Optimize Desktop Productivity with User Profiles
Several useful user profile management tools are available to administrators of managed Microsoft Active Directory directory service networks. A user profile is a collection of data that represents user state, that is, the result of a user’s work (such as user documents, data, and preferences).
Note: For a detailed discussion of user and computer state, see my article, Best Practices for Using USMT 2.6.
Most companies can benefit from a standardized, yet flexible user environment. This environment is possible when you use user profiles. User profiles can create a stable and familiar environment for users, resulting in higher user productivity. User profiles also allow administrators to manage the server and client environment with more efficiency. In this article, I provide key considerations for configuring and managing user profiles on an Active Directory network. I also show how to choose the best user profile type for your environment, how to manage changes in user profiles, and how to find the right tool for administering user profiles.
Because desktops are distributed by nature, managing them locally is time-consuming and costly. Therefore, I recommend centralized user profile configuration and management on even the smallest Active Directory networks. Consider the following factors when managing user profiles:
Scalability. Because of the scalable nature of Active Directory and Group Policy, user profile configurations also scale well. However, some configurations may consume large amounts of bandwidth and disk space and may therefore be a poor choice for some environments.
Security. Security is an important consideration when managing user profiles. To manage user profiles on desktops directly, an administrator must have local administrator permissions on the target workstations. Active Directory and Group Policy settings also affect user profile configuration, and server-based permissions to use these two technologies are necessary for centralized administration.
Profile Type. There is only one type of user profile, but you can configure it in several ways. Although a full discussion of considerations for determining the best user profile configuration for your network is beyond the scope of this article, I do provide an overview of each profile configuration below. The topic Planning for User State Management in the Windows Server 2003 Deployment Guide provides planning information for most factors, but I recommend reviewing User Profiles best practices as well, which highlights some important considerations not covered in the planning guide.
Choosing the Right User Profile Configuration
The benefits and drawbacks of each type of user profile configuration require careful consideration. Note that you can make this decision for all users or create different scenarios for collections of users or even individuals.
Roaming User Profiles
A roaming user profile is a profile that is downloaded from a network location at logon, then uploaded to the same network location at logoff. Using this profile, user state can follow users as they move from one computer to another, thereby providing a more consistent and productive environment for them. Additional benefits include easy centralized backup of user state, centralization of new user profile settings, and transparent user state migration. Drawbacks include increased logon and logoff time, potentially large network storage requirements, high bandwidth utilization (especially at peak logon/logoff times), and lack of support for slow-link connections and for Encrypting File System (EFS).
The decision to implement roaming user profiles is significant, and despite their important advantages, you should test and weigh the various drawbacks carefully. Several techniques, such as Folder Redirection and Profile Quotas, can mitigate some of the more significant problems. Folder redirection allows you to offload what is often the largest part of the user profile to a network shared location so that it is not downloaded and uploaded with the profile. In relation to Folder Redirection, the following user profile controls are available:
Controlling the size of roaming profiles
Redirecting My Documents to a network share
Profile quotas allow you to prevent profiles from growing to a size that may affect performance or reach the limit of server storage capacity. Also, optimizations in the Microsoft Windows 2000 and Windows XP operating systems improve synchronization (download and upload) performance and reliability over previous Windows versions. For more information, see Configuring Roaming User Profiles in the Windows Server 2003 Deployment Guide.
Mandatory User Profiles
A mandatory user profile is a specialized form of a roaming user profile in which users download their profiles to their computers at logon and can then change the profiles locally. However, when users log off, the revised profiles are not uploaded. As a result, changes to user profile settings are discarded at the next logon. Because no user profile data is uploaded, multiple users can share the same path to a single network folder containing the mandatory user profile, and logoff performance is enhanced. While you can use Group Policy to tightly control aspects of the user profile, consider mandatory user profiles when you must ensure that each user sees the same profile and cannot save changes to it.
Note that with Active Directory, you can use one of two techniques for implementing mandatory user profiles. The Microsoft Windows NT method of renaming the NTuser.dat file to NTuser.man is still supported. However, a more straightforward technique is to use the new Group Policy setting Prevent Roaming Profile changes from propagating to the server. For more information on mandatory user profiles and these two techniques, see the Microsoft TechNet user profile how-to topics Create a mandatory user profile and New features and changes to user profiles, respectively.
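The following PowerShell function is an added example, not from the original article or from Microsoft. It inventories the profile folders under a root and reports which ones use the NTuser.man rename described above, together with their size; the function name, the root path, and the size threshold are assumptions, and the sample folders are constructed.

```powershell
# Added example: inventory profile folders and flag mandatory (NTuser.man) ones.
function Get-ProfileInventory {
    param(
        [Parameter(Mandatory)] [string] $Root,  # hypothetical profile share or local root
        [long] $MaxBytes = 50MB                 # hypothetical threshold, not a Windows default
    )
    # -Force includes hidden and system items; profile hives are hidden files.
    Get-ChildItem -LiteralPath $Root -Directory -Force | ForEach-Object {
        $hasMan = Test-Path -LiteralPath (Join-Path $_.FullName 'NTUSER.MAN')
        $hasDat = Test-Path -LiteralPath (Join-Path $_.FullName 'NTUSER.DAT')
        $files  = Get-ChildItem -LiteralPath $_.FullName -Recurse -File -Force `
                      -ErrorAction SilentlyContinue
        # An empty folder yields no Sum; the cast turns that into 0.
        $bytes  = [long]($files | Measure-Object -Property Length -Sum).Sum

        $hive = if ($hasMan) { 'Mandatory (NTuser.man)' }
                elseif ($hasDat) { 'Standard (NTuser.dat)' }
                else { 'No hive found' }

        [pscustomobject]@{
            Profile   = $_.Name
            Hive      = $hive
            SizeBytes = $bytes
            OverLimit = $bytes -gt $MaxBytes
        }
    }
}

# Constructed sample: two placeholder profile folders in a temporary directory.
$root = Join-Path ([IO.Path]::GetTempPath()) ("profiles-" + [guid]::NewGuid())
$sample = @{ kiosk = 'NTUSER.MAN'; alice = 'NTUSER.DAT' }
foreach ($entry in $sample.GetEnumerator()) {
    $dir = New-Item -ItemType Directory -Path (Join-Path $root $entry.Key) -Force
    Set-Content -LiteralPath (Join-Path $dir.FullName $entry.Value) `
        -Value 'constructed placeholder, not a real registry hive'
}

Get-ProfileInventory -Root $root -MaxBytes 1KB | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Profiles made read-only through the Group Policy setting keep the NTuser.dat name, so they appear as Standard in this inventory.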
Local User Profiles
If user profiles aren't roaming or mandatory, they are local only. Note that roaming user profiles and mandatory user profiles copy a profile from the network into the local user profile, which is always the profile from which the user works. If the user does not have a roaming or mandatory profile, the profile lives on the local computer. If a local profile doesn't exist for a user when he or she logs on, the computer's default profile is automatically copied for that user. You can view the local profiles cache from the Control Panel System item. To do so, in the System Properties property sheet, click the Advanced tab. Then, click Settings in the User Profiles area to display the User Profiles dialog box, as shown in Figure 1.
Because of the accumulation of user files and other data, a user profile can grow quite large, as mine has over time. The User Profiles dialog box provides tools for manually deleting and copying local user profiles. (I discuss the Copy feature later in this article.)
Understanding the Default Profile
The default profile is the source of profiles for users who have no local user profile on a computer, for example, a new user or a user who logs on to a new computer and has no configured roaming (or mandatory) user profile. In these situations, the Windows operating system copies the default profile to create a new local user profile for the user.
In a managed environment, you might want to configure the default profile with the settings that you want to provide to users. Configuration of a local default profile is easy, although not obvious. Follow these instructions from Knowledge Base article 319974:
To configure the default user profile
1. Log on to the computer as the administrator, and then create a local user account.
2. Log off as the administrator, and then log on to the computer through the local user account that you just created.
3. Customize the profile appropriately. For example, install printers and map necessary drives.
4. Log off as the local user, and then log on again as the administrator.
5. Several of the files in the profile are hidden, but you must copy them into the new custom default user profile. To do so, turn on the Show hidden files and folders option:
   a. Double-click My Computer. On the Tools menu, click Folder Options.
   b. On the View tab, under Advanced settings, select the Show hidden files and folders option, and then click OK.
6. Replace the current default user profile with the customized default user profile:
   a. Click Start, and then click Control Panel.
   b. Click Performance and Maintenance, and then click System.
   c. On the Advanced tab, under User Profiles, click Settings. Select the user profile that you just created, and then click Copy To.
   d. In the Copy To dialog box, under Copy profile to, click Browse, select the C:\Documents and Settings\Default User folder, and then click OK.
   e. Under Permitted to use, click Change, select Everyone, and then click OK.
Note that if you are imaging a Windows XP Service Pack 2 machine, the Administrator profile becomes the Default User profile at deploy time. For more information, see Knowledge Base Article 887816.
Now that you know how to manually set up a single default profile on a single computer, you're probably wondering how long this process would take for all your computers. No need to worry: You have a couple of options for automating default profile configuration. First, if you’re deploying new images, you can configure the default profile in the image. Second, if you’re configuring roaming or mandatory user profiles for existing profiles, you can copy the profile to each user’s profile path. This process is much simpler if you’re using a single shared profile path with mandatory user profiles. With roaming user profiles, this task can be tedious; however, you can instead configure a network-based default profile by copying the profile to each domain’s Netlogon\Default User folder. See the section of Configuring Roaming User Profiles entitled “To configure a new user account to use as a new user’s profile template.”
After all that, you’re probably wondering how you make changes to user profiles after they’re in use. I recommend that you don’t customize the default profile on computers at all. Instead of attempting to configure user profile contents using default profiles, use Group Policy. User policy is applied to user profiles while they are loaded and can be easily changed on the fly.
For restrictive user environments that don't allow users to change user profiles, a mandatory profile can also be centrally updated. However, this solution won't help you with roaming user profiles or if you don't have such a restrictive environment.
In this case, expand the scope of your Group Policy use to include whatever changes you want to make to the default profile. When users log on, the result will be the same from their perspective regardless of whether you use a Group Policy setting or a default profile setting to configure the desktop wallpaper. However, manageability increases significantly: users can easily alter user profile settings, whereas many Group Policy settings can actually restrict behavior.
Many organizations use Group Policy and Folder Redirection as a lightweight alternative to roaming user profiles, although you can certainly apply Group Policy to any profile configuration. I describe the concept of using Group Policy for controlling these settings for users and computers in the article, Understanding Group Policy Technologies for Desktop Deployment.
Tools for Working with User Profiles
The Control Panel System item is the primary interface for manually copying or deleting user profiles. However, the Microsoft Shared Computer Toolkit for Windows XP (in beta at the time of this writing) provides additional functionality for use in shared computer environments not managed with Active Directory. The Active Directory Users and Computers Microsoft Management Console (MMC) snap-in exposes the user profile path, which controls the location of a roaming or mandatory user profile. Otherwise, the fundamental technology for managing user profiles on Active Directory networked computers (in terms of customizing settings, implementing Folder Redirection, and controlling the behavior of user profiles) is Group Policy.
User profile management is an expansive topic, and I have only scratched the surface. However, you are now equipped with the fundamental principles, considerations, tools, and terminology. The next steps are to assess your network and objectives, and then determine whether to implement roaming or mandatory user profiles, whether to configure default profiles, and which Group Policy settings to apply.
About the Author
Eric Voskuil is co-founder of DesktopStandard Corporation and has led the development of enterprise desktop-management products since 1997. He holds a Bachelor of Science degree in Computer Science from Rensselaer Polytechnic Institute, is an IBM-trained software developer and Microsoft MVP (Windows Server-Admin Frameworks), and is a former US Navy F/A-18 pilot and TopGun graduate. You can reach Eric at firstname.lastname@example.org; his full bio is available at http://www.desktopstandard.com/ExecutiveBios.aspx.