Chapter 3: Profile Management

Now that you have prepared the computer and installed the Microsoft® Shared Computer Toolkit for Windows® XP, it is time to address the needs of your users. To do this, you will create user accounts and then customize each user profile.

A user profile is a collection of folders, files, and configuration settings that define the environment for a user who logs on with a particular user account—each user account has an associated profile. Typically, a user profile is not created until the first time that a user logs on to the computer with a new user account. When this logon happens, Windows automatically creates a new user profile for that user account.

Definition: user profile
A collection of folders, files, and configuration settings that define the user’s environment.

Create Local Limited User Accounts

The first step is to create accounts for the users of the computer. Depending on your environment, you can create:

  • A separate user account for each user. This solution is useful when you have relatively few users, a single computer, and each user has different needs. When you have many users and computers, creating separate accounts is unwieldy. You should consider using the Active Directory® directory service instead.  

    Note
    Local user accounts are used on stand-alone or workgroup computers. If the computer is a member of an Active Directory domain, see Chapter 10, “The Shared Computer Toolkit in Domain Environments,” for more information.

  • A single user account to be used by all users. This is known as a shared account.

  • A few categories of user accounts to be used by all users. For example, in a library setting, you might create one account for children and a different account for adults.

How you structure accounts depends on your situation, but having fewer accounts typically means less management effort will be required.

If you plan to use a computer imaging or cloning approach in your environment, you could create a full array of different user accounts on your reference computer. Then, after you clone the original computer multiple times, disable the accounts not used on each cloned computer. This will reduce the number of original computer images you need to manage. For more information about cloning, see Chapter 9, “Advanced Scenarios.”

Windows XP supports two primary types of local user accounts:

  • Computer administrator. A computer administrator account has the rights to install and uninstall software and device drivers, change Windows configuration settings, create and delete users, and change security settings. You will use an administrative account to manage Windows and the Toolkit options.

  • Limited. A limited account does not, by default, have the rights to perform any of the actions listed for the administrator type account. By default, a limited user account can run programs, access the Internet and local network, change desktop settings, create folders and files, and perform other daily activities.

    Note
    Windows XP Professional also supports groups to which various permissions and rights can be granted, providing a much more flexible configuration of user accounts. However, users of a shared computer should be given access only to limited user accounts whenever possible.

When you create accounts, you should create limited user accounts. You will then use the User Restrictions tool in the Toolkit to further restrict the activities of those users.

To create a new limited user account on a workgroup computer

  1. Log on as the Toolkit administrator.

  2. If Getting Started does not open automatically, click Start, point to All Programs, point to Microsoft Shared Computer Toolkit, and then click Getting Started.

  3. In Step 3 of Getting Started, click the Open User Accounts link at the bottom of the topic. A shortcut to User Accounts is also included in the Quick access section near the top of the Getting Started window.

  4. In the User Accounts window, click Create a new account.

  5. On the Name the new account page, type the name of the new user account, and then click Next.

  6. On the Pick an account type page, click Limited, and then click Create Account.

Giving users access to administrative accounts presents a number of security vulnerabilities. Sometimes, however, your users may want to run programs that require an administrative account to run properly. Many games fall into this category. In these situations, you might need to create administrator type accounts for certain users and then restrict those accounts to limit their access to potentially damaging configuration tools. You can learn more about this option in the "Restrict a Shared Administrative Account" section in Chapter 9, "Advanced Scenarios."

Set Up Local User Profiles

After you create local user accounts, the next step is to create and configure the user profiles for those accounts. To complete this process, you log on with the user accounts you have created, run programs for the first time, and configure Windows settings. Running programs for the first time on behalf of the users allows you to accept license agreements and configure settings that users would otherwise have to reconfigure each time they use the program.

Note
You can use the Profile Manager tool to create user profiles, but first-time profile setup is still required.
For more information about user profiles, see Appendix A, “Technical Primer.”

To set up a local user profile

  1. Log on using one of the local user accounts you created. When you log on with an account for the first time, Windows automatically creates a new user profile.

  2. Perform first-time setup activities for the programs that the user will run. Configure programs such as:

    • Microsoft Office

    • Windows Media Player

    • MSN Messenger

    • MSN Games Loader

    • Macromedia Flash

    • Adobe Reader

    • Other programs or utilities needed on the shared computer.

  3. Configure any other important settings:

    • Install and configure printers that the user will need.

    • Install software and device driver settings the user may require.

    • Configure desktop settings such as wallpaper and screen saver.

    • Delete Windows Explorer shortcuts from the Start menu. Use My Computer shortcuts instead.

  4. If the computer uses script-blocking software, execute all Toolkit scripts (as listed in the following table) that might be run within a restricted user profile. When the software prompts you to allow or block the script, allow the script permanently to prevent future prompts to the user.

    Note
    The idle logoff timer in the User Restrictions tool uses screen saver settings. If you plan to set an idle logoff timer later for this user, don’t configure their screen saver now.

    Script file          Path
    Accessibility.hta    %ProgramFiles%\Microsoft Shared Computer Toolkit\
    Accessibility.wsf    %ProgramFiles%\Microsoft Shared Computer Toolkit\scripts
    AutoRestart.vbs      %ProgramFiles%\Microsoft Shared Computer Toolkit\bin
    SCTLogoff.vbs        %ProgramFiles%\Microsoft Shared Computer Toolkit\bin
    Toast.hta            %ProgramFiles%\Microsoft Shared Computer Toolkit\bin
    Toast.vbs            %ProgramFiles%\Microsoft Shared Computer Toolkit\bin

    Note
    Some script-blocking software does not allow you to permanently approve scripts. Script blocking must be turned off if you cannot permanently approve Toolkit scripts.

    In addition to script-blocking warnings, there are other types of security software warnings or approvals that your environment might require. If such warnings occur, perform the following changes before you lock the profile:

  5. Internet Explorer Home Page changed warning. Set the home page for Internet Explorer from within the profile (not from the User Restrictions tool) before you lock the profile.

  6. Registry Run keys added warning. User Restrictions (specifically the mandatory logoff timer) and the AutoRestart tool add Run keys to the user’s registry. Script-blocking software may warn the user about these applications. Make these changes and authorize them by logging on as the user and answering the script-blocking prompts before you lock the profile.

  7. Repeat steps 1-6 for each local user account.

Optional Activity: Customize the All Users Start Menu

By default, the User Restrictions tool enables the Windows Classic Start menu—a menu similar to that featured in previous versions of Windows. Using the Classic Start menu makes it easier to customize what programs appear on the Start menu for a user profile.

Important
Changes made to the All Users Start menu affect all users of the computer. Most programs install Start menu shortcuts in the All Users profile.

You do not need to turn on the Classic Start menu manually, but you can arrange icons within the Start menu now so that they will appear in the right place after you run the User Restrictions tool later.

Windows XP builds the Start menu for a user based on program shortcuts that are stored by default in two locations:

  • The \Documents and Settings\All Users\Start Menu folder. This folder contains program shortcuts that are included on the Start menu for all user accounts.

  • The \Documents and Settings\<user name>\Start Menu folder. This folder contains program shortcuts that are specific to a particular user profile.

Windows analyzes the contents of these two folders when it generates the program shortcuts displayed on the Start menu. To customize (and secure) the Start menus for users, you should first make sure that the All Users\Start Menu folder contains only those program shortcuts that you want all users to have access to. Later in this section, you’ll customize the Start menu for an individual user profile.

Some shared computer operators like to make sure that the All Users\Start Menu folder contains no programs and that the Start Menu folder for each profile includes the appropriate shortcuts instead. Note, however, that removing a shortcut from the Start menu does not necessarily make the program unavailable. For example, users could still double-click a .doc file to open Microsoft Word, even if a shortcut for Word is not available on the Start menu.

To customize the programs that appear on the All Users Start menu

  1. Log on using an administrative account.

  2. Right-click the Start button and then click Explore All Users. Shortcuts located in the Start Menu folder appear directly on the Start menu. Shortcuts in the Programs folder appear on the Programs submenu of the Start menu.

  3. Use Windows Explorer to drag shortcuts to the Start Menu folder to make them appear directly on the Start Menu for all users.

  4. Drag other shortcuts to and from the All Users folders to suit your needs.

Remove the following icons from the All Users Start menu so they are not available to the shared accounts you create:

  • Set Program Access and Defaults

  • Windows Catalog

  • Windows Update and Microsoft Update

  • Command Prompt

  • System Tools folder

Important
When you customize the All Users Start menu, remove access to utilities that users should not access, such as antivirus, antispyware, Microsoft Update, and disk utilities.
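
An added example (not part of the Toolkit or the original chapter): a Python sketch that walks the two Start Menu folders described above and reports where any item from the removal list still appears, so you know which folder to clean. Matching on the shortcut or folder name, the `Kiosk` profile name, and the sample tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Names taken from the chapter's removal list. Matching on the shortcut or
# folder name is an assumption of this sketch; renamed shortcuts will not match.
RESTRICTED = {
    "set program access and defaults", "windows catalog", "windows update",
    "microsoft update", "command prompt", "system tools",
}

def audit(all_users_menu, user_menu):
    """Return sorted (source, relative path) pairs for restricted items.

    Windows builds a user's Start menu from both folders, so an item left in
    either one is still visible to that user.
    """
    findings = []
    for source, root in (("All Users", Path(all_users_menu)),
                         ("user", Path(user_menu))):
        for path in root.rglob("*"):
            # Shortcuts are compared without their extension, folders by name.
            name = path.stem if path.is_file() else path.name
            if name.lower() in RESTRICTED:
                findings.append((source, path.relative_to(root).as_posix()))
    return sorted(findings)

def build_sample(base):
    """Create a constructed sample tree (not real data) of the two folders."""
    au = Path(base, "All Users", "Start Menu")
    user = Path(base, "Kiosk", "Start Menu")  # hypothetical profile name
    acc = au / "Programs" / "Accessories"
    for p in (au / "Windows Update.lnk",
              acc / "Command Prompt.lnk",
              acc / "System Tools" / "Disk Cleanup.lnk",
              au / "Programs" / "Microsoft Office" / "Microsoft Word.lnk",
              user / "Programs" / "Windows Catalog.lnk",
              user / "My Computer.lnk"):
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()
    return au, user

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for source, rel in audit(*build_sample(tmp)):
            print(f"{source}: {rel}")
```

On a real computer, pass the All Users Start Menu folder and one profile's Start Menu folder to `audit`. An empty result covers only the names in the list; it does not show that the programs themselves are unavailable.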

Optional Activity: Customize a User’s Start Menu

Just as you can configure shortcuts that appear on the All Users Start menu, you can also configure the shortcuts that appear on the Start menu for an individual user profile.

Note
If you plan to restrict access to the C: drive, replace any Windows Explorer shortcuts with My Computer shortcuts in the user’s Start Menu to avoid error messages. By default, Windows Explorer attempts to display profile folders, which are located on the C: drive.

To customize the programs that appear on an individual profile’s Start menu

  1. Log on using an administrative account.

  2. Right-click the Start button and then click Explore.

  3. Inside the Documents and Settings folder, you will see a subfolder for each user profile on the shared computer. If you do not see folders for user accounts, you probably have not yet created the user profiles. To do so, log on as each user on the computer, as described in the "Set Up Local User Profiles" procedure covered earlier in this chapter.

  4. Use Windows Explorer to copy shortcuts to the Start Menu folder for each user to make them appear directly on the Start menu for that user.

  5. Drag other shortcuts to and from each user's folder to suit your needs.