Managing User Profiles

User profiles contain global user settings and configuration information and are stored for each user account created on a server or in a domain. A user profile allows a user to maintain his or her desktop environment so it is the same whenever they log on. The profile is created the first time a user logs on. Different profiles are created for local user accounts and domain user accounts.

Profile Essentials

The following three types of user profiles can be used:

  • Local: Local user profiles are the means for saving user settings and restoring them when the user logs on to the local machine.

  • Roaming: Roaming profiles allow user settings to move with a user from computer to computer by storing the information on domain controllers and then downloading it when the user logs on to the domain. For an administrator, roaming profiles allow you to roam from server to server and not have to reconfigure the desktop each time you log on. For instance, in your roaming profile, Microsoft Windows Explorer can be configured through the Default Domain Policy to show file details regardless of where you log on or whether it was the first time you logged on to a particular computer.

  • Mandatory: Mandatory profiles are roaming profiles, originated by you and kept on a server, that are applied to users or groups, and that can only be changed by system administrators. For instance, a company may want all its sales clerks to have the same desktop settings at every workstation. This requires the creation of a preconfigured profile.

When a user has a local profile, all the user data is stored locally on that user's machine. When a user has a roaming profile, all the user data is stored in the profile itself and can be located on a network share. Inside a profile are the following folders:

  • Application Data: Includes program-specific settings as well as user security settings

  • Cookies: Includes cookies that have been downloaded while using a World Wide Web browser

  • Desktop: Includes the complete settings for the user's desktop, including any files, folders, and shortcuts that have been placed on the desktop

  • Favorites: Includes shortcuts to favorite locations on the local computer, network, or the Internet that the user has set

  • Local Settings: Includes application data as well as history and temporary files for the user's browser

  • My Recent Documents: Includes shortcuts to the documents the user has recently opened

  • NetHood: Includes shortcuts to My Network Places

  • PrintHood: Includes shortcuts to the Printers folder

  • SendTo: Includes items on the SendTo menu

  • Start Menu: Includes menu items on the user's Start Menu

  • Templates: Includes application templates

You can examine the contents of these folders using Windows Explorer. However, many of the folders are hidden from view by default. To configure Windows Explorer so that you can view the additional folders, choose Folder Options from the Tools menu, and then click the View tab. Under Advanced Settings, select Show Hidden Files And Folders.

Profile Changes and New Features

There are new features in Windows Server 2003 for handling user profiles, and changes to existing user profile features. These include the following:

  • Windows Server 2003 will now save roaming profiles to a server when a user logs off, even if an application has the Registry open.

  • The user profile error messages now have more detail, and unique IDs are associated with the error events that are logged in the Windows event logs.

  • The System Properties dialog box (available via the System tool in Control Panel) has changed—the user profile store is now found on the Advanced tab of the System dialog box.

  • When a user logs on to a domain or that user's profile is in use on the network, the Delete and Copy To buttons in the Advanced tab of the System Properties dialog box are not available.

Tip

You may need to delete a user profile that is in use. To delete a user profile while someone is using it, take ownership of it using Windows Explorer. Right-click the profile file, and then select Properties. Click the Advanced button on the Security tab. Then select the Owner tab in the Advanced Security dialog box to set ownership to your account. You can then delete the profile in Windows Explorer.

Group Policy Changes for User Profiles

There are changes in applying group policy settings to user profiles in Windows Server 2003. Policies for user profiles have their own node in Group Policy. They are located in Computer Configuration\Administrative Templates\System\User Profiles.

These policies affect caching, slow network connections, timeouts, ownership, retries to load profiles, and wait times. The following group policy changes are included:

  • To add the Administrators security group to roaming user profiles, use the Add The Administrators Security Group To Roaming User Profiles policy. This allows an administrator full control over the folder containing the user's profile. Only computers running Microsoft Windows XP Professional or later are affected by this policy.

  • To deny access to a user's roaming profile on a per-computer basis, use the Only Allow Local User Profiles policy. This prevents a user from getting his or her roaming profile on a particular computer or in the domain. Only computers running Windows XP Professional or later are affected by this policy.

  • You can also prevent changes to a user's roaming profile on a local machine from being sent back to the server when the user logs off. To do this, enable the Prevent Roaming Profile Changes From Propagating To The Server policy. Users will receive their roaming profile when they log on, but if they change anything on their desktop, those changes will not be retained when they log off. Only computers running Windows XP Professional or later are affected by this policy.

Note

The Group Policy snap-in now has an Extended tab in the right window. When you select any of the user group policies with the Extended tab chosen, the description explains what the policy will do in each configuration and indicates which operating system supports the policy.

By default, local user profiles are stored in the %SystemDrive%\Documents and Settings folder. However, if you are upgrading from Windows NT 4 to Windows Server 2003, the original profile path is not changed. It will remain as %SystemRoot%\Profiles.

Implementing and Creating Preconfigured Profiles

Preconfigured user profiles are used to define default user configuration and environment settings. They make it easier for new users to get started in a new environment and can be used for local, roaming, or mandatory profiles. For instance, you could have one preconfigured user profile for each department in the organization. Any of these preconfigured profiles could be saved and then used as a local, roaming, or mandatory profile for new users.

Before creating a preconfigured user profile, you should be aware of these guidelines:

  • Use NTFS file system volumes for user profiles that are on shares. This allows you to configure profiles with different file and share permissions. By doing this you can have multiple roaming user profiles for users or groups. It also allows for higher security than a file allocation table (FAT) or FAT32 volume does.

  • Do not use Encrypted File System for shared profiles. Encryption is configured on a per-user basis and the user logging on won't have access to the profile.

  • It is a good idea to use a test computer that has video and hardware components similar to the production computers.

For mandatory user profiles, the shares where the mandatory user profiles are stored should have permissions set to read-only. A mandatory profile must also be created before a user logs on to a computer for the first time. This is required because the contents of the Default User folder are copied to the new user's profile folder with the Common Program Group settings from the All Users folder. The user account itself contains username, passwords, and the groups of which the user is a member.

To create a preconfigured user profile, follow these steps:

  1. Log on to the test computer. (If you are creating multiple profiles, it is a good idea to create a separate account for each preconfigured profile to ensure that the configurations are correct.)

  2. Install or configure all programs that meet the requirements of the department or group of users for which you are creating the profile. Arrange the Desktop and the Start menu as desired. Configuring the applications and the user desktop will create a model desktop profile template.

  3. Log off, and then log on again as a member of the Administrators group.

  4. Right-click My Computer, and then select Properties to display the System Properties dialog box (or simply select or double-click System in Control Panel). Select the Advanced tab, and then, under User Profiles, click Settings. The User Profiles dialog box appears, as shown in Figure 37-9.

    Figure 37-9. The User Profiles dialog box

  5. Select the user profile you just created, and then click Copy To. In the Copy To dialog box, shown in Figure 37-10, type the path where you want to save a copy of the selected profile. Save a local profile to the %SystemDrive%\Documents and Settings\Default User folder. If you want a default profile for the domain, copy the preconfigured profile to a location on a network share. Then, when you set up a user's account, you can copy the saved profile to the path for the user's profile. For example, if the path for the user's profile is \\CorpSvr17\Profiles\JennyP, you would enter this as the Copy Profile To path.

    Figure 37-10. Set the profile path

    Note

    In Windows Explorer, you must enable the Show Hidden Files And Folders option to access profile folders. To do this, select Folder Options from the Tools menu. This displays the Folder Options dialog box. On the View tab, select Show Hidden Files And Folders, and then click OK.

  6. Set the profile permissions so that the profile can be used by other users. To do this, click Change under Permitted To Use, and then, in the Select User Or Group dialog box, type Everyone or the name of the specific user or group which should have access to the profile, and then click OK.

  7. Click OK twice to close the open dialog boxes.

Configuring Local User Profiles

Local user profiles are created the first time a user logs on to a computer, unless there is a roaming or mandatory profile previously configured. This means that the contents of the Default User folder are copied to the new user's profile folder together with the Common Program Group settings from the All Users folder. Combined, this creates the user's desktop. Each new user has a unique path for the local user profile that includes the user's logon name as a subdirectory of the path.

  • In a new Windows Server 2003 environment, or for an upgrade from Windows 2000, the path would be %SystemDrive%\Documents and Settings\%UserName%.

  • For an upgrade from Windows NT 4, the path would be %SystemRoot%\Profiles\%UserName%.

Note

In the user's main subdirectory for his or her profile, there is a file with a default name of Ntuser.ini. By default, this file contains the items that will be excluded from the copy process. For example, Microsoft Internet Explorer temporary files and history files, and individual application data are not copied as part of the user profile.

Configuring local user profiles is similar to configuring domain profiles. On the local machine, start Computer Management and access the Local Users And Groups node. Double-click a user's local account, and then select the Profiles tab. Type the local path for the profile. Domain controllers do not have local accounts, so you cannot access Local Users And Groups on a domain controller.

Configuring Roaming User Profiles

Roaming user profiles are settings that follow a user from computer to computer. They are especially valuable for administrators or troubleshooters who may need to log on to many different workstations or servers and need to maintain desktop and common settings for security and convenience reasons. To manage roaming profiles, you must be a member of the Account Operators, Domain Admins, or Enterprise Admins group in Active Directory, or have been delegated the right to configure roaming user profiles. Use either Active Directory Users And Computers or Server Manager to configure roaming profiles.

If you are using Active Directory Users And Computers to configure roaming profiles, double-click the user's account to display the related Properties dialog box. Select the Profile tab. Type the unique path of the roaming user profile chosen for that user in the Profile Path field. The path can be a local path on the user's computer such as C:\Profiles\%UserName% or a path to a network share on a remote server.

If you choose to put the user profiles on a remote server, the path should be in the Uniform Naming Convention (UNC) form such as \\ServerName\ShareName\%UserName% where ServerName is the name of the server, ShareName is the name of the share created for storing roaming profiles, and %UserName% is an environment variable that allows the profile path to be unique for each user. For example, if you set the profile path to \\CorpSvr15\Profiles\%UserName%, as shown in Figure 37-11, and were configuring the account for JennyP, the profile path would be set as \\CorpSvr15\Profiles\JennyP. The subfolder, JennyP, is created automatically, and the roaming profile is then stored in the folder as Ntuser.dat.

Figure 37-11. Set the profile path in the user's Properties dialog box

Caution

When logged on to multiple computers using roaming profiles, changes to the profile settings and configuration may be lost if the order of logging off is incorrect. Imagine you are using a roaming profile and are logged on to two computers. You then change or install an application or program on the first computer. If you then log off that computer, any changes you made will be lost if you go to a second computer and log off without making the same changes, because your roaming profile on the second computer will be the one that is saved to the server and will not contain the changes made on the first computer. When using roaming profiles, the profile stored on the server is the one from the computer you logged off last.

Implementing Mandatory User Profiles

Mandatory user profiles are a type of roaming user profile. They can be used to maintain a higher security level and consistent environment for users. Although users can log on to different computers and get the same desktop settings, changes made to the desktop on the local computer will not be saved to the server where the mandatory user profiles are stored. Mandatory user profiles have the .man extension, for example, Ntuser.man.

To configure a mandatory user profile for a user, you set the user's profile path as previously discussed for roaming profiles. Then copy the profile that you want the user to have to the profile folder and change the name from Ntuser.dat to Ntuser.man. That's it—you rename the Ntuser.dat file to Ntuser.man using Windows Explorer, and it becomes a mandatory user profile.

Note

Because profiles are hidden system files, they aren't automatically displayed in Windows Explorer. Choose Folder Options from the Tools menu, and then click the View tab. Under Advanced Settings, select Show Hidden Files And Folders. Note also that a mandatory profile must be available for a user to log on. If for some reason the user profile becomes unavailable, the user will not be able to log on. Because of this, you should check the security on the profile to ensure that the user can access it.
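
The guidance above (keep mandatory profile storage read-only, and check the security on the profile) can be audited with a script. The following PowerShell function is an added example, not code from the book; it inspects the NTFS permissions on each profile folder (share-level permissions are separate), and it assumes that every subfolder of the profile share is one user's folder named after the logon name and that the default list of allowed writers matches your policy.

```powershell
# Added example (not from the book). Assumes each subfolder of $ProfileRoot is one
# user's profile folder named after the logon name, as with \\Server\Share\%UserName%.
function Test-ProfileShare {
    param(
        [Parameter(Mandatory = $true)] [string] $ProfileRoot,
        # Principals allowed to write everywhere (assumed policy; adjust to your own).
        [string[]] $AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    # Rights that let a principal alter or replace profile content. Read-only ACEs
    # share no bits with this mask. 0x50000000 adds GENERIC_WRITE and GENERIC_ALL,
    # which Get-Acl can report as raw numbers on inherit-only entries.
    $writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = [int]$writeRights -bor 0x50000000

    foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force) {
        # Ntuser.man marks a mandatory profile, Ntuser.dat an ordinary roaming one.
        # Ntuser.man is tested last so it takes priority in this report.
        $type = 'NoHive'
        if (Test-Path -LiteralPath (Join-Path $dir.FullName 'Ntuser.dat')) { $type = 'Roaming' }
        if (Test-Path -LiteralPath (Join-Path $dir.FullName 'Ntuser.man')) { $type = 'Mandatory' }

        $acl = Get-Acl -LiteralPath $dir.FullName
        # A roaming profile must stay writable by its own user, so that account is
        # skipped for Roaming folders; for Mandatory folders it is reported.
        $writers = @($acl.Access | Where-Object {
            $id = $_.IdentityReference.Value
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $mask) -ne 0 -and
            $AllowedWriters -notcontains $id -and
            -not ($type -eq 'Roaming' -and ($id -split '\\')[-1] -eq $dir.Name)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

        [pscustomobject]@{
            Folder = $dir.Name; Type = $type; Owner = $acl.Owner
            UnexpectedWriters = $writers -join '; '
            # Flag folders with no hive file or with write access beyond the policy.
            Review = ($type -eq 'NoHive' -or $writers.Count -gt 0)
        }
    }
}
# Usage (share name taken from the example path in the text):
# Test-ProfileShare -ProfileRoot '\\CorpSvr15\Profiles' | Where-Object Review | Format-Table -AutoSize
```

Run it from an account that can read the ACLs on the share; folders marked Review either lack a profile hive or grant write access to a principal outside the allowed list.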

Switching Between a Local and a Roaming User Profile

Sometimes you may want to switch from a roaming to a local user profile or vice versa. This could be a matter of personal preference, or because you are troubleshooting, or because you have a slow network connection and the roaming profile takes too long to download to the local computer.

To switch between local and roaming profiles, complete these steps:

  1. Right-click My Computer, and then select Properties to display the System Properties dialog box (or simply select or double-click System in Control Panel).

  2. Select the Advanced tab, then, under User Profiles, click Settings. The User Profiles dialog box appears.

  3. After selecting the profile that is to be changed, click Change Type, and then select Roaming Profile or Local Profile as appropriate.

  4. Click OK twice.

Note

You can change the profile type only if the profile was originally a roaming profile. If the change options aren't available, the user's profile was originally created as a local profile.
