Solved

roaming user profiles local copy of

Posted on 1998-11-04
3
839 Views
Last Modified: 2013-12-23
I run a NT server and the powers that be want to enable roaming profiles. I have done so, however a local copy is always retained on the wkstation. I do not want this. I need to know how to bypass that dialog box that asks you if you want to save a local copy, and also to only run the profiles off their server directory.
0
Comment
Question by:dkearn
  • 2
3 Comments
 
LVL 6

Accepted Solution

by:
joe_massimino earned 200 total points
ID: 1546197
If your users are using Win95, you do not have much control over what they do. You can make it work, but the more savvy users can get over on you any time they wish.

Now, if you use NT, you can lockup your network very tight, users will only get what you let them get for a profile.

I can give you data on roaming profiles for Win95 on an NT server, but you will be wasting your time. Do you still want it? I can give you notes from TechNet on the subject. Just ask for them.
0
 
LVL 6

Expert Comment

by:joe_massimino
ID: 1546198
I suspect that you want the information so here it is. The graphic parts of the article don't copy into EE, so if there is a reference to a diagram, you will have to use your imagination.


Creating and Administering User Profiles
User Profiles can be created and administered in several different ways as will be described next. Note that as a system administrator, you determine whether users can modify their profiles.
·      You create a User Profile that is not modifiable for a particular user or group (this is a mandatory profile).
·      You establish a network Default User Profile that applies to all new users on Windows NT 4.0 computers. After downloading this default profile and logging on, the user can customize the profile (provided that it is not mandatory).
·      You allow a new user to use the local Default User Profile on the Windows NT 4.0 computer where the user logs on. After logging on, the user can customize the profile (provided that it is not mandatory).
·      You copy a template User Profile, and assign the copy to a user. The user can then customize the profile (provided that it is not a mandatory profile).
 
Profiles can be stored on a network server or cached on the local machine. (Cached profiles are located in the \%systemroot%\Profiles directory.) Caching a profile reduces the total time to log on and load the profile; however, in a roaming user or kiosk environment, this approach may not be optimal. This option is controlled by the administrator.
User Profile Structure
A User Profile is comprised of a Windows NT registry hive and a set of profile directories. The registry is a database used to store machine- and user-specific settings, and portions of the registry can be saved as files, called hives. These hives can then be reloaded for use as necessary. User Profiles take advantage of the hive feature to provide roaming profile functionality.
The User Profile registry hive is the NTuser.dat in file form, and is mapped to the HKEY_CURRENT_USER portion of the registry when the user logs on.The NTuser.dat hive maintains the user’s environment preferences when the user is logged on. It stores those settings that maintain network connections, Control Panel configurations unique to the user (such as the desktop color and mouse), and application-specific settings. The series of profile directories store shortcut links, desktop icons, startup applications, and so forth. Together, these two components record all user-configurable settings that can migrate from computer to computer. Details are provided below.
Configuration Preferences Stored in the Registry Hive
The NTuser.dat file contains the following configuration settings.
·      Windows NT Explorer settings. All user-definable settings for Windows NT Explorer, as well as persistent network connections.
·      Taskbar. All personal program groups and their properties, all program items and their properties, and all taskbar settings.
·      Printer settings. All network printer connections.
·      Control Panel. All user-defined settings made in the Control Panel.
·      Accessories. All user-specific application settings affecting the Windows NT environment, including: Calculator, Clock, Notepad, Paint, and HyperTerminal, among others.
·      Help bookmarks. Any bookmarks placed in the Windows NT Help system.
 
Configuration Preferences Stored in Profile Directories
The profile directories are designed to contain the following configuration settings.
·      Application data. Application-specific data, such as a custom dictionary for a word processing program. Application vendors decide what data to store in this directory.
·      Desktop. Desktop items, including files and shortcuts.
·      Favorites. Shortcuts to program items and favorite locations.
·      NetHood.* Shortcuts to Network Neighborhood items.
·      Personal. Shortcuts to program items. Also a central store for any documents that the user creates. Applications should be written to save files here by default.
·      PrintHood.* Shortcuts to printer folder items.
·      Recent. Shortcuts to the most recently used items.
·      SendTo. Shortcuts to document storage locations and applications.
·      Start Menu. Shortcuts to program items.
·      Templates.* Shortcuts to template items.
 
* These directories are hidden by default. To see these directories, change the View Options.
Windows NT 4.0 and Windows 95 User Profile Differences
Windows 95 Profiles are very similar in behavior to Windows NT 4.0 Profiles, but there are some differences.
Unlike Windows NT 4.0, Windows 95 downloads and writes User Profiles to the user’s home directory. When the Windows 95 user first logs on, the UNC path specified in the user account’s home directory path is checked for the Windows 95 User Profile. You can modify this behavior, however. See the Windows 95 Resource Kit for more information.
Windows 95 and Windows NT 4.0 User Profiles have the following additional functional differences:
·      Windows 95 does not support common groups.
·      Windows 95 can be configured to copy only the shortcut (.lnk) and Program Information Files (.pif) when the User Profile is downloaded, whereas Windows NT downloads all file, shortcut, and directory objects.
·      Windows 95 User Profiles do not support a centrally stored Default User Profile.
·      Windows 95 uses different files for the registry portion of User Profiles. (Refer to the following table.) Windows 95 and Windows NT 4.0 profiles are not interchangeable, primarily because the registry hive, which is a key component of the User Profile, is incompatible between operating system versions.
 

Windows NT 4.0 file      Equivalent Windows 95 file

NTuser.dat      User.dat
NTuser.dat.log      User.da0
NTuser.man      User.man
      NOTE   The Windows 95 User.da0 and Windows NT 4.0 Ntuser.dat.log, while equivalent, provide slightly different functionality. Windows 95 writes a copy of User.dat to User.da0 each time the user logs off. Windows NT uses the Ntuser.dat.log file as a transaction log file. This allows for fault tolerance in the event that a User Profile must be recovered.
·      Windows 95 and Windows NT 4.0 file structures are identical with the exception of the Application Data directory. Windows 95 does not support this directory.
 
