Windows Server 2003 : Managing User Profiles

10/10/2010 4:13:33 PM

User Profiles

A user profile is a collection of folders and data files that contain the elements of your desktop environment that make it uniquely yours. Settings include:

  • Shortcuts in your Start menu, on your desktop, and in your Quick Launch bar

  • Documents on your desktop and, unless redirection is configured, in your My Documents folder


    The properties of the My Documents folder, and the Folder Redirection policies in group policy, enable you to redirect My Documents so that it targets a network folder. This best practice allows the contents of a user’s My Documents folder to be stored on a server, where they can be backed up, scanned for viruses, and made available to users throughout the organization, should they utilize a system other than their normal desktop. My Documents can also be made available offline, so that users have access to their files even when users are not connected to the network.

  • Internet Explorer favorites and cookies

  • Certificates (if implemented)

  • Application specific files, such as the Microsoft Office custom user dictionary, user templates, and autocomplete list

  • My Network Places

  • Desktop display settings, such as appearance, wallpaper, and screensaver

These important elements are specific to each user. It is desirable that they are consistent between logons, available should the user need to log on to another system, and resilient in the event that the user’s system fails and must be reinstalled.

Local User Profiles

By default, user profiles are stored locally on the system in the %Systemdrive%\Documents and Settings\%Username% folder. They operate in the following manner:

  • When a user logs on to a system for the first time, the system creates a profile for the user by copying the Default User profile. The new profile folder is named based on the logon name specified in the user’s initial logon.

  • All changes made to the user’s desktop and software environment are stored in the local user profile. Each user has an individual profile, so settings are user-specific.

  • The user environment is extended by the All Users profile, which can include shortcuts on the desktop or Start menu, network places, and even application data. Elements of the All Users profile are combined with the user’s profile to create the user environment. By default, only members of the Administrators group can modify the All Users profile.

  • The profile is truly local. If a user logs on to another system, the documents and settings that are part of their profile do not follow the user. Instead, the new system behaves as outlined here, generating a new local profile for the user if it is the user’s first time logging on to that system.

Roaming User Profiles

If users work at more than one computer, you can configure roaming user profiles (RUPs) to ensure that their documents and settings are consistent no matter where they log on. RUPs store the profile on a server, which also means that the profiles can be backed up, scanned for viruses, and controlled centrally. Even in environments where users do not roam, RUPs provide resiliency for the important information stored in the profile. If a user’s system fails and must be reinstalled, an RUP will ensure that the user’s environment is identical on the new system to the one on the previous system.

To configure an RUP, create a shared folder on a server. Ideally, the server should be a file server that is frequently backed up.


Be sure to configure share permissions allowing Everyone Full Control. The Windows Server 2003 default share permissions allow Read, which is not sufficient for a roaming profile share.

On the Profile tab of the user’s Properties dialog box, type the Profile Path in the format: \\<server>\<share>\%Username%. The %Username% variable will automatically be replaced with the user’s logon name.

It’s that simple. The next time the user logs on, the system will identify the roaming profile location.


Roaming user profiles are nothing more than a shared folder and a path to the user’s profile folder, within that share, entered into the user object’s profile path property. Roaming profiles are not, in any way, a property of a computer object.

When the user logs off, the system will upload the profile to the profile server. The user can now log on to that system or any other system in the domain, and the documents and settings that are part of the RUP will be applied.


Windows Server 2003 introduces a new policy: Only Allow Local User Profiles. This policy, linked to an OU containing computer accounts, will prevent roaming profiles from being used on those computers. Instead, users will maintain local profiles.

When a user with an RUP logs on to a new system for the first time, the system does not copy its Default User profile. Instead, it downloads the RUP from the network location. When a user logs off, or when a user logs on to a system on which they’ve worked before, the system copies only files that have changed.

Roaming Profile Synchronization

Unlike previous versions of Microsoft Windows, Windows 2000, Windows XP, and Windows Server 2003 do not upload and download the entire user profile at logoff and logon. Instead, the user profile is synchronized. Only files that have changed are transferred between the local system and the network RUP folder. This means that logon and logoff with RUPs are significantly faster than with earlier Windows versions. Organizations that have not implemented RUPs for fear of their impact on logon and network traffic should reevaluate their configuration in this light.

Creating a Preconfigured User Profile

You can create a customized user profile to provide a planned, preconfigured desktop and software environment. This is helpful to achieve the following:

  • Provide a productive work environment with easy access to needed network resources and applications

  • Remove access to unnecessary resources and applications

  • Simplify help desk troubleshooting by enforcing a more straightforward and consistent desktop

No special tools are required to create a preconfigured user profile. Simply log on to a system and modify the desktop and software settings appropriately. It’s a good idea to do this as an account other than your actual user account so that you don’t modify your own profile unnecessarily.

Once you’ve created the profile, log on to the system with administrative credentials. Open System from Control Panel, click the Advanced tab, and then click Settings in the User Profiles frame. Select the profile you created, and then click Copy To. Type the Universal Naming Convention (UNC) path to the profile in the format: \\<server>\<share>\<username>. In the Permitted To Use section, click Change to select the user for whom you’ve configured the profile. This sets the ACL on the profile folder to allow access to that user. Figure 1 shows an example. Click OK and the profile is copied to the network location.

Figure 1. Copying a preconfigured user profile to the network


You must be a member of the Administrators group to copy a profile.

Finally, open the properties of the user object and, on the Profile tab, enter the same UNC path in the Profile Path field. Voilà! The next time that user logs on to a domain computer, that profile will be downloaded and will determine his or her user environment.


With preconfigured roaming profiles, or any roaming profiles, pay attention to potential issues caused by differing hardware on the systems to which a user logs on. For example, if desktop shortcuts are arranged assuming XGA (1024x768) resolution, and the user logs on to a system with a display adapter capable of only SVGA (800x600) resolution, some shortcuts may not be visible.

Profiles are also not fully cross-platform. A profile designed for Windows 98 will not function properly on a Windows Server 2003 system. You will even encounter inconsistencies when roaming between Windows Server 2003 systems and Windows XP or Windows 2000 Professional.

Creating a Preconfigured Group Profile

Roaming profiles enable you to create a standard desktop environment for multiple users with similar job responsibilities. The process is similar to creating a preconfigured user profile except that the resulting profile is made available to multiple users.

Create a profile using the steps outlined above. When copying the profile to the server, use a path such as: \\<server>\<share>\<group profile name>. You must grant access to all users who will utilize the profile, so, in the Permitted To Use frame, click Change and select a group that includes all the users, or the BUILTIN\USERS group, which includes all domain users. The only users to whom the profile will actually apply are those for which you configure the user object’s profile path.

After copying the profile to the network, you must configure the profile path for the users to whom the profile will apply. Windows Server 2003 simplifies this task, in that you can multiselect users and change the profile path for all users simultaneously. Type the same UNC that you used to copy the profile to the network, for example, \\<server>\<share>\<group profile name>.


The profile path is configured as a property of one or more user objects. It is not assigned to a group object. Although the concept is that of a group profile, do not fall into the trap of associating the profile with a group object itself.

Finally, because more than one user will be accessing a group profile, you must make a group profile mandatory, as described in the following section.
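
Because the share itself grants Everyone Full Control, the NTFS ACL set through Permitted To Use is what actually limits who can change a profile folder over the network. The following PowerShell audit is an added example, not part of the original article; the function name Get-ProfileAclFinding, the SalesProfile folder, and the scratch path are assumptions made for the demonstration.

```powershell
# Added example: flag profile folders whose NTFS ACL lets broad groups write.
# Well-known SIDs are used so the check does not depend on localized group names.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Rights that let a principal alter, delete, or re-permission profile content.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-ProfileAclFinding {
    param([string]$Root)   # local path or UNC of the profile share root
    $sidType = [System.Security.Principal.SecurityIdentifier]
    Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_
        $acl = Get-Acl -Path $folder.FullName
        # Ask for SIDs directly so unresolvable accounts do not break the audit.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $rule.IdentityReference.Value
            $canWrite = (([int]$rule.FileSystemRights) -band $WriteMask) -ne 0
            if ($rule.AccessControlType -eq 'Allow' -and
                $BroadSids.ContainsKey($sid) -and $canWrite) {
                New-Object PSObject -Property @{
                    Folder    = $folder.Name
                    Principal = $BroadSids[$sid]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Constructed demo on a scratch directory (not a real profile share):
# a group profile folder that was mistakenly granted Everyone: Modify.
$demo   = Join-Path $env:TEMP 'rup-acl-demo'
$target = Join-Path $demo 'SalesProfile'
New-Item -ItemType Directory -Path $target -Force | Out-Null
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $target
$acl.AddAccessRule($rule)
Set-Acl -Path $target -AclObject $acl

Get-ProfileAclFinding -Root $demo |
    Format-Table Folder, Principal, Rights, Inherited -AutoSize
```

To audit a real deployment, pass the share root, for example Get-ProfileAclFinding -Root \\<server>\<share>. A group profile folder is reported only when a broad group holds more than read access to it.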

Configuring a Mandatory Profile

A mandatory profile does not allow users to modify the profile’s environment. More specifically, a mandatory profile does not maintain changes between sessions. Therefore, although a user can make changes, the next time the user logs on, the desktop will look the same as the last time he or she logged on. Changes do not persist.

Mandatory profiles can be helpful in situations in which you want to lock down the desktop. They are, in a practical sense, critical when you implement group profiles because you obviously don’t want the changes one user makes to affect the environments of other users.

To configure a profile as mandatory, simply rename a file in the root folder of the profile. Interestingly, mandatory profiles are not configured through the application of permissions. The file you need to rename is Ntuser.dat. It is a hidden file, so you must ensure that you have specified to “Show hidden files and folders” in the Folder Options program in Control Panel, or use attrib from the command-line to remove the Hidden attribute. You may also need to configure Windows Explorer to display file extensions.

Locate the Ntuser.dat file in the profile you wish to make mandatory. Rename the file to The profile, whether roaming or local, is now mandatory.
