How to set up Windows 2000 user profiles in a way that will make your users' lives easier, as well as helping you to increase security.
It often seems that most of the computer-related books and magazines I read are geared toward making the administrator's life easier. Of course, this is no surprise, because these publications are usually written for systems administrators. But often such publications (including mine) forget all about the end user. Sometimes it's nice to do something to make the end user's life a little easier, too. In this series of articles, I'll explain how to set up user profiles in a way that will make your users' lives easier, as well as helping you to increase security.
What's a User Profile?
Let's face it, in the business world not all companies are created equal. Some companies are blessed with the financial freedom to buy new machines for everybody. Other companies have several people sharing the same old PC, either because they can't afford more or because the boss is too cheap to spring for new computers. In any case, sharing computers can be difficult.
One of the main reasons that sharing a system between multiple users is complicated is that any change one user makes to the PC affects all the other users. For example, I once worked in an office in which two users who shared a PC constantly fought over the Windows color scheme. One user would change it and the other user would change it back. In a much worse case, a user who didn't know any better accidentally erased the contents of the My Documents folder, which contained documents for everyone in the entire department.
You can get around these problems by implementing user profiles. User profiles provide each user with a unique computing experience. All the user has to do is enter a password, and they'll be taken into a session that's custom-tailored specifically to their preferences.
As I'll explain later, the most noticeable of these custom attributes is the Windows desktop. Now, if Joe erases an icon, he'll only erase it for himself; the other users won't be affected. Likewise, if Bob wants a blue desktop and Bill wants a red desktop, they can both have what they want.
As you'll see throughout this series of articles, however, custom desktops are only the beginning. As I'll explain in the next section, plenty of other custom attributes are included with a user's profile. You can do things such as make a user's custom profile follow them from machine to machine. Or, if you prefer, you can dictate a mandatory profile, containing settings that the users can't change. Regardless of your preferences, user profiles are highly customizable from both a user and an administrative perspective.
What's Included in a Windows 2000 Professional Profile?
Before you can truly appreciate user profiles, you need to have an idea of the features they include. As I mentioned earlier, profiles are established on a user-by-user basis. This means that whenever a user logs on to a machine that has access to their profile, the first thing they'll see is their own individual desktop, complete with their icons, color scheme, wallpaper, and so on. Profiles include files that relate to the following items:
- All user-definable settings for Windows Explorer
- Mapped network drives
- Links within My Network Places
- The desktop
- Application data
- User-definable application settings
- Network printer connections
- User-definable characteristics within the Windows accessories, such as Calculator, Notepad, and so on
- Bookmarks within the Help system
Windows also maintains a list of recently opened documents. This list is maintained within the user's profile so that the user's privacy isn't compromised.
Certain configuration options within applications are also stored in user profiles. An example is Internet Explorer, which maintains a separate set of cookies for each user. Another example is the desktop clock; if a user changes the way the clock is displayed, the application is smart enough to know that it should be displayed that way only for one user.
As you can see, profiles offer users almost as much flexibility on shared computers as they would have on their own machine. The only difference is that the core system files are still shared by all users. For example, if by some freak chance a user figured out how to delete the WINNT directory, the process would affect everyone, regardless of their profile, because the user deleted a shared set of files. The same concept holds true for less extreme measures, as well. Any files other than those listed above are shared.
Naturally, a user's privacy can't be maintained if anyone who sits down at the computer can access the user's documents. Therefore, each user who has a profile also has a personal My Documents and My Pictures folder. Keep in mind, though, that just because such folders aren't readily available doesn't mean that no one else can access the folder: All the profiles and custom folders are stored in a central area.
Suppose I have a profile called Brien stored on a local machine. All that a nosy user has to do to access my files is to navigate to C:\Documents and Settings\Brien\My Documents. If you want to ensure total privacy for users, you'll have to regulate the permissions for each user's folders in the same way you'd secure any other folder. For example, in the situation I just described, you might set permissions on the Brien folder so that only Brien and the administrator have access.
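One way to check that a profile folder really is limited to its owner and the administrator is to read its ACL listing and flag every other entry. The sketch below is an added example, not part of the original article. It assumes the listing layout printed by the `cacls` command, that each folder is named after its account (as with Brien), and that SYSTEM is also allowed; the sample listings and the machine name PC1 are constructed.

```python
import re

# Accounts allowed besides the profile owner. The article names the
# administrator; SYSTEM is an added assumption (Windows loads the profile).
ALLOWED = {"administrator", "administrators", "system"}
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?:\([A-Z]+\))*(?P<right>[A-Z])$")

def parse_cacls(path, listing):
    """Return [(principal, right)] from the cacls listing of one folder."""
    aces = []
    for i, line in enumerate(listing.splitlines()):
        # The first line starts with the folder path; later lines are indented.
        if i == 0 and line.lower().startswith(path.lower()):
            line = line[len(path):]
        m = ACE_RE.match(line.strip())
        if m:
            aces.append((m.group("who"), m.group("right")))
    return aces

def excess_access(path, listing):
    """List ACEs granting access to anyone but the owner and ALLOWED."""
    # Assumption: the folder is named after the account, as with Brien.
    owner = path.rstrip("\\").rsplit("\\", 1)[-1].lower()
    flagged = []
    for who, right in parse_cacls(path, listing):
        account = who.rsplit("\\", 1)[-1].lower()  # strip the domain prefix
        # N means "no access", so such an entry grants nothing.
        if right != "N" and account != owner and account not in ALLOWED:
            flagged.append((who, right))
    return flagged

# Constructed sample listings; PC1 is a made-up machine name.
BRIEN = r"C:\Documents and Settings\Brien"
JOE = r"C:\Documents and Settings\Joe"
SAMPLES = {
    BRIEN: BRIEN + " BUILTIN\\Administrators:(OI)(CI)F\n"
           "    NT AUTHORITY\\SYSTEM:(OI)(CI)F\n"
           "    PC1\\Brien:(OI)(CI)F\n",
    JOE: JOE + " Everyone:(OI)(CI)F\n"
         "    BUILTIN\\Users:(OI)(CI)R\n"
         "    PC1\\Joe:(OI)(CI)F\n",
}

if __name__ == "__main__":
    for folder, listing in SAMPLES.items():
        print(folder, "->", excess_access(folder, listing) or "owner/admin only")
```

Any folder that comes back with a non-empty list still has entries to remove before the user's documents are private.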
The Three Types of Profiles
There are three different types of profiles, and it's important to know when to use each type. In the sections that follow, I'll explain each type of profile along with its limits and capabilities.
In the earlier examples, when I discussed the nightmares of not using profiles, I was referring to operating systems such as Windows 98. When a user logs in to a Windows 2000 Professional machine, Windows checks to see if the user has an existing profile in the Documents and Settings folder. If no profile exists, Windows automatically creates one for the user. The next time the user uses the machine, the machine will remember all of his or her settings.
Unfortunately, local profiles are limited to each local machine. If a user routinely uses 30 different machines, the user will have 30 different profiles. In such a situation, it may make more sense to use roaming profiles.
As the name suggests, a roaming profile follows the user from PC to PC. No matter where the user logs in, they will always have their own desktop, documents, application settings, and so on. Windows 2000 accomplishes this task by storing the profile on the server. The first time a user logs in on a given PC, the PC copies the user's profile from the server to the workstation and then deals with the profile as if it were a local profile. During this copy process, the workstation also downloads the user's documents.
The next time the user comes back to the PC, the login process is much quicker because a local profile already exists. However, this profile contains a flag that tells Windows 2000 the profile is a roaming profile. Windows then checks the server for updates to the profile and to the user's documents. This time, the workstation copies only the updated profile settings and documents. If nothing has changed, nothing has to be copied, and the user is logged in instantly.
This article was originally published on Monday Dec 4th 2000
A mandatory profile is basically a read-only version of a roaming profile. A user can make changes to the machine's configuration, but the next time the user logs on, the changes will be gone. Mandatory profiles are useful in situations in which administrators need to maintain high security and strict control over the users' environments. In Part 2 of this series, I'll explain how to set up roaming and mandatory profiles.
Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.