Back docs > winnt > NT profiles
     
   
   



A user profile is created the first time a user logs on to a NT computer. The user's profile is based on the Default User profile which is copied to the new user's profile.

Profiles are stored under %systemroot%\profiles, typically c:\winnt\profiles. A profile will exist here for each user that logs onto the NT computer, and be named after their logon name. Except for the Guest user. Guest does not get a user profile.

In the user's profile directory there are several subdirectories that contain configuration information about that user's desktop settings, application data, Start menu, and so on. Any configuration changes made to Windows NT are stored in the user's profile. You can view this information by opening a user's profile directory and seeing the subdirectories underneath.

NT creates 3 default profiles during installation. The Default User profile, the All Users user profile and the Administrator user profile. The Administrator user profile is created after a new NT install, and the Administrator logs on for the first time. The Default User profile is a template for all users that logon to the NT computer. Each new user's profile is created from the Default User profile. The All Users profile contains settings for any and all users who logon to the NT computer. The settings in All Users profile combine with the user's profile to create the settings for each user.

Also in the root of the user's profile directory is found the NTUSER.DAT file and NTUSER.DAT.LOG file. The NTUSER.DAT file contains user specific registry settings from the HKEY_CURRENT_USER subtree in the NT registry. The .LOG file is a transaction log file for these registry settings.

The NTUSER.DAT file plus the directories under the user's name in c:\winnt\profiles and the settings under c:\winnt\profiles\all users make up each user's profile.

The default permissions for a user's profile directory(s) are:
Administrators - Full Control
System - Full Control
User_Name - Full control


Roaming Profiles

If you need to have your user profile available no matter what NT machine you logon to, you can create a Roaming Profile. A Roaming profile is stored on a server that you have access to, and is loaded onto whatever NT computer you logon to.

To create Roaming Profiles do this:

1. Create a shared directory on a NT server (it does not have to be a domain controller) and name it Profiles$ (or whatever). Use the dollar sign at the end to hide the share from the browse list. Give this Profiles$ directory Change share permissions. 2. Open User Manager for Domains and for each user click on the User menu, properties, then the Profile button. In the "User Profile Path" enter the UNC path to the share you just created.

Ex. If you created a Profiles$ share on a server name Server01, then in the user profile path you would enter \\server01\profiles$\sallysmith. Alternatively, you could enter \\server01\profiles$\%username%

Once you do this, when the user logs into the domain, a directory for that user name will be created under the Profiles share. Since there is no profile yet on the server for the user, NT loads the local profile from the NT computer they logged on to. When the user logs off the computer, the profile information will be copied to the server under the user name directory for that user. The next time they logon, the roaming profile on the server will be compared to the profile on the local machine and the newer of the two profiles will be used on the local machine.

Creating a preconfigured Default User Profile

Since every new user that logs on to a NT computer has their user profile created from the Default User profile, you can preconfigure a default profile for every user that logs on.

To do this:

1. Log on to the NT computer with an Administrator access account and create a user named Defprofile (or whatever). Log off the NT computer, and log back on with the defprofile account. Configure the PC the way you want it, desktop, printers, install applications, and so on, then logoff. There will now be a profile for the defprofile user under c:\winnt\profiles.

2. Log back on as an admin, open control panel, system, click the User Profiles tab, and select the defprofile profile. Click the "Copy To" button then the "Browse" button in the Copy to profile field and go to c:\winnt\profiles\default user. Under Permitted to use click the "Change" button and choose the Everyone group. (This is important… otherwise users won't have the necessary permissions to use the profile.)

You will now have a preconfigured default profile for any new user that logs on to that PC.

You can copy the same profile to all your NT workstations by entering the computer name in the Copy to field:

\\ntpc02\admin$\profiles\default user
\\ntpc03\admin$\profiles\default user

Use the admin$ share in place of c:\winnt. You will need administrator access to whatever PC you are copying to. If you logon as a member of the Domain Admins group you will have this access.

Creating a Domain wide Default Profile

By default, when a new user logs into a domain their PC checks the Netlogon share on a their authenticating domain controller (c:\winnt\system32\repl\import\scripts\) for a Default User directory. If one exits, the profile information in Default User is copied to the NT PC as a template for the new user's profile.

Remember, this is the Default User's profile which is only used for new users. An existing user would not get this profile. Only users who don't have a profile set up on a NT computer would get this Default profile.

