04McInerney.2 8/1/99 4:36 PM Page 61 FOUR User Profiles In This Chapter Introduction M This chapter introduces the concept of user profiles and User Profile Overview includes step-through examples on how to implement them M in a Windows NT environment. Creating a Roaming M User profiles are used in an NT environment to control User Profile for NT 4.0 the look and feel of the user desktop and available options at Profile Permissions the workstation. M This chapter focuses on user profiles defined within the NT Amending the Profile M workstation and server environment but also includes some with Regedt32 information on user profiles applied to Windows 95 clients. Default User Profile M Windows NT 3.5x M Profile Upgrades Introduction Creating a Roaming M Client/server technology has long been heralded as the way Profile for Windows 95 forward for large IT infrastructures. The days of the central- ized mainframe supplying the computer power for an enter- prise have passed! Now, anybody who has worked in the IT business for any number of years knows that this is not strictly true. The promised yield of the client/server environment has never quite come to fruition. The lower costs, ease of maintenance, less costly hardware, and lower administrative overheads have been very difficult to spot. 04McInerney.2 8/1/99 4:36 PM Page 62 62 Chapter Four • User Profiles Total cost of ownership (TCO) is a phrase that has been used more and more over the last few years. One of the main claims made all those years ago when the salesmen were trying to convince us to move away from the centralized mainframe systems was that client/server would lower the cost of owning and running an IT infrastructure. Client/server technology certainly had a large impact and brought with it some major benefits, including distributed systems, distributed manage- ment, well-known GUI interfaces, and applications that were much more user friendly. It also brought with it the unforeseen costs. The difference in costs between distributed and centralized hardware has been reduced dra- matically. Where once users had a terminal and were able to run one pro- gram interactively at a time, they are now faced with a desktop and many available applications. Training is not only needed now to run the applica- tions but also to run the operating system that used to be hidden from users. IT infrastructures are growing to huge proportions, and administrative costs escalate in proportion. In all, the cost of distributed systems is not quite as small as it may have been portrayed to be some years ago. Recent studies show that a large amount of the TCO goes to providing user support. This is hardly surprising considering the technology available to the average user at the moment. Of these costs, a high proportion is used fixing problems caused by user interference with the computer services due to lack of understanding or to the complex nature of the systems today. After all, users may be faced with a desktop with ten or more applications. Those users may only need to run two applications for their particular job but policy may dictate that a uniform desktop is required to make adminis- trative duties that bit “easier.” Some sort of control is needed to reduce the apparent complexity of the computer systems. Average users performing an accountancy role don’t need to know how or why a system works. They need to know where their appli- cations and resources are and how to use them. An investment in training so that everybody understands something about the computing environment is rarely wasted, but controls are needed to make sure that a little knowledge doesn’t cause a lot of damage. User Profile Overview One of the two main controls in a Microsoft Window NT network environment that helps lower the cost of administration and management is user profiles. The second control is system policies. System policies control availability and access to resources for a user or group and can be set either for users/groups or for the computer. System policies are discussed in Chapter Five. 04McInerney.2 8/1/99 4:36 PM Page 63 User Profile Overview 63 What Is a User Profile? A user profile is a group of settings that describe the look and feel of a user’s environment on a Windows NT or Windows 95 computer. It controls what appears on a desktop or what applications are accessible. User profiles contain settings that can be applied to a user, group, or computer and can be set up so that users can make changes and save them or so those users cannot save any changes made. User profiles were designed in part to answer the need for more con- trol over the ever-growing complexity of the desktop and network systems. Administrators can now deliver and manage from a central point the look and feel required by the enterprise workforce. All users don’t have to have the same desktop look. In addition, the profile can travel with the user (roaming profile) so that the same look and feel can be provided in different locations with a minimum of administrative overhead. From the point of view of the IT security professional, the user profile adds an invaluable tool that can be used to clamp down on unnecessary sys- tem access and possible security breaches. User profiles can be used to con- trol access to sensitive system tools such as the registry editor and the task manager. Types of User Profiles Three types of user profiles are available on Windows NT machines. I Local profiles. These profiles are local to a given machine and are only available to users when they log on to that one machine. I Roaming profiles. Roaming profiles, as the name suggests, are avail- able from a central source to users within the domain. They are used by the particular user or groups of users whenever they log on to a machine within the domain. If the roaming profile is not available, users can be logged on with a copy of the profile saved the last time they accessed the machine or with a default profile available to them. When users make changes to the desktop appearance or other objects stored in the profile, the changes are saved to the central copy of the profile at logoff time and are then provided the next time the user logs on. Roaming profiles give users a uniform base look on their desktop and then allow them to make changes as necessary. I Mandatory profiles. Mandatory profiles are similar to roaming profiles except that the user must use the profile to log on to the network. The two main differences between roaming and mandatory is that if the mandatory profile is not available, then the user is refused permission to log on or cannot make changes to the mandatory profile. Mandatory pro- files offer the greatest security and if implemented correctly can reduce 04McInerney.2 8/1/99 4:36 PM Page 64 64 Chapter Four • User Profiles the TCO by reducing the number of support incidents caused by inadver- tent system changes. These profiles are restrictive and could impact busi- ness (by not letting users log on when the profiles are unavailable), so you should consider both business and security needs when looking at this option. User Profile Location Parts of the user profile are stored in two separate places. Some of the set- tings are stored in a set of directories on either the local machine (local pro- file) or the validating server (roaming and mandatory profiles). The remainder of the settings are stored in system registry format in a file called ntuser.xxx (.dat or .man) in the profile directory structure. The profile settings are split along two distinct lines. The profiles direc- tory holds settings such as desktop icons, icons representing shortcuts to applications, user links (generally as icons), and any other settings repre- sented by visual objects such as folders, icons, files. The registry hive that stores user profile settings is HKEY_USERS (ntuser.xxx file); and it holds less tangible environmental preferences such as wallpaper and background settings, international settings, and keyboard/mouse settings. Security-related settings such as the ability to run applications and access to system tools are also stored here. Tables 4.1 and 4.2 list the settings available in the two loca- tions and briefly describe their use. TABLE 4.1 %SystemRoot%\Profiles\%Username% directory contents Directory Name Description Application Data Content defined by application programmers. Desktop Any items to be displayed on the desktop such as shortcuts. Favorites Shortcuts to the user’s favorite locations. Used with Internet Explorer. NetHood Shortcuts to Network Neighborhood objects. A hidden direc- tory by default. Personal Default storage location for files created by the user. Applica- tions are specifically designed to save files here by default. PrintHood Shortcuts to printer objects. A hidden directory by default. Recent Shortcuts to the most recently used files and objects. SendTo Shortcuts to locations required for placing files into. Refer- enced by the Explorer context menu for files. Start Menu Shortcuts to applications. Newly installed applications should place shortcuts here. Templates Shortcuts to template objects. A hidden directory by default. 04McInerney.2 8/1/99 4:36 PM Page 65 Creating a Roaming User Profile for NT 4.0 65 TABLE 4.2 ntuser.xxx registry hive contents Item Description NT Explorer Persistent network connections and user-defined explorer settings. Taskbar Taskbar settings and personal program groups and properties.