Windows 95 User Profiles can be stored on NetWare servers. For more information on configuring a client with a Primary Network Logon of Client for NetWare Networks, see the chapter “Windows 95 on NetWare Networks” in the Windows 95 Resource Kit. For more information on configuring a client that uses Microsoft Service for NetWare Directory Services, see the online Help that accompanies the service.
How User Profiles Are Handled in Windows 95
When a user logs on to a Windows 95 machine, the local profile path, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Profile List, is checked for an existing entry for that user:
If the user has an entry in this registry location, Windows 95 checks for a locally cached version of the user’s profile. Windows 95 also checks the user’s home directory (or other specified directory if the location has been modified) on the server for the User Profile. If a profile exists in both locations, the newer of the two is used. If the User Profile exists on the server, but does not exist on the local machine, the profile on the server is downloaded and used. If the User Profile only exists on the local machine, that copy is used.
If a User Profile is not found in either location, the Default User Profile from the Windows 95 machine is used and is copied to a newly created folder for the logged on user. At log off, any changes that the user made are written to the user’s local profile. If the user has a roaming profile, the changes are written to the user’s profile on the server.
User Profile Planning and Implementation
A successful implementation of User Profiles requires planning and preparation. Before creating User Profiles, consider the following:
·      How much of the user environment do you wish to control? Would System Policies—either in conjunction with User Profiles, or by themselves—be a better solution?
·      Will users be required to use a specific set of desktop folders and environment settings?
·      Will users be able to make modifications to their profiles?
·      What features will you be implementing in User Profiles? Optional features include persistent network connections, custom icons, backgrounds, and so on.
·      For roaming profiles, will users be allowed to use the default profile from the client workstation or will a standardized server-based default profile be used instead?
·      Where will the profiles be stored, and is there enough drive space to store them?
·      Where do existing user home directories reside?
·      How will shortcuts and links be displayed for the user?
·      What are the speeds of the links between the clients and the server storing the profiles?
 
These issues are examined more fully in the following paragraphs. For more information, refer to the Windows NT Server Concepts and Planning Guide.
Setting Permissions for User Profiles
When troubleshooting or preparing for a rollout of User Profiles, you should pay careful attention to permissions at the Windows NT File System (NTFS) and share levels. If the profile is mandatory, the user account should have at least Read permissions on the network share where that user’s User Profile is stored. If the user’s profile is roaming, the user must have Change permissions (or better) because the client will need to write the changes back to the central profile on the shared network drive when the user logs off. If roaming profiles are stored on an NTFS partition, you can choose to remove the Delete permission from the default Change permissions at the NTFS level.
NOTE   Directories containing roaming User Profiles need at least Add and Read permissions for profiles to be read correctly. If you use Add permissions only, when Windows NT checks for the existence of the profile it will fail because it looks for the path first, and if Read rights are not given, the check will fail.
Permissions are also important on a client machine where the user is logging on interactively. If Windows NT is installed in an NTFS partition on the client computer, and the user does not have at least the default permissions as outlined in the Windows NT Server Concepts and Planning Guide (page 132), errors can occur. For example, if permissions are incorrect on the root of the system directory, the following message appears: “Can’t access this folder—the path is too long.” A blank desktop is displayed, and the user’s only option is to log off.
If permissions are set incorrectly in the %systemroot%, %systemroot%\System, %systemroot%\System32, or %systemroot%\System32\Config directories, the following message appears: “Unable to log you on because your profile could not be loaded.”
Encoding Permissions in the User Profile
The registry portion of the User Profile, NTuser.xxx, is encoded with the user or group that has permission to use that profile. Once this is saved, you can use the Registry Editor to modify this information if you want to change the permissions on a profile without replacing it.
To change encoded User Profile information:
 1.      Follow the instructions to manually edit a profile: (Refer to the section “Administering a User Profile Manually through the Registry” later in this document).
 2.      Change the permissions on the root of the key to include users and groups who will have permission to use the profile.
 3.      Unload the hive.
 
