Advantages of the User Profile
User profiles provide the following advantages:
- After a successful logon, users start working with their own working environment (including desktop settings) as it existed at the time they last logged off.
- Many users can share a single computer, and each user gets individual settings for their working environment.
- User profiles can be stored on the server, so they can be used independently of the workstation from which the user logs on to the network. These user profiles are called roaming user profiles.
From the administrator's point of view, user profiles provide specific advantages and are capable of:
- Creating customized user settings.
- Specifying common settings for each user group.
- Assigning mandatory user profiles, which can't be changed by the users and don't allow them to change the system's configuration.
As was already mentioned in Chapter 1, Windows XP and Windows Server 2003 provide the following types of user profiles:
- Local user profiles: [...] hard disk. Any changes that you might introduce to the local user profile are computer-specific and only apply to the computer on which these changes are made.
- Roaming user profiles: [...] available any time the user logs onto a network. Any changes made to a roaming user profile are updated on the server.
- Mandatory user profiles: [...] by system administrators. Any changes the user makes to this type of profile are lost when he or she logs off.
Note: Mandatory user profiles are included with Windows XP and later only in order to provide backward compatibility with existing Windows NT 4.0 domains. If you have Windows 2000 domains in native mode, or have already migrated to Windows Server 2003 domains, and need to provide managed desktop configurations for users and groups, it is recommended that you use Group Policy rather than mandatory user profiles. Group Policy basics will be discussed later in this chapter.
The Settings Stored in the User Profile
Each user profile contains configuration settings and options customized for each individual user. In practice, the user profile can be considered a "snapshot" of the user's working environment.
The main settings stored in the user profile are listed in Table 10.1.
Table 10.1: User Profile Settings

Working environment item: User profile settings
- Windows GUI (Windows Explorer or My Computer): All user-specified settings of the Windows Explorer application.
- Taskbar: All personal program groups and their properties, all personal programs and their properties, all individual settings of the taskbar.
- Printer settings: All connections to network printers.
- Control Panel: All individual user-specific settings specified using Control Panel applets.
- Accessories: All user-specific customized settings of the applications that influence Windows NT/2000, Windows XP, or Windows Server 2003 working environments, including individual settings for Calculator, Notepad, Paint, HyperTerminal, etc.
- Application settings: All Windows applications allow individual settings for each individual user. If this information exists, it's stored in the user's registry hive (HKEY_CURRENT_USER).
- Bookmarks in the online Help system: All Help bookmarks set by the user.
- Favorites registry key: All registry keys marked by the user as Favorites.
User Profile Structure
Each user profile consists of a registry hive (the Ntuser.dat file, which is mapped to the HKEY_CLASSES_ROOT registry key when the user logs on) and a set of folders in the file system of your computer. Since the release of Windows NT 4.0, the default location of user profiles has changed in order to allow administrators to provide better security for the operating system folders without affecting user data. Let us consider the default location of user profiles in more detail.
All Windows NT user profiles are stored in the %SystemRoot%\Profiles folder. When you log onto the system for the first time, the system creates a new profile for you based on the Default User profile, present on each Windows NT Workstation or Windows NT Server computer. The \Default User folder and the profile folders for individual users contain the Ntuser.dat and Ntuser.dat.log files (the user profile hive and its log) together with the desktop shortcuts.
The naming conventions for the user profile folders have changed with Windows 2000. In general, the location of Windows 2000, Windows XP, or Windows Server 2003 user profiles depends on the method used to install the operating system:
- If Windows 2000, Windows XP, or Windows Server 2003 was installed fresh, the Setup program creates a new folder for storing user profiles: %SystemDrive%\Documents and Settings (for example, C:\Documents and Settings).
- If the system was installed as an upgrade from a previous Windows NT version, user profile folders are located in the %SystemRoot%\Profiles folder (as in Windows NT 4.0).
Note: Later in this chapter, we'll use the %ProfilePath% variable to specify the path to the folder that contains user profiles.
The locations of user profiles for each of the possible types of OS installation are briefly described in Table 10.2.
Table 10.2: User Profile Locations

Installation type: User profile location
- Clean installation of Windows 2000, Windows XP or Windows Server 2003 (no previous operating system): %SystemDrive%\Documents and Settings; for example, C:\Documents and Settings
- Upgrade from Windows 2000: %SystemDrive%\Documents and Settings; for example, C:\Documents and Settings
- Upgrade from Windows NT 4.0: %SystemRoot%\Profiles; for example, C:\WinNT\Profiles
- Windows 2000 or Windows XP systems upgraded from Windows 9x/ME: %SystemDrive%\Documents and Settings; for example, C:\Documents and Settings
Like the previous versions of Windows NT/2000, Windows XP and Windows Server 2003 automatically create a user profile when a new user first logs onto the system. To store this profile, the system creates a new nested folder named after the login name of the new user and located under the %ProfilePath% folder. The path to this folder is saved in the system registry and associated with the user's security identifier (Security ID, SID).
Note: Many users, even experienced ones, often think that the system identifies each user by his or her username (or login name) and password. This isn't so; it's the SID that uniquely identifies the user. User profiles are also identified by their associated SIDs (Fig. 10.1).
Figure 10.1: The HKEY_USERS registry key
The HKEY_USERS registry key contains the default user profile as well as profiles for all user accounts currently logged on to the computer. The HKEY_USERS\.DEFAULT key contains parameters that the system applies before any user logs on to the system. The other subkeys are named after the SIDs of the currently logged on accounts:
- HKEY_USERS\S-1-5-18: This subkey contains parameters for LocalSystem, an identity used locally by the OS and by services configured to log on as LocalSystem. Notice that this identity is a hidden member of the Administrators group; that is, any process running as LocalSystem has the SID of the Administrators built-in group in its access token.
- HKEY_USERS\S-1-5-19: This subkey contains parameters for LocalService, an identity used by services that do not need local privileges as extensive as those of LocalSystem, and do not need authenticated network access.
- HKEY_USERS\S-1-5-20: This subkey contains parameters for NetworkService, an identity used by services that do not need extensive local privileges, but do require authenticated network access.
Note: All three SIDs listed above are well-known SIDs (more information on well-known SIDs was provided in Chapter 9). Also notice that NetworkService (S-1-5-20) and LocalService (S-1-5-19) are newly introduced built-in accounts that exist only in Windows XP and Windows Server 2003, added in order to reduce the number of services running in the SYSTEM context. Therefore, the HKEY_USERS registry key in Windows 2000 or earlier does not contain subkeys identified by these SIDs.
- HKEY_USERS\CURRENT_USER_SID (in the example shown in Fig. 10.1, the CURRENT_USER_SID is S-1-5-21-1292428093-1343024091-12804019-1107): This subkey contains parameters that correspond to the current user, who has logged on locally.
- HKEY_USERS\SID_Classes: These subkeys contain file associations and COM classes for specific SIDs.
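To see which of these SIDs actually have a hive loaded on a given machine, here is an added PowerShell example (not from the book); it walks HKEY_USERS through the registry provider and resolves each SID to an account name with the .NET SecurityIdentifier class, which it assumes is available (any Windows host with PowerShell).

```powershell
# Added example, not from the book: list the hives under HKEY_USERS and
# resolve each SID to an account name. Run in an elevated PowerShell session
# on Windows; only the registry provider and .NET identity classes are used.
$wellKnown = @{
    'S-1-5-18' = 'LocalSystem (hidden member of Administrators)'
    'S-1-5-19' = 'LocalService'
    'S-1-5-20' = 'NetworkService'
}

function Get-LoadedUserHive {
    Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
        $name = $_.PSChildName
        if ($name -eq '.DEFAULT') {
            return [pscustomobject]@{ Key = $name; Account = 'pre-logon defaults'; Kind = 'Default' }
        }
        # *_Classes keys hold file associations and COM classes for a SID,
        # not the user's settings hive; report them against that SID.
        $isClasses = $name -like '*_Classes'
        $sid = $name -replace '_Classes$', ''
        $account = if ($wellKnown.ContainsKey($sid)) {
            $wellKnown[$sid]
        } else {
            $(try {
                ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { '<unresolvable SID>' })   # deleted account or untrusted domain
        }
        $kind = if ($isClasses) { 'Classes' } elseif ($wellKnown.ContainsKey($sid)) { 'Service' } else { 'User' }
        [pscustomobject]@{ Key = $name; Account = $account; Kind = $kind }
    }
}

# More than one 'User' row means another account's hive is loaded, for
# example after a Run As (secondary logon) described later in this chapter.
Get-LoadedUserHive | Sort-Object Kind, Key | Format-Table -AutoSize
```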
Starting with Windows 2000, Microsoft has introduced the so-called Run As functionality, also known as secondary logon. This feature is designed to give users the capability of starting programs under different security contexts. For example, administrators can log on as ordinary users and invoke a secondary (administrative) logon in order to run administrative tools without needing to log off. To start a program under a different security context, it is sufficient to right-click the file that you want to start and then select the Run As command from the context menu. The Run As dialog opens (Fig. 10.2), where you can select the user account with administrative rights.
Figure 10.2: Using a secondary logon
Note: Secondary logons represent a security enhancement, which protects the system against unintended actions, attacks on the local Administrator account, and Trojan Horse attacks while accessing non-trusted sites using Internet Explorer.
After the user invokes a secondary logon and provides credentials for the administrative account, Windows loads additional settings for the secondary logon, and new subkeys appear under the HKEY_USERS registry key (Fig. 10.3).
Figure 10.3: The contents of the HKEY_USERS registry key after invoking a secondary logon
Note: If the Run As functionality is unavailable, check whether the Secondary Logon service is started (Fig. 10.4).
Figure 10.4: The Run As functionality depends on the Secondary Logon service
When the user logs on to the local system using a local or domain user account, and the %ProfilePath% folder doesn't contain a subfolder named after the user's login name, the system creates such a folder. The path to this folder is saved in the registry and associated with the user's SID. For example, if "Olga" logs on to a Windows 2000/XP or Windows Server 2003 system, the system creates a folder named %SystemDrive%\Documents and Settings\Olga to store the new user profile (Fig. 10.5).
Figure 10.5: Typical contents of the user profile folder
Later, if a user from another domain with the same login name attempts to log on to the network from this computer, the system creates another user profile folder for them. The folder is named using the following format: %SystemDrive%\Documents and Settings\Olga [DOMAIN_NAME], where [DOMAIN_NAME] is the name of the domain to which the user account with the duplicated user name belongs.
If both the login name and the domain name are the same, but the SIDs of the two user accounts are different (this may happen when you delete a user account and then create another one with the same name in the same domain), the system creates new user profile folders named as follows: %SystemDrive%\Documents and Settings\Olga [DOMAIN_NAME].000, %SystemDrive%\Documents and Settings\Olga [DOMAIN_NAME].001, etc.
Note: As I mentioned before, Windows NT 4.0 stores all locally cached user profiles in the %SystemRoot%\Profiles folder. If you've installed the newer version as an upgrade from Windows NT, the system continues using this folder for storing user profiles. If you've installed a new copy of Windows 2000, Windows XP, or Windows Server 2003, the Setup program creates a new "Documents and Settings" folder for storing user profiles. This folder is located on the same partition as the Windows 2000/XP or Windows Server 2003 operating system. Notice that some legacy applications use hard-coded pathnames to access locally cached user profiles. This may cause a problem in mixed environments. For example, if the path to the user profile is hard-coded as "%SystemRoot%\Profiles", the program may behave as expected in Windows NT 4.0, but it will fail to find the user profile in Windows 2000, Windows XP, or Windows Server 2003.
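The SID-to-folder association described above can be audited with the following added PowerShell example (not the book's code). It assumes the ProfileList key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, where Windows records each profile's SID and its ProfileImagePath, and the "Olga [DOMAIN_NAME].000"-style folder suffixes shown above.

```powershell
# Added example, not from the book: map every profile the system has recorded
# (ProfileList key, assumed present) to its SID, account and folder, then show
# folders that share one login name and profiles whose account no longer exists.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileFolderMap {
    Get-ChildItem -Path $profileList | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
        if (-not $path) { return }
        $path   = [Environment]::ExpandEnvironmentVariables($path)
        $folder = Split-Path -Path $path -Leaf
        $account = $(try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $null })
        [pscustomobject]@{
            SID     = $sid
            Account = $account
            Folder  = $folder
            Exists  = Test-Path -LiteralPath $path
            # Login name with the " [DOMAIN]" and ".000"-style suffixes stripped
            Base    = $folder -replace ' \[[^\]]+\](\.\d{3})?$', ''
        }
    }
}

$map = Get-ProfileFolderMap

# Same login name, several folders: the same name in different domains, or an
# account deleted and re-created with a new SID, as described above.
$map | Group-Object -Property Base | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Group } | Format-Table SID, Account, Folder, Exists -AutoSize

# Domain or local user SIDs (S-1-5-21-...) that no longer resolve: orphaned
# profiles whose data is still on disk and worth reviewing before removal.
$map | Where-Object { $_.SID -like 'S-1-5-21-*' -and -not $_.Account }
```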
Now let us consider in more detail the preferences stored in the profile directories. The screenshot shown in Fig. 10.5 illustrates the typical structure of the user profile, which in Windows XP and Windows Server 2003 contains the following folders:
- [...] word processing program. Application vendors decide what data to store in this directory.
- [...] Usually either machine-specific, or too large to roam effectively.
- My Documents: The new default location for any documents that the user creates. Applications should be written to save files here by default.
Note: By default, the Local Settings folder and its subfolders do not roam with the profile. This folder contains application data not required to roam with the user, such as temporary files, non-critical settings, and data too large to roam efficiently.
The Ntuser.dat File
The Ntuser.dat file is the part of the registry that actually supports the user profile. This file is the cached copy of the local HKEY_CURRENT_USER subtree (Fig. 10.6). It stores the settings that define the working environment for the currently logged on user.
Figure 10.6: The settings defining the working environment for the currently logged on user are stored under HKEY_CURRENT_USER
Defining Initial Settings for New Users
Many tips and registry hacks that explain how to modify the settings related to specific users recommend that you log on to the system as that user and then modify specific parameters under the HKEY_CURRENT_USER registry key. However, this approach is impractical when you need to apply the setting to multiple users (just consider how many times you would need to log on, start the registry editor to introduce the same modification, then log off). If this is the case, the small tip provided here will help you to specify unified initial settings for all new users who log on to the system for the first time. The main idea is that any modification that you can introduce to the HKEY_CURRENT_USER registry key can also be made to the default user hive.
To modify the default user profile hive, do the following:
1. Start Regedit.exe, highlight the HKEY_USERS key, and select the Load Hive command from the File menu.
2. Select the Ntuser.dat file from the %SystemDrive%\Documents and Settings\Default User folder.
3. Enter the name for the hive to be loaded (for example, NTUSER) into the Key Name dialog. Now introduce any desired modification to any key or value entry within the newly loaded NTUSER hive.
4. Having finished, right-click the NTUSER hive, select the Permissions command from the context menu, and assign Read permission to the Everyone group (Fig. 10.7). Then click Advanced and make sure that permissions are inherited by all subkeys of the default hive being modified.
Figure 10.7: Setting permissions for the modified default user hive
5. Unload the hive and close the registry editor. Now all new users will have the settings that you specified.
Note: This tip also works for Windows 2000 and previous versions. However, in this case you'll need to use Regedt32.exe and edit the default Ntuser.dat hive file, which is usually located in the %SystemDrive%\Documents and Settings\Default User folder (Windows 2000) or under the %windir%\Profiles\Default User directory (Windows NT 4.0).
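The same five steps as a script, added here and not taken from the book: it uses reg.exe (load, add, unload) instead of the Regedit GUI, assumes the Documents and Settings layout described in this chapter, and pre-seeds Explorer's real HideFileExt value so that new users see file extensions (hidden extensions let an executable pass for a document).

```powershell
# Added example, not from the book: the five steps above as a script, using
# reg.exe to load, edit and unload the Default User hive. Run elevated, while
# no first logon is in progress. The path assumes the Documents and Settings
# layout described in this chapter.
$hiveFile = Join-Path $env:SystemDrive 'Documents and Settings\Default User\NTUSER.DAT'
$mount    = 'HKU\NTUSER'          # step 3's key name, as reg.exe spells it

function Set-DefaultUserValue {
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Data,
        [string]$Type = 'REG_DWORD'
    )
    # Steps 1-2: load the default hive as HKEY_USERS\NTUSER
    & reg.exe load $mount $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load $hiveFile (already loaded or in use?)" }
    try {
        # Step 3: the value every new user's HKEY_CURRENT_USER will start with
        & reg.exe add "$mount\$SubKey" /v $Name /t $Type /d $Data /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg add failed for $SubKey\$Name" }
        # Step 4: confirm Everyone keeps Read on the hive root; without it the
        # profile cannot be loaded for new users
        $read = [System.Security.AccessControl.RegistryRights]::ReadKey
        $acl  = Get-Acl -Path "Registry::$mount"
        $ok   = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'Everyone' -and
            (($_.RegistryRights -band $read) -eq $read)
        }
        if (-not $ok) { Write-Warning 'Everyone does not have Read on the default hive' }
    } finally {
        # Step 5: unload so the change is flushed to NTUSER.DAT and the file is
        # no longer locked; drop the ACL object first so no handle stays open
        $acl = $null; [GC]::Collect()
        & reg.exe unload $mount | Out-Null
    }
}

# Show file extensions for all new users (HideFileExt = 0)
Set-DefaultUserValue -SubKey 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                     -Name HideFileExt -Data 0
```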
Fixing a Corrupt User Profile
If you have a misbehaving user account, this might be due to a corrupt user profile. To determine whether the profile is corrupt, proceed as follows:
1. Create a new temporary account and assign it the same rights and group membership as the suspect account.
2. Log on to the system as the new temporary user. The new profile for that user will be created.
3. Log off, then log on with administrative privileges. Start the System applet in Control Panel, go to the Advanced tab, and click the Settings button in the User Profiles group. The User Profiles window (Fig. 10.8) opens. Select the suspected profile and click the Copy To button.
Figure 10.8: The User Profiles window
4. The Copy To window opens (Fig. 10.9). Click the Browse button, select the newly created temporary account under the %SystemDrive%\Documents and Settings folder, and click OK.