Managing Local, Roaming, and Mandatory User Profiles

Objective:

Manage local, roaming, and mandatory user profiles

The settings for a user's work environment are stored in a set of files and folders known as the user profile. The profile is automatically created the first time a user logs on to a computer running any version of Windows, and any changes to the environment (Favorites, Start menu items, icons, colors, My Documents, local settings) are saved when the user logs off. The profile is reloaded when the user logs on again. Table 2.2 lists the components of a user profile (from Windows Server 2003 Help and Support).

The user profiles facility allows several people to use the same computer running Windows, yet each can see his or her own private desktop, and the settings will be remembered each time the user logs on.

User profiles are stored under C:\Documents and Settings. By default, all servers will have two profiles: All Users and Default Users. The contents of the Default Users profile are used to create a user profile for a new user who logs on to the server. The All Users folder contains files and folders and icons that are common to all users.

Initially, the profile exists only on the computer where it was created: For this reason, it is called a local user profile. However, the profile can also be stored on a server, allowing the user to see the same desktop no matter what machine he or she is logged on to. This server-based profile is known as a roaming user profile. For some groups of users, we can also create mandatory user profiles, which cannot be changed by the users.

Creating and Modifying Local User Profiles

The first time a user logs on to a computer running Windows Server 2003, the folder structure shown in Figure 2.23 is created. This structure used the data and shortcuts contained in the DefaultUser profile as a template. In Figure 2.23 you see the Administrator profile.

Figure 2.23. The folder structure of a user profile.

The folders of interest in the structure are Application Data, where software vendors store data for particular users, Cookies, where data about website preferences are stored, Desktop, which contains the desktop items, including any files stored there, My Documents, which is the default location for the storage of user data, and Start Menu, from which programs can be accessed that were installed for this user, but not all users of this computer.

Note: For More Information

For a full description of the folders, search Help and Support for "Contents of a User Profile." As you can imagine, the contents of the user profile structure can become quite large, especially because My Documents is one of the folders.

Within the root folder of the profile, you will see a file called NTuser.dat. This file contains the contents of the current user-specific section of the Registry (HKEY_CURRENT_USER). This file is updated each time the user logs off.

Another profile structure that is used to create the user work environment is the All Users folder. Profile items that all users will see, such as program links that are on all users' All Programs menu, are stored in the All Users folder.

The contents and settings of the user profile are modified by working with the environmentusing Control Panel applets, such as Display, installing programs, and creating shortcuts on the desktop.

Creating and Modifying Roaming User Profiles

Because many users move from computer to computer and would like to see the same work environment each time, the Roaming User Profiles facility has been created. This facility allows the profile to be stored on a network server. When the user logs on, the profile is downloaded from the server, and the expected work environment is seen. When the user logs off, the profile is uploaded to the server, so any changes made are available for the next logon at that or any other computer.

Exam Alert: Expect a Roaming Profile Question

Expect at least one exam question that deals with the topic of roaming profiles. Remember that although Windows 9x/Me and Windows NT support roaming profiles, they aren't compatible, and they cannot be maintained via Group Policy the way that Windows 2000/XP/2003 can.

To assign a roaming profile to a user using Active Directory Users and Computers, go to the Profile tab on the user accounts Properties dialog box and enter a valid path in the Profile field, as shown in Figure 2.24.

Exam Alert: Know Your UNC Paths!

Be very familiar with the use of Universal Naming Convention (UNC) paths for the exam. For example, in the path \\mars\profiles\%username%, MARS is the NetBIOS name of the server that the PROFILES shared folder resides on. The replaceable parameter %username% refers to the name of the folder that will be created.

The next time the user logs on, the profile type will be changed to "Roaming," and after logoff the server-based profile will be updated.

Note that Active Directory Users and Computers will allow you to change some properties of multiple user accounts at once. That is, you can select multiple users and then choose Action, Properties, and set the values for those properties. See Figure 2.25 for the Profile tab of the Properties on Multiple Objects dialog box.

You can also use dsmod to set the home folders and profile paths for multiple users. The following command entered as a batch file, for convenience, sets the profile path and the home folder path simultaneously:

[View full width]
dsmod user "CN=Tom Thomson,OU=Users,OU=Phoenix,DC=70-290,DC=int" "CN=Arthur Lismer ,OU=Users,OU=Phoenix,DC=70-290,DC=int" "CN=Arthur Adams,OU=Users,OU=Phoenix,OU=LTI ,DC=70-290,DC=int" -profile "\\mars\users\$username$\profile" -hmdrv x: -hmdir \\mars\users \$username$

Note: Encrypted Files Are Not Allowed

You cannot include encrypted files in roaming user profiles.

Creating and Enforcing Mandatory User Profiles

You might want to ensure that the profiles for a specific group of users are the same for all the users and unchangeable. A preconfigured profile that is not allowed to be changed by the user is called a mandatory user profile. In addition, you probably want to set up a mandatory user profile for a group of user accounts, all of whom do the same limited set of tasks, such as an inside sales group.

To set up a mandatory user profile, first create a temporary user account and assign a profile path (such as \\mars\profiles\Adams) in Active Directory Users and Computers. Ensure that the user has permissions to update files in the profile path. After the profile path is defined, the user has a roaming profile. Log on as that user, make the changes to the work environment (appearance of the desktop, icons available, programs installed, and so on) that are appropriate for the group of users, and then log off.

Log on again as an administrator, navigate to the user's profile folder, and rename the NTuser.dat file to NTuser.man.

To test that the mandatory profile is working, log on as the temporary user, change some settings, and log off. Log on again as the same user, and you should see that the changes you made in the previous session were discarded.

Note: Use Group Policy

This method of controlling the user's profile works the same as it has since the early days of Windows NT. However, it is now considered preferable to use Group Policies to control most user environment settings. See "How to Create a Mandatory User Profile" under User Profiles in the Client Computers section of the Help and Support Center.

The template user account now has a mandatory user profile assigned. You can assign the same mandatory user profile to any number of user accounts by adding the profile path to the Profile tab of ADUC. In addition, all users or groups who will be assigned the mandatory profile must be granted Write permissions for the folder.