Selecting a Location to Save User Profiles
As with Windows NT 3.5x, you can place a roaming profile in any shared directory, and then configure the user account profile path to point to the profile. The Profiles directory in the system root stores local User Profiles, “All Users” profile settings (which apply to any user who uses the computer), the “Default User” profile, and cached User Profiles of domain users. You should avoid using the %systemroot%\Profiles directory in the domain users’ profile path as a location to store server-based profiles, whether they are roaming or mandatory. (The path should allow the user’s profile to roam with the user and be available on any networked computer that the user logs on to. If you specify a path to the %systemroot%\Profiles directory, the client computer always uses the local profile instead.)
Windows NT 4.0 profiles can be saved on any Windows NT 3.5x or 4.0 server because the client computer uses the path where the profile is stored only as a location to download the profile and to write the modified user profile at log off. This allows profiles to be stored on any shared network drive. The process of downloading the profile is controlled by the client computer—all the client needs is the correct path. Note that storing profiles on a Windows NT 4.0 Server makes it easier for the administrator to open a user’s NTuser.dat file to make any necessary modifications. You can also store User Profiles on Novell Servers provided that the client is configured correctly and can access the profile path.
If a client is not receiving a User Profile at logon, use the Start menu Run command to check the profile path. For example, to see if you can locate the profile, type \\server\share\mydomainuser. If the path to the user’s profile contains spaces, put quotation marks around the path when you type it in the Run command box.
Except in the case of mandatory profiles or when a slow network is detected, any changes to the user’s profile are saved to the central profile when the user logs off. (Because users cannot modify mandatory profiles, changes do not need to be written to the server.)
NOTE   In situations where the same user account logs on to multiple machines, the last user to log off dictates the profile settings because that user was the last one to write data to the profile. Similarly, if a group of users all point to the same profile, the final logoff settings are saved and will overwrite previous settings.
If the User Profile is flagged as a local profile and is not mandatory, any changes the user makes while logged on are written to the locally cached version of the profile, but not to the server-based copy.
NOTE   You should not make the home directory and User Profile path the same. If the profile path encompasses the home directory path and the server-based profile is more recent than the local profile on the workstation, all directories and files that exist in the user’s home directory will be copied to the user’s workstation at logon. These files are then written back to the server (if modified) when the user logs off. This process occurs at each logon. In addition, even if the user logs off and the administrator deletes all of the unnecessary files from the home directory, the versions of these files that reside on the workstation will not be deleted at logon and will be written back to the server again at log off. This file copy process is avoided if you place the profile in a subdirectory of the home directory, as follows: \\server\share\domainuser\profile.
Setting Persistent Connections
Persistent connections are stored in the User Profiles registry hive under the Network subkey. If you create a template User Profile that includes persistent connections and you have to supply credentials when making those connections, the credentials—with the exception of the password you used—are stored in the User Profile. When the new user receives the template User Profile, these saved credentials are passed (as opposed to the logged on user’s credentials), and the connection may fail.
There are three methods to correct this:
 1.      You can recreate the profile without supplying alternate credentials when connecting to network resources, or
 2.      Using Registry Editor (Regedt32.exe), use blank spaces to erase the contents of the USERNAME value under HKEY_CURRENT_USER\Network\drive letter. (Do not delete the value—just fill it with blank spaces.) Save the profile. For additional help, refer to the section “Administering a User Profile Manually Through the Registry” later in this document, or
 3.      Delete the network connection and reconnect.
 
Working Around Slow Network Links
Slow Net (which is configured in System Policy) was designed to offer a user faster access to his or her User Profile if the system detects a slower network speed, such as a modem line connection. Instead of automatically downloading a profile that may be several hundred kilobytes to several megabytes large, Slow Net gives the user the option of either downloading the profile or using the locally cached version. If the cached file is used, it can significantly reduce the time it takes to log on to the computer. To detect a slow network, the operating system computes the amount of time it takes to receive a response from the server (which the profile path defines as part of the user account). As system administrator, you can determine the allowable slow network speed. Use the System Policy Editor to set this value.
If the user uses the Control Panel System application to change the profile type to Local, then the cached copy of the User Profile is opened every time the user logs on. Any changes that occur to the profile are written locally and not to the server location.
Creating and Maintaining User Profiles
Creating a New Roaming User Profile for Windows NT 4.0
To create a new roaming User Profile, you must first determine where the user’s profile will be stored. You then must create a user account (if one doesn’t already exist), and specify a User Profile path. Finally, you must specify whether a given user will use a specific profile or can use a default profile. These procedures are described below.
To create a new roaming user profile:
 1.      If a location has not already been prepared, create a directory on the server and establish a network share. Give the user a minimum of Change permissions to the shared directory. (For more information on planning for this type of user, read the sections “Selecting a Location to Save User Profiles” and “Setting Permissions for User Profiles” earlier in this document.) If your implementation stores user profiles within users’ home directories, make the profile directory a subdirectory of the user’s home directory. (Note that this approach precludes the use of the %USERNAME% variable.) To prevent the share from being browsable, append “$” to the share name.
 2.      If this will be a domain user or if this will be a local account for a Windows NT Server-based machine, use User Manager for Domains to create the account. If this will be a Windows NT 4.0 Workstation account, use the version of User Manager included in the Administrative Tools program group. Refer to your operating system documentation and online Help for procedures when using these tools. (Note that for this example, the user account is mydomainuser.)
 3.      Enter the User Profile path. This is the location where the User Profile will be stored, for example: \\myserver\myshare\mydomainuser.
      Or, if the profile is being stored within the user’s home directory, use: \\myserver\myshare\MyUsersHomeDir\profile.
 4.      If the user is to receive the Default User profile from the workstation where he or she will interactively log on, no further administration is required.
      If the user’s profile will be a copy of an existing user profile, refer to Step 9. Otherwise, use User Manager to create an account for establishing a template profile. So that you can easily identify this account, we recommend that it be called TemplateUser.
 5.      Using the template account (TemplateUser), log on to the local machine or domain. A new directory with the same name as the user name created in Step 4 will be created in the %systemroot%\Profiles directory when you first log on. For example, if the user name is TemplateUser, the resulting directory name will be %systemroot%\Profiles\TemplateUser.
 6.      Modify any items that need to differ from the current default (for example, you may choose to modify the background color or bitmap, shortcuts on the desktop, and View options in My Computer).
 7.      Log off, and then log back on to the same computer using an account with administrative privileges.
 8.      Place the template profile in the appropriate location for the type of profile distribution that will be used. (The template profile, including customizations, is stored initially in %systemroot%\Profiles\TemplateUser.)
·      If the template profile will be distributed manually to multiple users:
a.      Create a directory where the template profile will be stored for distribution to each user account created.
b.      From the Windows NT-based machine hosting the template profile to be used, log on as an administrator.
c.      From the Control Panel, click System. From the User Profiles page, use the Copy To option to enter the path of the directory you just created.
d.      Modify the permissions to allow the Everyone group to use the profile. To do this, click the Change button, select the group, and click OK.
e.      Continue to Step 9.
 
·      If the template profile will be distributed via the Default User folder on validating servers:
a.      Create a Default User directory in the NETLOGON share (which is %systemroot%\Repl\Import\Scripts by default) of validating domain controllers. This folder name must be named Default User or the profile will not be downloaded from the server. To keep the Default User profile consistent across domain controllers and to ease administrative overhead, you can create this folder on one computer and then use the directory replication service to export it to all validating domain controllers.
b.      If a user logs on and does not have an existing local or server-based profile and your implementation uses the Default User folder on validating domain controllers, Windows NT will check the NETLOGON share for the Default User profile before it uses the local default profile. (Workstations save the server Default User profile on a local cache.) Windows NT will check the time/date/size of the server copy against the locally cached copy before downloading the server copy. And, if the files are identical, Windows NT will use the local copy of the server Default User profile.
c.      Continue to Step 10.
 
