Windows NT Server Operating System White Paper

Guide to Microsoft Windows NT 4.0 Profiles and Policies

Copyright 1997 Microsoft Corporation. All rights reserved.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Microsoft, the BackOffice logo, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation.

Other product or company names mentioned herein may be the trademarks of their respective owners.

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
USA

0997

Abstract
========

This guide provides information and procedures for implementing Microsoft Windows NT 4.0 Profiles and Policies on client workstations and servers. A Microsoft Windows NT 4.0 User Profile describes the Windows NT configuration for a specific user, including the user's environment and preference settings. A System Policy is a set of registry settings that together define the computer resources available to a group of users or an individual. With the addition of System Policies and the new User Profile structure to Windows NT 4.0, network administrators have a greater ability to control the user environment than they have ever had before.

This document provides the details that administrators need to know to implement a rollout of User Profiles and System Policies under Windows NT 4.0. Although the primary emphasis is Windows NT, this paper also discusses how User Profiles are handled with Windows 95 clients and how the two platforms differ.
You should use this guide in conjunction with your Windows NT 4.0 documentation and Resource Kits.

CONTENTS
========

Introduction
TCO and the User
Profiles, Policies, and the Zero Administration Kit
What are User Profiles and System Policies?
Before You Begin
Key Terminology
Technical Notes
Establishing User Profiles - An Overview
Creating and Administering User Profiles
User Profile Structure
Configuration Preferences Stored in the Registry Hive
Configuration Preferences Stored in Profile Directories
Windows NT 4.0 and Windows 95 User Profile Differences
How User Profiles Are Handled in Windows 95
User Profile Planning and Implementation
Setting Permissions for User Profiles
Encoding Permissions in the User Profile
Selecting a Location to Save User Profiles
Setting Persistent Connections
Working Around Slow Network Links
Creating and Maintaining User Profiles
Creating a New Roaming User Profile for Windows NT 4.0
Creating a New Mandatory User Profile for Windows NT 4.0
Making a Roaming Profile Mandatory in Windows NT 4.0
Changing the User's Ability to Modify a Profile
Enforcing the Use of the Server-based Profile
Creating a New Roaming User Profile for a Windows 95 User
Creating a New Mandatory User Profile for Windows 95
Maintaining User Profiles with Control Panel System Properties
Deleting Profiles
Changing the Profile Type from Roaming to Local
Determining Which Profile Is Displayed
Copying Profiles
Viewing the Contents of the Profiles Directory on a Local Computer
Log Files Used by Profiles
The All Users Shared Profile
Default User Template Profiles
Profile Names and Storage in the Registry
Manually Administering a User Profile through the Registry
Modifying the Default User Profile
Upgrading Windows NT 3.5x Server-based Profiles to Windows NT 4.0 Roaming Profiles
Upgrading Windows NT 3.5x Mandatory Profiles to Windows NT 4.0 Mandatory Profiles
Extracting a User Profile for Use on Another Domain or Machine
Creating Profiles Without User-Specific Connections
Troubleshooting User Profiles with the UserEnv.log File
System Policy - An Introduction
System Policy Files
Policy Replication
How Policies Are Applied
Additional Implementation Considerations
The System Policy Editor
Installing the System Policy Editor on a Windows NT Workstation
Installing the System Policy Editor on a Windows 95 Computer
Updating the Registry with the System Policy Editor
System Policy Editor Template (.Adm) Files
Configuring Policy Settings
Setting Folder Paths Back to Defaults
Creating a System Policy
Creating Alternate Folder Paths
Setting Up Shortcuts for Server-based Profiles
Deploying Policies for Windows NT 4.0 Machines
Deploying Policies for Windows 95 Machines
Modifying Policy Settings on Stand-Alone Workstations
Creating a Custom .Adm File
Configuring System Policies Based on Geographic Location
Clearing the Documents Available List
Building Fault Tolerance for Custom Shared Folders
Registry Keys Modified by the System Policy Editor Default Templates
Default User Settings
Control Panel Display Application
Wallpaper
Color Scheme
Start Menu Run Command
Settings Folders
Settings Taskbar
Start Menu Find Command
My Computer Drive Icons
Network Neighborhood Icon
Network Neighborhood Display
Network Neighborhood Workgroup Contents
Desktop Display
Start Menu Shut Down Command
Saved Settings
Registry Editing Tools
Windows Applications Restrictions
Custom Programs
Custom Desktop Icons
Start Menu Subfolders
Custom Startup Folder
Custom Network Neighborhood
Custom Start Menu
Shell Extensions
Explorer File Menu
Start Menu Common Program Groups
Taskbar Context Menus
Explorer Context Menu
Network Connections
Explorer Context Menu
Autoexec.bat
Logon Scripts
Task Manager
Welcome Tips
Default Computer Settings
Remote Update
Communities
Permitted Managers
Public Community Traps
Run Command
Drive Shares - Workstation
Drive Shares - Server
Printer Browse Thread
Server Scheduler
Error Beep
Authentication Retries
Authentication Time Limit
RAS Call-back Interval
RAS Auto-disconnect
Shared Programs Folder Path
Shared Desktop Icons Path
Shared Start Menu Path
Shared Startup Folder Path
Logon Banner
Logon Dialog Shut Down Button
Logon Name Display
Logon Scripts
Long File Names
Extended Characters in 8.3 File Names
Read Only Files - Last Access Time
Cached Roaming Profiles
Slow Network Detection
Slow Network Timeout
Dialog Box Timeout
Registry Entries Not Included in the System Policy Editor
Autorun
Start Banner
Appendix B - Implementing User Profiles
Existing Windows NT 3.5x Roaming Profile
Existing Windows NT 3.5x Roaming Profile
Migrating Windows NT 3.5x Roaming Profile to Windows NT 4.0 Roaming Profile
Migrating Windows NT 3.5x Mandatory Profile to Windows NT 4.0 Mandatory Profile
Migrating Windows NT 3.5x Mandatory Profile to Windows NT 4.0 Roaming Profile
Creating a New Windows NT 4.0 Roaming Profile
Creating a New Windows NT 4.0 Mandatory Profile
Updating and Changing a Roaming Profile to a Mandatory Profile
Changing a Roaming Profile to a Mandatory Profile
Appendix C - Usage Notes
Important Information for Administrators Regarding User Logons and User Logoffs
Recent Updates to Profiles Since Retail Release
Recent Updates to Policies Since Retail Release
APPENDIX D - Related Knowledge Base Articles
Profiles
Policies

INTRODUCTION
============

Not too many years ago, information technology professionals faced a serious challenge in controlling the mounting costs of mainframe use. It seemed that everyone-clerks, writers, developers, and systems administrators-all had terminals and were using the system for everything from numbers crunching to typing letters. Networks became bogged down, and IT professionals were given the task of getting "nonessential operations" off the mainframe. Their decision was to deploy personal computers in the enterprise-with emulation software for mainframe access and local software for tasks where central processing or data sharing were not required. Gradually, as PCs became more powerful, more and more operations moved to the desktop.
And as PC networking matured, many businesses found that a PC-based network built on commodity hardware and off-the-shelf software was their best business solution.

Lately, however, we've come full circle on this. It seems that the total cost of ownership (or TCO)-the real cost of maintaining a distributed personal computer network-is far from trivial. TCO includes the initial capital cost of hardware and software, deployment and configuration expense, costs associated with deploying hardware and software updates, training and retraining, day-to-day maintenance and administration, and telephone and on-site technical support. With these escalating costs in mind, Microsoft and others are working together on several initiatives to lower the total cost of ownership of personal computers.

TCO AND THE USER
================

One of the major costs highlighted in recent reports on Total Cost of Ownership (TCO) is lost productivity at the desktop caused by user error, such as changing the system configuration and rendering the computer unworkable, or system distractions and complexities, for example too many features or nonessential applications installed on the desktop. To solve these problems, system administrators need a means to control a user's access to key configuration files and to features and applications that are not required to do that user's particular job. To be successful, this means of control must be flexible and customizable-the system administrator must be able to control the computer configurations of individuals and groups of users based on user job responsibilities and computer literacy.

PROFILES, POLICIES, AND THE ZERO ADMINISTRATION KIT
===================================================

The Zero Administration Kit (ZAK) for the Microsoft Windows NT version 4.0 operating system is designed to help the corporate administrator address some of the issues arising from user operations.
ZAK is a set of methodologies for deploying Microsoft Windows NT 4.0 that greatly reduces the burden of individual desktop management for task-based workers. With ZAK, system administrators can establish user profiles, system policies, and security to reduce some of the administrative costs associated with managing end-users in an enterprise network.

ZAK's methodologies are based on the underlying technologies and capabilities of Windows NT 4.0, and as such these techniques can readily be adapted to accommodate a corporation's specific computing requirements.

In the near future, you will see additional TCO-reducing features appear in Microsoft Windows 98, Windows NT 5.0, and Microsoft Systems Management Server. Central to these features is the idea of centralized desktop control. This is accomplished through User Profiles and System Policies-the subject of this paper.

WHAT ARE USER PROFILES AND SYSTEM POLICIES?
===========================================

A Microsoft Windows NT 4.0 User Profile describes the Windows NT configuration for a specific user, including the user's environment and preference settings. For example, those settings and configuration options specific to the user-such as installed applications, desktop icons, color options, and so forth-are contained in a User Profile.
This profile is built in part from System Policy information (for example, those things that a user has access to and those things that the user can and cannot change) and in part from permitted, saved changes that a user makes to customize his or her desktop.

A System Policy is a set of registry settings that together define the computer resources available to a group of users or an individual. Policies define the various facets of the desktop environment that a system administrator needs to control, such as which applications are available, which applications appear on the user's desktop, which applications and options appear in the Start menu, who can change attributes of their desktops and who cannot, and so forth.

With the addition of System Policies and the new User Profile structure to Windows NT 4.0, network administrators have a greater ability to control the user environment than they ever have had before. Many of the requests that customers submitted, including providing more options in controlling the user's desktop, accessibility to applications and system tools, minimizing administrative overhead, and scalability enhancements, have been added. And, as with every release, Microsoft encourages customer feedback on enhancements to the Windows NT operating system.

This document provides the details that administrators need to implement a rollout of User Profiles and System Policies under Windows NT 4.0. Although the primary emphasis is Windows NT, this paper also discusses how User Profiles are handled with Windows 95 clients and how the two platforms differ.

BEFORE YOU BEGIN
================

Before proceeding with this document, we recommend that you read Chapters 3 and 4 of the Windows NT 4.0 Concepts and Planning Guide.
In addition, you should be familiar with the following terms and concepts.

KEY TERMINOLOGY
===============

Directory Replication
The copying of a master set of directories from a server (called the export server) to specified servers or workstations (called import computers) in the same or other domains. Replication simplifies the task of maintaining identical sets of directories and files on multiple computers, because only a single master copy of the data is maintained. Files are replicated when they are added to an export directory and each time a change is saved to one of the exported files.

Domain Structure
In Windows NT, a domain is a collection of computers defined by the administrator of a Windows NT Server network that share a common directory database. A domain provides access to the centralized user accounts and group accounts maintained by the domain administrator. Each domain has a unique name.

Home Directory
A home directory is a directory that is accessible to the user and contains files and programs for that user. A home directory can be assigned to a single user or to a group of users.

Local Profile
A local profile is specific to a computer. A user who has a local profile on a particular computer can gain access to that profile only while logged on to that computer.

Mandatory Profile
A mandatory profile is a preconfigured roaming profile that the user cannot change.
In most cases, these are assigned to a person or a group of people for whom a common interface and standard configuration is required.

NetLogon Service
For Windows NT Server, the NetLogon service authenticates domain logons and keeps the domain's directory database synchronized between the primary domain controller (PDC) and the backup domain controllers (BDCs).

Regedt32.exe
The 32-bit version of the Registry Editor.

Registry
The registry is a database where Windows NT internal configuration information and machine- and user-specific settings are stored.

Registry Hive
A hive is a section of the registry that is saved as a file. The registry subtree is divided into hives (named for their resemblance to the cellular structure of a beehive). A hive is a discrete body of keys, subkeys, and values.

Roaming Profile
A roaming profile is stored on a network share and can be accessed from any computer. A user who has a roaming profile can log on to any computer for which that profile is valid and access the profile. (Note that a profile is only valid on the platform for which it was created-for example, a Windows NT 4.0 profile cannot be used on a Windows 95 computer.)

Roaming User
A roaming user is a user who logs on to the network from different computers at different times. This type of user may use a kiosk or may share a bank of computers with other users. A roaming user stores his or her user profile on a network share, and can log on to any networked computer and access that profile.

System Policy
A System Policy is a set of registry settings that together define the computer resources available to a group of users or an individual. You create system policies with the System Policy Editor. System policies allow an administrator to control user work environments and actions, and to enforce system configurations.

%systemroot%
An environment variable that expands to become the root directory containing Windows NT files.
The directory name is specified when Windows NT is installed (normally, this directory name is c:\winnt).

%systemroot%\profiles
A folder in the root directory that contains the user profiles for each user of the computer.

%username%
An environment variable that expands to become the user account ID for the current logged on user. This identifies the user account to Windows NT.

TECHNICAL NOTES
===============

Several portions of this guide refer to registry locations that allow you to change certain behaviors of Windows NT and modify settings. For this reason, we include the following warning.

Caution:
Using Registry Editor incorrectly can cause system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be resolved. In addition, portions of this guide refer to a registry hive called NTuser.xxx. In instances where this is used, .xxx can be replaced with either .dat or .man.

ESTABLISHING USER PROFILES - AN OVERVIEW
========================================

A Microsoft Windows NT 4.0 User Profile describes the Windows NT configuration for a specific user, including the user's environment and preference settings. A User Profile can be local, roaming, or mandatory. A local profile is specific to a given computer. A user who creates a local profile on a particular computer can gain access to that profile only while logged on to that computer. Conversely, a roaming profile is stored on a network share and can be accessed from any networked computer. A user who has a roaming profile can log on to any networked computer for which that profile is valid and access the profile. A mandatory profile is a preconfigured roaming profile that the user cannot change.
As a system administrator, you may want to use mandatory profiles for a group of people who require a common interface and standard configuration.

One of the primary goals of User Profiles is to allow a user's system and desktop customizations to travel with the user from computer to computer, without requiring the user to reconfigure any settings. When a user logs on to any computer that supports his or her roaming profile, the desktop appears-just as the user left it the last time he or she logged off. With roaming user support, users can share computers, but each user has his or her personal desktop on any computer in the network (both roaming and mandatory profiles support this functionality).

CREATING AND ADMINISTERING USER PROFILES
========================================

User Profiles can be created and administered in several different ways, as described next. Note that as a system administrator, you determine whether users can modify their profiles.

 - You create a User Profile that is not modifiable for a particular user or group (this is a mandatory profile).
 - You establish a network Default User Profile that applies to all new users on Windows NT 4.0 computers. After downloading this default profile and logging on, the user can customize the profile (provided that it is not mandatory).
 - You allow a new user to use the local Default User Profile on the Windows NT 4.0 computer where the user logs on. After logging on, the user can customize the profile (provided that it is not mandatory).
 - You copy a template User Profile, and assign the copy to a user. The user can then customize the profile (provided that it is not a mandatory profile).

Profiles can be stored on a network server or cached on the local machine. (Cached profiles are located in the \%systemroot%\Profiles directory.) Caching a profile reduces the total time to log on and load the profile; however, in a roaming user or kiosk environment, this approach may not be optimal.
This option is controlled by the administrator.

USER PROFILE STRUCTURE
======================

A User Profile is comprised of a Windows NT registry hive and a set of profile directories. The registry is a database used to store machine- and user-specific settings, and portions of the registry can be saved as files, called hives. These hives can then be reloaded for use as necessary. User Profiles take advantage of the hive feature to provide roaming profile functionality.

In file form, the User Profile registry hive is NTuser.dat, and it is mapped to the HKEY_CURRENT_USER portion of the registry when the user logs on. The NTuser.dat hive maintains the user's environment preferences when the user is logged on. It stores those settings that maintain network connections, Control Panel configurations unique to the user (such as the desktop color and mouse), and application-specific settings. The series of profile directories store shortcut links, desktop icons, startup applications, and so forth. Together, these two components record all user-configurable settings that can migrate from computer to computer. Details are provided below.

CONFIGURATION PREFERENCES STORED IN THE REGISTRY HIVE
=====================================================

The Ntuser.dat file contains the following configuration settings.

 - Windows NT Explorer settings. All user-definable settings for Windows NT Explorer, as well as persistent network connections.
 - Taskbar. All personal program groups and their properties, all program items and their properties, and all taskbar settings.
 - Printer settings. All network printer connections.
 - Control Panel. All user-defined settings made in the Control Panel.
 - Accessories. All user-specific application settings affecting the Windows NT environment, including: Calculator, Clock, Notepad, Paint, and HyperTerminal, among others.
 - Help bookmarks. Any bookmarks placed in the Windows NT Help system.

CONFIGURATION PREFERENCES STORED IN PROFILE DIRECTORIES
=======================================================

The profile directories are designed to contain the following configuration settings.

 - Application data. Application-specific data, such as a custom dictionary for a word processing program. Application vendors decide what data to store in this directory.
 - Desktop. Desktop items, including files and shortcuts.
 - Favorites. Shortcuts to program items and favorite locations.
 - NetHood.* Shortcuts to Network Neighborhood items.
 - Personal. Shortcuts to program items. Also a central store for any documents that the user creates. Applications should be written to save files here by default.
 - PrintHood.* Shortcuts to printer folder items.
 - Recent. Shortcuts to the most recently used items.
 - SendTo. Shortcuts to document storage locations and applications.
 - Start Menu. Shortcuts to program items.
 - Templates.* Shortcuts to template items.

 * These directories are hidden by default. To see these directories, change the View Options.

WINDOWS NT 4.0 AND WINDOWS 95 - USER PROFILE DIFFERENCES
========================================================

Windows 95 Profiles are very similar in behavior to Windows NT 4.0 Profiles, but there are some differences.

Unlike Windows NT 4.0, Windows 95 downloads and writes User Profiles to the user's home directory. When the Windows 95 user first logs on, the UNC path specified in the user account's home directory path is checked for the Windows 95 User Profile. You can modify this behavior, however. See the Windows 95 Resource Kit for more information. Windows 95 and Windows NT 4.0 User Profiles have the following additional functional differences:

 - Windows 95 does not support common groups.
 - Windows 95 can be configured to copy only the shortcut (.lnk) and Program Information Files (.pif) when the User Profile is downloaded, whereas Windows NT downloads all file, shortcut, and directory objects.
 - Windows 95 User Profiles do not support a centrally stored Default User Profile.
 - Windows 95 uses different files for the registry portion of User Profiles. (Refer to the following table.)

Windows 95 and Windows NT 4.0 profiles are not interchangeable, primarily because the registry hive, which is a key component of the User Profile, is incompatible between operating system versions.

   Windows NT 4.0 file     Equivalent Windows 95 file
   ------------------------------------------------
   Ntuser.dat              User.dat
   Ntuser.dat.log          User.da0
   Ntuser.man              User.man

NOTE: The Windows 95 User.da0 and Windows NT 4.0 Ntuser.dat.log, while equivalent, provide slightly different functionality. Windows 95 writes a copy of User.dat to User.da0 each time the user logs off. Windows NT uses the Ntuser.dat.log file as a transaction log file. This allows for fault tolerance in the event that a User Profile must be recovered.

Windows 95 and Windows NT 4.0 file structures are identical with the exception of the Application Data directory. Windows 95 does not support this directory.

Windows 95 User Profiles can be stored on NetWare servers. For more information on configuring a client with a Primary Network Logon of Client for NetWare Networks, see the chapter "Windows 95 on NetWare Networks" in the Windows 95 Resource Kit. For more information on configuring a client that uses Microsoft Service for NetWare Directory Services, see the online Help that accompanies the service.
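
As an added example (not part of the original white paper and not a Microsoft tool), the Python below inventories a folder of stored profiles using the hive file names from the table above and the Windows NT 4.0 profile directory list given earlier, reporting platform, mandatory status, and mismatches. It assumes one sub-folder per user under a root you choose; the sample tree, user names, and function names are constructed for illustration.

```python
import os
import tempfile

# Hive file names from the table above (lower-cased): (platform, mandatory?).
# A .man hive marks a mandatory profile, a .dat hive a user-modifiable one.
HIVES = {
    "ntuser.dat": ("Windows NT 4.0", False),
    "ntuser.man": ("Windows NT 4.0", True),
    "user.dat": ("Windows 95", False),
    "user.man": ("Windows 95", True),
}
# Profile directories the paper lists for Windows NT 4.0 (lower-cased).
NT_DIRS = ["application data", "desktop", "favorites", "nethood", "personal",
           "printhood", "recent", "sendto", "start menu", "templates"]


def inspect_profile(path):
    """Classify one profile folder by its hive files and directories."""
    entries = {name.lower() for name in os.listdir(path)}
    hives = sorted(entries & set(HIVES))
    platforms = sorted({HIVES[h][0] for h in hives})
    findings = []
    if not hives:
        findings.append("no registry hive found")
    if len(platforms) > 1:
        findings.append("hives for both platforms (not interchangeable)")
    if platforms == ["Windows 95"] and "application data" in entries:
        findings.append("Application Data present (not supported by Windows 95)")
    if platforms == ["Windows NT 4.0"]:
        missing = [d for d in NT_DIRS if d not in entries]
        if missing:
            findings.append("directories not present: " + ", ".join(missing))
    return {
        "hives": hives,
        "platforms": platforms,
        "mandatory": any(HIVES[h][1] for h in hives),
        "findings": findings,
    }


def inventory(root):
    """Inspect every sub-folder of root; returns {folder name: report}."""
    return {name: inspect_profile(os.path.join(root, name))
            for name in sorted(os.listdir(root))
            if os.path.isdir(os.path.join(root, name))}


def build_sample(root):
    """Constructed sample tree: hypothetical users with empty hive files."""
    layout = {
        "alice": (["NTuser.dat", "ntuser.dat.log"], NT_DIRS),
        "kiosk": (["NTuser.man"], [d for d in NT_DIRS if d != "templates"]),
        "bob95": (["USER.DAT", "USER.DA0"], ["desktop", "application data"]),
        "mixed": (["NTuser.dat", "User.dat"], NT_DIRS),
    }
    for user, (files, dirs) in layout.items():
        for d in dirs:
            os.makedirs(os.path.join(root, user, d))
        for f in files:
            open(os.path.join(root, user, f), "w").close()


def demo():
    """Build the sample tree in a temporary folder and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return inventory(root)


if __name__ == "__main__":
    for user, report in demo().items():
        print(user, report)
```

A profile reported as not mandatory where a standard configuration was intended, or one carrying hives for both platforms, is worth reviewing by hand.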
Article ID: 161334 - Last Review: 08/09/2007 07:07:11 - Revision: 3.1