Establishing Roaming and Mandatory Profiles

by Brien M. Posey

Profiles make life easier for both users and administrators. Part 2 of our series on Creating User Profiles demonstrates how to create roaming and mandatory profiles.

In Part 1 of this series (User Profile Basics), I discussed the three basic types of user profiles. I also discussed some of the basics involved in working with roaming profiles and mandatory profiles. In this article, I'll conclude the discussion by providing you with more specific information on how to establish roaming and mandatory profiles.

As you may recall from Part 1, a roaming profile follows users from computer to computer. A mandatory profile is nothing more than a roaming profile to which the user has read-only access. The only real difference between the two types of profiles is that a user can make changes to a roaming profile, but not to a mandatory profile. Any changes a user makes while logged in with a mandatory profile are gone the next time the user logs in.

Because of the similarities between the two types of profiles, I'll begin by talking about how to establish a roaming profile. After I've thoroughly covered roaming profiles, I'll explain how to turn a roaming profile into a mandatory profile.

How Roaming Profiles Work

Before I discuss how to create a roaming profile, it's important to know a little bit about how roaming profiles work. As you may recall, each Windows 2000 Professional machine has the ability to create local profiles automatically any time a new user logs on. These local profiles are stored on the local machine. However, roaming profiles must be accessible from anywhere. Therefore, the profile is initially stored on a server-based share point that can be accessed from across the network.

The first time a user logs in from a PC, the computer copies the profile and all the user's documents to the local computer. The next time the user logs in, the system checks for the existence of a local copy of the user's profile. If a copy exists, only the changes to the profile and documents will be downloaded from the server, rather than the entire profile. This saves time during the login process, because Windows doesn't have to download the entire profile and document set each time the user logs in.

Choosing a Server

When preparing to create roaming profiles, you must remember that although the server copies the profile and document files to each local machine the user logs in to, the files ultimately exist on the server. So, you should choose the server location for the profiles carefully. For starters, make sure the server you use to store the profiles is backed up regularly. Imagine the nightmare if the server failed and you lost all the users' documents, desktops, and all the other goodies that go along with a profile!

The other important criterion for a server is available workload. The process of copying profiles and documents can consume a lot of server resources, particularly bandwidth, processing power, and hard-disk capacity and performance. Therefore, you need to make sure your server can handle the workload. Unless you have a very small network, it's best to use a member server instead of a domain controller for this task. After all, domain controllers already have the additional responsibility of authenticating users into the domain.

Planning for Implementation

Setting up roaming profiles can be a lot of work, especially if you have a lot of users. So, before you get started, you need to make a few decisions. Are you going to try to tackle all the profiles in one night or one weekend, or do you need to span the process over a couple of weeks? And, do you want to start with a template profile?

A template profile is a generic profile that you can create yourself. You can set up the necessary desktop icons and menu choices while removing options that the users shouldn't have access to. Once you've created this template, you can copy it to every user on the network or to a group of users. From there, you can make the template mandatory, or you can allow users to custom-tailor it to their liking. The only downside to using a template is that some users tend to get mad when they log in for the first time and the desktop they're used to seeing is gone. Therefore, if you plan to use a template, it may be best to explain to the users that they'll be seeing some changes but they can still customize their desktop (if you permit it) when the process is complete. My personal opinion is that using templates is a good way to get the job done in a timely manner. For the purposes of this article, I'll be using templates in my examples.

Creating the Roaming Profile

The actual process of creating a roaming profile is quite simple. The first step is to create a directory on the server you've chosen. You can assign this directory a name like PROFILES. Once you've created the directory, share it and grant everyone full access to it.

Beneath the PROFILES directory, create directories based on the user names. For example, if my user name was BRIEN, I'd create a directory called \PROFILES\BRIEN. When you create the individual user directories, keep a couple of things in mind. First, make sure the directory name is spelled exactly the same as the corresponding user name. If you spell the names the same, you can use the variable %username% later on instead of typing each user's name individually. As you'll see later, doing so will save you lots of time. Also remember that although the main PROFILES directory should allow everyone full access, you don't want everyone to have full access to the individual directories. Therefore, you should use NTFS permissions to make sure that only the intended user and the administrator have access to the directory.

Next, create your template profile. You can do this by creating a new user account (I actually used the Guest account for this purpose, which works just as well). When you create the new account, go to the Profile tab on the user's properties sheet. From here, enter the profile's path in the Profile Path field, in the format \\SERVER\PROFILES\%username%. You can see an example in Figure 1. I mentioned earlier that using the %username% variable would save you time in the long run; notice in the figure that nothing listed in the dialog box is specific to the individual user. This makes it possible to select the text and press Ctrl-C to copy it to the Clipboard. When you get to the next user, you can simply press Ctrl-V to paste the text into the appropriate field, rather than retyping it.

Figure 1: You can specify the location of the profile from within the user's properties sheet.

When you've finished setting up the template user's account, log in as that user. Now, begin configuring the user's desktop in the way you want it to appear for all the other users who will be using that template. When you're done, log out of the machine and go to a different computer. At the new machine, log in as the template account to make sure that the profile you created follows you from machine to machine.

Once you've verified that the new user profile is working correctly, you're ready to begin distributing it to the other users. To do so, copy the entire contents of the template account's profile directory to the other users' profile directories. Next, go into each user's properties sheet and update the path to the profile, as I described earlier. Finally, log in as an existing user to make sure the new profile is now in effect.
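The per-user directories under PROFILES, and the NTFS restriction to the intended user and the administrator described above, can be scripted and then audited; the audit is worth rerunning after the template contents have been copied in. This is an added example, not part of the original article. It assumes a current Windows server with PowerShell 3.0 or later, and the root path `D:\PROFILES`, the domain `EXAMPLE`, and the account list are placeholders.

```powershell
# Added example. Assumed names: D:\PROFILES (the shared root), EXAMPLE (domain),
# and the constructed account list below. Run elevated on the profile server.
$Root   = 'D:\PROFILES'
$Domain = 'EXAMPLE'
$Users  = 'BRIEN', 'ALICE'   # constructed sample accounts; they must exist in the domain

function Set-ProfileDirAcl {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the open PROFILES root and discard inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in $Account, 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-UnexpectedAccess {
    param([string]$Path, [string]$Account)
    $allowed = $Account, 'BUILTIN\Administrators'
    # Any remaining entry for another identity means the directory is over-exposed.
    (Get-Acl -Path $Path).Access |
        Where-Object { $allowed -notcontains $_.IdentityReference.Value } |
        Select-Object @{n='Path'; e={$Path}}, IdentityReference, FileSystemRights, IsInherited
}

foreach ($u in $Users) {
    $dir = Join-Path $Root $u   # directory name must equal the user name
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-ProfileDirAcl -Path $dir -Account "$Domain\$u"
}

# Audit every directory under the root, including ones created by hand.
Get-ChildItem -Path $Root -Directory | ForEach-Object {
    Get-UnexpectedAccess -Path $_.FullName -Account "$Domain\$($_.Name)"
}
```

An empty result from the audit loop means each directory grants access only to its matching user and the Administrators group; any row it prints names a directory and the extra identity that can reach it.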

Mandatory Profiles

As I mentioned, mandatory profiles are simply read-only versions of the standard roaming profiles I've already discussed. Creating a mandatory profile is probably one of the simplest administrative tasks you'll ever perform. If you look in each individual profile directory, you'll find a hidden file called NTUSER.DAT. This file contains all the user-configurable aspects of the profile. To create a mandatory profile, simply rename this file NTUSER.MAN.



As I've explained in this series, you can use profiles to make the users' lives easier, your life easier, or both. Roaming and mandatory profiles can be very handy to both administrators and users.

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.

This article was originally published on Monday Dec 4th 2000