User Profiles

User Profiles on Windows 2000 Workstation

What are User Profiles? A user profile represents what the user sees when they log into their computer. This includes the desktop wallpaper, the icons such as My Computer, Internet Explorer, Recycle Bin, the Start Menu, and the task bar. Some of these items can be customized by the user (such as the choice of wallpaper) and preserved when the user logs on at a later time. On a more technical level the user profile represents a collection of folders and files. The User Profile is comprised of a registry hive and a set of profile directories. The registry is a database used to store computer and user specific settings, and portions of the registry can be saved as files, called hives1 . These hives can then be reloaded for use as necessary. User Profiles take advantage of the hive feature to provide roaming profile functionality. These folders and files are updated each time the user successfully logs off their computer. The following screenshot depicts the typical folders and files that make up the user profile.

All User Profiles within the LS&A NT domain are configured as “roaming profiles”. Roaming profiles are the collection of folders and files comprising the user profile that are automatically copied to a common server—the s-lsa-prof server. Because of their location on a common server, user profiles are available on any LS&A NT domain computer that a user logs into. Hence, the user profile (i.e. the collection of folders and files) travels with the user as they move about logging into different NT4 or Win2K(P) computers.

Folders and Files that Make Up the User Profile The folders and files that make up the user profile for most users at LS&A are described in the table below. Some of these folders or files are normally hidden from view. These hidden objects are denoted with an asterisk. The hidden objects, however, can be seen if the “Admin Friendly Explorer View” has been enabled. Not all folders or files will be necessarily displayed for all users. Some folders will only display when a user is using a Win2K(P) computer. Folder *Application Data

Description Application-specific data, such as a custom dictionary for a word processing program. Application vendors decide what data to store in this directory. Users or DSAs do not normally work within this directory.

Cookies

Internet cookies are small signatures that indicate previous visits to a site. Cookies usually make the subsequent visits faster. These files are generally small in size (normally 1K) and do not require management by the DSA.

1

The registry hive is divided into hives. They are named hives for their resemblance to the cellular structure of a beehive. A hive is a discrete body of keys, sub keys, and values. Date: 11/11/2005 4:10 PM Page 1

User Profiles on Windows 2000 Workstation

Folder Desktop

Description Desktop icons/shortcuts that display on the desktop. This folder stores all shortcuts created by the user. The shortcuts in this folder can be very useful to the DSA. New shortcuts can be added directly to this folder. They can also be removed from this folder. Shortcut changes in the Desktop folder must be made when the user is not logged into a computer. The DSA should make the changes on the server-based version of the profile only. Favorites Listing of favorite web or URL network locations—mainly used by Internet Explorer. Favorites can be deleted by the DSA to manage the growth of favorites. Local Settings Application data for Internet applications. Not normally managed directly by the user or DSA. My Documents Storage point for documents and pictures. Location can be modified to point to a network path. Note: My Documents replaces “Personal” when the user profile moves to Windows 2000; they both serve the same process. My Webs Storage point for synchronized Web Information. *Net Hood Network Neighborhood information. Permanent drive mappings are stored here as shortcuts. The DSA can copy the drive mappings stored in this location to other profiles. *PrintHood Stores shortcuts to printer folder items. Recent Stores shortcuts to the most recently used documents. Can be managed by the DSA to maintain a “recent” listing of the most used documents. The DSA does this by removing files from the server-based profile. The user can trim this down by selecting Start / Settings / Task Bar and Start Menu / Advanced, and click on the box to Clear all recent document pointers. The Recent folder can become unwieldy to work with over time if not cleaned up occasionally. SendTo List of locations where you can send files and directories (e.g. Word or Notepad). Generally used to open documents. Start Menu Items that appear via the Start Menu. Normally applications that are specific to the user. *Templates Location of application templates. Windows Location of user-specific files and settings for applications installed into Windows 2000. *Ntuser.dat Represents the settings for NT Explorer, the taskbar, printer settings, control panel, accessories, and help bookmarks. The Ntuser.dat file is mapped to the HKEY_CURRENT_USER portion of the registry when the user logs on. *Ntuser.dat.LOG The Ntuser.dat.LOG file acts as a sort of transaction log file that can serve the purpose of profile recovery. This file is updated each time the user logs off the computer. *ntuser.ini Establishes the exclusion list of files not included as part of the Roaming Profile. This list currently includes Temporary Internet Files, History, Temp, and Local Settings\Application Data\Microsoft\Outlook * Hidden Directories or Files

