Microsoft Windows NT 4.0 User's Manual
Contents
1. or POLICY MyPolicy KEYNAME VALUENAME ValueToBeChanged VALUEON 5 VALUEOFF 10 END POLICY 8 Save and test your file Note that if you modify an adm file while the System Policy Editor applica tion is running you will need to reload the file From the Options menu select Policy Template and press OK This reloads the structure and your new entries will be available You do not need to perform this step if you modify a file before starting the System Policy Editor the reload is done automatically Microsoft Windows NT Server White Paper 51 52 Microsoft Windows NT Server White Paper each time the System Policy Editor starts Configuring System Policies Based on Geographic Location You may choose to enforce certain environment settings based upon geo graphic site location or vicinity At least two methods are available to do this e Generate a System Policy that contains settings for specific computers In each of the machine specific settings configure the Remote Update path to a specific regional server that will be maintaining the regional System Policy file When the user logs on at the Windows NT based workstation for the first time because the default mode is Automatic the workstation will check the validating domain controller for a policy file The policy file it finds will point the policy update configuration to another serve2. e EDITTEXT Writes the value to the registry with data type REG_SZ for example PART MyPolicy EDITTEXT VALUENAME ValueToBeChanged END PART e REQUIRED Generates an error if the user does not enter a value for example PART MyPolicy EDITTEXT REQUIRED VALUENAME ValueToBeChanged END PART e EXPANDABLETEXT Writes the value to the registry with data type REG_EXPAND_ SZ for example PART MyPolicy EDITTEXT EXPANDABLETEXT VALUENAME ValueToBeChanged END PART e MAXLEN Specifies the maximum length of text for example PART MyPolicy EDITTEXT VALUENAME ValueToBeChanged AXLEN 4 END PART e DEFAULT Specifies the default value for text or numeric data for example PART MyPolicy EDITTEXT DEFAULT MySampleText VALUENAME ValueToBeChanged END PART or PART MyPolicy NUMERIC DEFAULT 5 VALUENAME ValueToBeChanged END PART e MIN and MAX These specify the lowest and highest valid values respectively for example PART MyPolicy NUMERIC IN 100 MAX 999 DEFAULT 55 VALUENAME ValueToBeChanged END PART e Use the keywords VALUEOFF and VALUEON to write specific values based on the state of the option for example POLICY MyPolicy KEYNAME VALUENAME ValueToBeChanged VALUEON Turned On VALUEOFF Turned Off END POLICY
3. Dialog Box Timeout Category Windows NT User Profiles Selection Timeout for dialog boxes Description When the user is presented with a dialog box requesting User Profile information this specifies the amount of time in seconds before the dialog box is closed and the default is accepted Key HKEY_LOCAL_MACHINE Software Microsoft Windows NT CurrentVersion Winlogon Microsoft Windows NT Server White Paper 79 Registry Value Registry Data Description Show REG_DWORD Off 0 or value is removed On time in sec onds in hexadecimal Decimal 0 600 default 30 80 Microsoft Windows NT Server White Paper REGISTRY ENTRIES NOT INCLUDED IN THE SYSTEM POLICY EDITOR The following section describes the locations and values for useful registry entries that are available in the operating system but not available in the Sys tem Policy Editor Autorun Category Subcategory Description Key Windows NT Shell Removable media Determines whether the Autorun feature is enabled on each drive connected to the system When Autorun is enabled media is started automatically when it is in serted in the drive This value is comprised of 32 bits The lower 26 bits each represent a drive with the lowest right most bit representing drive A and the 26th bit from the right representing drive Z If a bit is set to 0 the autorun feature is enabled on that drive If a bit is set to 1 the autorun feature is di
4. The profile does not need to be stored one directory below the server share The profile can be nested several directories below if desired e Alternatively a new profile can be made mandatory by the user logging on logging off and the administrator changing the User dat file to User man Maintaining User Profiles with Control Panel System Properties In Windows NT 4 0 much of the functionality provided by individual tools in Windows NT 3 5x has been consolidated in the Control Panel System Proper ties application And System Properties when used in conjunction with the System Policy Editor provides even greater functionality than Windows NT 3 5x delivered Some of the features of System Properties are described next NOTE In Windows NT 3 5x you used the User Profile Editor to modify User Profile properties In Windows NT 4 0 this tool has been replaced by a combination of the User Profile structure and System Policies User Profile Editor is not included in the Windows NT 4 0 package The User Profiles property sheet shown in the figure below allows you to view the list of User Profiles From there you can delete copy or modify the profile type for each of the profiles listed Note that the profiles listed are only for those users who have interactively logged onto the local machine User profiles that have been created and not used or profiles that are stored for use on remote machines are not included in this list Furth
5. Windows CurrentVersion Policies Explorer 3 Add the following DWORD value by clicking Edit New DWORD value LinkResolvelgnoreLinklnfo 4 Once entered double click this value and set the Value data to 1 Deploying Policies for Windows NT 4 0 Machines By default a Windows NT 4 0 based workstation checks the NETLOGON share of the validating domain controller for the user s logon domain It is therefore critically important that replication of the NTconfig pol file take place among the domain controllers performing authentication If a Windows NT 4 0 based workstation does not locate the policy file on its validating domain con troller it will not check any others You have another option when enforcing policies The UpdateMode registry setting configurable through the System Policy Editor forces the computer to retrieve the policy file from a specific location expressed as a UNC path re gardless of the user who logs on Default Computer Properties Eg Policies Default Computer E y Network iQ System policies update Remote update 3 System Windows NT Network Windows NT Printers G Windows NT Remote Access H A Windows NT Shell Windows NT System Windows NT User Profiles j E Settings for Remote update Update mode Manual use specific path X Path for manual update 5Sserverssharesmanual pol To retrieve the policy file f
6. HKEY_LOCAL_MACHINE System CurrentControlSet Services LanManServer Parameters Registry Value Registry Data Description AutoShareW ks REG_DWORD NT Workstation specific Off 0 On 1 70 Microsoft Windows NT Server White Paper Drive Shares Server Category Subcategory Selection Description Key Windows NT Network Sharing Create hidden drive shares server When enabled creates the administrative shares for physical drives These shares were created automatically under Windows NT 3 51 This policy setting gives ad ministrators the ability to control this feature This setting is specific to Windows NT Server HKEY_LOCAL_MACHINE System CurrentControlSet Services LanManServer Parameters Registry Value Registry Data Description AutoShareServer REG_DWORD NT Server specific Off 0 On 1 Printer Browse Thread Category Subcategory Selection Description Key Windows NT Printers Sharing Disable browse thread on this computer When this option is enabled the print spooler does not send shared printer information to other print servers HKEY_LOCAL_MACHINE System CurrentControlSet Control Print Registry Value Registry Data Description DisableServerThread REG_DWORD Off 0 or value is removed from registry On 1 Server Scheduler Category Subcategory Selection Key Windows NT Printers Sharing Scheduler priority HKEY LOCAL M
7. Part 2 Microsoft Windows NT Server White Paper 87 Call made to check Check for man extension in server profile 3 profile path Yes No Flag as mandatory Saal Start timer check the existence of the profile path and after completion stop timer y Determine type and version of profile Directory File Nothing Access denied error Does oe d Return error to p the client in usr or man No Windows NT 3 5x profile found Generate Yes Windows NT 4 0 profile Attempt to create the and return to origina directory and return to flowchart original flowchart Append pds or pdm as appropriate and look again what was found Directory Nothing Failed y Directory found with l Windows NT 4 0 profile Directory found Return to original with Windows flowchart NT 4 0 profile Noa Return to Check for slow original Yes link flowchart 4 Try to create Deny logon directory Yes No a Use default profile Use cached profile and return to and return to original flowchart original flowchart Flowchart 4 User Logon Accessing Server based Profile 88 Microsoft Windows NT Server White Paper System Policy Flowchart This flowchart illustrates how System Policy is applied in the Windows NT 4 0
8. System32 or systemroot System32 Config directories the following message appears Unable to log you on because your profile could not be loaded Encoding Permissions in the User Profile The registry portion of the User Profile NTuser xxx is encoded with the user or group that has permission to use that profile Once this is saved you can use the Registry Editor to modify this information if you want to change the permissions on a profile without replacing it To change encoded User Profile information 1 Follow the instructions to manually edit a profile Refer to the section Administering a User Profile Manually through the Registry later in this document 2 Change the permissions on the root of the key to include users and groups who will have permission to use the profile 3 Unload the hive Selecting a Location to Save User Profiles As with Windows NT 3 5x you can place a roaming profile in any shared di rectory and then configure the user account profile path to point to the profile The Profiles directory in the system root stores local User Profiles All Users profile settings which apply to any user who uses the computer the Default User profile and cached User Profiles of domain users You should avoid using the systemroot Profiles directory in the domain users profile path as a location to store server based profiles whether they are roaming or manda tory The path should allow t
9. User Shell Folders Registry Value Registry Data Description Common Start REG_EXPAND_ SZ Off value is removed from registry Menu Note REG_SZ can be On text of UNC path to folder used if no variables exist Default SystemRoot Profiles All Users Start Menu Shared Startup Folder Path Category Windows NT Shell Subcategory Custom shared folders Selection Custom shared Startup folder Description Specifies the UNC path the folder is to use to find folders files and shortcuts that should be started when the user logs on Key HKEY_LOCAL_MACHINE Software Microsoft Windows CurrentVersion Explorer User Shell Folders Registry Value Registry Data Description Common Startup REG_EXPAND_SZ Off value is removed from registry Note REG_SZ can be On text of UNC path to folder used if no variables exist Default SystemRoot Profiles All Users Start Menu Programs Startup Logon Banner Category Windows NT System Subcategory Logon Selection Logon banner Microsoft Windows NT Server White Paper 75 76 Microsoft Windows NT Server White Paper Description Before the user logs on displays a custom dialog box with text Key HKEY_LOCAL_MACHINE Software Microsoft Windows NT CurrentVersion Winlogon Registry Value Registry Data Description LegalNoticeCaption REG_SZ Off value is removed On text of caption LegalNoticeT ext REG_SZ Off value is removed O
10. and will be available on subsequent logons Flowchart 1 Administrator s First Tasks Will the user log on from Windows NT 3 5x machines in the future Yes a No changes are necessary The Windows NT 3 5x profile will be used automatically when the user logs on from Windows NT 3 5x based computers y After the user has successfully logged on and off for the first time and has saved the new Windows NT 4 0 profile remove the usr profile that exists for the user No changes to the Windows NT 4 0 profile directory are necessary Microsoft Windows NT Server White Paper 85 Workstation boots computer account is validated and user enters logon credentials Receive data from Domain Controller about User Account Y Does the user account contain a Yes User Profile path IS the server copy available See flowchart Accessing Server No based Profile o Pa Yesa FI t ilabl Does user override eae IN avalan e by having selected N Yes Local Set the Ignore Central internal 7 flag No Determine if local copy of profile is la 3 available Flag profile as mandatory or roaming Doe Central not availa
11. displayed stating that the operation failed create the folder manually be fore continuing Decide whether the user will receive a specific profile or if a default will be used instead e Ifthe user will receive a specific profile from the Windows 95 based computer hosting the profile to be used copy the complete contents of the local Profile folder to the folder created in Step 4 This writes the profile to the destination including the folder trees and the User xxx file originally included with the profile e f a default profile will be used no administrative action is required When the user logs on the Default User Profile from the local Windows 95 based machine will be used At log off this profile will be written to the user s home directory with any customizations the user has made NOTES If you need to troubleshoot problems with users not receiving their User Profiles have the users execute the command NET USE HOME from the command prompt on the client machine This verifies that the user can access the home directory and allows the user to verify that the User Pro file exists in that folder The profile does not need to be stored one directory below the server share The profile can be nested several directories below if desired Microsoft Windows NT Server White Paper 19 20 Microsoft Windows NT Server White Paper Creating a New Mandatory User Profile for Windows 95 If you have Windows 95 users in y
12. In this case the settings for Domain Admins override all other group s settings Groups highest on the list have the highest priority groups that have different settings for the same policy the setting for the group with the highest priority takes prec Group Order Members of the Departmental Group wall receive the settings from Domain Users first and then those of the Departmental Group will be applied Domain Admins 4 Departmental Group i Move U Domain Users 2 Move Down Users that are only a member of the Domain Users group will receive only these settings unless a user specific policy exists in which case no group policy settings will be applied OK Cancel Additional Implementation Considerations Although a properly implemented policy can simplify system administration in the long term such policy requires careful planning Before you implement system policies consider the following e Would administration be simplified by defining group settings rather than creating settings for individual users e Where are the computers located in your network Is geographic location an important aspect of your network s design for example is your net work distributed over a large geographic area If so computers from a certain locale may benefit from retrieving policy files from a machine that is close at hand as opposed to using a domain controller that may not be nearby Microsoft W
13. Make changes to the options desired For more information on each op tion see the portion of this guide titled Registry Keys Modified by the System Policy Editor Default Templates From the File menu click Save As and save the policy file with the appro priate name e f workstations will be set to Automatic mode use the file name NTconfig pol e f workstations will be set to Manual mode use the name of your choice If workstations will be set to Automatic mode place the file in the NETLOGON share of each of the domain controllers that will be perform ing authentication To simplify this process you can use directory replication from Windows NT to replicate the file to the other domain con trollers If you use replication and later make changes to the file the modified file will be duplicated across validating machines automatically Windows NT based workstations by default are set to download the policy file in Automatic mode If you modify the setting to specify manual update and to point to a specific machine you must inform the workstation about this location change There are two ways to do this e Place the policy file in the location specified for manual updates but maintain a policy file in the NETLOGON share that points to the man ual path Then leave the Windows NT based workstation in the default Automatic mode When the policy file is first downloaded this change will be made and at next logon and every log
14. Selection Description Key Windows NT Shell Restrictions Remove Taskbar from settings on Start menu Removes the Taskbar option from settings on the Start menu Removing the Taskbar Control Panel and Printer folders causes the Settings menu to be removed com pletely HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Description NoSetTaskbar REG_DWORD Off 0 or value is removed On 1 Start Menu Find Command Category Windows NT Shell Subcategory Restrictions Selection Remove Find command from Start menu Description Completely removes the Find option from the Start menu Key HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Description NoFind REG_DWORD Off 0 or value is removed On 1 56 Microsoft Windows NT Server White Paper My Computer Drive Icons Category Windows NT Shell Subcategory Restrictions Selection Hide drives in My Computer Description Removes the icons for the drives in My Computer Key HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Description NoDrives REG_DWORD Off value is removed On 3fffffff Network Neighborhood Icon Category Windows NT Shell Subcategory Restrictions Selection Hide Network Neighborhood Description Removes the N
15. Setting Persistent Connections Working Around Slow Network Links Creating and Maintaining User Profiles csc0seeceseeeeseeeesseeeeeeseee Creating a New Roaming User Profile for Windows NT 4 0 Creating a New Mandatory User Profile for Windows NT 4 0 Making a Roaming Profile Mandatory in Windows NT 4 0 Changing the User s Ability to Modify a Profile Enforcing the Use of the Server based Profile Creating a New Roaming User Profile for a Windows 95 User Creating a New Mandatory User Profile for Windows 95 Maintaining User Profiles with Control Panel System Properties Deleting Profiles Changing the Profile Type from Roaming to Local Determining Which Profile ls Displayed Copying Profiles Viewing the Contents of the Profiles Directory on a Local Computer Log Files Used by Profiles The All Users Shared Profile Default User Template Profiles Profile Names and Storage in the Registry Manually Administering a User Profile through the Registry Modifying the Default User Profile Upgrading Windows NT 3 5x Server based Profiles to Windows NT 4 0 Roaming Profiles Upgrading Windows NT 3 5x Mandatory Profiles to Windows NT 4 0 Mandatory Profiles Extracting a User Profile for Use on Another Domain or Machine Creating Profiles Without User Specific Connections Troubleshooting User Profiles with the UserEnv log File System Policy An Introduction sccsceceseeseseeseeeeseeeeseeeeeeeeeee System Policy Files Policy Replication H
16. Windows NT the default behavior is for the computer to check for a policy file in the NETLOGON share of the validat ing domain controller If directory replication to a domain controller fails and a Windows NT based workstation does not find a policy file on that server no policy will be applied and the existing settings will remain possibly leaving the user with a nonstandard environment or more capabilities than you want that particular user to have How Policies Are Applied Once located policies are applied as follows e f the policy file includes settings for the specific user account those are applied to the HKEY_CURRENT_USER registry key Other group settings are discarded even if the user is a member of the group because the user settings take precedence e lf a user specific policy is not present and Default User settings exist the Default User settings are applied to the HKEY_CURRENT_USER registry key e f no user specific settings are present and group settings exist the user s group membership in each of those groups is checked If the user is a member of one or more groups the settings from each of the groups starting with the lowest priority and continuing through the highest priority are applied to the HKEY_CURRENT_USER key in the registry e applied to the HKEY_CURRENT_USER key in the registry NOTE If a setting is ignored gray in the group settings but the same setting is marked as enabled or disable
17. additional TCO reducing features appear in Micro soft Windows 98 Windows NT 5 0 and Microsoft Systems Management Server Central to these features is the idea of centralized desktop control This is accomplished through User Profiles and System Policies the subject of this paper What are User Profiles and System Policies A Microsoft Windows NT 4 0 User Profile describes the Windows NT configu ration for a specific user including the user s environment and preference settings For example those settings and configuration options specific to the user such as installed applications desktop icons color options and so forth are contained in a User Profile This profile is built in part from System Policy information for example those things that a user has access to and those things that the user can and cannot change and in part from permitted saved changes that a user makes to customize his or her desktop A System Policy is a set of registry settings that together define the com puter resources available to a group of users or an individual Policies define the various facets of the desktop environment that a system administrator needs to control such as which applications are available which applications appear on the user s desktop which applications and options appear in the Start menu who can change attributes of their desktops and who cannot and so forth With the addition of System Policies and the new User Profi
18. and regardless of where he or she logs on The settings available in the System Policy Editor provide a variety of options for managing the user environment For a detailed list of these options see the section Registry Keys Modified by the System Policy Editor Default Templates System Policy Files Policies can define a specific user s settings or the settings for a group of us ers The resulting policy file contains the registry settings for all users groups and computers that will be using the policy file Separate policy files for each user group or computer are not necessary If you create a policy that will be automatically downloaded from validating domain controllers you should name the file NTconfig pol As system admin istrator you have the option of renaming the policy file and by modifying the Windows NT based workstation directing the computer to update the policy from a manual path You can do this by either manually changing the registry or by using System Policy This path can even be a local path such that each machine has its own policy file but if a change is necessary to all machines Microsoft Windows NT Server White Paper 35 36 Microsoft Windows NT Server White Paper this change must be made individually to each workstation When auser of a Windows NT 4 0 based workstation logs on if the Windows NT 4 0 based machine is working in Automatic mode which is the default the workstation checks the NE