 
 9.      In the \\server\share from Step 1, create the directory structure you specified as the path in Step 3. For example, create the directory mydomainuser under \\myserver\myshare. If the profile is to be stored within the user's home directory, use the directory structure \mydomainuser\profile under \\myserver\myshare.
10.      Copy the profile appropriate to your implementation.
·      To copy an existing user’s profile to another user:
a.      From the Windows NT-based machine hosting the profile to be used, log on as an administrator.
b.      From the Control Panel, click System. On the User Profiles page, select the profile to be copied and use the Copy To option to enter the path of the directory you created in Step 9.
c.      Modify the permissions to reflect the proper account. To do this, click the Change button, select the account, and click OK. Click OK again to copy the profile.
 
·      To copy the template profile to the Default User folder on validating domain controllers:
a.      From the Windows NT-based machine hosting the profile to be used, log on as an administrator.
b.      From the Control Panel, click System. On the User Profiles page, select the profile to be copied and use the Copy To option to enter the path of the Default User directory on the validating domain controller.
c.      Modify the permissions to reflect the Everyone group. To do this, click the Change button, select the account, and click OK. Click OK again to copy the profile.
 
·      To copy a template profile manually to a number of users:
a.      Copy the entire contents (files and subdirectories) from the directory containing the template user profile created in Step 8 to the directory created in Step 9.
b.      Repeat this for each of the user profile directories that will receive the template user profile.
 
 
 
NOTES
·      When entering the path to the target directory, you can use Uniform Naming Convention (UNC) names. However, if you are going to use the Browse function to locate the target directory for the profile, it is important that you first map a drive to the \\server\share where the profile will be stored.
·      The mydomainuser name shown in Step 2 does not have to be the user’s name. Many user accounts or groups can be configured to point to the same profile. Of course, if the profile is shared by a group of users and is not mandatory, as each user logs off, the user’s changes are written back to the shared profile.
·      The profile does not need to be stored one directory below the server\share. The profile can be nested several directories below, or the profile path can be local.
·      If the profile path points to a directory on the local machine, a share is not needed.
·      The variable %USERNAME% is replaced by the user name only once in the User Profile path in User Manager, and it must be the last subdirectory in the path. However, extensions can still be added, such as .usr or .man.
·      You can select any group or a specific user when setting the permissions. However, only the user or group specified will be able to use the profile. For this reason, it is recommended that the Everyone group be given permission to use template profiles.
 
Once the above steps are completed, the user receives the appropriate profile as follows:
·      If the user is to receive the Default User profile from a Windows NT 4.0-based workstation, the workstation’s default profile is used when the user first logs on. When the user logs off, the profile is automatically written to the local cache and to the server-based profile.
·      If the user is to receive the Default User profile from the validating domain controller, the default profile from the server is used when the user first logs on. When the user logs off, this profile is automatically written to the local cache and to the server-based profile.
·      In all other cases, the profile—including the folder trees and the NTuser.xxx file originally included with the profile—is written to the user’s profile directory. The permissions are also encoded into the binary NTuser.xxx file.
 
Creating a New Mandatory User Profile for Windows NT 4.0
To create a new mandatory User Profile:
 1.      If a location has not already been prepared, create a directory on the server and establish a network share. Users who will have mandatory profiles need only Read permissions to the shared directory. (For more information on planning for this type of user, read the sections “Selecting a Location to Save User Profiles” and “Setting Permissions for User Profiles” earlier in this document.) If your implementation stores user profiles within users’ home directories, make the profile directory a subdirectory of the user’s home directory. (Note that this approach precludes the use of the %USERNAME% variable.) To prevent the share from being browsable, append “$” to the share name.
 2.      If this will be a domain user or if this will be a local account for a Windows NT Server, use User Manager for Domains to create the account. If this will be a Windows NT 4.0 Workstation account, use the version of User Manager included in the Administrative Tools program group. Refer to your operating system documentation and online Help for procedures when using these tools. (Note that for this example, the user account is mydomainuser.)
 3.      Enter the User Profile path. This is the location where the User Profile will be stored, for example: \\myserver\myshare\mydomainuser.
      Or, if the profile is being stored within the user’s home directory, use: \\myserver\myshare\MyUsersHomeDir\profile.
 4.      Determine if an extension needs to be appended to the User Profile path. If it will be mandatory that the user reads the profile from the server, and if logon will be denied unless this is the case, add the extension .man to the User Profile path; for example: \\myserver\myshare\mydomainuser.man.
 5.      Use User Manager to create an account for establishing the template profile. So that you can easily identify this account, we recommend that it be called TemplateUser.
 6.      Using the template account (TemplateUser), log on to the local machine or domain. A new directory with the same name as the user name created in Step 2 will be created in the %systemroot%\Profiles directory when you first log on. For example, if the user name is TemplateUser, the resulting directory name will be %systemroot%\Profiles\TemplateUser.
 7.      Modify any items that need to differ from the current default (for example, you may choose to modify the background color or bitmap, shortcuts on the desktop, and View options in My Computer).
 8.      Log off, and then log back on to the same computer using an account with administrative privileges.
 9.      In the \\server\share from Step 1, create the directory structure you specified as the path in Step 3. For example, you would need to create the directory mydomainuser under \\myserver\myshare. Or, if the profile is stored in the user’s home directory, you would need to create the directory structure \mydomainuser\profile under \\myserver\myshare.
      If you appended the .man extension to the User Profile path in Step 4, append the .man suffix to the directory name for the folder where the profile will be stored. The .man extension identifies a Windows NT 4.0 mandatory profile that must be accessible for the user to logon. For example, if the user name is mydomainuser, the path to the mandatory profile would be \\myserver\myshare\mydomainuser.man.
      If you also have a mandatory Windows NT 3.5x profile for the user, use the .pdm extension in place of the .man extension (for example, \\myserver\myshare\mydomainuser.pdm). The .pdm extension is required because the profile folder cannot have the same name as the Windows NT 3.5x User Profile located in the same parent folder.
10.      From the Windows NT-based machine hosting the template profile to be used, log on as an administrator.
11.      From the Control Panel, click System. From the User Profiles page, select the profile to be copied and use the Copy To option to enter the path of the directory you created in Step 9.
12.      Modify the permissions to allow the user or group to use the profile. To do this, click the Change button, select the account, and click OK. You can select any group or specific user when setting the permissions; however only the user or group specified will be able to use the profile.
      The profile—including the folder trees and the NTuser.xxx file originally included with the profile—is written to the location you designated. The permissions are also encoded into the binary NTuser.xxx file.
13.      In the directory that the profile was copied to in Step 3, check the NTUSER.xxx file for the .man extension. If the extension is .dat, the profile will still be modifiable. Change the extension to .man if necessary.
 
