by – Jesse Boehm
A PDF version of this article is available the cost is $5.00
This article is to be used as guidelines for creating manual Roaming Profiles for Microsoft Remote Desktop Services (RDS) and Citrix XenApp and Citrix XenDesktop.
My goal is to show you have I create a Master Default Profile for my Citrix XenApp Farms. This of course applies to Citrix XenDesktop and Microsoft RDS as well.
I am fan of doing this the old fashioned way. I have been doing this for a very long time. This used to be the only way to do it, so I still tend to do it this way unless I am given access to a Software Product to use as a replacement.
I hope you find this useful.
I will note that I am a big fan of Classic Shell, which you can check out at www.classicshell.net. I did this article using the native menu of Windows 2012 R2. But personally I would use Classic Shell to provide my End Users a Classic Windows 7 Start Menu. But I know this can go either way by Administrators. My personal choice is to use it. But this article does not use it.
I am thinking of adding an addendum section to the end of this article when I am done setting everything up and then dropping Classic Shell on top of my Default Profile so you can see another option. Then you can choose for yourself.
First thing I like to do is turn on show Hidden Files
Next I prepare to make a copy of the Default Profile to another location. I have an E:\ Partition that I use for System Files that I redirect. So I create a folder called “Default Profile”
Back on the Desktop, right click the “This PC” Icon and select “Properties”. Then select “Advanced Settings” and then select “User Profiles”
Select “Default Profile” then click “Copy To” browse to “E:\Default Profile” and select the folder.
Now it will it ask you “Permitted to use” and there is a “Change” Button. Click the button and set the Permissions to “Everyone”. Then click on Ok.
You will get a “Confirm Copy” message, say Yes. Then you can click Ok twice to get out of User Profiles and back to the Desktop.
CREATE DEFAULT ROAMING PROFILE USER ACCOUNT
Now we need to go to Start > Administrative Tools > Computer Management
Click on Local Users and Groups. Right click on User and create “New User”
For the purposes of this article I am making the username “default_user”. I am giving the user a Complex Password. Setting the account so that the “User cannot change password” and that the “Password never expires”. Then click “Create”.
Add the “default_user” to the local “Administrators” groups.
Controlling the Start Menu
The next steps is all about the Start Menu or Start Screen and how we will control the content that users will see. On my RDS/Citrix Server Builds I like to remove all Applications from the All Users Start Menu and put them on the Administrators Start Menu and make a Full Backup of the Administrators Start Menu and put a copy of that full Start Menu on the “E:\Backup_Start_Menu” Folder. I also Block Inheritance on this folder and remove all permissions except for the Local Administrators and Domain Admins both having Full Control. The reason I do this as I have seen some strange things with the System trying to Redirect the Start Menu to the E:\ Drive.
The Administrators Start Menu Location is at:
I am going to Clear Out the Administrators Menu now, so I can make sure I clear out all menu items since the Domain Administrator sees All Applications. Go into the Start Menu, Right Click on “File Explorer” and select “Open File Location”.
When you are done it will look like this
Then do the same for Windows Accessories and “Open Location” and it will show the Path: C:\ProgramData\Microsoft\Windows\Start Menu\
I am going to Cut and Paste the contents of the “Programs” Folder to E:\ Backup_Start_Menu\. Leave the “Programs” Folder in place for future installed software.
My Start Menu Screen Now Looks Like This which is exactly what I wanted to see.
This gives me the clean slate that I want to start my Default Profile with. As I want to build my Default Profile from the ground up exactly the way I want my End Users to see it.
One more thing, I want to pull out any last remaining files in the “Default” Profile. So navigate to: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ and we do have some other files here that are in the “Default” Profile so I am going to copy those over to my “E:\ Backup_Start_Menu\” Folder which gives me a copy of every Start Menu Folder and File.
So now I am going to rebuild the Domain Administrator Start Menu will all Applications. This will leave the Administrator.DOMAIN with the only full Start Menu on the Citrix Server. Any other Administrator can get a copy of the full Start Menu from “E:\Start Menu” at any time. You can also create a Script to copy the files at login if you wanted to.
So now I am going to Copy the contents of “E:\Backup_Start_Menu\” to “C:\Users\administrator.STUR\AppData\Roaming\Microsoft\Windows\Start Menu\” and I will also copy to the Local Administrator at the following path: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\ which will leave a Start Menu that looks like this.