19. brief description of the situation the current status of the profiles on the server actions that you need to take to administer the profile properly any required user action references to sections of this guide that have more detailed infor mation and any applicable usage notes Existing Windows NT 3 5x Roaming Profile A domain user has an existing Windows NT 3 5x roaming profile and will con tinue to log on to Windows NT 3 5x based computers only e What currently exists A myuser usr file exists in the folder lmyserver myshare e Administrator action None e User action None Existing Windows NT 3 5x Roaming Profile A domain user has an existing Windows NT 3 5x mandatory profile and will continue to log on to Windows NT 3 5x based computers only e What currently exists A myuser man file exists in the folder lmyserver myshare e Administrator action None e User action None Migrating Windows NT 3 5x Roaming Profile to Windows NT 4 0 Roaming Profile A domain user has an existing Windows NT 3 5x roaming profile and moves to a Windows NT 4 0 based computer e What currently exists A myuser usr file exists in the folder lmyserver myshare e Administrator action None e User action To automatically upgrade the profile log on to the Windows NT 4 0 based computer and then log off The automatic upgrade creates a new folder with the name myuser pds in the existing directory lmyserver myshare Inside the new
20. folder is the upgraded User Profile for the domain user e For more information See the section Upgrading 3 5x Server Based Profiles to 4 0 Roaming Profiles Migrating Windows NT 3 5x Mandatory Profile to Windows NT 4 0 Mandatory Profile A domain user has an existing Windows NT 3 5x mandatory profile and moves to a Windows NT 4 0 based computer where the user will have a mandatory profile e What currently exists A myuser man file exists in the folder lmyserver myshare Administrator action Create a folder with the name myuser pdm in the existing folder myserver myshare and then place the desired mandatory profile into the new folder User action None Notes Once this procedure is performed the Windows NT 3 5x profile is still available to the user should he or she ever log on to a Windows NT 3 5x based computer again The Windows NT 4 0 User Profile is main tained separately The administrator can remove the Windows NT 3 5x profile if the user will only be using Windows NT 4 0 based computers For more information See the section Upgrading 3 5x Mandatory Pro files to 4 0 Mandatory Profiles Migrating Windows NT 3 5x Mandatory Profile to Windows NT 4 0 Roaming Profile A domain user has an existing Windows NT 3 5x mandatory profile and moves to a Windows NT 4 0 based computer where they will have a roaming profile What currently exists A myuser man file exists in the folder lmyserver myshare Admini
21. given the task of getting nonessential operations off the mainframe Their decision was to deploy personal computers in the enterprise with emulation software for mainframe access and local software for tasks where central processing or data sharing were not required Gradually as PCs became more powerful more and more operations moved to the desktop And as PC networking matured many businesses found that a PC based network built on commodity hardware and off the shelf software was their best business solution Lately however we ve come full circle on this It seems that the total cost of ownership or TCO the real cost of maintaining a distributed personal com puter network is far from trivial TCO includes the initial capital cost of hardware and software deployment and configuration expense costs associ ated with deploying hardware and software updates training and retraining day to day maintenance and administration and telephone and on site techni cal support With these escalating costs in mind Microsoft and others are working together on several initiatives to lower the total cost of ownership of personal computers TCO and the User One of the major costs highlighted in recent reports on Total Cost of Owner ship TCO is lost productivity at the desktop caused by user error such as changing the system configuration and rendering the computer unworkable or system distractions and complexities for example too m
22. is avoided if you place the profile in a subdirectory of the home directory as follows server share domainuser profile Setting Persistent Connections Persistent connections are stored in the User Profiles registry hive under the Network subkey If you create a template User Profile that includes persistent connections and you have to supply credentials when making those connec tions the credentials with the exception of the password you used are stored in the User Profile When the new user receives the template User Pro file these saved credentials are passed as opposed to the logged on user s credentials and the connection may fail There are three methods to correct this 1 You can recreate the profile without supplying alternate credentials when connecting to network resources or 2 Using Registry Editor Regedt32 exe use blank spaces to erase the contents of the USERNAME value under HKEY_CURRENT_USER Network drive letter Do not delete the value just fill it with blank spaces Save the profile For additional help refer to the section Administering a User Profile Manually Through the Registry later in this document or 3 Delete the network connection and reconnect Working Around Slow Network Links Slow Net which is configured in System Policy was designed to offer a user faster access to his or her User Profile if the system detects a slower network speed such as a modem line connectio
23. logged on to the local machine will have a SID recorded here in a subkey with a value that contains the path to that user s local profile ProfilelmagePath Should multiple users with the same account name log on to the network separate distinct profiles are created for each For example if Microsoft Windows NT Server White Paper 27 28 Microsoft Windows NT Server White Paper multiple users with the account name John Smith log on to the computer the first John Smith is assigned a folder named JohnSmith Subsequent users with the same name are assigned folders named JohnSmith with a numerical suffix appended for example JohnSmith 000 JohnSmith 001 and so forth Manually Administering a User Profile through the Registry As system administrator you may need to change a given setting to avoid un necessary user interaction to make modifications before setting the profile to mandatory or to add custom registry entries In addition you may need to modify the Default User Profile on a computer before new users log on and use it as the template You can open a specific user s profile or the Default User Profile and customize it manually as explained in the procedure below NOTE Make sure that the user is not logged on before using this procedure If the user is logged on while changes are made the changes will be overwritten by the user s preferences because profile settings are saved at log off As discussed earlier the NTus
24. operating system and gives the administrator an at a glance look at the internal processing that occurs when policies are implemented under Windows NT 4 0 Initiate application of policy Does User Specific Policy exist Yes n Read User Specific Policy and write Registry entries x we No ae Does Default User Policy exist Yes Read Default User Policy and write Registry entries ee Do Group Policies exist o Do not modify Registry Does Machine Specific Policy exist Yes an Read Machine Specific Policy and write Registry entries L No Yes b Apply policy of lowest priority group and continue through highest priority until complete If setting has already been set by Default User and the same option is gray in the Group Policy do not modify from the Default User setting a Does Default Computer Policy exist T Yes AA End policy process m Read Default Computer Policy and write Registry entries Flowchart 5 Policy Application Microsoft Windows NT Server White Paper 89 APPENDIX B IMPLEMENTING USER PROFILES 90 Microsoft Windows NT Server White Paper The following are typical user profile scenarios that you may encounter in the future or may have already encountered Each of these scenarios includes a
25. policies with the System Policy Editor The System Policy Editor is a graphical tool provided with Windows NT Server 4 0 that allows you to easily update the registry settings to generate the correct environment for a particular user or group of users The System Policy Editor creates a file that contains registry settings which are then written to the user or local machine portion of the registry database User Profile settings that are specific to a user who logs on to a given workstation or server are written to the registry under HKEY_CURRENT_USER Likewise machine specific settings are written under HKEY_LOCAL_MACHINE When you apply a System Policy the new policy overwrites the existing registry settings thus giving you as system administrator the ability to set restrictions for the client machine and user When a user logs on toa Windows NT 4 0 computer the user s profile is loaded first and then the Sys tem Policy is downloaded Any registry settings that you have reconfigured whether these are machine specific changes or are specific to the user logging on are changed before the user receives control of the desktop Note that System Policy changes are not dynamic if you make a change to the policy affected users must log off and log back on so that the new policy can be downloaded and applied With a properly implemented policy you can customize the user s environ ment to your specifications despite the user s preferences
26. that directory the registry hive NTuser dat and the rest of the profile structure folders are kept If a user is allowed to view context menus or has administrator privileges the user can right click the Start button click the Ex plore option and have the Explorer window automatically open to his or her profile directory with the contents displayed In addition administrators can click the Explore All Users option to display the All Users profile directory Microsoft Windows NT Server White Paper 25 26 Microsoft Windows NT Server White Paper BX Exploring roamuser ioj x File Edit View Tools Help All Folders Contents of toamuser a Profiles 4 Application Data administrator Desktop 3 All Users Favorites Cy Desktop NetHood a Start Menu 7 Personal i B Programs PrintHood Default User Recent ee J SendTo Policy a Start Menu Sy TENET C Application Data Templates H E Desktop 2 Ntuser dat G Favorites ntuser dat LOG C NetHood I Personal PrintHood Recent E SendTo H Q Start Menu I Templates xl 12 object s 121KB Disk free space 119MB You may notice that in a given user s profile directory there are more files and directories than those listed in the example above This may be due to the files and directories created by the user For example when the user logs on if the server based profile is found to be more recent than th
27. the workstation where he or she will interactively log on no further administration is required If the user s profile will be a copy of an existing user profile refer to Step 9 Otherwise use User Manager to create an account for establish ing a template profile So that you can easily identify this account we recommend that it be called TemplateUser Using the template account TemplateUsen log on to the local machine or domain A new directory with the same name as the user name created in Step 4 will be created in the systemroot Profiles directory when you first log on For example if the user name is TemplateUser the resulting directory name will be systemroot Profiles TemplateUser Modify any items that need to differ from the current default for example you may choose to modify the background color or bitmap shortcuts on the desktop and View options in My Computer Log off and then log back on to the same computer using an account with administrative privileges 8 Place the template profile in the appropriate location for the type of profile distribution that will be used The template profile including customiza tions is stored initially in systemroot Profiles T emplateUser e if the template profile will be distributed manually to multiple users e Create a directory where the template profile will be stored for distribution to each user account created From the Windows NT based machine hosting the
28. tions to network resources in the shared profile by granting the user creating the template profile sufficient permissions in advance e Before modifying the profile to be a mandatory profile run a REGINI script that removes the credentials from the UserName value Do not delete the value only the string data Troubleshooting User Profiles with the UserEnv log File The UserEnv log is an invaluable tool for troubleshooting the process of load ing and unloading User Profiles Each step in the User Profile process is recorded in the log including informational and error related messages The checked version of the UserEnv dll is the same dynamic link library dll as the retail version except that it contains debug flags that you can set and use with the kernel debugger This file which is included in both the Windows NT Device Driver Kit DDK and the Windows NT Software Devel opment Kit SDK when used in conjunction with a registry entry generates a log file that can be used in troubleshooting and debugging problems with roaming profiles and system policies on Windows NT 4 0 clients To enable logging 1 Rename the file UserEnv dll in the systemroot SYSTEM32 directory to UserEnv old or to a unique name of your choice 2 Copy the checked version of UserEnv dll to the systemroot S YSTEM32 directory of the client machine that you want to debug The checked version of the UserEnv file must match the version of the operating system
29. value is removed On text of color scheme name Start Menu Run Command Category Subcategory Selection Description Key Windows NT Shell Restrictions Remove Run command from Start menu Removes the user s ability to start applications or proc esses from the Start menu by removing the option completely Note that if the user still has access to the MS DOS prompt icon or command prompt the user can start unauthorized applications To further restrict the user s ability to run specific applications refer to the pol icy setting for Run only allowed Windows applications later in this section HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Description NoRun REG_DWORD Off 0 or value is removed On 1 Settings Folders Category Subcategory Selection Description Key Windows NT Shell Restrictions Remove folders from settings on Start menu Removes the Control Panel and Printers folders from the Settings menu Removing the Taskbar Control Panel and Printer folders causes the Settings menu to be re moved completely HKEY_CURRENT_USER Software Microsoft Microsoft Windows NT Server White Paper 55 Windows CurrentVersion Policies Explorer Registry Value Registry Data Description NoSetFolders REG_DWORD Off 0 or value is removed On 1 Settings Taskbar Category Subcategory
30. 3 Click the Windows Setup tab and select Have Disk Microsoft Windows NT Server White Paper 39 40 Microsoft Windows NT Server White Paper 4 Browse to locate the directory x Admin Apptools Poledit where x is drive A through Z on the Windows 95 compact disc 5 Select both Group Policies and the System Policy Editor and then click OK to Install It is important that you run the setup program as described above Undesir able results will occur if you merely copy the Policy Editor and related files to the Windows 95 based computer To install the System Policy Editor from a Windows NT 4 0 Server 1 Copy the Poledit exe file from the Windows NT Server 4 0 to the windows directory of the Windows 95 based machine 2 Copy the Common adm and Windows adm files from the Windows NT 4 0 based server to the windows directory of the Windows 95 based machine 3 Create a shortcut to the System Policy Editor executable Poledit exe located in the windows directory of the Windows 95 based computer Updating the Registry with the System Policy Editor The System Policy Editor allows you to easily update the registry settings to generate the correct environment for a particular user or group of users You can use the System Policy Editor in two ways e You can open the local registry through the System Policy Editor and change the settings for the local user and computer e You can modify an existing policy file or create a new one to
31. 7 57 57 58 58 Start Menu Shut Down Command Saved Settings Registry Editing Tools Windows Applications Restrictions Custom Programs Custom Desktop Icons Start Menu Subfolders Custom Startup Folder Custom Network Neighborhood Custom Start Menu Shell Extensions Explorer File Menu Start Menu Common Program Groups Taskbar Context Menus Explorer Context Menu Network Connections Explorer Context Menu Autoexec bat Logon Scripts Task Manager Welcome Tips Default Computer Settings Remote Update Communities Permitted Managers Public Community Traps Run Command Drive Shares Workstation Drive Shares Server Printer Browse Thread Server Scheduler Error Beep Authentication Retries Authentication Time Limit RAS Call back Interval RAS Auto disconnect Shared Programs Folder Path Shared Desktop Icons Path Shared Start Menu Path Shared Startup Folder Path Logon Banner Logon Dialog Shut Down Button Logon Name Display Logon Scripts Long File Names Extended Characters in 8 3 File Names Read Only Files Last Access Time Cached Roaming Profiles Slow Network Detection Slow Network Timeout Dialog Box Timeout Registry Entries Not Included in the System Policy Editor Autorun Start Banner For More Information scccssssscscscencncencencneencseneencnecnesecsnsnesnesesneeneseses Appendix A Flowcharts 1 cscsseecesseeessesesseseeeeseeeesseseeseseeseseeeeseeees User Profile Flowcharts System Pol
32. ACHINE System CurrentControlSet Control Microsoft Windows NT Server White Paper 71 72 Microsoft Windows NT Server White Paper Print Registry Value Registry Data Description SchedulerThreadPriority REG _DWORD Above normal 1 Normal 0 Less than normal ffffffff Error Beep Category Windows NT Printers Subcategory Sharing Selection Beep for error enabled Description Enables beeping every 10 seconds when a remote job error occurs on a print server Key HKEY_LOCAL_MACHINE System CurrentControlSet Control Print Registry Value Registry Data Description BeepEnabled REG_DWORD Off 0 On 1 Authentication Retries Category Windows NT Remote Access Selection Max number of unsuccessful authentication retries Description Specifies the number of times authentication will be at tempted for a user Key HKEY_LOCAL_MACHINE System CurrentControlSet Services RemoteAccess Parameters Registry Value Registry Data Description AuthenticateRetries REG DWORD Off value is removed On Number of re tries in hexadecimal Decimal 1 10 default 2 Authentication Time Limit Category Windows NT Remote Access Selection Max time limit for authentication Description Defines the maximum time limit in seconds for authenti cation to occur Key HKEY_LOCAL_MACHINE System CurrentControlSet Services RemoteAccess Parameters Registry Value Registry Data
33. Description AuthenticateTime REG_DWORD Off value is removed On time in sec onds in hexadecimal Decimal 20 600 default 120 RAS Call back Interval Category Selection Description Key Windows NT Remote Access Wait interval for callback Specifies the time in seconds that Windows NT will wait before initiating the callback from a RAS dial in user HKEY_ LOCAL MACHINE System CurrentControlSet Services RemoteAccess Parameters Registry Value Registry Data Description CallbackTime REG_DWORD Off value is removed On time in seconds in hexadecimal Decimal 2 12 default 2 RAS Auto disconnect Category Selection Description Key Windows NT Remote Access Auto disconnect Specifies the amount of idle time in minutes to wait be fore disconnecting the RAS client HKEY_LOCAL_MACHINE System CurrentControlSet Services RemoteAccess Parameters Registry Value Registry Data Description AutoDisconnect REG_DWORD Off value is removed On time in min utes in hexadecimal Decimal minimum 0 default 20 Microsoft Windows NT Server White Paper 73 74 Microsoft Windows NT Server White Paper Shared Programs Folder Path Category Windows NT Shell Subcategory Custom shared folders Selection Custom shared Programs folder Description Specifies the UNC path for the folder to use when dis playing folders files and shortcuts below the divisio
34. Microsoft indows NT Server Server Operating System SSS White Paper Guide to Microsofts Windows NTo 4 0 Profiles and Policies 1997 Microsoft Corporation All rights reserved The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication Because Microsoft must respond to changing market conditions it should not be interpreted to be a commitment on the part of Microsoft and Microsoft cannot guarantee the accuracy of any information presented after the date of publication This White Paper is for informational purposes only MICROSOFT MAKES NO WARRANTIES EXPRESS OR IMPLIED IN THIS DOCUMENT Microsoft the BackOffice logo MS DOS Windows and Windows NT are registered trademarks of Microsoft Corporation Other product or company names mentioned herein may be the trademarks of their respective owners Microsoft Corporation One Microsoft Way Redmond WA 98052 6399 USA 0997 Microsoft SZ SK Windows NT Server Abstract This guide provides information and procedures for implementing Microsoft Windows NT 4 0 Profiles and Policies on client workstations and servers A Microsoft Windows NT 4 0 User Profile describes the Windows NT configuration for a specific user including the user s environment and preference settings A System Policy is a set of registry settings that together define the compute
35. NT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Description NoViewContextMenu REG DWORD Off 0 or value is removed On 1 Network Connections Category Subcategory Selection Description Key Windows NT Shell Restrictions Remove the Map Network Drive and Disconnect Net work Drive options Prevents users from making additional network connec tions by removing the Map Network Drive and Disconnect Network Drive buttons from the toolbar in Explorer and also removing the menu items from the Context menu of My Computer and the Tools menu of Explorer This option was added in Service Pack 2 HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Microsoft Windows NT Server White Paper 65 66 Microsoft Windows NT Server White Paper Explorer Registry Value Registry Data Description NoNetConnectDisconnect REG DWORD Off 0 or value is removed On 1 Explorer Context Menu Category Subcategory Selection Description Key Windows NT Shell Restrictions Disable link file tracking When enabled link file tracking uses the configured path shown in properties for the shortcut to an application in stead of the absolute path This option disables link file tracking This option was added in Service Pack 2 HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Val