NOTES
·      When entering the path to the target directory, you can use universal naming convention (UNC) names. However, if you are going to use the Browse function to locate the target directory for the profile, it is important that you first map a drive to the \\server\share where the profile will be stored.
·      The mydomainuser name shown in Step 2 does not have to be the user’s name. Many user accounts or groups can be configured to point to the same profile. Because this is a mandatory profile, this may be the desired use of the profile since the administrator wants all the users in the group to receive the same settings.
·      The profile does not need to be stored one directory below the \\server\share. The profile can be nested several directories below, or the profile path can be local.
·      If the profile path points to a directory on the local machine, a share is not needed.
·      The variable %USERNAME% is replaced by the user name only once in the User Profile path, in User Manager, and it must be the last subdirectory in the path. However, extensions can still be added, such as .usr or .man.
·      The %LOGONSERVER% variable can be used for mandatory profiles to provide fault tolerance. Do not place double slashes ( \\) in front of %LOGONSERVER%; doing so will prevent the variable from being read properly. See Microsoft Knowledge Base article Q141714 for more information.
·      You can use the TemplateUser account to test changes before making them available to users by copying the adjusted profile directory to test accounts prior to rollout.
·      You can select any group or a specific user when setting the permissions. However, only the user or group specified will be able to use the profile. For this reason, it is recommended that the Everyone group be given permission to use template profiles.
 
Making a Roaming Profile Mandatory in Windows NT 4.0
You have two options when configuring a mandatory roaming profile: you can change the user’s ability to modify the User Profile, or you can change the user’s ability to modify the User Profile and enforce the use of the server-based profile at logon. With the second option, the user is not able to log on to the system if the network profile is unavailable. Each of these procedures will be explained more fully below.
Changing the User's Ability to Modify a Profile
When creating a User Profile or at any time thereafter, you have the option of enforcing whether or not the user can modify the profile by changing the extension on the NTuser.dat file. The NTuser.dat file is located in the root of the user’s profile directory. If you change the name of this file to NTuser.man, when Windows NT reads the profile, it marks the profile as read-only, and any changes that the user makes while logged on are not written back to the server-based profile when he or she logs off.
To change the user’s ability to make modifications to the User Profile
 1.      Locate the user’s profile in the account’s User Profile path.
 2.      While the user is logged off, rename the NTuser.dat file to NTuser.man. (Note that if you make this change while the user is logged on, the user’s copy of the profile will overwrite your changes, because at the time the user logged on, he or she had permission to overwrite the profile.)
      Be cautious if you use the Explorer interface to make these changes. If you have the “Hide file extensions for known file types” option enabled (this is the default), be sure to check the properties to be sure that there are not two extensions. For example, say you want to make a profile mandatory and you use Explorer to rename the NTuser.dat file name to NTuser.man. Because of the Hide extensions default, Explorer saves the file as type .man, but does not display the .man extension. Later, you decide to allow the user to make changes again, and through Explorer, you rename the file back to NTuser.dat. However, because Explorer was hiding that part of the file name that determines its type, the only thing you rename is the prefix. The file name is now NTuser.dat.man. To avoid this situation, you can either rename files from the command line or change the behavior of Explorer.
 
Enforcing the Use of the Server-based Profile
In addition to enforcing the read-only property of a profile, the administrator can duplicate the functionality that was available in Windows NT 3.5x of not allowing the user to log on unless the server profile is available.
To enforce the use of the server-based profile for a given user:
 1.      Append the .man extension to the User Profile path in User Manager as explained in the previous section. (Skip this step for users who have existing Windows NT 3.5x profiles and who already have the .man extension appended to their profile paths.)
 2.      If the user already has a Windows NT 3.5x mandatory profile on the server, change the name of the folder where the Windows NT 4.0 roaming profile currently exists to foldername.pdm. If the user logs on to a Windows NT 4.0-based workstation and the User Profile path contains the .man extension, Windows NT will determine that a mandatory Windows NT 3.5x profile exists and will automatically replace the .man extension with .pdm and will look for the directory path configured in the User Profile path. For example, at logon if the User Profile path is configured to use \\server\share\username.man, Windows NT will look for \\server\share\username.pdm for the correct profile to load.
      If only the Windows NT 4.0 user profile exists, change the name of the folder where the Windows NT 4.0 roaming profile exists to foldername.man. If the user logs on to a Windows NT 4.0-based workstation and the User Profile path contains the extension .man, Windows NT will look for the directory path configured in the User Profile path. If Windows NT does not find the directory, it will replace the .man extension with .pdm, and will check again.
 3.      If you haven't already done so, change the name of the NTuser.xxx file to NTuser.dat. (Refer to the section, “Changing the User’s Ability to Modify a Profile, ” in this document.)
 
