Wilco van Bragt - LinkeIn Wilco van Bragt - Twitter rssa 

Flex Profile Kit 5

 If you ever worked in a big SBC environment (especially in silo environments) you should noticed problems with roaming profiles. The profiles are corrupt or contains faulty settings. How do you fix it? Delete the profile and let create a new one is the only solution. A solution is to use mandatory profiles, where user settings are not saved. It works fantastically because it's fast, easy to manage and can not be corrupted. Unfortunately in current environments it is almost impossible to use only mandatory profiles. Too many applications nowadays depends on personal settings in the registry.

A way to solve this problems is to use the Flex Profile Kit (FPK) developed by Jeroen van de Kamp. The latest version 4.0.1 is just released in March 2005. In comparison with version 3 a lot of awesome features have been added. It is now possible to use FPK also for certificates, Window appearance, mouse and keyboard settings and support for passwords (just like Jumping Profiles). Additional Features are the use of compression, support for silo's or server groups, easier configuration and better deployment. The FPK is still based on the Microsoft Profile Wizard tool, but is extended with additional tools and scripts to make the improvements possible.

Installation

To work with the Flex Framework within FPK (and in this way use all the new features and improvement) you need to install a small program on all your Terminal Servers. The installation itself just needs one parameter; the destination location where to install the program. Because the installation is an MSI file, this part can be easily made silent/unattended using the MSIEXEC command. Second you need a set up a (fault tolerant) share where you place the configuration files of the FPK. These configuration files are available in one zip file, just unpack this zip file in the share and installation is finished.

Configuration

Also this version of the FPK is shipped with a pretty good manual. The configuration process is described step by step in this manual.
Besides the configuration of the INI files for saving the user registry settings, a new INI file is introduces to configure the Flex Framework.

After creating a mandatory profile and folder redirection (using policies) you need to configure the INI files for saving the user registry. These steps are not changed in comparison with version 3. So you need to look up the needed registry keys. A big advantage in comparison with for example WTSProfiles is that you only need to specify a key, all values and sub keys are automatically saved (or loaded) as well.
For example for Outlook this could be the INI file:
[Header]
Version = 11.0
Product = Microsoft Office 11.0

[IncludeRegistryTrees]
HKCU\Software\Microsoft\Office\9.0\Outlook
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem
HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\Outlook

To setup these INI files there are two methods. One method is setup one INI file for all applications where the registry settings need to be saved or create a separate INI file for each application. The advantage of the latest option is that if one setting gets corrupt, only that application settings are effected. Using IF in-group statements or NTFS permissions (the manual advises to use NTFS permissions because this is fastest methodology)  it's possible to use this settings on actual usage of the application.

New is the configuration of the Flex Framework INI file. Within this INI file all new features (like saving/loading Windows appeareance, keyboard/mouse settings, certicates, compression and so on) can be turned on or off. Also you can configure the logging level of the Flex Framework and Profile Wizard logging. Partly sample configuration of Flex Framework INI file.


; >>> FLEX_FRAMEWORK CONFIGURATION FILE <<<
; Like any other INI file, ensure there are no trailing spaces at the end of each setting!

; In the section [MAIN] features of the framework can be enabled or disabled with a "1" or "0"
[MAIN]

; To enable the use of Windows appearance settings with Flex Profiles configure REFRESH_WINDOWS_APPEARANCE=1. This will launch Dennis Damen's FlexRefresh and loaded appearance settings are activated.
REFRESH_WINDOWS_APPEARANCE=1

; Like Windows appearance settings the keyboard and mouse settings need to be activated by a refresh. With these options the Keyboard & Mouse settings become user specific instead of client specific.
REFRESH_KEYBOARD=1
REFRESH_MOUSE=1

; With the ENABLE_PASSWORDS setting the Flex Framework will create a key in HKCU\Software\Microsoft\Protected Storage System Provider\[SID of the User]. Since it already exists Windows does not need to create this key with only permissions for System account.
ENABLE_PASSWORDS=0

; To enable the limited use of (web-) Certificates set ENABLE_CERTIFICATES=1. In addition, it is essential to configure permissions to HKLM\Software\Microsoft\Windows NT\Currentversion\Profilelist for users. Normally, users only have read access here. Enable the special permission "set value" for "Authenticated Users" on that key. This allows the Framework to spoof the profile state to a "Roaming Profile" during logon. Only Roaming or Local Profiles are allowed to store a certificate. During Logoff the Framework configures the profile back to a "Mandatory Profile" to prevent Windows from trying to save the profile.
; Root certificates are not supported. This is a typical limitation amongst profile alternatives, and not only of FPK. It is possible to distribute a root certificate through group policies.
ENABLE_CERTIFICATES=0

In version 5 for above mentioned configuration now also a GUI is available.

New is the possibility to setup in a very simple way server group settings or silo settings. Within the folder ProfileSettings (where all Profile Wizard INI are stored) there is option to create additional folders. In these folder you set specific settings for a server group or a silo in the same way you configured the INI files. With the value SERVERTYPE (which can be a system variable or registry value) Flex define which INI files need to be read or which OPS files need to be loaded. If SERVERTYPE is not defined the INI file straight in the ProfileSettings directory will be used, if SERVERTYPE is defined as one of the directory names within ProfileSettings FPK will use the INI files in that particular directory. 

Image

The last configuration step is to accomplish that FPK will be run during the login and logoff process. In contrast with version 3 this all configuration settings are now done executed with one simple command line. This command line can be put in a logon/logoff script or whatever tool or script runs during the logon/logoff process. The command line could be CSCRIPT /NOLOGO "%PROGRAMFILES%\Flex Framework\Flex_Framework.vbs" LOGON "\\SERVER\SHARE\Flex_Config"

Management




Within the Flex Framework configuration file you can specify an error level for the Framework and Profile Wizard. Depending which settings you configured the user gets messages when an error occurred. Use some of the settings only when troubleshooting, because excessive error messages slow down the logon/logoff process or can cause orphaned sessions. It would-be nice if there was a possibility to enable the logging of the complete process in some kind of log file during normal operations. This could make trouble shooting easier, without changing the level of error message presented to the user.

User experience

Users which already using mandatory profiles with a profile product/solutions will love the new version of FPK. Settings which are not retained in previous versions of FPK or most other profile products are now saved and back in place the next time they logon. Users will hardly notice that their (profile)settings are retained in a other way than roaming profiles.

Conclusion

With this new version it is now possible to save and restore almost every necessary setting which normally would be only available using roaming profiles concerning application and windows settings. Version 5 adds even more new features. The most other profile products offers more settings to configure like hiding drive letters, setting up default printers and so on, but most of these settings can be arranged in some other ways like GPO's and Folder redirection. The Flex Profile Kit acts exactly for those settings you really need such product the most. The Flex Profile Kit is easy to install and configure, only needs a simple share (no databases) and also is still is freeware. FPK is simply one of the best products available in the profile market.

Advantages:
- Beside registry savings FPK support all kind of advanced features
- Now with a GUI, which makes implementation even easier
- The software is available for free

Disadvantages:
- Freeware, so no official support
- There are situation reported that the tool crashes

Flex Profile Kit