36. Networks in the Windows 95 Resource Kit For more information on configuring a client that uses Microsoft Service for NetWare Directory Services see the online Help that accompanies the service How User Profiles Are Handled in Windows 95 When a user logs on to a Windows 95 machine the local profile path HKEY_ LOCAL MACHINE Software Microsoft Windows CurrentVersion Profile List is checked for an existing entry for that user If the user has an entry in this registry location Windows 95 checks for a lo cally cached version of the user s profile Windows 95 also checks the user s Microsoft Windows NT Server White Paper 7 8 Microsoft Windows NT Server White Paper home directory or other specified directory if the location has been modified on the server for the User Profile If a profile exists in both locations the newer of the two is used If the User Profile exists on the server but does not exist on the local machine the profile on the server is downloaded and used If the User Profile only exists on the local machine that copy is used If a User Profile is not found in either location the Default User Profile from the Windows 95 machine is used and is copied to a newly created folder for the logged on user At log off any changes that the user made are written to the user s local profile If the user has a roaming profile the changes are writ ten to the user s profile on the server User Profile Planning and I
37. Policy Editor to modify a policy Knowing the location of these registry settings may help you to resolve problems Default User Settings The following data is specific to the options found in the Default User portion of the System Policy Editor Control Panel Display Application Category Control Panel Subcategory Display Selection Restrict display Description Removes or enables tabs from the Control Panel Display application Key HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies System Registry Value Registry Data Description NoDispCPL REG_DWORD Off 0 or value removed On 1 NoDispBackgroundPage REG_DWORD Off 0 or value removed On 1 NoDispScrSavPage REG_DWORD Off 0 or value removed On 1 NoDispAppearancePage REG_DWORD Off 0 or value removed On 1 NoDispSettingsPage REG_DWORD Off 0 or value removed On 1 Wallpaper Category Desktop Selection Wallpaper Description Defines the path to be used when loading wallpaper and determines whether to tile it or not Key HKEY_CURRENT_USER Control Panel Desktop Registry Value Registry Data Description Wallpaper REG_SZ Off value is removed On text of path to wallpaper TileW allpaper REG_SZ Off 0 or value is removed On 1 Color Scheme Category Selection Key Desktop Color scheme HKEY_CURRENT_USER Control Panel Appearance Registry Value Registry Data Description Current REG_SZ Off
38. RRENT _USER Software Microsoft Windows CurrentVersion Policies Explorer RestrictRun Registry Value Registry Data Description Number Increment Starting with 1 REG_SZ Off value is removed On text of applica tion name 60 Microsoft Windows NT Server White Paper Custom Programs Category Windows NT Shell Subcategory Custom Folders Selection Custom Program folder Description Specifies the UNC path for the folder to use when dis playing folders files and shortcuts available when the user selects Programs from the Start menu The user s profile Programs is an additional selection Key HKEY CURRENT USER Software Microsoft W indows CurrentVersion Explorer User Shell Folders Registry Value Registry Data Description Programs REG_REG_SZ Off value is removed On text of UNC path to folder Default Y USERPROFILE Start Menu Programs Custom Desktop Icons Category Windows NT Shell Subcategory Custom Folders Selection Custom desktop icons Description Specifies the UNC path the folder is to use when dis playing the folders files and shortcuts the user receives on the desktop Key HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Explorer User Shell Folders Registry Value Registry Data Description Desktop REG_SZ Off value is removed On text of UNC path to folder Default USERPROFILE Desktop Start M
39. Shell Folders Registry Value Registry Data Description NetHood REG_SZ Off value is removed On text of UNC path to folder Default USERPROFILE NetHood Custom Start Menu Category Subcategory Selection Description Key Windows NT Shell Custom Folders Custom Start menu Specifies the UNC path the folder is to use when dis playing the folders files and shortcuts the user receives as part of the Start menu HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Explorer User Shell Folders Registry Value Registry Data Description Start Menu REG_SZ Off value is removed On text of UNC path to folder Default USERPROFILE Start Menu Shell Extensions Category Subcategory Selection Key Windows NT Shell Restrictions Only use approved shell extensions HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Description EnforceShellExtensionSecurity REG_DWORD Off 0 or value is removed On 1 Microsoft Windows NT Server White Paper 63 64 Microsoft Windows NT Server White Paper Explorer File Menu Category Subcategory Selection Description Key Windows NT Shell Restrictions Remove File menu from Explorer Removes the File option from Explorer s toolbar This option was added in Service Pack 2 HKEY_CURRENT_USER Software Mcrosoft Windows CurrentVersi
40. TLOGON share on the validating do main controller DC for the NTconfig pol file If the workstation finds the file it downloads it parses it for the user group and computer policy data and ap plies it if appropriate If a user logs on to a machine that has a computer account in a resource domain the search for the NTconfig pol file is redirected to the validating domain controller in the account domain In this situation the Windows NT 4 0 based workstation has a secure communication channel es tablished to a domain controller of the resource domain The Windows NT based workstation sends the user s logon request over this communication channel and expects a response the same way The domain controller in the resource domain receives this request forwards it to a domain controller in the user s account domain and waits for a response Once the domain controller in the resource domain receives this response from the account domain s DC it returns the authentication request to the client machine including the vali dating domain controller s name from the account domain The Windows NT based workstation now knows where to look for the NTconfig pol file Policy Replication If you implement a System Policy file for Windows NT users and computers and you intend to use the default behavior of Windows NT be sure that direc tory replication is occurring properly among all domain controllers that participate in user authentication With
41. Windows NT based machines As a result Windows 95 and Windows NT policy files are not interchangeable After you complete the installation the administrative tools group includes the System Policy Editor System Policy Editor Untitled oj x File Edit View Options Help Default Default User DomUser Domain Domain Users Computer Admins 5 entries Installing the System Policy Editor on a Windows NT Workstation You have two options when installing the System Policy Editor on a Windows NT Workstation based computer You can e Run the Setup bat file from the Windows NT 4 0 CD ROM Clients Svrtools Winnt directory or e Copy the System Policy Editor executable Poledit exe and template files to the workstation The template files have an adm extension and are lo cated in the systemroot INF directory which is hidden by default Installing the System Policy Editor on a Windows 95 Computer When you install the System Policy Editor on a Windows 95 based computer the installation process modifies the Windows 95 registry to allow system poli cies to function correctly You can install the policy editor from the Windows 95 Upgrade or Retail compact disc or you can install the editor that ships with Windows NT Server 4 0 To install the System Policy Editor from the Windows 95 compact disc 1 Insert the Windows 95 Upgrade compact disc in your CD ROM drive 2 Open Control Panel and click Add Remove Programs
42. Windows NT files The directory name is specified when Windows NT is installed normally this directory name is c winnt systemroot profiles A folder in the root directory that contains the user profiles for each user of the computer Yusername An environment variable that expands to become the user account ID for the current logged on user This identifies the user account to Windows NT Technical Notes Several portions of this guide refer to registry locations that allow you to change certain behaviors of Windows NT and modify settings For this reason we include the following warning Caution Using Registry Editor incorrectly can cause system wide problems that may require you to reinstall Windows NT to correct them Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be resolved In addition portions of this guide refer to a registry hive called NTuser xxx In instances where this is used xxx can be replaced with either dat or man ESTABLISHING USER PROFILES AN OVERVIEW A Microsoft Windows NT 4 0 User Profile describes the Windows NT configu ration for a specific user including the user s environment and preference settings A User Profile can be local roaming or mandatory A local profile is specific to a given computer A user who creates a local profile on a particular computer can gain access to that profile only while logged on to that computer Conversely a roami
43. ablish a network share Users who will have mandatory pro files need only Read permissions to the shared directory For more information on planning for this type of user read the sections Selecting a Location to Save User Profiles and Setting Permissions for User Profiles earlier in this document If your implementation stores user profiles within users home directories make the profile directory a subdirectory of the user s home directory Note that this approach precludes the use of the USERNAME variable To prevent the share from being browsable append to the share name 2 If this will be a domain user or if this will be a local account for a Windows NT Server use User Manager for Domains to create the ac count If this will be a Windows NT 4 0 Workstation account use the version of User Manager included in the Administrative Tools program group Refer to your operating system documentation and online Help for procedures when using these tools Note that for this example the user account is mydomainuser 3 Enter the User Profile path This is the location where the User Profile will be stored for example myserver myshare mydomainuser Or if the profile is being stored within the user s home directory use lmyserver myshare MyUsersHomeDir profile 4 Determine if an extension needs to be appended to the User Profile path If it will be mandatory that the user reads the profile from the server and
44. aded at each logon written to a temporary file and applied When the NoViewContextMenu policy was introduced it did not support the tree view on the left hand side of Explorer This was corrected in Service Pack 3 If this option is turned on context menus for both the list view and the tree view are disabled Manual mode policy path expansion support was added in Service Pack 3 If you specify a policy path in the registry rather than using Automatic mode Windows NT now supports paths in the form of lsomeserver share ntconfig pol If the administrator created a new policy file and turned on synchronous logon scripts saved it to disk and reloaded the policy file the policy set ting would be lost because the adm file needed modification in three different places This was corrected in Service Pack 3 Changing the location of a user s Start menu caused duplicate Programs items If you used the System Policy Editor to change the Custom Start Menu to point to a different directory even an empty one the user would receive the normal Programs menu item and a Programs menu item above it that pointed to the All Users programs directory This has been corrected in Service Pack 3 The Microsoft Office 97 Resource Kit contains adm files that administra tors can use when configuring the Office environment for their users This is available now from Microsoft APPENDIX D RELATED KNOWLEDGE BASE ARTICLES The articles below can be ref
45. ain controller c Modify the permissions to reflect the Everyone group To do this click the Change button select the account and click OK Click OK again to copy the profile e To copy a template profile manually to a number of users a Copy the entire contents files and subdirectories from the direc tory containing the template user profile created in Step 8 to the directory created in Step 9 b Repeat this for each of the user profile directories that will receive the template user profile NOTES When entering the path to the target directory you can use Uniform Naming Convention UNC names However if you are going to use the Browse function to locate the target directory for the profile it is important that you first map a drive to the server share where the profile will be stored The mydomainuser name shown in Step 2 does not have to be the user s name Many user accounts or groups can be configured to point to the same profile Of course if the profile is shared by a group of users and is not mandatory as each user logs off the user s changes are written back to the shared profile The profile does not need to be stored one directory below the server share The profile can be nested several directories below or the profile path can be local If the profile path points to a directory on the local machine a share is not needed The variable USERNAME is replaced by the user name only once in the User Profil
46. and Service Pack installed on the client computer 3 Start REGEDT32 and locate the following path HKEY_LOCAL_MACHINE SOFTWARE Microsoft WindowsNT CurrentVersion Winlogon 4 Create a new value called UserEnvDebugLevel as a REG_DWORD type Assign the hex value 10002 5 Reboot the computer Logging information will be recorded in the root directory of the C drive as UserEnv log You can use Notepad to view the log file A sample log is pro vided next Microsoft Windows NT Server White Paper 33 34 Microsoft Windows NT Server White Paper LoadUserProfile Entering hToken lt Oxac gt IpProfilelnfo 0x12f4f4 LoadUserProfile pProfilelnfo gt dwFlags lt 0x2 gt LoadUserProfile lpProfilelnfo gt lpUserName lt administrator gt LoadUserProfile NULL central profile path LoadUserProfile lpProfilelInfo gt lpDefaultPath lt DfsES netlogon Default User gt LoadUserProfile pProfilelnfo gt lpServerName lt DfsES gt LoadUserProfile pProfilelnfo gt lpPolicyPath lt DfsES netlogon ntconfig pol gt RestoreUserProfile Entering RestoreUserProfile Profile path lt gt RestoreUserProfile User is a Admin IsCentralProfileReachable Entering IsCentralProfileReachable Null path Leaving GetLocalProfilelmage Found entry in profile list for existing local profile GetLocalProfilelmage Local profile image filename lt System Root Profiles Administrator gt GetLocalProfilelmage Expanded local prof
47. any features or nones sential applications installed on the desktop To solve these problems system administrators need a means to control a user s access to key configuration files and to features and applications that are not required to do that user s particular job To be successful this means of control must be flexible and customizable the system administrator must be able to control the computer configurations of individuals and groups of users based on user job responsi bilities and computer literacy Profiles Policies and the Zero Administration Kit The Zero Administration Kit ZAK for the Microsoft Windows NT version 4 0 operating system is designed to help the corporate administrator address some of the issues arising from user operations ZAK is a set of methodologies for deploying Microsoft Windows NT 4 0 that greatly reduces the burden of individual desktop management for task based workers With ZAK system administrators can establish user profiles system policies and security to re duce some of the administrative costs associated with managing end users in an enterprise network ZAK s methodologies are based on the underlying technologies and capa Microsoft Windows NT Server White Paper 1 2 Microsoft Windows NT Server White Paper bilities of Windows NT 4 0 and as such these techniques can readily be adapted to accommodate a corporation s specific computing requirements In the near future you will see
48. ary NTuser xxx file In the directory that the profile was copied to in Step 3 check the NTUSER xxx file for the man extension If the extension is dat the profile will still be modifiable Change the extension to man if necessary NOTES When entering the path to the target directory you can use universal naming convention UNC names However if you are going to use the Browse function to locate the target directory for the profile it is important that you first map a drive to the server share where the profile will be stored The mydomainuser name shown in Step 2 does not have to be the user s name Many user accounts or groups can be configured to point to the same profile Because this is a mandatory profile this may be the desired use of the profile since the administrator wants all the users in the group to re ceive the same settings The profile does not need to be stored one directory below the server share The profile can be nested several directories below or the profile path can be local If the profile path points to a directory on the local machine a share is not needed The variable USERNAME is replaced by the user name only once in the User Profile path in User Manager and it must be the last subdirectory in the path However extensions can still be added such as usr or man The LOGONSERVER variable can be used for mandatory profiles to provide fault tolerance Do not place dou
49. ay avalie Hide Network Neighborhood No Entire Network in Network Neighborhood In this state this flags the setting such that it will No workgroup contents in Network Neighborhood overnite the target client machines registry with the disabled value Regardless of the current state when the policy file is applied next the user will have the Find command on the Start Mem Policies are applied as follows e f the box is checked it is implemented When the user next logs on the user s computer conforms to the policy If the option was checked the last time the user logged on Windows NT makes no changes Microsoft Windows NT Server White Paper 4 42 Microsoft Windows NT Server White Paper e f the box is cleared the policy is not implemented and if the settings were previously implemented they are removed from the registry e f the box is grayed the setting is ignored and unchanged from the last time the user logged on Windows NT does not modify this setting The grayed state ensures that Windows NT provides quick processing at sys tem startup because it does not need to process each entry every time a user logs on NOTE When you decide whether the value should be checked or cleared be careful of the terminology of the setting or unexpected results may occur For example the Don t save settings at exit option when checked does not allow settings to be saved If you clear the checkbox the settings can be sa
50. ble Central is available Central not available Central is available local is available local is available local not available local not available y Is the Ignore Central flag set Is this a new user a Yes NO Load local Reconcile both y profile by comparing amp continue to time stamps Part 2 N oe Is the central p ene 5 j gates profite ee profile Is Load central profile No it continue to Part 2 Is the local available No profile newer a Yes Flag profile Load local profile as a new continue to Part 2 Is profile local profile Yy mandatory No continue to Load local version of Download Yes Part 2 profile profile from Yes y server N Flag profile to only continue to 9 Return error y Part 2 save Aaa to P Copy the default Create temporary load continue to i written to the profile ASK user preference for Si 2 continue to Part 2 stored on the server server or local copy continue to Part 2 and load continue to Part 2 Flowchart 2 User Logon Part 1 86 Microsoft Windows NT Server White Paper Continued from Command to Load Profile Vv Load the User Profile y Set USERPROFILE environment variable Vv Check build number for version Different oe Process UserDiff Registry changes from L L major version change Apply System Policy Save settings to Registry Same Flowchart 3 User Logon
51. ble slashes in front of LOGONSERVER doing so will prevent the variable from being read properly See Microsoft Knowledge Base article Q141714 for more information You can use the TemplateUser account to test changes before making them available to users by copying the adjusted profile directory to test accounts prior to rollout You can select any group or a specific user when setting the permissions However only the user or group specified will be able to use the profile For this reason it is recommended that the Everyone group be given permission to use template profiles Making a Roaming Profile Mandatory in Windows NT 4 0 You have two options when configuring a mandatory roaming profile you can change the user s ability to modify the User Profile or you can change the user s ability to modify the User Profile and enforce the use of the server based profile at logon With the second option the user is not able to log on to the system if the network profile is unavailable Each of these procedures will be explained more fully below Changing the User s Ability to Modify a Profile When creating a User Profile or at any time thereafter you have the option of enforcing whether or not the user can modify the profile by changing the ex tension on the NTuser dat file The NTuser dat file is located in the root of the user s profile directory If you change the name of this file to NTuser man when Windows NT r
52. contain the settings that you want to enforce on a per user per computer or com bined user computer basis When you open the System Policy Editor in registry mode you can modify the registry of the local computer without having to use Regedt32 exe or Re gedit exe However you can modify only those values exposed by the templates the System Policy Editor does not give you access to the entire registry System Policy Editor Template Adm Files The System Policy Editor uses administrative adm files to determine which registry settings can be modified An adm file is a hierarchical template and consists of categories and subcategories that dictate which settings are avail able through the user interface An adm file contains the registry locations where changes should be made for a particular selection additional options for a particular selection restrictions and in some cases the default value for a selection When you run the System Policy Editor and select Policy Template from the Options menu a window similar to the one shown below appears This window displays the names of the adm files that are currently being used If you need to make changes to custom applications for example you can add a template to this list To ensure that the system uses the latest administrative information the System Policy Editor reads the custom adm files each time it starts For detailed instructions when creating adm files see the secti