Creating a New Roaming User Profile for a Windows 95 User
If you have Windows 95 users in your domain, you can create roaming user profiles for them as well.
To create a roaming user profile for a Windows 95 user
 1.      On the client Windows 95-based computer, start Control Panel, and select Passwords.
 2.      From the User Profiles property page, enable the option that allows users to have individual profiles, and set the Primary Network Logon to Client for Microsoft Networks.
 3.      Reboot the client machine.
 4.      Use User Manager for Domains to create the user account (if it does not already exist). For the user’s home directory, specify the location where the User Profile will be stored. An example would be:
            This automatically creates a folder with the user name. If a dialog box is displayed stating that the operation failed, create the folder manually before continuing.
 5.      Decide whether the user will receive a specific profile or if a default will be used instead:
·      If the user will receive a specific profile, from the Windows 95-based computer hosting the profile to be used, copy the complete contents of the local Profile folder to the folder created in Step 4. This writes the profile to the destination, including the folder trees and the User.xxx file originally included with the profile.
·      If a default profile will be used, no administrative action is required. When the user logs on, the Default User Profile from the local Windows 95-based machine will be used. At log off, this profile will be written to the user’s home directory with any customizations the user has made.
 
 
NOTES
·      If you need to troubleshoot problems with users not receiving their User Profiles, have the users execute the command: NET USE * /HOME from the command prompt on the client machine. This verifies that the user can access the home directory, and allows the user to verify that the User Profile exists in that folder.
·      The profile does not need to be stored one directory below the \\server\share. The profile can be nested several directories below, if desired.
 
Creating a New Mandatory User Profile for Windows 95
If you have Windows 95 users in your domain, you can create new mandatory user profiles.
To create a mandatory user profile for a Windows 95 user:
 1.      On the client Windows 95-based computer, start Control Panel, and select Passwords.
 2.      From the User Profiles property page, enable the option that allows users to have individual profiles, and set the Primary Network Logon to Client for Microsoft Networks.
 3.      Reboot the client machine.
 4.      Use User Manager for Domains to create the user account (if it does not already exist). For the user’s home directory, specify the location where the User Profile will be stored. An example would be:
            This automatically creates a folder with the user name. If a dialog is displayed stating that the operation failed, create the folder manually before continuing.
 5.      Copy the Template Profile that you are using for mandatory profiles to the user’s home directory:
·      From the Windows 95-based machine hosting the mandatory, copy the complete contents of the local Profile folder to the folder created previously. This writes the profile to the destination, including the folder trees and the User.xxx file originally included with the profile.
·      If you have not already done so, rename the User.dat file to User.man.
 
 
At logon, the user will download the mandatory profile, cache it, and no changes will be written back to the server at log off.
NOTES
·      The profile does not need to be stored one directory below the \\server\share. The profile can be nested several directories below, if desired.
·      Alternatively, a new profile can be made mandatory by the user logging on, logging off, and the administrator changing the User.dat file to User.man.
 
Maintaining User Profiles with Control Panel System Properties
In Windows NT 4.0, much of the functionality provided by individual tools in Windows NT 3.5x has been consolidated in the Control Panel System Properties application. And System Properties, when used in conjunction with the System Policy Editor, provides even greater functionality than Windows NT 3.5x delivered. Some of the features of System Properties are described next.
NOTE   In Windows NT 3.5x, you used the User Profile Editor to modify User Profile properties. In Windows NT 4.0, this tool has been replaced by a combination of the User Profile structure and System Policies. User Profile Editor is not included in the Windows NT 4.0 package.
The User Profiles property sheet (shown in the figure below) allows you to view the list of User Profiles. From there you can delete, copy, or modify the profile type for each of the profiles listed. Note that the profiles listed are only for those users who have interactively logged onto the local machine. User profiles that have been created and not used or profiles that are stored for use on remote machines are not included in this list. Furthermore, if a user does not have administrative rights, only that user’s profile is listed. Administrators have permissions to see all available profiles.
Deleting Profiles
The User Profiles property sheet allows users with administrator privileges to delete unused profiles that still exist on a local computer. (In Windows NT 3.5x, this function was available in the Main group of the Windows NT Setup program.) To delete a User Profile, select the profile name and click the Delete button. This deletes the User Profile on the local machine, but it does not delete the associated User Account. Note that sometimes the phrase “Account Deleted” is present in the list of profiles. These are accounts that were deleted from the User Account Database, but whose profiles still exist on the local computer.
If you need to delete profiles on remote computers, the Delprof.exe utility available in the Windows NT Server Resource Kit, version 4.0, provides this functionality. Windows NT 4.0 User Profiles can grow quite large and can take up considerable disk space, particularly if several people are using one computer. With Delprof.exe, you can reclaim disk space by removing profiles that are no longer needed. This utility deletes User Profiles on computers running Windows NT, and it can be used on a local or remote computer running Windows NT 4.0 or earlier. However, because Delprof.exe is Unicode-based, it cannot run on Windows 95.
NOTE   Delprof.exe will delete everything contained in a user's profile, including settings, colors, and user documents. Please be aware of any user documents that may be deleted before using this tool.
The syntax of Delprof.exe is as follows:
 
    delprof [/q] [/i] [/p] [/c:\\computername] [/d:days] [/?]
 
