
User Profiles on Windows 2000 Workstation

What are User Profiles?


A user profile represents what the user sees when they log into their computer. This includes the desktop
wallpaper, the icons such as My Computer, Internet Explorer, Recycle Bin, the Start Menu, and the task bar.
Some of these items can be customized by the user (such as the choice of wallpaper) and preserved when the user
logs on at a later time.

On a more technical level the user profile represents a collection of folders and files. The User Profile is
comprised of a registry hive and a set of profile directories. The registry is a database used to store computer and
user specific settings, and portions of the registry can be saved as files, called hives [1]. These hives can then be
reloaded for use as necessary. User Profiles take advantage of the hive feature to provide roaming profile
functionality.

These folders and files are updated each time the user successfully logs off their computer. The following
screenshot depicts the typical folders and files that make up the user profile.

All User Profiles within the LS&A NT domain are configured as “roaming profiles”. Roaming profiles are the
collection of folders and files comprising the user profile that are automatically copied to a common
server—the s-lsa-prof server. Because of their location on a common server, user profiles are available on any
LS&A NT domain computer that a user logs into. Hence, the user profile (i.e. the collection of folders and files)
travels with the user as they move about logging into different NT4 or Win2K(P) computers.

Folders and Files that Make Up the User Profile


The folders and files that make up the user profile for most users at LS&A are described in the table below. Some
of these folders or files are normally hidden from view. These hidden objects are denoted with an asterisk. The
hidden objects, however, can be seen if the “Admin Friendly Explorer View” has been enabled.
Not all folders or files will be necessarily displayed for all users. Some folders will only display when a user is
using a Win2K(P) computer.

Folder              Description
*Application Data   Application-specific data, such as a custom dictionary for a word processing program. Application vendors decide what data to store in this directory. Users or DSAs do not normally work within this directory.
Cookies             Internet cookies are small signatures that indicate previous visits to a site. Cookies usually make the subsequent visits faster. These files are generally small in size (normally 1K) and do not require management by the DSA.
Desktop             Desktop icons/shortcuts that display on the desktop. This folder stores all shortcuts created by the user. The shortcuts in this folder can be very useful to the DSA. New shortcuts can be added directly to this folder. They can also be removed from this folder. Shortcut changes in the Desktop folder must be made when the user is not logged into a computer. The DSA should make the changes on the server-based version of the profile only.
Favorites           Listing of favorite web or URL network locations, mainly used by Internet Explorer. Favorites can be deleted by the DSA to manage the growth of favorites.
Local Settings      Application data for Internet applications. Not normally managed directly by the user or DSA.
My Documents        Storage point for documents and pictures. Location can be modified to point to a network path. Note: My Documents replaces “Personal” when the user profile moves to Windows 2000; they both serve the same process.
My Webs             Storage point for synchronized Web Information.
*NetHood            Network Neighborhood information. Permanent drive mappings are stored here as shortcuts. The DSA can copy the drive mappings stored in this location to other profiles.
*PrintHood          Stores shortcuts to printer folder items.
Recent              Stores shortcuts to the most recently used documents. Can be managed by the DSA to maintain a “recent” listing of the most used documents. The DSA does this by removing files from the server-based profile. The user can trim this down by selecting Start / Settings / Task Bar and Start Menu / Advanced, and clicking on the box to Clear all recent document pointers. The Recent folder can become unwieldy to work with over time if not cleaned up occasionally.
SendTo              List of locations where you can send files and directories (e.g. Word or Notepad). Generally used to open documents.
Start Menu          Items that appear via the Start Menu. Normally applications that are specific to the user.
*Templates          Location of application templates.
Windows             Location of user-specific files and settings for applications installed into Windows 2000.
*Ntuser.dat         Represents the settings for NT Explorer, the taskbar, printer settings, control panel, accessories, and help bookmarks. The Ntuser.dat file is mapped to the HKEY_CURRENT_USER portion of the registry when the user logs on.
*Ntuser.dat.LOG     The Ntuser.dat.LOG file acts as a sort of transaction log file that can serve the purpose of profile recovery. This file is updated each time the user logs off the computer.
*ntuser.ini         Establishes the exclusion list of files not included as part of the Roaming Profile. This list currently includes Temporary Internet Files, History, Temp, and Local Settings\Application Data\Microsoft\Outlook.

* Hidden Directories or Files

[1] The registry is divided into hives. They are named hives for their resemblance to the cellular structure of a beehive. A hive is a discrete
body of keys, sub keys, and values.

Date: 11/11/2005 4:10 PM

The Ntuser.dat File


The User Profile registry hive is the NTuser.dat in file form, and is mapped to the HKEY_CURRENT_USER
portion of the registry when the user logs on. The NTuser.dat hive maintains the user’s environment preferences
when the user is logged on. It stores those settings that maintain network connections, Control Panel
configurations unique to the user (such as the desktop color and mouse settings), and application-specific settings.
Together, the Ntuser.dat file and the other folders/files make up the user profile that provides the complete set of
user profile settings.

NTUSER.DAT
The NTuser.dat file contains the following configuration settings.
• Windows NT Explorer settings. All user-definable settings for Windows NT Explorer, as well as
persistent network connections.
• Taskbar. All personal program groups and their properties, all program items and their properties, and
all taskbar settings.
• Printer settings. All network printer connections.
• Control Panel. All user-defined settings made in the Control Panel. For example, the wall paper and
screen savers.

• Accessories. All user-specific application settings affecting the Windows NT environment,
including: Calculator, Clock, Notepad, Paint, and HyperTerminal, among others.
• Help bookmarks. Any bookmarks placed in the Windows NT Help system.

As a result of these settings being embedded within the Ntuser.dat file, these settings can only be changed
when a user is logged into a computer. The user or DSA would have to make the changes on the cached
profile, and log off to preserve them on the server-based version [2].

Types of User Profiles


Roaming profiles are one type of user profile. Other profile types can include local profiles, cached profiles, and
mandatory profiles. Each profile type is defined below:

Roaming Profile
A roaming profile is stored on a network share and can be accessed from any computer. A user who has a
roaming profile can log on to any computer for which that profile is valid and access the profile. An NT4 profile
is valid for both NT4 and Win2KP. However, NT4 or Win2K profiles cannot be used on Windows 9x
computers due to differences in the registry.
Local Profile
A local profile is specific to a computer. A user who has a local profile on a particular computer can gain access to
that profile only while logged on to that computer. The local profile will be stored in one of two locations on the
computer depending on whether it is an NT4 or Win2K(P) computer.

On NT4, the local profile is generally stored in the c:\winnt\profiles\<UserName> folder. On Win2K(P)
computers, the local profile is generally stored in the c:\Documents and Settings\<UserName> folder [3].

To determine the exact location of the local profile when logged into an NT4 or Win2K(P) computer, the user can
type “set” at a command prompt. The set command will display the environment variables on the computer. The
“UserProfile” variable will display the precise location of the local profile.

Mandatory Profile
A mandatory profile is a pre-configured roaming profile that the user cannot permanently change. In most cases,
mandatory profiles are assigned to a person or a group of people for whom a common interface and standard
configuration is required.

At LS&A, mandatory profiles are generally used for instructional labs. Typically, a shared account is created with
a mandatory profile. Students who use these accounts can make desktop modifications while logged into the
computer, but the changes are not uploaded or preserved when the user logs off the computer.

Changing the extension of Ntuser.dat to Ntuser.man inside the roaming profile directory will make a profile
mandatory. Likewise, the mandatory profile can be “unlocked” by changing the file extension back to .dat.

How User Profiles are Initially Created


Before a user logs into a new Win2K(P) computer for the first time, there are only two user profiles on the newly
built computer. These profiles are called “All Users” and “Default User”. The screenshot below shows these
profiles. Understanding how they are used to create the initial user profile for the user is important for later
troubleshooting and management.

[2] It is also possible to edit the registry hive, but directly editing the registry is not the recommended way to modify profiles.
[3] The location of the local profile on Win2K(P) systems can vary depending on whether it is a new build or an upgrade of an NT4 system. If a
new computer, the User Profile path will be c:\Documents and Settings\<UserName>. If an upgrade from NT4, then the User Profile path will
be c:\winnt\profiles\<UserName>.


All user accounts at LS&A are configured as roaming profiles. This is done with the User Account Management
tool when the account is created.

When the user logs onto their computer for the first time, the local or cached version of the profile is created using
the Default User Profile. In addition, shortcuts assigned to the All Users Profile are added to the new User Profile.
When the user logs off the computer, the User Profile is copied (uploaded) to the
s-lsa-prof server for the first time. As the user logs on and off the network, the roaming profile is updated with the
changes.

The Default User Profile and the All Users Profile are system profiles used to generate all initial user profiles.

The All Users Profile


The All Users Profile provides common shortcuts to all users that log onto the computer. These shortcuts usually
apply to application programs.

When installing applications manually, the program can be installed for the “current user” or “all users” using the
computer. If the program is installed for just the logged in user, then the shortcut for the program is only available
for the one user. If the program is installed for all users, then the program is available for anyone who logs onto
the computer.

The Default User Profile


The Default User Profile is a hidden profile. The DSA will want to ensure that their view of desktop files is set up
with the administrative view. This makes the Default User profile visible.

Right-mouse clicking on the Start button and selecting “Open All Users” or “Explore All Users” can easily
display the user profiles. The profiles can also be displayed by navigating to the profile path.

The contents of the Default User Profile resemble a normal user profile. The contents of this profile are used to
create the initial user profile for all new users. The typical Default User profile is displayed below:


The Default User Profile is created by the Win2K(P) system during the installation of the operating system. It can
also be modified as a custom template for users. See later section on “Management Tasks with User Profiles”.

Differences between NT4 and Win2K(P) User Profiles


User profiles for NT4 and Win2K(P) are stored in different locations on the hard drive. For NT4 computers, the
user profile is stored in the c:\winnt\profiles\<User Name> path. For Win2K(P) computers, the user profile
is stored by default in the c:\documents and settings\<User Name> path. Microsoft made this change in order to move the
user profile out of the secure location of the Win2K(P) operating system files under winnt.

However, the default location for user profiles on Win2K(P) computers depends on whether the computer was
newly installed or upgraded. If newly installed, the user profile path will be the c:\Documents and Settings\<User
Name> path. If the NT4 computer is, instead, upgraded to Win2K(P), the user profile path will continue to use the
former NT4 setting of c:\winnt\profiles\<User Name>.

The following table shows the possible location for user profiles on the local computer according to the method
used to install Win2K(P).

Installation Method for Win2K(P)                               Location of the User Profile
Windows 2000 New Installation                                  C:\Documents and Settings
Windows 2000 Upgrade from NT4                                  C:\winnt\profiles
Windows 2000 Upgrade from Win9x with User Profiles disabled    C:\Documents and Settings
Windows 2000 Upgrade from Win9x with User Profiles enabled     C:\windows\system\profiles

Logging into Both NT4 and Win2K with the same User Profile
A user with a roaming profile who logs on to both NT4 and Win2K computers should have no issue with their
user profile. The profile path, however, may vary depending on the version of Windows NT and the mode of
Win2K(P) installation (i.e. new install or upgrade).

While there may be no issue, there have been reports of two anomalies. First, the network applet under control
panel on NT4 systems seems to disappear after logging into a Win2K computer with the same user profile. The
present workaround is to access the network properties by selecting properties from the network neighborhood.
Second, the login switching between NT4 and Win2K will occasionally bring up a password problem with
Protected Storage. The workaround is to select cancel when presented with the password window. A fix is also
available by editing the registry—see section on troubleshooting.

Roaming Profiles are Recommended


LSAIT believes that roaming profiles are the recommended profile setups for most users at LS&A. Roaming
profiles provide roving users a consistent desktop when traveling about the college. They also provide a backup of
user settings should the user’s main computer become inoperative. All the user’s settings are preserved
and can be easily recovered should the computer have to be rebuilt.

Once the issues of user profiles are well understood, most profile problems can be easily managed.

Changing the User Profile


The user can make direct changes to their profile. Each time a user logs into Win2K(P) and makes changes to
their desktop settings, the changes are preserved when the user logs off successfully. A successful log off occurs if
the user receives no errors when logging off the computer, and the logon screen appears on the monitor.

The CSG or DSA can also make modifications to the user profile in two ways. One, they can remotely connect to
the user’s desktop with SMS remote control when the user is logged in and make desktop modifications that will
be preserved when the user logs off. Two, they can make direct modifications to the user profile folders and files
that are stored on the s-lsa-prof server. The user must not be logged into any computer when changes are made to
the server-based profile. If the user is logged in, the changes will be overwritten by the upload of the cached
profile when the user logs off.

Changing the Roaming Profile to a Local Profile on One Computer


The CSG or DSA may decide to change a user’s profile on a designated computer to a local profile instead of a
roaming profile. A local profile is a user profile that does not upload or download to the s-lsa-prof server. The
local profile is dedicated to a single computer—it does not roam with the user logging into other computers. The
result of doing this is a dramatic improvement in the login time on the one computer.

Some staff in the SST, for example, have elected to use a local profile rather than a roaming profile on their main
work computer. The reason, typically, is to improve the login/logout time on the computer. Doing this on one
computer does not mean that the roaming profile is no longer available. In fact, the roaming profile remains
available when the user logs on to other computers.

One other typical reason to enable a local profile is to prevent download of the roaming profile for dial-up users.
Remote users should not use roaming profiles over slow links.

To change the roaming profile to a local profile on one computer, the CSG or DSA would bring up the User
Profiles program and change the profile to local. To do this, right-mouse click the My Computer icon, select
properties, and select the User Profiles tab. This will bring up the User Profiles program. Select the appropriate
user account and change the type to local.

Changing the user profile to a local profile from a roaming profile does have its consequences. A local profile is
not preserved on the s-lsa-prof file server. As a result, it is not regularly backed up. Hence, if the user’s computer
becomes unusable, the local profile will be lost.


How to Prevent Users from Changing the User Profile Type


Only DSAs should change the local profile type from roaming to local. To prevent users from making this change,
the DSA should remove the read permissions from the c:\winnt\system32\sysdm.cpl file for the users or groups
that should not be able to modify profile settings. See Q file, Q150919.

Disabling the Roaming Profile Altogether


If desired by the user, the roaming profile capability can be disabled altogether. The user should contact the CSG
or DSA and request that the roaming profile be disabled. The CSG or DSA would remove the roaming profile
entry as defined in the user’s account setting. The result will be that the user will get a profile that is local to their
computer and all other computers they log into. The profile will not travel with the user if they log onto another
computer. The user will always receive a local profile for each distinct computer they log into. Their customized
profile will only be available on the computer they regularly use day to day.

Removing the roaming profile altogether does have its consequences. A local profile is not preserved on the
s-lsa-prof file server. As a result, it is not regularly backed up. Hence, if the user’s computer becomes unusable, the
local profile will be lost. All custom settings will have to be manually added.

Deleting a User Profile and Starting Over


It may become necessary to delete a user’s profile and start fresh with a new user profile. To do this successfully,
it is important that both the local profile and the server-based profile be deleted. The deletion of the profile must be
done with an account other than the user’s own account.

It is important to note that if a user is logged on locally to a machine and then attempts to delete his or her own
profile, a message will appear stating that the profile is currently in use and cannot be deleted. The user must log
off, log back on using a different account with administrator privileges, and delete the profile. In addition, if a
service is running for a particular user account, the same message may appear. If this happens, stop the service
and then delete the profile.

Once the local and server-based profiles have been deleted, then the user can log in again starting with the
standard profile defined by the Default User profile.

The entire profile can be regenerated in two ways. One, copy the template profile in place of the existing user
profile; two, have the user log in fresh to a computer, thus creating a new profile from the existing default user
profile. The steps to do this are defined below:

Copy the Template Profile Over the Existing Profile


If a template profile has been preserved for a particular department, the template profile can be copied to a user’s
profile directory to replace a corrupted profile. Perform the following steps:

1. Instruct the user to log off their computer.
2. Connect to the \\s-lsa-prof\profiles share.
3. Navigate to the target profile. For instance, to navigate to the kirk profile, change directories to k\kirk.
4. Select the contents of the profile and delete everything.
5. Copy the template profile into this folder.
6. Have the user log back into their computer.
7. The user will be prompted to select between the server-based profile and the local profile. Instruct the
user to select the server-based profile. Note, the new server-based profile will replace the local profile on
the user’s hard disk.

Copy the Local Profile to the s-lsa-prof Server
If the server-based profile is corrupted, it is possible to copy the local profile to the server. Here are the steps.

1. The CSG or DSA should log onto the user’s workstation as Administrator
2. Right-mouse click on the My Computer icon and select Properties.
3. Click on the User Profiles tab
4. Highlight the local version of the User’s Profile and click on Copy To...
5. At the Copy profile to field, enter the path to the user’s profile and click OK. If this were user Kirk’s
profile, the path would be \\s-lsa-prof\profiles\k\kirk.

6. Click on OK to close the System Properties Screen.

Making a Profile Mandatory


A user profile can be made mandatory (not subject to change) by changing the file extension of Ntuser.dat to
Ntuser.man. The change must occur on the server-based profile. The mandatory profile represents a Read-Only
profile. Changes cannot be updated to the server-based profile. Users using a mandatory profile will be able to
make changes to the desktop while logged into the computer. However, those changes will not be preserved when
the user logs off the computer. Instead the original profile settings will recover automatically.

A mandatory profile is typically used in instructional labs where desktop consistency is highly desirable and
necessary. Users are denied the ability to save changes to the desktop settings with a mandatory profile.

Forcing the Use of the Server-Based Profile Only


Adding the .man extension to the server-based folder containing the roaming profile can enforce the use of the
server-based profile. For instance, if the user profile named kirk was stored in the
s-lsa-prof\k\kirk.man folder, the user kirk would not be able to log into the computer unless the
server-based profile was available. In this case, the cached profile, even if it existed, would still not allow the user
to login and access the profile. Only the server-based profile would be used if available.

Configuring NT4 or Win2K to not download the Roaming Profile over a Dial-up Connection
NT4 or Win2K dial-up users could be frustrated by the download of their roaming profile over a slow
dial-up connection. Dial-up users should not download their roaming profile. They should configure their off-site
computer to use the local profile instead.

A domain-wide policy can be set such that detection of a slow link automatically triggers the use of the local
profile instead of the roaming profile.
>, you can access the Dfs root with a domain name rather than the server name.

Best Practices for Department Systems Administrators


1. The DSA should have an account without a roaming user profile. This will improve login time and
minimize frustration of having zombie shortcuts installed on the foreign computer when performing
administrative tasks. LSAIT recommends that DSAs have an account created that is called
<Department Name> Sysadm. The math DSA, for instance, would request an account named “math
sysadm”. The math sysadm account would not have a roaming profile. It would also be added to the
math sysadm group. The NT department prefix is required.
2. Obtain admin rights to the user profiles in your department. New user accounts already provide their
local DSA Full Control rights over the profile. LSAIT is working on a script to provide this capability
to long-term accounts as well.
3. Confirm that all users in your department have Full Control rights to their roaming user profile. This
will be critical for Windows 2000. Windows 2000 requires that users have Full Control rights to their
server-based profiles in order that updates work correctly.
4. Review TechNet or “support.Microsoft.com” for issues related to User Profiles. Just search on “user
profiles”.
5. Maintain a folder for common user shortcuts. The shortcuts can be copied to a user’s server-based
profile when needed to correct a problem.
6. Make the roaming profile mandatory for troublesome users. Making the profile mandatory will
maintain a consistent desktop, prevent the user from corrupting their desktop, and minimize your
support intervention. You can instruct the user to simply log off and log back on to correct desktop
problems.
7. Advise your users to not place data on their profile. Instead, advocate the use of shortcuts to point at
the real data. One way to heighten the user’s interest in compliance is to explain that data on the profile
becomes part of the cached profile on every machine they log into. Hence, a user could expose their
personal data on a computer where the permissions have been changed or
modified directly. Other users on the computer could possibly access their data!

Troubleshooting User Profile Problems
What happens to the profile when the user is logged into several machines at once?
When a user is logged into multiple machines at the same time, the last computer that the user logs out from will
represent the user profile that is saved to the server. Any changes made from other computers during the interim
will be overwritten and therefore lost.

What happens to the profile during slow network connections?


If network traffic is heavy when the user logs in to the LSA NT network, they may receive a message stating that
a slow network connection has been detected. Furthermore, they will be prompted to use the locally cached
version of their user profile. In almost all cases, the user should continue to select the server-based version.

One thing to consider, however, is where the most recent profile changes are located and how long the
server-based profile has been unavailable. If the user has been using the local profile for many days and has been making
changes to their desktop, then they should select the local, not server-based, profile when prompted with this
dialogue box. Only in this way will they preserve changes to their profile.

Note: the best way to determine the degree to which the cached profile and the server-based profile are in sync is
to compare the timestamp of the Ntuser.dat files.

What happens when the user is unable to log on because the profile cannot be loaded?
This indicates that permissions have been set too tightly within the “winnt” directory, “winnt\system” directory,
“winnt\system32” directory, or the “winnt\system32\config” directory. The DSA can use the “fixacls.exe”
resource kit utility to restore the default Win2K security access control lists (ACLs).

Note: fixacls should be used only after consulting the CSG or SST group. The fixacls command will
remove all lockdown and expose the local computer to the Everyone Group.

What happens if the roaming user profile is unavailable at login?


Once the user logs in successfully to their Win2K computer, the user profile from s-lsa-prof is downloaded to
their local hard drive as a cached version. If the s-lsa-prof server were unavailable at login, the user would be
prompted to use the locally cached version. Hence, users should always have access to their computer even if the
s-lsa-prof server is unavailable. However, this does require one previous successful login onto their computer.

If the user has never logged into their computer successfully, and the s-lsa-prof server is unavailable, then the user
would get the profile for the “default user” provided they could authenticate to the NT domain with their login
credentials.

If none of the login servers (s-lsa-01, s-lsa-02, s-lsa-m1) were available for a user who has never logged into the
workstations before, then the user would not be able to login at all. The user would require an account on the local
computer.

What happens if all LS&A NT domain servers were unavailable at login?


Provided that the user has logged in at least one time successfully to their computer, they will be able to
authenticate using the locally cached profile information on their computer, and thus gain access to the desktop. If
they have never logged in successfully to the computer, they will be denied access to the computer.

In this latter case where the user has never logged into the computer, the only way the user could gain access to
the desktop is to obtain a local user account on the machine. A local user account can be provided by the DSA in
the department or by the CSG (936-3279; lsa-accounts@umich.edu).

Access to remote NT file services, of course, will not be available. Access to programs like Microsoft Word or
SPSS would be available since they are stored on the local computer.

Once access to the LSA NT servers is available, the user should log out and log back in to reconnect all services.

ile will not download from the s-lsa-prof server. The locally cached version of the profile maintains updates, but
does not upload to the server-based version.

If this occurs, the first thing to examine is the timestamp on the Ntuser.dat file. The timestamp on the
server-based version and the local version should be compared. If the timestamp on the local version is
significantly newer than the timestamp on the server-based version, then something is wrong with the update
mechanism.
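
The timestamp check described here, and in the earlier note on judging how far the cached and server-based profiles are in sync, can be scripted. The following Python sketch is an added example, not part of the original document; the 5-minute tolerance for "significantly newer", the verdict strings and the constructed sample directories are assumptions.

```python
import os
from datetime import datetime, timedelta
from pathlib import Path

# Hive file names from this page; the .man extension marks a mandatory profile.
HIVE_NAMES = {"ntuser.dat": False, "ntuser.man": True}


def find_hive(profile_dir):
    """Return (path, is_mandatory) for the hive in profile_dir, or (None, False).

    Matching is case-insensitive because the page writes the name as
    Ntuser.dat, NTuser.dat and NTUSER.DAT.
    """
    root = Path(profile_dir)
    if not root.is_dir():
        return None, False
    for entry in sorted(root.iterdir()):
        mandatory = HIVE_NAMES.get(entry.name.lower())
        if mandatory is not None and entry.is_file():
            return entry, mandatory
    return None, False


def compare_profiles(cached_dir, server_dir, tolerance=timedelta(minutes=5)):
    """Compare hive timestamps of the cached and the server-based profile.

    tolerance is an assumed threshold; the page only says "significantly newer".
    """
    cached, _ = find_hive(cached_dir)
    server, mandatory = find_hive(server_dir)
    result = {"mandatory": mandatory, "cached_mtime": None,
              "server_mtime": None, "delta": None}
    if cached is not None:
        result["cached_mtime"] = datetime.fromtimestamp(cached.stat().st_mtime)
    if server is not None:
        result["server_mtime"] = datetime.fromtimestamp(server.stat().st_mtime)

    if server is None:
        result["verdict"] = "server-hive-missing"
    elif cached is None:
        result["verdict"] = "cached-hive-missing"
    elif mandatory:
        # Changes to a mandatory profile are never uploaded, so a gap is not a fault.
        result["verdict"] = "mandatory-no-upload-expected"
    else:
        delta = result["cached_mtime"] - result["server_mtime"]
        result["delta"] = delta
        if delta > tolerance:
            result["verdict"] = "cached-newer"   # logoff upload is not reaching the server
        elif delta < -tolerance:
            result["verdict"] = "server-newer"   # a later logoff happened on another computer
        else:
            result["verdict"] = "in-sync"
    return result


def build_sample_pair(root, cached_age_min, server_age_min, server_name="Ntuser.dat"):
    """Create a constructed cached/server pair whose hives have the given ages."""
    now = datetime.now().timestamp()
    dirs = []
    for sub, name, age in (("cached", "NTUSER.DAT", cached_age_min),
                           ("server", server_name, server_age_min)):
        folder = Path(root) / sub
        folder.mkdir(parents=True, exist_ok=True)
        hive = folder / name
        hive.write_bytes(b"constructed placeholder, not a real registry hive")
        stamp = now - age * 60
        os.utime(hive, (stamp, stamp))
        dirs.append(folder)
    return dirs


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Cached copy written a minute ago, server copy three days old.
        cached, server = build_sample_pair(tmp, 1, 3 * 24 * 60)
        report = compare_profiles(cached, server)
        print(report["verdict"], report["delta"])
```

In practice the two arguments would be the cached profile folder on the workstation and the user's folder on the profile share.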

After checking that all settings are correct for the roaming profile with the user’s account, you should examine the
User Profiles settings on the local computer. To do this, Right-mouse click My Computer and select Properties.
Click on the User Profiles Tab. Review the profile type. It is possible that the profile type was changed to local
instead of roaming.

If the profile is set to roaming, then you should delete the cached version of the profile and see if the roaming
profile begins to download. Before doing this, you should confirm that the user’s profile contains no data files.
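
One way to confirm that a profile holds no data files before deleting the cached copy is to walk it and list what would roam. This Python sketch is an added example, not part of the original document; it uses the ntuser.ini exclusion list given earlier on this page, while the data-file extensions, the 1 MB size threshold, the trailing-component matching of excluded folders and the constructed sample tree are assumptions.

```python
import os
from pathlib import Path, PureWindowsPath

# Exclusion list exactly as this page gives it for ntuser.ini.
EXCLUDED = (
    "Temporary Internet Files",
    "History",
    "Temp",
    r"Local Settings\Application Data\Microsoft\Outlook",
)
# Assumption: extensions treated as user data (adjust per department).
DATA_EXTENSIONS = {".doc", ".xls", ".ppt", ".mdb", ".pst", ".pdf", ".zip", ".sav"}
# Assumption: any file at or above this size is reported regardless of type.
LARGE_FILE_BYTES = 1024 * 1024


def is_excluded(rel_parts, excluded=EXCLUDED):
    """True if a folder's trailing path components match an exclusion entry.

    Matching on trailing components (case-insensitive) is an assumption made
    here so that "Temp" also covers "Local Settings/Temp".
    """
    rel = tuple(part.lower() for part in rel_parts)
    for entry in excluded:
        want = tuple(part.lower() for part in PureWindowsPath(entry).parts)
        if len(rel) >= len(want) and rel[-len(want):] == want:
            return True
    return False


def audit_profile(profile_dir, excluded=EXCLUDED):
    """Walk a profile copy; return roaming size, skipped folders and data files."""
    root = Path(profile_dir)
    roaming_bytes, findings, skipped = 0, [], []
    for current, dirs, files in os.walk(root):
        rel_dir = Path(current).relative_to(root)
        keep = []
        for name in dirs:
            if is_excluded((rel_dir / name).parts, excluded):
                skipped.append(str(rel_dir / name))  # does not roam
            else:
                keep.append(name)
        dirs[:] = keep  # prune so os.walk never descends into excluded folders
        for name in files:
            path = Path(current) / name
            size = path.stat().st_size
            roaming_bytes += size
            if name.lower().startswith("ntuser."):
                continue  # hive, transaction log and ini belong to every profile
            ext = path.suffix.lower()
            if ext in DATA_EXTENSIONS:
                reason = "data extension"
            elif size >= LARGE_FILE_BYTES:
                reason = "large file"
            else:
                continue  # shortcuts, favorites and other small items
            findings.append({"path": str(rel_dir / name), "bytes": size, "reason": reason})
    findings.sort(key=lambda item: item["bytes"], reverse=True)
    return {"roaming_bytes": roaming_bytes, "skipped": sorted(skipped), "findings": findings}


def build_sample_profile(root):
    """Create a constructed profile tree; every name and size here is made up."""
    layout = {
        "NTUSER.DAT": 4096,
        "ntuser.ini": 64,
        "Desktop/Budget.lnk": 512,
        "Desktop/thesis-draft.doc": 300_000,
        "Desktop/installer.exe": 1_500_000,
        "My Documents/survey.sav": 2_500_000,
        "Favorites/LSA.url": 120,
        "Local Settings/Temporary Internet Files/cache.zip": 900_000,
        "Local Settings/Application Data/Microsoft/Outlook/mail.pst": 3_000_000,
        "Local Settings/Temp/setup.tmp": 10_000,
    }
    for rel, size in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\0" * size)
    return Path(root)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_profile(build_sample_profile(tmp))
        print("roaming size:", report["roaming_bytes"], "bytes")
        for item in report["findings"]:
            print(f'{item["bytes"]:>10}  {item["reason"]:<15} {item["path"]}')
```

Shortcuts and favorites are deliberately not reported, since the page recommends shortcuts that point at data stored elsewhere.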

Can other users access data that is stored as part of a roaming profile on the local computer?
Users who place data on their profile risk having others gain access to their data. Data should never be stored on
the profile. Not only is it a security risk, but it also slows login and logout.

By default, Windows NT or Windows 2000 grants Full Control permissions for the “Everyone” group to the
storage location of cached profiles. For NT4, this would be c:\winnt\profiles; for Win2K, this would be
c:\Documents and Settings. However, the user’s cached profile that is stored in this location grants Full Control
permissions to the user, the local administrator on this computer, and the System (operating system). According to
Microsoft Knowledge Base article Q243420, the default security for roaming profiles is “change”. Only the user who
owns the profile has full control rights to their cached profile.

While this security is generally okay, the user should understand that any member of the local administrative
group could potentially access their data if it is part of the roaming profile. Moreover, permissions could be
changed on the local computer by a systems administrator, thus opening access to locally stored profiles.
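
One way to check a cached profile for loosened permissions, as an added example that is not part of the original document: the script parses the text printed by `cacls` for a profile folder and lists every entry that grants access to anyone other than the owner, the local Administrators group and SYSTEM. The sample output, account names and domain name are constructed for the example.

```python
import re

# Constructed sample of `cacls` output for one cached profile; the account
# and domain names are invented for this example.
PROFILE = r"C:\Documents and Settings\jdoe"
OWNER = r"EXAMPLE\jdoe"
CLEAN_ACL = r"""
C:\Documents and Settings\jdoe BUILTIN\Administrators:(OI)(CI)F
                               NT AUTHORITY\SYSTEM:(OI)(CI)F
                               EXAMPLE\jdoe:(OI)(CI)F
"""
LOOSE_ACL = CLEAN_ACL + r"""
                               Everyone:(OI)(CI)C
                               EXAMPLE\asmith:(OI)(CI)R
"""

# Besides the owner, the page lists these as holders of Full Control.
EXPECTED = {r"builtin\administrators", r"nt authority\system"}
# principal : optional (OI)(CI)(IO) inheritance flags : F, C, R, W or N
ACE = re.compile(r"^(?P<who>.+?):(?:\((?:OI|CI|IO)\))*(?P<perm>[FCRWN])$")

def parse_cacls(path, output):
    """Return [(principal, permission)] from cacls text for one path."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first ACE shares a line with the path
        match = ACE.match(line)
        if match:
            aces.append((match.group("who"), match.group("perm")))
    return aces

def unexpected_access(path, owner, output):
    """ACEs granting access to anyone but the owner, Administrators or SYSTEM."""
    allowed = EXPECTED | {owner.lower()}
    return [(who, perm) for who, perm in parse_cacls(path, output)
            if perm != "N" and who.lower() not in allowed]

if __name__ == "__main__":
    for label, acl in (("clean", CLEAN_ACL), ("loose", LOOSE_ACL)):
        print(label, unexpected_access(PROFILE, OWNER, acl))
```

An empty result means only the three expected principals hold access; it does not change the point above that any local administrator can still read the profile.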

How does a systems administrator remove zombie shortcuts or broken “.lnk” files?
Over time a user profile may accumulate several shortcuts or links to programs that no longer exist. They are “dead
shortcuts”—zombies—that no longer run the program they were originally attached to. The user can delete these
shortcuts one at a time. Better than this, the DSA can run the “chklnks.exe” resource kit program on the user’s
computer and delete them all quickly.

The chklnks.exe program is a resource kit utility that executes a wizard that checks to see if the shortcut points to
an existing application or document. If the associated application or document is not found, the Wizard lists that
file as a dead link, providing the option to remove it.

Why does the profile upload and download take so long?


There are three reasons for a slow download or upload of user profiles. One, the network is very slow. There is
considerable traffic resulting in delays of file transfers. This may occur at 8am or 5pm when many other college
users are logging into or off the network. Two, the user profile is large. The user may have copied data files to the
profile. A large profile is any profile over 20MB. Three, the virus software may be inspecting the file download at
login. This problem was noted with DSAV and the WinGuard program. Disabling the WinGuard program’s
file inspection dramatically improved the user profile upload and download times in some cases.

Note: LSAIT does not recommend as a matter of course that the WinGuard program be disabled to speed the
login/logout time. Users should be fully aware of this change if this is done for them. They, not the DSA,
should take responsibility for this.
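
To see whether a profile is over the 20MB mark and where the bulk of it sits, a DSA can total the profile folder before looking at the network or the virus scanner. The script below is an added example, not part of the original document; the folder layout and file names in `demo()` are constructed, and the demo uses scaled-down sizes and a small limit.

```python
import os
import sys
import tempfile

LIMIT_BYTES = 20 * 1024 * 1024    # the page's threshold for a "large" profile

def profile_report(profile_dir, limit=LIMIT_BYTES, top=5):
    """Total a profile, split the total by top-level folder, rank the largest files."""
    files, by_folder = [], {}
    for root, _dirs, names in os.walk(profile_dir):
        for name in names:
            full = os.path.join(root, name)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue              # file locked or removed during the walk
            rel = os.path.relpath(full, profile_dir)
            head = rel.split(os.sep)[0] if os.sep in rel else "(profile root)"
            by_folder[head] = by_folder.get(head, 0) + size
            files.append((size, rel))
    files.sort(reverse=True)
    total = sum(size for size, _ in files)
    return {"total": total, "large": total > limit,
            "by_folder": by_folder, "largest": files[:top]}

def demo():
    """Report on a constructed profile tree; sizes are scaled down for the demo."""
    layout = {"NTUSER.DAT": 300,
              os.path.join("Desktop", "thesis.doc"): 5000,
              os.path.join("Favorites", "site.url"): 100}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, size in layout.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(b"\0" * size)
        return profile_report(tmp, limit=4096, top=2)

if __name__ == "__main__":
    report = profile_report(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(report)
```

Run against a cached profile folder, the `largest` list also shows which data files would be lost if the cached copy were deleted.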

Why does a custom program work well for the administrator account, but not new users?
Assuming this is not a permissions problem, the problem is most likely the result of the program not being
properly configured for the Default User Account. This can be remedied by the DSA. The DSA can copy the
administrator account profile in place of the Default User Profile with the User Profile tool. The User Profile tool
is accessed according to the following steps:
• Right-click the My Computer icon
• Select Properties
• Click on User Profiles

• Click on the Administrator Profile
• Change “Permitted to use” to Domain Users
• Copy in place of the Default User Profile
After doing this, the DSA should log back in using the normal administrator account and delete the temporary
admin account.

Note: A temporary admin equivalent account is necessary to copy the administrator profile. The administrator
cannot copy their own profile while logged in and using it.

What to do if the user is prompted for a Protected Storage Password at login?


There have been a few reports of users getting a prompt for the protected storage password just after the initial
login to NT4 or Win2K(P). The problem seems to be related to users who log into both NT4 and Win2K(P)
computers. There also seems to be some evidence that this is related to use of Office 2000 as well.

While LSAIT continues to investigate, there is a remedy to the problem. To fix the problem, the registry will have
to be changed by the DSA. Here are the steps:

1. Stop the Protected Storage Service with the Services Tool.


2. Use regedt32 to navigate to the HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
registry key.
3. Double-click this key and you will see at least one subkey that has a name that is equivalent to your
Windows NT user account’s SID. You need to delete this subkey, but you don’t have permission to do
so. So you need to give yourself permission to do this.
4. Highlight the key that represents the SID, and select Permissions from the Security menu.
5. Add your user account to the ACL with Full Control rights.
6. Delete the subkey.
7. Restart the Protected Storage Service.

Why do user profiles get corrupted?


While there is no exact answer for user profile corruption, there does appear to be some indication that user
profiles can be corrupted by an incomplete logoff. This normally occurs when the user logs off and powers off the
computer before the logoff has completed or the computer has crashed. The interrupted logoff results in a
corrupted profile.

Logoff for a normal roaming profile takes about 30 seconds. However, users with large profiles over 20MB
could experience logoff times of several minutes. In this case, the user may become impatient waiting for
the logon screen to return so they can select Shutdown.

Why are changes to the User Profile not preserved?


Let’s assume that the user has a roaming profile that is functioning correctly. It is not a mandatory profile either.
And they only log in to one computer—there is no other occurrence of their login on another computer. Yet, each
time they log in and log off the computer, all changes to the user profile are lost. No error messages are generated.
However, if the user is made an administrator of the local workstation, all changes to the user profile are retained
properly.

The likely cause of changes not being preserved to the profile is that the user is not a member of the local
workstation Users group. If a user is not an explicit member of the local workstation Users group or another group
other than the Guest group, the user is considered a guest. All guest profiles are deleted when the user logs off the
computer.

Why are Win2K users getting an error message stating that their roaming profile cannot be updated?
This normally indicates that the user does not have full control permissions for the roaming profile stored on the
s-lsa-prof server. Change the permissions so that the user has full control permissions to all profile folders and files.
