Windows NT User Profiles

Take your desktop configuration with you

Did you ever have to share a Windows 3.1 computer with another user?If you did, you probably were involved in a mini-war over whose desktopconfiguration would prevail. The scuffle probably included icon and windowarrangement, application filenames and locations, and screen colors. The worst case scenario is using someone else's PC. You never know what you'll find or which folders will contain familiar icons, and frequently you grind your gears while getting oriented.

All that frustration went away with Windows NT. When you log on as a user on NT, you automatically access your personal desktop configuration in the formof a profile that NT updates specifically for your user ID. As you see inTable 1, the profile stores the information that defines your workingenvironment, from windows and icons to control panel settings and applicationpreferences. With this setup, all computer users have their own profiles, and noone steps on anyone else's toes.

This article will take you on a tour of user profiles as NT 4.0 implementsthem. Along the way, you will learn about the types of profiles, how you createand manage them, and how they interact.

Types of User Profiles
All NT computers, even isolated ones, support user profiles. Localprofiles let multiple users share the same workstation while letting themregain their desktop settings when they log on. NT maintains local profilesautomatically, and the software requires little administrative oversight. Whenyou connect an NT computer to a network, you can establish roaming profilesand mandatory profiles, both of which are stored on a network server.

Roaming profiles let you do something really cool: You can take yourenvironment with you. If your computers are connected to a network, they canshare the same profile stored on a network server. No matter which computer youlog on to, you can pull down your profile and work in the warm, fuzzyenvironment of your desktop.

Alternatively, administrators can set up mandatory profiles that strictlyconFigure users' desktops. That's just the ticket when you want to establish auniform environment for a large number of data entry clerks, or when you want toreduce support calls because someone has deleted an icon or messed up a setting.

Even after you establish a network profile, NT maintains a profile locallyon the workstation, letting the user establish a familiar desktop when thenetwork is unavailable. When you log off the network, NT synchronizes yournetwork and local profiles with copies of the current desktop configuration.Some people refer to this local profile as a locally cached profile.

User Profile Database Structure
The root folder for local profiles is %SystemRoot%Profiles. After a newlycreated user logs on for the first time, NT creates a profile folder structurefor the user in the %SystemRoot%Profiles folder. You can store network profilesin any folder. Screen 1 shows an example of a %SystemRoot%Profiles folder. NTassigns users subfolders, named to match the username. Additionally, there aretwo special profiles named Default User and All Users, which I'll discuss later.

To show all the contents of a user profile folder, I prepared Screen 1after configuring Explorer to display hidden files and file extensions. Thevarious folders in the profile directory store shortcuts and applicationpreferences that define the user's desktop. Table 2 lists the folders and thesettings stored in each. Be aware that some applications may create additionalsubfolders, which NT includes in the user's profile.

When users log on for the first time, they do not yet have a user profile(unless an Administrator has copied one into the user's profile folder). Sowhere does a user's initial working environment come from? When a user firstlogs on, NT creates a personal profile folder and initializes the user'senvironment from the Default Users profile. Consequently, all profiles begin asa copy of the Default Users profile. When the user logs off, NT stores desktopchanges the user makes in the user's personal profile.

The All Users profile defines settings that NT assigns to all users who logon locally to this computer and has only two folders: a Desktop folder, whichcontains desktop shortcuts that appear for all users, and a Start Menu folder,which defines common program groups and their shortcuts. Common program groupsand shortcuts are the ones that appear below the line that subdivides entries inthe Start menu. (Under NT 4.0, a common program group is simply a group that isstored under ProfilesAll Users\Start Menu. NT 3.51 users are familiarwith creating common program groups by declaring the type when the program groupis created.)

The folders in the profile store much of the data that constitutes a userprofile, but a profile includes other personal settings that a user establishesin the Control Panel. NT stores these settings in the Registry, so you need adifferent mechanism to include the settings in the user's profile.

User Profiles and the Registry
While a user is working on an NT computer, NT stores the user's personalsettings in the Registry under the HKEY_CURRENT_USER root key. (For aninformative examination of the Registry see Mark Russinovich, "Inside theWindows NT Registry," April 1997.) Six root keys anchor the six data treesthat make up the Registry. NT stores nonvolatile Registry data in a series ofhives, a term that describes how Registry data is organized.

