Sysinternals Forum (Windows Discussions > Internals)

Is a single default user optimal?

Drewfus (Groupie; joined 12 February 2010; 44 points)
Posted: 23 December 2010 at 1:09pm
Having a single default user profile for all new users, regardless of a user's group membership, seems like a throwback to the Windows 9X era. Vista introduced the concept of Multiple Local Group Policy Objects. This allows treating Administrators and Users on a differential basis, dependent on membership of a user in the Administrators group. This should be extended to the creation of new user profiles, by having multiple default profiles, to be selected for each new user account on the basis of group membership or %username%.

Consider that the existing directory...

\Users
      |_ Default

...be replaced with this directory structure:

\Users
      |_ Templates
                  |_ Administrators
                  |_ Users
                  |_ someUsername

On the creation of a new user profile, Windows checks whether %username% == someUsername and, if equal, applies the profile under \Users\Templates\someUsername; else, if they are a member of the Administrators group at the point their profile is initialized, the user is created using the \Users\Templates\Administrators profile; else, if they are not Administrators, the profile is created using the files and folder structure under \Users\Templates\Users.
 
Example settings found only in \Users\Templates\Administrators\NTUSER.DAT and %AppData%:
  • Explorer
    • Customize StartPanelLink and TaskbarLinks
    • Start menu "All Programs" is customized. Ex: 'Administrative Tools' are visible (see Note)
    • Show hidden files and folders (checked)
    • Hide extensions for known file types (unchecked)
    • Hide protected operating system files (unchecked)
    • Start menu intro, tours and first-run wizards are disabled
    • Alternative set of desktop icons are visible/hidden
  • Solid color for desktop background
  • Console window: cols=128 lines=50 Font=Consolas QuickEdit=On
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • %ProgramFiles%\Sysinternals\Bginfo.exe /timer:0 /silent
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • ForceClassicControlPanel = 1
  • HKCU\Control Panel\International
    • sShortDate = YYYY-MM-DD
    • sTimeFormat = HH:mm:ss
  • Environment
  • Internet Explorer
    • Shortcut: %ProgramFiles%\Internet Explorer\iexplore.exe -extoff
    • Favorites: Microsoft Support, Technet, Sysinternals, IT doco, etc
    • Home page: Intranet IT portal
  • Alternative account picture
  • Alternative power scheme
  • Alternative sound scheme
  • Alternative help links
  • Links or shortcuts to reference documents
  • Open unknown file types with Notepad
  • Word, Excel & PowerPoint docs associated with Office Viewers (not Office)
 
Note 'Administrative Tools' shortcuts are moved from:
 
\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
 
to
 
\Users\Templates\Administrators\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools

This potentially overcomes the problem noted @ http://blogs.technet.com/b/deploymentguys/archive/2009/10/29/configuring-default-user-settings-full-update-for-windows-7-and-windows-server-2008-r2.aspx

The manual profile copy process can cause issues such as:
  • Whether the user is an administrator (and should therefore see the Administrative Tools, etc).
By giving Users and Administrators groups alternative default user profiles, this type of problem could be avoided by never copying the Administrators profile to \Users\Templates\Users and never copying a Users profile to \Users\Templates\Administrators.
 


Edited by Drewfus - 15 January 2012 at 8:57pm
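As an added illustration (not code from this thread, and not anything Windows ships), here is a PowerShell function that applies the selection rule proposed in the post above: an exact %username% template wins, then membership of the local Administrators group decides between the Administrators and Users templates. The template root C:\Users\Templates, the function name, the NTUSER.DAT sanity check and the fallback warning are assumptions of the example.

```powershell
# Added example: selects the profile template a new account would receive
# under the proposed \Users\Templates layout. Not part of the thread or of Windows.
# Assumptions: template root C:\Users\Templates; precedence is per-user template,
# then Administrators, then Users; a usable template must contain NTUSER.DAT.

function Get-ProfileTemplate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $TemplateRoot = 'C:\Users\Templates'
    )

    # A template folder only counts if it carries a registry hive; otherwise a
    # stray or half-copied folder would silently win the selection.
    function Test-Template([string] $Path) {
        (Test-Path -LiteralPath $Path -PathType Container) -and
        (Test-Path -LiteralPath (Join-Path $Path 'NTUSER.DAT') -PathType Leaf)
    }

    # Step 1: %username% == someUsername -> the per-user template wins.
    $perUser = Join-Path $TemplateRoot $UserName
    if (Test-Template $perUser) {
        return [pscustomobject]@{ User = $UserName; Reason = 'per-user template'; Path = $perUser }
    }

    # Step 2: membership of the local Administrators group at the time the
    # profile is initialised. Get-LocalGroupMember (LocalAccounts module,
    # Windows 10 / Server 2016 and later) reports names as MACHINE\user, so keep
    # only the part after the backslash. Nested domain groups are not expanded
    # here; the logon token (whoami /groups) is the authoritative source.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                ForEach-Object { ($_.Name -split '\\')[-1] })
    if ($admins -contains $UserName) {
        $adminTpl = Join-Path $TemplateRoot 'Administrators'
        if (Test-Template $adminTpl) {
            return [pscustomobject]@{ User = $UserName; Reason = 'member of Administrators'; Path = $adminTpl }
        }
        Write-Warning "Administrators template missing at $adminTpl; falling back to Users"
    }

    # Step 3: everyone else gets the Users template.
    $usersTpl = Join-Path $TemplateRoot 'Users'
    if (Test-Template $usersTpl) {
        return [pscustomobject]@{ User = $UserName; Reason = 'default (Users)'; Path = $usersTpl }
    }
    throw "No usable template for '$UserName' under $TemplateRoot"
}

# Usage (run elevated on the machine that holds the templates):
# Get-ProfileTemplate -UserName 'alice' | Format-List
```

The returned object carries the reason for the choice alongside the path, so an auditor can see why an account received the Administrators template. Note that the decision is only as good as the group membership at the moment of initialization, which is exactly the window the post describes.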
Drewfus (Groupie; joined 12 February 2010; 44 points)
Posted: 04 January 2011 at 12:54pm
It would also be interesting to have a method for initializing a user profile, other than via a Runas command, which requires the account password.
For example, using the 'net user' command. 
 
net user username /init[ialize] [/exec:Script] [/y]
 
The above command creates the folder structure for the new account, optionally executes an arbitrary script, and perhaps executes Active Setup.
 
Why is there no specific means of initializing a profile other than logging on as that user?
 


Edited by Drewfus - 29 December 2011 at 1:22pm
tamahome (Senior Member; joined 06 January 2006; 338 points)
Posted: 04 January 2011 at 5:51pm
There's something called a mandatory profile, but I think it only works with Active Directory.

Drewfus (Groupie; joined 12 February 2010; 44 points)
Posted: 05 January 2011 at 1:54pm
Combining the two ideas:
 
The system copies \Users\username\NTUSER.DAT to \Users\Templates\username at (error free) logoff.
Optionally, also copies \Users\username\AppData\Roaming to \Users\Templates\username\AppData\Roaming and any persistent profile data that could be backed up quickly at logoff.
 
If the profile becomes corrupted, restore Last Known Good User Profile from \Users\Templates\username using
 
net user username /init[ialize] [/appdata] /profilepath:"<Drive>\Users\username" [/y]
 
/appdata = Include "\Users\Templates\username\AppData\Roaming\*" in profile re/initialization
 
During reinitialization of profile, check validity of restored NTUSER.DAT hive against \Users\Templates\LocalGroup\NTUSER.DAT. Replace, add registry values as required. I believe this check would be similar in concept to the effects of this registry change:
 
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v FirstLogon /t REG_DWORD /d 1 /f
 
 


Edited by Drewfus - 29 December 2011 at 3:18pm
Drewfus (Groupie; joined 12 February 2010; 44 points)
Posted: 05 January 2011 at 2:33pm
Create a new profile template based on an existing account:
 
net localgroup groupname username </default | /mkdflt> [/y] [/xgrp] [/libfldrs]
 
/y = confirm
/xgrp = Cross groups. That is, confirms action when username is not a member of groupname.
/libfldrs = Include library folders in profile copy
 
This copies \Users\name\NTUSER.DAT and non-temp folders of \Users\name\* to \Users\Templates\groupname
 
  • NTUSER.DAT is filtered to remove things like %username%, web/mail accounts, auto-complete, MRUs, recent files and credentials.
  • Encryption, cache, credentials files and other inappropriate files are also filtered
  • Presumably this cleanup process would be similar in function to the Sysprep Cleanup pass
  • Existing files & folders under \Users\Templates\groupname are purged


Edited by Drewfus - 29 December 2011 at 2:31pm
WindowsStar (Senior Member; joined 30 June 2010; 625 points)
Posted: 17 February 2011 at 7:13am
+1 Great Ideas.
 
I might change the Default Profile to:
 
\Users
      |_ Templates
                  |_ LocalGroups
                  |        |_ Administrators
                  |        |_ Users
                  |        |_ Default (Last Resort if user is in no group)
                  |        |_ someGroupName (Linked to Groups on Local Machine)
                  |
                  |_ DomainGroups
                           |_ Administrators (Linked to Groups on Domain)
                           |_ Users (Linked to Groups on Domain)
                           |_ someGroupName (Linked to Groups on Domain)
Drewfus (Groupie; joined 12 February 2010; 44 points)
Posted: 18 February 2011 at 3:45am
Thanks.
 
That is a good extension of the original idea. I thought about the Default (last resort) template myself, but left it out on the basis that any new user should be a member of Users and not the Administrators group also (or any other), by default, but that is probably too restrictive. The alternative might be to have two templates, Administrators and Non-Administrators (like MLGPO), but maintaining a Default user profile would likely be required for compatibility reasons.
 
Regarding your DomainGroups, I guess the obvious issue here would be how to sync the templates across client machines. Presumably domain Group Policy could (or could be made to) handle this task.
 


Edited by Drewfus - 18 February 2011 at 4:02am
Drewfus (Groupie; joined 12 February 2010; 44 points)
Posted: 01 March 2011 at 4:51am
Regarding Mandatory Profiles, registry permissions have to be changed on NTUSER.MAN to full access for "Everyone". This has consequences for security as outlined in this blog:
 
 
Simply put, users are able to read/write to HKU\<Some other user’s SID>.
 
Following Helge Klein's fix #3, and the main idea in this thread, perhaps what should happen with Mandatory Profiles is:
  1. NTUSER.MAN is downloaded (at logon) to \Users\Templates\Mandatory\NTUSER.MAN
  2. Make directory (if not exist) \Users\Templates\Mandatory\Username
  3. Copy the local copy of NTUSER.MAN to \Users\Templates\Mandatory\Username\NTUSER.MAN.TMP
  4. Re-ACL NTUSER.MAN.TMP, replacing "Everyone" with "Username"
  5. Move NTUSER.MAN.TMP to NTUSER.DAT
  6. Mount NTUSER.DAT to HKU\<SID-RIDofUser>
  7. Complete user logon
 
Having all Mandatory Profiles in a single folder would also make cleanup operations easier.
 


Edited by Drewfus - 01 March 2011 at 5:15am
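As an added example (not code from this thread, from Helge Klein's blog, or from Windows), the following PowerShell implements steps 2 to 5 of the per-user mandatory profile handling proposed above, so that the "Everyone: Full Control" permission on NTUSER.MAN never has to exist on the copy a user actually loads. It assumes step 1 has already placed the machine-wide copy at \Users\Templates\Mandatory\NTUSER.MAN, and it makes one design choice of its own: rather than editing the Everyone entry in place, it cuts inheritance and rebuilds the DACL so that only the user (by SID), SYSTEM and Administrators hold full control. The function names and the verification helper are assumptions of the example; steps 6 and 7 are left to the profile service as in the proposal.

```powershell
# Added example: stages a per-user copy of a mandatory profile hive (steps 2-5
# of the proposal above). Not code from the thread, Helge Klein's blog or Windows.
# Assumptions: step 1 has already downloaded NTUSER.MAN to $MandatoryRoot, and the
# DACL is rebuilt from scratch instead of editing the "Everyone" ACE in place.

function New-PerUserMandatoryHive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $MandatoryRoot = 'C:\Users\Templates\Mandatory'
    )

    $source = Join-Path $MandatoryRoot 'NTUSER.MAN'
    if (-not (Test-Path -LiteralPath $source -PathType Leaf)) {
        throw "Step 1 not done: no mandatory hive at $source"
    }

    # Resolve the account before touching the file system: an unknown name
    # should fail here, not after a half-built directory exists.
    $account = [System.Security.Principal.NTAccount]::new($UserName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Step 2: per-user staging directory (created only if missing).
    $userDir = Join-Path $MandatoryRoot $UserName
    if (-not (Test-Path -LiteralPath $userDir -PathType Container)) {
        New-Item -ItemType Directory -Path $userDir | Out-Null
    }

    # Step 3: copy under a .TMP name, so a crash mid-way never leaves a
    # half-ACLed NTUSER.DAT that the profile service might load.
    $tmp = Join-Path $userDir 'NTUSER.MAN.TMP'
    Copy-Item -LiteralPath $source -Destination $tmp -Force

    # Step 4: re-ACL. Stop inheritance, drop every existing ACE (this is where
    # "Everyone" disappears), then grant full control only to the user, SYSTEM
    # (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544).
    $acl = Get-Acl -LiteralPath $tmp
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void] $acl.RemoveAccessRule($rule) }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $principals = @(
        $sid,
        [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18'),
        [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')
    )
    foreach ($p in $principals) {
        $ace = [System.Security.AccessControl.FileSystemAccessRule]::new($p, $full, 'Allow')
        $acl.AddAccessRule($ace)
    }
    Set-Acl -LiteralPath $tmp -AclObject $acl

    # Step 5: rename into place. Steps 6-7 (loading the hive under HKU\<SID>
    # and completing logon) belong to the profile service in the proposal.
    $dat = Join-Path $userDir 'NTUSER.DAT'
    Move-Item -LiteralPath $tmp -Destination $dat -Force

    [pscustomobject]@{ User = $UserName; Sid = $sid.Value; Hive = $dat }
}

# Verification helper (also an assumption of the example): true when no ACE on
# the staged hive, explicit or inherited, names Everyone (S-1-1-0).
function Test-NoEveryoneAccess([string] $Path) {
    $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    $acl = Get-Acl -LiteralPath $Path
    $hits = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference -eq $everyone }
    return (@($hits).Count -eq 0)
}

# Usage (elevated, since Set-Acl needs ownership or WRITE_DAC on the file):
# $hive = New-PerUserMandatoryHive -UserName 'alice'
# Test-NoEveryoneAccess -Path $hive.Hive   # expected: True
```

Granting the ACE by SID rather than by name avoids a rename of the account silently breaking the mapping, and the .TMP-then-rename sequence keeps the window in which a world-writable hive exists on disk to the copy step alone. The post's cleanup point also holds: because every staged hive lives under \Users\Templates\Mandatory\<user>, removing a user's copy is a single directory delete.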