On a more technical level the user profile represents a collection of folders and files. The User Profile is
comprised of a registry hive and a set of profile directories. The registry is a database used to store computer and
user specific settings, and portions of the registry can be saved as files, called hives[1]. These hives can then be
reloaded for use as necessary. User Profiles take advantage of the hive feature to provide roaming profile
functionality.
These folders and files are updated each time the user successfully logs off their computer. The following
screenshot depicts the typical folders and files that make up the user profile.
All User Profiles within the LS&A NT domain are configured as “roaming profiles”. Roaming profiles are the
collection of folders and files comprising the user profile that are automatically copied to a common
server—the s-lsa-prof server. Because of their location on a common server, user profiles are available on any
LS&A NT domain computer that a user logs into. Hence, the user profile (i.e. the collection of folders and files)
travels with the user as they move about logging into different NT4 or Win2K(P) computers.
Folder | Description
*Application Data | Application-specific data, such as a custom dictionary for a word processing program. Application vendors decide what data to store in this directory. Users or DSAs do not normally work within this directory.
Cookies | Internet cookies are small signatures that indicate previous visits to a site. Cookies usually make the subsequent visits faster. These files are generally small in size (normally 1K) and do not require management by the DSA.
[1] The registry hive is divided into hives. They are named hives for their resemblance to the cellular structure of a beehive. A hive is a discrete
body of keys, sub keys, and values.
NTUSER.DAT
The Ntuser.dat file contains the following configuration settings.
• Windows NT Explorer settings. All user-definable settings for Windows NT Explorer, as well as
persistent network connections.
• Taskbar. All personal program groups and their properties, all program items and their properties, and
all taskbar settings.
• Printer settings. All network printer connections.
• Control Panel. All user-defined settings made in the Control Panel. For example, the wallpaper and
screen savers.
As a result of these settings being embedded within the Ntuser.dat file, these settings can only be changed
when a user is logged into a computer. The user or DSA would have to make the changes on the cached
profile, and log off to preserve them on the server-based version[2].
Roaming Profile
A roaming profile is stored on a network share and can be accessed from any computer. A user who has a
roaming profile can log on to any computer for which that profile is valid and access the profile. An NT4 profile
is valid for both NT4 and Win2KP. However, NT4 or Win2K profiles cannot be used on Windows 9x
computers due to differences in the registry.
Local Profile
A local profile is specific to a computer. A user who has a local profile on a particular computer can gain access to
that profile only while logged on to that computer. The local profile will be stored in one of two locations on the
computer depending on whether it is an NT4 or Win2K(P) computer.
On NT4, the local profile is generally stored in the c:\winnt\profiles\<UserName> folder. On Win2K(P)
computers, the local profile is generally stored in the c:\Documents and Settings\<UserName> folder[3].
To determine the exact location of the local profile when logged into an NT4 or Win2K(P) computer, the user can
type “set” at a command prompt. The set command will display the environment variables on the computer. The
“UserProfile” variable will display the precise location of the local profile.
Mandatory Profile
A mandatory profile is a pre-configured roaming profile that the user cannot permanently change. In most cases,
mandatory profiles are assigned to a person or a group of people for whom a common interface and standard
configuration is required.
At LS&A, mandatory profiles are generally used for instructional labs. Typically, a shared account is created with
a mandatory profile. Students who use these accounts can make desktop modifications while logged into the
computer, but the changes are not uploaded or preserved when the user logs off the computer.
Changing the extension of Ntuser.dat to Ntuser.man inside the roaming profile directory will make a profile
mandatory. Likewise, the mandatory profile can be “unlocked” by changing the file extension back to .dat.
[2] It is also possible to edit the registry hive, but directly editing the registry is not the recommended way to modify profiles.
[3] The location of the local profile on Win2K(P) systems can vary depending on whether it is a new build or an upgrade of an NT4 system. If a
new computer, the User Profile path will be c:\Documents and Settings\<UserName>. If an upgrade from NT4, then the User Profile path will
be c:\winnt\profiles\<UserName>.
All user accounts at LS&A are configured as roaming profiles. This is done with the User Account Management
tool when the account is created.
When the user logs onto their computer for the first time, the local or cached version of the profile is created using
the Default User Profile. In addition, shortcuts assigned to the All Users Profile are added to the new User Profile.
When the user logs off the computer, the User Profile is copied (uploaded) to the
s-lsa-prof server for the first time. As the user logs on and off the network, the roaming profile is updated with the
changes.
The Default User Profile and the All Users Profile are system profiles used to generate all initial user profiles.
When installing applications manually, the program can be installed for the “current user” or “all users” using the
computer. If the program is installed for just the logged in user, then the shortcut for the program is only available
for the one user. If the program is installed for all users, then the program is available for anyone who logs onto
the computer.
Right-mouse clicking on the Start button and selecting “Open All Users” or “Explore All Users” can easily
display the user profiles. The profiles can also be displayed by navigating to the profile path.
The contents of the Default User Profile resemble a normal user profile. The contents of this profile are used to
create the initial user profile for all new users. The typical Default User profile is displayed below:
The Default User Profile is created by the Win2K(P) system during the installation of the operating system. It can
also be modified as a custom template for users. See later section on “Management Tasks with User Profiles”.
However, the default location for user profiles on Win2K(P) computers depends on whether the computer was
newly installed or upgraded. If newly installed, the user profile path will be the c:\Documents and Settings\<UserName>
path. If the NT4 computer is, instead, upgraded to Win2K(P), the user profile path will continue to use the
former NT4 setting of c:\winnt\profiles\<UserName>.
The following table shows the possible location for user profiles on the local computer according to the method
used to install Win2K(P).
Logging into Both NT4 and Win2K with the same User Profile
A user with a roaming profile who logs on to both NT4 and Win2K computers should have no issue with their
user profile. The profile path, however, may vary depending on the version of Windows NT and the mode of
Win2K(P) installation (i.e. new install or upgrade).
While there may be no issue, there have been reports of two anomalies. First, the network applet under control
panel on NT4 systems seems to disappear after logging into a Win2K computer with the same user profile. The
present workaround is to access the network properties by selecting properties from the network neighborhood.
Second, the login switching between NT4 and Win2K will occasionally bring up a password problem with
Protected Storage. The workaround is to select cancel when presented with the password window. A fix is also
available by editing the registry—see section on troubleshooting.
Once the issues of user profiles are well understood, most profile problems can be easily managed.
The CSG or DSA can also make modifications to the user profile in two ways. One, they can remotely connect to
the user’s desktop with SMS remote control when the user is logged in and make desktop modifications that will
be preserved when the user logs off. Two, they can make direct modifications to the user profile folders and files
that are stored on the s-lsa-prof server. The user must not be logged into any computer when changes are made to
the server-based profile. If the user is logged in, the changes will be overwritten by the upload of the cached
profile when the user logs off.
Some staff in the SST, for example, have elected to use a local profile rather than a roaming profile on their main
work computer. The reason, typically, is to improve the login/logout time on the computer. Doing this on one
computer does not mean that the roaming profile is no longer available. In fact, the roaming profile remains
available when the user logs on to other computers.
One other typical reason to enable a local profile is to prevent download of the roaming profile for dial-up users.
Remote users should not use roaming profiles over slow links.
To change the roaming profile to a local profile on one computer, the CSG or DSA would bring up the User
Profiles program and change the profile to local. To do this, right-mouse click the My Computer icon, select
properties, and select the User Profiles tab. This will bring up the User Profiles program. Select the appropriate
user account and change the type to local.
Changing the user profile to a local profile from a roaming profile does have its consequences. A local profile is
not preserved on the s-lsa-prof file server. As a result, it is not regularly backed up. Hence, if the user’s computer
becomes unusable, the local profile will be lost.
Removing the roaming profile altogether does have its consequences. A local profile is not preserved on the
s-lsa-prof file server. As a result, it is not regularly backed up. Hence, if the user’s computer becomes unusable, the
local profile will be lost. All custom settings will have to be manually added.
It is important to note that if a user is logged on locally to a machine and then attempts to delete his or her own
profile, a message will appear stating that the profile is currently in use and cannot be deleted. The user must log
off, log back on using a different account with administrator privileges, and delete the profile. In addition, if a
service is running for a particular user account, the same message may appear. If this happens, stop the service
and then delete the profile.
Once the local and server-based profiles have been deleted, then the user can log in again starting with the
standard profile defined by the Default User profile.
The entire profile can be regenerated in two ways. One, copy the template profile in place of the existing user
profile; two, have the user log in fresh to a computer, thus creating a new profile from the existing default user
profile. The steps to do this are defined below:
1. The CSG or DSA should log onto the user’s workstation as Administrator
2. Right-mouse click on the My Computer icon and select Properties.
3. Click on the User Profiles tab
4. Highlight the local version of the User’s Profile and click on Copy To...
5. At the Copy profile to field, enter the path to the user’s profile and click OK. If this were user Kirk’s
profile, the path would be \\s-lsa-prof\profiles\k\kirk.
A mandatory profile is typically used in instructional labs where desktop consistency is highly desirable and
necessary. With a mandatory profile, users are denied the ability to save changes to the desktop settings.
Configuring NT4 or Win2K to not download the Roaming Profile over a Dial-up
Connection
NT4 or Win2K dial-up users could be frustrated by the download of their roaming profile over a slow
dial-up connection. Dial-up users should not download their roaming profile. They should configure their off-site
computer to use the local profile instead.
A domain-wide policy can be set such that detection of a slow link automatically triggers the use of the local
profile instead of the roaming profile.
>, you can access the Dfs root with a domain name rather than the server name.
One thing to consider, however, is where the most recent profile changes are located and how long the server-
based profile has been unavailable. If the user has been using the local profile for many days and has been making
changes to their desktop, then they should select the local, not server-based, profile when prompted with this
dialogue box. Only in this way will they preserve changes to their profile.
Note: the best way to determine the degree to which the cached profile and the server-based profile are in sync is
to compare the timestamp of the Ntuser.dat files.
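The timestamp comparison in the note above can be scripted. This is an added example, not part of the original document; the function name, the one-minute tolerance and the sample paths in the comments are assumptions.

```powershell
# Added example: compare the user hive of a cached profile with the server copy.
function Compare-ProfileHive {
    param(
        [Parameter(Mandatory)] [string]$CachedProfile,  # e.g. C:\Documents and Settings\kirk
        [Parameter(Mandatory)] [string]$ServerProfile   # e.g. \\s-lsa-prof\profiles\k\kirk
    )

    function Get-Hive([string]$Dir) {
        # Ntuser.dat is a normal profile hive; Ntuser.man marks a mandatory profile.
        foreach ($name in 'Ntuser.dat', 'Ntuser.man') {
            $path = Join-Path $Dir $name
            if (Test-Path -LiteralPath $path) {
                return Get-Item -LiteralPath $path -Force   # hive files are hidden
            }
        }
        return $null
    }

    $cached = Get-Hive $CachedProfile
    $server = Get-Hive $ServerProfile

    if (-not $cached -or -not $server) {
        $verdict = 'hive missing on one side; nothing to compare'
    } elseif ($server.Extension -ieq '.man') {
        $verdict = 'mandatory profile; local changes are not uploaded at logoff'
    } else {
        $delta = $cached.LastWriteTimeUtc - $server.LastWriteTimeUtc
        # Assumption: differences under one minute are treated as "in sync".
        if ([math]::Abs($delta.TotalMinutes) -lt 1) { $verdict = 'in sync' }
        elseif ($delta.TotalMinutes -gt 0)          { $verdict = 'cached copy is newer' }
        else                                        { $verdict = 'server copy is newer' }
    }

    [pscustomobject]@{
        CachedHiveUtc = if ($cached) { $cached.LastWriteTimeUtc }
        ServerHiveUtc = if ($server) { $server.LastWriteTimeUtc }
        Verdict       = $verdict
    }
}
```

Run it from an administrator account other than the profile owner's, passing the two profile directories, and use the verdict to decide which copy to keep when prompted.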
What happens when the user is unable to log on because the profile cannot be loaded?
This indicates that permissions have been set too tightly within the “winnt” directory, “winnt\system” directory,
“winnt\system32” directory, or the “winnt\system32\config” directory. The DSA can use the “fixacls.exe”
resource kit utility to restore the default Win2K access control lists (ACLs).
Note: fixacls should be used only after consulting the CSG or SST group. The fixacls command will
remove all lockdown and expose the local computer to the Everyone Group.
If the user has never logged into their computer successfully, and the s-lsa-prof server is unavailable, then the user
would get the profile for the “default user” provided they could authenticate to the NT domain with their login
credentials.
If none of the login servers (s-lsa-01, s-lsa-02, s-lsa-m1) were available for a user who has never logged into the
workstations before, then the user would not be able to login at all. The user would require an account on the local
computer.
In this latter case where the user has never logged into the computer, the only way the user could gain access to
the desktop is to obtain a local user account on the machine. A local user account can be provided by the DSA in
the department or by the CSG (936-3279; lsa-accounts@umich.edu).
Access to remote NT file services, of course, will not be available. Access to programs like Microsoft Word or
SPSS would be available since they are stored on the local computer.
Once access to the LSA NT servers is available, the user should log out and log back in to reconnect all services.
ile will not download from the s-lsa-prof server. The locally cached version of the profile maintains updates, but
does not upload to the server-based version.
After checking that all settings are correct for the roaming profile with the user’s account, you should examine the
User Profiles settings on the local computer. To do this, Right-mouse click My Computer and select Properties.
Click on the User Profiles Tab. Review the profile type. It is possible that the profile type was changed to local
instead of roaming.
If the profile is set to roaming, then you should delete the cached version of the profile and see if the roaming
profile begins to download. Before doing this, you should confirm that the user’s profile contains no data files.
Can other users access data that is stored as part of a roaming profile on the local
computer?
Users who place data on their profile risk having others gain access to their data. Data should never be stored on
the profile. Not only is it a security risk, but it also slows the login and logout time of the login process.
By default, Windows NT or Windows 2000 grants Full Control permissions for the “everyone group” to the
storage location of cached profiles. For NT4, this would be c:\winnt\profiles; for Win2K, this would be
c:\Documents and Settings. However, the user’s cached profile that is stored in this location provides Full Control
permissions to the user, the local administrator on this computer, and the System (operating system). According to
Q file, Q243420, the default security for roaming profiles is “change”. Only the user who owns the profile has full
control rights to their cached profile.
While this security is generally okay, the user should understand that any member of the local administrative
group could potentially access their data if it is part of the roaming profile. Moreover, permissions could be
changed on the local computer by a systems administrator, thus opening access to locally stored profiles.
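To check the permissions described above on a given computer, the following added example (not part of the original document) lists every Allow entry on a cached profile folder that belongs to someone other than the profile's user, the local Administrators group or SYSTEM. The function name is hypothetical, and it assumes each profile folder is named after its account.

```powershell
# Added example: audit ACLs on locally cached profiles.
# Assumption: the profile folder name equals the account name (e.g. "kirk").
function Get-ProfileAclFinding {
    param(
        # Use c:\winnt\profiles on NT4 or on Win2K systems upgraded from NT4.
        [string]$ProfileRoot = 'C:\Documents and Settings'
    )

    # Principals the text says hold Full Control on a cached profile,
    # in addition to the user who owns it.
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    # System profiles are shared by design and are skipped.
    $skip = @('All Users', 'Default User')

    Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force |
        Where-Object { $skip -notcontains $_.Name } |
        ForEach-Object {
            $folder = $_
            $acl = Get-Acl -LiteralPath $folder.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $id = $ace.IdentityReference.Value
                # DOMAIN\kirk or kirk matches the folder "kirk".
                $isOwner = ($id -split '\\')[-1] -ieq $folder.Name
                if ($isOwner -or $expected -contains $id) { continue }
                # Anything left is access the default does not grant,
                # for example Everyone, or a SID that no longer resolves.
                [pscustomobject]@{
                    Profile   = $folder.FullName
                    Identity  = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

Get-ProfileAclFinding | Format-Table -AutoSize
```

An empty result means each cached profile is limited to its user, Administrators and SYSTEM; members of the local Administrators group can still read the data, as the text notes.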
How does a systems administrator remove zombie shortcuts or broken “.lnk” files?
Over time a user profile may accumulate several shortcuts or links to programs that no longer exist. They are “dead”
shortcuts (zombies) that no longer run the program to which they were originally attached. The user can delete these
shortcuts one at a time. Better than this, the DSA can run the “chklnks.exe” resource kit program on the user’s
computer and delete them all quickly.
The chklnks.exe program is a resource kit utility that executes a wizard that checks to see if the shortcut points to
an existing application or document. If the associated application or document is not found, the Wizard lists that
file as a dead link, providing the option to remove it.
Note: LSAIT does not recommend as a matter of course that the WinGuard program be disabled to speed the
login/logout time. Users should be fully aware of this change if this is enabled for them. They, not the DSA,
should take responsibility for this.
Why does a custom program work well for the administrator account, but not new users?
Assuming this is not a permissions problem, then the problem is most likely the result of the program not being
properly configured for the Default User Account. This can be remedied by the DSA. The DSA can copy the
administrator account profile in place of the Default User Profile with the User Profile tool. The user profile tool
is accessed according to the following steps:
• Right-mouse click the My Computer Icon
• Select Properties
• Click on User Profiles
Note: A temporary admin equivalent account is necessary to copy the administrator profile. The administrator
cannot copy their own profile while logged in and using it.
While LSAIT continues to investigate, there is a remedy to the problem. To fix the problem, the registry will have
to be changed by the DSA. Here are the steps:
Logoff times for normal roaming profiles take about 30 seconds. However, users with large profiles over 20MB
could experience logoff times that take several minutes. In this case, the user may become impatient waiting for
the logon screen to select Shutdown.
The likely cause of changes not being preserved to the profile is that the user is not a member of the local
workstation Users group. If a user is not an explicit member of the local workstation Users group or another group
other than the Guest group, the user is considered a guest. All guest profiles are deleted when the user logs off the
computer.
Why are Win2K users getting an error message stating that their roaming profile cannot
be updated?
This normally indicates that the user does not have full control permissions for the roaming profile stored on the
s-lsa-prof server. Change the permissions so that the user has full control permissions to all profile folders and files.