Using Profiles (Roaming, Mandatory, and Hybrid) With Citrix Password Manager

This article describes the use of various profile options and how best to integrate Password Manager with these profiles. The profiles covered in the article are Local User Profiles, Roaming User Profiles, and Mandatory User Profile / Hybrid Profile.

Local User Profiles

Local User Profiles are stored on the local server to which the user has logged on. Password Manager saves registry information in the HKCU\Software\Citrix\MetaFrame Password Manager hive of the User Registry located at:

%SystemDrive%\Documents and Settings\%username%\NTUSER.DAT.

Password Manager also saves files in:

%SystemDrive%\Documents and Settings\%username%\Application Data\Citrix\MetaFrame Password Manager.

On Vista, Password Manager uses:

%APPDATA%\Roaming\Citrix\MetaFrame Password Manager

Important: It is CRITICAL that Password Manager has Full Control Access to the following files:

File Name



User’s credential information file with pointers to aelist.ini file.


Application definition file created at enterprise level in the synchronization point or Active Directory.


Application definition file created by merging user’s local application definition file (applist.ini) and the enterprise application definitions (entlist.ini).

Roaming User Profiles

Roaming user profiles are saved in a network share and synchronized to a local server copy each time the user logs on. Characteristics of a successful roaming profile deployment include high speed network connectivity such as a SAN (System Area Network) or NAS (Network Area Storage). Other common deployments include clustering solutions where the profiles are stored on high availability servers.

Currently, two issues affect roaming and mandatory profile deployments:

  • A single roaming profile can only be used with one file synchronization point. When multiple synchronization points are used, data in the MMF file might get corrupted.

  • When roaming profiles are used with multiple concurrent sessions, they share the same backend Memory Mapped File. The end result is that all active sessions share some common session data, such as retry lock counters, last used data counters, and event log entries.

Mandatory User Profile / Hybrid Profile

Mandatory user profiles are by definition user read-only profiles. Password Manager needs write permission to the profile directory under Application Data. With mandatory profiles, a user may make changes, but the changes are not saved back to the profile at logoff. For Password Manager to work correctly in a mandatory profiles environment, the Application Data Folder must be redirected.

With Password Manager, the registry changes will be written each time the user logs on, credential information will be synchronized with the synchronization point, but the changes will not be saved back to the profile.

Beginning with Windows 2000, Microsoft provides a mechanism for redirecting the Application Data folder; Windows NT4 domains, however, require login scripts capable of modifying the location of the Application Data folder. This can be achieved by using tools like Kix or VBScript to define a writable location for the Application Data user folder.

Following is an example using Kix to redirect the Application Data folder during user logon:

Important: The following sample script is for informational purposes only and should not be used in your environment without previous testing.

; Logon server and registry root
$LogonServer = "%LOGONSERVER%"
$HKCU = "HKEY_CURRENT_USER"

; Registry keys that hold the shell folder locations
$ShellFolders_Key = "$HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
$UserShellFolders_Key = "$HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"

; Writable per-user locations on the profile share
$UserProfFolder = "$LogonServer\profiles\@userID"
$UserAppData = "$LogonServer\profiles\@userID\Application Data"
$UserDesktop = "$LogonServer\profiles\@userID\Desktop"
$UserFavorites = "$LogonServer\profiles\@userID\Favorites"
$UserPersonal = "X:\My Documents"
$UserRecent = "$LogonServer\profiles\@userID\Recent"

; Create each target folder if it does not exist yet
if (exist("$UserAppData") = 0)
    shell '%ComSpec% /c md "$UserAppData"'
endif
if (exist("$UserDesktop") = 0)
    shell '%ComSpec% /c md "$UserDesktop"'
endif
if (exist("$UserRecent") = 0)
    shell '%ComSpec% /c md "$UserRecent"'
endif
if (exist("$UserFavorites") = 0)
    shell '%ComSpec% /c md "$UserFavorites"'
endif

The hybrid user profile is another solution for the mandatory profile issue. When the user logs on, the mandatory profile loads, and a custom application loads and unloads user registry hives based on the applications available to the user. As in a mandatory profile scenario, the user can modify those portions of the registry during the session. The big difference from the pure mandatory profile is that the changes are saved when the user logs off and reloaded when the user logs on again.

When the Hybrid Profile is used, the HKEY_CURRENT_USER\Software\Citrix\MetaFrame Password registry keys must be imported and exported as part of the logon and logoff process.
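The import and export step described above, as an added PowerShell sketch that is not part of the original article or of Citrix's tooling. The function name and the $Store parameter are hypothetical, the key is the one named under Local User Profiles, and $Store is assumed to be a per-user folder that only that user can read, since it holds Password Manager registry data.

```powershell
# Added example, not Citrix code. Sync-PasswordManagerKey and $Store are
# hypothetical; the key is the one the article names under Local User Profiles.
function Sync-PasswordManagerKey {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Logon','Logoff')][string]$Mode,
        # Per-user writable folder outside the mandatory profile (assumption).
        [Parameter(Mandatory=$true)][string]$Store
    )
    $key  = 'HKCU\Software\Citrix\MetaFrame Password Manager'
    $file = Join-Path $Store 'PasswordManager.reg'

    if ($Mode -eq 'Logon') {
        # First logon: nothing has been exported yet.
        if (-not (Test-Path -LiteralPath $file)) { return 'NothingToImport' }
        & reg.exe import $file 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { return 'ImportFailed' }
        return 'Imported'
    }

    # Logoff: skip if the agent never wrote the key in this session.
    if (-not (Test-Path -LiteralPath ($key -replace '^HKCU', 'HKCU:'))) {
        return 'NoKey'
    }

    # Export to a temporary file first so that a failed export cannot
    # overwrite the last good copy.
    $tmp = "$file.tmp"
    if (Test-Path -LiteralPath $tmp) { Remove-Item -LiteralPath $tmp -Force }
    & reg.exe export $key $tmp | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $tmp)) {
        return 'ExportFailed'
    }
    Move-Item -LiteralPath $tmp -Destination $file -Force
    return 'Exported'
}

# Logon script:  Sync-PasswordManagerKey -Mode Logon  -Store "\\servername\sharename\$env:USERNAME"
# Logoff script: Sync-PasswordManagerKey -Mode Logoff -Store "\\servername\sharename\$env:USERNAME"
```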

Folder Redirection

Folder redirection is a new feature of Windows 2000 and Windows 2003 operating systems and is implemented using Group Policy Objects and Active Directory. Folder redirection uses Group Policies to define a location for folders that are part of the user profile.

Four folders might be redirected using folder redirection:

  • My Documents

  • Application Data

  • Desktop

  • Start Menu

Two modes of redirection can be configured using Group Policies: basic redirection and advanced redirection. Both types of redirection are supported with Password Manager. In Windows 2000 the share where application data is stored should be referenced using the username variable, for example: \\servername\sharename\%username%

Folder redirection is global for the user and it affects all the user’s applications, therefore all applications that use the Application Data folder need to support it.

Best Practices

  • Use Application Data folder redirection when possible. This practice improves network performance by eliminating the need to copy that data each time a user logs on.

  • When troubleshooting Password Manager Agent, always verify that the logged-on user has Full Control permission on their Application Data folder.
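One way to run the Full Control check from the last bullet, as an added PowerShell example that is not part of the original article or of Citrix's tooling. It inspects the ACL entries that apply to the logged-on user on the Password Manager folder and on each file in it; the function names are hypothetical, and the check reads ACL entries rather than computing full effective access.

```powershell
# Added example, not Citrix code. Function names are hypothetical; the folder
# layout (Application Data\Citrix\MetaFrame Password Manager) is from the article.
function Test-FullControl {
    param([Parameter(Mandatory=$true)][string]$Path)

    # SIDs in the current logon token: the user plus every group.
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    $full        = [int][Security.AccessControl.FileSystemRights]::FullControl
    $inheritOnly = [int][Security.AccessControl.PropagationFlags]::InheritOnly

    # Explicit and inherited ACEs that apply to this object itself
    # (inherit-only entries affect children, not the object).
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
                 $true, $true, [Security.Principal.SecurityIdentifier]) |
             Where-Object {
                 $sids -contains $_.IdentityReference.Value -and
                 ([int]$_.PropagationFlags -band $inheritOnly) -eq 0 }

    $allow = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $full) -eq $full })
    $deny  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' })

    # Any matching Deny ACE removes at least one Full Control right.
    return ($allow.Count -gt 0 -and $deny.Count -eq 0)
}

function Get-PasswordManagerAccessReport {
    # GetFolderPath returns the redirected location when redirection is active.
    param([string]$AppData = [Environment]::GetFolderPath('ApplicationData'))

    $folder = Join-Path $AppData 'Citrix\MetaFrame Password Manager'
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Not found: $folder"
        return
    }
    # Check the folder itself and every file in it, hidden ones included.
    @(Get-Item -LiteralPath $folder) + @(Get-ChildItem -LiteralPath $folder -Force) |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path        = $_.FullName
                FullControl = Test-FullControl -Path $_.FullName
            }
        }
}

# List anything the logged-on user does not fully control.
Get-PasswordManagerAccessReport | Where-Object { -not $_.FullControl }
```

Run it in the affected user's session, not from an administrator account, so the token being checked is the one Password Manager runs under.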

