Managing User Profiles

Managing User Profiles

User profiles contain settings for the network environment, such as desktop configuration and menu options. Problems with a profile can sometimes prevent a user from logging on. For example, if the display size in the profile isn't available on the system being used, the user might not be able to log on properly. In fact, the user might get nothing but a blank screen. You could reboot the machine, go into Video Graphics Adapter (VGA) mode, and then reset the display manually, but solutions for profile problems aren't always this easy and you might need to update the profile itself.

Windows Server 2003 provides several ways to manage user profiles:

• You can assign profile paths in Active Directory Users And Computers.

• You can copy, delete, and change the type of an existing local profile with the System utility in the Control Panel.

• You can set system policies that prevent users from manipulating certain aspects of their environment.

Local, Roaming, and Mandatory Profiles

In Windows Server 2003 every user has a profile. Profiles control startup features for the user's session, the types of programs and applications that are available, the desktop settings, and a lot more. Each computer that a user logs on to has a copy of the user's profile. Because this profile is stored on the computer's hard disk, users who access several computers will have a profile on each of them. Another computer on the network can't access a locally stored profile, called a local profile , and, as you might expect, this has some drawbacks. For example, if a user logs on to three different workstations, the user could have three very different profiles, one on each system. As a result, the user might get confused about what network resources are available on a given system.

To solve the problem of multiple profiles and reduce confusion, you might want to create a profile that other computers can access. This type of profile is called a roaming profile . With a roaming profile, users can access the same profile no matter which computer they're using within the domain. Roaming profiles are server-based and can only be stored on a server running Windows Server 2003. When a user with a roaming profile logs on, the profile is downloaded, which creates a local copy on the user's computer. When the user logs off, changes to the profile are updated both on the local copy and on the server.

As an administrator, you can control user profiles or let users control their own profiles. One reason to control profiles yourself is to make sure that all users have a common network configuration, which can reduce the number of environment- related problems.

Profiles controlled by administrators are called mandatory profiles . Users who have a mandatory profile can make only transitory changes to their environment. Here, any changes that users make to the local environment aren't saved, and the next time they log on they're back to the original profile. The idea is that if users can't permanently modify the network environment, they can't make changes that cause problems. A key drawback to mandatory profiles is that the user can log on only if the profile is accessible. If, for some reason, the server that stores the profile is inaccessible and a cached profile isn't accessible, the user won't be able to log on. If the server is inaccessible but a cached profile is accessible, the user receives a warning message and is logged on to the local system using the system's cached profile.

Creating Local Profiles

In Windows 2000 or later, user profiles are maintained either in a default directory or in the location set by the Profile Path field in the user's Properties dialog box. The default location for profiles depends on the workstation configuration in the following way:

• Windows Upgrade Installation

  The user profile is located at %SystemRoot%\ Profiles\%UserName%\Ntuser.dat, where %SystemRoot% is the root directory for the operating system, such as C:\Winnt, and %UserName% is the user name , such as wrstanek.

• New Installation of Windows

  The user profile is located at %SystemDrive%\ Documents and Settings\%UserName%.%UserDomain%, such as F:\Documents and Settings\wrstanek.adatum\Ntuser.dat. If the user logs on to a domain controller, the profile might be located at %SystemDrive%\Documents and Settings\%UserName%, such as F:\Documents and Settings\wrstanek\Ntuser.dat.

If you don't change the default location, the user will have a local profile.

Creating Roaming Profiles

Roaming profiles are stored on servers running Windows Server 2003. When users log on to multiple computers and use EFS, they'll need a roaming profile to ensure that the certificates necessary to read and work with encrypted files are available on computers other than their primary work computers.

If you want a user to have a roaming profile, you must set a server-based location for the profile directory by completing the following steps:

1. Create a shared directory on a server running Windows Server 2003 and make sure that the group Everyone has access to it.

2. Access the user's Properties dialog box in Active Directory Users And Computers, and then choose the Profile tab. Type the path to the shared directory in the Profile Path field. The path should have the form \\server name\profile folder name\user name. An example is \\Zeta\User_Profiles\Georgej, where Zeta is the server name, User_Profiles is the shared directory, and Georgej is the user name.

3. The roaming profile is then stored in the Ntuser.dat file in the designated directory, such as \\Zeta\User_Profiles\Georgej\Ntuser.dat.

   Note

   You don't usually need to create the profile directory. The directory is created automatically when the user logs on.

   
   

4. As an optional step, you can create a profile for the user or copy an existing profile to the user's profile folder. If you don't create an actual profile for the user, the next time the user logs on the user will use the default local profile. Any changes the user makes to this profile will be saved when the user logs off. Thus, the next time the user logs on, the user can have a personal profile.

Creating Mandatory Profiles

Mandatory profiles are stored on servers running Windows Server 2003. If you want a user to have a mandatory profile, you define the profile as follows :

1. Follow Steps 1 “3 in the previous section, "Creating Roaming Profiles."

2. Create a mandatory profile by renaming the Ntuser.dat file as %UserName%\Ntuser.man. The next time the user logs on, he or she will have a mandatory profile.

Using the System Utility to Manage Local Profiles

To manage local profiles, you'll need to log on to the user's computer. Afterward, you can use the System utility in the Control Panel to manage local profiles. To view current profile information, start the System utility, click the Advanced tab, and then under User Profiles, click Settings.

