In almost all XenApp and XenDesktop environments I build, I solve user virtualization with AppSense Personalization and local profiles.
AppSense Personalization allows you to virtualize and personalize the user desktop without the need for a roaming profile, and by using AppSense Personalization together with local profiles you get some big advantages over roaming and mandatory profiles:
- Fast logon and logoff times (no profile has to be loaded over the network)
- No profile corruption
- No manual mandatory profile creation
- No “hung” profiles
The only drawback of using local profiles is that they are not automatically deleted from the server or desktop when the user logs off, but this is where spoofing the state of the local profile with PowerShell comes in.
If you made your users members of the local Guests group, the problem would be solved: Windows automatically deletes local profiles of guest users at logoff.
Unfortunately, it's not that simple, because being a guest user on a system has some limitations, for example not being able to use and manage certificates.
The trick is to make Windows believe you are a guest user only at logoff, so the local profile will be deleted automatically.
You can achieve this by spoofing the local profile state with a PowerShell script:
```powershell
# Spoof Profile State Script
# Created by Michel Stevelmans - http://www.michelstevelmans.com

# Get SID of the current user
$SID = ([Security.Principal.WindowsIdentity]::GetCurrent()).User.Value

# Set the state of the local profile to guest
Set-ItemProperty -path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\$SID\" -name State -value 128
```
Because the script requires the user to change the value of a local machine key, you must give the user permissions on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
Of course, you can change these permissions locally or in your vDisk, but I prefer to use group policy:
Notice the following parameter for powershell.exe:
By setting this parameter you completely bypass the PowerShell execution policy, which eliminates the need for changing the default restricted execution policy (with the
Hopefully soon AppSense will let us use PowerShell as a custom action like they already do with VBScript and JScript (If you are reading AppSense: this is a feature request!), but for now stick with the execute action.
When a user logs off now, all settings are saved in AppSense Personalization and the local profile will be deleted from the server or desktop… Great!
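A permission on ProfileList that the script can use has to inherit to the per-SID subkeys, so it covers every profile entry under that key, not only the caller's own. The following read-only audit is an added example (not the author's code) that lists who holds write-type rights on ProfileList and which profiles currently carry the guest State bit; the function names are hypothetical and the list of expected SIDs is an assumption about a stock Windows install.

```powershell
# Added example: read-only audit, changes nothing on the machine.
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$GuestBit    = 0x80   # 128, the State value written by the script above

# Rights that let a principal alter values or subkeys under the key.
$WriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

# Assumption: principals expected to hold write access on a stock install
# (SYSTEM, Administrators, TrustedInstaller, CREATOR OWNER).
$Expected = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464',
    'S-1-3-0'
)

function Get-ProfileListWriters {
    # Allow rules on ProfileList granting write-type rights outside $Expected.
    $acl     = Get-Acl -Path $ProfileList
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $isAllow  = $rule.AccessControlType -eq 'Allow'
        $canWrite = ([int]$rule.RegistryRights -band $WriteMask) -ne 0
        if ($isAllow -and $canWrite -and $Expected -notcontains $rule.IdentityReference.Value) {
            [pscustomobject]@{
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

function Get-GuestFlaggedProfile {
    # Profiles whose State value currently has the guest bit set.
    foreach ($key in Get-ChildItem -Path $ProfileList) {
        $p = Get-ItemProperty -Path $key.PSPath
        if ($null -ne $p.State -and ($p.State -band $GuestBit)) {
            [pscustomobject]@{
                Sid   = $key.PSChildName
                Path  = $p.ProfileImagePath
                State = '0x{0:X}' -f $p.State
            }
        }
    }
}

Get-ProfileListWriters  | Format-Table -AutoSize
Get-GuestFlaggedProfile | Format-Table -AutoSize
```

Any SID in the first table that maps to a broad group such as Users or Domain Users means every member of that group can edit every profile entry on the machine.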
Update 20 November 2011:
AppSense released Environment Manager 8.2 last week, which includes native PowerShell support (thanks for listening to my feature request, guys).
You don’t have to make a custom action which calls my PowerShell script anymore. Instead just copy and paste my PowerShell script into a PowerShell custom action like this:
Apparently the PowerShell custom action bypasses your system's execution policy, which means Environment Manager can run scripts without you having to lower your system's execution policy, great!