Is a single default user optimal?

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

Having a single default user profile for all new users, regardless of a users group membership, seems like a throwback to the Windows 9X era. Vista introduced the concept of Multiple Local Group Policy Objects. This allows treating Administrators and Users on a differential basis, dependent on membership of a user in the Administrators group. This should be extended to the creation of new users profiles, by having multiple default profiles, to be selected for each new user account on the basis of group membership or %username%.

Consider that the existing directory...

\Users
      |_ Default

...be replaced with this directory structure:

\Users
      |_ Templates
                  |_ Administrators

                  |_ Users

                  |_ someUsername

On the creation of a new user profile, Windows checks that %username% == someUsername, and if equal applies the profile under \Users\Templates\someUsername, else the user is created using the \Users\Templates\Administrators profile if the they are a member of the Administrators group at the point their profile is initialized, else if they are not Administrators the profile is created using the files and folder structure under \Users\Templates\Users.

Example settings found only in \Users\Templates\Administrators\NTUSER.DAT and %AppData%:
Explorer
Customize StartPanelLink and TaskbarLinks
Start menu "All Programs" is customized. Ex: 'Administrative Tools' are visible (see Note)
Show hidden files and folders (checked)
Hide extensions for known file types (unchecked)
Hide protected operating system files (unchecked)
Start menu intro, tours and first-run wizards are disabled
Alternative set of desktop icons are visible/hidden
Solid color for desktop background
Console window: cols=128 lines=50 Font=Consolas QuickEdit=On
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
%ProgramFiles%\Sysinternals\Bginfo.exe /timer:0 /silent
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ForceClassicControlPanel = 1
HKCU\Control Panel\International
sShortDate = YYYY-MM-DD
sTimeFormat = HH:mm:ss
Environment
_NT_SYMBOL_PATH=definition
VersionIdentifier=Windows Version
ProfilesDirectory=Profiles root path
Internet Explorer
Shortcut: %ProgramFiles%\Internet Explorer\iexplore.exe -extoff
Favorites: Microsoft Support, Technet, Sysinternals, IT doco, etc
Home page: Intranet IT porta
Alternative account picture
Alternative power scheme
Alternative sound scheme
Alternative help links
Links or shortcuts to reference documents
Open unknown file types with Notepad
Word, Excel & PowerPoint docs associated with Office Viewers (not Office)

Note 'Administrative Tools' shortcuts are moved from:

\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools

to

\Users\Templates\Administrators\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
This potentially overcomes the problem noted @ http://blogs.technet.com/b/deploymentguys/archive/2009/10/29/configuring-default-user-settings-full-update-for-windows-7-and-windows-server-2008-r2.aspx
The manual profile copy process can cause issues such as:
Whether the user is an administrator (and should therefore see the Administrative Tools, etc).
By giving Users and Administrators groups alternative default user profiles, this type of problem could be avoided by never copying the Administrators profile to \Users\Templates\Users and never copying a Users profile to \Users\Templates\Administrators.