As shown in Figure 10-8, the User Profiles dialog box displays various information about the profiles stored on the local system. You can use this information to help you manage profiles. The fields have the following meanings:

• Name

  The local profile's name, which generally includes the name of the originating domain or computer and the user account name. For example, the name Adatum\Wrstanek tells you that the original profile is from the domain adatum and the user account is wrstanek.

• Size

  The profile's size. Generally, the larger the profile, the more the user has customized the environment.

• Type

  The profile type, which is either local or roaming.

• Status

  The profile's current status, such as whether it's from a local cache.

• Modified

  The date when the profile was last modified.

Creating a Profile by Hand

In some cases you might want to create the profile by hand. You do this by logging on to the user account, setting up the environment, and then logging out. As you might guess, creating accounts in this manner is time-consuming . A better way to handle account creation is to create a base user account. Here, you create the base user account, set up the account environment, and then use this account as the basis of other accounts.

Copying an Existing Profile to a New User Account

If you have a base user account or a user account that you want to use in a similar manner, you can copy an existing profile to the new user account. To do this, you'll use the System Control Panel utility. You do that by completing the following steps:

1. Start the System Control Panel utility, click the Advanced tab, and then under User Profiles, click Settings.

2. Select the existing profile you want to copy using the Profiles Stored On This Computer list box (see Figure 10-8).

3. Copy the profile to the new user's account by clicking the Copy To button. Next, type the path to the new user's profile directory in the Copy Profile To field (see Figure 10-9). For example, if you were creating the profile for our user, georgej, you'd type \\Zeta\User_Profiles\Georgej .

   Figure 10-9. Use the Copy To dialog box to enter the location of the profile directory and to assign access permissions to the user.

   

4. Now you need to give the user permission to access the profile. Click the Change button in the Permitted To Use area, and then use the Select User Or Group dialog box to grant access to the new user account.

5. Close the Copy To dialog box by clicking OK. Windows Server 2003 then copies the profile to the next location.

   Tip

   If you know the name of the user or group you want to use, you can type it directly into the Name field. This will save you time.

   
   

Copying or Restoring a Profile

When you work with workgroups where each computer is managed separately, you'll often have to copy a user's local profile from one computer to another. Copying a profile allows users to maintain environment settings when they use different computers. Of course, in a Windows Server 2003 domain you can use a roaming profile to create a single profile that can be accessed from anywhere within the domain. The problem is that sometimes you might need to copy an existing local profile over the top of a user's roaming profile (when the roaming profile is corrupt) or you might need to copy an existing local profile to a roaming profile in another domain.

You can copy an existing profile to a new location by doing the following:

1. Log on to the user's computer, and then start the System Control Panel utility, click the Advanced tab, and under User Profiles, click Settings.

2. Select the existing profile you want to copy using the Profiles Stored On This Computer list box.

3. Copy the profile to the new location by clicking the Copy To button, and then type the path to the new profile directory in the Copy Profile To field. For example, if you're creating the profile for janew, you could type \\Gamma\User_Profiles\Janew .

4. Now you need to give the user permission to access the profile. Click the Change button in the Permitted To Use area, and then use the Select User Or Group dialog box to grant access to the appropriate user account.

5. When you're finished, close the Copy To dialog box by clicking OK. Windows Server 2003 then copies the profile to the new location.

Deleting a Local Profile and Assigning a New One

Profiles are accessed when a user logs on to a computer. Windows Server 2003 uses local profiles for all users who don't have roaming profiles. Generally, local profiles are also used if the local profile has a more recent modification date than the user's roaming profile. Because of this, there are times when you might need to delete a user's local profile. For example, if a user's local profile becomes corrupt, you can delete the profile and assign a new one. Keep in mind that when you delete a local profile that isn't stored anywhere else on the domain, you can't recover the user's original environment settings.

To delete a user's local profile, complete the following steps:

1. Log on to the user's computer using an account with Administrator privileges.

2. Start the System utility, click the Advanced tab and then, under User Profiles, click Settings.

3. Select the profile you want to delete and then click Delete. When asked to confirm that you want to delete the profile, click Yes.

Now the next time the user logs on, Windows Server 2003 does one of two things. Either the operating system gives the user the default local profile for that system or it retrieves the user's roaming profile stored on another computer. To prevent the use of either of these profiles, you'll need to assign the user a new profile. To do this you can

• Copy an existing profile to the user's profile directory. Copying profiles is covered in the next section.

• Update the profile settings for the user in Active Directory Users And Computers. Setting the profile path is covered in this chapter in the section entitled "Configuring the User's Environment Settings."

Changing the Profile Type

With roaming profiles, the System utility lets you change the profile type on the user's computer. To do this, select the profile and then click Change Type. The options in this dialog box allow you to

• Change a roaming profile to a local profile

  If you want the user to always work with the local profile on this computer, set the profile for local use. Here, all changes to the profile are made locally and the original roaming profile is left untouched.

• Change a local profile (that was defined originally as a roaming profile) to a roaming profile

  The user will use the original roaming profile for the next logon. Afterward, Windows Server 2003 treats the profile like any other roaming profile, which means that any changes to the local profile are copied to the roaming profile.