Under c:\winnt\system32\repl\import\scripts create a Default User directory, and then using the System applet in Control Panel, copy your preconfigured default profile to this directory. Note: By default the netlogon share has share permissions for only Everyone - Read. You will need to add a user or group (i.e. Domain Admins) to the share and give them Change or Full control share permissions to copy the profile to the netlogon share.

In the Copy To path you can enter:
\\PDC_Name\\netlogon\default user

Note: Make sure to give the domain Everyone group access to this profile


Considerations:

- If you are going to set up a domain wide Default User profile, it should be created on your domain PDC and then copied to all BDCs since they will also be authenticating users. Use the Directory Replication feature of Windows NT to do this.
- If you are going to use roaming profiles, remember that the profile must fit the PC. This means that the PCs your users log on to should all have the same hardware, or< at least be very similar in their capabilities.
- Watch out for shortcuts on the desktop that point to objects only on one PC. These shortcuts will be saved to the roaming profile on the server, and when the user logs in to another PC, the PC will try and access the PC where the objects are. You don't want this, so make sure any files or folders or whatever that you create a shortcut for, is on every PC a user could log on to. Additionally, make sure the shortcut path uses environmental variables like %systemroot% or %windir% in case the paths are different on different PCs.
- Finally, think about the disk space that might be needed on a server for profiles. A user's profile directory can get quite large, especially if they don't clear out their Temporary Internet Files folder. Do you have space on your server for all your profiles directories??



Mandatory Profiles:

If you don't want your users to be able to save configuration changes to their NT environment, then use mandatory profiles.

On individual workstations you would rename the NTUSER.DAT file to NTUSER.MAN. This tells NT that no changes can be made to the profile. Users can still modify their NT environment while logged on, but they cannot save changes when they log off.

If you want a group of users, say the Accounting group, to use a mandatory profile, do this:

1. Create a user on a NT PC, log on as that user, and configure the NT PC the way you want it, log off.
2. Under your Profiles$ share on a NT server, create a profile directory for the group and give it a .man extension. For example, create an accounting.man directory. Give the Accounting group at least Read and Execute permissions to this directory.
3. Log back on to the PC as an Admin, and copy the configured profile to the accounting.man directory. For Permitted to use, assign the Accounting group.
4. Go to the accounting.man directory on the server and rename NTUSER.DAT to NTUSER.MAN.
5. Open User Manager for Domains, select the members of the Accounting group, click the User Menu, then Properties, then Profile, and in the User Profile Path enter the path to the accounting.man directory, \\server01\profiles$\accounting.man

Now, when anyone in the accounting group logs in to the domain, they will get this mandatory profile on their PCs.

Considerations:

- You have to manually create a Mandatory Profile directory on a server. Unlike non-mandatory roaming profiles, NT will not create a user directory for you.
- If a user tries logging on, and the Mandatory Profile is not available (the server that it is on is unavailable), then the user will not be able to log on to their PC.


Preventing certain folders being replicated as part of the user profile

If you are replicating numerous user profiles to a server, you will quickly eat up server hard drive space unless you restrict what is saved on the server. Part of a user's profile is their Temporary Internet Files folder which holds all of the files that are downloaded when the user visits web sites. This can grow to be 30, 40, 60MB or more over time. To prevent copying this directory (and any other directories you don't want saved to a profile directory on the server) do this:


Service Pack 4 introduced a new registry setting, ExcludeProfileDirs, which can be used to exclude certain directories from the replication of user profiles. To implement perform the following:

1. Start the registry editor (regedit.exe)
2. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
3. From the Edit menu select New - String value
4. Enter a name of ExcludeProfileDirs and press Enter
5. Double click the new value and set to the relevant areas, separating them by semi-colons,
for example: Local Settings\Application Data\Microsoft\Outlook;Temporary Internet Files;Personal
6. Click OK
7. Close the registry editor

This can also be done through a system policy:

1. Start the Policy Editor (poledit.exe)
2. Create a new policy (or open an existing one providing it was created after SP4 installation)
3. Double click Default User
4. Expand 'Windows NT User Profiles
5. Check the 'Exclude directories in roaming profile'
6. In the data box type the name of the directories to be excluded
7. Click OK
8. Save the policy to the netlogon share of the PDC


Additionally, you can go to each users Internet Options and change the path for their Temporary Internet Files Folder. This is usually found under General, Temporary Internet Files, Settings. If you change the path to say c:\temporary internet files, then this directory will not get copied to the server as part of their profile when the user logs off. You can also set an option in Internet Explorer to delete the temporary files when the user closes their browser.  This is found on the Advanced tab towards the bottom under Security.

    Top

b/johnson:01