Managing User Profiles
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
from Chapter 6, Windows NT Administrator's Pocket Consultant by William R. Stanek.
User profiles contain settings for the network environment, such as desktop configuration and menu options. Problems with a profile can sometimes prevent a user from logging on. For example, if the display size in the profile isn't available on the system being used, the user may not be able to log on properly. In fact, the user may get nothing but a blank screen when trying to log on. You could reboot the machine, go into VGA mode, and then reset the display manually, but solutions for profile problems aren't always this easy and you may need to update the profile itself.
Windows NT provides several ways to manage user profiles:
You can assign profile paths in User Manager.
You can copy, delete, and change the type of an existing local profile with the System utility in the Control Panel.
You can set system policies that prevent users from manipulating certain aspects of their environment
In this section you'll learn how to manage existing profiles with the System utility. For complete information on profile types and setting initial profile paths, see Chapter 5. To learn how to set system policies, see Chapter 3, "Monitoring Windows NT Processes, Services, and Security."
Using the System Utility to Manage Local Profiles
To manage local profiles, you will need to log on to the user's computer. Afterward, you can use the System utility in the Control Panel to manage local profiles. To view current profile information, start the System utility, and then click on the User Profiles tab.
As shown in Figure 6-1, the User Profiles tab displays various information about the profiles stored on the local system. You can use this information to help you manage profiles. The fields have the following meanings:
Name The name of the local profile, which generally includes the name of the originating domain or computer and the user account name. For example, the name ZETA_D\GIJOE tells you the original profile is from the domain ZETA_D and the user account is GIJOE.Figure 6-1: The User Profiles tab in the System Properties dialog box lets you manage existing local profiles.
If you delete an account but don't delete the associated profile, you may also see an entry that says Account Deleted. Don't worry, the profile is still available for copying if you need it.
Size The size of the profile. Generally, the larger the profile, the more the user has customized the environment.
Type The profile type, which is either local or roaming.
Modified Tells you the date when the profile was last modified.
Deleting a Local Profile and Assigning a New One
Profiles are accessed when a user logs on to a computer. Windows NT uses local profiles for all users who do not have roaming profiles. Generally, local profiles are also used if the local profile has a more recent modification date than the user's roaming profile. Because of this, there are instances when you may need to delete a user's local profile. For example, if a user's local profile becomes corrupt, you can delete the profile and assign a new one. Keep in mind that when you delete a local profile that is not stored anywhere else on the domain, you can't recover the user's original environment settings.
To delete a user's local profile, follow these steps:
Log on to the user's computer.
Start the System utility and then click on the User Profiles tab.
Select the profile you want to delete and then click on the Delete button. When asked to confirm that you want to delete the profile, click Yes.
Note: You can't delete a profile that is currently in use. If the user is currently logged on to the local system (the computer you are deleting the profile from), the user will need to log off. In some instances Windows NT marks profiles as in use when they are not. This is typically a result of an environment change for the user that has not been properly applied. To correct this, you may need to reboot the computer.
Now the next time the user logs in, Windows NT will do one of two things. Either the operating system will give the user the default local profile for that system or it will retrieve the user's roaming profile stored on another computer. To prevent the use of either of these profiles, you will need to assign a new profile to the user. To do this, you can
Copy an existing profile to the user's profile directory. Copying profiles is covered in the next section.
Update the profile settings for the user in User Manager. Setting the profile path is covered in Chapter 5.
Copying a Profile
When you work with workgroups where each computer is managed separately, you'll often have to copy a user's local profile from one computer to another. Copying a profile allows users to maintain environment settings when they use different computers. Of course, in a Windows NT domain you can use a roaming profile to create a single profile that can be accessed from anywhere within the domain. The catch is that sometimes you may need to copy an existing local profile over the top of a user's roaming profile (when the roaming profile is corrupt) or you may need to copy an existing local profile to a roaming profile in another domain.
