Managing User Profiles

Windows XP Professional requires that every user has his or her own profile in order to be able to log in and use the computer. Profiles store settings that determine the user's working environment. This includes settings that affect Start menu and taskbar configuration. Administrators can affect the user's profile in a number of ways, including:

• Establishing roaming profiles

• Creating a mandatory profile

• Restricting user profiles using Group Policy

Setting Up a Roaming Profile

A roaming profile follows the user regardless of which Windows XP Professional computer he or she logs on to. This provides users with a consistent configuration wherever they go. A roaming user profile is established when the administrator stores the user's profile in a shared folder on a network computer to which the user has read and write access. When the user logs in to Windows XP Professional, the user's profile is copied from the shared folder and loaded on the local computer. Any changes that the user makes are later stored in the user's profile back on the shared network folder when the user logs off.

User accounts can be created and managed using the Local Users and Groups extension on the Computer Management console. Figure 6.20 shows the profile property sheet on the Properties dialog for a typical user account. In this example, the location for the roaming profile is specified as \\FileSvr\Profile\Molly. User profiles are named ntuser.dat and are stored as hidden files.

Figure 6.20: Configuring a roaming user profile

Setting Up a Mandatory User Profile

A mandatory user profile is one that is configured by the administrator and is assigned to the user, which the user is not able to modify. A mandatory user profile provides administrators with a tool for enforcing a standardized user desktop and Start menu.

To create a mandatory profile, the administrator logs on as a regular user, customizes the Windows XP desktop and Start menu as required, and then saves the settings by logging off. The administrator then logs back on as an administrator and renames the profile that was just created from ntuser.dat to ntuser.man. The ntuser.man file can then be copied to each user's profile folder and assigned security permissions that allow users to read but not to change the file. This allows Windows XP to access and download the user's profile during login while preventing any changes that may have been made by the user from being saved at logoff.

Mandatory user profiles can be stored either on the local computer or in a shared folder on a network computer.

Controlling User Profiles Using Group Policy

Using Local Group Policy or Group Policy applied by Active Directory on Windows networks, administrators can configure policies that restrict the user's working environment, including the Start menu and taskbar. Group Policy settings always override profile settings. For example, the Prevent Changes to Taskbar and Start Menu Settings policy prevents any users from making any changes to the Windows XP Start menu and taskbar. Examples of other policies include policies that prevent the My Documents, My Pictures, and My Music folders from appearing on the Start menu. In addition, there are policies that control taskbar toolbars and the notification area.