User Profiles
A user profile is a collection of folders and data files that contain the elements of your desktop environment that make it uniquely yours. Settings include:
Shortcuts in your Start menu, on your desktop, and in your Quick Launch bar
Documents on your desktop and, unless redirection is configured, in your My Documents folder
Tip
The properties of the My Documents folder, and the Folder Redirection policies in group policy, enable you to redirect My Documents so that it targets a network folder. This best practice allows the contents of a user’s My Documents folder to be stored on a server, where they can be backed up, scanned for viruses, and made available to users throughout the organization, should they utilize a system other than their normal desktop. My Documents can also be made available offline, so that users have access to their files even when they are not connected to the network.
Internet Explorer favorites and cookies
Certificates (if implemented)
Application-specific files, such as the Microsoft Office custom user dictionary, user templates, and autocomplete list
My Network Places
Desktop display settings, such as appearance, wallpaper, and screensaver
These important elements are specific to each user. It is desirable that they are consistent between logons, available should the user need to log on to another system, and resilient in the event that the user’s system fails and must be reinstalled.
Local User Profiles
By default, user profiles are stored locally on the system in the %Systemdrive%\Documents and Settings\%Username% folder. They operate in the following manner:
When a user logs on to a system for the first time, the system creates a profile for the user by copying the Default User profile. The new profile folder is named based on the logon name specified in the user’s initial logon.
All changes made to the user’s desktop and software environment are stored in the local user profile. Each user has an individual profile, so settings are user-specific.
The user environment is extended by the All Users profile, which can include shortcuts on the desktop or Start menu, network places, and even application data. Elements of the All Users profile are combined with the user’s profile to create the user environment. By default, only members of the Administrators group can modify the All Users profile.
The profile is truly local. If a user logs on to another system, the documents and settings that are part of their profile do not follow the user. Instead, the new system behaves as outlined here, generating a new local profile for the user if it is the user’s first time logging on to that system.
Roaming User Profiles
If users work at more than one computer, you can configure roaming user profiles (RUPs) to ensure that their documents and settings are consistent no matter where they log on. RUPs store the profile on a server, which also means that the profiles can be backed up, scanned for viruses, and controlled centrally. Even in environments where users do not roam, RUPs provide resiliency for the important information stored in the profile. If a user’s system fails and must be reinstalled, an RUP will ensure that the user’s environment is identical on the new system to the one on the previous system.
To configure an RUP, create a shared folder on a server. Ideally, the server should be a file server that is frequently backed up.
Note
Be sure to configure share permissions allowing Everyone Full Control. The Windows Server 2003 default share permissions allow Read, which is not sufficient for a roaming profile share.
On the Profile tab of the user’s Properties dialog box, type the Profile Path in the format: \\<server>\<share>\%Username%. The %Username% variable will automatically be replaced with the user’s logon name.
It’s that simple. The next time the user logs on, the system will identify the roaming profile location.
Tip
Roaming user profiles are nothing more than a shared folder and a path to the user’s profile folder, within that share, entered into the user object’s profile path property. Roaming profiles are not, in any way, a property of a computer object.
When the user logs off, the system will upload the profile to the profile server. The user can now log on to that system or any other system in the domain, and the documents and settings that are part of the RUP will be applied.
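The share and profile-path steps above, scripted as an added example that is not part of the original text: it assumes the SmbShare and ActiveDirectory PowerShell modules (Windows Server 2012 or later), uses placeholder server, folder and user names, and the NTFS permissions it sets on the share root are added practice beyond what the text states.

```powershell
# Added example: build a roaming-profile share and point a user object at it.
# Assumes the SmbShare and ActiveDirectory modules; names are placeholders.
$ProfileRoot = 'D:\Profiles'        # folder on the (frequently backed up) file server
$ShareName   = 'Profiles'
$Server      = $env:COMPUTERNAME    # run this on the file server itself

New-Item -Path $ProfileRoot -ItemType Directory -Force | Out-Null

# Share permissions: Everyone Full Control, as the Note above requires.
# The default Read share permission is not enough for a profile share.
New-SmbShare -Name $ShareName -Path $ProfileRoot -FullAccess 'Everyone' | Out-Null

# NTFS permissions on the share root do the real access control (added
# practice, not from the text): users may only create their own folder,
# and the creator then owns that folder exclusively.
icacls $ProfileRoot /inheritance:r `
    /grant 'Administrators:(OI)(CI)F' `
    /grant 'SYSTEM:(OI)(CI)F' `
    /grant 'CREATOR OWNER:(OI)(CI)(IO)F' `
    /grant 'Users:(RD,AD)' | Out-Null

# Profile path on the user object, in the \\<server>\<share>\<username>
# form; the %Username% placeholder from the text is expanded here so the
# stored attribute is an unambiguous path.
function Set-RoamingProfilePath {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $ShareName
    )
    $path = "\\$Server\$ShareName\$SamAccountName"
    Set-ADUser -Identity $SamAccountName -ProfilePath $path
    return $path
}

Set-RoamingProfilePath -SamAccountName 'jdoe' -Server $Server -ShareName $ShareName
```

The share permission is deliberately wide because the per-user folder ACL, set when the profile is first created or copied, is what actually keeps one user out of another’s profile.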
Note
Windows Server 2003 introduces a new policy: Only Allow Local User Profiles. This policy, linked to an OU containing computer accounts, will prevent roaming profiles from being used on those computers. Instead, users will maintain local profiles.
When a user with an RUP logs on to a new system for the first time, the system does not copy its Default User profile. Instead, it downloads the RUP from the network location. When a user logs off, or when a user logs on to a system on which they’ve worked before, the system copies only files that have changed.
Unlike previous versions of Microsoft Windows, Windows 2000, Windows XP, and Windows Server 2003 do not upload and download the entire user profile at logoff and logon. Instead, the user profile is synchronized. Only files that have changed are transferred between the local system and the network RUP folder. This means that logon and logoff with RUPs are significantly faster than with earlier Windows versions. Organizations that have not implemented RUPs for fear of their impact on logon and network traffic should reevaluate their configuration in this light.
Creating a Preconfigured User Profile
You can create a customized user profile to provide a planned, preconfigured desktop and software environment. This is helpful to achieve the following:
Provide a productive work environment with easy access to needed network resources and applications
Remove access to unnecessary resources and applications
Simplify help desk troubleshooting by enforcing a more straightforward and consistent desktop
No special tools are required to create a preconfigured user profile. Simply log on to a system and modify the desktop and software settings appropriately. It’s a good idea to do this as an account other than your actual user account so that you don’t modify your own profile unnecessarily.
Once you’ve created the profile, log on to the system with administrative credentials. Open System from Control Panel, click the Advanced tab, and then click Settings in the User Profiles frame. Select the profile you created, and then click Copy To. Type the Universal Naming Convention (UNC) path to the profile in the format: \\<server>\<share>\<username>. In the Permitted To Use section, click Change to select the user for whom you’ve configured the profile. This sets the ACL on the profile folder to allow access to that user. Figure 1 shows an example. Click OK and the profile is copied to the network location.
Note
You must be a member of the Administrators group to copy a profile.
Finally, open the properties of the user object and, on the Profile tab, enter the same UNC path in the Profile Path field. Voilà! The next time that user logs on to a domain computer, that profile will be downloaded and will determine his or her user environment.
Tip
With preconfigured roaming profiles, or any roaming profiles, be careful to pay attention to potential issues related to different hardware on the systems to which a user logs on. For example, if desktop shortcuts are arranged assuming XGA (1024x768) resolution, and the user logs on to a system with a display adapter capable of only SVGA (800x600) resolution, some shortcuts may not be visible. Profiles are also not fully cross-platform. A profile designed for Windows 98 will not function properly on a Windows Server 2003 system. You will even encounter inconsistencies when roaming between Windows Server 2003 systems and Windows XP or Windows 2000 Professional.
Creating a Preconfigured Group Profile
Roaming profiles enable you to create a standard desktop environment for multiple users with similar job responsibilities. The process is similar to creating a preconfigured user profile except that the resulting profile is made available to multiple users.
Create a profile using the steps outlined above. When copying the profile to the server, use a path such as: \\<server>\<share>\<group profile name>. You must grant access to all users who will utilize the profile, so, in the Permitted To Use frame, click Change and select a group that includes all the users, or the BUILTIN\USERS group, which includes all domain users. The only users to whom the profile will actually apply are those for which you configure the user object’s profile path.
After copying the profile to the network, you must configure the profile path for the users to whom the profile will apply. Windows Server 2003 simplifies this task, in that you can multiselect users and change the profile path for all users simultaneously. Type the same UNC that you used to copy the profile to the network, for example, \\<server>\<share>\<group profile name>.
Tip
The profile path is configured as a property of one or more user objects. It is not assigned to a group object. Although the concept is that of a group profile, do not fall into the trap of associating the profile with a group object itself.
Finally, because more than one user will be accessing a group profile, you must make a group profile mandatory, as described in the following section.
Configuring a Mandatory Profile
A mandatory profile does not allow users to modify the profile’s environment. More specifically, a mandatory profile does not maintain changes between sessions. Therefore, although a user can make changes, the next time the user logs on, the desktop will look the same as the last time he or she logged on. Changes do not persist.
Mandatory profiles can be helpful in situations in which you want to lock down the desktop. They are, in a practical sense, critical when you implement group profiles because you obviously don’t want the changes one user makes to affect the environments of other users.
To configure a profile as mandatory, simply rename a file in the root folder of the profile. Interestingly, mandatory profiles are not configured through the application of permissions. The file you need to rename is Ntuser.dat. It is a hidden file, so you must ensure that you have selected “Show hidden files and folders” in the Folder Options program in Control Panel, or use attrib from the command line to remove the Hidden attribute. You may also need to configure Windows Explorer to display file extensions.
Locate the Ntuser.dat file in the profile you wish to make mandatory. Rename the file to Ntuser.man. The profile, whether roaming or local, is now mandatory.
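The group profile assignment and the mandatory-profile rename from the two sections above, as an added PowerShell example that is not part of the original text: it assumes the ActiveDirectory module, and the group, server and share names are placeholders. It refuses to point users at a shared profile that is still writable, since that is exactly the case where one user’s changes would leak into everyone else’s environment.

```powershell
# Added example: make a profile mandatory and assign it to every member of an
# AD group. Assumes the ActiveDirectory module; all names are placeholders.

function Test-MandatoryProfile {
    param([Parameter(Mandatory)] [string] $ProfilePath)
    # A mandatory profile has its registry hive named Ntuser.man, not Ntuser.dat.
    # .NET file checks ignore the Hidden attribute that hides the file in Explorer.
    $man = Join-Path $ProfilePath 'Ntuser.man'
    $dat = Join-Path $ProfilePath 'Ntuser.dat'
    return ([System.IO.File]::Exists($man) -and -not [System.IO.File]::Exists($dat))
}

function ConvertTo-MandatoryProfile {
    param([Parameter(Mandatory)] [string] $ProfilePath)
    $dat = Join-Path $ProfilePath 'Ntuser.dat'
    $man = Join-Path $ProfilePath 'Ntuser.man'
    # The rename from the text; Move works on the hidden file without attrib -h.
    if ([System.IO.File]::Exists($dat) -and -not [System.IO.File]::Exists($man)) {
        [System.IO.File]::Move($dat, $man)
    }
    return (Test-MandatoryProfile -ProfilePath $ProfilePath)
}

function Set-GroupRoamingProfile {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $ProfilePath   # \\<server>\<share>\<group profile name>
    )
    if (-not (Test-MandatoryProfile -ProfilePath $ProfilePath)) {
        throw "Refusing: $ProfilePath is not mandatory; rename Ntuser.dat to Ntuser.man first."
    }
    # The path is a property of each user object, never of the group object itself.
    $members = @(Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' })
    foreach ($m in $members) {
        Set-ADUser -Identity $m.SamAccountName -ProfilePath $ProfilePath
    }
    return $members.Count    # number of user objects updated
}

$groupProfile = '\\FS01\Profiles\SalesProfile'     # placeholder UNC
ConvertTo-MandatoryProfile -ProfilePath $groupProfile | Out-Null
Set-GroupRoamingProfile -GroupName 'Sales Users' -ProfilePath $groupProfile
```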