Where:

/q      Runs Delprof.exe in quiet mode, with no confirmation for each profile to be deleted.
/I      Indicates that Delprof.exe should ignore errors and continue deleting.
/p      Prompts for confirmation before deleting each profile.
/c:\\computername      Specifies a remote computer name on which to run Delprof.exe.
/d:days      Specifies the number of days of inactivity (days is an integer). Profiles with longer inactivity will be deleted.
/?      Displays command-line syntax.
See the Windows NT Server Resource Kit for more information.
It is important to note that if a user is logged on locally to a machine and then attempts to delete his or her own profile, a message will appear stating that the profile is currently in use and cannot be deleted. The user must log off, log back on using a different account with administrator privileges, and delete the profile. In addition, if a service is running for a particular user account, the same message may appear. If this happens, stop the service and then delete the profile.
Changing the Profile Type from Roaming to Local
With the User Profiles Change Type feature, a user can control which copy of the User Profile (local or roaming) is read when he or she logs on. (Note that the user can do this interactively while logged on.) Users do not need administrative privileges to change which profile is used if the profile is not a mandatory profile.
Valid profile types are:
·      Local Profile—A local profile is maintained on the local computer. This option allows the user to specify that the once “roaming” profile is now “local” to this machine. Although the remote profile is still available, if the Local Profile option is selected, the locally cached profile will be used instead. The user should be aware that if he or she makes changes to the profile, those changes will be saved in the locally cached version only and will not be replicated in the server-based profile. Note that the system can choose this selection automatically if the server-based profile is unavailable.
·      Roaming Profile—If the user selects the roaming profile and the roaming profile is available, Windows NT determines whether the server or local copy is newer. If the local copy is newer, the user is asked to choose which copy he or she would like to use. Note that if the system detects a slow network link, the user will be given this same choice of profiles. The Roaming Profile selection is available if:
·      There is a valid path specified in the User Profile path portion of the user account properties, and
·      The User Profile path is accessible at the time of logon.
 
·      Roaming Profile with “Use cached profile on slow connections”—If a user selects this option, he or she is not asked which copy to use with a slow connection. Instead, the system uses the locally cached copy automatically.
 
If a user has a roaming profile, it is possible for that user to change the mode to Local and have Windows NT use the local version always, even though the roaming profile is still available. However, a user cannot do this if the system administrator assigns that user a mandatory profile and has added the .man extension to the user’s profile path.
Determining Which Profile Is Displayed
There may be cases where users who have identical names but are from different domains will log on to the same machine. If this occurs, you will notice several directories that start with the same prefix in the %systemroot%\Profiles directory tree. You can use the User Profiles property page to determine which file is associated with which user, as follows:
 1.      Compare the Modified and Size properties to those of the actual directories. The Size property displayed in User Profiles is the total size of the directory residing in the profiles tree, not the size of the NTuser.xxx file alone. Match the directory sizes in the profiles tree to the number displayed on the User Profiles property page.
 2.      If the user is currently logged on, right-click the Start button. If context menus have not been disabled, select the option to Explore and Explorer will open to the profile directory used by that account.
 3.      If you don’t know when the user last logged on, look for the NTuser.dat file with a time and date stamp that matches the Modified date displayed in the User Profiles property page.
 
Copying Profiles
Use the User Profiles Copy To button to copy existing profiles from the local machine to another profile directory on the same machine or to a remote server where server-based User Profiles are stored. The Copy To dialog box (see the figure below) performs two functions. First, the Copy profile to option provides a Browse button that enables you to view local and remote drives to select the directory where the profile should be copied. In addition, the dialog provides a Permitted to Use option that allows you to select the user account or group that has permission to use the profile.
When the permissions are written to the profile, they are stored in the NTuser.xxx file. When a new profile is created, the user that created the profile is given permission to use that profile. However, those with administrator permissions can use the Change button or the Registry Editor to change these permissions.
When you click the Browse button, the following dialog box appears. It is important to note that this dialog does not allow you to create directories. You must create the required directories before you copy the profile.
Viewing the Contents of the Profiles Directory on a Local Computer
All locally cached versions of User Profiles are stored in the profiles subdirectory of the Windows NT root directory. The profiles subdirectory maintains each user’s profile separately by generating a specific directory for each user. Within that directory, the registry hive, NTuser.dat, and the rest of the profile structure folders are kept. If a user is allowed to view context menus or has administrator privileges, the user can right-click the Start button, click the Explore option, and have the Explorer window automatically open to his or her profile directory with the contents displayed. In addition, administrators can click the Explore All Users option to display the All Users profile directory.
You may notice that in a given user’s profile directory, there are more files and directories than those listed in the example above. This may be due to the files and directories created by the user. For example, when the user logs on, if the server-based profile is found to be more recent than the one on the local computer, the entire contents of the User Profile path is copied to the client workstation and is then written back to the server when the user logs off. If the user has saved any documents in the home directory and the home directory is in the user’s User Profile path, the documents become part of the User Profile. These documents are downloaded when you log on to the network and written back to the server when you log off the network. Note that this process could slow down the logon process considerably.
Log Files Used by Profiles
Log files are binary files that track changes to a profile. As changes are made, they are recorded in a log file and then written to NTuser.xxx. If for some reason, the changes cannot be recorded in NTuser.xxx, they are applied at the next logon. When a user makes a change to his or her profile, the change is made to the user's locally cached profile, even if a mandatory profile is in use. (In this case, the changes are not propagated to the server copy and are overwritten the next time the user logs on.) If the user has a roaming User Profile, when the user logs off, the NTuser.dat file is copied to the server and the changes are saved (unless the profile is being used in a local mode).
The All Users Shared Profile
The All Users profile directory contains common groups that apply to all users logging on locally to a given workstation. When a user logs on, programs and shortcuts from the All Users profile are also available to the user—in addition to the user’s personal User Profile programs and shortcuts. Note that the All Users profile on a domain controller does not apply to domain users logging on at remote workstations. The All Users profile is workstation-specific and contains the common groups for just that computer. If you want to specify programs, shortcuts, or directories to be used by everyone who logs on to a specific workstation, you should place these in the All Users profile directory.
If you need to establish domain-wide common groups and settings, use the System Policy Editor to modify registry entries on remote workstations so that they point to server directories for common groups, as opposed to pointing to the local All Users profile. Later, if you need to remove the domain-wide settings and have remote users point to the All Users profile from the local workstations once again, you’ll need to change the default path used in the System Policy Editor to:
 