Each hive consists of two files: a log file and a data file. NT uses thelog file as a transaction log when users update the data files, and you can useit to roll back incomplete updates that might corrupt the Registry. The datafile for the HKEY_CURRENT_USER hive is Ntuser.dat, and the transaction log fileis ntuser.dat.LOG. You will find an Ntuser.dat file in each user's profiledirectory. You will also find the associated log file, named ntuser.dat.LOG. InScreen 1, hidden files are visible to show you the Ntuser.dat and ntuser.dat.LOGfiles in the example user's profile.

When a user logs on to NT, the data in Ntuser.dat initializes the HKEY_CURRENT_USERRegistry subtree. When the user logs off, Ntuser.dat is updatedfrom HKEY_CURRENT_USER. This point is important and bears repeating: Ntuser.datis updated only when the user logs off. As you will observe later, this behaviorresults in a couple of problems where roaming profiles are concerned.

A complete user profile consists of a folder structure in a Profiles folderwith numerous shortcut and other files, and the Ntuser.dat Registry hive filecaps it off. The Ntuser.dat file has a crucial role in determining how profileswill function once they are stored on the network.

An important point is that some Control Panel settings stored in theRegistry are hardware dependent. An example is video display resolution. Consequently,only computers with similar hardware characteristics can shareprofiles. For instance, you probably would not be comfortable using the sameprofile on your 21" desktop monitor and your notebook. If computers will besharing profiles, when you design the profiles you must consider the commoncapabilities of the workstations that you will use the profiles on.

Moving User Profiles to the Network
Connecting a workstation to the network is a prerequisite to supportingnetwork profiles, but it isn't the only requirement. First, create a folder onthe server where you will store users' network profiles. Next, create a sharefor the profile folder. Finally, conFigure users' accounts with a profile path.

A user's profile folder can be on any network server. You can create one ormore profiles folders. This approach is often the best. Storing profiles forgroups of users lets you distribute profiles across multiple volumes and serversif necessary. You can store network profiles in the server's profile directory,%SystemRoot%Profiles. In this case, users who are authorized to log onlocally to the server will use their network profiles as local profiles. Or youcan store each user's network profile in his or her network home directory, anapproach that is complicated by the need to establish a network share for eachprofile directory.

To demonstrate network profiles, let's use a separately created profilesfolder named c:profiles. After creating the folder, grant the group EveryoneChange (RWXD)(RWXD) permission for the directory. This permission lets userscreate and update their profile.

In this example, users share the profile directory with the share nameProfiles$. The $ character is optional, but you can append it to the share nameto prevent it from being advertised through network browsers. Users have noreason to connect to this share except through the profile mechanism. The $doesn't provide any real security, but it prevents confusion that users mighthave by casually picking the share from a browse list.

The next step is to conFigure the user's account with the profile path. Goto User Manager for Domains, User Properties, and click on Profile. This steptakes you to the User Environment Profile dialog box, shown in Screen 2. Theuniversal naming convention (UNC) for the profile path specifies the server,share, and the name of the user's profile directory (e.g.,ts1profiles$Buster).

You can specify the user's profile directory by name, but an alternative isto use the system variable %Username%. This variable is especially useful if youare defining profile paths for multiple users, and it lets User Manager forDomains supply the username for each user account that you're configuring.

Logging On to a Network User Profile
If you perform the steps I mentioned to enable network profile support for auser, the events that take place when the user logs on depend on whether theuser has previously logged on to the domain. First, if the user has never loggedon, neither a local nor a network profile exists. The sequence of events is asfollows:

If the user has previously logged on to the network, things proceed a bitdifferently. The distinguishing factor is that a local profile has been createdfor the user on the local computer. Consequently, in Step 2, NT initializes theuser's environment from the user's local profile.

OK, now the user has logged on and has created both a network and a localprofile. Which profile will NT use the next time the user logs on? The answerdepends on which profile is more recent, as determined by the "last writetime" stamps of the Ntuser.dat files. If the network profile time stamp isthe same as or more recent than the time stamp of the local profile, the networkprofile will be used to initialize the user's environment. If the time stamp ofthe local profile is more recent, the local profile will be used.

The above procedures are all that NT requires to establish a roaming userprofile. As you can see, the network administrator does not need to explicitlycreate the profile folders and files. However, the administrator must create theshared profiles folder, establish the required security, and add the path to theproperties of the affected user accounts.

