Solved

Shared User Profile in Windows 7

Posted on 2014-03-07
Last Modified: 2014-03-24
I work for a university and manage several computer labs. We use a product called Deep Freeze which resets the system state every time the computer is restarted so that no changes the students make stick. This has been very useful while we have been using a generic account for lab use but we are in the process of changing the login process of our labs so that each student logs in using their own unique Active Directory account. This has presented me with a problem because the default profile I've created for this is very bloated but necessary and causes very slow login times for the students (up to 10 minutes). Since the computers are in a frozen state, they have to go through this process every time they log in since their profiles are thrown out with every reboot. The default profile needs to be this large because of the large variety of software that is installed and the amount of first use configuration that would need to be done on each application if I used a clean default profile.

What I would like to do is set the workstations in my labs to use the same user profile folder with none of the copying that happens when using the default profile with every user that logs in or have all AD users somehow redirect to an existing local account. ForensIT has a third party app that does this but I don't have the budget to purchase it for all of my lab computers so I need a manual solution. The change needs to happen at the workstation level and not the AD level because this would only be used for labs inside my building and not throughout the rest of the university.

I tried using a script that another tech here at the University wrote that set the default profile to use a bunch of symbolic links to folders outside of the default folder but the links don't copy over to the user profile when a new user logs in. I've copied the original version of the script below.

@ECHO OFF
mkdir c:\users\Default\AppData\Local
mkdir c:\users\Default\AppData\Roaming
mkdir c:\users\Default\AppData\LocalLow
:: Make the directories
xcopy c:\windows\web\AppData\Local\Mozilla c:\users\Default\AppData\Local\Mozilla\ /e /y /v /h /r
xcopy c:\windows\web\AppData\Local\Google c:\users\Default\AppData\Local\Google\ /e /y /v /h /r
xcopy c:\windows\web\AppData\Roaming\Mozilla c:\users\Default\AppData\Roaming\Mozilla\ /e /y /v /h /r
xcopy c:\windows\web\AppData\Roaming\Microsoft c:\users\Default\AppData\Roaming\Microsoft\ /e /y /v /h /r
:: Copy four full directories and place them into the specified location. Even if the dir is empty
dir /B c:\windows\web\AppData\Roaming >> c:\users\Default\AppData\Roaming\roaming.txt
dir /B c:\windows\web\AppData\Local >> c:\users\Default\AppData\Local\local.txt
dir /B c:\windows\web\AppData\LocalLow >> c:\users\Default\AppData\LocalLow\locallow.txt
::Get the information in the directories, names only. Append it to those files
for /f %%i in (c:\users\Default\AppData\Roaming\roaming.txt) do (

    mklink /h "c:\users\Default\AppData\Roaming\%%i" "C:\windows\web\AppData\Roaming\%%i"

)
:: copy all folders in .txt to that path, no duplicates
for /f %%i in (c:\users\Default\AppData\Local\local.txt) do (

    mklink /h "c:\users\Default\AppData\local\%%i" "C:\windows\web\AppData\local\%%i"

)
:: copy all folders in .txt to that path, no duplicates
for /f %%i in (c:\users\Default\AppData\LocalLow\locallow.txt) do (

    mklink /h "c:\users\Default\AppData\LocalLow\%%i" "C:\windows\web\AppData\LocalLow\%%i"

)
:: copy all folders in .txt to that path, no duplicates
@ECHO OFF
DEL c:\users\default\AppData\Local\local.txt
DEL c:\users\default\AppData\LocalLow\locallow.txt
DEL c:\users\default\AppData\Roaming\roaming.txt
::Clean up the mess
@ECHO OFF
ECHO Double Check the Directories, We will wait
:: Tell them to double check the work.
pause
::Wait for them and ask to exit

Are there any suggestions on how I should proceed with this?
Question by:Ins0mniac81
9 Comments
 
LVL 27

Expert Comment

by:serialband
ID: 39913895
It's taking so long because you're manually copying every file and recreating it. Have you thought of just using mandatory profiles?

Create the profile you need and once it's set the way you like it, rename NTuser.dat to NTuser.man

That's the way it was done way back in the NT4 days and it still works.  I used to set that for certain account groups.  If you have group policy, you can set accounts to use that mandatory profile as well.
0
 

Author Comment

by:Ins0mniac81
ID: 39914636
I had thought that mandatory profiles also made a copy the first time a user logged in. If that's not the case then this would be what I'm looking for. How do I implement that for all users locally without adding it to the AD user profile?
Thanks!
0
 

Author Comment

by:Ins0mniac81
ID: 39914638
Is it a setting in the local group policy that I could gain access to through gpedit.msc?
0
 
LVL 27

Expert Comment

by:serialband
ID: 39915318
If you use mandatory profiles, you don't have to reset the system every time the user logs out. The mandatory profiles prevent the settings from taking effect. Every time the user logs out, then logs back in, it's reset to the default mandatory profile. You would only have to run Deep Freeze once per semester, although you'd probably need a new image with all the patches by the next semester. The profiles don't get deleted each time and the students will have rather quick logins after the first one. You should still limit the profile size in Active Directory.

You could also run delprof.exe (which used to be in the Windows resource kits) and remove the profiles if the disk gets too full.  Roaming profiles normally get deleted, but they remain on disk if someone reboots the system without logging out first.  I had to do that when I was still working with 9 GB SCSI disks just 5 years ago.  There was 1 GB of free space available, which was just enough for 30 different lingering profiles which had to be periodically cleared.  I was glad when they finally replaced those systems.

The environment I worked with had a mix of mandatory, local, and roaming profiles.

I'm not sure about your last post.  Are you asking about how to create a mandatory profile?  You log into one account.  Set everything the way you want.  Log out of the account.  Rename that account's NTuser.dat to NTuser.man.  When you create accounts, point the profile file to the NTuser.man on the master account.

http://msdn.microsoft.com/en-us/library/windows/desktop/bb776895%28v=vs.85%29.aspx

You can also load the NTuser.man or NTuser.dat hive to a temporary hive in your registry, make the registry modifications, then export it back. This requires a much deeper understanding of the registry: http://oakdome.com/k5/tutorials/windows-7-mandatory-roaming-profile.php

Here's some background on mandatory profiles.
http://www.sepago.de/e/helge/2009/02/17/mandatory-profiles-the-good-the-bad-and-the-ugly
0

 

Author Comment

by:Ins0mniac81
ID: 39917327
Thank you Serialband for the suggestion. Now that I understand it a bit further, this is not what I'm looking for. There are a few reasons. First, Deep Freeze is a program that runs constantly in order to maintain the current frozen system state and cannot be run to restore the system to a previous state. It prevents changes to the system as a whole and not just to a profile as it seems a mandatory profile does. Also, it seems that you are saying that I would need to create a local account and point it to the mandatory profile. The computers are on a domain and are free for any domain user to log into and so I would need a solution that works for any user that might log in. My own understanding of roaming/mandatory profiles leads me to believe that the only way to use a mandatory profile in a way that might be useful in my circumstances would be to add the profile to each account at the AD level. Unfortunately, I can't do this as this profile would only apply within my building and the students need to be able to log into the labs in other buildings which are supported by different teams.

What I really need is some way to assign a group to an existing profile at the local level so that a profile does not need to be created at each login (since each login is essentially a first login due to Deep Freeze maintaining a frozen system state). Either something like this or a way to drastically reduce the size of the Default profile by redirecting things like Appdata and Documents to a central folder as I attempted to do with the symbolic links in my attached script.

Thank you!
0
 

Author Comment

by:Ins0mniac81
ID: 39923321
Can anyone else offer a suggestion?
0
 
LVL 27

Expert Comment

by:serialband
ID: 39923773
Microsoft had Steady State for XP, but they have alternatives for Windows 7. You could try Windows Automated Installation Kit (WAIK) and the Microsoft Deployment Toolkit (MDT).

https://blogs.technet.com/b/panosm/archive/2011/07/07/windows-7-steadystate-solution-simplified.aspx
0
 

Accepted Solution

by:
Ins0mniac81 earned 0 total points
ID: 39939396
It's not a perfect solution but I've had some limited success using a slightly modified version of the script I pasted into the original post to set all of the AppData folders in the Default profile to junctions to a separate location on the HD (I had to modify it to recognize the folder name spaces in the text files). Then using a startup script using ln.exe found here (http://schinagl.priv.at/nt/ln/ln.html) to copy the junctions to the new account manually.

ln --splice --copy c:\users\default\appdata %userprofile%\appdata

There are still a few bugs to work out since Autodesk products are still treating it as if it is their first time being run even after this process.
0
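One way the modification described in the accepted solution could look (junctions instead of hard links, and folder names containing spaces handled), as an added example that is not the poster's actual script. The source and destination paths are the ones from the original script in the question; the `:LinkScope` label and variable names are made up for this sketch.

```bat
@echo off
setlocal enableextensions
:: Added example, not the poster's script. Paths come from the original
:: script on this page. Run elevated: it writes under C:\Users\Default.
set "SRC=C:\Windows\Web\AppData"
set "DST=C:\Users\Default\AppData"

for %%s in (Roaming Local LocalLow) do call :LinkScope "%%s"
endlocal
exit /b 0

:LinkScope
:: %~1 = AppData scope (Roaming, Local or LocalLow)
if not exist "%SRC%\%~1\" (
    echo Skipping %~1: "%SRC%\%~1" not found
    exit /b 0
)
if not exist "%DST%\%~1\" mkdir "%DST%\%~1"
:: "delims=" keeps the whole line, so names with spaces are not cut short.
:: /ad lists directories only, since a junction must point at a directory.
:: Reading dir output directly also removes the temporary .txt files.
for /f "delims=" %%i in ('dir /b /ad "%SRC%\%~1" 2^>nul') do (
    if exist "%DST%\%~1\%%i" (
        echo Exists, left alone: "%DST%\%~1\%%i"
    ) else (
        mklink /j "%DST%\%~1\%%i" "%SRC%\%~1\%%i"
    )
)
exit /b 0
```

Because every account then resolves to the same target folders, access is governed by the ACLs on C:\Windows\Web\AppData, and anything one user's applications write there is visible to the next user until the machine is reset.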
 

Author Closing Comment

by:Ins0mniac81
ID: 39949790
This result is still imperfect but better than nothing.
0