You can copy an existing profile to a new location by doing the following:
Log on to the user's computer, then start the System Control Panel utility and open the User Profile tab.
Select the existing profile you want to copy using the Profiles Stored On This Computer list box.
Copy the profile to the new location by clicking on the Copy To button, then enter the path to the new profile directory in the Copy Profile To field. For example, if you are creating the profile for JANEW, you could enter: \\GAMMA\USERPROFILES\ JANEW (see Figure 6-2).
Now you need to give the user permission to access the profile. Click on the Change button in the Permitted To Use area, then use the Choose User dialog box to grant access to the appropriate user account. By default, the Choose User dialog box only shows the names of group accounts. If you want to grant access to a group the new user is a member of, select this group and then use the Add button to copy the group to the Add Name field. To grant access to a specific user, click on the Show Users button.Figure 6-2: Use the Copy To dialog box to enter the new location of the profile directory and assign access permissions to the appropriate user.
This should add a list of available user accounts to the dialog box. Select the user account and then use the Add button to copy the user name to the Add Name field.
When you are finished, close the Copy To dialog box by clicking OK. Windows NT will then copy the profile to the next location.
Changing the Profile Type
With roaming profiles, the System utility lets you change the profile type on the user's computer. To do this, select the profile and then click on the Change Type button. The options of this dialog box allow you to
Change a roaming profile to a local profile If you want the user to always work with the local profile on this computer, set the profile for local use. Here, all changes to the profile are made locally and the original roaming profile is left untouched.
Change a local profile (that was defined originally as a roaming profile) to a roaming profile The user will use the original roaming profile for the next logon. Afterward, Windows NT will treat the profile like any other roaming profile, which means that any changes to the local profile will be copied to the roaming profile.
Specify that a roaming profile should be cached locally Instead of downloading the roaming profile when the user logs on, Windows NT will use a cached copy of the profile. Updates to the profile may be copied back to the original roaming profile.
Note: If these options aren't available, the user's original profile is defined locally.
Managing Multiple User Accounts
A little-known fact about User Manager is that you can use it to modify the properties of multiple accounts simultaneously. Any changes you make to the property settings are made for all the selected accounts.
You can select multiple accounts by doing the following:
Select multiple user names for editing by holding down the Ctrl key and clicking the left mouse button on each account you want to select.
Select a range of user names by holding down the Shift key, selecting the first account name, and then clicking on the last account in the range.
Use the Select Users dialog box to select multiple users based on group membership. To do this, open the dialog box shown in Figure 6-3 using the Select Users option on the User menu. Now, if you highlight a group and choose Select, members of that group are added to the selected users in the main window. On the other hand, if you highlight a group and choose Deselect, members of that group are added to the deselected users in the main window. When you are finished selecting accounts, click on the Close button.
When you are finished selecting accounts for management, choose Properties from the User menu. This opens the main User Properties window. As you can see, the User Properties dialog box has a different interface (see Figure 6-4). You should note the following changes:
The dialog box now has a Users field that shows the user account names that you are modifying.
The Full Name, Password, and Confirm Password fields are no longer available.
The Description field now sets a description for all the accounts.
If you see a selected check box that is partially shaded, this option is set for one or more of the accounts.
If you see a selected check box that is not partially shaded, all of the selected accounts currently have this option set.
Any changes you make to the main dialog box window are applied to all the accounts you are working with. For example, if you deselect a partially shaded check box, this option will be deselected for all the accounts. You can also use the Groups, Profile, Hours, Logon To, Account, and Dialin buttons. In the sections that follow you'll learn ways to set these properties for multiple accounts.
Setting Group Membership for Multiple Accounts
When you work with group membership for multiple accounts, the Group Memberships dialog box has a slightly different interface (see Figure 6-5). Be careful, because this new interface can be misleading. The dialog box only shows group membership when all of the users are members of a particular group. Because of this, the main list boxes are renamed as
All Are Members Of This list box only lists groups that all users are a member of.