The Ntuser.dat File The User Profile registry hive is the NTuser.dat in file form, and is mapped to the HKEY_CURRENT_USER portion of the registry when the user logs on.The NTuser.dat hive maintains the user’s environment preferences when the user is logged on. It stores those settings that maintain network connections, Control Panel configurations unique to the user (such as the desktop color and mouse settings), and application-specific settings. Together, the Ntuser.dat file and the other folders/files make up the user profile that provides the complete set of user profile settings. NTUSER.DAT The NTuser.dat file contains the following configuration settings. • Windows NT Explorer settings. All user-definable settings for Windows NT Explorer, as well as persistent network connections. • Taskbar. All personal program groups and their properties, all program items and their properties, and all taskbar settings. • Printer settings. All network printer connections. • Control Panel. All user-defined settings made in the Control Panel. For example, the wall paper and screen savers. Date: 11/11/2005 4:10 PM Page 2

User Profiles on Windows 2000 Workstation

• Accessories. All user-specific application settings affecting the Windows NT environment, including: Calculator, Clock, Notepad, Paint, and HyperTerminal, among others. • Help bookmarks. Any bookmarks placed in the Windows NT Help system. As a result of these settings being embedded within the Ntuser.dat file, these settings can only be changed when a user is logged into a computer. The user or DSA would have to make the changes on the cached profile, and log off to preserve them on the server-based version2 .

Types of User Profiles Roaming profiles are one type of user profile. Other profile types can include local profiles, cached profiles, and mandatory profiles. Each profile type is defined below: Roaming Profile A roaming profile is stored on a network share and can be accessed from any computer. A user who has a roaming profile can log on to any computer for which that profile is valid and access the profile. An NT4 profile is valid for both NT4 and Win2KP. However, NT4 or Win2K profiles cannot be used on Windows 9x computers due to differences in the registry. Local Profile A local profile is specific to a computer. A user who has a local profile on a particular computer can gain access to that profile only while logged on to that computer. The local profile will be stored in one of two locations on the computer depending on whether it is an NT4 or Win2K(P) computer. On NT4, the local profile is generally stored in the c:\winnt\profiles<UserName> folder. On Win2K(P) computers, the local profile is generally stored in the c:\Documents and Settings\<UserName folder> 3 . To determine the exact location of the local profile when logged into an NT4 or Win2K(P) computer, the user can type “set” at a command prompt. The set command will display the environment variables on the computer. The “UserProfile” variable will display the precise location of the local profile. Mandatory Profile A mandatory profile is a pre-configured roaming profile that the user cannot permanently change. In most cases, mandatory profiles are assigned to a person or a group of people for whom a common interface and standard configuration is required. At LS&A, mandatory profiles are generally used for instructional labs. Typically, a shared account is created with a mandatory profile. Students who use these accounts can make desktop modifications while logged into the computer, but the changes are not uploaded or preserved when the user logs off the computer. Changing the extension of Ntuser.dat to Ntuser.man inside the roaming profile directory will make a profile mandatory. Likewise, the mandatory profile can be “unlocked” by changing the file extension back to .dat.

How User Profiles are Initially Created Before a user logs into a new Win2K(P) computer for the first time, there are only two user profiles on the newly built computer. These profiles are called “All Users” and “Default User”. The screenshot below shows these profiles. Understanding how they are used to create the initial user profile for the user is important for later troubleshooting and management.

2

It is also possible to edit the registry hive, but directly editing the registry is not the recommended way to modify profiles. The location of the local profile on Win2K(P) systems can vary depending on whether it is a new build or an upgrade of an NT4 system. If a new computer, the User Profile path will be c:\Documents and Settings\<UserName>. If an upgrade from NT4, then the User Profile path will be c:\winnt\profiles\<UserName>. 3

Date: 11/11/2005 4:10 PM Page 3

User Profiles on Windows 2000 Workstation

All user accounts at L&SA are configured as roaming profiles. This is done with the User Account Management tool when the account is created.