    %systemroot%\Profiles\All Users\Start Menu\Programs

 
Refer to the System Policy portion of this guide for specific procedures.
Default User Template Profiles
During Windows NT 4.0 Workstation installation, the setup program creates a generic User Profile, the Default User, and saves it in a folder in the profiles directory. These default settings define an environment for new users who log on to the computer locally or who log on to a domain that does not contain a network Default User profile. When a new user logs on, a profile directory is created for that user, and the default settings are written to the new user’s directory. (The profile may or may not then be customizable, depending upon how the administrator has configured profiles.)
In Windows NT 4.0, administrators have the option of generating a network Default User profile that, if present, will be used before the local Default User profile is used. With the original retail release of Windows NT 4.0, workstations downloaded this network Default User profile and the most recent NTconfig.pol file, and cached them in the local Default User (Network) and Policy folders, respectively. Then, instead of automatically downloading these from the server whenever they were needed, the logon process compared the time/date/size stamps of the two versions, and if they were the same, used the cached versions without performing another download. With Windows NT 4.0 Service Pack 2, however, the System Policy file, NTconfig.pol, is downloaded during each logon. (The profile functionality remains unchanged—the profile is downloaded only if the local copy is out of date.)
Profile Names and Storage in the Registry
Windows NT 4.0 records which profile should be used by which user by placing registry keys for the user’s security ID (SID) in the registry in:
 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

 
Each user who has logged on to the local machine will have a SID recorded here in a subkey, with a value that contains the path to that user’s local profile, ProfileImagePath. Should multiple users with the same account name log on to the network, separate distinct profiles are created for each. For example, if multiple users with the account name John Smith log on to the computer, the first John Smith is assigned a folder named JohnSmith. Subsequent users with the same name are assigned folders named JohnSmith with a numerical suffix appended, for example JohnSmith.000, JohnSmith.001, and so forth.
Manually Administering a User Profile through the Registry
As system administrator, you may need to change a given setting to avoid unnecessary user interaction, to make modifications before setting the profile to mandatory, or to add custom registry entries. In addition, you may need to modify the Default User Profile on a computer before new users log on and use it as the template. You can open a specific user’s profile or the Default User Profile and customize it manually as explained in the procedure below.
NOTE   Make sure that the user is not logged on before using this procedure. If the user is logged on while changes are made, the changes will be overwritten by the user’s preferences because profile settings are saved at log off.
As discussed earlier, the NTuser.dat file contains all of the registry settings located in HKEY_CURRENT_USER. As system administrator, you can modify the data contained in the NTuser.dat portion of the profile by loading the hive into the registry.
To manually customize a User Profile:
 1.      Locate the profile to be modified.
·      If the profile is a server-based profile, locate the \\server\share\username and determine the extension on the NTuser.xxx file.
·      If the profile is a local profile, locate the %systemroot%\Profiles\username directory, and determine the extension on the NTuser.xxx file.
·      If you need to edit the Default User Profile, locate the %systemroot%\Profiles\Default User directory, and determine the extension on the NTuser.xxx file.
·      If you need to edit the Network Default User Profile, locate the Default User folder in the NETLOGON share of the domain controllers that are doing user authentication, and determine the extension on the NTuser.xxx file. If there is more than one domain controller and directory replication is ensuring that the “Default User” profile is the same on all domain controllers, open only the profile on the domain controller which is the export server.
 
 2.      Start Regedt32.exe, and select the HKEY_USERS on Local Machine window. Highlight the root key of HKEY_USERS.
 3.      From the Registry menu, select Load Hive.
 4.      Browse for the directory identified in Step 1, and select the NTuser.xxx file located in that directory.
 5.      A dialog will prompt you to enter a Key Name. You can use any value, but you must remember this value so that you can select it during the unload process. For this reason, we recommend that you use the user name.
 6.      Click Enter. This adds the profile registry hive as a subkey to HKEY_USERS, as shown in the illustration below.
       7.      Edit the existing values as necessary.
 8.      After completing the changes, highlight the root of the user’s profile registry key, and from the Registry menu, select Unload Hive. This saves the changes to the user’s profile. (When you first selected Load Hive, the key was mapped to the file selected in the Open dialog. A Save As option is therefore unnecessary.)
 
Modifying the Default User Profile
To modify a Windows NT-based workstation’s Default User Profile settings or to modify the Network Default User Profile, load the NTuser.xxx hive into the registry as outlined above, make the necessary changes, and unload the hive (this automatically saves the changes).
·      The workstation Default User Profile is located in the \%systemroot%\Profiles\Default User directory.
·      To make changes to the Network Default User Profile, use the NTuser.xxx file from the scripts export directory (%systemroot%\system32\repl\export\scripts) of the domain controller that is the export server for the domain. Any changes that you make to this file will be replicated to the other domain controllers (which are import servers).
 
To provide users with a Default User Profile that contains custom shortcuts, folders, and files that are not centrally managed, place the icons in the appropriate folder within the Default User Profile. New users will receive the shortcuts, folders, and files as part of their new profiles. For example, if you want each new user that logs on to a given computer to receive a folder called “My Storage” on the desktop, just create this folder in the path:
 
    \%systemroot%\Profiles\Default User\Desktop.

 

0
 

Author Comment

by:dkearn
ID: 1546199
The other part of this question was not answered. What I need is for no locally cached copy. The profile needs to copy to the local machine and on user logoff, be deleted from the local computer. If it is not, in a network this size (71 users) the local copies of the profiles take up way too much space. Is this even possible to do? I have been through the knowledge base for info, and have hit a brick wall.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Sometimes you might need to configure routing based not only on destination IP address, but also on a combination of destination IP address (or hostname) and destination port number. I will describe a method how to accomplish this with free tools. …
Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
This video discusses moving either the default database or any database to a new volume.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now