04McInerney.2 8/1/99 4:36 PM Page 61

FOUR

User Profiles

In This Chapter

Introduction
User Profile Overview
Creating a Roaming User Profile for NT 4.0
Profile Permissions
Amending the Profile with Regedt32
Default User Profile
Windows NT 3.5x Profile Upgrades
Creating a Roaming Profile for Windows 95

This chapter introduces the concept of user profiles and includes step-through examples on how to implement them in a Windows NT environment. User profiles are used in an NT environment to control the look and feel of the user desktop and available options at the workstation. This chapter focuses on user profiles defined within the NT workstation and environment but also includes some information on user profiles applied to Windows 95 clients.

Introduction

Client/server technology has long been heralded as the way forward for large IT infrastructures. The days of the centralized mainframe supplying the power for an enterprise have passed! Now, anybody who has worked in the IT business for any number of years knows that this is not strictly true. The promised yield of the client/server environment has never quite come to fruition. The lower costs, ease of maintenance, less costly hardware, and lower administrative overheads have been very difficult to spot.


Total cost of ownership (TCO) is a phrase that has been used more and more over the last few years. One of the main claims made all those years ago when the salesmen were trying to convince us to move away from the centralized mainframe systems was that client/server would lower the cost of owning and running an IT infrastructure.

Client/server technology certainly had a large impact and brought with it some major benefits, including distributed systems, distributed management, well-known GUI interfaces, and applications that were much more user friendly. It also brought with it the unforeseen costs. The difference in costs between distributed and centralized hardware has been reduced dramatically. Where once users had a terminal and were able to run one program interactively at a time, they are now faced with a desktop and many available applications. Training is not only needed now to run the applications but also to run the that used to be hidden from users. IT infrastructures are growing to huge proportions, and administrative costs escalate in proportion. In all, the cost of distributed systems is not quite as small as it may have been portrayed to be some years ago.

Recent studies show that a large amount of the TCO goes to providing user support. This is hardly surprising considering the technology available to the average user at the moment. Of these costs, a high proportion is used fixing problems caused by user interference with the computer services due to lack of understanding or to the complex nature of the systems today. After all, users may be faced with a desktop with ten or more applications. Those users may only need to run two applications for their particular job but policy may dictate that a uniform desktop is required to make administrative duties that bit “easier.” Some sort of control is needed to reduce the apparent complexity of the computer systems.

Average users performing an accountancy role don’t need to know how or why a system works. They need to know where their applications and resources are and how to use them. An investment in training so that everybody understands something about the computing environment is rarely wasted, but controls are needed to make sure that a little knowledge doesn’t cause a lot of damage.

User Profile Overview

One of the two main controls in a Windows NT network environment that helps lower the cost of administration and management is user profiles. The second control is system policies. System policies control availability and access to resources for a user or group and can be set either for users/groups or for the computer. System policies are discussed in Chapter Five.


What Is a User Profile?

A user profile is a group of settings that describe the look and feel of a user’s environment on a Windows NT or Windows 95 computer. It controls what appears on a desktop or what applications are accessible. User profiles contain settings that can be applied to a user, group, or computer and can be set up so that users can make changes and save them or so those users cannot save any changes made.

User profiles were designed in part to answer the need for more control over the ever-growing complexity of the desktop and network systems. Administrators can now deliver and manage from a central point the look and feel required by the enterprise workforce. All users don’t have to have the same desktop look. In addition, the profile can travel with the user (roaming profile) so that the same look and feel can be provided in different locations with a minimum of administrative overhead.

From the point of view of the IT security professional, the user profile adds an invaluable tool that can be used to clamp down on unnecessary system access and possible security breaches. User profiles can be used to control access to sensitive system tools such as the registry editor and the .

Types of User Profiles

Three types of user profiles are available on Windows NT machines.

Local profiles. These profiles are local to a given machine and are only available to users when they log on to that one machine.

Roaming profiles. Roaming profiles, as the name suggests, are available from a central source to users within the domain. They are used by the particular user or groups of users whenever they log on to a machine within the domain. If the roaming profile is not available, users can be logged on with a copy of the profile saved the last time they accessed the machine or with a default profile available to them. When users make changes to the desktop appearance or other objects stored in the profile, the changes are saved to the central copy of the profile at logoff time and are then provided the next time the user logs on. Roaming profiles give users a uniform base look on their desktop and then allow them to make changes as necessary.

Mandatory profiles. Mandatory profiles are similar to roaming profiles except that the user must use the profile to log on to the network. The two main differences between roaming and mandatory profiles are that if the mandatory profile is not available, the user is refused permission to log on, and that the user cannot make changes to the mandatory profile. Mandatory profiles offer the greatest security and if implemented correctly can reduce the TCO by reducing the number of support incidents caused by inadvertent system changes. These profiles are restrictive and could impact business (by not letting users log on when the profiles are unavailable), so you should consider both business and security needs when looking at this option.

User Profile Location

Parts of the user profile are stored in two separate places. Some of the settings are stored in a set of directories on either the local machine (local profile) or the validating server (roaming and mandatory profiles). The remainder of the settings are stored in system registry format in a file called ntuser.xxx (.dat or .man) in the profile directory structure.

The profile settings are split along two distinct lines. The profiles directory holds settings such as desktop icons, icons representing shortcuts to applications, user links (generally as icons), and any other settings represented by visual objects such as folders, icons, files. The registry hive that stores user profile settings is HKEY_USERS (ntuser.xxx file), and it holds less tangible environmental preferences such as wallpaper and background settings, international settings, and keyboard/mouse settings. Security-related settings such as the ability to run applications and access to system tools are also stored here. Tables 4.1 and 4.2 list the settings available in the two locations and briefly describe their use.

TABLE 4.1 %SystemRoot%\Profiles\%Username% directory contents

Directory Name    Description
Application Data  Content defined by application programmers.
Desktop           Any items to be displayed on the desktop such as shortcuts.
Favorites         Shortcuts to the user’s favorite locations. Used with .
NetHood           Shortcuts to Network Neighborhood objects. A hidden directory by default.
Personal          Default storage location for files created by the user. Applications are specifically designed to save files here by default.
PrintHood         Shortcuts to printer objects. A hidden directory by default.
Recent            Shortcuts to the most recently used files and objects.
SendTo            Shortcuts to locations required for placing files into. Referenced by the Explorer context menu for files.
                  Shortcuts to applications. Newly installed applications should place shortcuts here.
Templates         Shortcuts to template objects. A hidden directory by default.


TABLE 4.2 ntuser.xxx registry hive contents

Item            Description
NT Explorer     Persistent network connections and user-defined explorer settings.
                Taskbar settings and personal program groups and properties.
Printers        Networked printer connections.
                User-defined settings made in Control Panel.
Accessories     User-defined settings for all applications within the Accessories group.
Help Bookmarks  All bookmarks placed in Windows NT help.

User accounts are mapped to profiles by means of a registry entry in the local registry for every user who has logged on locally. Entries do not exist for users who only log on remotely. The registry entry is held in the HKEY_LOCAL_MACHINE registry hive under the key \SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Listed under this key are the system identifiers of all users who have logged on interactively to this machine. One of the values stored under each SID key is the ProfileImagePath, which holds the location of the profile used by that user. This value can be edited to point the user account to a profile in another location.

The profile directory can sometimes have a three-digit suffix appended to it. This usually means that more than one user with the same user name has logged into this machine (perhaps from two different domains). The second user profile is created in the Username.000 directory, and subsequent users with the same account name use directories .001, .002, etc. Figure 4.1 shows the registry entries for users on an NT workstation. The three users who have logged on interactively each have an entry listed here under their System Identifier key.
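Because ProfileImagePath can be edited to point an account at a profile elsewhere, the mapping is worth reviewing on each workstation. The following Python sketch is an added example, not code from the book: it assumes a REGEDIT4 text export of the ProfileList key (for instance from regedit /e), and the SIDs, the host name OTHERHOST and the function names are constructed for illustration.

```python
import re

# Key named in the chapter (the registry spells it "Windows NT", with a space).
PROFILE_LIST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
EXPECTED_ROOT = "%systemroot%\\profiles\\"  # default local profile root, lower-cased


def encode_expand_sz(text):
    """Encode text as a REGEDIT4 export writes REG_EXPAND_SZ: ANSI bytes plus NUL."""
    data = text.encode("cp1252") + b"\x00"
    return "hex(2):" + ",".join(f"{b:02x}" for b in data)


def build_sample_export():
    """Constructed sample export; the SIDs and paths are made up for this example."""
    rows = [
        ("S-1-5-21-1111-2222-3333-500", r"%SystemRoot%\Profiles\Administrator"),
        ("S-1-5-21-1111-2222-3333-1001", r"%SystemRoot%\Profiles\Tempusr1.000"),
        ("S-1-5-21-1111-2222-3333-1002", r"\\OTHERHOST\share\SmythJ"),
    ]
    lines = ["REGEDIT4", ""]
    for sid, path in rows:
        lines += [f"[{PROFILE_LIST}\\{sid}]",
                  f'"ProfileImagePath"={encode_expand_sz(path)}', ""]
    return "\n".join(lines)


def parse_profile_list(export_text):
    """Return {sid: ProfileImagePath} from a REGEDIT4 export of the ProfileList key."""
    # Long hex values wrap with a trailing backslash; join them before parsing.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    prefix = PROFILE_LIST.lower() + "\\"
    profiles, sid = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # Only subkeys of ProfileList (one per SID) are of interest.
            sid = key[len(prefix):] if key.lower().startswith(prefix) else None
        elif sid and line.lower().startswith('"profileimagepath"='):
            value = line.split("=", 1)[1]
            if value.startswith("hex(2):"):
                raw = bytes(int(b, 16) for b in value[7:].split(",") if b)
                profiles[sid] = raw.decode("cp1252").rstrip("\x00")
            else:  # value exported as a plain quoted string
                profiles[sid] = value.strip('"').replace("\\\\", "\\")
    return profiles


def review_profiles(profiles):
    """Flag profile paths an administrator should look at, sorted by SID string."""
    findings = []
    for sid, path in sorted(profiles.items()):
        if not path.lower().startswith(EXPECTED_ROOT):
            # The value was pointed somewhere other than the local Profiles directory.
            findings.append((sid, path, "outside %SystemRoot%\\Profiles"))
        elif re.search(r"\.\d{3}$", path):
            # Username.000, .001 ...: a second account with the same user name.
            findings.append((sid, path, "duplicate user name suffix"))
    return findings


if __name__ == "__main__":
    for sid, path, reason in review_profiles(parse_profile_list(build_sample_export())):
        print(f"{sid}  {path}  ({reason})")
```

A path outside the local Profiles directory is not wrong in itself; the point of the review is that every such entry should match a change the administrator made deliberately.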

Creating a Roaming User Profile for NT 4.0

This next section takes you through all of the steps necessary to create a roaming user profile for users within your enterprise. The process consists of the following steps.

Define the location.
Create the network share.
Create a template user.
Use the template user to create a base profile.
Distribute the base profile.
Set up users to access the copies of the base profile.
Amend the copies of the base profile as necessary.

FIGURE 4.1 Registry entry that maps user accounts to profile directories

Define the Location

The user profile should be stored on a network share accessible to the user. Consider two main factors when deciding where to locate the user profiles for your organization:

Storage space. User profiles can range in size from hundreds of kilobytes to many megabytes. If a user copies a file to the desktop and then saves the roaming profile when logging off, the file is then transferred with the rest of the profile information up to the network share and back down when the user logs on again. The location needs to have enough free disk space to be able to store all of the profiles used in your organization.

Link speed. The link speed between the network share location and the workstation affects user perception of system performance. A profile can be quite large, and it needs to be downloaded at logon time and uploaded at logoff time. This can cause severe delays for the user at these times if the link speed is slow. Slow link speeds can be accommodated in system policy settings as described in Chapter Five, System Policies.

Create the Network Share

When you have chosen the location for the centrally stored profile, you must prepare the network share. For this example and in the remainder of this chapter, we will place the profiles on a network share called NetProfs on the domain controller. Profiles must reside on an NTFS partition so that correct permissions for them can be applied. We use the following information for the examples in this chapter.

The profiles directory resides on a domain controller named IBSNT03.
The network share used to house the profiles is called NetProfs.
A user account named Tempusr1 is created to use the profile.

You can substitute more relevant information from your own organization for any of the information listed above.

1. Use Microsoft Explorer to create a folder called NetProfs on the domain controller.
2. Right-click the new directory to bring up the context menu.
3. Select Sharing.
4. In the sharing dialog box select the Shared As radio button. Figure 4.2 shows the Network Share dialog box.

FIGURE 4.2 Sharing a directory on the network

5. Accept the default share name of NetProfs.
6. Select OK.

The directory is now shared on the network with the default share permissions of Everyone—Full Control. Ensure that the NTFS permissions on the directory are set to Everyone—Full Control as well. You can adjust these permissions to fit your own situation if you want to limit access to profile directories.

Create a Template User Account

This step-through example takes you through the processes involved in creating a new user account to be used to set up the look and feel for the new profile.

1. Start up User Manager on a workstation that can be used to build the profile.
2. Select New User from the User menu.
3. Enter the username Tempusr1 and password details for the new user.
4. Select the Profiles button.
5. Ensure that the Profiles remains empty. When the user logs on for the first time, a directory will be created in the local \%SystemRoot%\Profiles\ directory named after the new user.
6. Select Add to add the user.
7. Select Close. The user Tempusr1 is added to the SAM of the local workstation.

Create a Base Profile

It is often useful to create a base profile that is common to all users. IT policies within large organizations often dictate requirements for everybody to use the same basic application. E-, word processing and spreadsheet applications are often licensed per enterprise and all staff have access automatically. A base profile supports a common desktop look that could include shortcuts to all of these applications. Other applications such as graphics applications for the Marketing department and number-crunching applications for the Accounts department are less widely used and would not necessarily appear on the base profile. Now that the template user is set up, it can be used to create a base user profile.

1. Log on locally as Tempusr1 to the workstation used in the previous step. Allow the default user profile on the machine to populate the desktop at this time.
2. Make any changes to the desktop look and feel that you find necessary. This should include shortcuts to all applications that are common to everyone, as well as any other desktop settings common to all.
3. Log off. The new profile is saved to the %SystemRoot%\Profiles\Tempusr1 directory when you log off.

The base profile is now created and is ready to be copied to the NetProfs share for use by different users. At this point, make a copy of the base profile (Tempusr1 directory) to keep it safe. To do this, you must be logged on as a different user with sufficient permissions to the source and destination directory. If you attempt to copy the profile while you are logged on and using it, you will get a sharing violation error.

Distribute the Base Profile

You should be able to use the base profile in its present state as the starting point for all user logons within the enterprise. By making copies of the profiles for the different users or groups, you can have this profile loaded as a starting point and then amended to fit the more specific requirements of individual users or groups. Remember that although you have created shortcuts to all of your base applications, they still need to be installed and available to all of the required machines in the same directory and drive structure that is used in the shortcuts.

There are two main methods used for distributing a base profile: manual distribution and Default User distribution.

MANUAL DISTRIBUTION

To manually distribute the base profile to one or more users, follow these instructions.

1. Log on locally as Administrator on the machine that stores the base profile.
2. Select Settings from the Start menu and choose Control Panel.
3. Double-click on the System application.
4. Select the User Profiles tab.
5. Select the Tempusr1 profile and choose Copy To.
6. Enter the path to the NetProfs share created earlier and append the individual directory information for this copy of the template. This information can be in UNC form or can be a previously hard-coded drive letter. For this example, we use \\IBSNT03\NetProfs\Accounts. This procedure will copy the profile to an accounts destination directory.
7. Select the Change button in the Permitted to use box.
8. Select the user or group permitted to use this profile in the final location. These permissions are difficult to change and so unless you have a good reason for protecting the profiles at this point, choose Everyone.
9. Select Add > OK.
10. Select OK to begin copying the profile.

You can repeat this method to make multiple copies of the base profile that can then be amended to cater to individual or group preferences. However, the easiest way to make multiple copies of this profile is to simply copy the whole Accounts profile directory created above, using Windows Explorer. As security is already set to allow the Everyone group to use the profile, this is all you have to do to make multiple separate copies of the base profile.

DEFAULT USER DISTRIBUTION

You can use the default user distribution method to supply the base profile as the first profile downloaded by new users logging on to the system. The users can then make changes as permitted and save the profile when they log off. Follow these instructions to set up the base profile as the default user profile.

1. Log on locally as Administrator on the machine that stores the base profile.
2. Select Settings from the Start menu and choose Control Panel.
3. Double-click on the System application.
4. Select the User Profiles tab.
5. Select the Tempusr1 profile and choose Copy To.
6. Enter the path to the NETLOGON share on the domain controller and append the directory name Default User. This can be in UNC form or can be a previously hard-coded drive letter, for example, \\IBSNT03\NETLOGON\Default User.
7. Select the Change button in the Permitted to use box.
8. Select the user or group permitted to use this profile in the final location. These permissions are difficult to change and so unless you have a good reason for protecting the profiles at this point, choose the Everyone group.
9. Select Add > OK.
10. Select OK to begin copying the profile.
11. Repeat steps 5 through 10 for each validating server (backup domain controllers) or use the Replication service to replicate the profile to the BDCs.

User Setup

Users need to be assigned a profile before they can load it. Profiles are assigned to users only. They are not assigned to groups. Follow these steps to assign the Accounts copy of the base profile to an already existing user named SmythJ. This procedure can be performed for any user.

1. Start up User Manager for Domains.
2. Double-click the user SmythJ.
3. Select the Profiles button.
4. In the Profile Path box, enter \\IBSNT03\NetProfs\Accounts. Figure 4.3 shows the Profiles dialog box.

FIGURE 4.3 User profiles dialog box

5. Enter login script and home directory information if you wish, and select OK.
6. Select OK to confirm the changes.

The next time James Smyth logs on, he will receive the new roaming profile. The profile can be used by many ; set up all users of the profile in the same manner.

Amend the Roaming Profile

The new roaming profile called Accounts can now be amended to reflect any required differences between the base profile and a profile for the Accounts department. If there is an application for sole use by the Accounts department then a can be created on this desktop for user SmythJ; it will be uploaded at log off to be included in the profile. In this way, the profiles can be amended to more closely suit the needs of the user community.

The basic way to amend a roaming profile is simply to log on as the user who is using the profile and make any changes at the desktop that are required. For example, you may wish to add a program to the Start menu by using the Taskbar editor, or you may wish to create a shortcut on the desktop pointing to a particular application. When you have amended the desktop you simply log off the machine. At logoff time, the roaming user profile is copied to the central location where you store user profiles and overwrites the stored copy. The locally stored copy is also updated at this point. When the user next logs on (or when any user authorized to use this profile logs on), the saved changes are downloaded to the desktop and used.

This ability to change the roaming profile as easily as changing the desktop look can cause problems with desktop management. Imagine the scenario where you set the whole of the Accounts department to use a single roaming profile. The positive aspect of this would be that any of the Accounts users could log on at any machine and get the same desktop look. Everything goes well for a while and then one user, when he is working late, decides that he doesn’t require a shortcut to one of the accounts packages on his desktop because his job responsibility doesn’t require him to use it. He deletes the icon. He is the last person in the department that night, and when he logs off, the changes he has made (deleting the icon) are copied to the roaming profile used by everybody in Accounts. When the users arrive the next day, they all download the profile, which is missing the icon, and nobody knows how to access the package anymore.

This can be a common problem when a roaming profile is shared among multiple users. All users have the same rights to the profile folder, and any changes made to the local desktop are replicated to the centrally stored (single) copy. Even when you intend to make a change, you could make the change locally and log off to replicate the change to the central copy. However, if another user is logged on using that profile when you do this, the change you made will be overwritten when that user logs off and automatically copies the profile to the server.

This problem has two resolutions. You can create a profile for every user, based on a profile template. This template is simply a saved copy of a basic template, which everyone can use and to which you add extra facilities, depending on the user’s needs. The overhead in managing this type of installation is quite large and it is not recommended for anything except the smallest of installations. The second way of tackling the problem is to use mandatory profiles. These are profiles that can be shared among many users and are basically read-only for these users. These profiles are discussed in the next section.

Making a Profile Mandatory

The new roaming profile called Accounts, which is being used by SmythJ, can be shared among many users. The whole of the Accounts department could use the same roaming profile. As described above, the one real drawback of this approach is that if one person makes a change to the desktop and logs off, then the profile is overwritten at the central storage point and the new settings are downloaded when the next person logs on. This can quickly negate all of the benefits of a common desktop. This is where the mandatory profile comes in.

A mandatory profile is simply a roaming profile that is set so that the user cannot save any changes to the settings contained in the profile and must use the profile to log on. These two restrictions are placed on a roaming profile in two separate stages. To change a roaming profile to a mandatory profile so that the user cannot save changes to the profile, follow these instructions.

1. Using Windows Explorer navigate to the folder represented by the \\IBSNT03\NetProfs\profilename.
2. Double-click the Accounts directory.
3. Select Folder Options from the View menu.
4. Select the View tab.
5. Make sure that the Hide file extensions for known file types button is not selected. This will ensure that all file extensions are shown in Explorer.
6. Select OK.
7. Right-click the file ntuser.dat and select Rename.
8. Change the file extension from .dat to .man. The profile is now a mandatory profile.

Follow the instructions below to change a roaming profile into a mandatory profile so that the user must load this profile in order to log on (i.e., if the server holding the mandatory profile is unavailable, the user cannot log on). This is a separate stage from the one above, which makes the profile read-only and does not have to be set if not required.

1. Using Windows Explorer, navigate to the folder \\IBSNT03\NetProfs\profilename.
2. Right-click the directory Accounts and select Rename.
3. Add the file extension .man to the directory name. The resulting directory name is \\IBSNT03\NetProfs\Accounts.man.
4. Start User Manager for Domains.
5. Double-click user SmythJ. This could be any user that you wish to apply this profile and restriction to.
6. Select the Profiles button.
7. In the Profile Path enter \\IBSNT03\NetProfs\Accounts.man.
8. Select OK and then OK again to confirm.

A cautionary note. Mandatory profiles can be useful if you need to use a common desktop for many users and the users do not need to make changes of their own. However, some application programmers write their applications to hold user-dependent information in the registry. An example of this could be a word processing application that stores the user’s preferred settings (file locations, etc.) in the registry. Because the user cannot save any of the settings stored in a mandatory profile, an error occurs when you try to save these settings (usually at program exit). This error can lead to loss of functionality, so you must be careful to fully test all applications to be included in a mandatory profile before a widespread rollout.
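The shared-profile overwrite problem and the two mandatory stages described above can both be checked from the profile share itself. The following Python sketch is an added example, not code from the book: it walks a share such as NetProfs, reads the ntuser.dat/ntuser.man and .man directory markers, and reports writable profiles assigned to more than one user and users whose Profile Path was not updated after a directory rename. The function names, the sample tree and every user name other than SmythJ and Tempusr1 are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict


def classify_profile(profile_dir):
    """Report the two mandatory-profile markers the chapter describes."""
    files = {name.lower() for name in os.listdir(profile_dir)}
    has_dat, has_man = "ntuser.dat" in files, "ntuser.man" in files
    return {
        # Stage 1: ntuser.dat renamed to ntuser.man, so users cannot save changes.
        "settings_locked": has_man and not has_dat,
        # Stage 2: directory renamed with a .man suffix, so the profile must load.
        "required_for_logon": profile_dir.rstrip("\\/").lower().endswith(".man"),
        # Neither or both hive files present: needs a manual look.
        "hive_unclear": has_dat == has_man,
    }


def audit_share(share_root, assignments):
    """Return (profile, finding) tuples for a profile share.

    assignments maps user name -> profile directory name, i.e. the last
    component of the Profile Path entered in User Manager for Domains.
    """
    dirs = {d.lower(): d for d in os.listdir(share_root)
            if os.path.isdir(os.path.join(share_root, d))}
    users_of, wanted = defaultdict(list), {}
    for user, profile in assignments.items():
        users_of[profile.lower()].append(user)
        wanted[profile.lower()] = profile

    findings = []
    for key in sorted(dirs):
        info = classify_profile(os.path.join(share_root, dirs[key]))
        users = sorted(users_of.get(key, []))
        if info["hive_unclear"]:
            findings.append((dirs[key], "expected exactly one of ntuser.dat / ntuser.man"))
        elif len(users) > 1 and not info["settings_locked"]:
            # Last user to log off overwrites the central copy for everyone.
            findings.append((dirs[key], "writable profile shared by " + ", ".join(users)))
    for key in sorted(users_of):
        # Directory was renamed to <name>.man but the account still points at <name>.
        if key not in dirs and key + ".man" in dirs:
            findings.append((wanted[key], "Profile Path not updated to "
                             + dirs[key + ".man"] + " for "
                             + ", ".join(sorted(users_of[key]))))
    return findings


def build_sample_share(root):
    """Constructed sample tree and assignments (hypothetical apart from the
    Accounts, Tempusr1 and SmythJ names used in the chapter)."""
    layout = {
        "Accounts.man": ["ntuser.man"],  # both stages applied
        "Marketing": ["ntuser.dat"],     # ordinary roaming profile
        "Sales.man": ["ntuser.man"],     # renamed, but one user still points at "Sales"
        "Tempusr1": ["ntuser.dat"],
    }
    for directory, files in layout.items():
        os.makedirs(os.path.join(root, directory, "Desktop"))
        for name in files:
            open(os.path.join(root, directory, name), "wb").close()
    return {
        "SmythJ": "Accounts.man", "JonesA": "Accounts.man",
        "BrownK": "Marketing", "LeeM": "Marketing",
        "PatelR": "Sales",
        "Tempusr1": "Tempusr1",
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for profile, finding in audit_share(root, build_sample_share(root)):
            print(f"{profile}: {finding}")
```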

Profile Permissions

User profiles are protected by up to three sets of permissions.

Network share permissions. Although network share permissions can protect user profiles, they can add difficulty to troubleshooting if you need to find out where permissions are being derived. If at all possible, you should avoid using share permissions in favor of NTFS file and folder permissions.

NTFS file and folder permissions. When you copy a user profile and set the Permitted to Use flag, you are actually setting NTFS permissions on the destination directory structure. NTFS permissions can be changed easily to further restrict access to a profile if necessary. We discussed NTFS permissions in Chapter Three, File and Directory Security.

Encoded permissions contained in the ntuser.xxx file. The permissions set with the Permitted to Use flag when a user profile is copied are also set in the ntuser.xxx file, which is a binary representation of a registry hive. These permissions can only be changed with the registry editor, so if permissions need to be made more restrictive, it is easier to use just NTFS permissions. If permissions need to be made less restrictive or need to be set for extra users, then they must be set in the ntuser.xxx file as well as at the NTFS level. The steps required to change permissions for the registry portion of the profile are described below.

Amending the Profile with Regedt32

You can easily adjust the portion of the profile stored in the directory structure by simply adding shortcuts to the folder representing the functionality you wish to achieve. To place an application icon on the desktop, you simply add the icon to the Desktop folder within the profile structure. The next time the profile is loaded, the new icon will appear.

The profile attributes held in the binary ntuser.xxx file are a little more difficult to get to. To make changes to these settings, you must use the registry editing tool REGEDT32.EXE for Windows NT 4.0 profiles. Remember that you should not make profile changes while the user is logged on unless the profile is mandatory. Roaming profile changes will be overwritten when the user logs off if the profile is already in use when the changes are made. The example below takes you through some sample changes to the Accounts user profile created previously.

1. Log on to a machine with Administrative rights and Full Control permission to the Accounts profile directory on the NetProfs share.
2. Select Run from the Start menu.
3. Enter Regedt32 and select OK.
4. Select the HKEY_USERS hive.
5. Select Load Hive from the Registry menu.
6. Navigate to the \\IBSNT03\NetProfs\Accounts directory (or the directory holding the profile that you wish to amend).
7. Choose the ntuser.xxx (.dat or .man) file and select Open to display the Load Hive dialog box. The Key Name being asked for is a unique name that you can use to identify the loaded hive. This is important because the hive needs to be unloaded after the changes are made.
8. Enter a unique key name. For this example, enter Accounts.
9. Select Open. The Accounts hive is added to the HKEY_USERS hive. Figure 4.4 shows the Accounts registry hive.

Now you can make any changes that you wish to make. Take care whenever you use the registry editing tool not to make any changes in any registry hive unless you are certain of the outcome. When you have finished making the changes, unload the profile hive.

10. Select the root of the Accounts hive.
11. Select Unload Hive from the Registry menu to unload the hive and to save the settings to the original ntuser.xxx file.

FIGURE 4.4 The ntuser.xxx registry file opened as a hive in Regedt32.exe

Ntuser.xxx Registry Permission Changes

Permissions are set in the registry portion of the user profile in two ways. First, NTFS file and directory permissions need to be set so that the required users can gain the correct access. Second, there are permissions set by the registry editor in the same way as for any other registry hive. To view or change the permissions set in the registry file, follow these instructions.

1. Load the required registry hive following the instructions in steps 1 through 9 above.
2. Select the root of the Accounts registry hive or the hive that you have loaded.
3. Select Permissions from the Security menu.
4. Change the permissions to match your requirements.
5. Select OK to confirm the changes.
6. Unload the registry hive following steps 10 and 11 above.

When the registry hive is unloaded, it is written back to the ntuser.xxx file that was opened during the Load Hive process. Further details on registry permissions can be found in Chapter Eight, Registry.
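The Load Hive, Permissions and Unload Hive steps above, as a scripted read-only check of both permission layers. This is an added example, not from the book: it assumes a current Windows host with PowerShell and reg.exe (neither is part of the NT 4.0 procedure described here), an elevated session, and the chapter's \\IBSNT03\NetProfs\Accounts path as the default.

```powershell
# Added example: scripted equivalent of the Regedt32 Load Hive / Permissions /
# Unload Hive steps. Run elevated, and only while the profile's user is logged off.
param(
    # Profile directory from the chapter's example; change to suit.
    [string]$ProfileDir = '\\IBSNT03\NetProfs\Accounts',
    # Unique key name under HKEY_USERS, as in step 8.
    [string]$KeyName    = 'Accounts'
)
$ErrorActionPreference = 'Stop'

# A profile holds either ntuser.dat (roaming) or ntuser.man (mandatory).
$hiveFile = Get-ChildItem -LiteralPath $ProfileDir -Force -File |
    Where-Object { $_.Name -in 'ntuser.dat', 'ntuser.man' } |
    Select-Object -First 1
if (-not $hiveFile) { throw "No ntuser.dat or ntuser.man in $ProfileDir" }

# The key name must not collide with a hive that is already loaded.
if (Test-Path -LiteralPath "Registry::HKEY_USERS\$KeyName") {
    throw "HKEY_USERS\$KeyName already exists; pick another key name"
}

& reg.exe load "HKU\$KeyName" $hiveFile.FullName | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (file in use or access denied?)" }

try {
    # Registry ACL on the hive root (Security > Permissions in Regedt32).
    $acl = Get-Acl -LiteralPath "Registry::HKEY_USERS\$KeyName"
    $acl.Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize

    # NTFS ACL on the hive file itself, the other half of the permission set.
    (Get-Acl -LiteralPath $hiveFile.FullName).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
finally {
    # Release PowerShell's registry handles, otherwise the unload is refused.
    $acl = $null
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$KeyName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Unload failed; HKU\$KeyName is still loaded" }
}
```

The finally block always attempts the unload, so a failed permission query does not leave the hive mounted under HKEY_USERS.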


Default User Profile

During Windows NT installation, a generic user profile called the Default User profile is created. This profile exists in the local %SystemRoot%\Profiles directory as the subdirectory Default User. Users who log on locally and who are not set up to receive any other profile will store a copy of the Default User directory under their own user name as their locally cached profile.

Windows NT 3.5x Profile Upgrades

When a user who is set up to use a Windows 3.5x profile (a \\server\share\profilefolder.usr directory) logs on to an NT 4.0 workstation, the NT 4.0 machine recognizes an earlier profile version and creates an NT 4.0 profile in the same share directory and with the same directory name except for a .pds suffix. This profile contains the same settings that the earlier version contains. The format of the Windows NT 3.5x and 4.0 profile interaction is such that users on a mixed network can log on from either version of workstation and receive a profile. The older Windows 3.5x profile is not overwritten; it is copied to a new directory and updated to NT 4.0 format. Once the NT 4.0 version of the profile is created, it is used as a separate profile and changes made in one of the profiles are not reflected in the other. If the Windows NT 3.5x profile is mandatory, then the automatic copy and conversion process will not work. To make the copy and conversion work, you must remove the mandatory file extension from the NT 3.5x profile directory and then log on from an NT 4.0 workstation. This procedure starts the copy and conversion process for the now nonmandatory profile. After the conversion process has completed, you can then make both the NT 3.5x and NT 4.0 profiles mandatory again.

Creating a Roaming Profile for Windows 95

Windows 95 users can use roaming profiles similar to those in use on Windows NT machines. Follow the instructions below to set up a Windows 95 roaming profile held on a central server.

Client Workstation Setup

There are two stages in the client workstation setup. First, enable profiles for the workstation and then set the default Primary logon to Client for Microsoft Networks. The following steps are carried out on the Windows 95 client workstation.


TO ENABLE PROFILES:

1. Select Settings from the Start menu.
2. Select Control Panel.
3. Run the Passwords applet.
4. Select the User Profiles tab. By default, profiles are turned off.
5. Select the radio button beginning Users can customize their preferences to switch on profiles. Figure 4.5 shows the profiles dialog box with profiles enabled.

FIGURE 4.5 Windows 95 Passwords applet

6. In the User Profiles Settings box, choose the options that you wish to enable.
7. Select OK to confirm the settings. You must reboot the system before profiles are enabled.

TO SET THE PRIMARY LOGON:

1. Select Settings from the Start menu.
2. Select Control Panel.
3. Run the Networks applet.
4. Ensure that the Primary Network Logon is set to Client for Microsoft Networks, as in Figure 4.6.


5. Double-click the Client for Microsoft Networks service and ensure that the radio button Log onto a Windows NT Domain is checked and the correct domain name is entered.
6. Make any necessary changes and choose OK to confirm. If changes were made, you must reboot to enable them.

FIGURE 4.6 Windows 95 Networks applet

Domain User Setup

The next step in enabling a roaming profile for Windows 95 users is to create the user account in the domain and set it up with a home directory. The example below uses the account name BrownJ and a home directory under the previously created NetProfs share.

1. Log on to the domain as an administrator and start up User Manager for Domains.
2. Select New User from the User menu.
3. Enter the username BrownJ and password details for the new user.
4. Select the Profiles button.
5. Ensure the Profiles Path remains empty. Windows 95 users store their profiles in their home directory.
6. In the Home Directory section, select a drive letter for a home directory and enter the path to the network share. Append the user name to the end of the path. Figure 4.7 shows the completed profiles page for this user.


FIGURE 4.7 Windows 95 user profile destination folder setup

7. Select OK.
8. Select Add to add the user. The home directory should be created automatically. Under certain circumstances, this will not happen and a message will ask you to create it manually. Remember to give the correct permissions if you create the directory manually.
9. Select Close.

Create the Profile

The next stage in the process is to create the profile for the Windows 95 user. This stage is accomplished on the Windows 95 workstation.

1. Log on to the Windows 95 workstation as the user concerned (BrownJ). A message stating “You have not logged on here before [since the profile settings were enabled], would you like to retain individual settings for use later” is displayed.
2. Answer Yes. A yes answer creates a directory called Profiles as a subdirectory to the %Windir% directory if it is the first profile on the machine and also creates a subdirectory below Profiles named after the user. In this case, it creates C:\Windows\Profiles\BrownJ and populates it with the default profile information.
3. Enter the password confirmation if this is the first time this user has logged on to this machine.
4. Make any required changes to the profile.
5. Log off. The changes will be saved to the local profiles directory.


The profile will be copied to the network share when the user next logs on and is then used as a roaming profile. The profile in its entirety exists as the directory structure and files within %Windir%\Profiles\%username%. This directory structure is copied to the network share that was entered as the user’s home directory in User Manager for Domains. When the user next logs on, he will receive the copy of the profile stored on the network share; any changes made to the profile will be saved back to the network share.

Making the Windows 95 Profile Mandatory

The Windows 95 roaming profile that has just been created can be made into a mandatory profile in a manner similar to that for the Windows NT profiles. A file called User.dat exists in the user’s profile directory, and you simply change the extension of this file from .dat to .man to change to a mandatory profile.

When changing file extensions, always make sure that the Hide file extensions of known file types option is turned off, so that you can see the file extension and replace it properly without placing a double extension on the file.
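An added check (not from the book) for the rename slip described above: it classifies each profile directory by its registry file name and flags double extensions. It generalizes to both the Windows NT ntuser.* and Windows 95 user.* files; the function name Get-ProfileKind, the sample tree and the user SmithA are constructed for illustration.

```powershell
# Added example: classify profile directories by their registry file name.
function Get-ProfileKind {
    param([Parameter(Mandatory)][string]$ProfileDir)

    # NT 4.0 profiles use ntuser.*, Windows 95 profiles use user.*
    $files = @(Get-ChildItem -LiteralPath $ProfileDir -Force -File |
        Where-Object { $_.Name -match '^(nt)?user\.' })
    $names = $files | ForEach-Object { $_.Name.ToLowerInvariant() }

    # A double extension (user.man.dat, ntuser.dat.man) is the rename slip
    # that hidden file extensions make easy to miss.
    $double = @($names | Where-Object { $_ -match '^(nt)?user\.(dat|man)\.(dat|man)$' })
    $man    = @($names | Where-Object { $_ -match '^(nt)?user\.man$' })
    $dat    = @($names | Where-Object { $_ -match '^(nt)?user\.dat$' })

    # Both .dat and .man present is reported for review, not interpreted.
    $kind = if     ($double.Count)              { 'DoubleExtension' }
            elseif ($man.Count -and $dat.Count) { 'Conflict' }
            elseif ($man.Count)                 { 'Mandatory' }
            elseif ($dat.Count)                 { 'Roaming' }
            else                                { 'NoRegistryFile' }

    [pscustomobject]@{
        Profile = Split-Path $ProfileDir -Leaf
        Kind    = $kind
        Files   = $names -join ', '
    }
}

# Constructed sample tree standing in for the NetProfs share.
$root   = Join-Path ([IO.Path]::GetTempPath()) ("NetProfs-" + [guid]::NewGuid())
$sample = @{
    Accounts = 'ntuser.man'     # NT mandatory profile
    BrownJ   = 'user.dat'       # Windows 95 roaming profile
    SmithA   = 'user.man.dat'   # constructed: rename done with extensions hidden
}
foreach ($name in $sample.Keys) {
    $dir = New-Item -ItemType Directory -Path (Join-Path $root $name) -Force
    New-Item -ItemType File -Path (Join-Path $dir.FullName $sample[$name]) | Out-Null
}

Get-ChildItem -LiteralPath $root -Directory |
    ForEach-Object { Get-ProfileKind $_.FullName } |
    Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```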