When the user logs onto their computer for the first time, the local or cached version of the profile is created using the Default User Profile. In addition, shortcuts assigned to the All Users Profile are added to the new User Profile. When the user logs off the computer, the User Profile is copied (uploaded) to the s-lsa-prof server for the first time. As the user logs on and off the network, the roaming profile is updated with the changes. The Default User Profile and the All Users Profile are system profiles used to generate all initial user profiles.

The All Users Profile The All Users Profile provides common shortcuts to all users that log onto the computer. These shortcuts usually apply to application programs. When installing applications manually, the program can be installed for the “current user” or “all users” using the computer. If the program is installed for just the logged in user, then the shortcut for the program is only available for the one user. If the program is installed for all users, then the program is available for anyone who logs onto the computer.

The Default User Profile The Default User Profile is a hidden profile. The DSA will want to insure that their view of desktop files is set up with the administrative view. This will allow the visual view of the Default User profile. Right-mouse clicking on the Start button and selecting “Open All Users” or “Explore All Users” can easily display the user profiles. The profiles can also be displayed by navigating to the profile path. The contents of the Default User Profile resemble a normal user profile. The contents of this profile are used to create the initial user profile for all new users. The typical Default User profile is displayed below:

Date: 11/11/2005 4:10 PM Page 4

User Profiles on Windows 2000 Workstation

The Default User Profile is created by the Win2K(P) system during the installation of the operating system. It can also be modified as a custom template for users. See later section on “Management Tasks with User Profiles”.

Differences between NT4 and Win2K(P) User Profiles User profiles for NT4 and Win2K(P) are stored in different locations on the hard drive. For NT4 computers, the user profile is stored in the c:\winnt\profiles<User Name> path. For Win2K(P) computers, the default user profile is stored in the c:\documents and settings\<User Name> path. Microsoft made this change in order to move the user profile out of the secure location of the Win2K(P) operating system files under winnt. However, the default location for user profiles on Win2K(P) computers depends on whether the computer was newly installed or upgraded. If newly installed, the user profile path will be the c:\Documents and Settings\<User Name> path. If the NT4 computer is, instead, upgraded to Win2K(P), the user profile path will continue to use the former NT4 setting of c:\ winnt\profiles\<User Name>. The following table shows the possible location for user profiles on the local computer according to the method used to install Win2K(P). Installation Method for Win2K(P) Windows 2000 New Installation Windows 2000 Upgrade from NT4 Windows 2000 Upgrade from Win9x with User Profiles disabled Windows 2000 Upgrade from Win9x with User Profiles enabled

Location of the User Profile C:\Documents and Settings C:\winnt\profiles C:\Documents and Settings C:\windows\system\profiles

Logging into Both NT4 and Win2K with the same User Profile A user with a roaming profile who logs on to both NT4 and Win2K computers should have no issue with their user profile. The profile path, however, may vary depending on the version of Windows NT and the mode of Win2K(P) installation (i.e. new install or upgrade). While there may be no issue, there have been reports of two anomalies. First, the network applet under control panel on NT4 systems seems to disappear after logging into a Win2K computer with the same user profile. The present workaround is to access the network properties by selecting properties from the network neighborhood. Second, the login switching between NT4 and Win2K will occasionally bring up a password problem with Protected Storage. The workaround is to select cancel when presented with the password window. A fix is also available by editing the registry—see section on troubleshooting.

Roaming Profiles are Recommended LSAIT believes that roaming profiles are the recommended profile setups for most users at LS&A. Roaming profiles provide roving users a consistent desktop when traveling about the college. They also provide a backup of

Date: 11/11/2005 4:10 PM Page 5

User Profiles on Windows 2000 Workstation

user settings should the user’s main computer become inoperative. All the user’s settings are preserved and can be easily recovered should the computer have to be rebuilt. Once the issues of user profiles are well understood, most profile problems can be easily managed.

Changing the User Profile The user can make direct changes to their profile. Each time a user logs into Win2K(P) and makes changes to their desktop settings, the changes are preserved when the user logs off successfully. A successful log off occurs if the user receives no errors when logging off the computer, and the logon screen appears on the monitor. The CSG or DSA can also make modifications to the user profile in two ways. One, they can remotely connect to the user’s desktop with SMS remote control when the user is logged in and make desktop modifications that will be preserved when the user logs off. Two, they can make direct modifications to the user profile folders and files that are stored on the s-lsa-prof server. The user must not be logged into any computer when changes are made to the server-based profile. If the user is logged in, the changes will be overwritten by the upload of the cached profile when the user logs off.