53. d in the Default User settings the Default User setting are used The Default User settings take precedence over only those settings that are ignored in the group settings e f the policy file includes settings for the specific computer name these are applied to the HKEY_LOCAL_ MACHINE registry key Otherwise the De fault Computer settings are applied This process is independent of the user account for the user who is currently logged on All users receive these settings when they use this computer NOTES Group policies do not operate in a NetWare only environment because Windows NT checks for Windows NT global groups only not NetWare groups e Ifan administrator logs on a policy is in effect no explicit settings exist for the administrative ac count and the Default User settings are present the administrator will receive the settings of the Default User Administrative accounts are not exempt from policies This should be a key factor to consider when implementing policies The System Policy Editor provides a hierarchical Group Priority dialog that helps you see and manage the order in which group policies are applied The next illustration shows the dialog and explains these priorities Group Priority x Arrange the groups in order of priority Users that are members of multiple groups will receive the settings of each group lowest to highest but as they are applied the next highest group s settings take precedence
54. d server to generate a pol file for Windows 95 based clients because a policy file is valid only for the platform on which it was created For procedures when installing the System Policy Editor on a Win dows 95 based computer refer to the section Installing the System Policy Editor on a Windows 95 Computer earlier in this document After you have created the pol file you can enable a Windows 95 based computer to look for and accept system policies as is described below To deploy policies for a Windows 95 based computer 1 Open the Control Panel and click Passwords and then User Profiles 2 Toenable User Profiles select Users can customize and then click OK 3 Check the UpdateMode value in the following registry location HKEY_LOCAL_MACHINE System CurrentControlSet Control Update If this value is 0 policies will not be applied If this value is 1 the Auto matic Policy mode is in effect and when the user is validated on the domain the validating domain controllers NETLOGON share will be checked for the existence of the Config pol file If this value is 2 the Man ual Policy mode is in effect and when the user is validated on the domain the Windows 95 based machine will check the path specified in the value NetworkPath for the existence of the Config pol file Note that the default mode for a Windows 95 based machine is Automatic 4 Restart the computer and have the user log on The policy file will be downloaded from th
55. e configured location and applied Modifying Policy Settings on Stand Alone Workstations If you need to modify settings of a Windows NT 4 0 based workstation user who is not a member of the domain and thus will not be able to use the policy file located on the domain you have three options available to you e You can create a policy file for stand alone workstations where users log on locally or e You can change policy settings remotely or e You can change policy settings locally Procedures for each option are described next Note that you must have administrator rights to the stand alone workstations in question To create a policy file for stand alone workstations 1 Logon as administrator and create a policy file that includes Computer and User objects with appropriate settings for the computer and users re spectively The user objects may include the Default User or user accounts from the local workstation but global group objects will be ig nored if added to the policy file Windows NT recognizes machine specific policy settings for the computer if those are specified in the policy file 2 Place the policy file in a secure directory on the stand alone computer or on a network share to which the user has at least Read permissions 3 Inthe workstation registry locate the UpdateMode value in the following key HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Control Update 4 Update the data to a hex value of 2 5 Inth
56. e one on the local computer the entire contents of the User Profile path is copied to the client workstation and is then written back to the server when the user logs off If the user has saved any documents in the home directory and the home directory is in the user s User Profile path the documents become part of the User Profile These documents are downloaded when you log on to the network and written back to the server when you log off the network Note that this process could slow down the logon process considerably Log Files Used by Profiles Log files are binary files that track changes to a profile As changes are made they are recorded in a log file and then written to NTuser xxx If for some rea son the changes cannot be recorded in NTuser xxx they are applied at the next logon When a user makes a change to his or her profile the change is made to the user s locally cached profile even if a mandatory profile is in use In this case the changes are not propagated to the server copy and are overwritten the next time the user logs on If the user has a roaming User Pro file when the user logs off the NTuser dat file is copied to the server and the changes are saved unless the profile is being used in a local mode The All Users Shared Profile The All Users profile directory contains common groups that apply to all users logging on locally to a given workstation When a user logs on programs and shortcuts from the All User
57. e path in User Manager and it must be the last subdirectory in the path However extensions can still be added such as usr or man You can select any group or a specific user when setting the permissions However only the user or group specified will be able to use the profile For this reason it is recommended that the Everyone group be given permission to use template profiles Once the above steps are completed the user receives the appropriate profile as follows e f the user is to receive the Default User profile from a Windows NT 4 0 based workstation the workstation s default profile is used when the user first logs on When the user logs off the profile is automatically written to the local cache and to the server based profile e Ifthe user is to receive the Default User profile from the validating domain controller the default profile from the server is used when the user first logs on When the user logs off this profile is automatically written to the local cache and to the server based profile e In all other cases the profile including the folder trees and the NTuser xxx file originally included with the profile is written to the user s profile directory The permissions are also encoded into the binary NTuser xxx file Creating a New Mandatory User Profile for Windows NT 4 0 To create a new mandatory User Profile 1 If alocation has not already been prepared create a directory on the server and est
58. e same registry subkey modify the NetworkPath value with the local or UNC path where the policy file resides If this path does not exist add it as a data type of REG_SZ For example if the policy file is named NTcon fig pol and is placed in the root directory of Windows NT NetworkPath should contain the path c Winnt Ntconfig pol 6 Have the user log on to the workstation Windows NT will read the policy file specified by NetworkPath and then apply the appropriate policy to the computer or to the user NOTES UNC paths may be used in the NetworkPath value This is beneficial to those administrators who want to centralize the policy file in use To change policy settings remotely 1 Log on as administrator open the System Policy Editor and from the File menu select Connect 2 Type the computer name of the workstation to be modified and click Enter A dialog will appear displaying the user name of the currently logged on Microsoft Windows NT Server White Paper 47 48 Microsoft Windows NT Server White Paper user for whom the changes will apply If the user is not currently logged on click Cancel The user must be logged on for the changes to take effect 3 If the user is logged on click OK The icons Local Computer and Local User will be displayed 5 Modify these just as you would modify a normal policy file Save your changes The next time the user logs on the changes made to the com puter and the user settings w
59. e the name of the folder where the Windows NT 4 0 roaming profile exists to folder name man If the user logs on to a Windows NT 4 0 based workstation and the User Profile path contains the extension man Windows NT will look for the directory path configured in the User Profile path If Win dows NT does not find the directory it will replace the man extension with pdm and will check again If you haven t already done so change the name of the NTuser xxx file to NTuser dat Refer to the section Changing the User s Ability to Modify a Profile in this document Creating a New Roaming User Profile for a Windows 95 User If you have Windows 95 users in your domain you can create roaming user profiles for them as well To create a roaming user profile for a Windows 95 user 1 On the client Windows 95 based computer start Control Panel and select Passwords From the User Profiles property page enable the option that allows users to have individual profiles and set the Primary Network Logon to Client for Microsoft Networks Reboot the client machine Use User Manager for Domains to create the user account if it does not already exist For the user s home directory specify the location where the User Profile will be stored An example would be m Home Directory i Local Path Connect fw To servershare usemame This automatically creates a folder with the user name If a dialog box is
60. e user logs on The NTuser dat hive maintains the user s environment preferences when the user is logged on It stores those settings that maintain network connec tions Control Panel configurations unique to the user such as the desktop color and mouse and application specific settings The series of profile di rectories store shortcut links desktop icons startup applications and so forth Together these two components record all user configurable settings that can migrate from computer to computer Details are provided below Configuration Preferences Stored in the Registry Hive The NTuser dat file contains the following configuration settings e Windows NT Explorer settings All user definable settings for Windows NT Explorer as well as persistent network connections e Taskbar All personal program groups and their properties all program items and their properties and all taskbar settings e Printer settings All network printer connections e Control Panel All user defined settings made in the Control Panel e Accessories All user specific application settings affecting the Windows NT environment including Calculator Clock Notepad Paint and HyperTerminal among others e Help bookmarks Any bookmarks placed in the Windows NT Help system Configuration Preferences Stored in Profile Directories The profile directories are designed to contain the following configuration settings e Application data Application spec
61. eads the profile it marks the profile as read only and any changes that the user makes while logged on are not written back to the server based profile when he or she logs off To change the user s ability to make modifications to the User Profile 1 Locate the user s profile in the account s User Profile path 2 While the user is logged off rename the NTuser dat file to NTuser man Note that if you make this change while the user is logged on the user s copy of the profile will overwrite your changes because at the time the user logged on he or she had permission to overwrite the profile Microsoft Windows NT Server White Paper 17 18 Microsoft Windows NT Server White Paper Be cautious if you use the Explorer interface to make these changes If you have the Hide file extensions for known file types option enabled this is the default be sure to check the properties to be sure that there are not two extensions For example say you want to make a profile man datory and you use Explorer to rename the NTuser dat file name to NTuser man Because of the Hide extensions default Explorer saves the file as type man but does not display the man extension Later you de cide to allow the user to make changes again and through Explorer you rename the file back to NTuser dat However because Explorer was hid ing that part of the file name that determines its type the only thing you rename is the prefix The file name i
62. eate a mandatory profile from the old profile 1 Replace the man extension on the existing mandatory profile with the extension usr 2 Change the extension on the user s profile path from man to usr Allow the user to log on This permits the conversion to take place 4 Have the user log off This creates a directory with the name of the profile and a pds extension 5 Change the pds folder extension to pdm and change the user s profile path back to man 6 Rename the NTuser dat file to NTuser man to To create the profile from an existing template profile 1 Inthe server share specified in the User Profile path create a folder with the directory name of the location where the profile is stored Use the pdm extension for this directory name For example if the user name is domainuser the directory name would be serverlshare domainuser pdm 2 On the Windows NT based computer hosting the profile log on as an ad ministrator and map a drive to the server share where the profile will be stored 3 From the Control Panel click System 4 Onthe User Profiles page select the profile to be copied Use the Copy To option to select the user s folder created in Step 1 modify the permis sions to reflect the proper account and click OK The profile is now written to the designated location including the folder trees and the NTuser xxx file originally included with the profile The per missions are also encoded in
63. entries in this subkey Public Community Traps Category Subcategory Selection Key System SNMP Traps for public community HKEY_LOCAL_MACHINE System CurrentControlSet Services SNMP Parameters TrapConfiguration Public Microsoft Windows NT Server White Paper 69 Registry Value Registry Data Description Increment numbers beginning with 1 REG_SZ On text of Trap Configuration x Off value is removed from registry NOTE There may be multiple entries in this subkey Run Command Category Subcategory Selection Description Key System Run Run Allows one or more applications to be run when the user logs on interactively HKEY_LOCAL_MACHINE Software Microsoft Windows CurrentVersion Run Registry Value Registry Data Description Application Text Name REG_SZ On executable text name for example Notepad is Notepad exe which may include parameters Off value is removed from the registry NOTE There may be multiple entries in this subkey Drive Shares Category Subcategory Selection Description Key Workstation Windows NT Network Sharing Create hidden drive shares workstation When enabled creates administrative shares for physical drives These shares were created automatically under Windows NT 3 51 This policy setting gives administra tors the ability to control this feature This setting is specific to Windows NT Workstation
64. enu Subfolders Category Windows NT Shell Microsoft Windows NT Server White Paper 61 62 Microsoft Windows NT Server White Paper Subcategory Selection Description Key Custom Folders Hide Start menu subfolders Hides subfolders such as the user s Programs folder if a custom Programs folder exists HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Description NoStartMenuSubFolders REG_DWORD Off 0 or value is removed On 1 Custom Startup Folder Category Subcategory Selection Description Key Windows NT Shell Custom Folders Custom Startup folder Specifies the UNC path the folder is to use when folders files and shortcuts are to start at user logon HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Explorer User Shell Folders Registry Value Registry Data Description Startup REG_SZ Off value is removed On text of UNC path to folder Default USERPROFILE Start Menu Programs Startup Custom Network Neighborhood Category Subcategory Selection Description Key Windows NT Shell Custom Folders Custom Network Neighborhood Specifies the UNC path the folder is to use to create the folders files and shortcuts the user receives when navi gating through Network Neighborhood HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Explorer User
65. er dat file contains all of the registry settings located in HKEY_CURRENT_USER As system administrator you can modify the data contained in the NTuser dat portion of the profile by loading the hive into the registry To manually customize a User Profile 1 Locate the profile to be modified e f the profile is a server based profile locate the server share username and determine the extension on the NTuser xxx file e Ifthe profile is a local profile locate the system root Profiles username directory and determine the extension on the NTuser xxx file e f you need to edit the Default User Profile locate the system root Profiles Default User directory and determine the extension on the NTuser xxx file e f you need to edit the Network Default User Profile locate the Default User folder in the NETLOGON share of the domain controllers that are doing user authentication and determine the extension on the NTuser xxx file If there is more than one domain controller and di rectory replication is ensuring that the Default User profile is the same on all domain controllers open only the profile on the domain controller which is the export server 2 Start Regedt32 exe and select the HKEY_USERS on Local Machine window Highlight the root key of HKEY_USERS 3 From the Registry menu select Load Hive 4 Browse for the directory identified in Step 1 and select the NTuser xxx file located in that directory 5 Adialog wi
66. er profile 1 If a location has not already been prepared create a directory on the server and establish a network share Give the user a minimum of Change permissions to the shared directory For more information on planning for this type of user read the sections Selecting a Location to Save User Profiles and Setting Permissions for User Profiles earlier in this docu ment If your implementation stores user profiles within users home directories make the profile directory a subdirectory of the user s home di rectory Note that this approach precludes the use of the USERNAME variable To prevent the share from being browsable append to the share name If this will be a domain user or if this will be a local account for a Windows NT Server based machine use User Manager for Domains to create the account If this will be a Windows NT 4 0 Workstation account use the version of User Manager included in the Administrative Tools pro gram group Refer to your operating system documentation and online Help for procedures when using these tools Note that for this example the user account is mydomainuser Enter the User Profile path This is the location where the User Profile will be stored for example myserver myshare mydomainuser Or if the profile is being stored within the user s home directory use myserver myshare MyUsersHomeDir profile If the user is to receive the Default User profile from
67. erenced either on TechNet or by using the Microsoft Knowledge Base on Microsoft s Web site http Awww microsoft com kb Profiles Q141714 Q154120 Q156568 Q156697 Q158398 Q142682 Q146050 Q160546 Q161070 Q157069 Q161809 Q165398 Q164133 Q162790 Q162717 Q159927 Q160840 Q146192 Q158899 Q158682 Q155587 Q157621 Q156695 Q138321 Policies Q151176 Q151177 Q154120 Q156365 Q156689 Q156699 Q162774 Q162331 Q159936 Q160793 Q143164 Q158398 Q156698 How to Use LOGONSERVER to Distribute User Profiles Debugging User Profiles and System Policies in Windows NT 4 0 How to Assign the Administrator Profile to Other Users Updating Permissions for User Profiles Automating Network Printer Setup How to Create and Copy Roaming User Profiles in Windows NT 4 0 Modifying Ntuser dat Hive So New Users Get Defined Settings No User Profiles Were Found Step by Step Roaming Profiles Configuration Can t Access this Folder Path Is Too Long Error How to Create Mandatory Profiles for Windows 95 Users in Windows NT Domain Profiles for Members of Guests Group are Deleted Logon Allowed When Access Denied to Mandatory User Profile Auto Arrange Activates Itself in Copied User Profiles Autodial Settings Lost When Using Roaming Profiles Cannot Delete Certain User Profiles Sharing Violation When Accessing User Profiles How Windows NT Chooses Between Roaming and Local Profiles Prompted for Password When Restoring Persistent Connections Sho
68. ermore if a user does not have administrative rights only that user s profile is listed Administrators have permissions to see all available profiles System Properties 20x General Performance Environment Startup Shutdown Hardware Profiles User Profiles related to your logon A different profile can be created on each computer you use or you can select a roaming profile that is the same on every computer you use EA User profiles contain desktop settings and other information Profiles stored on this computer Size Type Modified AVIATION Administrator 139KB Local 4 15 97 AVIATION roamuser 131 KB Roaming 4 15 97 WORKSTATION Slocaluser 131KB Local 4 15 97 Delete Change Type Copy Io Cancel Apply Deleting Profiles The User Profiles property sheet allows users with administrator privileges to delete unused profiles that still exist on a local computer In Windows NT 3 5x this function was available in the Main group of the Windows NT Setup pro gram To delete a User Profile select the profile name and click the Delete Microsoft Windows NT Server White Paper 21 22 Microsoft Windows NT Server White Paper button This deletes the User Profile on the local machine but it does not de lete the associated User Account Note that sometimes the phrase Account Deleted is present in the list of profiles These are accounts that were deleted from the User Account Database but whose
69. etwork Neighborhood icon from the desktop In addition disables UNC capability from within the Explorer interface including the Start menu s Run command UNC paths configured by the administrator in Policies for shared folders desktop icons the Start command and so forth This does not impair the func tionality of the command line Net exe command Key HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Description NoNetHood REG_DWORD Off 0 or value is removed On 1 Network Neighborhood Display Category Windows NT Shell Subcategory Restrictions Selection No Entire Network in Network Neighborhood Key HKEY_CURRENT_USER Software Microsoft Microsoft Windows NT Server White Paper 57 58 Microsoft Windows NT Server White Paper Windows CurrentVersion Policies Network Registry Value Registry Data Description NoEntireNetwork REG_DWORD Off 0 or value is removed On 1 Network Neighborhood Workgroup Contents Category Windows NT Shell Subcategory Restrictions Selection No workgroup contents in Network Neighborhood Key HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Network Registry Value Registry Data Description NoWorkgroupContents REG_DWORD Off 0 or value is removed On 1 Desktop Display Category Windows NT Shell Subcategory Restrictions Selection Hide all i
