Configuring and Managing User Profiles


In Windows XP Professional, user profiles automatically create and maintain desktop settings for each user's work environment on a local computer. A profile can include settings such as installed applications, desktop icons, and screensavers. This article describes user profiles and group policies, explains how to configure group policies, and gives insight into Group Policy objects.

User Profile: A user profile contains data that defines a user's specific environment settings and preferences. A user profile is created for each user when he logs on to a computer for the first time. When the user logs on, the profile is downloaded to the local computer, and the environment settings there are changed accordingly.

A Microsoft Windows user profile describes the Windows configuration for a specific user, including the user's environment and preference settings. User profiles include all user-specific settings of a user's Windows XP Professional environment including program items, screen colors, network connections, printer connections, mouse settings, window size and position, and desktop preferences.

User profiles provide several benefits to users. For example, when a user logs on to his workstation, he receives the desktop settings as they were when he logged off. Also, when a different user logs on to the same computer, he receives his own desktop settings. A local user profile is stored on a local computer and cannot be accessed from the network.

Adding a new user to the computer

When you add a new user to your computer, it means that the new user will be allowed to access the files and programs on your computer.

If your computer is on a domain, you must be logged on as an administrator or a member of the Administrators group to complete this process. If your computer is not on a domain, you must have a computer administrator account to add a new user to the computer.

Note: If you have administrative privileges, you can copy one user profile to another.

Sometimes a user profile can become corrupted due to a time-out that occurs upon logoff. The common issues that arise are usually associated with opening or saving files, especially in Adobe and Word: files are reported as locked or available only as read-only. In such circumstances, it is necessary to 'reset' the user profile, allowing the computer to recreate it the next time you log on.

A user profile consists of a home directory for the user, along with some standard subdirectories and files that allow the operating system to store per-user settings. User profiles come in four flavors: local, roaming, mandatory, and network default. A local user profile is stored on a local computer's hard disk and has limited functionality. It is created automatically when a user logs on to the computer for the first time, and it cannot be accessed from the network.

You can store two types of profiles on a network server: roaming profiles and mandatory profiles. A roaming user profile is stored in a centralized place and can be accessed from the network. When you log on to your workstation, you receive the same desktop settings as they existed when you logged off. Also, when several users log on to the same computer, each receives a customized desktop.

Any time a user logs on to a Windows XP workstation, Windows automatically creates a profile for that user, if that user account does not already have a roaming profile. The profiles are stored in the Documents and Settings folder and are contained within a sub-folder bearing the user's name. The roaming profile takes precedence over any local profile that might exist. Therefore, the entire profile is copied from the server to the local C:\Documents and Settings folder as a part of the login process, and when the user logs off, the local profile is copied to the network.

Note: By default, the local computer stores local profiles in the %Systemroot%\Profiles folder. You locate both roaming and mandatory profiles on a network server available to client workstations in the domain.

A mandatory user profile is a roaming user profile that cannot be modified and saved by a user. It is created by changing the name of the NTUSER.DAT file in the directory to NTUSER.MAN and entering the profile UNC path into the User Profile path located in the User Environment Profile dialog box for each user. Windows NT uses a network default profile named Default User in the NetLogon share (%system%\system32\repl\import\scripts) on all domain controllers.

Note: If you want to configure a common profile to be shared by a specific user group and want to restrict changes by users, you will have to rename NTUSER.DAT to NTUSER.MAN. Profiles with the .MAN extension are mandatory profiles.

Exam Alert

Windows Installer, by default, uses Transacted Installation. It provides the ability to undo all operations performed during an installation. It keeps all transaction information to perform undo operations, in case the upgrade or the installation fails. Files deleted or overwritten during the process of installation or removal are temporarily saved to a backup location, so that they can be restored, if necessary.

The Windows Installer feature is used for reliable and resilient software installation and removal. It performs the following tasks:

  • Restores original state of the computer upon installation failure.
  • Helps prevent certain forms of inter-application conflicts.
  • Reliably removes existing programs.
  • Diagnoses and repairs corrupted applications.
  • Supports on-demand installation of application features.
  • Supports unattended application installation.

Group policy

Group policies specify how programs, network resources, and the operating system work for users and computers in an organization. They are collections of user and computer configuration settings that are applied to users and computers (not to groups). Group Policy objects are used to facilitate group policy administration in the Windows environment. Groups are listed by priority in the System Policy Editor dialog box, Group Priority tab. When a user is in multiple groups, the highest priority group's policy applies.

Group Policy can control a target object's (user or computer) registry settings (HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER), NTFS security, audit and security policy, software installation, logon/logoff scripts, folder redirection, and Internet Explorer settings. The policy settings are stored in Group Policy Objects (GPOs).

In Windows Server 2003, Group Policy and the Active Directory services infrastructure enable IT administrators to automate one-to-many management of users and computers, thereby simplifying administrative goals and reducing IT costs. A GPO is internally referenced by a Globally Unique Identifier (GUID). Each object may be linked to multiple sites, domains or organizational units. Hence, thousands of computers and users can be updated via a simple change to a single GPO.

Group Policies are analyzed and applied to computers at startup and to users when they log on. The client computer refreshes most of the Group Policy settings periodically (90-120 minutes).

Group Policy Object: A Group Policy object (GPO) is a collection of group policy settings. It can be created using a Windows utility known as the Group Policy snap-in. A GPO affects the user and computer accounts located in sites, domains, and organizational units (OUs). The Windows 2000/2003 operating systems support two types of GPOs: local and non-local (Active Directory-based) GPOs.

Note: The computers that are members of a workgroup are not affected by the non-local GPO policy settings. They process only the local GPOs.

With the introduction of Group Policy Management Console (GPMC), policy-based management has become easier. To create a GPO, you use the Group Policy Management Console (GPMC) in conjunction with the Group Policy Object Editor. Administrators can efficiently implement security settings, enforce IT policies, and distribute software consistently across a given site, domain, or range of organizational units. The Microsoft Management Console (MMC) Group Policy snap-in can be used to create and manage Group Policy objects if the user has the correct permissions.

Gradual deployment of applications: You can choose gradual deployment of package files. It is a good practice to install a package file properly for a certain group, before releasing an application to the entire organization. As application deployments are through GPOs, you can use a group policy to limit your deployment to a particular group.

The following steps are required for gradual deployment of an application:

  • Create a GPO to assign or publish an application.
  • Remove the Apply Group Policy permission for the Authenticated Users group.
  • Create a security group and grant this group Read and Apply Group Policy permissions.
  • Apply the group policy, and make sure that the security group, created for testing a deployment, can install the software without any problem.

Local GPOs

Local GPOs are used to control the policies on a local server running Windows 2000/2003 Server. On each Windows 2000/2003 server, a local GPO is stored. The local GPO affects only the computer on which it is stored. By default, only the Security Settings nodes are configured. The rest of the settings are either disabled or not enabled. The local GPO is stored in the %systemroot%\SYSTEM32\GROUPPOLICY folder.

Non-local GPOs

Non-local GPOs are used to control the policies on an Active Directory-based network. A Windows 2000/2003 server needs to be configured as a domain controller on the network to use a non-local GPO. The non-local GPOs must be linked to a site, domain, or organizational unit (OU) to apply group policies to the user or computer objects. The non-local GPOs are stored in %systemroot%\SYSVOL\<domain name>\POLICIES\<GPO GUID>\ADM, where <GPO GUID> is the GPO's globally unique identifier.

The following two non-local GPOs are created by default when the Active Directory is installed:

Default Domain Policy: This GPO is linked to the domain, and it affects all the users and computers in the domain.

Default Domain Controllers Policy: This GPO is linked to the Domain Controllers OU, and it affects all the domain controllers placed in this OU.

Multiple GPOs

When multiple group policy objects are assigned, the group policies are applied in the following order:

  1. The local group policy object is applied first.
  2. Then, the group policy objects linked to the sites are applied. If multiple GPOs exist for a site, they are applied in the order specified by an administrator.
  3. GPOs linked to the domains are applied in the specified order.
  4. Finally, GPOs linked to OUs are applied. The OU group policy objects are set from the largest to the smallest organizational unit, i.e., first the parent OU and then the child OUs.

By default, a policy applied later overwrites a policy that was applied earlier. Hence, the settings in a child OU can override the settings in the parent OU.

Group policy settings are cumulative if they are compatible with each other. In case they conflict with each other, the GPO processed later takes precedence. The following are the exceptions with regard to the above-mentioned settings:

No Override: Any GPO can be set to No Override. If the No Override configuration is set to a GPO, no policy configured in the GPO can be overridden. If more than one GPO has been set to No Override, the one that is the highest in the Active Directory hierarchy takes precedence.

Block Policy Inheritance: The Block Policy Inheritance option can be applied to the site, domain, or OU. It deflects all group policy settings that reach the site, domain, or OU from the object higher in the hierarchy. However, the GPOs configured with the No Override option are always applied.

Loopback Setting: By default, user settings override computer settings in case of any conflict in policy settings. By configuring the loopback setting, an administrator can reverse the order in which policies are applied. When the Loopback option is configured, the computer settings take precedence over the user settings. The Loopback option can be set as Not Configured, Enabled, or Disabled. The enabled Loopback option can be set in the following two modes:

  • Replace mode: In this mode, the computer policy settings override the user policy settings.
  • Merge mode: In this mode, the computer policy settings are appended to the user policy settings.

Note: The non-local GPO policy settings do not affect the computers that are members of a workgroup. They process only the local GPOs.
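
The processing order and the No Override and Block Policy Inheritance exceptions described above can be checked with a small model, which is useful when verifying that a security baseline set at the domain still wins at a child OU. This is an added example, not part of the original article: the GPO names, container names and settings are constructed, and the model assumes that the local GPO is not subject to blocking and that GPOs within one container keep their listed order.

```python
from dataclasses import dataclass

@dataclass
class GPO:
    name: str
    settings: dict            # setting -> value; a missing key means Not Configured
    no_override: bool = False

@dataclass
class Container:              # a site, domain or OU
    name: str
    gpos: list                # linked GPOs, in the administrator-specified order
    block_inheritance: bool = False

def effective_settings(local_gpo, chain):
    """Resolve settings for an object whose containers are `chain`,
    ordered site, domain, parent OU, ..., child OU.
    Returns {setting: (value, name of the GPO that supplied it)}."""
    # Index of the lowest container that blocks inheritance (0 if none blocks).
    blocked_below = max((i for i, c in enumerate(chain) if c.block_inheritance),
                        default=0)
    ordered = [(-1, local_gpo)]   # local GPO first (assumed not affected by blocking)
    for depth, container in enumerate(chain):
        for gpo in container.gpos:
            # GPOs linked above a blocking container are dropped unless No Override.
            if depth >= blocked_below or gpo.no_override:
                ordered.append((depth, gpo))
    result = {}
    # Pass 1: local, site, domain, OU order; a later GPO overwrites on conflict.
    for _, gpo in ordered:
        if not gpo.no_override:
            for key, value in gpo.settings.items():
                result[key] = (value, gpo.name)
    # Pass 2: No Override GPOs, lowest container first, so that the one
    # highest in the hierarchy is written last and wins.
    forced = [(d, g) for d, g in ordered if g.no_override]
    for _, gpo in sorted(forced, key=lambda entry: -entry[0]):
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result

# Constructed sample hierarchy (all names and settings are hypothetical).
LOCAL = GPO("Local", {"ScreenSaverTimeout": 900, "RunMenu": "Enabled"})
SITE = Container("Site-HQ", [GPO("SiteProxy", {"Proxy": "proxy.hq.example"})])
DOMAIN = Container("example.local", [
    GPO("Default Domain Policy", {"HideControlPanel": "Enabled",
                                  "ScreenSaverTimeout": 600}),
    GPO("DomainLockdown", {"RunMenu": "Disabled"}, no_override=True),
])
PARENT_OU = Container("OU=Staff", [GPO("StaffDesktop", {"Wallpaper": "corp.bmp"})])
CHILD_OU = Container("OU=Kiosks", [
    GPO("KioskPolicy", {"ScreenSaverTimeout": 120, "RunMenu": "Enabled"})])

def demo(block=False):
    """Effective settings for an object in OU=Kiosks, with or without blocking."""
    CHILD_OU.block_inheritance = block
    return effective_settings(LOCAL, [SITE, DOMAIN, PARENT_OU, CHILD_OU])

if __name__ == "__main__":
    for block in (False, True):
        print("block inheritance:", block)
        for key, (value, source) in sorted(demo(block).items()):
            print(f"  {key} = {value}  (from {source})")
```

With blocking enabled on the child OU, the site, domain and parent OU settings disappear, but the No Override GPO still forces `RunMenu` to `Disabled`.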

Group Policy Inheritance

The group policies are inherited from parent to child within a domain. They are not inherited from parent domain to child domain. The following are the rules regarding group policy inheritance:

  • If a policy setting is configured (Enabled or Disabled) for a parent OU, and the same policy setting is not configured for its child OUs, the child OUs inherit the parent's policy.
  • If a policy setting is configured (Enabled or Disabled) for a parent OU, and the same policy setting is configured for its child OUs, the child OUs' settings override the settings inherited from the parent OU.
  • If any policy is not configured, no inheritance takes place.
  • Compatible policy settings configured at the parent and child OUs are accumulated.
  • Incompatible policy settings from the parent OU are not inherited.

Filtering Scope of GPOs

Although GPOs are linked to a site, domain, or OUs, and they cannot be linked to the security groups directly, applying permissions to a GPO can filter its scope. The policies in a non-local GPO apply only to the users who have the Read and Apply Group Policy permissions set to Allow. By specifying appropriate permissions to the security groups, administrators can filter a GPO's scope for the computers and users.

Note: The Apply Group Policy permission is not available with the local GPO.

Apply Group Policy permission: 'Apply Group Policy' is a type of permission, like the Read, Write, and Execute permissions. A user is affected by a GPO's settings only if he has the Read and Apply Group Policy permissions on the GPO. Assigning this permission to the Authenticated Users group will enable all the members of the Active Directory container to use the software installation GPO for the deployment of an application.

Assigning Applications: When an application is assigned to a user, it is advertised to the user the next time he logs on to a client computer. The application assigned appears on the Start menu and the registry is updated accordingly. This process is known as 'advertisement'. The application is installed when the user selects the application from the Start menu for the first time or when a document associated with the application is activated.

When an application is assigned to a computer, the application is advertised and the installation is performed when the computer starts up.

Publishing Applications: When an application is published to a user, the published application stores the advertisement attributes in Active Directory. Users can then install the application either by using Add/Remove Programs in Control Panel or by clicking any file associated with the application.

Publishing an application creates no shortcuts on the desktop or Start menu. It does not change the local registry on a user's computer.

Note: An application cannot be published to computers.

Gradual deployment is preferred for smooth deployment of software or an application throughout an organization.

Home Folder: If you assign a home folder to a user, you can store the user's data in a shared folder on a file server or on a network server, and make backup and recovery of data easier and more reliable. If no home folder is assigned, the computer will assign a default folder for the user.

My Documents Folder: When there is more than one person using the computer, Windows creates a My Documents folder for each user on the computer. The My Documents folder is your personal folder that stores your documents, graphics, and other personal files.

By default, the target or actual location of the My Documents folder is C:\Documents and Settings\user name\My Documents, where C is the drive on which Windows is installed, and user name is the currently logged-on user. You can change the target location for the My Documents folder.

In Windows XP, the My Documents folder is an alternative for home folders but does not replace them. When a user tries to save or open a file, most programs determine whether to use the home folder or My Documents in one of the following two ways:

  1. If a file with *.doc or *.txt extension is found, the program opens the home folder and ignores My Documents.
  2. If a file of that type is not found, the program opens My Documents. In other programs, the home folder is ignored, regardless of whether or not the home folder contains any files.

In addition to the My Documents folder, you can also have home folders to store your personal documents. You can store your home folders on a file server and access them from any client computer on the network.

Logon Script: As part of the User Management in Computer Management, you can define a Logon script, which will be executed when you log on locally to your computer. Such logon script can contain any valid Windows XP Command line instruction. To complete this procedure, you must log on as an administrator or as a member of the Administrators group. If your computer is connected to a network, network policy settings also affect your ability to complete this procedure.

Note: This logon script runs when the local user logs on locally to the computer but does not run when the user logs on to the domain.

GUID: It is a unique 128-bit number that is produced by the Windows OS or by some Windows applications to identify a particular component, application, file, database entry, and/or user. For example, a Web site may generate a GUID and assign it to a user's browser to record and track the session.

A GUID is also used in the Windows registry to identify COM DLLs. Knowing where to look in the registry and having the correct GUID yields a lot of information about a COM object (i.e., information in the type library, its physical location, etc.). Windows also identifies user accounts by a username (computer/domain and username) and assigns it a GUID. Some database administrators will even use GUIDs as primary key values in databases.

Summary
  • A user profile contains data that defines a user's specific environment settings and preferences. A user profile is created for each user when he logs on to a computer for the first time.
  • A user profile contains all user settings for the user environment, including Start menu entries, desktop icons, display settings, and background colors. User profiles come in four flavors: local, roaming, mandatory, and network default.
  • A local user profile is stored on a local computer and has limited functionality. It cannot be accessed from the network. In addition, a hard disk crash or computer failure will destroy a local profile, and you will have to reconfigure the desktop settings.
  • Group policies specify how programs, network resources, and the operating system work for users and computers in an organization. They are collections of user and computer configuration settings that are applied on the users and computers (not on groups).
  • Groups are listed by priority in the System Policy Editor dialog box, Group Priority tab. When a user is in multiple groups, the highest priority group's policy applies. The groups may be moved up and down the list which sets their relative priorities.
  • The Microsoft Management Console (MMC) Group Policy snap-in can be used to create and manage Group Policy objects if the user has the correct permissions. Enterprise Admins, Domain Admins groups and domain Administrators have correct permissions.