Changing the Roaming Profile to a Local Profile on One Computer The CSG or DSA may decide to change a user’s profile on a designated computer to a local profile instead of a roaming profile. A local profile is a user profile that does not upload or download to the s-lsa-prof server. The local profile is dedicated to a single computer—it does not roam with the user logging into other computers. The result of doing this is a dramatic improvement in the login time on the one computer. Some staff in the SST, for example, have elected to use a local profile rather than a roaming profile on their main work computer. The reason, typically, is to improve the login/logout time on the computer. By doing this on one computer does not mean that the roaming profile is no longer available. In fact, the roaming profile remains available when the user logs on to other computers. One other typical reason to enable a local profile is to prevent download of the roaming profile for dial-up users. Remote users should not use roaming profiles over slow links. To change the roaming profile to a local profile on one computer, the CSG or DSA would bring up the User Profiles program and change the profile to local. To do this, right-mouse click the My Computer icon, select properties, and select the User Profiles tab. This will bring up the User Profiles program. Select the appropriate user account and change the type to local.

Changing the user profile to a local profile from a roaming profile does have its consequences. A local profile is not preserved on the s-lsa-prof file server. As a result, it is not regularly backed up. Hence, if the user’s computer becomes unusable, the local profile will be lost.

Date: 11/11/2005 4:10 PM Page 6

User Profiles on Windows 2000 Workstation

How to Prevent Users from Changing the User Profile Type Only DSAs should change the local profile type from roaming to local. To prevent users from making this change, the DSA should remove the read permissions from the c:\winnt\system32\sysdm.cpl file for the users or groups that should not be able to modify profile settings. See Q file, Q150919.

Disabling the Roaming Profile Altogether If desired by the user, the roaming profile capability can be disabled altogether. The user should contact the CSG or DSA and request that the roaming profile be disabled. The CSG or DSA would remove the roaming profile entry as defined in the user’s account setting. The result will be that the user will get a profile that is local to their computer and all other computers they log into. The profile will not travel with the user if they log onto another computer. The user will always receive a local profile for each distinct computer they log into. Their customized profile will only be available on the computer they regularly use day to day. Removing the roaming profile altogether does have its consequences. A local profile is not preserved on the s-lsaprof file server. As a result, it is not regularly backed up. Hence, if the user’s computer becomes unusable, the local profile will be lost. All custom settings will have to be manually added.

Deleting a User Profile and Starting Over It may become necessary to delete a user’s profile and start fresh with a new user profile. To do this successfully, it is important that the local profile and the server-based profile be deleted. The deletion of the profile must be done with a different user account other than the user’s account. It is important to note that if a user is logged on locally to a machine and then attempts to delete his or her own profile, a message will appear stating that the profile is currently in use and cannot be deleted. The user must log off, log back on using a different account with administrator privileges, and delete the profile. In addition, if a service is running for a particular user account, the same message may appear. If this happens, stop the service and then delete the profile. Once the local and server-based profiles have been deleted, then the user can log in again starting with the standard profile defined by the Default User profile. The entire profile can be regenerated in two ways. One, copy the template profile in place of the existing user profile; two, have the user login in fresh to a computer thus creating a new profile from the existing default user profile. The steps to do this are defined below: Copy the Template Profile Over the Existing Profile If a template profile has been preserved for a particular department, the template profile can be copied to a user’s profile directory to replace a corrupted profile. Perform the following steps: 1. 2.

Instruct the user to log off their computer Connect to the \\s-lsa-prof\profiles share.

3. 4. 5.

Navigate to the target profile. For instance, to navigate to the kirk profile, change directories to k\kirk. Select the contents of the profile and delete everything Copy the template profile into this folder

6. 7.

Have the user log back into their computer The user will be prompted to select between the server-based profile and the local profile. Instruct the user to select the server-based profile. Note, the new server-based profile will replace the local profile on the user’s hard disk.

Copy the Local Profile to the s-lsa-prof Server If the server-based profile is corrupted, it is possible to copy the local profile to the server. Here are the steps. 1. 2.

