DOCUMENT:Q161334  27-SEP-2001  [crossnet]
TITLE   :Guide To Windows NT 4.0 Profiles and Policies (Part 1 of 6)
PRODUCT :Windows for Workgroups and Windows NT Networking Issues
PROD/VER::4.0
OPER/SYS:
KEYWORDS:kbenv kbinterop

======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Server version 4.0
 - Microsoft Windows NT Workstation version 4.0
 - Microsoft Windows 95
-------------------------------------------------------------------------------

SUMMARY
=======

This article is the first in a series of articles that provides information and procedures for implementing Microsoft Windows NT 4.0 Profiles and Policies on client workstations and servers.

A whitepaper is available that contains all of this information and additional flowcharts, diagrams and examples. It can be downloaded from the following web page:

   http://www.microsoft.com/ntserver/techresources/management/prof_policies.asp

For the other sections of this guide, please see the following article(s) in the Microsoft Knowledge Base:

   Q185587 Guide to Windows NT 4.0 Profiles & Policies Part 2 of 6
   Q185588 Guide to Windows NT 4.0 Profiles & Policies Part 3 of 6
   Q185589 Guide to Windows NT 4.0 Profiles & Policies Part 4 of 6
   Q185590 Guide to Windows NT 4.0 Profiles & Policies Part 5 of 6
   Q185591 Guide to Windows NT 4.0 Profiles & Policies Part 6 of 6

MORE INFORMATION
================

Windows NT Server Operating System White Paper
Guide to Microsoft Windows NT 4.0 Profiles and Policies

Copyright 1997 Microsoft Corporation. All rights reserved.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication.
Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Microsoft, the BackOffice logo, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other product or company names mentioned herein may be the trademarks of their respective owners.

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399 USA

0997

Abstract
========

This guide provides information and procedures for implementing Microsoft Windows NT 4.0 Profiles and Policies on client workstations and servers. A Microsoft Windows NT 4.0 User Profile describes the Windows NT configuration for a specific user, including the user's environment and preference settings. A System Policy is a set of registry settings that together define the computer resources available to a group of users or an individual. With the addition of System Policies and the new User Profile structure to Windows NT 4.0, network administrators have a greater ability to control the user environment than they have ever had before.

This document provides the details that administrators need to know to implement a rollout of User Profiles and System Policies under Windows NT 4.0. Although the primary emphasis is Windows NT, this paper also discusses how User Profiles are handled with Windows 95 clients and how the two platforms differ. You should use this guide in conjunction with your Windows NT 4.0 documentation and Resource Kits.

CONTENTS
========

Introduction
TCO and the User
Profiles, Policies, and the Zero Administration Kit
What are User Profiles and System Policies?
Before You Begin
Key Terminology
Technical Notes
Establishing User Profiles - An Overview
Creating and Administering User Profiles
User Profile Structure
   Configuration Preferences Stored in the Registry Hive
   Configuration Preferences Stored in Profile Directories
Windows NT 4.0 and Windows 95 User Profile Differences
   How User Profiles Are Handled in Windows 95
User Profile Planning and Implementation
Setting Permissions for User Profiles
Encoding Permissions in the User Profile
Selecting a Location to Save User Profiles
Setting Persistent Connections
Working Around Slow Network Links
Creating and Maintaining User Profiles
Creating a New Roaming User Profile for Windows NT 4.0
Creating a New Mandatory User Profile for Windows NT 4.0
Making a Roaming Profile Mandatory in Windows NT 4.0
Changing the User's Ability to Modify a Profile
Enforcing the Use of the Server-based Profile
Creating a New Roaming User Profile for a Windows 95 User
Creating a New Mandatory User Profile for Windows 95
Maintaining User Profiles with Control Panel System Properties
Deleting Profiles
Changing the Profile Type from Roaming to Local
Determining Which Profile Is Displayed
Copying Profiles
Viewing the Contents of the Profiles Directory on a Local Computer
Log Files Used by Profiles
The All Users Shared Profile
Default User Template Profiles
Profile Names and Storage in the Registry
Manually Administering a User Profile through the Registry
Modifying the Default User Profile
Upgrading Windows NT 3.5x Server-based Profiles to Windows NT 4.0 Roaming Profiles
Upgrading Windows NT 3.5x Mandatory Profiles to Windows NT 4.0 Mandatory Profiles
Extracting a User Profile for Use on Another Domain or Machine
Creating Profiles Without User-Specific Connections
Troubleshooting User Profiles with the UserEnv.log File
System Policy - An Introduction
System Policy Files
Policy Replication
How Policies Are Applied
Additional Implementation Considerations
The System Policy Editor
Installing the System Policy Editor on a Windows NT Workstation
Installing the System Policy Editor on a Windows 95 Computer
Updating the Registry with the System Policy Editor
System Policy Editor Template (.Adm) Files
Configuring Policy Settings
Setting Folder Paths Back to Defaults
Creating a System Policy
Creating Alternate Folder Paths
Setting Up Shortcuts for Server-based Profiles
Deploying Policies for Windows NT 4.0 Machines
Deploying Policies for Windows 95 Machines
Modifying Policy Settings on Stand-Alone Workstations
Creating a Custom .Adm File
Configuring System Policies Based on Geographic Location
Clearing the Documents Available List
Building Fault Tolerance for Custom Shared Folders
Registry Keys Modified by the System Policy Editor Default Templates
Default User Settings
   Control Panel Display
   Application Wallpaper
   Color Scheme
   Start Menu Run Command
   Settings Folders
   Settings Taskbar
   Start Menu Find Command
   My Computer Drive Icons
   Network Neighborhood Icon
   Network Neighborhood Display
   Network Neighborhood Workgroup Contents
   Desktop Display
   Start Menu Shut Down Command
   Saved Settings
   Registry Editing Tools
   Windows Applications Restrictions
   Custom Programs
   Custom Desktop Icons
   Start Menu Subfolders
   Custom Startup Folder
   Custom Network Neighborhood
   Custom Start Menu
   Shell Extensions
   Explorer File Menu
   Start Menu Common Program Groups
   Taskbar Context Menus
   Explorer Context Menu
   Network Connections Explorer Context Menu
   Autoexec.bat
   Logon Scripts
   Task Manager
   Welcome Tips
Default Computer Settings
   Remote Update
   Communities
   Permitted Managers
   Public Community Traps
   Run Command
   Drive Shares - Workstation
   Drive Shares - Server
   Printer Browse Thread
   Server Scheduler
   Error Beep
   Authentication Retries
   Authentication Time Limit
   RAS Call-back Interval
   RAS Auto-disconnect
   Shared Programs Folder Path
   Shared Desktop Icons Path
   Shared Start Menu Path
   Shared Startup Folder Path
   Logon Banner
   Logon Dialog Shut Down Button
   Logon Name Display
   Logon Scripts
   Long File Names
   Extended Characters in 8.3 File Names
   Read Only Files - Last Access Time
   Cached Roaming Profiles
   Slow Network Detection
   Slow Network Timeout
   Dialog Box Timeout
Registry Entries Not Included in the System Policy Editor
   Autorun
   Start Banner
Appendix B - Implementing User Profiles
   Existing Windows NT 3.5x Roaming Profile
   Migrating Windows NT 3.5x Roaming Profile to Windows NT 4.0 Roaming Profile
   Migrating Windows NT 3.5x Mandatory Profile to Windows NT 4.0 Mandatory Profile
   Migrating Windows NT 3.5x Mandatory Profile to Windows NT 4.0 Roaming Profile
   Creating a New Windows NT 4.0 Roaming Profile
   Creating a New Windows NT 4.0 Mandatory Profile
   Updating and Changing a Roaming Profile to a Mandatory Profile
   Changing a Roaming Profile to a Mandatory Profile
Appendix C - Usage Notes
   Important Information for Administrators Regarding User Logons and User Logoffs
   Recent Updates to Profiles Since Retail Release
   Recent Updates to Policies Since Retail Release
APPENDIX D - Related Knowledge Base Articles
   Profiles
   Policies

INTRODUCTION
============

Not too many years ago, information technology professionals faced a serious challenge in controlling the mounting costs of mainframe use. It seemed that everyone (clerks, writers, developers, and systems administrators) had terminals and was using the system for everything from number crunching to typing letters. Networks became bogged down, and IT professionals were given the task of getting "nonessential operations" off the mainframe. Their decision was to deploy personal computers in the enterprise, with emulation software for mainframe access and local software for tasks where central processing or data sharing were not required. Gradually, as PCs became more powerful, more and more operations moved to the desktop. And as PC networking matured, many businesses found that a PC-based network built on commodity hardware and off-the-shelf software was their best business solution.
Lately, however, we've come full circle on this. It seems that the total cost of ownership (or TCO), the real cost of maintaining a distributed personal computer network, is far from trivial. TCO includes the initial capital cost of hardware and software, deployment and configuration expense, costs associated with deploying hardware and software updates, training and retraining, day-to-day maintenance and administration, and telephone and on-site technical support. With these escalating costs in mind, Microsoft and others are working together on several initiatives to lower the total cost of ownership of personal computers.

TCO AND THE USER
================

One of the major costs highlighted in recent reports on Total Cost of Ownership (TCO) is lost productivity at the desktop caused by user error, such as changing the system configuration and rendering the computer unworkable, or by system distractions and complexities, for example too many features or nonessential applications installed on the desktop. To solve these problems, system administrators need a means to control a user's access to key configuration files and to features and applications that are not required to do that user's particular job. To be successful, this means of control must be flexible and customizable: the system administrator must be able to control the computer configurations of individuals and groups of users based on user job responsibilities and computer literacy.

PROFILES, POLICIES, AND THE ZERO ADMINISTRATION KIT
===================================================

The Zero Administration Kit (ZAK) for the Microsoft Windows NT version 4.0 operating system is designed to help the corporate administrator address some of the issues arising from user operations. ZAK is a set of methodologies for deploying Microsoft Windows NT 4.0 that greatly reduces the burden of individual desktop management for task-based workers.
With ZAK, system administrators can establish user profiles, system policies, and security to reduce some of the administrative costs associated with managing end-users in an enterprise network. ZAK's methodologies are based on the underlying technologies and capabilities of Windows NT 4.0, and as such these techniques can readily be adapted to accommodate a corporation's specific computing requirements.

In the near future, you will see additional TCO-reducing features appear in Microsoft Windows 98, Windows NT 5.0, and Microsoft Systems Management Server. Central to these features is the idea of centralized desktop control. This is accomplished through User Profiles and System Policies, the subject of this paper.

WHAT ARE USER PROFILES AND SYSTEM POLICIES?
===========================================

A Microsoft Windows NT 4.0 User Profile describes the Windows NT configuration for a specific user, including the user's environment and preference settings. For example, those settings and configuration options specific to the user, such as installed applications, desktop icons, color options, and so forth, are contained in a User Profile. This profile is built in part from System Policy information (for example, those things that a user has access to and those things that the user can and cannot change) and in part from permitted, saved changes that a user makes to customize his or her desktop.

A System Policy is a set of registry settings that together define the computer resources available to a group of users or an individual. Policies define the various facets of the desktop environment that a system administrator needs to control, such as which applications are available, which applications appear on the user's desktop, which applications and options appear in the Start menu, who can change attributes of their desktops and who cannot, and so forth.
With the addition of System Policies and the new User Profile structure to Windows NT 4.0, network administrators have a greater ability to control the user environment than they ever have had before. Many of the enhancements that customers requested, including more options for controlling the user's desktop, control over access to applications and system tools, reduced administrative overhead, and better scalability, have been added. And, as with every release, Microsoft encourages customer feedback on enhancements to the Windows NT operating system.

This document provides the details that administrators need to implement a rollout of User Profiles and System Policies under Windows NT 4.0. Although the primary emphasis is Windows NT, this paper also discusses how User Profiles are handled with Windows 95 clients and how the two platforms differ.

BEFORE YOU BEGIN
================

Before proceeding with this document, we recommend that you read Chapters 3 and 4 of the Windows NT 4.0 Concepts and Planning Guide. In addition, you should be familiar with the following terms and concepts.

KEY TERMINOLOGY
===============

Directory Replication
   The copying of a master set of directories from a server (called the export server) to specified servers or workstations (called import computers) in the same or other domains. Replication simplifies the task of maintaining identical sets of directories and files on multiple computers, because only a single master copy of the data is maintained. Files are replicated when they are added to an export directory and each time a change is saved to one of the exported files.

Domain Structure
   In Windows NT, a domain is a collection of computers, defined by the administrator of a Windows NT Server network, that share a common directory database. A domain provides access to the centralized user accounts and group accounts maintained by the domain administrator. Each domain has a unique name.
Home Directory
   A home directory is a directory that is accessible to the user and contains files and programs for that user. A home directory can be assigned to a single user or to a group of users.

Local Profile
   A local profile is specific to a computer. A user who has a local profile on a particular computer can gain access to that profile only while logged on to that computer.

Mandatory Profile
   A mandatory profile is a preconfigured roaming profile that the user cannot change. In most cases, these are assigned to a person or a group of people for whom a common interface and standard configuration is required.

NetLogon Service
   For Windows NT Server, the NetLogon service authenticates domain logons and keeps the domain's directory database synchronized between the primary domain controller (PDC) and the backup domain controllers (BDCs).

Regedt32.exe
   The 32-bit version of the Registry Editor.

Registry
   The registry is a database where Windows NT internal configuration information and machine- and user-specific settings are stored.

Registry Hive
   A hive is a section of the registry that is saved as a file. The registry subtree is divided into hives (named for their resemblance to the cellular structure of a beehive). A hive is a discrete body of keys, subkeys, and values.

Roaming Profile
   A roaming profile is stored on a network share and can be accessed from any computer. A user who has a roaming profile can log on to any computer for which that profile is valid and access the profile. (Note that a profile is only valid on the platform for which it was created; for example, a Windows NT 4.0 profile cannot be used on a Windows 95 computer.)

Roaming User
   A roaming user is a user who logs on to the network from different computers at different times. This type of user may use a kiosk or may share a bank of computers with other users. A roaming user stores his or her user profile on a network share, and can log on to any networked computer and access that profile.
System Policy
   A System Policy is a set of registry settings that together define the computer resources available to a group of users or an individual. You create system policies with the System Policy Editor. System policies allow an administrator to control user work environments and actions, and to enforce system configurations.

%systemroot%
   An environment variable that expands to become the root directory containing Windows NT files. The directory name is specified when Windows NT is installed (normally, this directory name is c:\winnt).

%systemroot%\profiles
   A folder in the root directory that contains the user profiles for each user of the computer.

%username%
   An environment variable that expands to become the user account ID for the currently logged on user. This identifies the user account to Windows NT.

TECHNICAL NOTES
===============

Several portions of this guide refer to registry locations that allow you to change certain behaviors of Windows NT and modify settings. For this reason, we include the following warning.

Caution: Using Registry Editor incorrectly can cause system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be resolved.

In addition, portions of this guide refer to a registry hive called NTuser.xxx. In instances where this is used, .xxx can be replaced with either .dat or .man.

ESTABLISHING USER PROFILES - AN OVERVIEW
========================================

A Microsoft Windows NT 4.0 User Profile describes the Windows NT configuration for a specific user, including the user's environment and preference settings. A User Profile can be local, roaming, or mandatory. A local profile is specific to a given computer. A user who creates a local profile on a particular computer can gain access to that profile only while logged on to that computer.
Conversely, a roaming profile is stored on a network share and can be accessed from any networked computer. A user who has a roaming profile can log on to any networked computer for which that profile is valid and access the profile. A mandatory profile is a preconfigured roaming profile that the user cannot change. As a system administrator, you may want to use mandatory profiles for a group of people who require a common interface and standard configuration.

One of the primary goals of User Profiles is to allow a user's system and desktop customizations to travel with the user from computer to computer, without requiring the user to reconfigure any settings. When a user logs on to any computer that supports his or her roaming profile, the desktop appears just as the user left it the last time he or she logged off. With roaming user support, users can share computers, but each user has his or her personal desktop on any computer in the network (both roaming and mandatory profiles support this functionality).

CREATING AND ADMINISTERING USER PROFILES
========================================

User Profiles can be created and administered in several different ways, as described next. Note that as a system administrator, you determine whether users can modify their profiles.

 - You create a User Profile that is not modifiable for a particular user or group (this is a mandatory profile).

 - You establish a network Default User Profile that applies to all new users on Windows NT 4.0 computers. After downloading this default profile and logging on, the user can customize the profile (provided that it is not mandatory).

 - You allow a new user to use the local Default User Profile on the Windows NT 4.0 computer where the user logs on. After logging on, the user can customize the profile (provided that it is not mandatory).

 - You copy a template User Profile, and assign the copy to a user. The user can then customize the profile (provided that it is not a mandatory profile).

Profiles can be stored on a network server or cached on the local machine. (Cached profiles are located in the %systemroot%\Profiles directory.) Caching a profile reduces the total time to log on and load the profile; however, in a roaming user or kiosk environment, this approach may not be optimal. This option is controlled by the administrator.

USER PROFILE STRUCTURE
======================

A User Profile is comprised of a Windows NT registry hive and a set of profile directories. The registry is a database used to store machine- and user-specific settings, and portions of the registry can be saved as files, called hives. These hives can then be reloaded for use as necessary. User Profiles take advantage of the hive feature to provide roaming profile functionality.

The User Profile registry hive is the NTuser.dat file, and it is mapped to the HKEY_CURRENT_USER portion of the registry when the user logs on. The NTuser.dat hive maintains the user's environment preferences while the user is logged on. It stores those settings that maintain network connections, Control Panel configurations unique to the user (such as the desktop color and mouse), and application-specific settings. The series of profile directories store shortcut links, desktop icons, startup applications, and so forth. Together, these two components record all user-configurable settings that can migrate from computer to computer. Details are provided below.

CONFIGURATION PREFERENCES STORED IN THE REGISTRY HIVE
=====================================================

The Ntuser.dat file contains the following configuration settings.

 - Windows NT Explorer settings. All user-definable settings for Windows NT Explorer, as well as persistent network connections.

 - Taskbar. All personal program groups and their properties, all program items and their properties, and all taskbar settings.

 - Printer settings.
   All network printer connections.

 - Control Panel. All user-defined settings made in the Control Panel.

 - Accessories. All user-specific application settings affecting the Windows NT environment, including: Calculator, Clock, Notepad, Paint, and HyperTerminal, among others.

 - Help bookmarks. Any bookmarks placed in the Windows NT Help system.

CONFIGURATION PREFERENCES STORED IN PROFILE DIRECTORIES
=======================================================

The profile directories are designed to contain the following configuration settings.

 - Application data. Application-specific data, such as a custom dictionary for a word processing program. Application vendors decide what data to store in this directory.

 - Desktop. Desktop items, including files and shortcuts.

 - Favorites. Shortcuts to program items and favorite locations.

 - NetHood.* Shortcuts to Network Neighborhood items.

 - Personal. Shortcuts to program items. Also a central store for any documents that the user creates. Applications should be written to save files here by default.

 - PrintHood.* Shortcuts to printer folder items.

 - Recent. Shortcuts to the most recently used items.

 - SendTo. Shortcuts to document storage locations and applications.

 - Start Menu. Shortcuts to program items.

 - Templates.* Shortcuts to template items.

 * These directories are hidden by default. To see these directories, change the View Options.

WINDOWS NT 4.0 AND WINDOWS 95 - USER PROFILE DIFFERENCES
========================================================

Windows 95 Profiles are very similar in behavior to Windows NT 4.0 Profiles, but there are some differences. Unlike Windows NT 4.0, Windows 95 downloads and writes User Profiles to the user's home directory. When the Windows 95 user first logs on, the UNC path specified in the user account's home directory path is checked for the Windows 95 User Profile. You can modify this behavior, however. See the Windows 95 Resource Kit for more information.
Windows 95 and Windows NT 4.0 User Profiles have the following additional functional differences:

 - Windows 95 does not support common groups.

 - Windows 95 can be configured to copy only the shortcut (.lnk) and Program Information Files (.pif) when the User Profile is downloaded, whereas Windows NT downloads all file, shortcut, and directory objects.

 - Windows 95 User Profiles do not support a centrally stored Default User Profile.

 - Windows 95 uses different files for the registry portion of User Profiles. (Refer to the following table.)

Windows 95 and Windows NT 4.0 profiles are not interchangeable, primarily because the registry hive, which is a key component of the User Profile, is incompatible between operating system versions.

   Windows NT 4.0 file     Equivalent Windows 95 file
   ------------------------------------------------
   Ntuser.dat              User.dat
   Ntuser.dat.log          User.da0
   Ntuser.man              User.man

NOTE: The Windows 95 User.da0 and Windows NT 4.0 Ntuser.dat.log, while equivalent, provide slightly different functionality. Windows 95 writes a copy of User.dat to User.da0 each time the user logs off. Windows NT uses the Ntuser.dat.log file as a transaction log file. This allows for fault tolerance in the event that a User Profile must be recovered.

Windows 95 and Windows NT 4.0 file structures are identical with the exception of the Application Data directory. Windows 95 does not support this directory.

Windows 95 User Profiles can be stored on NetWare servers. For more information on configuring a client with a Primary Network Logon of Client for NetWare Networks, see the chapter "Windows 95 on NetWare Networks" in the Windows 95 Resource Kit. For more information on configuring a client that uses Microsoft Service for NetWare Directory Services, see the online Help that accompanies the service.
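The profile layout described in the User Profile Structure section and the hive-file table above lend themselves to a simple audit: given a profile folder on a server share, an administrator can tell which platform it belongs to, whether it is mandatory (the hive is NTuser.man rather than NTuser.dat, so the user's changes are discarded at logoff), and whether any of the expected profile directories are absent. The following script is an added example and is not part of the Microsoft guide or any Microsoft tool; it only uses the directory names and hive file names the guide lists. The sample profiles it inspects are constructed in a temporary directory (with placeholder hive files, not real registry hives), so it runs offline on any operating system.

```python
"""Inspect Windows NT 4.0 / Windows 95 user profile directories.

Added example, not code from the Microsoft guide. It classifies a profile
folder by the registry hive file it contains, flags mandatory profiles
(*.man hive) and reports which expected profile directories are missing.
"""
import os
import tempfile

# Profile directories the guide lists for Windows NT 4.0; the guide states
# Windows 95 uses the same layout minus "Application Data".
NT4_PROFILE_DIRS = (
    "Application Data", "Desktop", "Favorites", "NetHood", "Personal",
    "PrintHood", "Recent", "SendTo", "Start Menu", "Templates",
)
WIN95_PROFILE_DIRS = tuple(d for d in NT4_PROFILE_DIRS if d != "Application Data")
EXPECTED_DIRS = {"Windows NT 4.0": NT4_PROFILE_DIRS, "Windows 95": WIN95_PROFILE_DIRS}

# Registry hive file names per platform, from the guide's equivalence table.
HIVE_FILES = {
    "Windows NT 4.0": {"hive": "Ntuser.dat", "log": "Ntuser.dat.log", "mandatory": "Ntuser.man"},
    "Windows 95": {"hive": "User.dat", "log": "User.da0", "mandatory": "User.man"},
}


def classify_profile(profile_dir):
    """Return a summary dict for one profile directory.

    Names are compared case-insensitively because FAT and NTFS volumes are
    case-insensitive, so "ntuser.dat" and "NTuser.dat" are the same file.
    """
    present = {name.lower(): name for name in os.listdir(profile_dir)}
    platform, mandatory = None, False
    for plat, files in HIVE_FILES.items():
        # A *.man hive marks a mandatory profile (one the user cannot change);
        # a *.dat hive marks a local or roaming profile.
        if files["mandatory"].lower() in present:
            platform, mandatory = plat, True
            break
        if files["hive"].lower() in present:
            platform = plat
            break
    if platform is None:
        return {"platform": None, "mandatory": False, "hive_file": None, "missing_dirs": []}
    hive_name = HIVE_FILES[platform]["mandatory" if mandatory else "hive"]
    return {
        "platform": platform,
        "mandatory": mandatory,
        "hive_file": present[hive_name.lower()],
        "missing_dirs": [d for d in EXPECTED_DIRS[platform] if d.lower() not in present],
    }


def build_sample_profile(root, platform, mandatory=False, omit=()):
    """Construct a sample profile tree under root (constructed data, not a real user's)."""
    name = platform.replace(" ", "_") + ("_mandatory" if mandatory else "")
    profile = os.path.join(root, name)
    os.makedirs(profile)
    files = HIVE_FILES[platform]
    hive = files["mandatory"] if mandatory else files["hive"]
    names = [hive] if mandatory else [hive, files["log"]]
    for fname in names:
        with open(os.path.join(profile, fname), "wb") as fh:
            fh.write(b"placeholder")  # constructed stand-in, not a real hive
    for d in EXPECTED_DIRS[platform]:
        if d not in omit:
            os.makedirs(os.path.join(profile, d))
    return profile


def demo():
    """Build three constructed profiles and classify each; returns the results."""
    root = tempfile.mkdtemp(prefix="profiles_")
    samples = {
        "nt4_roaming": build_sample_profile(root, "Windows NT 4.0"),
        "nt4_mandatory": build_sample_profile(root, "Windows NT 4.0", mandatory=True, omit=("Templates",)),
        "win95": build_sample_profile(root, "Windows 95"),
    }
    return {label: classify_profile(path) for label, path in samples.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Run against a real profiles share the same classify_profile() call answers the question an administrator most often needs when rolling out mandatory profiles: whether the hive in a given folder is actually named .man, since a folder that still carries NTuser.dat will let the user's changes persist at logoff. Hidden directories (NetHood, PrintHood, Templates) are picked up because os.listdir() does not honour the hidden attribute.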
Additional query words: wpaper

======================================================================
Keywords          : kbenv kbinterop
Technology        : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbWin95search kbZNotKeyword3
Version           : :4.0
Issue type        : kbinfo

=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 2001.