70. ginal setting should be displayed pointing to the user s local machine NOTE Be sure to complete all steps completing Steps 1 and 2 only results in an empty Programs folder on the client machine Creating a System Policy Before you create a System Policy decide which settings will be enforced and how the settings will be grouped To create a new System Policy 1 On a Windows NT Server based machine in the domain where the policy file will apply open the System Policy Editor From the Start menu click Programs then click Administrative Tools Common then click Sys tem Policy Editor 2 From the File menu click New Policy 3 The Default Computer and Default User icons will be displayed Click the user computer or group to be modified NOTES If you need to add a user group or computer you can copy and paste the settings without having to manually go through each of the entries and make selections For example if you have made modifica tions to User1 and want to create a similar profile for another user User2 select User1 then from the Edit menu click Copy Select User2 then from the Edit menu click Paste Make any changes specific to User2 and save your changes You will be prompted to verify your changes and then the settings will be ap plied When you add users or computers to the policy file they automatically assume the properties of the icons Default User or Default Computer respectively 4
71. hanges to the priority or state of the individual proc esses This option was added in Service Pack 2 Key HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies System Registry Value Registry Data Description DisableTaskMgr REG_DWORD Off 0 or value is removed On 1 Welcome Tips Category Windows NT System Selection Show welcome tips at logon Description Enables or disables the display of the Welcome screen when the user logs on for the first and second time This option was added in Service Pack 2 Key HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Microsoft Windows NT Server White Paper 67 68 Microsoft Windows NT Server White Paper Explorer Tips Registry Value Registry Data Description Show REG_DWORD Off 0 On 1 Default Computer Settings The following data is specific to the options found in the Default Computer por tion of the System Policy Editor Remote Update Category Subcategory Selection Description Key Network System Policies update Remote update Controls how policies are applied to a Windows NT 4 0 based machine With UpdateMode set to 1 Automatic the default Windows NT makes a connection to the NETLOGON share of the validating domain controller in the user s context and checks for the existence of the policy file NTconfig pol With UpdateMode set to 2 Manual Windows NT reads the string specified in t
72. he NetworkPath value and checks that path for the exis tence of the policy file in this case the policy file name should be included in the NetworkPath value With Up dateMode set to 0 Off a policy file is not downloaded from any system and therefore is not applied HKEY_LOCAL_MACHINE System CurrentControlSet Control Update Registry Value Registry Data Description UpdateMode REG_DWORD Off 0 Automatic 1 Manual 2 NetworkPath REG_SZ Text of UNC path for manual update Verbose REG_DWORD Display error messages Off 0 or value not present On 1 LoadBalance REG_DWORD Off 0 or value not present On 1 Communities Category System Subcategory SNMP Selection Communities Key HKEY_ LOCAL MACHINE System CurrentControlSet Services SNMP Parameters ValidCommunities Registry Value Registry Data Description Increment numbers beginning with 1 REG_SZ On text of Valid Community x Off value is removed from registry NOTE There may be multiple entries in this subkey Permitted Managers Category Subcategory Selection Key System SNMP Permitted managers HKEY_LOCAL_MACHINE System CurrentControlSet Services SNMP Parameters PermittedManagers Registry Value Registry Data Description Increment numbers beginning with 1 REG_SZ On text of Permitted Manager x Off value is removed from registry NOTE There may be multiple
73. he user s profile to roam with the user and be available on any networked computer that the user logs on to If you specify a path to the systemroot Profiles directory the client computer always uses the local profile instead Windows NT 4 0 profiles can be saved on any Windows NT 3 5x or 4 0 server because the client computer uses the path where the profile is stored only as a location to download the profile and to write the modified user profile at log off This allows profiles to be stored on any shared network drive The process of downloading the profile is controlled by the client computer all the Microsoft Windows NT Server White Paper 9 10 Microsoft Windows NT Server White Paper client needs is the correct path Note that storing profiles on a Windows NT 4 0 Server makes it easier for the administrator to open a user s NTuser dat file to make any necessary modifications You can also store User Profiles on Novell Servers provided that the client is configured correctly and can access the pro file path If a client is not receiving a User Profile at logon use the Start menu Run command to check the profile path For example to see if you can locate the profile type serverlshare mydomainuser lf the path to the user s profile con tains spaces put quotation marks around the path when you type it in the Run command box Except in the case of mandatory profiles or when a slow network is de tected any changes to the u
74. ical Windows NT will use the local copy of the server Default User profile Continue to Step 10 9 Inthe server share from Step 1 create the directory structure you speci fied as the path in Step 3 For example create the directory mydomainuser under myserver myshare If the profile is to be stored within the user s home directory use the directory structure mydomainuser profile under myserver myshare Microsoft Windows NT Server White Paper 13 14 Microsoft Windows NT Server White Paper 10 Copy the profile appropriate to your implementation e To copy an existing user s profile to another user a From the Windows NT based machine hosting the profile to be used log on as an administrator b From the Control Panel click System On the User Profiles page select the profile to be copied and use the Copy To option to en ter the path of the directory you created in Step 9 c Modify the permissions to reflect the proper account To do this click the Change button select the account and click OK Click OK again to copy the profile e To copy the template profile to the Default User folder on validating domain controllers a From the Windows NT based machine hosting the profile to be used log on as an administrator b From the Control Panel click System On the User Profiles page select the profile to be copied and use the Copy To option to en ter the path of the Default User directory on the validating dom
75. icrosoft Windows NT Server White Paper 83 APPENDIX A FLOWCHARTS 84 Microsoft Windows NT Server White Paper User Profile Flowcharts These flowcharts illustrate how User Profiles operate within the Windows NT 4 0 operating system and give the administrator an at a glance look at the procedures to take and the internal processing that occurs when User Profiles are implemented under Windows NT 4 0 A user already have a profile from No Will the user be mandated to receive he profile for logon Begin Profile Process Does the Windows NT 3 5x Configure the user profile path for the account with server share lt username gt man Yes No Y Configure the user profile path for the account with Yes Is the profile usr or man 4 0 profile with the man extension in the share where profiles are stored server share lt username gt man y Create a directory for the Windows NT server share lt username gt no extension used Create a directory for the Windows NT 4 0 profile with the pdm extension in A the share where profiles are stored server share lt username gt pdm Create a directory for the Windows NT 4 0 Profile without an extension in the share where profiles are stored server share lt username gt y A ill the profile be mandatory s
76. icy Flowchart Appendix B Implementing User Profiles c0ssssesseseeeesseeeseeeees Existing Windows NT 3 5x Roaming Profile Existing Windows NT 3 5x Roaming Profile Migrating Windows NT 3 5x Roaming Profile to Windows NT 4 0 Roaming Profile Migrating Windows NT 3 5x Mandatory Profile to Windows NT 4 0 Mandatory Profile Migrating Windows NT 3 5x Mandatory Profile to Windows NT 4 0 Roaming Profile Creating a New Windows NT 4 0 Roaming Profile Creating a New Windows NT 4 0 Mandatory Profile Updating and Changing a Roaming Profile to a Mandatory Profile Changing a Roaming Profile to a Mandatory Profile Appendix C Usage Notes scscessscessesesseseeeeseeeeseeneeeeseeeeseeeeseeeees Important Information for Administrators Regarding User Logons and User Logoffs Recent Updates to Profiles Since Retail Release Recent Updates to Policies Since Retail Release APPENDIX D Related Knowledge Base Articles c000c00000 Profiles Policies 77 78 78 79 79 79 90 90 91 91 91 92 92 93 93 94 95 95 INTRODUCTION Not too many years ago information technology professionals faced a serious challenge in controlling the mounting costs of mainframe use It seemed that everyone clerks writers developers and systems administrators all had terminals and were using the system for everything from numbers crunching to typing letters Networks became bogged down and IT professionals were
77. if logon will be denied unless this is the case add the extension man to the User Profile path for example myserver myshare mydomainuser man 5 Use User Manager to create an account for establishing the template pro file So that you can easily identify this account we recommend that it be Microsoft Windows NT Server White Paper 15 16 Microsoft Windows NT Server White Paper 10 11 12 13 called TemplateUser Using the template account TemplateUser log on to the local machine or domain A new directory with the same name as the user name created in Step 2 will be created in the systemroot Profiles directory when you first log on For example if the user name is TemplateUser the resulting directory name will be systemroot Profiles T emplateUser Modify any items that need to differ from the current default for example you may choose to modify the background color or bitmap shortcuts on the desktop and View options in My Computer Log off and then log back on to the same computer using an account with administrative privileges In the server share from Step 1 create the directory structure you speci fied as the path in Step 3 For example you would need to create the directory mydomainuser under myserver myshare Or if the profile is stored in the user s home directory you would need to create the directory structure mydomainuser profile under myserver myshare If you appended the man exte
78. ific data such as a custom dictionary for a word processing program Application vendors decide what data to store in this directory e Desktop Desktop items including files and shortcuts e Favorites Shortcuts to program items and favorite locations e NetHood Shortcuts to Network Neighborhood items e Personal Shortcuts to program items Also a central store for any docu ments that the user creates Applications should be written to save files here by default e PrintHood Shortcuts to printer folder items e Recent Shortcuts to the most recently used items e SendTo Shortcuts to document storage locations and applications e Start Menu Shortcuts to program items e Templates Shortcuts to template items These directories are hidden by default To see these directories change the View Options Windows NT 4 0 and windows 95 User Profile Differences Windows 95 Profiles are very similar in behavior to Windows NT 4 0 Profiles but there are some differences Unlike Windows NT 4 0 Windows 95 downloads and writes User Profiles to the user s home directory When the Windows 95 user first logs on the UNC path specified in the user account s home directory path is checked for the Windows 95 User Profile You can modify this behavior however See the Win dows 95 Resource Kit for more information Windows 95 and Windows NT 4 0 User Profiles have the following addi tional functional differences e Windows 95 does
79. ile image filename lt D AWINNTDfs Profiles Administrator gt GetLocalProfilelmage Found local profile image file ok lt D WINNTDfs Profiles Administrator ntuser dat gt Local profile is reachable Local profile name is lt D WINNTDfs Profiles Administrator gt RestoreUserProfile No central profile Attempting to load local profile RestoreUserProfile About to Leave Final Information follows Profile was successfully loaded lpProfile gt szCentralProfile lt gt lpProfile gt szLocalProfile lt D WINNTDfs Profiles Administrator gt IpProfile gt dwinternalFlags 0x102 RestoreUserProfile Leaving UpgradeProfile Entering UpgradeProfile Build numbers match UpgradeProfile Leaving Successfully ApplyPolicy Entering ApplyPolicy Policy is turned off on this machine LoadUserProfile Leaving with a value of 1 hProfile lt 0x60 gt SYSTEM POLICY AN INTRODUCTION A System Policy is a set of registry settings that defines the computer re sources available to an individual or to a group of users Policies define the various facets of the desktop environment that a system administrator needs to control such as which applications are available which applications appear on the user s desktop which applications and options appear in the Start menu who can change their desktops and who cannot and so forth System policies can be implemented for specific users groups computers or for all users You create system
80. ill be in effect on the remote machine A To change policy settings locally 1 Log on as an administrator and copy the Poledit exe Common adm and Winnt adm files to the Windows NT based workstation where the changes for the computer or user need to be made 2 Log on with administrative permissions as the user for whom the modifica tions will apply 3 Open Poledit exe and load the templates that were copied to the local computer 4 From the File menu select Open Registry 5 The icons Local Computer and Local User will be displayed 6 Modify these just as you would modify a normal policy file Save your changes The next time the user logs on these changes will be in effect 6 Close the System Policy Editor and remove this tool from the workstation by deleting the Poledit exe file and any adm files used These changes modify the registry entries that control the behavior of Windows NT on the target computer A policy file is not created when this pro cedure is used This procedure is the same for Windows NT Workstation 4 0 and Windows NT Server 4 0 Creating a Custom Adm File The content of this section is also documented in the Windows 95 Resource Kit and the Windows 32 bit Software Developer s Kit which are available on the Microsoft Developer s Network or through Microsoft Sales This section refers extensively to the following adm files e Common adm this contains registry settings common to both Windows NT 4 0 a
81. indows NT Server Resource Kit for more information It is important to note that if a user is logged on locally to a machine and then attempts to delete his or her own profile a message will appear stating that the profile is currently in use and cannot be deleted The user must log off log back on using a different account with administrator privileges and delete the profile In addition if a service is running for a particular user account the same message may appear If this happens stop the service and then delete the profile Changing the Profile Type from Roaming to Local With the User Profiles Change Type feature a user can control which copy of the User Profile local or roaming is read when he or she logs on Note that the user can do this interactively while logged on Users do not need adminis trative privileges to change which profile is used if the profile is not a mandatory profile Valid profile types are e Local Profile A local profile is maintained on the local computer This option allows the user to specify that the once roaming profile is now local to this machine Although the remote profile is still avail able if the Local Profile option is selected the locally cached profile will be used instead The user should be aware that if he or she makes changes to the profile those changes will be saved in the lo cally cached version only and will not be replicated in the server based profile Note
82. indows NT Server White Paper 37 38 Microsoft Windows NT Server White Paper e What type of restrictions do you want to impose on users e Will users be allowed to access locally installed common group applica tions or will these be overridden by administrator defined program groups desktop icons Start menu programs and so forth e What other options are available if you simply want to restrict access to a specific icon or file Would modifying NTFS permissions be more effective e Will you be controlling computer specific settings only and not user set tings If after considering these issues you conclude that System Policies will sim plify administration of your system use the System Policy Editor to create the appropriate individual and or group policies as explained in the next section THE SYSTEM POLICY EDITOR The System Policy Editor is a graphical tool that allows you to easily update the registry settings to implement a System Policy The System Policy Editor is included with Windows NT Server 4 0 but you can install it on Windows NT Workstation based machines and on Windows 95 based machines as well Note that a policy file is valid only for the platform on which it was created For example if you run Poledit exe on a Windows 95 based machine and you save the policy file the file will be written in a format that can be interpreted by Windows 95 based machines only The same is true when you create policy files on
83. istry Hive A hive is a section of the registry that is saved as a file The registry subtree is divided into hives named for their resemblance to the cel lular structure of a beehive A hive is a discrete body of keys subkeys and values Roaming Profile A roaming profile is stored on a network share and can be accessed Microsoft Windows NT Server White Paper 3 4 Microsoft Windows NT Server White Paper from any computer A user who has a roaming profile can log on to any computer for which that profile is valid and access the profile Note that a profile is only valid on the platform for which it was cre ated for example a Windows NT 4 0 profile cannot be used on a Windows 95 computer Roaming User A roaming user is a user who logs on to the network from different computers at different times This type of user may use a kiosk or may share a bank of computers with other users A roaming user stores his or her user profile on a network share and can log on to any net worked computer and access that profile System Policy A System Policy is a set of registry settings that together define the computer resources available to a group of users or an individual You create system policies with the System Policy Editor System policies allow an administrator to control user work environments and actions and to enforce system configurations Y systemroot An environment variable that expands to become the root directory containing
84. le structure to Windows NT 4 0 network administrators have a greater ability to control the user environment than they ever have had before Many of the requests that customers submitted including providing more options in controlling the user s desktop accessibility to applications and system tools minimizing administra tive overhead and scalability ennancements have been added And as with every release Microsoft encourages customer feedback on enhancements to the Windows NT operating system This document provides the details that administrators need to implement a rollout of User Profiles and System Policies under Windows NT 4 0 Although the primary emphasis is Windows NT this paper also discusses how User Profiles are handled with Windows 95 clients and how the two platforms differ Before You Begin Before proceeding with this document we recommend that you read Chapters 3 and 4 of the Windows NT 4 0 Concepts and Planning Guide In addition you should be familiar with the following terms and concepts Key Terminology Directory Replication The copying of a master set of directories from a server called the export server to specified servers or workstations called import com puters in the same or other domains Replication simplifies the task of maintaining identical sets of directories and files on multiple com puters because only a single master copy of the data is maintained Files are replicated when they are added t
85. ll be parsed for this information and will replace the common groups from the local ma chine with the shortcuts applications and so forth from the folder that you created earlier NOTE This can be done per user for personal program groups and can also be done for other folder settings such as the startup group Start menu and desktop icons Setting Up Shortcuts for Server based Profiles You may notice that shortcuts created on any computer automatically embed a universal naming convention UNC path for the Ink file such as machine admins This embedded UNC in the link can be a problem when it is copied to a server and used in a server based profile By default such links are resolved to the original location of the file the absolute path before any other path is used these other paths are referred to as secondary or relative paths In this case the UNC path to the original file is always reachable which prevents the link from being resolved via a local path As a result the user trying to execute the shortcut will be asked for the administrator s password for the computer on which the link was created This problem was corrected in the latest Microsoft Windows NT 4 0 U S Service Pack After you install the service pack you can work around the problem by modifying the registry as explained next To resolve links correctly 1 Open Registry Editor Regedit exe 2 Go to the following key HKEY_Current_User Software Microsoft
86. ll prompt you to enter a Key Name You can use any value but you must remember this value so that you can select it during the unload process For this reason we recommend that you use the user name 6 Click Enter This adds the profile registry hive as a subkey to HKEY_USERS as shown in the illustration below Registry Editor HKEY_USERS on Local Machine ia Regist Edit Tree View Security Options Window Help amp HKEY_USERS DEFAULT gt DomainUser AppEvents Console Control Panel A Environment Keyboard Layout amp Software E UNICODE Program Groups S 1 5 21 124525095 708259637 7 Edit the existing values as necessary 8 After completing the changes highlight the root of the user s profile regis try key and from the Registry menu select Unload Hive This saves the changes to the user s profile When you first selected Load Hive the key was mapped to the file selected in the Open dialog A Save As option is therefore unnecessary Modifying the Default User Profile To modify a Windows NT based workstation s Default User Profile settings or to modify the Network Default User Profile load the NTuser xxx hive into the registry as outlined above make the necessary changes and unload the hive this automatically saves the changes e The workstation Default User Profile is located in the systemroot Profiles Default User directory e To make changes to the Ne
