Citrix User Profile Manager: How Registry Exclusion Lists Can Mess Up Group Policy Processing

Helge Klein, 02/25/2009 | 8 Comments | 33,083 Views

The documentation of Citrix User Profile Manager (UPM, for short) recommends excluding the following registry keys from processing:

HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

The net effect of this is that the Citrix profiles managed by UPM do not contain any policy settings. The reasoning behind this: policies are reapplied during the next logon anyway, so there is no reason to waste CPU cycles synchronizing such "redundant" information.

Unfortunately, nobody had taken the group policy engine's own optimizations into account.
Policy processing is relatively costly in terms of performance. It is only logical to try and reduce the number of times policies need to be applied. Since policies are relatively static compared to the frequency of user logons, it makes sense to cache the policy settings in the user profile. That is exactly what the group policy engine does.

Actual settings are cached in the two registry keys mentioned above. What is still missing, though, is a way to detect new or changed policies in the domain. The policy engine thus needs to cache metadata on the applied GPOs in addition to the settings stored in those GPOs. Group policy metadata is stored in another area of the user's registry hive:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy

Where is the Problem?

We have two locations containing data that relates to each other. Storing only one part of it and dropping the other breaks the group policy engine's caching mechanism.

If HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy is present but HKEY_CURRENT_USER\Software\Policies is not, the engine thinks all policy information is present in the user profile whereas in reality it is not. As a result, policies effectively are not applied any more.

How to Fix it

Either exclude all three registry paths from processing by UPM or none of them. I recommend the latter, which leaves the group policy engine's caching mechanism intact.

Wrap Up

Do not put any of these paths on UPM's registry exclusion list:

Software\Policies
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Group Policy

Note: The above paths are in the notation UPM expects (without the "HKEY_CURRENT_USER" prefix).
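The following PowerShell is an added example, not part of the original article or of UPM itself. It checks a UPM registry exclusion list for the "all three or none" rule given above, and checks the current user's hive for the broken state described earlier (Group Policy metadata cached, but the policy settings keys missing). The exclusion list is assumed to be supplied as plain strings in UPM's notation; how you read it out of your own UPM configuration is not covered here.

```powershell
# Added example (not from the article or from Citrix UPM).
# Assumption: $ExclusionList holds the entries of UPM's registry exclusion list
# in UPM notation, i.e. without the "HKEY_CURRENT_USER" prefix.

$PolicyCachePaths = @(
    'Software\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies'
)
$PolicyMetadataPath = 'Software\Microsoft\Windows\CurrentVersion\Group Policy'

function Test-UpmExclusionConsistency {
    # Returns $true when either none or all three policy paths are excluded.
    param([string[]]$ExclusionList)
    $all = $PolicyCachePaths + $PolicyMetadataPath
    # -contains compares case-insensitively, which matches registry semantics.
    $excluded = @($all | Where-Object { $ExclusionList -contains $_ })
    if ($excluded.Count -eq 0 -or $excluded.Count -eq $all.Count) {
        return $true
    }
    Write-Warning ("Inconsistent UPM exclusion list: {0} of {1} policy paths excluded: {2}" `
        -f $excluded.Count, $all.Count, ($excluded -join '; '))
    return $false
}

function Test-PolicyCacheState {
    # Run inside the user's session. Metadata present but settings keys absent
    # is the state in which the engine believes the policies are already applied.
    $metadataCached = Test-Path "HKCU:\$PolicyMetadataPath"
    $missing = @($PolicyCachePaths | Where-Object { -not (Test-Path "HKCU:\$_") })
    if ($metadataCached -and $missing.Count -gt 0) {
        Write-Warning ("Group Policy metadata is cached but settings keys are missing: {0}" `
            -f ($missing -join '; '))
        return $false
    }
    return $true
}

# Constructed sample list: the two settings keys excluded, metadata key kept,
# i.e. the configuration the article warns about. Expected result: $false plus a warning.
$sampleExclusions = @(
    'Software\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies',
    'AppData\Local\Temp'
)
Test-UpmExclusionConsistency -ExclusionList $sampleExclusions
Test-PolicyCacheState
```

Test-PolicyCacheState is an indicator rather than proof: a user to whom no user policies apply at all may legitimately lack the settings keys, so read its warning together with the exclusion-list result.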


8 responses for "Citrix User Profile Manager: How Registry Exclusion Lists Can Mess Up Group Policy Processing"


Hello Helge

Hmm.... interesting. A Citrix support case we opened on this topic was answered differently last week.
The following entry should be added to the registry exclusion list:
Software\Microsoft\Windows\CurrentVersion\Group Policy

Your explanation seems more sensible to me, though. (Better performance)
So which is correct now?

Regards, Christian


To the non-Germanic readers:

The question was which of the two solutions presented in the article is the "better" one.

I think I have answered the question in the article:

"Either exclude all three registry paths from processing by UPM or none of them. I recommend the latter, which leaves the group policy engine’s caching mechanism intact."


Hello,

Although the settings were OK with version 1, deleting these 3 keys as suggested made my GPO work again with V2.

Software\Policies
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Group Policy

Thank you!


Helge,

there is hard proof that removing the policy keys from the exclusions list is the proper fix, because I tested adding the third key at a customer. Although group policy processing was fixed for Software\Microsoft\Windows\CurrentVersion\Policies, the key Software\Policies did not exist, resulting in "fewer settings" being applied ;-)

To cut a long story short: Remove both keys from the exclusion list. Just like you recommended.

Thanks for the resolution,
Nicholas


Hello,

I'm having the same type of issues and have tried everything. Here is my exact issue: Everything works great when the profile is first created. However, if I change the GPO to add a directory or file sync (outside the profile) it does not happen. The log file on the PC and the .ini file created in the profile by UPM 2.0.1 both show the entries, so I know that the service is reading the GPO... however, the files/directories never get created. Changes within the profile work fine. We get no errors anywhere and see no denies in FileMon on the profile store side of it. If I delete the profile and log back in, everything is fine once again with the current changes.

I'm not excluding any of the 3 policy keys and I've set various GPO settings to force GPO to process even if there are no changes. This is happening with both versions of UPM. We are provisioning physical desktops with XP via PVS 5.0. Any thoughts on what is missing?

Casey


Casey,
the problem you have described is different from the one outlined in the article (user policies not being processed at all). I suggest you either post in the UPM forum or open a support case with Citrix.


Hi Helge,

I don't have any of the group policy hives in my exclusion list, but I still have problems with logon scripts embedded in a GPO.

See my post in the Citrix Forum: http://forums.citrix.com/thread.jspa?messageID=1461460&

Regards

Csaba
IT-Support DIS AG


I had the exact same problems with UPM 2.x and this page fixed everything with WinXP. Thank you. Now I am trying to upgrade to UPM 3.x and am having the problems again with Windows 7; I have tried excluding the 3 registry paths and also excluding none of them. If anyone has any ideas, please post. Here is my post on the Citrix forum: http://forums.citrix.com/thread.jspa?messageID=1510305&