So that is how we capture our Master Start Menu on our RDS/Citrix Server. In the future as new Applications are installed this process will have to be repeated to update the Master Start Menu and Default Profile. But it is some Copy, Cut & Paste’s.
Now here I can build out the beginning of my Default Profile Start Menu. I know what I want my Default Profile to have. So I can build my basic collection. But for right now let’s login as “default_base” and take a look at our starting point. We can come back to the default menu once the actual profile is created.
So login is as “default_base”
Click on the Start Button and this is what you should see
Exactly like you should.
Ok so let’s setup a Default Profile.
Assumptions About My Environment:
- I want Quick Launch
- I don’t want Control Panel on the Desktop (This Can’t be controlled via GPO)
- Use small taskbar buttons
- Notification area: Show All Icons
- Never Combine Taskbar Buttons
- Desktop Icons: Computer, User’s Files & Recycle Bin. I can control these via GPO but I lock it down in my Default Profile as well. I am going to Enable the Network Icon as I won’t show that to End Users but I will Control that via GPO. No need to hide that from Administrators on the Desktop.
- I want a Solid Cold Background for All User Profiles. Via GPO we can prevent End Users from changing this.
Right click the Task Bar > Toolbars > New Toolbar…
Folder: %userprofile%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
The “%userprofile%” Variable is very important here as if you browsed to the actual “default_user” Quick Launch Folder it would not work for a Roaming Profile.
Click Select Folder
The new Quick Launch Toolbar will look like this
Right click the word Quick Launch and Uncheck Show Text and Show Title
You now have that familiar Quick Launch Toolbar you are used to. More important that your End Users are used to. More important your support team won’t get calls about the missing Quick Launch Toolbar ?
Drag the Quick Launch Toolbar over to the left.
The Desktop now looks like this
TASK BAR & NOTIFICATION AREA
Right click that Task Bar and click Properties and the Taskbar and Navigation Properties Screen will come up. Check “Use small taskbar buttons”, Set Taskbar buttons to “Never Combine”. Uncheck “Show Windows Store apps on the taskbar” and I Check “Use Peek to preview the desktop when you move your mouse to the Show desktop button at the end of the taskbar”
Then at Notification Area click “Customize…” the new window will open and check “Always show all icons and notifications on the taskbar”.
Right click the Desktop and choose “Personalize” and then select “Change Desktop Icons”.
Check Computer, User’s Files, Network & Recycle Bin. Click OK.
Some environments I work in absolutely don’t want users to see the Recycle Bin, some do. I include these 4 items in the Default Profile as they are all controllable via GPO. Only the Control Panel Icon is not GPO Controllable. You can disable access to the Control Panel, but you can’t remove the Icon. So now End Users have and Icon on their Desktop that they click that gives them an error. Hello Support! No Thank you.
Click Desktop Background, then Picture Location and change the Drop Down to Solid Colors and set it to whatever color you want. I am going with classic Windows Blue. Click Save Changes
While I am in here I am also going to change the color of the Taskbar to be something a bit more Solid. So Click Color. Change the Taskbar to whatever you want it to be. This is what I made it look like.
My Windows 2012 R2 Desktop that looks like it could be Windows 2003 or 2008 or whatever. Well except for that Start Menu. But that is fixable with Classic Shell. But for this Article I am not going to use it.
FEW OTHER SETTINGS I LIKE TO TURN ON
Open “This PC” on the Desktop go to the View Tab > Options > Change Folder and Search Options.
On the General Tab I like to enable “Show All Folders” and “Automatically Expand to Current Folder”
On the View Tab I like to Uncheck “Hide Extensions for Known File Types”
THE DEFAULT START MENU
On me E:\ Partition I am going to create a Folder called “Roaming_Start_Menu”.
So now I am going to build a Start Menu from the ground up. For this Article I just installed Office 2013. But this would apply for any number of Folders and Applications. My goal here is to make the Start Menu easy.
Assumptions about my Roaming Profile Start Menu for End Users
- Give users access to Microsoft Word, Excel, Access, Outlook & PowerPoint
- Citrix Receiver
- Internet Explorer
- Windows Accessories: Calculator, Notepad, Paint, Windows Media Player and WordPad
That is about it for this Roaming Profile. The number of Folders and Programs does not matter the strategy in the same. Control is what we are leveraging here. Total control of our Default Roaming Profiles. We want them Small, Clean and Perfectly Crafted. This is a very important part of performance. I spend a great deal of time on Default Roaming Profiles when building out Citrix Environments. Every Environment is different but that core Profile is key.
