Managing User Profiles

Choose and create appropriate profiles for different situations

If you've worked very long with Windows XP Professional Edition, Windows 2000 Professional, or Windows NT Workstation client systems, you're probably familiar with user profiles. The purpose of a user profile is to save an individual's configuration information to a secure location from which it will be available to the user each time he or she logs on. This configuration information includes the arrangement of items on the Windows desktop, network and printer connections, personal program groups, and program items within the personal program groups. The user profile also stores other, potentially less important configuration settings such as screen colors, screen savers, mouse settings, and window size and position. When a user logs on, Windows loads the user's profile and configures the environment according to the settings that the profile contains.

User profiles are easy to dismiss as just "user settings stuff." If you dig a little deeper, however, you can find ways to leverage user profiles to help both users and yourself. The several types of user profiles that are available lend themselves to different situations and environments. Recognizing the capabilities and limitations of these profile types helps you implement the ones that are right for you and your users.

What's in a Profile?
A user profile consists of a registry hive and a group of folders and files that contains the user settings and data that I mention above. Windows loads the registry hive, ntuser.dat, into the HKEY_CURRENT_USER registry subtree when the user logs on. The hive, and therefore the subtree, contain the registry-based settings and preferences for a user's environment, such as items that the user configures through the Control Panel and mapped drives and printers.

Windows stores user-profile files in a user-specific folder with a name that's based on the user's logon name. The user-specific folder is the home for a large collection of files, including the user's documents, configuration files, application data, desktop files, and Start menu items. In XP and Win2K, the Documents and Settings folder in the system root (e.g., C:\documents and settings) contains the system's user-specific folders. In NT 4.0, the Profiles folder in the system root (e.g., C:\winnt\profiles) contains the user-specific folders.

User Profile Types
You can use one of three types of user profiles to provide a user's environment settings or, if necessary, to prevent a user or unauthorized person from altering a user's environment. These profile types are local user profiles, roaming user profiles, and mandatory user profiles. Windows automatically loads a fourth type of profile, a temporary user profile, to prevent user disruption when the OS can't load the user's usual profile.

Windows stores local user profiles on the local system's hard disk. Windows creates a local user profile the first time a user logs on to the system, and any environment changes the user makes apply only to that user on that computer. For example, if Betty logs on to an XP Pro system called ComputerX, any changes she makes to user settings will be available only to Betty and only when Betty is using ComputerX. You can use a local user profile for most standalone and network users.

As an administrator, you can't do much with local user profiles to control users' environments, but you can copy or delete these profiles. To perform these operations in XP Pro, open the Control Panel System applet, click the Advanced tab, then click Settings in the User Profiles area. You'll see a list of user profiles stored on the local system, as Figure 1 shows. You can select one profile at a time to delete or copy to an alternative location.

Roaming user profiles are local user profiles that reside on a centrally accessible server share so that users can use their profile on multiple systems. Client systems must have access to a Windows Server 2003, Win2K Server, or NT Server 4.0 system for users to be able to use a roaming user profile. When a user logs on to a client system, Windows downloads the profile and uses it as if it were local. When the user logs off, Windows copies any changes to the server so that they're available to the user the next time he or she logs on to a networked system. Roaming user profiles are user-specific but not computer-specific. You can use roaming profiles for users when profile portability is important or when you want the data protection of storing the profiles on a server.

You use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in (in Win2K Server and later) or User Manager for Domains (in NT Server 4.0) to configure a path to the network share that will store user profiles. For a more detailed description of managing roaming user profiles in a Win2K environment, see Windows Client, "Using IntelliMirror to Manage User Data and Settings," July 2003,, InstantDoc ID 39193.

Local and roaming user profiles are fairly easy to configure and fit the needs of most Windows users. There might be situations, though, in which you don't want users to alter the settings that make up their profile or you want to enforce a consistent look and feel in the computer environment of a certain population of users. For example, if you managed a call center environment, you might want to give a group of users a consistent Start menu and Windows desktop layout regardless of which system they log on to so that all users can expect the same work environment regardless of which system they use or who used that system before them. Mandatory user profiles are up to the task when you have such requirements. Only an administrator can alter a mandatory profile; Windows doesn't save any changes a user makes to his or her profile while logged on. Mandatory user profiles have been around since NT 4.0, but many administrators don't know about them or just aren't accustomed to using them.

Windows creates and uses temporary user profiles when an error condition prevents the system from loading and using the appropriate user profile (e.g., if the share that hosts the roaming profile is inaccessible and a local copy of the profile doesn't exist). Windows doesn't save changes the user might have made to the temporary profile when the user logs off. Temporary profiles aren't available on NT 4.0 and earlier systems.

Configuring Mandatory User Profiles
If you think you might have a use for mandatory user profiles in your organization, you need to know how to work with these administrator-configured, read-only roaming profiles. To create a mandatory user profile, first create a user account to serve as a template for the profile. As an example, let's create an account named dummyuser (no disrespect intended) and give it the same permissions that you want to give to the users or groups to which you'll apply the mandatory user profile. Then, use the dummyuser account to log on to a client system so that Windows will create a new user profile. Make changes to the desktop, Start menu, and other user settings as desired, and log off the client system.

Now that Windows has created the new mandatory user profile, you need to copy it to a server share that the target clients can access. Create a folder on the server that will store the mandatory profile, give it an appropriate share name (e.g., Profiles), then share the folder. You can apply file system security to this folder to minimize the risk of tampering, but target users of the profile must have at least Read and Execute permissions.

Log on again to the same client system, but this time, use a domain account that provides administrator-level access to the client system. Open the System applet, click the Advanced tab, then click Settings in the User Profiles area. (These instructions are for XP Pro, but the steps are similar for Win2K Pro and NT Workstation 4.0.) Select the dummyuser profile, then click Copy To. In the Copy profile to field, type the path to the Profiles share or click Browse and select it, then append the name of a folder in which to store the dummyuser profile contents (e.g., \\server\profiles\mandatory). Click Change in the Permitted to use section and provide a group that contains all the users to whom you want to assign the mandatory profile (e.g., the Everyone group). Click OK twice to begin copying the profile.

When the copying has finished, on the server that contains the Profiles share, navigate to the folder to which you copied the contents of the dummyuser profile. The key to making the profile mandatory is to rename the ntuser.dat file in the folder to If you don't see the ntuser.dat file, choose Folder Options from the Tools menu and select the Show hidden files and folders option on the View tab.

Finally, you need to use the Active Directory Users and Computers snap-in or User Manager for Domains to assign the mandatory user profile to users. You do so just as you would assign roaming profiles—providing the full path to the server, share, and profile, as Figure 2 shows.

If you have an understanding of user profile contents and user profile types, you'll be better equipped to manage the myriad user settings for Windows client systems. And by implementing mandatory user profiles, you can ensure the integrity of user settings when necessary—without losing your sanity.

TAGS: Windows 8
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.