Maximizing Security, Functionality, and Lowering Total Cost of Ownership (TCO) with User Profiles

Maximizing Security, Functionality, and Lowering Total Cost of Ownership (TCO) with User Profiles

Another facet of managing user rights and permissions involves user profiles. A user's profile is a collection of settings that configure the user's operating desktop experience. The user profile includes Internet Explorer settings, mapped drives , network printers, desktop settings, and even application-specific configurations. Managing a user's profile is similar to managing a user's privileges in that you can define in part what a user can and cannot do when logged in with a particular user account.

There are several types of user profiles available in Windows Server 2003 for you to manage. An understanding of the various types of profiles will enable you to better refine and manage user rights and permissions.

Local and Roaming Profiles

Local profiles exist on a particular workstation or server's hard disk. A single user could have several local profiles, each with different configuration settings, on various machines to which the user has logged in. Local profiles are managed individually at the workstation or server on which they exist.

Roaming profiles, on the other hand, are stored on a server file share. These profiles are downloaded from the server to the local workstation or server when the user logs into the domain. When the user logs off, the profile is then pushed back up to the server.

Roaming user profiles have the advantage of providing a standard set of profile settings to users regardless of the machine at which she logs into. The disadvantage is that the time it takes to log on or log off will depend on the size of the roaming user profile in use. A best practice for implementing roaming user profiles is to also implement folder redirection. Folder redirection is detailed in Chapter 6 in the section "Increasing Fault Tolerance with Intellimirror."

All Users and Default Profiles

Each Windows 2000, Windows XP, and Windows Server 2003 system includes Default and All Users Profiles. These profiles are helpful in setting up a user experience that will affect any user that logs into the system.

The All Users profile folder contains settings that will apply to all users logging into that system. You can use this folder to add desktop shortcuts or start menu items to the users' specific desktop settings in their local or roaming profile settings. The All Users profile are machine specific and will not modify a user's local or roaming profile settings.

The Default User profile is used whenever a user logs into a system for the first time. To manage how local profiles are configured on a system, configure the default user profile. You can configure the default user profile by configuring a local user profile, and then copying that configured profile to the default profile folder.

To create a default profile, follow these steps:

1. Log on to a workstation with a standard local or domain user account, with the same level of access a standard user will have. For this example, use an account called test1.

2. Configure the profile the way you want it. Create desktop settings, Internet settings, or whatever is necessary for a standard user.

3. Log off the workstation. The profile is then saved to the c:\documents and settings\test1 directory.

4. Log in with an Administrator account.

5. Double-click the System applet in Control Panel.

6. Select the Advanced tab, and then click the Settings button in the User Profile section.

7. Select the correct profile and click the Copy To button.

8. In the Copy To window, enter the path to the default user directory, C:\documents and settings\default user, and then click OK to complete the task.

Mandatory Profiles

A mandatory profile is the same as a roaming profile except that changes made to the profile settings are not saved to the server upon logoff. These profiles are commonly used in classrooms or publicly shared workstations to strictly manage the profile settings. To change a profile to a mandatory profile, configure the profile to the preferred specification, and then log off the account. Next, with an Administrator account, locate the profile folder and rename the corresponding Ntuser.dat file to Ntuser.man.

Temporary Profiles

Temporary profiles occur when the server authenticating the login for a user with a roaming profile cannot locate the profile folder on the server. When this happens, the machine attempts to load a cached copy of the user's profile from the local machine. If the user has never logged into the system before and no cached copy of the profile can be located, a temporary profile is created using the Default profile on the system. This temporary profile will become the user's roaming user profile when the user logs off and the profile is copied up to the server.