Edited by Drewfus - 15 January 2012 at 8:57pm

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
Drewfus Members Profile Send Private Message Find Members Posts Add to Buddy List Groupie Joined: 12 February 2010 Status: Offline Points: 44	Post Options Post Reply Quote Drewfus Report Post Thanks(0) Quote Reply Topic: Is a single default user optimal? Posted: 23 December 2010 at 1:09pm
	Having a single default user profile for all new users, regardless of a users group membership, seems like a throwback to the Windows 9X era. Vista introduced the concept of Multiple Local Group Policy Objects. This allows treating Administrators and Users on a differential basis, dependent on membership of a user in the Administrators group. This should be extended to the creation of new users profiles, by having multiple default profiles, to be selected for each new user account on the basis of group membership or %username%. Consider that the existing directory... \Users \|_ Default ...be replaced with this directory structure: \Users \|_ Templates \|_ Administrators \|_ Users \|_ someUsername On the creation of a new user profile, Windows checks that %username% == someUsername, and if equal applies the profile under \Users\Templates\someUsername, else the user is created using the \Users\Templates\Administrators profile if the they are a member of the Administrators group at the point their profile is initialized, else if they are not Administrators the profile is created using the files and folder structure under \Users\Templates\Users. Example settings found only in \Users\Templates\Administrators\NTUSER.DAT and %AppData%: Explorer Customize StartPanelLink and TaskbarLinks Start menu "All Programs" is customized. Ex: 'Administrative Tools' are visible (see Note) Show hidden files and folders (checked) Hide extensions for known file types (unchecked) Hide protected operating system files (unchecked) Start menu intro, tours and first-run wizards are disabled Alternative set of desktop icons are visible/hidden Solid color for desktop background Console window: cols=128 lines=50 Font=Consolas QuickEdit=On HKCU\Software\Microsoft\Windows\CurrentVersion\Run %ProgramFiles%\Sysinternals\Bginfo.exe /timer:0 /silent HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer ForceClassicControlPanel = 1 HKCU\Control Panel\International sShortDate = YYYY-MM-DD sTimeFormat = HH:mm:ss Environment _NT_SYMBOL_PATH=definition VersionIdentifier=Windows Version ProfilesDirectory=Profiles root path Internet Explorer Shortcut: %ProgramFiles%\Internet Explorer\iexplore.exe -extoff Favorites: Microsoft Support, Technet, Sysinternals, IT doco, etc Home page: Intranet IT porta Alternative account picture Alternative power scheme Alternative sound scheme Alternative help links Links or shortcuts to reference documents Open unknown file types with Notepad Word, Excel & PowerPoint docs associated with Office Viewers (not Office) Note 'Administrative Tools' shortcuts are moved from: \ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools to \Users\Templates\Administrators\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools This potentially overcomes the problem noted @ http://blogs.technet.com/b/deploymentguys/archive/2009/10/29/configuring-default-user-settings-full-update-for-windows-7-and-windows-server-2008-r2.aspx The manual profile copy process can cause issues such as: Whether the user is an administrator (and should therefore see the Administrative Tools, etc). By giving Users and Administrators groups alternative default user profiles, this type of problem could be avoided by never copying the Administrators profile to \Users\Templates\Users and never copying a Users profile to \Users\Templates\Administrators. Edited by Drewfus - 15 January 2012 at 8:57pm

Drewfus Members Profile Send Private Message Find Members Posts Add to Buddy List Groupie Joined: 12 February 2010 Status: Offline Points: 44	Post Options Post Reply Quote Drewfus Report Post Thanks(0) Quote Reply Posted: 04 January 2011 at 12:54pm
	It would also be interesting to have a method for initializing a user profile, other than via a Runas command, which requires the account password. For example, using the 'net user' command. net user username /init[ialize] [/exec:Script] [/y] The above command creates the folder structure for the new account, optionally executes an arbitary script, and perhaps executes Active Setup. Why is there no specific means of initializing a profile other than logging on as that user? Edited by Drewfus - 29 December 2011 at 1:22pm

tamahome Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 06 January 2006 Status: Offline Points: 285	Post Options Post Reply Quote tamahome Report Post Thanks(0) Quote Reply Posted: 04 January 2011 at 5:51pm
	There's something called a mandatory profile, but I think it only works with Active Directory.

Drewfus Members Profile Send Private Message Find Members Posts Add to Buddy List Groupie Joined: 12 February 2010 Status: Offline Points: 44	Post Options Post Reply Quote Drewfus Report Post Thanks(0) Quote Reply Posted: 05 January 2011 at 1:54pm
	Combining the two ideas; The system copies \Users\username\NTUSER.DAT to \Users\Templates\username at (error free) logoff. Optionally, also copies \Users\username\AppData\Roaming to \Users\Templates\username\AppData\Roaming and any persistent profile data that could be backed up quickly at logoff. If the profile becomes corrupted, restore Last Known Good User Profile from \Users\Templates\username using net user username /init[ialize] [/appdata] /profilepath:"<Drive>\Users\username" [/y] /appdata = Include "\Users\Templates\username\AppData\Roaming\" in profile re/initialization During reinitialization of profile, check validity of restored NTUSER.DAT hive against \Users\Templates\LocalGroup*\NTUSER.DAT. Replace, add registry values as required. I believe this check would be similar in concept to the effects of this registry change: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v FirstLogon /t REG_DWORD /d 1 /f See: http://seancolyer.com/howto-fix-windows-7-profiles-desktop-icons-not-load/ Edited by Drewfus - 29 December 2011 at 3:18pm