More Than One User Profile
Profile confusion occurs because NT can associate a given username with morethan one profile. NT identifies a user account not by the username, but by anumeric security ID (SID). Each time NT creates a user account, it assigns theaccount a unique SID.

Now let's consider the following scenario. An administrator assignsBuster's computer to a workgroup, and Buster diligently creates a profile thatsuits him to a T. His company decides to implement NT Server, and theadministrator assigns Buster a domain account, equipped with a roaming profile.Buster logs on to the domain and gets his default profile, not the beautifulprofile he has labored over. What happened?

The problem is that Buster's workgroup and domain accounts, although theyshare a username, have different SIDs. As far as NT is concerned, they aredistinct accounts with distinct profiles. If Buster logs on to the domain, hegets his domain profile; if he logs on to the workgroup, he gets his workgroupprofile. When an administrator creates Buster's domain user account, the SID forthe domain account is different from the SID for the workgroup account.Consequently, when Buster logs on to the domain for the first time, NT Serversays, "Hmm, a new user. He doesn't have a profile, so he gets the default."NT initializes Buster's desktop using the local Default User profile.

You can observe a user's various profiles in the System applet of theControl Panel. The User Profiles tab, shown in Screen 3, lists the user profileson this computer. The Name column identifies the domain or workgroup the userbelongs to. The Type column shows whether the profile is Local (stored on thiscomputer) or Roaming (stored on the network). We will return to this utilityseveral times in the remainder of this article.

Incidentally, although any user can view profiles in the System applet,standard users see only their own profiles. Administrators see all profilesstored on the local computer.

In Screen 3, notice that the Administrator and Buster have two profileseach. Buster's INFOWORKS profile is a domain profile, and his NTW1 profile is alocal profile maintained on the local computer. Because the Administratoraccount has not been assigned a network profile, this account uses the localprofile. Users who have multiple profiles access the appropriate profiledepending on whether they are logging on to the domain or to the local machine.

Roaming off the Network
The time stamp issue comes into play if you work on a computer that isisolated from the network, either because of a network outage or an intentionaldisconnection. Suppose that your NT notebook is connected to the network and youare conFigured to use a roaming profile. You log off, disconnect the computer,and take a trip, during which NT uses the locally cached profile to set up yourdesktop. When you return and connect to the network, your local profile willhave a time stamp that is more recent than the network profile. Which profilewill the system access when you log on?

To find out, let's look at the complete sequence of events. Mabel fires upher notebook in her hotel room. She wants to use her familiar network profile,so in the Logon Information dialog box she logs on to the office domain. Here'swhat happens:

While working in the hotel (step 4), if Mabel looks at the User Profiles tabof the System Control Panel applet, she will see that NT is accessing her domainprofile from the local copy.

WAN Issues
In general, NT profiles do not work well over slow WAN links. In fact,Microsoft does not recommend using roaming profiles across a slow network link.Not only does the profile maintenance traffic chew up scarce bandwidth, butlocal and roaming profiles can become unsynchronized.

In one scenario, a user logs on via a WAN link that is slow enough to causeNT to time out. Then NT uses the local profile or initializes the user from thedefault profile if necessary. If the remote server becomes available when thesession ends, NT uses the local profile to update the roaming profile.

If users change locations frequently and want to use roaming profiles,Microsoft recommends that you store copies of the roaming profiles on servers ateach site. You can use NT Server's directory replication capability to keep thevarious profile directories synchronized. Alternatively, you can switch users tomandatory profiles, which do not suffer from WAN update trouble because userscannot update them.

Although you log on successfully through a slow link, such as a WAN or aRAS connection, you want to switch from a roaming profile to a local profile.This switch economizes bandwidth utilization and eliminates synchronizationerrors. To switch to a local profile, go to Control Panel, System, and selectthe User Profiles tab. Select your roaming profile, and click Change Type. Aroaming profile will revert to a local profile. This change appears in the Typecolumn. You can switch back to a roaming profile at the end of the session toupdate your network profile.

Administrator-created Roaming User Profiles
Suppose you want to provide new users with predefined profiles. You couldvisit each workstation in the organization and modify the user's profiles, butyou can establish the user profile locally by copying a predefined profile tothe new user's network profile directory.

The first step is to create the profile that you will distribute. Toperform this step, create a separate user account specifically for profilemaintenance--I call mine Profile Admin. Log on with this account to aworkstation that has profile-dependent hardware characteristics compatible withthe computers on which the profile will be used. Then design the profile. Logout to save the profile.

