Profiles are stored under %systemroot%\profiles, typically c:\winnt\profiles.
A profile will exist here for each user that logs on to the NT computer,
and will be named after their logon name. The exception is the Guest user:
Guest does not get a user profile.
In the user's profile directory there are several
subdirectories that contain configuration information about that
user's desktop settings, application data, Start menu, and so on.
Any configuration changes made to Windows NT are stored in the user's
profile. You can view this information by opening a user's profile
directory and seeing the subdirectories underneath.
The NTUSER.DAT file plus the directories under the user's name
in c:\winnt\profiles and the settings under c:\winnt\profiles\all
users make up each user's profile.
If you need to have your user profile available no
matter what NT machine you log on to, you can create a Roaming Profile.
A Roaming Profile is stored on a server that you have access to, and
is loaded onto whatever NT computer you log on to.
To create Roaming Profiles do this:
1. Create a shared directory on an NT server (it does not
have to be a domain controller) and name it Profiles$ (or whatever).
Use the dollar sign at the end to hide the share from the browse list.
Give this Profiles$ directory Change share permissions.
2. Open User Manager for Domains and for each user click
on the User menu,
properties, then the Profile button. In the "User Profile Path"
enter the UNC path to the share
you just created.
Ex. If you created a Profiles$ share on
a server named Server01, then in the user profile path you would
enter \\server01\profiles$\sallysmith. Alternatively, you could
enter \\server01\profiles$\%username%
Once you do this, when the user logs into the
domain, a directory for that user name will be created under the
Profiles share. Since there is no profile yet on the server for
the user, NT loads the local profile from the NT computer they logged
on to. When the user logs off the computer, the profile information
will be copied to the server under the user name directory for that
user. The next time they log on, the roaming profile on the server
will be compared to the profile on the local machine and the newer
of the two profiles will be used on the local machine.
Creating a preconfigured Default User Profile
Since every new user that logs on to an NT computer has their user
profile created from the Default User profile, you can preconfigure
a default profile for every user that logs on.
To do this:
1. Log on to the NT computer with an Administrator
access account and create a user named Defprofile (or whatever).
Log off the NT computer, and log back on with the defprofile account.
Configure the PC the way you want it (desktop, printers, installed
applications, and so on), then log off. There will now be a profile
for the defprofile user under c:\winnt\profiles.
2. Log back on as an admin, open control panel, system,
click the User Profiles tab,
and select the defprofile profile. Click the "Copy To"
button then the "Browse" button
in the Copy to profile field and go to c:\winnt\profiles\default
user.
Under Permitted to use click the "Change" button and choose
the Everyone group.
(This is important… otherwise users won't have the necessary
permissions to use the profile.)
You will now have a preconfigured default profile for any new user
that logs on to that PC.
You can copy the same profile to all your NT workstations by entering
the computer name
in the Copy to field:
\\ntpc02\admin$\profiles\default user
\\ntpc03\admin$\profiles\default user
Use the admin$ share in place of c:\winnt. You will need administrator
access to whatever PC you are copying to. If you log on as a member of
the Domain Admins group you will have this access.
Creating a Domain wide Default Profile
By default, when a new user logs into a domain their PC checks
the Netlogon share on their authenticating domain controller
(c:\winnt\system32\repl\import\scripts\) for a Default User directory.
If one exists, the profile information in Default User is copied
to the NT PC as a template for the new user's profile.
Remember, this is the Default User's profile which is only used
for new users.
An existing user would not get this profile. Only users who don't
have a profile set up on an NT computer would get this Default profile.
Under c:\winnt\system32\repl\import\scripts create a Default User
directory, and then
using the System applet in Control Panel, copy your preconfigured
default profile to
this directory.
Note: By default the netlogon share has share permissions
for only
Everyone - Read. You will need to add a user or group (i.e. Domain
Admins) to the share
and give them Change or Full control share permissions to copy the
profile to the netlogon share.
In the Copy To path you can enter:
\\PDC_Name\netlogon\default user
Note: Make sure to give the domain Everyone group access
to this profile.
Considerations:
- If you are going to set up a domain wide Default
User profile, it should be created on your domain PDC and then copied
to all BDCs since they will also be authenticating users. Use the
Directory Replication feature of Windows NT to do this.
- If you are going to use roaming profiles, remember that the profile
must fit the PC. This means that the PCs your users log on to should
all have the same hardware, or at least be very similar in their
capabilities.
- Watch out for shortcuts on the desktop that point to objects that exist
only on one PC. These shortcuts will be saved to the roaming profile
on the server, and when the user logs in to another PC, that PC will
try to access the PC where the objects are. You don't want this,
so make sure any file or folder that you create a shortcut for
is on every PC a user could log on to. Additionally,
make sure the shortcut path uses environment variables like %systemroot%
or %windir% in case the paths are different on different PCs.
- Finally, think about the disk space that might be needed on a
server for profiles. A user's profile directory can get quite large,
especially if they don't clear out their Temporary Internet Files
folder. Do you have space on your server for all your profiles directories??
Mandatory Profiles:
If you don't want your users to be able to save configuration changes
to their NT
environment, then use mandatory profiles.
On individual workstations you would rename the NTUSER.DAT file
to NTUSER.MAN.
This tells NT that no changes can be made to the profile. Users
can still modify their
NT environment while logged on, but they cannot save changes when
they log off.
If you want a group of users, say the Accounting group, to use
a mandatory profile, do this:
1. Create a user on an NT PC, log on as that user, configure
the NT PC the way you want it, and log off.
2. Under your Profiles$ share on an NT server, create a profile
directory for the group and give it a .man extension. For example,
create an accounting.man directory. Give the Accounting group at least
Read and Execute permissions to this directory.
3. Log back on to the PC as an Admin, and copy the configured
profile to the accounting.man
directory. For Permitted to use, assign the Accounting group.
4. Go to the accounting.man directory on the server and rename
NTUSER.DAT to NTUSER.MAN.
5. Open User Manager for Domains, select the members of the
Accounting group,
click the User Menu, then Properties, then Profile, and in the User
Profile Path enter the
path to the accounting.man directory, \\server01\profiles$\accounting.man
Now, when anyone in the accounting group logs in to the domain,
they will get this mandatory
profile on their PCs.
Considerations:
- You have to manually create a Mandatory Profile directory on
a server. Unlike non-mandatory
roaming profiles, NT will not create a user directory for you.
- If a user tries logging on, and the Mandatory Profile is not available
(the server that it is on is unavailable), then the user will not
be able to log on to their PC.
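The server-side layout that steps 2 to 4 produce can be checked with a short script. The following is an added example, not part of the original page: the function names, the "mandatory"/"writable"/"empty" labels and the sample share contents are assumptions made for illustration, and the classification relies only on the NTUSER.DAT / NTUSER.MAN naming rule described above.

```python
import os
import tempfile

def classify_profile_dir(path):
    """Return (kind, problems) for one profile directory on the server."""
    names = {n.lower() for n in os.listdir(path)}  # NT file names are case-insensitive
    has_dat, has_man = "ntuser.dat" in names, "ntuser.man" in names
    man_dir = os.path.basename(path).lower().endswith(".man")
    problems = []
    if has_dat and has_man:
        problems.append("both NTUSER.DAT and NTUSER.MAN present")
    if man_dir and has_dat and not has_man:
        problems.append("NTUSER.DAT not renamed to NTUSER.MAN (step 4)")
    if man_dir and not has_dat and not has_man:
        problems.append("no NTUSER hive; profile was not copied (step 3)")
    # Kind follows the hive name only: .MAN means changes are not saved.
    if has_man:
        kind = "mandatory"
    elif has_dat:
        kind = "writable"
    else:
        kind = "empty"
    return kind, problems

def audit_share(share_root):
    """Map each directory name under the share to its (kind, problems)."""
    return {name: classify_profile_dir(os.path.join(share_root, name))
            for name in sorted(os.listdir(share_root))
            if os.path.isdir(os.path.join(share_root, name))}

def build_sample_share(root):
    """Constructed sample layout standing in for the Profiles$ share."""
    layout = {"accounting.man": ["NTUSER.MAN"],  # set up as described
              "sales.man": ["NTUSER.DAT"],       # step 4 was skipped
              "payroll.man": [],                 # step 3 was skipped
              "sallysmith": ["NTUSER.DAT"]}      # ordinary roaming profile
    for name, files in layout.items():
        os.makedirs(os.path.join(root, name))
        for f in files:
            open(os.path.join(root, name, f), "wb").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        for name, (kind, problems) in audit_share(share).items():
            print(f"{name:16} {kind:10} {'; '.join(problems) or 'ok'}")
```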
Preventing certain folders being replicated as part of the user profile
If you are replicating numerous user profiles to a server, you will
quickly eat
up server hard drive space unless you restrict what is saved on
the server.
Part of a user's profile is their Temporary Internet Files
folder which holds
all of the files that are downloaded when the user visits web sites.
This can
grow to be 30, 40, 60MB or more over time. To prevent copying this
directory
(and any other directories you don't want saved to a profile directory
on the server)
do this:
Service Pack 4 introduced a new registry setting, ExcludeProfileDirs,
which can be used to exclude certain directories from the replication
of user profiles. To implement it, perform the following:
1. Start the registry editor (regedit.exe)
2. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
3. From the Edit menu select New - String value
4. Enter a name of ExcludeProfileDirs and press Enter
5. Double click the new value and set it to the relevant directories,
separating them by semi-colons, for example:
Local Settings\Application Data\Microsoft\Outlook;Temporary Internet Files;Personal
6. Click OK
7. Close the registry editor
This can also be done through a system policy:
1. Start the Policy Editor (poledit.exe)
2. Create a new policy (or open an existing one providing it was
created after SP4 installation)
3. Double click Default User
4. Expand 'Windows NT User Profiles'
5. Check 'Exclude directories in roaming profile'
6. In the data box type the name of the directories to be excluded
7. Click OK
8. Save the policy to the netlogon share of the PDC
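To see what an ExcludeProfileDirs value saves before rolling it out, the script below walks a local profile directory and totals what would and would not be copied to the server. It is an added example, not part of the original page: the function names and the sample profile are constructed, and it assumes each entry is a path relative to the profile root that excludes the whole subtree, matched case-insensitively.

```python
import os
import tempfile

def parse_exclude_dirs(value):
    """Split an ExcludeProfileDirs string into lower-cased path tuples."""
    entries = []
    for item in value.split(";"):
        item = item.strip().strip("\\")
        if item:  # NT file names are case-insensitive, so compare in lower case
            entries.append(tuple(part.lower() for part in item.split("\\")))
    return entries

def roaming_size(profile_root, exclude_value):
    """Return (bytes_copied, bytes_excluded); entries assumed relative to the root."""
    excluded = parse_exclude_dirs(exclude_value)
    copied = skipped = 0
    for dirpath, _dirs, files in os.walk(profile_root):
        rel = os.path.relpath(dirpath, profile_root)
        parts = () if rel == "." else tuple(p.lower() for p in rel.split(os.sep))
        size = sum(os.path.getsize(os.path.join(dirpath, f)) for f in files)
        if any(parts[:len(e)] == e for e in excluded):
            skipped += size
        else:
            copied += size
    return copied, skipped

def build_sample_profile(root):
    """Constructed sample profile; file names and sizes are made up."""
    sample = {
        ("NTUSER.DAT",): 1000,
        ("Desktop", "notes.txt"): 200,
        ("Temporary Internet Files", "cache1.htm"): 5000,
        ("Local Settings", "Application Data", "Microsoft", "Outlook", "mail.pst"): 8000,
        ("Local Settings", "Application Data", "other.dat"): 300,
        ("Personal", "report.doc"): 700,
    }
    for parts, size in sample.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)

# The example value given in step 5 of the registry procedure.
PAGE_EXAMPLE = r"Local Settings\Application Data\Microsoft\Outlook;Temporary Internet Files;Personal"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_profile(root)
        print(roaming_size(root, PAGE_EXAMPLE))
```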
Additionally, you can go to each user's Internet Options and
change the path for their Temporary Internet Files folder. This is
usually found under General, Temporary Internet Files, Settings.
If you change the path to, say, c:\temporary internet files, then
this directory will not get copied to the server as part of their
profile when the user logs off. You can also set an option in
Internet Explorer to delete the temporary files when the user closes
their browser. This is found on the Advanced tab towards the bottom
under Security.