Drewfus Members Profile Send Private Message Find Members Posts Add to Buddy List Groupie Joined: 12 February 2010 Status: Offline Points: 44	Post Options Post Reply Quote Drewfus Report Post Thanks(0) Quote Reply Posted: 05 January 2011 at 2:33pm
	Create a new profile template based on an existing account: net localgroup groupname username </default \| /mkdflt> [/y] [/xgrp] [/libfldrs] /y = confirm /xgrp = Cross groups. That is, confirms action when username is not a member of groupname. /libfldrs = Include library folders in profile copy This copies \Users\name\NTUSER.DAT and non-temp folders of \Users\name\* to \Users\Templates\groupname NTUSER.DAT is filtered to remove things like %username%, web/mail accounts, auto-complete, MRUs, recent files and credentials. Encryption, cache, credentials files and other inappropriate files are also filtered Presumably this cleanup process would be similar in function to the Sysprep Cleanup pass Existing files & folders under \Users\Templates\groupname are purged Edited by Drewfus - 29 December 2011 at 2:31pm

WindowsStar Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 30 June 2010 Status: Offline Points: 496	Post Options Post Reply Quote WindowsStar Report Post Thanks(0) Quote Reply Posted: 17 February 2011 at 7:13am
	+1 Great Ideas. I might change the Default Profile to: \Users \|_ Templates \| \|_ LocalGroups \|_ Administrators \| \|_ Users \| \|_ Default (Last Resort if user is in no group) \| \|_ someGroupName (Linked to Groups on Local Machine) \| \|_ DomainGroups \|_ Administrators (Linked to Groups on Domain) \|_ Users (Linked to Groups on Domain) \|_ someGroupName (Linked to Groups on Domain)

Drewfus Members Profile Send Private Message Find Members Posts Add to Buddy List Groupie Joined: 12 February 2010 Status: Offline Points: 44	Post Options Post Reply Quote Drewfus Report Post Thanks(0) Quote Reply Posted: 18 February 2011 at 3:45am
	Thanks. That is a good extension of the original idea. I thought about the Default (last resort) template myself, but left it out on the basis that any new user should be a member of Users and not the Administrators group also (or any other), by default, but that is probably too restrictive. The alternative might be to have two templates, Administrators and Non-Administrators (like MLGPO), but maintaining a Default user profile would likely be required for compatibility reasons. Regarding your DomainGroups, i guess the obvious issue here would be how to sync the templates across client machines. Presumably domain Group Policy could (or could be made to) handle this task. Edited by Drewfus - 18 February 2011 at 4:02am

Drewfus Members Profile Send Private Message Find Members Posts Add to Buddy List Groupie Joined: 12 February 2010 Status: Offline Points: 44	Post Options Post Reply Quote Drewfus Report Post Thanks(0) Quote Reply Posted: 01 March 2011 at 4:51am
	Regarding Mandatory Profiles, registry permissions have to be changed on NTUSER.MAN to full access for "Everyone". This has consequences for security as outlined in this blog: Mandatory Profiles – Insecure by Default? Simply put, users are able to read/write to HKU\<Some other user’s SID>. Following Helge Klein's fix #3, and the main idea in this thread, perhaps what should happen with Mandatory Profiles is: NTUSER.MAN is downloaded (at logon) to \Users\Templates\Mandatory\NTUSER.MAN Make directory (if not exist) \Users\Templates\Mandatory\Username Copy the local copy of NTUSER.MAN to \Users\Templates\Mandatory\Username\NTUSER.MAN.TMP Re-ACL NTUSER.MAN.TMP, replacing "Everyone" with "Username" Move NTUSER.MAN.TMP to NTUSER.DAT Mount NTUSER.DAT to HKU\<SID-RIDofUser> Complete user logon Having all Mandatory Profiles in a single folder would also make cleanup operations easier. Edited by Drewfus - 01 March 2011 at 5:15am