The CSG or DSA should log onto the user’s workstation as Administrator Right-mouse click on the My Computer icon and select Properties.

3. 4. 5.

Click on the User Profiles tab Highlight the local version of the User’s Profile and click on Copy To... At the Copy profile to field, enter the path to the user’s profile and click OK. If this were user Kirk’s profile, the path would be \\s-lsa-prof\profiles\k\kirk.

Date: 11/11/2005 4:10 PM Page 7

User Profiles on Windows 2000 Workstation

6.

Click on OK to close the System Properties Screen.

Making a Profile Mandatory A user profile can be made mandatory (not subject to change) by changing the file extension of Ntuser.dat to Ntuser.man. The change must occur on the server-based profile. The mandatory profile represents a Read-Only profile. Changes cannot be updated to the server-based profile. Users using a mandatory profile will be able to make changes to the desktop while logged into the computer. However, those changes will not be preserved when the user logs off the computer. Instead the original profile settings will recover automatically. A mandatory profile is typically used in instructional labs where desktop consistency is highly desirable and necessary. Users are denied the ability to save changes the desktop settings with a mandatory profile.

Forcing the Use of the Server-Based Profile Only Adding the .man extension to the server-based folder containing the roaming profile can enforce the use of the server-based profile. For instance, if the user profile named kirk was stored in the s-lsa-prof\k\kirk.man folder, the user kirk would not be able to log into the computer unless the server-based profile was available. In this case, the cached profile, even if it existed, would still not allow the user to login and access the profile. Only the server-based profile would be used if available.

Configuring NT4 or Win2K to not download the Roaming Profile over a Dial-up Connection NT4 or Win2K dial-up users could be frustrated by the download of their roaming profile over a slow dial-up connection. Dial-up users should not download their roaming profile. They should configure their off-site computer to use the local profile instead. A domain-wide policy can be set such that detection of a slow link automatically triggers the use of the local profile instead of the roaming profile. >, you can access the Dfs root with a domain name rather than the server name.

Best Practices for Department Systems Administrators 1.

The DSA should have an account without a roaming user profile. This will improve login time and minimize frustration of having zombie shortcuts installed on the foreign computer when performing administrative tasks. LSAIT recommends that DSAs have an account created that is called Sysadm. The math DSA, for instance, would request an account named “math sysadm”. The math sysadm account would not have a roaming profile. It would also be added to the math sysadm group as well. The NT department prefix is required.

2.

Obtain admin rights to the user profiles in your department. New user accounts already provide their local DSA Full Control rights over the profile. LSAIT is working on a script to provide this capability to long-term accounts as well.

3.

Confirm that all users in your department have Full Control rights to their roaming user profile. This will be critical for Windows 2000. Windows 2000 requires that users have Full Control rights to their server-based profiles in order that updates work correctly.

4.

Review TechNet or “support.Microsoft.com” for issues related to Us er Profiles. Just search on “user profiles”.

5.

Maintain a folder for common user shortcuts. The shortcuts can be copied to a user’s server-based profile when needed to correct a problem.

6.

Make the roaming profile mandatory for troublesome users. Making the profile mandatory will maintain a consistent desktop, prevent the user from corrupting their desktop, and minimize your support intervention. You can instruct the user to simply log off and log back on to correct desktop problems.

7.

Advise your users to not place data on their profile. Instead, advocate the use of shortcuts to point at the real data. One way to heighten the user’s interest in compliance is to explain that data on the profile becomes part of the cached profile on every machine they log into. Hence, it is possible that a user could risk access to their personal data on a computer where the permissions have been changed or modified directly. Other users on the computer could possibly access their data!

Date: 11/11/2005 4:10 PM Page 8

User Profiles on Windows 2000 Workstation

Troubleshooting User Profile Problems What happens to the profile when the user is logged into several machines at once? When a user is logged into multiple machines at the same time, the last computer that the user logs out from will represent the user profile that is saved to the server. Any changes made from other computers during the interim will be overwritten and therefore lost.