87. loaded always check for the existence of the Default User profile If the locally cached copy of the User Profile is more current than the server based profile and if it is not mandatory the user will be prompted to select which profile to use If the user does not successfully receive a profile when he or she logs on the user should check to see if the profile path can be reached by con necting to that resource with Explorer File Manager or Start Run Users who are members of both the Domain Users and Guests group or who are members of just the Guests group will have their local profiles deleted automatically at logoff Recent Updates to Profiles Since Retail Release In the original retail release of Windows NT Server 4 0 if the administrator creates a mandatory profile that ends with man and the user is denied ac cess to the profile the user is still able to log on locally rather than being denied access This problem was resolved in Service Pack 3 Under certain conditions sharing violations when accessing roaming or mandatory profiles could occur Before this problem was resolved if multi ple users tried to log on at the exact same time a sharing violation could result on the files making up the User Profile because Windows NT was attempting to get exclusive access to the profile This was resolved in Service Pack 2 Administrators creating shortcuts on one machine for use on a central server have run into problems on user
88. ly exists A myuser pds folder containing the user s roaming profile exists in myserver myshare Administrator action Use User Manager to change the extension of the User Profile path to man changing the path to myserver myshare myuser man Then rename the existing folder that contains the user s roaming profile from myuser pds to myuser pam Fi nally rename the NTuser dat file which is located in the root of the user s profile folder to NTuser man User action None For more information See the section Making a Roaming Profile Man datory in Windows NT 4 0 APPENDIX C USAGE NOTES Important Information for Administrators Regarding User Logons and User Logoffs Changes that you make to server based profiles can be lost if you do not modify the last modification date time stamp When a locally cached ver sion of a profile is compared with the server based profile only the time date stamp of the NTuser xxx file is compared If the stamps are the same the local copy is used If you have made modifications to other fold ers within the profile these changes can be lost Utilities are available to update the last modified date If the Default User profile directory including the NTuser xxx file is not available at log on a new user who does not have a server based Default User Profile will be unable to log on When troubleshooting logon prob lems or if a user receives a message Stating that the profile could not be
89. m Dfs which runs as a service can provide a share that will refer the client to multiple servers for the same path For example on a Dfs server the administrator has defined that users connecting to the UNC path Dfsserver Dfsshare Customfolder will be returned a response with three dif ferent servers Server1 Customerfolder Server2 Customerfolder and Server3 Customerfolder all of which contain the same data The client ma chine which can be either a Windows NT based 4 0 machine or a Windows 95 based machine with the Dfs client software randomly selects one of these servers and uses that path to generate the custom shared folders for the user If one of the servers is unavailable the client has the other two serv ers to select from Note that the the Dfs host server must be running for this fault tolerant structure to work Although Dfs software currently supports a single host server Microsoft is developing a fault tolerant version of Dfs for a future release of Windows NT For more information on the Dfs server and client components see http www microsoft com ntserver info distributedfilesystem htm Microsoft Windows NT Server White Paper 53 REGISTRY KEYS MODIFIED BY THE SYSTEM POLICY EDITOR DEFAULT TEMPLATES 54 Microsoft Windows NT Server White Paper The following outlines the locations and values for registry entries that are written to a Windows NT based workstation or server when you use the Sys tem
90. mplementation A successful implementation of User Profiles requires planning and prepara tion Before creating User Profiles consider the following e How much of the user environment do you wish to control Would System Policies either in conjunction with User Profiles or by themselves be a better solution e Will users be required to use a specific set of desktop folders and envi ronment settings e Will users be able to make modifications to their profiles e What features will you be implementing in User Profiles Optional features include persistent network connections custom icons backgrounds and so on e For roaming profiles will users be allowed to use the default profile from the client workstation or will a standardized server based default profile be used instead e Where will the profiles be stored and is there enough drive space to store them e Where do existing user home directories reside e How will shortcuts and links be displayed for the user e What are the speeds of the links between the clients and the server stor ing the profiles These issues are examined more fully in the following paragraphs For more information refer to the Windows NT Server Concepts and Planning Guide Setting Permissions for User Profiles When troubleshooting or preparing for a rollout of User Profiles you should pay careful attention to permissions at the Windows NT File System NTFS and share levels If the profile is ma
91. n text of notice Logon Dialog Shut Down Button Category Windows NT System Subcategory Logon Selection Enable shutdown from Authentication dialog box Description Enables or disables the Shut Down button on the logon dialog window Key HKEY_LOCAL_MACHINE Software Microsoft Windows NT CurrentVersion Winlogon Registry Value Registry Data Description ShutdownWithoutLogon REG_SZ Off 0 On 1 Logon Name Display Category Windows NT System Subcategory Logon Selection Do not display last logged on user name Description Enables or disables display of the last logged on user name when the user presses CTRL ALT DEL and the logon dialog is displayed Key HKEY_LOCAL_MACHINE Software Microsoft Windows NT CurrentVersion Winlogon Registry Value Registry Data Description DontDisplayLastUserName REG_SZ Off 0 On 1 Logon Scripts Category Windows NT System Subcategory Logon Selection Run logon scripts synchronously Description Determines whether the shell waits for the logon script to complete or not If the value is 0 the logon script is run during the startup of the shell and allows items in the Startup group to start If the value is 1 the logon script completes before the shell or any items in the Startup group are started If this value is also set in the User sec tion this value takes precedence Key HKEY_LOCAL_MACHINE Software Microsoft Windows NT C
92. n Instead of automatically download ing a profile that may be several hundred kilobytes to several megabytes large Slow Net gives the user the option of either downloading the profile or using the locally cached version If the cached file is used it can significantly reduce the time it takes to log on to the computer To detect a slow network the oper ating system computes the amount of time it takes to receive a response from the server which the profile path defines as part of the user account As sys tem administrator you can determine the allowable slow network speed Use the System Policy Editor to set this value If the user uses the Control Panel System application to change the profile type to Local then the cached copy of the User Profile is opened every time the user logs on Any changes that occur to the profile are written locally and not to the server location Microsoft Windows NT Server White Paper 11 CREATING AND MAINTAINING USER PROFILES 12 Microsoft Windows NT Server White Paper Creating a New Roaming User Profile for Windows NT 4 0 To create a new roaming User Profile you must first determine where the user s profile will be stored You then must create a user account if one doesn t already exist and specify a User Profile path Finally you must spec ify whether a given user will use a specific profile or can use a default profile These procedures are described below To create a new roaming us
93. n line common groups when the user selects Programs from the Start menu Key HKEY_LOCAL_MACHINE Software Microsoft Windows CurrentVersion Explorer User Shell Folders Registry Value Registry Data Description Common REG_EXPAND_SZ Note Off value is removed from registry Programs REG_SZ can be used if On text of UNC path to folder De no variables exist fault SystemRoot Profiles All Users Start Menu Programs Shared Desktop Icons Path Category Windows NT Shell Subcategory Custom shared folders Selection Custom shared desktop icons Description Specifies the UNC path the folder is to use when dis playing the folders files and shortcuts the user receives as part of the desktop Key HKEY_LOCAL_MACHINE Software Microsoft Windows CurrentVersion Explorer User Shell Folders Registry Value Registry Data Description Common Desktop REG_EXPAND_ SZ Note REG_SZ can be used if no variables exist Off value is removed from registry On text of UNC path to folder Default SystemRoot Profiles All Users Desktop Shared Start Menu Path Category Windows NT Shell Subcategory Custom shared folders Selection Custom shared Start menu Description Specifies the UNC path the folder is to use when dis playing the folders files and shortcuts the user receives as part of the Start menu Key HKEY_LOCAL_MACHINE Software Microsoft Windows CurrentVersion Explorer
94. nd Windows 95 e Winnt adm This contains registry settings specific to Windows NT 4 0 e Windows adm this contains registry settings specific to Win dows 95 To create a custom adm file 1 Create a backup copy of the Winnt adm file in the systemroot inf directory 2 Use a text editor to open the Winnt adm file The first entry of this file is CLASS xxxx where xxxx could be either e MACHINE This section includes all entries available in the Local Computer DefaultComputer icon e USER This section includes all entries available to modify user specific settings 7 These are the only two classes that are valid within the System Policy Editor The System Policy Editor checks the syntax of each adm file when the files are loaded and displays a message if any errors are found Choose the CLASS in which you want your custom entries to appear Create categories by using the keyword CATEGORY followed by a space and variable The System Policy Editor requires that anything preceded by must have a string defined in the strings section of the adm file This allows the editor to use variables to define long strings of text that will appear in the user interface a single time even if these strings are used in multiple locations in the adm file For example to open a category you would use CATEGORY MyNewCategory To close the category after filling in the options you would use END CATEGORY MyNewCategory These can be
95. ndatory the user account should have at least Read permissions on the network share where that user s User Profile is stored If the user s profile is roaming the user must have Change permissions or better because the client will need to write the changes back to the central profile on the shared network drive when the user logs off If roaming profiles are stored on an NTFS partition you can choose to remove the Delete permis sion from the default Change permissions at the NTFS level NOTE Directories containing roaming User Profiles need at least Add and Read permissions for profiles to be read correctly If you use Add permissions only when Windows NT checks for the existence of the profile it will fail because it looks for the path first and if Read rights are not given the check will fail Permissions are also important on a client machine where the user is log ging on interactively If Windows NT is installed in an NTFS partition on the client computer and the user does not have at least the default permissions as outlined in the Windows NT Server Concepts and Planning Guide page 132 errors can occur For example if permissions are incorrect on the root of the system directory the following message appears Can t access this folder the path is too long A blank desktop is displayed and the user s only option is to log off If permissions are set incorrectly in the systemroot Ysystem root System systemroot
96. nested to create sub categories as follows CATEGORY FirstCategory CATEGORY SecondCategory CATEGORY ThirdCategory END CATEGORY ThirdCategory END CATEGORY SecondCategory END CATEGORY FirstCategory Be sure to specify the text for the variables you used above In this case in the strings section of the adm file you would need to include FirstCategory My First Category SecondCategory My Second Category ThirdCategory My Third Category Within each category define the registry key that will be modified To do this use the keyword KEYNAME followed by the registry path to the key that contains the value you want to change Note that due to the CLASS you are in you do not need to specify HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER For example you can use KEYNAME System CurrentControlSet Services LanManServer Parameters Identify the policy that specifies which options the user can modify Use the keyword POLICY for this followed by variable For example POLICY MyFirstPolicy Be sure to define MyFirstPolicy in the strings section of the adm file Complete the policy specifics and finish with an END POLICY statement Define the options available within the policy e Use the keyword VALUENAME to identify the registry value that an administrator can modify For example VALUENAME MyFirstValue Remember that the VALUENAME needs to be within a PART if
97. ng profile is stored on a network share and can be ac cessed from any networked computer A user who has a roaming profile can log on to any networked computer for which that profile is valid and access the profile A mandatory profile is a preconfigured roaming profile that the user cannot change As a system administrator you may want to use mandatory profiles for a group of people who require a common interface and standard configuration One of the primary goals of User Profiles is to allow a user s system and desktop customizations to travel with the user from computer to computer without requiring the user to reconfigure any settings When a user logs on to any computer that supports his or her roaming profile the desktop appears just as the user left it the last time he or she logged off With roaming user sup port users can share computers but each user has his or her personal desktop on any computer in the network both roaming and mandatory profiles support this functionality Creating and Administering User Profiles User Profiles can be created and administered in several different ways as will be described next Note that as a system administrator you determine whether users can modify their profiles e You create a User Profile that is not modifiable for a particular user or group this is a mandatory profile e You establish a network Default User Profile that applies to all new users on Windows NT 4 0 computers Afte
98. not support common groups e Windows 95 can be configured to copy only the shortcut Ink and Pro gram Information Files pif when the User Profile is downloaded whereas Windows NT downloads all file shortcut and directory objects e Windows 95 User Profiles do not support a centrally stored Default User Profile e Windows 95 uses different files for the registry portion of User Profiles Refer to the following table Windows 95 and Windows NT 4 0 profiles are not interchangeable primarily because the registry hive which is a key component of the User Profile is incompatible between operating system versions Windows NT 4 0 file Equivalent Windows 95 file NTuser dat User dat NTuser dat log User da0 NTuser man User man NOTE The Windows 95 User da0 and Windows NT 4 0 Ntuser dat log while equivalent provide slightly different functionality Windows 95 writes a copy of User dat to User da0 each time the user logs off Windows NT uses the Ntuser dat log file as a transaction log file This allows for fault toler ance in the event that a User Profile must be recovered e Windows 95 and Windows NT 4 0 file structures are identical with the ex ception of the Application Data directory Windows 95 does not support this directory Windows 95 User Profiles can be stored on NetWare servers For more in formation on configuring a client with a Primary Network Logon of Client for NetWare Networks see the chapter Windows 95 on NetWare
99. nsion to the User Profile path in Step 4 append the man suffix to the directory name for the folder where the pro file will be stored The man extension identifies a Windows NT 4 0 mandatory profile that must be accessible for the user to logon For exam ple if the user name is mydomainuser the path to the mandatory profile would be myserver myshare mydomainuser man If you also have a mandatory Windows NT 3 4x profile for the user use the pdm extension in place of the man extension for example Imyserver myshare mydomainuser pdm The pdm extension is required because the profile folder cannot have the same name as the Windows NT 3 5x User Profile located in the same parent folder From the Windows NT based machine hosting the template profile to be used log on as an administrator From the Control Panel click System From the User Profiles page select the profile to be copied and use the Copy To option to enter the path of the directory you created in Step 9 Modify the permissions to allow the user or group to use the profile To do this click the Change button select the account and click OK You can select any group or specific user when setting the permissions however only the user or group specified will be able to use the profile The profile including the folder trees and the NTuser xxx file originally included with the profile is written to the location you designated The permissions are also encoded into the bin
100. ntain a network Default User profile When a new user logs on a profile directory is created for that user and the default settings are written to the new user s di rectory The profile may or may not then be customizable depending upon how the administrator has configured profiles In Windows NT 4 0 administrators have the option of generating a network Default User profile that if present will be used before the local Default User profile is used With the original retail release of Windows NT 4 0 workstations downloaded this network Default User profile and the most recent NTconfig pol file and cached them in the local Default User Network and Policy folders respectively Then instead of automatically downloading these from the server whenever they were needed the logon process compared the time date size stamps of the two versions and if they were the same used the cached ver sions without performing another download With Windows NT 4 0 Service Pack 2 however the System Policy file NTconfig pol is downloaded during each logon The profile functionality remains unchanged the profile is downloaded only if the local copy is out of date Profile Names and Storage in the Registry Windows NT 4 0 records which profile should be used by which user by plac ing registry keys for the user s security ID SID in the registry in HKEY_ LOCAL MACHINE SOFTWARE Microsoft Windows NT CurrentVersion Pr ofileList Each user who has
101. o an export directory and each time a change is saved to one of the exported files Domain Structure In Windows NT a domain is a collection of computers defined by the administrator of a Windows NT Server network that share a common directory database A domain provides access to the centralized user accounts and group accounts maintained by the domain administra tor Each domain has a unique name Home Directory A home directory is a directory that is accessible to the user and con tains files and programs for that user A home directory can be assigned to a single user or to a group of users Local Profile A local profile is specific to a computer A user who has a local profile on a particular computer can gain access to that profile only while logged on to that computer Mandatory Profile A mandatory profile is a preconfigured roaming profile that the user cannot change In most cases these are assigned to a person or a group of people for whom a common interface and standard configu ration is required NetLogon Service For Windows NT Server the NetLogon service authenticates domain logons and keeps the domain s directory database synchronized be tween the primary domain controller PDC and the backup domain controllers BDCs Regedt32 exe The 32 bit version of the Registry Editor Registry The registry is a database where Windows NT internal configuration information and machine and user specific settings are stored Reg
102. o the computer as an administrator and create a local account that will be used only temporarily to house the profile during the conver sion process 2 Logon as a temporary user and immediately log off This will create a subdirectory underneath the systemroot Profiles directory with the name of the account that logged on 3 Log back on as an administrator and configure the workstation to join the domain 4 After the workstation has joined the domain reboot the computer 5 After the machine restarts log on as the user from the domain that will need the converted profile and then log off This sets up the directory structure needed to complete the conversion process 6 Log back on as an administrator and copy the profile structure including the NTuser xxx file and all subdirectories from the directory that stored the workgroup user s profile to the subdirectory created for the temporary user in Step 2 7 From the Control Panel click System 8 On the User Profiles property page select the temporary user profile and click Copy To Browse under systemroot Profiles to locate the subdi rectory that contains the profile for the domain user that logged on in Step 5 Click OK and then click the Change button for the permissions 9 Select the domain user who will use the profile Click OK to copy the profile 10 Log off and log on as the domain user The profile settings should now be available to that user NOTE Alternati
103. on Creating Your Own Custom Adm File later in this document Policy Template Options Policy options common to both Windows NT 4 0 and Windows 95 machines D WINNTSURSINFSCOMMON ADM D AWINNTSURAINFSWINNT ADM Policy options specific to Windows NT 4 0 machines NOTE The option to Add or Remove will be grayed out if there is a policy file currently open Close the file in use and then change the template configuration Configuring Policy Settings The configuration options available to you fall into a tree structure which is determined by the layout of the adm file By navigating through these options you can select a mode that determines the action that will be taken when the policy file is applied The figure below shows sample user options for the Shell Default User Properties IG Default User Flags this setting such that it will overanite the target Control Panel client machines registry with the enabled value Desktop Regardless of curent state when the policy file is L0 Shell applied next the user will no longer have the Run A command Remove Run command from Start menu In this state when the policy file is applied next the Remove folders from Settings on Start menu registry setting on the client machine will not be Remove Taskbar from Settings on Start menu moine Apa ea m aar iets O Remove Find command from Start menu ee ae eee ee O Hide drives in My Computer Pines iem b