So on the server logged in as the Administrator I am going to open up to Explorer Views side by side one with the “Backup_Start_Menu” on the Left and the other with the “Roaming_Start_Menu” on the Right.
I am going to select the items I want.
Then Copy them to the “Roaming_Start_Menu” on the Right. Then I will go into the Microsoft Office 2013 Folder and Windows Accessories Folder and clean out the items I don’t need based on my list previous stated.
Now I have my Default Roaming Profile Start Menu Master Folder.
Next Step is to copy the contents of this Folder into “default_user” profile Start Menu.So open up an Explorer window to the Following Path: C:\Users\default_user\AppData\Roaming\Microsoft\Windows\Start Menu\
Copy the Contents of “E:\Roaming_Start_Menu\” to “C:\Users\default_user\AppData\Roaming\Microsoft\Windows\Start Menu\”
Take a look in the Programs Folder as “default_user” is in the Local Administrators Group so it will have the Administrative Tools Folder even though it will be blank. Delete it.
Open up Computer Management > Expand Local Users and Groups, Select Users > default_user > remove it from the Administrators Group.
Check the Default User
Now go ahead and login as “default_user”
Now my Start Screen looks like this
The last thing I want to do is setup my Default Quick Launch. I want to Delete a few items and add a Few Items. So easiest way to grab the shortcuts I want is to open the Start Screen and right click Microsoft Word and Select Open File Location. Which will bring up this window.
Now we can setup the Default Quick Launch Icons the way we want them.
When I am don’t it looks like this
The Windows Items, like Notifications, Volume Icon, and Network can all be handled by GPO. But I want to disabled VMware and Citrix Provisioning Services Icon in the Default Profile.
Right now it looks like this
Now it looks like this. With some GPOs applied it would pretty much empty.
That is about it for setting up this Roaming Profile Image. Time to log off and save the profile.
LOCKING DOWN THE DEFAULT PROFILE
Only thing left now is to set this profile as the Default Profile on this Server.
Back to the Administrator Session, we need to do a few tasks to lock down our new Default Profile so that it is the Default Profile used when logging into this RDS/Citrix Server.
- Make a copy of the current “Default” Profile
- Rename “Default” Profile to “Default.old”
- Delete the “Default” Profile
- Rename “default_user” to “Default”
- Make a copy of “default_user” Folder and rename it to “Default”
- Set Permission on the new “Default” folder to “Everyone” with “Full Control”
- In the Security Tab we need to Force the changes to the security to all files in the new “Default” Folder
Make a Copy of the “Default” Profile and then Paste in Here. We already made an Original Backup of the Default Profile before we started the beginning of this article but this “Default Profile” has been modified so I make a backup of this as well.
Rename your Backup to “Default.old”
Delete the original “Default” Profile. Don’t worry you two backups.
Make a Copy of the “default_user” Folder and rename it to “Default”
Right Click “Default” Folder and select Properties
The Default Folders Properties will be shown. Go to the Security Tab > Click Advanced Button > Owner > Select: Change > Set: “Everyone” as Owner and then click OK>
Now back at the Advanced Security Settings for Default Screen Check the “Replace Owner On Subcontainers and Objects” Checkbox and the “Replace All Child Object Permission Entries With Inheritable Permission Entries From This Object” and then click Apply.
You will get a “Windows Security” Prompt and just say Yes. Then OK on the “Advanced Security Settings for Default” window.
Now back on the Default Properties windows click Edit > Select Everyone > Check Full Control and Modify and then Click OK> Then OK again.
You have just create your Default Roaming Profile for Microsoft RDS and Citrix XenApp and XenDesktop on Windows 2012 R2 for End Users.
New Programs being installed on the server in the future.
So now you have this clean Default Profile the way you want it forever. But eventually you may have to update the Default Profile to add new Programs.
You can do 2 things here and moving forward from a management standpoint depending on how you want to handle things. In the future you will eventually install new programs.
If those programs are going to be available to All Users, you can let those Start Menu Icons install into the Default Path at: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
The reason behind this is that if all users are going to have access to these programs then you customize the Start Menu for All User, remove added installed Shortcuts a Program may install, like Help Docs or anything else. This way users with existing profiles get the new Apps. I like this method as then I don’t have to do any Scripting. Years ago I would you KiXtart Login Scripts and you could automate this process. But these days I try to use Active Directory GPO’s instead of Login Scripts to do my Tasks instead of Login Scripts whenever possible. But that bring be to Option 2
You could use a Login Script like KiXtart Login Scripts to copy Shortcuts for newly Installed Programs over from the E:\ Drive over to the Users Start Menu at Login. This method also works great if you need to deploy Start Menu Applications based on Global Group. Which is inevitable at some point. But for this Article I am not going to get into this.