What happens to the profile during slow network connections? If network traffic is heavy when the user logs in to the LSA NT network, they may receive a message stating that a slow network connection has been detected. Furthermore, they will be prompted to use the locally cached version of their user profile. In almost all cases, the user should continue to select the server-based version. One thing to consider, however, is where the most recent profile changes are located and how long the serverbased profile has been unavailable. If the user has been using the local profile for many days and has been making changes to their desktop, then they should select the local, not server-based, profile when prompted with this dialogue box. In only this way will they preserve changes to their profile? Note: the best way to determine the degree to which the cached profile and the server-based profile are in sync is to compare the timestamp of the Ntuser.dat files.

What happens when the user is unable to log on because the profile cannot be loaded? This indicates that permissions have been set too tightly within the “winnt” directory, “winnt\system” directory, “winnt\system32” directory, or the “winnt\system32\config” directory. The DSA can use the “fixacls.exe” resource kit utility to restore the default Win2K security access control (acl) list. Note: The use of fixacls should be used only after consulting the CSG or SST group. The fixacls command will remove all lockdown and expose the local computer to the Everyone Group.

What happens if the roaming user profile is unavailable at login? Once the user logs in successfully to their Win2K computer, the user profile from s-lsa-prof is downloaded to their local hard drive as a cached version. If the s-lsa-prof server were unavailable at login, the user would be prompted to use the locally cached version. Hence, users should always have access to their computer even if the s-lsa-prof server is unavailable. However, this does require one previous successful login onto their computer. If the user has never logged into their computer successfully, and the s-lsa-prof server is unavailable, then the user would get the profile for the “default user” provided they could authenticate to the NT domain with their login credentials. If none of the login servers (s -lsa-01, s-lsa-02, s-lsa-m1) were available for a user who has never logged into the workstations before, then the user would not be able to login at all. The user would require an account on the local computer.

What happens if all LS&A NT domain servers were unavailable at login? Provided that the user has logged in at least one time successfully to their computer, they will be able to authenticate using the locally cached profile information on their computer, and thus gain access to the desktop. If they have never logged in successfully to the computer, they will be denied access to the computer. In this latter case where the user has never logged into the computer, the only way the user could gain access to the desktop is to obtain a local user account on the machine. A local user account can be provided by the DSA in the department or by the CSG (936-3279; [email protected]). Access to remote NT file services, of course, will not be available. Access to programs like Microsoft Word or SPSS would be available since they are stored on the local computer. Once access to the LSA NT servers is available, the user should log out and log back in to reconnect all services. ile will not download from the s-lsa-prof server. The locally cached version of the profile maintains updates, but does not upload to the server-based version.

Date: 11/11/2005 4:10 PM Page 9

User Profiles on Windows 2000 Workstation

If this occurs, the first thing to examine is the timestamp on the Ntuser.dat file. The timestamp on the server-based version and the local version should be compared. If the timestamp on the local version is significantly newer than the timestamp on the server-based version, then something is wrong with the update mechanism. After checking that all settings are correct for the roaming profile with the user’s account, you should examine the User Profiles settings on the local computer. To do this, Right-mouse click My Computer and select Properties. Click on the User Profiles Tab. Review the profile type. It is possible that the profile type was changed to local instead of roaming. If the profile is set to roaming, then you should delete the cached version of the profile and see if the roaming profile begins to download. Before doing this, you should confirm that the user’s profile is absent of data files.

Can other users access data that is stored as part of a roaming profile on the local computer? Users who place data on their profile risk having others gain access to their data. Data should never be stored on the profile. Not only is it a security risk, but it also slows the login and logout time of the login process. By default, Windows NT or Windows 2000 grants Full Control permissions for the “everyone group” to the storage location of cached profiles. For NT4, this would be c:\winnt\profiles; for Win2K, this would be c:\Documents and Settings. However, the user’s cached profile that is stored in this location provides Full Control permissions to the user, the local administrator on this computer, and the System (operating system). According to Q file, Q243420, the default security for roaming profiles is “change”. Only the user who owns the profile has full control rights to their cached profile. While this security is generally okay, the user should understand that any member of the local administrative group could potentially access their data if it is part of the roaming profile. Moreover, permissions could be changed on the local computer by a systems administrator, thus opening access to locally stored profiles.