104. on Policies Explorer Registry Value Registry Data Description NoFileMenu REG_DWORD Off 0 or value is removed On 1 Start Menu Common Program Groups Category Subcategory Selection Description Key Windows NT Shell Restrictions Remove common program groups from Start menu Disables the display of common groups when the user selects Programs from the Start menu HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Description NoCommonGroups REG_DWORD Off 0 or value is removed On 1 Taskbar Context Menus Category Subcategory Selection Description Key Windows NT Shell Restrictions Disable context menus for the Taskbar Removes the context menus for the tray including the Start button Tab control and Clock This option was added in Service Pack 2 HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Description NoTrayContextMenu REG_DWORD Off 0 or value is removed On 1 Explorer Context Menu Category Windows NT Shell Subcategory Restrictions Selection Disable Explorer s default context menu Description Removes the context menu that would normally appear when the user right clicks on the desktop or in the Ex plorer right results pane This option was added in Service Pack 2 Key HKEY_CURRE
105. on thereafter Windows NT will go to the new location for policy file updates e Visit each Windows NT based workstation either remotely or locally and make the required registry change to point to the new location Depending on the number of workstations affected this could be very time consuming Log on to the Windows NT based workstation to download and enact the policy Microsoft Windows NT Server White Paper 43 44 Microsoft Windows NT Server White Paper Creating Alternate Folder Paths You may need to create shared folders for groups of users who need a com mon set of tools and shortcuts Windows NT 4 0 System Policies allows you to create such shared folders To create shared folders and alternate folder paths 1 On a specific server create a folder that contains shortcuts to network applications or to locally installed programs If you are creating application shortcuts that will point to local paths on Windows NT machines refer to the section Setting Up Shortcuts for Server based Profiles 2 Share the folder 3 Using the System Policy Editor under computername or Default Com puter select the option Custom Shared Folders then select Custom Shared Program Folder 4 Enable this option By default the local All Users folder for the workstation will be used but you can replace the path to point to the folder that you created in Step 1 and 2 5 Save the policy file When the user logs on the policy file wi
106. ortant to note that the settings for these two profiles are completely independent changes made to the Windows NT 3 5x profile will not be reflected in the Windows NT 4 0 profile and vice versa NOTE As an administrator if you review the directory structures in the share where users roaming pro files are stored and no pds or pdm extensions are appended this is normal No extension is appended to roaming profile directories that are new to Windows NT 4 0 These extensions are only added when profiles are migrated from Windows NT 3 5x to 4 0 or when the administrator creates a new Windows NT 4 0 mandatory profile that requires a successful logon Upgrading Windows NT 3 5x Mandatory Profiles to Windows NT 4 0 Mandatory Profiles Upgrades of Windows NT 3 5x mandatory profiles to Windows NT 4 0 cannot be done automatically This is because the same restrictions that prevent a user from saving any changes to his or her profile also restricts the system s ability to generate a new Windows NT 4 0 mandatory profile from an existing profile When you upgrade a Windows NT 3 5x mandatory profile the profile path does not need to be modified However you will need to create a new man datory profile with the same desired settings To create the mandatory profile you can remove the mandatory extension from the old profile and force a con version or you can create the new profile from a template Both procedures are explained below To cr
107. our domain you can create new mandatory user profiles To create a mandatory user profile for a Windows 95 user 1 On the client Windows 95 based computer start Control Panel and select Passwords 2 From the User Profiles property page enable the option that allows users to have individual profiles and set the Primary Network Logon to Client for Microsoft Networks 3 Reboot the client machine 4 Use User Manager for Domains to create the user account if it does not already exist For the user s home directory specify the location where the User Profile will be stored An example would be m Home Directory Local Path Connect fw To server share usemame This automatically creates a folder with the user name If a dialog is dis played stating that the operation failed create the folder manually before continuing 5 Copy the Template Profile that you are using for mandatory profiles to the user s home directory e From the Windows 95 based machine hosting the mandatory copy the complete contents of the local Profile folder to the folder created previously This writes the profile to the destination including the folder trees and the User xxx file originally included with the profile e f you have not already done so rename the User dat file to User man At logon the user will download the mandatory profile cache it and no changes will be written back to the server at log off NOTES
108. ow Policies Are Applied Additional Implementation Considerations The System Policy Editor c0scscessesesseseeeeseeeeseeeeseeseeeeseeeeseeees Installing the System Policy Editor on a Windows NT Workstation Installing the System Policy Editor on a Windows 95 Computer Updating the Registry with the System Policy Editor System Policy Editor Template Adm Files Configuring Policy Settings Setting Folder Paths Back to Defaults Creating a System Policy Creating Alternate Folder Paths Setting Up Shortcuts for Server based Profiles Deploying Policies for Windows NT 4 0 Machines Deploying Policies for Windows 95 Machines Modifying Policy Settings on Stand Alone W orkstations Creating a Custom Adm File Configuring System Policies Based on Geographic Location Clearing the Documents Available List Building Fault Tolerance for Custom Shared Folders Registry Keys Modified by the System Policy Editor Default Templates csceseeeeseeeeseeeeeeeeeeeeseeeeeeeeeeeeeeeseeeeeeeseeeeeeeeeseneeeeseeeeseeees Default User Settings Control Panel Display Application Wallpaper Color Scheme Start Menu Run Command Settings Folders Settings Taskbar Start Menu Find Command My Computer Drive Icons Network Neighborhood Icon Network Neighborhood Display Network Neighborhood Workgroup Contents Desktop Display 30 31 32 33 35 36 36 37 39 39 40 40 41 42 42 44 44 45 46 47 48 52 52 52 54 54 54 55 55 55 56 56 5
109. profiles still exist on the local computer If you need to delete profiles on remote computers the Delprof exe utility available in the Windows NT Server Resource Kit version 4 0 provides this functionality Windows NT 4 0 User Profiles can grow quite large and can take up considerable disk space particularly if several people are using one com puter With Delprof exe you can reclaim disk space by removing profiles that are no longer needed This utility deletes User Profiles on computers running Windows NT and it can be used on a local or remote computer running Windows NT 4 0 or earlier However because Delprof exe is Unicode based it cannot run on Windows 95 NOTE Delprof exe will delete everything contained in a user s profile including settings colors and user documents Please be aware of any user documents that may be deleted before using this tool The syntax of Delprof exe is as follows delprof q i p c computername d days Where lq Runs Delprof exe in quiet mode with no confirma tion for each profile to be deleted N Indicates that Delprof exe should ignore errors and continue deleting p Prompts for confirmation before deleting each pro file c computername Specifies a remote computer name on which to run Delprof exe d days Specifies the number of days of inactivity days is an integer Profiles with longer inactivity will be deleted 1 Displays command line syntax See the W
110. ption NoSaveSettings REG_DWORD Off 0 or value is removed On 1 Registry Editing Tools Category Subcategory Selection Description Key System Restrictions Disable registry editing tools Disable user s ability to run Regedit exe or Regedt32 exe HKEY_CURRENT_USER Software Microsoft Microsoft Windows NT Server White Paper 59 W indows CurrentVersion Policies System Registry Value Registry Data Description DisableRegistryT ools REG_DWORD Off 0 or value is removed On 1 Windows Applications Restrictions Category Subcategory Selection Description Key System Restrictions Run only allowed Windows applications Restricts the applications that the user can start through the Explorer interface If an application is not specified a dialog box is presented that states Restrictions This operation has been canceled due to restrictions in effect on this computer Please contact your system adminis trator Be sure to include Systray exe in the list of allowed applications if this policy is to be enforced Note that users may still have the ability to start restricted ap plications from the command prompt if you give them access to Cmd exe HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Description RestrictRun REG_DWORD Off 0 or value is removed On 1 Key HKEY_ CU
111. r Note however that this does not work for the first logon When the user next logs on Windows NT checks the remote path and continues to use that path until the System Policy file on the remote server directs otherwise e Manually configure each of the workstations in a given region or site to use a remote update path and change the remote update mode from the default of Automatic to Manual Clearing the Documents Available List As an alternative to removing the Documents option from the Start menu you can set and clear the documents available by clearing the MRUList value in the registry Use this registry key HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Explorer RecentDocs Value MRUList Note that you should not delete the value instead replace MRUList with a blank string Building Fault Tolerance for Custom Shared Folders If you want to create a user environment that includes a Custom Shared Pro grams Folder and a Custom Shared Desktop you need to place the source folders for these shared items on a central server for all users to access How ever this involves some degree of risk if the server is unavailable If that occurs the user s Programs menu and desktop would not contain the appro priate folders shortcuts and files To build fault tolerance into this configuration you can take advantage of the distributed file system Dfs available for the Windows NT Server 4 0 oper ating system platfor
112. r downloading this default profile and logging on the user can customize the profile provided that it is not man datory e You allow a new user to use the local Default User Profile on the Windows NT 4 0 computer where the user logs on After logging on the user can customize the profile provided that it is not mandatory e You copy a template User Profile and assign the copy to a user The user can then customize the profile provided that it is not a mandatory profile Profiles can be stored on a network server or cached on the local machine Cached profiles are located in the systemroot Profiles directory Caching a profile reduces the total time to log on and load the profile however in a roaming user or kiosk environment this approach may not be optimal This option is controlled by the administrator User Profile Structure A User Profile is comprised of a Windows NT registry hive and a set of profile directories The registry is a database used to store machine and user specific Microsoft Windows NT Server White Paper 5 6 Microsoft Windows NT Server White Paper settings and portions of the registry can be saved as files called hives These hives can then be reloaded for use as necessary User Profiles take advantage of the hive feature to provide roaming profile functionality The User Profile registry hive is the NTuser dat in file form and is mapped to the HKEY_CURRENT_USER portion of the registry when th
113. r resources available to a group of users or an individual With the addition of System Policies and the new User Profile structure to Windows NT 4 0 network administrators have a greater ability to control the user environment than they have ever had before This document provides the details that administrators need to know to implement a rollout of User Profiles and System Policies under Windows NT 4 0 Although the primary emphasis is Windows NT this paper also discusses how User Profiles are handled with Windows 95 clients and how the two platforms differ You should use this guide in conjunction with your Windows NT 4 0 documentation and Resource Kits CONTENTS Introduction scscceseseseeeeseeeseseeeeeeeeseseeeeeeeeeeseeeeneneeeeeeeeeeeeseseeeeeeeeeeeeneeeee TCO and the User Profiles Policies and the Zero Administration Kit What are User Profiles and System Policies Before You Begin Key Terminology Technical Notes Establishing User Profiles An Overview 2 s scessssesseseeeeseeneneeeees Creating and Administering User Profiles User Profile Structure Configuration Preferences Stored in the Registry Hive Configuration Preferences Stored in Profile Directories Windows NT 4 0 and Windows 95 User Profile Differences How User Profiles Are Handled in Windows 95 User Profile Planning and Implementation Setting Permissions for User Profiles Encoding Permissions in the User Profile Selecting a Location to Save User Profiles
114. rectories that start with the same prefix in the systemroot Profiles directory tree You can use the User Profiles property page to determine which file is associated with which user as follows 1 Compare the Modified and Size properties to those of the actual directo ries The Size property displayed in User Profiles is the total size of the directory residing in the profiles tree not the size of the NTuser xxx file alone Match the directory sizes in the profiles tree to the number dis played on the User Profiles property page 2 If the user is currently logged on right click the Start button If context menus have not been disabled select the option to Explore and Explorer Microsoft Windows NT Server White Paper 23 24 Microsoft Windows NT Server White Paper will open to the profile directory used by that account 3 If you don t know when the user last logged on look for the NTuser dat file with a time and date stamp that matches the Modified date displayed in the User Profiles property page Copying Profiles Use the User Profiles Copy To button to copy existing profiles from the local machine to another profile directory on the same machine or to a remote server where server based User Profiles are stored The Copy To dialog box see the figure below performs two functions First the Copy profile to option provides a Browse button that enables you to view local and remote drives to select the directory where the profile
115. ription NtfsDisableLastAccessUpdate REG _DWORD Off 0 or value is removed On 1 Cached Roaming Profiles Category Windows NT User Profiles Selection Delete cached copies of roaming profiles Description After a user logs off from an interactive session if this value is enabled the locally cached version of the roam ing User Profile is deleted Key HKEY_LOCAL_MACHINE Software Microsoft Windows NT CurrentVersion Winlogon Registry Value Registry Data Description DeleteRoamingCache REG_DWORD Off 0 or value is removed On 1 Slow Network Detection Category Windows NT User Profiles Selection Automatically detect slow network connections Description Enables or disables detection of a slow network Key HKEY_LOCAL_MACHINE Software Microsoft Windows NT CurrentVersion Winlogon Registry Value Registry Data Description SlowLinkDetectEnabled REG_DWORD Off 0 On No value empty or 1 Default On Slow Network Timeout Category Windows NT User Profiles Selection Slow network connection timeout Description Specifies the amount of time in milliseconds that Windows NT waits before a slow network is determined Key HKEY LOCAL MACHINE Software Microsoft Windows NT CurrentVersion Winlogon Registry Value Registry Data Description SlowLinkTimeOut REG_DWORD Off 0 or value is removed On time in milli seconds in hexadecimal Decimal 1 20000 default 2000
116. rom a specific location 1 Open either the specific machine policy or the Default Computer policy and navigate through the Network category and System policies update subcategory to reach the Remote update option 2 Check the Remote update box Microsoft Windows NT Server White Paper 45 46 Microsoft Windows NT Server White Paper 3 Inthe Update mode box select Manual use specific path 4 Inthe Path for manual update box type the UNC path and file name for the policy file 5 Click OK to save your changes The first time the workstation is modified locally via the System Policy Editor or receives a default System Policy file from the NETLOGON share of a do main controller this location is written to the registry Thereafter all future policy updates use the location you specified manually This is a permanent change until the policy file resets the option to Automatic The Windows NT 4 0 based computer will never again look at a domain controller to find a policy file until you either change the instruction in the local registry or modify the policy file in the location specified by the manual path to set the mode back to Automatic Deploying Policies for Windows 95 Machines When creating a system policy file for a Windows 95 based client you must first install the System Policy Editor on a Windows 95 based computer so that you can create the policy pol file You cannot run the System Policy Editor on a Windows NT 4 0 base
117. rtcuts Created Under Windows NT 4 0 Resolve to UNC Paths No Administrative Tools or Common Folders Available Personal Groups Not Visible If Systemroot Is Read Only Locating Windows NT 4 0 Profile Directories for Duplicate User Accounts Err Msg at Logon Unable To Log You On Because Your Profile Policy Registry Entries Default User Policy Registry Entries Default Computer Debugging User Profiles and System Policies in Windows NT 4 0 Hidden Shares Are no Longer Available After Using System Policy How to Change Print Job Priority in Windows NT 4 0 Limitations of Run Only Allowed Windows Application Policy Editor Crashes When Using Large Custom ADM Files Internet Explorer May Not Run with System Policies Using the Windows NT 4 0 or Windows 95 System Policy Editor Additional Desktop Restrictions Available through Registry Modification INF How to Protect Windows NT Desktops in Public Areas Automating Network Printer Setup Disabling Access to Network Resources Using System Policies Microsoft Windows NT Server White Paper 95 Q156432 Windows NT 4 0 Policy Restriction Error at Logon Q155956 Cannot Restore Default Setting for Shutdown Button Q163215 System Policies May Not Work With Third Party GINA DLLs 96 Microsoft Windows NT Server White Paper
118. s now NTuser dat man To avoid this situation you can either rename files from the command line or change the behavior of Explorer Enforcing the Use of the Server based Profile In addition to enforcing the read only property of a profile the administrator can duplicate the functionality that was available in Windows NT 3 5x of not allowing the user to log on unless the server profile is available To enforce the use of the server based profile for a given user 1 Append the man extension to the User Profile path in User Manager as explained in the previous section Skip this step for users who have ex isting Windows NT 3 5x profiles and who already have the man extension appended to their profile paths If the user already has a Windows NT 3 5x mandatory profile on the server change the name of the folder where the Windows NT 4 0 roaming profile currently exists to foldername padm If the user logs on to a Windows NT 4 0 based workstation and the User Profile path contains the man extension Windows NT will determine that a mandatory Windows NT 3 5x profile exists and will automatically replace the man extension with pdm and will look for the directory path configured in the User Profile path For example at logon if the User Profile path is config ured to use serverlsharelusername man Windows NT will look for lserver lshare username pdm for the correct profile to load If only the Windows NT 4 0 user profile exists chang
119. s profile are also available to the user in addition to the user s personal User Profile programs and shortcuts Note that the All Users profile on a domain controller does not apply to domain users logging on at remote workstations The All Users profile is workstation specific and con tains the common groups for just that computer If you want to specify programs shortcuts or directories to be used by everyone who logs on toa specific workstation you should place these in the All Users profile directory If you need to establish domain wide common groups and settings use the System Policy Editor to modify registry entries on remote workstations so that they point to server directories for common groups as opposed to pointing to the local All Users profile Later if you need to remove the domain wide set tings and have remote users point to the All Users profile from the local workstations once again you ll need to change the default path used in the System Policy Editor to ssystemroot Profiles All Users Start Menu Programs Refer to the System Policy portion of this guide for specific procedures Default User Template Profiles During Windows NT 4 0 Workstation installation the setup program creates a generic User Profile the Default User and saves it in a folder in the profiles directory These default settings define an environment for new users who log on to the computer locally or who log on to a domain that does not co
120. s workstations where a password prompt is displayed asking for credentials to the machine that originally created the shortcut This is due to the default behavior of Windows NT using the absolute path the path to the original location where the short cut was created to start an application even if the application is available in the specified path of the shortcut properties In Service Pack 2 support was added to give the administrator the ability to disable this behavior and use the path specified in the shortcut properties For more information reference Microsoft Knowledge Base article Q158682 Microsoft Windows NT Server White Paper 93 94 Microsoft Windows NT Server White Paper Recent Updates to Policies Since Retail Release The following changes have been made to System Policies support since the initial retail release of Windows NT 4 0 When a policy file was to be downloaded if the validating domain control ler name was 13 characters or longer the policy would not be applied This has been resolved in Service Pack 3 NoNetConnectDisconnect NoTrayContextMenu NoViewCon textMenu NoFileMenu and DisableTaskMgr were added in Service Pack 2 For more information on these see the section Registry Keys Modified by the System Policy Editor Default Templates In Service Pack 2 and later the policy file is no longer cached This change was made to increase security Instead of being cached the policy file is downlo
