom group policy templates. Suggested folders are:
- Cookies
- Favorites
- History
- Recent Documents
- My Network Places
- Templates

3e) Ensure folders are created with the correct Owner
If the following is not done the folders will be created by the SYSTEM process, leading to issues with permissions. Add the following lines to the beginning of %SystemRoot%\System32\USRLOGON.CMD on the Citrix/Terminal Server:

@Echo Off
mkdir \\<domain>\dfs\flex\%USERNAME%\%ServerType%
mkdir \\<domain>\dfs\flex\%USERNAME%\common

3f) Registry Permissions for ENABLE_CERTIFICATES
If setting ENABLE_CERTIFICATES=1 in Framework.INI:
- Navigate to User Configuration | Windows Settings | Security Settings | Registry
- Right click on Registry and select Add Key from the context menu
- Select MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList and click OK
- Click Advanced
- Click Add
- Enter Authenticated Users and click OK
- Check Set Value and click OK
- Click OK
- Click OK
- Click OK
- Click OK to accept the inheritance configuration

If local profiles are deleted at logoff, line 392 in %ProgramFiles%\Flex Framework\Flex_Framework.vbs may need to be changed from 133 to 102:

If ENABLE_CERTIFICATES="1" Then
    WshShell.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\" & decsid & "\STATE",102,"REG_DWORD"
End If

This can be seen in userenv.log:

USERENV(230.a28) HH:MM:SS:XXX UnloadUserProfileP: deleting profile because it is a guest user or cache needs to be deleted

If FlexRefresh.exe generates Application Errors, the following may be the cause: http://theether.net/kb/100068

Further Information

Flex Profile Kit 5.0/Flex Framework 2.0
http://www.loginconsultants.com/
http://theether.net/download/Login%20Consultants/Flex%20Profile%20Kit/FPKv5%20Admin%20Guide.pdf

How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/kb/221833

Security Recommendations for Roaming User Profiles Shared Folders
http://technet.microsoft.com/en-us/library/cc757013.aspx

As posted by Mike Soultan
http://www.mcse.ms/showthread.php?t=2330569

Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\SID
Value: State
DataType: REG_DWORD
Data:
001 = PROFILE_MANDATORY       Profile is mandatory.
002 = PROFILE_USE_CACHE       Update locally cached profile.
004 = PROFILE_NEW_LOCAL       Using a new local profile.
008 = PROFILE_NEW_CENTRAL     Using a new central profile.
010 = PROFILE_UPDATE_CENTRAL  Need to update central profile.
020 = PROFILE_DELETE_CACHE    Need to delete cached profile.
040 = PROFILE_UPGRADE         Need to upgrade profile.
080 = PROFILE_GUEST_USER      Using guest user profile.
100 = PROFILE_ADMIN_USER      Using administrator profile.
200 = DEFAULT_NET_READY       Default net profile is available & ready.
400 = PROFILE_SLOW_LINK       Identified slow network link.
800 = PROFILE_TEMP_ASSIGNED   Temporary profile loaded.

Products
Citrix Presentation Server 4.5
Created: 3rd April 2008
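Two checks that follow from the Resolution above, as an added example that is not part of the Flex Profile Kit or of this article. The first verifies step 3e: every user folder under the store root should be owned by the user it is named after, so a folder owned by SYSTEM or Administrators shows that the mkdir ran outside the user's logon context. The second decodes the ProfileList State value from the table under Further Information, whose entries are hex bit flags while the VBS line in 3f writes decimal: 133 is 0x85, which by that table is PROFILE_MANDATORY + PROFILE_NEW_LOCAL + PROFILE_GUEST_USER, matching the "guest user" reason in the userenv.log line; 102 is 0x66, PROFILE_USE_CACHE + PROFILE_NEW_LOCAL + PROFILE_DELETE_CACHE + PROFILE_UPGRADE. \\<domain>\dfs\flex and <domain> are the article's placeholders; the store-root function strips a %userdomain%. prefix if the folders were named per STOREROOT in Framework.ini.

```powershell
# Added troubleshooting checks (not from the Flex Profile Kit or the article).
# Placeholders: '\\<domain>\dfs\flex' is the store root, '<domain>' the NetBIOS domain.

# Check for step 3e: each user folder must be owned by its user.
function Test-FlexStoreOwners {
    param(
        [string]$StoreRoot = '\\<domain>\dfs\flex',   # placeholder from the article
        [string]$Domain    = '<domain>'               # placeholder: NetBIOS domain name
    )
    Get-ChildItem -Path $StoreRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $user = $_.Name
        # STOREROOT in Framework.ini names folders %userdomain%.%username%; strip the prefix if present
        if ($user -like "$Domain.*") { $user = $user.Substring($Domain.Length + 1) }
        $owner = (Get-Acl -Path $_.FullName).Owner
        New-Object PSObject -Property @{
            Folder   = $_.FullName
            Owner    = $owner
            Expected = "$Domain\$user"
            Ok       = ($owner -ieq "$Domain\$user")
        }
    }
}

# Bit flags from the ProfileList State table (hex values as listed there).
$ProfileStateFlags = @(
    @{ Bit = 0x001; Name = 'PROFILE_MANDATORY' },
    @{ Bit = 0x002; Name = 'PROFILE_USE_CACHE' },
    @{ Bit = 0x004; Name = 'PROFILE_NEW_LOCAL' },
    @{ Bit = 0x008; Name = 'PROFILE_NEW_CENTRAL' },
    @{ Bit = 0x010; Name = 'PROFILE_UPDATE_CENTRAL' },
    @{ Bit = 0x020; Name = 'PROFILE_DELETE_CACHE' },
    @{ Bit = 0x040; Name = 'PROFILE_UPGRADE' },
    @{ Bit = 0x080; Name = 'PROFILE_GUEST_USER' },
    @{ Bit = 0x100; Name = 'PROFILE_ADMIN_USER' },
    @{ Bit = 0x200; Name = 'DEFAULT_NET_READY' },
    @{ Bit = 0x400; Name = 'PROFILE_SLOW_LINK' },
    @{ Bit = 0x800; Name = 'PROFILE_TEMP_ASSIGNED' }
)

# Decode a State value (decimal, as stored in the registry and written by the VBS) into flag names.
function ConvertFrom-ProfileListState {
    param([Parameter(Mandatory = $true)][int]$State)
    $names = @()
    $known = 0
    foreach ($f in $ProfileStateFlags) {
        $known = $known -bor $f.Bit
        if (($State -band $f.Bit) -ne 0) { $names += $f.Name }
    }
    # report any bit the table does not name rather than silently dropping it
    $unknown = $State -band (-bnot $known)
    if ($unknown -ne 0) { $names += ('UNKNOWN_0x{0:X}' -f $unknown) }
    return $names
}

# Decode the State of every profile registered on this terminal server.
function Get-ProfileListStates {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $key | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $state = [int]$p.State
        New-Object PSObject -Property @{
            Sid   = $_.PSChildName
            Path  = $p.ProfileImagePath
            State = $state
            Flags = (ConvertFrom-ProfileListState -State $state) -join ', '
        }
    }
}

# Usage:
# Test-FlexStoreOwners -StoreRoot '\\<domain>\dfs\flex' -Domain '<domain>' | Where-Object { -not $_.Ok }
# ConvertFrom-ProfileListState -State 133
# ConvertFrom-ProfileListState -State 102
# Get-ProfileListStates | Format-Table Sid, State, Flags -AutoSize
```

Run Test-FlexStoreOwners from an administrative session on a server that can reach the DFS share; Get-ProfileListStates is run on the Citrix/Terminal Server itself, after a test logoff, to confirm which State the Flex_Framework.vbs line actually wrote for the user's SID.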