Not All Are Members Of This list box shows all groups that aren't already assigned to all the users listed in the Users area.
To configure group memberships, click on the Groups button in the User Properties dialog box. As with single account management, you can add and remove group membership using the Add and Remove buttons. When you're finished assigning or removing group membership, click the OK button. For complete information on setting group membership, see Chapter 5.
Setting Profiles for Multiple Accounts
You set the profile information for multiple accounts using the User Environment Profile dialog box, which is displayed when you select the Profile button in the User Properties dialog box. One of the best reasons to work with multiple accounts in User Manager is to set all their environment profiles using a single interface. To do this, you will usually rely on the %UserName% environment variable, which lets you assign paths and file names that are based on individual user names. For example, if you assign the logon script name as %USERNAME%.CMD, Windows NT replaces this value with the user name—and it does so for each user you are managing. Thus, BOBS, JANEW, and ERICL would all be assigned unique logon scripts and those scripts would be named BOBS.CMD, JANEW.CMD, and ERICL.CMD.
An example of setting environment profile information for multiple accounts is shown in Figure 6-6. Note that the %UserName% variable is used to assign the user profile path, the user logon script name, and the home directory.
While you may want all users to have unique files and paths, there are times when you want users to share this information. For example, if you're using mandatory profiles for users, you may want to assign a specific user profile path rather than one that is dynamically created. For detailed information on setting user profiles, see Chapter 5.
Setting Logon Hours for Multiple Accounts
When you select multiple user accounts in User Manager, you can manage their logon hours collectively. To do this, select the Hours button in the User Properties dialog box.
User Manager warns you if the selected users have different logon settings. If you see the warning, you can cancel the operation or continue. If you choose to continue, the logon hours for all selected users are reset and you will need to reconfigure the logon hours as explained in Chapter 5. When you click OK, these settings are applied to all the selected user accounts.
Setting Permitted Logon Workstations for Multiple Accounts
You set the permitted logon workstations for multiple accounts using the Logon Workstations dialog box, which you get to by clicking on the Logon To button in the User Properties window. This dialog box has two radio buttons that let you configure the permitted logon workstations. If all the selected users share the same settings, these settings will be shown in the dialog box. Otherwise, neither radio button will be initially selected.
If you want to allow the users to log on to any workstation, select the User May Log On To All Workstations radio button. On the other hand, if you want to specify which workstations users are permitted to use, select the User May Log On To These Workstations radio button and then enter the names of up to eight workstations. When you click OK, these settings are applied to all the selected user accounts. For more information, see Chapter 5.
Note: Users on systems other than Windows NT are not subject to these restrictions. This means that MS-DOS or Mac users could log on to their system even if it is not specifically listed as a permitted workstation.
Setting Account Type and Expiration for Multiple Accounts
Account type and expiration is set using the Account Information dialog box. To open it, click on the Account button in the User Properties window. This dialog box has two pairs of radio buttons that let you configure the account type and expiration for all the users. If all the selected users share the same settings, these settings are shown in the dialog box. Otherwise, the affected pair of radio buttons will not be selected. In the example shown in Figure 6-7, on the following page, all users share the same account expiration—never—but there is a conflict in the account type settings so neither account type radio button is initially selected.
As outlined in Chapter 5, use the radio buttons to configure the account type and expiration date. When you are finished, click OK and the settings will be applied to all the selected user accounts.
Setting Dial-In Privileges for Multiple Accounts
You set dial-in privileges for multiple accounts using the Dial-in Information dialog box, which is accessible by clicking on the Dialin button in the User Properties window. This dialog box has a check box and a set of radio buttons that let you configure dial-in privileges. If all the selected users share the same settings, these settings will be shown in the dialog box. Otherwise, if there is a conflict, the conflicting element will be deselected initially.
As described in Chapter 5, use the check box and the radio buttons to configure dial-in privileges. When you are finished, click OK to apply the settings to all the selected user accounts.
from Windows NT Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.