121. sabled on that drive For example if the value of this entry is 0x8 1000 bi nary autorun is disabled on drive D Note that a value of 1 in the bit representing the CD ROM drive takes prece dence over the value of Autorun HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Description NoDriveAutoRun REG_DWORD 0x0 0x3FFFFFF Start Banner Category Subcategory Description Key Windows NT Shell Start banner Hides the arrow and Click here to start caption that ap pears on the taskbar when you start Windows NT HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Microsoft Windows NT Server White Paper 81 Registry Value Registry Data Description NoStartBanner REG_DWORD 0 enabled 1 disabled 82 Microsoft Windows NT Server White Paper FOR MORE INFORMATION For more information when configuring your network refer to the following e Windows NT Server Concepts and Planning Guide Chapter 3 Manag ing User Work Environments part of the Windows NT Server product documentation e Kixtart Resource Kit Utility available in the Windows NT Server Resource Kit for version 4 0 For the latest information on Windows NT Server check out our World Wide Web site at http Awww microsoft com backoffice or the Windows NT Server Forum on the Microsoft Network GO WORD MSNTS M
122. ser s profile are saved to the central profile when the user logs off Because users cannot modify mandatory profiles changes do not need to be written to the server NOTE In situations where the same user account logs on to multiple machines the last user to log off dictates the profile settings because that user was the last one to write data to the profile Similarly if a group of users all point to the same profile the final logoff settings are saved and will overwrite previous settings If the User Profile is flagged as a local profile and is not mandatory any changes the user makes while logged on are written to the locally cached ver sion of the profile but not to the server based copy NOTE You should not make the home directory and User Profile path the same If the profile path encom passes the home directory path and the server based profile is more recent than the local profile on the workstation all directories and files that exist in the user s home directory will be copied to the user s workstation at logon These files are then written back to the server if modified when the user logs off This process occurs at each logon In addition even if the user logs off and the administrator deletes all of the unnecessary files from the home directory the versions of these files that reside on the workstation will not be deleted at logon and will be written back to the server again at log off This file copy process
123. server myshare myuser man Then manually create the myuser man folder manually in the lmyserver myshare directory Places the mandatory profile for the user in this new folder User action None For more information See the section Creating a New Mandatory User Profile for Windows NT 4 0 Updating and Changing a Roaming Profile to a Mandatory Profile A domain user has an existing Windows NT 4 0 roaming User Profile that was not upgraded from Windows NT 3 5x and the administrator is going to man date that the profile be read or logon will denied What currently exists A myuser folder containing the user s roaming profile exists in lmyserver myshare Administrator action Use User Manager to add the man extension to the User Profile path thus changing the path to lmyserver myshare myuser man Then rename the existing folder that contains the user s roaming profile from myuser to myuser man Finally rename the NTuser dat file which is located in the root of the user s profile folder to NTuser man User action None For more information See the section Making a Roaming Profile Man datory in Windows NT 4 0 Changing a Roaming Profile to a Mandatory Profile A domain user has an existing Windows NT 4 0 roaming User Profile that was upgraded from Windows NT 3 5x and the administrator is going to mandate that the profile be read or logon will denied 92 Microsoft Windows NT Server White Paper What current
124. should be copied In addition the dialog provides a Permitted to Use option that allows you to select the user account or group that has permission to use the profile Copy To HEI m Copy profile to ay le Browse crea m Permitted to use AVIATION newuser When the permissions are written to the profile they are stored in the NTuser xxx file When a new profile is created the user that created the profile is given permission to use that profile However those with administrator per missions can use the Change button or the Registry Editor to change these permissions When you click the Browse button the following dialog box appears It is important to note that this dialog does not allow you to create directories You must create the required directories before you copy the profile Browse for Folder 21x Select a directory to place the profile in C administrator E All Users Default User localuser Policy roamuser repair E system j a a HAR sustem x OK Cancel Viewing the Contents of the Profiles Directory on a Local Computer All locally cached versions of User Profiles are stored in the profiles subdirec tory of the Windows NT root directory The profiles subdirectory maintains each user s profile separately by generating a specific directory for each user Within
125. strator action Change the user s profile path to lmyserver myshare myuser and then allow the user to log on and log off User action When instructed to do so log on to the Windows NT 4 0 based computer and then log off This creates the folder lmyserver myshare myuser on the server containing the user s new roaming profile For more information See the section Creating a New Roaming User Profile for Windows NT 4 0 Creating a New Windows NT 4 0 Roaming Profile A new user will be logging onto Windows NT 4 0 based computers only and will be using a roaming profile What currently exists Nothing currently exists for the user in lmyserver myshare Administrator action In User Manager specify the User Profile path without an extension For example use myserver myshare myuser User action Log on and then log off This creates the folder on the server myserver myshare myuser that contains the user s new roaming profile For more information See the section Creating a New Roaming User Profile for Windows NT 4 0 Creating a New Windows NT 4 0 Mandatory Profile A new user will be logging onto Windows NT 4 0 based computers only and will be using a mandatory profile What currently exists Nothing currently exists for the user in lmyserver myshare Administrator action In User Manager specify the User Profile path with Microsoft Windows NT Server White Paper 91 the extension man For example use my
126. template pro file to be used log on as an administrator From the Control Panel click System From the User Profiles page use the Copy To option to enter the path of the directory you just created Modify the permissions to allow the Everyone group to use the profile To do this click the Change button select the group and click OK Continue to Step 9 e if the template profile will be distributed via the Default User folder on validating servers a c Create a Default User directory in the NETLOGON share which is systemroot Repl Import Scripts by default of validating do main controllers This folder name must be named Default User or the profile will not be downloaded from the server To keep the Default User profile consistent across domain controllers and to ease administrative overhead you can create this folder on one computer and then use the directory replication service to export it to all validating domain controllers If a user logs on and does not have an existing local or server based profile and your implementation uses the Default User folder on validating domain controllers Windows NT will check the NETLOGON share for the Default User profile before it uses the local default profile Workstations save the server Default User profile on a local cache Windows NT will check the time date size of the server copy against the locally cached copy before downloading the server copy And if the files are ident
127. tems on desktop Description Hides all desktop items regardless of menus folders and shortcuts defined either by profiles or by other pointers in the policy file for custom program folders custom desk top icons and so on Key HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Description NoDesktop REG_DWORD Off 0 or value is removed On 1 Start Menu Shut Down Command Category Windows NT Shell Subcategory Selection Description Key Restrictions Disable Shut Down command Disables the Shut Down option on the Start menu Note that this does not disable the user s ability to shut down the computer using the CTRL ALT DEL sequence If you want to remove the user s ability to use CTRL ALT DEL remove the user s name from the Shut down the system user right in User Manager HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Description NoClose REG_DWORD Off 0 or value is removed On 1 Saved Settings Category Subcategory Selection Description Key Windows NT Shell Restrictions Don t save settings at Exit Disables or enables the ability to save modifications that the user makes during the logon session HKEY_CURRENT_USER Software Microsoft Windows CurrentVersion Policies Explorer Registry Value Registry Data Descri
128. that the system can choose this selection auto matically if the server based profile is unavailable e Roaming Profile lIf the user selects the roaming profile and the roaming profile is available Windows NT determines whether the server or local copy is newer If the local copy is newer the user is asked to choose which copy he or she would like to use Note that if the system detects a slow network link the user will be given this same choice of profiles The Roaming Profile selection is available if e There is a valid path specified in the User Profile path portion of the user account properties and e The User Profile path is accessible at the time of logon e Roaming Profile with Use cached profile on slow connec tions If a user selects this option he or she is not asked which copy to use with a slow connection Instead the system uses the lo cally cached copy automatically If a user has a roaming profile it is possible for that user to change the mode to Local and have Windows NT use the local version always even though the roaming profile is still available However a user cannot do this if the system administrator assigns that user a mandatory profile and has added the man extension to the user s profile path Determining Which Profile Is Displayed There may be cases where users who have identical names but are from dif ferent domains will log on to the same machine If this occurs you will notice several di
129. the Microsoft Windows NT Server White Paper 49 50 Microsoft Windows NT Server White Paper option is selected within the lower pane of the System Policy Editor see the discussion of PART and the code example below If not specified otherwise the value will be written in the following format when any administratory checks or unchecks the option Checked REG_DWORD with a value of 1 Unchecked Removes the value completely Other options can specify what the user selects from and what gets written to the registry Use the keyword PART to specify options drop down list boxes text boxes and text in the lower pane of the System Policy Editor PART is similar to CATEGORY and uses the syntax PART MyVariable FLAG END PART where FLAG is one or more of the following e TEXT Displays text only for example PART MyPolicy TEXT END PART e NUMERIC Writes the value to the registry with data type REG_DWORD for example PART MyPolicy NUMERIC VALUENAME ValueToBeChanged END PART e DROPDOWNLIST Displays a list box of options to choose from for example PART MyPolicy DROPDOWNLIST VALUENAME ValueToBeChanged ITEMLIST AME First VALUE NUMERIC 1 AME Second VALUE NUMERIC 2 AME Third VALUE NUMERIC 3 AME Fourth VALUE NUMERIC 4 END ITEMLIST END PART Z lt z Z Z E 2
130. to the binary NTuser xxx file 5 Inthe directory that the profile was copied to check the NTuser xxx file for the man extension If the extension is dat the profile will still be modifi able Change the extension to man if necessary Note that because the User Profile was saved into a directory with a pdm extension both the Windows NT 3 5x and Windows NT 4 0 profiles exist on the server A user can log on from either a Windows NT 3 5x or Windows NT 4 0 based computer and the appropriate profile will be used Extracting a User Profile for Use on Another Domain or Machine As explained previously in this document a user is given explicit permissions to use a profile and these permissions can be created and controlled by an administrator or generated automatically by the system when the user first logs on Microsoft Windows NT Server White Paper 31 32 Microsoft Windows NT Server White Paper If a profile has permissions that differ from those needed by the user for example if the profile was created for a user on a different domain the profile permissions must be changed to function correctly As an example suppose you have a Windows NT based workstation that you would like to have join the domain but you want the user to be able to retain his or her profile settings The Windows NT based workstation is currently a part of the WORKER work group and will be joining the domain BIGDOMAIN To change the profile 1 Log on t
131. twork Default User Profile use the NTuser xxx file from the scripts export directory systemroot system32 repl export scripts of the domain controller that is the export server for the domain Any changes that you make to this file will be replicated to the other domain controllers which are import servers To provide users with a Default User Profile that contains custom shortcuts folders and files that are not centrally managed place the icons in the appro priate folder within the Default User Profile New users will receive the shortcuts folders and files as part of their new profiles For example if you want each new user that logs on to a given computer to receive a folder called My Storage on the desktop just create this folder in the path systemroot Profiles Default User Desktop Microsoft Windows NT Server White Paper 29 30 Microsoft Windows NT Server White Paper Upgrading Windows NT 3 5x Server based Profiles to Windows NT 4 0 Roaming Profiles When you upgrade Windows NT 3 5x roaming profiles usr profiles you do not need to change anything in the profile path configured in the user account When the user logs on to a Windows NT 4 0 based machine and the profile is found to be a Windows NT 3 5x profile a process automatically looks for the equivalent Windows NT 4 0 profile If the profile isn t found a conversion proc ess creates a new Windows NT 4 0 profile using the settings established in the Windo
132. uch that the user cannot make changes No Will the user use a default profile from the server 1 Log on to a Windows NT 4 0 based computer and create a User Profile with the settings for the mandatory profile This will be a template profile 2 Log off the computer and log back on as Administrator 3 Using the User Profile Tab in Control Panel System select the template profile click the Copy To option set the permissions on the profile for the account or group that will have rights to use this profile 4 Enter or browse for the profile directory created earlier and click OK 5 Rename the NTuser dat file located in the profile directory created earlier to NTuser man Nothing needs to be done to the profile path or to the profile The Windows NT4 0 profile will be automatically upgraded and be placed in a directory called lt username gt pds Copy the default user profile from the no profiles directory to the NETLOGON share and modify it to meet specific needs When users log on for the first time without a local profile or a server based profile the default user profile from the server will be used y No changes necessary The Default User profile from the user s workstation will be used when no profile is found on the server or locally for the user on first logon When the user logs off their profile will be written to the server
133. ue Registry Data Description LinkResolvelgnoreLinklinfo REG_DWORD Off 0 or value is removed On 1 Autoexec bat Category Selection Description Key Windows NT System Parse Autoexec bat When this value is 1 the environment variables declared in the Autoexec bat file are included in the user s envi ronment HKEY_ CURRENT _USER Software Microsoft Windows NT CurrentVersion Winlogon Registry Value Registry Data Description ParseAutoexec REG_SZ Off 0 or value is removed On 1 Logon Scripts Category Selection Description Windows NT System Run logon scripts synchronously Determines whether the shell waits for the logon script to complete or not If the value is 0 the logon script is run during the startup of the shell and allows items in the Startup group to start If the value is 1 the logon script completes before the shell or any items in the Startup group are started If this value is also set in the Computer section the Computer section value takes precedence Key HKEY_CURRENT_USER Software Microsoft Windows NT CurrentVersion Winlogon Registry Value Registry Data Description RunLogonScriptSync REG_DWORD Off 0 or value is removed On 1 Task Manager Category Windows NT System Selection Disable Task Manager Description Enables or disables the user s ability to start Task Man ager to view processes applications running and make c
134. urrentVersion Winlogon Registry Value Registry Data Description RunLogonScriptSync REG_SZ Off 0 or value is removed On 1 Long File Names Category Windows NT System Subcategory File system Selection Do not create 8 3 file names for long file names Key HKEY_LOCAL_MACHINE System CurrentControlSet Control FileSystem Registry Value Registry Data Description NtfsDisable8dot3NameCreation REG DWORD _ Off 0 or value is removed On 1 Extended Characters in 8 3 File Names Category Windows NT System Subcategory File system Selection Allow extended characters in 8 3 file names Description Short file names with extended characters may not be viewable on computers that do not have the same char acter code page Microsoft Windows NT Server White Paper 77 78 Microsoft Windows NT Server White Paper Key HKEY_ LOCAL MACHINE System CurrentControlSet Control FileSystem Registry Value Registry Data Description NtfsAllowExtendedCharacterIn8dot3Name REG _DWORD _ Off 0 or value is removed On 1 Read Only Files Last Access Time Category Windows NT System Subcategory File system Selection Do not update last access time Description For files that are only to be read specifies do not update the last access time This increases the file system s performance Key HKEY_LOCAL_MACHINE System CurrentControlSet Control FileSystem Registry Value Registry Data Desc
135. ved When you select an option the pane below it contains other configurable items that relate to the setting you modified as well as information about the option you selected When administering System Policies if you specify paths for particular op tions such as wallpaper ensure that the paths are consistent across all workstations that will receive the policy file Setting Folder Paths Back to Defaults If you create a policy file and then change the path to any of the custom shared folders or custom user specific folders the change overrides the de fault setting established in the adm file For example by default a user s program folder path is USERPROFILE Start Menu Programs If the policy file is not modified from the default this value is not changed for the client computer However you can modify this value to point to a server location that contains different shortcuts To do this click the option in the System Policy Editor and specify the path to the folder containing the short cuts Once this change is applied the user will receive the new shortcuts Suppose however that you want to restore the user s environment to the state it was in before the change was made To do this follow the procedure described next To restore the defaults 1 Open the policy file and click the option to clear the check box 2 Save and close the policy file 3 Reopen the policy file and click the option to re enable it The ori
136. vely you can copy the profile and use the instructions from the section Encoding Per missions in the User Profile to change the permissions However this requires that you manually edit the registry Creating Profiles Without User Specific Connections In some cases you may want to create profiles that include preconfigured per sistent connections However if you need to supply alternate credentials when you Create the template profile this can cause problems for users later when the profile is used Information about persistent connections is stored in the registry location HKEY_CURRENT_USER Network This key has subkeys that list the persis tent drive connections by drive letter For each of these subkeys there is a value of UserName lf alternate credentials must be supplied to make the con nection those credentials are also stored here Note that this includes only the domain and user account name the password is not included When the user receives this profile and logs on Windows NT attempts to reconnect the drive but the alternate credentials are sent rather than those of the logged on user Note that if the UserName value contains a blank string the credentials of the logged on user are sent which is the desired behavior in this case To avoid inadequate credentials or wrong credentials being sent use one of the following approaches e Avoid having to supply alternate credentials when you create the connec
137. ws NT 3 5x profile During the conversion process Windows NT 4 0 creates a directory for the new profile in the same location as the existing Windows NT 3 5x profile The resulting directory has a pds extension which stands for Profile Directory Structure rather than the previous Windows NT 3 5x usr extension For ex ample if the User Profile path for the Windows NT 3 5x user mydomainuser is lmyserver myshare mydomainuser usr and the user logs on to a Windows NT 4 0 based machine the profile directory mydomainuser pds would be created within myserver myshare This approach allows the user to log on to the network from either a Windows NT 3 5x or 4 0 based workstation If the user were to log on from a Windows NT 3 5x based computer the profile path would direct the Windows NT 3 5x based machine to the User Profile used prior to the Windows NT 4 0 upgrade If the user then moved to a Windows NT 4 0 based computer the user s Windows NT based workstation would recognize that the profile contained Windows NT 3 5x syntax would replace the usr with pds and would then use that string to locate the Windows NT 4 0 profile The re sulting Windows NT 4 0 structure will be the Windows NT 3 51 profile now NTuser xxx and the Default User Profile folders It is important to emphasize that the Windows NT 3 5x profile is not de leted it is still available to the user should they ever log on from a Windows NT 3 5x based computer It is also imp
Download Pdf Manuals
Related Search