How does a systems administrator remove zombie shortcuts or broken “.lnk” files? Over time a user profile may have several shortcuts or links to programs that no longer exist. They are “dead shortcuts —zombies—that no longer run the program they were originally attached. The user can delete these shortcuts one at a time. Better than this, the DSA can run the “chklnks.exe” resource kit program on the user’s computer and delete them all quickly. The chklnks.exe program is a resource kit utility that executes a wizard that checks to see if the shortcut points to an existing application or document. If the associated application or document is not found, the Wizard lists that file as a dead link, providing the option to remove it.

Why does the profile upload and download take so long? There are three reasons for a slow download or upload of user profiles. One, the network is very slow. There is considerable traffic resulting in delays of file transfers. This may occur at 8am or 5pm when many other college users are logging into or off the network. Two, the user profile is large. The user may have copied data files to the profile. A large profile is any profile over 20MB. Three, the virus software may be inspecting the file download at login. This problem was noted with DSAVand the Winguard program. Disabling the Winguard program from its file inspection dramatically improved the user profile upload and download times in some cases. Note: LSAIT does not recommend as a matter of course that the WinGuard program be disabled to speed the login/logout time. Users should be fully aware of this change if this is enabled for them. They, not the DSA, should take responsibility for this.

Why does a custom program work well for the administrator account, but not new users? Assuming this is not a permissions problem, then the problem is most likely the result of the program not being properly configured for the Default User Account. This can be remedied by the DSA. The DSA can copy the administrator account profile in place of the Default User Profile with the User Profile tool. The user profile tool is accessed according to the following steps: • • •

Right-mouse click the My Computer Icon Select Properties Click on User Profiles

Date: 11/11/2005 4:10 PM Page 10

User Profiles on Windows 2000 Workstation

• • •

Click on the Administrator Profile Change permitted to use to Domain Users Copy in place of the Default User Profile

After doing this, the DSA should log back in using the normal administrator account and delete the temporary admin account. Note: A temporary admin equivalent account is necessary to copy the administrator profile. The administrator cannot copy their own profile while logged in and using it.

What to do if the user is prompted for a Protected Storage Password at login? There have been a few reports of users getting a prompt for the protected storage password at just after the initial login to NT4 or Win2K(P). The problem seems to be related to users who log into both NT4 and Win2K(P) computers. There also seems to be some evidence that this is related to use of Office 2000 as well. While LSAIT continues to investigate, there is a remedy to the problem. To fix the problem, the registry will have to be changed by the DSA. Here are the steps: 1. 2. 3.

4. 5. 6. 7.

Stop the Protected Storage Service with the Services Tool. Use regedt32 to navigate to the HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider Registry key. Double-click this key and you will see at least one subkey that has a name that is equivalent to your Windows NT user account’s SID. You need to delete this subkey, but you don’t have permission to do so. So you need to give yourself permission to do this. Highlight the key that represents the SID, and select Permissions from the Security menu. Add your user account to the ACL with Full Control rights. Delete the subkey. Restart the Protected Storage Service.

Why do user profiles get corrupted? While there is no exact answer for user profile corruption, there does appear to be some indication that user profiles can be corrupted by an incomplete logoff. This normally occurs when the user logs off and powers off the computer before the logoff has completed or the computer has crashed. The interrupted logoff results in a corrupted profile. Logoff times for normal roaming profiles take about 30 seconds. However, users with large profiles over 20MB could experience logoff times that take several minutes. In this case, the user may become impatient waiting for logon screen to select Shutdown.

Why are changes to the User Profile not preserved? Let’s assume that the user has a roaming profile that is functioning correctly. It is not a mandatory profile either. And they only log in to one computer—there is no other occurance of their login on another computer. Yet, each time they log in and log off the computer, all changes to the user profile are lost. No error messages are generated. However, if the user is made an administrator of the local workstation, all changes to the user profile are retained properly. The likely cause of changes not being preserved to the profile is that the user is not a member of the local workstation Users group. If a user is not an explicit member of the local workstation Users group or another group other than the Guest group, the user is considered a guest. All guest profiles are deleted when the user logs off the computer.

Why are Win2K users getting an error message stating that their roaming profile cannot be updated? This normally indicates that the user does not have full control permissions for the roaming profile stored on the s lsa-prof server. Change the permissions so that the user has full control permissions to all profile folders and files.

Date: 11/11/2005 4:10 PM Page 11