Managing User Profiles

from Chapter 9, Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek.

User profiles contain settings for the network environment, such as desktop configuration and menu options. Problems with a profile can sometimes prevent a user from logging on. For example, if the display size in the profile isn't available on the system being used, the user may not be able to log on properly. In fact, the user may get nothing but a blank screen. You could reboot the machine, go into VGA (Video Graphics Array) mode, and then reset the display manually, but solutions for profile problems aren't always this easy and you may need to update the profile itself.

Windows 2000 provides several ways to manage user profiles:

  • You can assign profile paths in Active Directory Users And Computers.

  • You can copy, delete, and change the type of an existing local profile with the System utility in the Control Panel.

  • You can set system policies that prevent users from manipulating certain aspects of their environment.

Local, Roaming, and Mandatory Profiles

In Windows 2000 every user has a profile. Profiles control startup features for the user's session, the types of programs and applications that are available, the desktop settings, and a lot more. Each computer that a user logs on to has a copy of the user's profile. Because this profile is stored on the computer's hard disk, users who access several computers will have a profile on each one of them. Another computer on the network can't access a locally stored profile, called a local profile, and, as you might expect, this has some drawbacks. For example, if a user logs on to three different workstations, the user could end up with three very different profiles, one on each system. As a result, the user may get confused about what network resources are available on a given system.

To solve the problem of multiple profiles and reduce confusion, you may want to create a profile that can be accessed by other computers. This type of profile is called a roaming profile. With a roaming profile, users can access the same profile no matter which computer they're using within the domain. Roaming profiles are server-based: the profile lives in a shared directory on a server in the domain rather than on the workstation. When a user with a roaming profile logs on, the profile is downloaded, which creates a local copy on the user's computer. When the user logs off, changes to the profile are written both to the local copy and to the server.

As an administrator, you can control user profiles or let users control their own profiles. One reason to control profiles yourself is to make sure that all users have a common network configuration, which can reduce the number of environment-related problems.

Profiles controlled by administrators are called mandatory profiles. Users who have a mandatory profile can only make transitory changes to their environment. Here, any changes that users make to the local environment aren't saved, and the next time they log on they are back to the original profile. The idea is that if users can't permanently modify the network environment, they can't make changes that cause problems. A key drawback to mandatory profiles is that the user can only log on if the profile is accessible. If, for some reason, the server that stores the profile is inaccessible and a cached profile isn't accessible, the user won't be able to log on. If the server is inaccessible but a cached profile is accessible, the user will receive a warning message and will be logged onto the local Windows 2000 system using the system's cached profile.

Creating Local Profiles

In Windows 2000, user profiles are maintained either in a default directory or in the location set by the Profile Path field in the user's Properties dialog box. The default location for profiles depends on the workstation configuration in the following way:

  • Windows 2000 Upgrade Installation The user profile is located at %SystemRoot%\Profiles\%UserName%\NTUSER.DAT, where %SystemRoot% is the root directory for the operating system, such as C:\WINNT, and %UserName% is the user name, such as wrstanek.

  • New Installation of Windows 2000 The user profile is located at %SystemDrive%\Documents and Settings\%UserName%.%UserDomain%\NTUSER.DAT, such as F:\Documents and Settings\WRSTANEK.WEBATWORK\NTUSER.DAT. If the user logs on to a domain controller, the profile may be located at %SystemDrive%\Documents and Settings\%UserName%.<Logon Server>, such as F:\Documents and Settings\WRSTANEK.ZETA\NTUSER.DAT.

If you don't change the default location, the user will have a local profile.

Creating Roaming Profiles

Roaming profiles are stored on Windows 2000 servers. If you want a user to have a roaming profile, you must set a server-based location for the profile directory by completing the following steps:

  1. Create a shared directory on a Windows 2000 server and make sure that the group Everyone has access to it. This access applies to the share itself; the individual profile directories that Windows 2000 creates beneath it are secured to the owning user (plus SYSTEM and Administrators), so don't loosen the NTFS permissions on those directories.

  2. Access the user's Properties dialog box in Active Directory Users And Computers, and then choose the Profile tab. Enter the path to the shared directory in the Profile Path field. The path should have the form \\server name\profile folder name\user name. An example is \\ZETA\USER_PROFILES\GEORGEJ, where ZETA is the server name, USER_PROFILES is the shared directory, and GEORGEJ is the user name.

  3. The roaming profile is then stored in the NTUSER.DAT file in the designated directory, such as \\ZETA\USER_PROFILES\GEORGEJ\NTUSER.DAT.

    Note: You don't usually need to create the profile directory. The directory is created automatically when the user logs on.

  4. As an optional step, you can create a profile for the user or copy an existing profile to the user's profile folder. If you don't create an actual profile for the user, the next time the user logs on, the user will use the default local profile. Any changes the user makes to this profile will be saved when the user logs off. Thus, the next time the user logs on, the user can have a personal profile.

Creating Mandatory Profiles

Mandatory profiles are stored on Windows 2000 servers. If you want a user to have a mandatory profile, you define the profile as follows:

  1. Follow steps 1–3 in the previous section, "Creating Roaming Profiles."

  2. Create a mandatory profile by renaming the NTUSER.DAT file in the user's profile directory to NTUSER.MAN, for example \\ZETA\USER_PROFILES\GEORGEJ\NTUSER.MAN. The user must be logged off when you rename it, because the file is locked while the profile is loaded. Now when the user logs on the next time, the user will have a mandatory profile.

    Note: NTUSER.DAT contains the registry settings for the user. When you change the extension for the file to NTUSER.MAN, you tell Windows 2000 to create a mandatory profile.
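The two procedures above (roaming and mandatory) as one script. This is an added example, not code from the book: it assumes a domain newer than Windows 2000 with the ActiveDirectory and SmbShare PowerShell modules available, and it tightens step 1 by granting Authenticated Users only the right to create their own folder under the share instead of giving Everyone access. ZETA, USER_PROFILES and GEORGEJ are the chapter's example names; D:\USER_PROFILES is an assumed local path on the file server.

```powershell
# Added example (not from the book). Run on the file server as a domain admin.
# Assumes: ActiveDirectory + SmbShare modules (Windows Server 2012 or later).
param(
    [string]$ShareRoot = 'D:\USER_PROFILES',   # assumed local path on ZETA
    [string]$ShareName = 'USER_PROFILES',
    [string]$Server    = 'ZETA',
    [string]$User      = 'GEORGEJ',
    [switch]$Mandatory
)

Import-Module ActiveDirectory

# Step 1: the shared directory. Rather than granting Everyone access, let
# Authenticated Users list the root and create a folder in it, and give the
# creator of each folder (the user, at first logon) full control of that folder.
if (-not (Test-Path -Path $ShareRoot)) { New-Item -ItemType Directory -Path $ShareRoot | Out-Null }

$acl = Get-Acl -Path $ShareRoot
$acl.SetAccessRuleProtection($true, $false)   # drop permissions inherited from the drive root
$rules = @(
    # identity, rights, inheritance, propagation, type
    @('BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'),
    @('NT AUTHORITY\SYSTEM',    'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'),
    @('CREATOR OWNER',          'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow'),
    @('NT AUTHORITY\Authenticated Users',
      'ListDirectory,CreateDirectories,ReadAttributes,ReadExtendedAttributes', 'None', 'None', 'Allow')
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule $r))
}
Set-Acl -Path $ShareRoot -AclObject $acl

if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    # The share permission can stay broad; the NTFS ACL above does the real gating.
    New-SmbShare -Name $ShareName -Path $ShareRoot -FullAccess 'Authenticated Users' | Out-Null
}

# Step 2: point the account at \\server\share\username.
$profilePath = "\\$Server\$ShareName\$User"
Set-ADUser -Identity $User -ProfilePath $profilePath

# Steps 3 and 4 happen at the user's first logon: Windows creates the folder and
# writes NTUSER.DAT into it. To make the profile mandatory afterwards, rename that
# file to NTUSER.MAN while the user is logged off (the hive is locked otherwise).
if ($Mandatory) {
    $dat = Join-Path -Path (Join-Path -Path $ShareRoot -ChildPath $User) -ChildPath 'NTUSER.DAT'
    if (Test-Path -Path $dat) {
        Rename-Item -Path $dat -NewName 'NTUSER.MAN'
    } else {
        Write-Warning "$dat not found yet; have the user log on once so the profile is created, then rerun with -Mandatory."
    }
}
```

Run it once without -Mandatory, have the user log on and off so the profile directory and NTUSER.DAT exist, and then run it again with -Mandatory. The CREATOR OWNER rule is what makes step 1 safe: the directory Windows creates at first logon is owned by the user, so only that user (and administrators) can read the profile that ends up in it.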

Using the System Utility to Manage Local Profiles

To manage local profiles, you'll need to log on to the user's computer. Afterward, you can use the System utility in the Control Panel to manage local profiles. To view current profile information, start the System utility, and then click the User Profiles tab.

As shown in Figure 9-9, the User Profiles tab displays various information about the profiles stored on the local system. You can use this information to help you manage profiles. The fields have the following meanings:

  • Name The name of the local profile, which generally includes the name of the originating domain or computer and the user account name. For example, the name WEBATWORK\WRSTANEK tells you that the original profile is from the domain WEBATWORK and the user account is WRSTANEK.

    Figure 9-9: The User Profiles tab in the System Properties dialog box lets you manage existing local profiles.

    If you delete an account but don't delete the associated profile, you may also see an entry that says Account Deleted or Account Unknown. Don't worry, the profile is still available for copying if you need it.

  • Size The size of the profile. Generally, the larger the profile, the more the user has customized the environment.

  • Type The profile type, which is either local or roaming.

  • Modified The date when the profile was last modified.

Creating a Profile by Hand

In some cases, you may want to create the profile by hand. You do this by logging on to the user account, setting up the environment, and then logging out. As you might guess, creating profiles in this manner is time-consuming. A better way to handle it is to create a base user account. Here, you create the base user account, set up the account environment, and then use this account's profile as the basis of the profiles for other accounts.

Copying an Existing Profile to a New User Account

If you have a base user account or a user account that you want to use in a similar manner, you can copy an existing profile to the new user account. To do this, you'll use the System Control Panel utility. You do that by completing the following steps:

  1. Start the System Control Panel utility and open the User Profiles tab.

  2. Select the existing profile you want to copy using the Profiles Stored On This Computer list box (see Figure 9-9).

  3. Copy the profile to the new user's account by clicking on the Copy To button. Next, enter the path to the new user's profile directory in the Copy Profile To field (see Figure 9-10). For example, if you were creating the profile for our user, GEORGEJ, you would type \\ZETA\USER_PROFILES\GEORGEJ.

    Figure 9-10: Use the Copy To dialog box to enter the location of the profile directory and to assign access permissions to the user.

  4. Now you need to give the user permission to access the profile. Click the Change button in the Permitted To Use area, and then use the Select User Or Group dialog box to grant access to the new user account. Only the user named here (and administrators) should be able to read the copied profile, since it contains the user's registry hive.

  5. Close the Copy To dialog box by clicking OK. Windows 2000 will then copy the profile to the new location.

Tip If you know the name of the user or group you want to use, you can type it directly into the Name field. This will save you time.

Copying or Restoring a Profile

When you work with workgroups where each computer is managed separately, you'll often have to copy a user's local profile from one computer to another. Copying a profile allows users to maintain environment settings when they use different computers. Of course, in a Windows 2000 domain you can use a roaming profile to create a single profile that can be accessed from anywhere within the domain. The catch is that sometimes you may need to copy an existing local profile over the top of a user's roaming profile (when the roaming profile is corrupt) or you may need to copy an existing local profile to a roaming profile in another domain.

You can copy an existing profile to a new location by doing the following:

  1. Log on to the user's computer, and then start the System Control Panel utility and open the User Profiles tab.

  2. Select the existing profile you want to copy using the Profiles Stored On This Computer list box.

  3. Copy the profile to the new location by clicking the Copy To button, and then enter the path to the new profile directory in the Copy Profile To field. For example, if you're creating the profile for JANEW, you could type: \\GAMMA\USERPROFILES\JANEW.

  4. Now you need to give the user permission to access the profile. Click the Change button in the Permitted To Use area, and then use the Select User Or Group dialog box to grant access to the appropriate user account.

  5. When you're finished, close the Copy To dialog box by clicking OK. Windows 2000 will then copy the profile to the new location.

Deleting a Local Profile and Assigning a New One

Profiles are accessed when a user logs on to a computer. Windows 2000 uses local profiles for all users who don't have roaming profiles. A locally cached copy can also win over the roaming profile when the local copy has a more recent modification date than the copy on the server; in that case Windows 2000 asks the user which copy to keep. Because of this, there are times when you may need to delete a user's local profile. For example, if a user's local profile becomes corrupt, you can delete the profile and assign a new one. Keep in mind that when you delete a local profile that isn't stored anywhere else on the domain, you can't recover the user's original environment settings.

To delete a user's local profile, complete the following steps:

  1. Log on to the user's computer.

  2. Start the System utility and then click the User Profiles tab.

  3. Select the profile you want to delete and then click Delete. When asked to confirm that you want to delete the profile, click Yes.

Note: You can't delete a profile that's in use. If the user is logged on to the local system (the computer you're deleting the profile from), the user will need to log off. In some instances Windows 2000 marks profiles as in use when they are not. This is typically a result of an environment change for the user that hasn't been properly applied. To correct this, you may need to reboot the computer.

Now the next time the user logs on, Windows 2000 will do one of two things. Either the operating system will give the user the default local profile for that system or it'll retrieve the user's roaming profile stored on another computer. To prevent the use of either of these profiles, you'll need to assign the user a new profile. To do this you can

  • Copy an existing profile to the user's profile directory. Copying profiles is covered earlier in this chapter in the section entitled "Copying or Restoring a Profile."

  • Update the profile settings for the user in Active Directory Users And Computers. Setting the profile path is covered in this chapter in the section entitled "Configuring the User's Environment Settings."

Changing the Profile Type

With roaming profiles, the System utility lets you change the profile type on the user's computer. To do this, select the profile and then click Change Type. The options in this dialog box allow you to

  • Change a roaming profile to a local profile If you want the user to always work with the local profile on this computer, set the profile for local use. Here, all changes to the profile are made locally and the original roaming profile is left untouched.

  • Change a local profile (that was defined originally as a roaming profile) to a roaming profile The user will use the original roaming profile for the next logon. Afterward, Windows 2000 will treat the profile like any other roaming profile, which means that any changes to the local profile will be copied to the roaming profile.

Note: If these options aren't available, the profile was created as a local profile, so there is no roaming copy to switch to.

Updating User and Group Accounts

Active Directory Users And Computers is the tool to use when you want to update a domain user or group account. If you want to update a local user or group account, you'll need to use Local Users And Groups.

Renaming User and Group Accounts

To rename an account, complete the following steps:

  1. Access Active Directory Users And Computers or Local Users And Groups, whichever is appropriate for the type of account you're renaming.

  2. Right-click the account name, and then choose Rename. Type the new account name when prompted.

SIDs

When you rename a user account, you give the account a new label. As discussed in Chapter 7, user names are meant to make managing and using accounts easier. Behind the scenes, Windows 2000 uses SIDs (security identifiers) to identify, track, and handle accounts independently from user names. SIDs are unique identifiers that are generated when accounts are created.

Because SIDs are mapped to account names internally, you don't need to change the privileges or permissions on the renamed account. Access control lists store the SID, not the name, and Windows 2000 simply maps the SID to the new account name whenever it displays or evaluates them.

One common reason for changing the name of a user account is that the user gets married. For example, if Jane Williams (JANEW) gets married, she may want her user name to be changed to Jane Marshall (JANEM). When you change the user name from JANEW to JANEM, all associated privileges and permissions will reflect the name change. Thus, if you view the permissions on a file that JANEW had access to, JANEM will now have access (and JANEW will no longer be listed).

Changing Other Information

When you change JANEW to JANEM, the user properties and names of files associated with the account aren't changed. This means you should update the account information. The information you may need to change includes:

  • Display Name Change the user account's Display Name in Active Directory Users And Computers.

  • User Profile Path Change the Profile Path in Active Directory Users And Computers, and then rename the corresponding directory on disk.

  • Logon Script Name If you use individual logon scripts for each user, change the Logon Script Name in Active Directory Users And Computers, and then rename the logon script on disk.

  • Home Directory Change the home directory path in Active Directory Users And Computers, and then rename the corresponding directory on disk.

Note: Changing directory and file information for an account when a user is logged on may cause problems. So you may want to update this information after hours or ask the user to log off for a few minutes and then log back on.
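The JANEW to JANEM rename carried through end to end, including the follow-up items in the list above. This is an added example rather than code from the book; it assumes a domain newer than Windows 2000 with the ActiveDirectory module, that the user is logged off, and that the logon script lives in the domain's NETLOGON share (looked up from the PDC emulator rather than assumed to be ZETA). It also verifies the point of the "SIDs" section: the SID is the same before and after the rename.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory module and
# that JANEW is logged off (open profile and home directories cannot be renamed).
Import-Module ActiveDirectory

$old        = 'JANEW'
$new        = 'JANEM'
$newDisplay = 'Jane Marshall'

$user      = Get-ADUser -Identity $old -Properties DisplayName, ProfilePath, ScriptPath, HomeDirectory
$sidBefore = $user.SID.Value

# 1. The rename itself: logon name (sAMAccountName), UPN if one is set, display
#    name, and finally the object's CN (the label shown in the console tree).
$params = @{ SamAccountName = $new; DisplayName = $newDisplay }
if ($user.UserPrincipalName) {
    $params.UserPrincipalName = "$new@" + ($user.UserPrincipalName -split '@')[1]
}
Set-ADUser -Identity $user @params
Rename-ADObject -Identity $user.DistinguishedName -NewName $newDisplay

# 2. The SID is unchanged, so every ACL that granted JANEW access still applies.
#    Translating the SID now yields the new name, which is what the permission
#    dialogs display ("JANEM will now have access, and JANEW is no longer listed").
$sidAfter = (Get-ADUser -Identity $new).SID.Value
if ($sidAfter -ne $sidBefore) { throw "SID changed unexpectedly: $sidBefore -> $sidAfter" }
$resolved = ([System.Security.Principal.SecurityIdentifier]$sidAfter).Translate([System.Security.Principal.NTAccount]).Value
Write-Host "SID $sidAfter now resolves to $resolved"

# 3. Paths stored in the account still say JANEW. Rename each directory or file
#    in place and update the matching attribute together, so they never disagree.
function Rename-Sibling {
    param([string]$OldPath, [string]$NewLeaf)
    $newPath = Join-Path -Path (Split-Path -Path $OldPath -Parent) -ChildPath $NewLeaf
    if (Test-Path -Path $OldPath) { Rename-Item -Path $OldPath -NewName $NewLeaf }
    return $newPath
}

if ($user.ProfilePath)   { Set-ADUser -Identity $new -ProfilePath   (Rename-Sibling $user.ProfilePath   $new) }
if ($user.HomeDirectory) { Set-ADUser -Identity $new -HomeDirectory (Rename-Sibling $user.HomeDirectory $new) }
if ($user.ScriptPath) {
    # ScriptPath is relative to the NETLOGON share, e.g. JANEW.BAT.
    $netlogon  = "\\$((Get-ADDomain).PDCEmulator)\NETLOGON"
    $newScript = $user.ScriptPath -replace [regex]::Escape($old), $new
    Rename-Sibling (Join-Path -Path $netlogon -ChildPath $user.ScriptPath) $newScript | Out-Null
    Set-ADUser -Identity $new -ScriptPath $newScript
}
```

The SID check is cheap insurance: if it ever fails, the account in front of you is a new object (for example one recreated after a deletion), and none of JANEW's permissions carry over to it.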

Copying Domain User Accounts

Creating domain user accounts from scratch every time can be tedious. Instead of starting anew each time, you may want to use an existing account as a starting point. To do this, follow these steps:

  1. Right-click the account you want to copy in Active Directory Users And Computers, and then choose Copy. This opens the Copy Object – User dialog box.

  2. Create the account as you would any other domain user account. Then update the properties of the account, as appropriate.

As you might expect, when you create a copy of an account, Active Directory Users And Computers doesn't retain all the information from the existing account. Instead, Active Directory Users And Computers tries to copy only the information you'll need and to discard the information that you'll need to update. The properties that are retained include

  • City, state, zip code, and country/region values set on the Address tab

  • Department and company set on the Organization tab

  • Account options set using the Account Options fields on the Account tab

  • Logon hours and permitted logon workstations

  • Account expiration date

  • Group account memberships

  • Profile settings

  • Dial-in privileges

Note: If you used environment variables to specify the profile settings in the original account, the environment variables are used for the copy of the account as well. For example, if the original account used the %UserName% variable, the copy of the account will also use this variable.

Deleting User and Group Accounts

Deleting an account permanently removes the account. Once you delete an account, you can't create an account with the same name to get the same permissions. That's because the SID for the new account won't match the SID for the old account.

Because deleting built-in accounts can have far-reaching effects on the domain, Windows 2000 doesn't let you delete built-in user accounts or group accounts. You can remove other accounts by selecting them and pressing the Del key or by right-clicking and choosing Delete. When prompted, click OK and then click Yes.

With Active Directory Users And Computers, you can select multiple accounts by doing one of the following:

  • Select multiple user names for editing by holding down the Ctrl key and clicking the left mouse button on each account you want to select.

  • Select a range of user names by holding down the Shift key, selecting the first account name, and then clicking on the last account in the range.

Note: When you delete a user account, Windows 2000 doesn't delete the user's profile, personal files, or home directory. If you want to delete these files and directories, you'll have to do it manually.
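The manual cleanup the note describes, scripted so the account and the files it leaves behind are handled together. This is an added example, not code from the book; it assumes a domain newer than Windows 2000 with the ActiveDirectory module, and that the profile share and home directory are reachable from the machine you run it on. It also shows the SID point from "Deleting User and Group Accounts": once the account is gone, the leftover directories grant access to a SID that no longer resolves to any name.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory module and
# that the user's profile and home directories are reachable from this host.
Import-Module ActiveDirectory

function Remove-DomainUserAndFiles {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties ProfilePath, HomeDirectory
    $sid  = $user.SID.Value

    # Collect the directories before the account disappears. Windows versions
    # after 2000 append .V2, .V3, ... to roaming profile folders, so match the prefix.
    $dirs = @()
    if ($user.ProfilePath) {
        $parent = Split-Path -Path $user.ProfilePath -Parent
        $leaf   = Split-Path -Path $user.ProfilePath -Leaf
        $dirs  += Get-ChildItem -Path $parent -Directory -Filter "$leaf*" -ErrorAction SilentlyContinue |
                  ForEach-Object FullName
    }
    if ($user.HomeDirectory -and (Test-Path -Path $user.HomeDirectory)) { $dirs += $user.HomeDirectory }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Delete user account')) {
        Remove-ADUser -Identity $user -Confirm:$false
    }

    # With the account gone, its SID no longer resolves to a name, so the ACLs on
    # the leftover directories show a raw S-1-5-21-... entry (the "Account Unknown"
    # profile in the User Profiles tab). A recreated JANEW gets a different SID and
    # inherits none of these permissions; keep the directories only if you intend
    # to copy the old profile onto the new account.
    foreach ($d in $dirs) {
        $orphaned = (Get-Acl -Path $d).Access | Where-Object { $_.IdentityReference.Value -eq $sid }
        if ($orphaned) { Write-Host "$d still grants access to deleted SID $sid" }
        if ($PSCmdlet.ShouldProcess($d, 'Remove directory')) {
            Remove-Item -Path $d -Recurse -Force
        }
    }
}

Remove-DomainUserAndFiles -SamAccountName 'JANEW' -WhatIf   # drop -WhatIf to act
```

Run with -WhatIf first to see which directories would go. The orphaned-SID message may not appear immediately after the deletion, because the machine you run this on can still resolve the name from its cache for a while; on a later check the ACL entry shows only the SID string.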

Changing and Resetting Passwords

As an administrator, you'll often have to change or reset user passwords. This usually happens when users forget their passwords or their passwords expire.

To change or reset a password, complete the following steps:

  1. Access Active Directory Users And Computers or Local Users And Groups, whichever is appropriate for the type of account you're working with.

  2. Right-click the account name, and then choose Reset Password or Set Password, as appropriate.

  3. Type a new password for the user and confirm it. The password should conform to the password policy set for the computer or domain.

  4. Double-click the account name, and then clear Account Is Disabled and Account Is Locked Out, whichever is appropriate and necessary. In Active Directory Users And Computers, these check boxes are on the Account tab.

Enabling User Accounts

User accounts can become disabled for several reasons. If a user forgets the password and tries to guess it, the user may exceed the account policy for bad logon attempts. Or another administrator could have disabled the account while the user was on vacation. Or the account could have expired. What to do when an account is disabled, locked out, or expired is described below.

Account Disabled

When an account is disabled, complete the following steps:

  1. Access Active Directory Users And Computers or Local Users And Groups, whichever is appropriate for the type of account you're working with.

  2. Right-click the user's account name, and then select Enable Account.

Account Locked Out

When an account is locked out, complete the following steps:

  1. Access Active Directory Users And Computers or Local Users And Groups, whichever is appropriate for the type of account you're working with.

  2. Double-click the user's account name, and then clear the Account Is Locked Out check box. In Active Directory Users And Computers, this check box is on the Account tab.

Note: If users frequently get locked out of their accounts, consider adjusting the account policy for the domain. Here, you may want to increase the value for acceptable bad logon attempts and reduce the duration for the associated counter. Keep in mind that every extra permitted attempt is one more free guess for someone trying passwords against the account, so raise the threshold only as far as genuine typing mistakes require. For more information on setting account policy, see the section of Chapter 8 entitled "Configuring Account Policies."

Account Expired

Only domain accounts can be given an expiration date in the management tools; Local Users And Groups doesn't expose one for local user accounts.

When a domain account is expired, complete the following steps:

  1. Access Active Directory Users And Computers.

  2. Double-click the user's account name, and then select the Account tab.

  3. In the Account Expires panel, select End Of and then click the down arrow on the related field. This displays a calendar that you can use to set a new expiration date.
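The reset, unlock, enable and expiration steps from "Changing and Resetting Passwords" and "Enabling User Accounts" combined into one function that fixes whichever conditions actually apply. This is an added example, not code from the book; it assumes a domain newer than Windows 2000 with the ActiveDirectory module, and it adds one step the book's procedure doesn't mention: the reset password is marked for change at next logon, so the value the administrator chose is only a one-time credential.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Restore-UserLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [datetime]$ExtendUntil     # new expiration date; omit to remove the expiration entirely
    )
    $u = Get-ADUser -Identity $SamAccountName -Properties LockedOut, AccountExpirationDate, PasswordNeverExpires

    # Reset, not change: no old password is needed. Forcing a change at next logon
    # keeps the administrator-chosen value a one-time credential. (The flag cannot
    # be set on accounts whose password never expires, so skip it for those.)
    Set-ADAccountPassword -Identity $u -Reset -NewPassword $NewPassword
    if (-not $u.PasswordNeverExpires) { Set-ADUser -Identity $u -ChangePasswordAtLogon $true }

    if ($u.LockedOut)    { Unlock-ADAccount -Identity $u }   # Account Locked Out
    if (-not $u.Enabled) { Enable-ADAccount -Identity $u }   # Account Disabled

    # Account Expired: extend to the requested date, or clear the date altogether.
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
        if ($PSBoundParameters.ContainsKey('ExtendUntil')) {
            Set-ADAccountExpiration -Identity $u -DateTime $ExtendUntil
        } else {
            Clear-ADAccountExpiration -Identity $u
        }
    }

    # Return the resulting state so the caller can confirm the fix took effect.
    Get-ADUser -Identity $SamAccountName -Properties LockedOut, AccountExpirationDate, PasswordLastSet |
        Select-Object SamAccountName, Enabled, LockedOut, AccountExpirationDate, PasswordLastSet
}

# The temporary password is prompted for rather than typed on the command line.
Restore-UserLogon -SamAccountName 'JANEW' `
    -NewPassword (Read-Host -AsSecureString -Prompt 'Temporary password') `
    -ExtendUntil (Get-Date).AddDays(30)
```

For a local account the equivalents are Set-LocalUser -Password and Enable-LocalUser; unlocking a local account still means clearing the Account Is Locked Out check box, as described above.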

Troubleshooting Logon Problems

The previous section listed ways in which accounts can become disabled. Beyond the typical reasons for an account being disabled, some system settings can also cause access problems. Specifically, you should look for the following:

  • User gets a message that says that the user can't log on interactively The user right to log on locally isn't set for this user and the user isn't a member of a group that has this right.

    The user may be trying to log on to a server or domain controller. If so, keep in mind that the right to log on locally applies to all domain controllers in the domain. Otherwise, this right only applies to the single workstation.

    If the user should have access to the local system, configure the Logon Locally user right as described in the section of Chapter 8 entitled "Configuring User Rights Policies."

  • User gets a message that the system could not log the user on If you've already checked the password and account name, you may want to check the account type. The user may be trying to access the domain with a local account. If this isn't the problem, the global catalog server may be unavailable and as a result, only users with administrator privileges can log on to the domain.

  • User has a mandatory profile and the computer storing the profile is unavailable When a user has a mandatory profile, the computer storing the profile must be accessible during the logon process. If the computer is shut down or otherwise unavailable, and no cached copy of the profile exists on the workstation, users with mandatory profiles won't be able to log on.

  • User gets a message saying the account has been configured to prevent the user from logging on to the workstation The user is trying to access a workstation that isn't defined as a permitted logon workstation. If the user should have access to this workstation, change the logon workstation information as described in the section of this chapter entitled "Setting Permitted Logon Workstations."
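A diagnostic that gathers, for one user on one workstation, the facts the checklist above asks you to look for. This is an added example, not code from the book; it assumes a domain newer than Windows 2000 with the ActiveDirectory module, and it reads the "Log on locally" assignment from the local security policy with secedit, which needs an elevated prompt on the workstation being diagnosed. The function reports who holds the right rather than deciding whether the user is covered, because that depends on local group nesting (for example Domain Users inside the workstation's Users group) that the directory alone doesn't show.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory module; run
# elevated on the workstation the user is trying to log on to.
Import-Module ActiveDirectory

function Get-InteractiveLogonPrincipals {
    # Export the local user-rights assignment with secedit and return who holds
    # SeInteractiveLogonRight, which the policy editor labels "Log on locally".
    $cfg = Join-Path -Path $env:TEMP -ChildPath 'user-rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } | Select-Object -First 1
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')           # secedit writes SIDs as *S-1-5-32-545
        try   { ([System.Security.Principal.SecurityIdentifier]$id).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $id }                             # names, or SIDs this host cannot resolve, stay as written
    }
}

function Test-UserLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Workstation = $env:COMPUTERNAME
    )
    $u = Get-ADUser -Identity $SamAccountName -Properties LockedOut, AccountExpirationDate, LogonWorkstations, ProfilePath
    $f = [ordered]@{ User = $u.SamAccountName; Workstation = $Workstation }

    # The account-state reasons from "Enabling User Accounts".
    $f.Disabled  = -not $u.Enabled
    $f.LockedOut = [bool]$u.LockedOut
    $f.Expired   = [bool]($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date))

    # "...configured to prevent the user from logging on to the workstation":
    # userWorkstations is a comma-separated allow list; an empty list means any.
    $allowed = @()
    if ($u.LogonWorkstations) { $allowed = $u.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } }
    $f.WorkstationNotPermitted = ($allowed.Count -gt 0) -and ($allowed -notcontains $Workstation)

    # "...mandatory profile and the computer storing the profile is unavailable":
    # NTUSER.MAN marks a mandatory profile, and then the share must answer at logon.
    $f.ProfilePath = $u.ProfilePath
    if ($u.ProfilePath) {
        $reachable = Test-Path -Path $u.ProfilePath -ErrorAction SilentlyContinue
        $f.ProfileShareUnreachable = -not $reachable
        $f.MandatoryProfile = $reachable -and (Test-Path -Path (Join-Path -Path $u.ProfilePath -ChildPath 'NTUSER.MAN'))
    }

    # "...the system could not log the user on": can a global catalog be found?
    try   { $f.GlobalCatalog = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1 }
    catch { $f.GlobalCatalog = 'UNAVAILABLE' }

    # "...can't log on interactively": who may log on locally to this machine.
    if ($Workstation -eq $env:COMPUTERNAME) {
        $f.LogOnLocallyHolders = (Get-InteractiveLogonPrincipals) -join '; '
    }
    [pscustomobject]$f
}

Test-UserLogon -SamAccountName 'JANEW' | Format-List
```

Read the output top to bottom in the same order as the checklist: a true Disabled, LockedOut or Expired is fixed with the procedures in "Enabling User Accounts"; WorkstationNotPermitted points at the permitted logon workstations setting; ProfileShareUnreachable together with MandatoryProfile is the blocking combination; and LogOnLocallyHolders tells you whether the workstation grants the right to a group the user is in.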

from Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