While designing a profile, take care to ensure that any special files--suchas wallpapers, screen savers, and applications targeted by shortcuts--youincorporate into the profile are present on the target computer. System filesaren't usually a big deal because NT knows where to find them and installs mostof them by default.

Applications are a different matter. If the profiles you distribute includeshortcuts to applications, the shortcuts must point to valid folders and files.Consequently, you need to ensure that organization standards specify how andwhere to install applications.

The profile you create will be a local profile. After you design theprofile, copy it from the profile administrator's folder to the profile folderof the target user. The procedure to copy a profile is as follows:

You can use this procedure to modify the Default User profile on anyworkstation. But don't try to update the All Users profile, which has adifferent structure and serves only locally logged-on users. To modify the AllUsers profile, use NT Explorer to create folders and shortcuts under the AllUsers folder.

When you copy profiles for active users, the time stamps can get you intotrouble. Suppose that you copy changes to Harold's profile while Harold islogged on. When Harold logs out, NT will save his profile, overwriting theprofile you have copied.

Now, suppose that you update Harold's profile while he is working on hisPC, but he is not connected to the network. The profile you copy will be timestamped when NT saves it. Harold is working with a locally cached profile, whichis time stamped each time he logs out.

Harold returns to the office and connects to the network. His local profileis now more recent than the network profile, and he will probably select thelocal profile, ignoring all the changes you put in his network profile. Toprevent this sequence of events, you may need to update the time stamp on theprofile you want to have precedence. You can do so with the Touch utility, whichMicrosoft includes with the Microsoft Windows NT Resource Kit.

Sharing Roaming User Profiles
In one word, the guideline for sharing roaming user profiles is "Don't!"Yes, sharing roaming user profiles is possible, but all sorts of confusion canarise. Any user sharing the profile can change the environment, and thiscapability is confusing enough. If you have ever shared a Windows 3.1 computerwith someone who loved to mess around with the desktop, you know how much painand suffering sharing can entail.

To complicate matters further, suppose Buster and Harold log onsimultaneously with the same roaming profile. Buster logs out first. BecauseHarold still has the profile open, any changes Buster has made to the profilecannot be saved. When Harold logs off, only his changes are written to theprofile. Given the issues that can arise, imagining a solid reason for sharing aroaming profile among multiple users is difficult.

Mandatory User Profiles
The user cannot permanently modify mandatory profiles. Although users canchange their environment after logging on with a mandatory profile, NT does notsave the changes when the user logs out. Consequently, each time the user logson, NT will use the same profile.

Because users cannot modify mandatory profiles, they can share theseprofiles. Mandatory user profile sharing is a great way to establish a standarddesktop for many users, perhaps for dozens of employees who take telephoneorders. Simply assign the users the same mandatory profile in their user accountproperties.

Setting up a mandatory profile is embarrassingly easy. First, create aprofile, as described earlier in the article, and copy it to the directory youwant it in. In the Permitted to use field, specify the user or a groupof users who may use the profile. Then, use your favorite tool, such as NTExplorer, to rename the Ntuser.dat file to Ntuser.man.

Windows 95 User Profiles
Although Windows 95 supports profiles, they are incompatible with NTprofiles and are considerably less capable. Win95 profiles include only shortcut(.lnk) and program information files (.PIFs). Win95 profiles are also lessrobust than their NT relatives because they have no fault-tolerance mechanismsimilar to the one that the ntuser.dat.LOG file provides. A file nameduser.da0 provides a redundant copy of the user.dat file, which is theprimary profile repository, but this file does not provide fault tolerancethrough transaction logging and is used only when user.dat is lost or corrupted.

Win95 clients running the Microsoft network client or the Client forNetWare can access roaming user profiles, but these profiles must be stored inthe users' home directories. The User Profile Path property of the user accountis not used. Although mandatory profiles are supported for Win95 clients,mandatory profiles cannot be shared. You must create a separate profile for eachuser. To create a mandatory Win95 profile, rename the user.dat file to user.man.

NT's user profiles let administrators conFigure the user's networkenvironment. This feature is helpful if security dictates complete or partialcontrol, or if users are not quite up to speed with their system. NT helpsensure that users will log on to the correct desktop configuration every time.