In an Environment where All End Users will have the same Applications Option 1 is great. In more complex environments Option 2 becomes a better way of doing things.
I will look into doing another article about using KiXtart Login Scripts to build Dynamic Start Menu’s based on Active Directory Global Groups in the future.
Thanks for reading my article, I hope it was helpful
This has been
Creating Default Roaming Profiles for Microsoft RDS and Citrix XenApp and XenDesktop on Windows 2012 R2 for End Users by Jesse Boehm
I am a big fan of Classic Shell, I have been using it since the Metro Theme was introduced. I never got onboard with the Windows 8 new menu system. Personally I think it is awful. I really don’t think it works well in a Remote Desktop Services, Citrix XenApp or Citrix XenDesktop Published Desktop Environment. I think it is big change for the End Users. I hear it every day how companies never went to Windows 8. But now they are moving to XenApp 7.6 or RDS 2012 R2 and they are going to have Published Desktops. Now they are going to have that Start Menu that they hated about Windows 8.
So this is my Free, Stable and very Customizable Solution to that. Well not mine since I didn’t event Classic Shell, I just integrated it into my Deployments. I have tested this over many hours and it works fantastic. Especially for Default Profiles where you want to really lock things down and give users that Windows 7 Menu or Windows Classic Menu.
I am going to go for the Classic Style Menu in this Default Profile Addendum. But you have three choices. So you can determine what you want if you choose to go the Classic Shell route.
The one thing that you do lose here which is tradeoff is some GPO Control of the Start Menu. But I am ok with that as I can match my GPO Lock Down of a Default User in my Default Profile and Configure my GPO Policy Permissions to match to make sure the permissions are the same.
Obviously this is a choice. That is why this is an Addendum and I didn’t make it part of the main article.
Assumptions about this Classic Shell Install
- Classic Shell 4.1.0 (Current Release Version)
- This is being installed on top of the system I just configured for Clean Default Roaming Profiles
- I am going to install Classic Shell
- I am not going to remove it from the All Users Start Menu till I am done. At which point I will add it to the E:\Backup_Start_Menu Folder.
- I am going to login as “default_user” and configure the Classic Style Start Menu and Save the Profile.
- I am going to update the “Default” Profile
With the Install we are going to do a Custom Install. Classic Shell has some added features that we don’t want. So we are going to Disable the Install of Classic Explorer, Classic IE and Classic Shell Update. The only thing we are installing is Classic Start Menu.
Now this is what the Default Start Menu looks like after Classic Shell is Installed.
We let install a Start Menu with the Install, this was needed for everything to work right. But now we want to delete the folder it created. Go to C:\ProgramData\Microsoft\Windows\Start Menu\ and Delete the second \Start Menu\ Folder
Right now it looks like this C:\ProgramData\Microsoft\Windows\Start Menu\Start Menu\
So Delete that second \Start Menu\ leaving just the “Programs” Folder. It will like this
Now we are going to Login as “default_user”
When we click the Start Button it will open the Classic Shell Start Up Options. We are going to select “Classic style”.
Now I am going to edit the menu and the settings so when I am done it will look like this
So we are still left with the Classic Shell Menu Item. That is fine we are going to remove that. But I want to Backup my settings now that I have configured everything.
So open up Classic Start Menu Settings > Click the Backup Drop Down Menu > Save to XML File which I am going to save to the Desktop and name RoamingProfile.xml.
From my Administrator Account I am going to drill down into the following path
C:\Users\default_user\Desktop\ and I am going to Cut the RoamingProfile.xml file and paste to the E:\ Drive and remove it from the “default_user” profile.
So now this is the new Desktop and Start Menu with Classic Shell on Windows 2012 R2.
From the Administrator account go to
Cut the \Classic Shell\ Folder and Paste in “E:\Backup_Start_Menu\Start Menu”
Now if you open the Start Menu on “default_user” Classic Shell Menu Item will be gone
Log off as “default_user”
Follow the steps to set the “default_user” profile to the “Default” profile in the original article and close your Roaming Profile.
That ends The Classic Shell Addendum