Those of you who have worked in large server-based computing environments have probably come across problems with roaming profiles, especially when silos are used. Often times the profiles become corrupt or are found to contain faulty settings. All too often the “fix” to this problem is to delete the profile and let a new one be created. Another solution is to use mandatory profiles where user settings are not saved. Mandatory profiles are usually very fast. They’re easy to manage and do not become corrupt. Unfortunately it’s almost impossible to use only mandatory profiles in today’s world. Too many applications depend on personal settings for each user in the registry.
One way to solve this problem is to use the Flex Profile Kit (FPK) developed by Jeroen van de Kamp. The latest version 4.0.1 was released in March 2005. Many new features have been added when compared to Version 3. For example, it’s now possible to use the FPK to manage certificates, window appearance, mouse and keyboard settings, and passwords (just like Jumping Profiles). Additional new features include the use of compression, support for silos or server groups, easier configuration, and better deployment. Like in previous versions, the new FPK is based on the Microsoft Office Profile Wizard tool, with additional tools and scripts enabling the new functionality.
Installation
To use the FPK, you must install the “Flex Framework” on each of your Citrix MetaFrame or Microsoft Terminal Servers. This is simply a small program that only requires a single parameter—the destination installation folder. Because the installation is an MSI file, this part can be easily made silent/unattended using the MSIEXEC command. Once this is installed, all you need to do is set up a (fault tolerant) fileshare where you place the configuration files of the FPK. These configuration files are available in one zip file—just expand this zip file to the share and the installation is finished!
Configuration
This version of the FPK comes with a pretty good manual which provides a step-by-step description of the configuration process. As with previous versions, the FPK uses INI files that specify which registry keys should be backed up for a user when that user logs off. The FPK4 also uses a new INI file to configure the Flex Framework.
After creating a mandatory profile and configuring folder redirection (using policies), you need to configure the INI files for saving the user registry entries. (Again these steps are no different than with Version 3.) This means that you need to look up the required registry keys for each application. One of the nice things here is that you only need to specify a key, and all values and subkeys are automatically saved (or loaded) as well. For example, this could be the INI file for Outlook:
[Header]
Version = 11.0
Product = Microsoft Office 11.0
[IncludeRegistryTrees]
HKCU\Software\Microsoft\Office\9.0\Outlook
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem
HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\Outlook
There are two ways to set up these INI files for the FPK. One method is to configure one INI file for all applications where the registry settings need to be saved. Alternatively, you could create a separate INI file for each application. The advantage of the second option is that if one setting becomes corrupt, only that application’s settings are affected. Using IF INGROUP statements or NTFS permissions (the manual advises using NTFS permissions because this is the fastest method), it’s possible to apply these settings based on actual usage of the application.
As mentioned earlier, one of the new features of the FPK4 is the Flex Framework. The Flex Framework is used to configure deep Windows settings that apply across all applications for a user. This includes things like loading/saving Windows appearances, keyboard and mouse settings (including swapping mouse buttons), certificates, compression, and so on. The Flex Framework is also configured via a simple INI file (partially shown below). This INI file also lets you configure error message detail levels.
; >>> FLEX_FRAMEWORK CONFIGURATION FILE <<<
; Like any other INI file, ensure there are no trailing spaces at the end of each setting!
; In the section [MAIN] features of the framework can be enabled or disabled with a "1" or "0"
[MAIN]
; To enable the use of Windows appearance settings with Flex Profiles configure REFRESH_WINDOWS_APPEARANCE=1. This will launch Dennis Damen's FlexRefresh and loaded appearance settings are activated.
REFRESH_WINDOWS_APPEARANCE=1
; Like Windows appearance settings the keyboard and mouse settings need to be activated by a refresh. With these options the Keyboard & Mouse settings become user specific instead of client specific.
REFRESH_KEYBOARD=1
REFRESH_MOUSE=1
; With the ENABLE_PASSWORDS setting the Flex Framework will create a key in HKCU\Software\Microsoft\Protected Storage System Provider\[SID of the User]. Since it already exists Windows does not need to create this key with only permissions for System account.
ENABLE_PASSWORDS=0
; To enable the limited use of (web-) Certificates set ENABLE_CERTIFICATES=1. In addition, it is essential to configure permissions to HKLM\Software\Microsoft\Windows NT\Currentversion\Profilelist for users. Normally, users only have read access here. Enable the special permission "set value" for "Authenticated Users" on that key. This allows the Framework to spoof the profile state to a "Roaming Profile" during logon. Only Roaming or Local Profiles are allowed to store a certificate. During Logoff the Framework configures the profile back to a "Mandatory Profile" to prevent Windows from trying to save the profile.
; Root certificates are not supported. This is a typical limitation amongst profile alternatives, and not only of FPK. It is possible to distribute a root certificate through group policies.
ENABLE_CERTIFICATES=0
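The ENABLE_CERTIFICATES comment above asks for a "set value" grant to Authenticated Users on the ProfileList key. The following PowerShell is an added example, not part of the FPK or its manual, that lists which principals hold write-type rights on that key and its per-user subkeys so the grant can be reviewed after it is made; the function name and the baseline list are assumptions.

```powershell
# Added example, not part of the Flex Profile Kit.
# Lists Allow ACEs that grant write-type rights on ProfileList and its per-SID subkeys.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Assumed baseline of principals that normally hold write access; adjust to your build.
$BaselineWriters = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'

$R = [System.Security.AccessControl.RegistryRights]
$SetValue = [int]$R::SetValue
# Specific write-type rights plus GENERIC_WRITE / GENERIC_ALL, which appear on inherit-only ACEs.
$WriteMask = [int]($R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
                   $R::ChangePermissions -bor $R::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function Get-ProfileListWriteAce {
    param([string]$Path = $KeyPath)

    # The key itself, then each per-user subkey (where the profile State value lives).
    $targets = @($Path) + @(Get-ChildItem -Path $Path | ForEach-Object { $_.PSPath })

    foreach ($target in $targets) {
        foreach ($ace in (Get-Acl -Path $target).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $granted = [int]$ace.RegistryRights -band $WriteMask
            if ($granted -eq 0) { continue }

            [pscustomobject]@{
                Key            = Split-Path -Path $target -Leaf
                Identity       = $ace.IdentityReference.Value
                WriteRights    = [System.Security.AccessControl.RegistryRights]$granted
                # True when the ACE grants more than the "set value" right the FPK comment asks for.
                BeyondSetValue = ($granted -band (-bnot $SetValue)) -ne 0
                Inherited      = $ace.IsInherited
                InBaseline     = $BaselineWriters -contains $ace.IdentityReference.Value
            }
        }
    }
}

# Show only the entries that are not part of the assumed baseline.
Get-ProfileListWriteAce | Where-Object { -not $_.InBaseline } | Format-Table -AutoSize
```

With ENABLE_CERTIFICATES configured as described, the expected non-baseline result is Authenticated Users with `BeyondSetValue` false; any other row is a grant the FPK comment does not call for.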
One of the new features of the FPK4 is the ability to set up server group (or silo) settings. To do this, you create subfolders under the main “ProfileSettings” folder that holds the centralized INI configuration files. Then you set specific settings for the server groups in INI files in the subfolders.
When member Terminal Servers running the Flex Framework look for their configuration settings, they’ll first check to see if a local system variable or registry value (called “SERVERTYPE”) is set that specifies where they should look for their configuration settings. If a registry value is used, you can even configure this via Group Policy, meaning that all you have to do to configure your server is drag and drop it into the proper OU!
The last configuration step is to set FPK to run during the login and logoff process. In contrast with Version 3, this configuration is now done with one simple command line. This command line can be put in a logon/logoff script or whatever tool or script runs during the logon/logoff process. The command line could be:
CSCRIPT /NOLOGO "%PROGRAMFILES%\Flex Framework\Flex_Framework.vbs" LOGON "\\SERVER\SHARE\Flex_Config"
Management
The Flex Framework configuration file lets you specify an error level for the Framework and Profile Wizard. Depending on which settings you configure, the user gets messages when errors occur. Some of these verbose settings should only be used when troubleshooting because excessive error messages slow down the logon/logoff process or can cause orphaned sessions. It would be nice if it were possible to log the complete process to some kind of log file during normal operations. This could make troubleshooting easier without changing the level of error messages presented to the user.
User experience
Users who are already using mandatory profiles with a profile solution will love the new version of FPK. Settings which were not retained in previous versions of FPK or most other profile products are now saved and back in place the next time they log on. Users will hardly notice that their (profile) settings are retained in another way than roaming profiles.
Conclusion
With this new version it’s now possible to save and restore almost every necessary setting which normally would be only available using roaming profiles. While most other profile products offer more settings to configure through a GUI, like hiding drive letters or setting up default printers, this can all be done with the FPK using a combination of INI files, GPO, and folder redirection. The Flex Profile Kit is easy to install and configure, only needs a simple share (no databases), and is still freeware. The FPK is simply one of the best products available in the profile market.