Is a single default user optimal?

Printed From: Sysinternals
Category: Windows Discussions
Forum Name: Internals
Forum Description: Windows internals information
Printed Date: 24 February 2018 at 9:55pm
Software Version: Web Wiz Forums 11.06

Topic: Is a single default user optimal?
Posted By: Drewfus
Subject: Is a single default user optimal?
Date Posted: 23 December 2010 at 1:09pm
Having a single default user profile for all new users, regardless of a user's group membership, seems like a throwback to the Windows 9X era. Vista introduced the concept of [link]. This allows treating Administrators and Users on a differential basis, dependent on membership of a user in the Administrators group. This should be extended to the creation of new user profiles, by having multiple default profiles, to be selected for each new user account on the basis of group membership or %username%.
Consider that the existing directory...
      |_ Default replaced with this directory structure:
      |_ Templates
                  |_ Administrators
                  |_ Users
                  |_ someUsername
On the creation of a new user profile, Windows checks that %username% == someUsername, and if equal applies the profile under \Users\Templates\someUsername; else the user is created using the \Users\Templates\Administrators profile if they are a member of the Administrators group at the point their profile is initialized; else, if they are not Administrators, the profile is created using the files and folder structure under \Users\Templates\Users.
Example settings found only in \Users\Templates\Administrators\NTUSER.DAT and %AppData%:
  • Explorer
    • TaskbarLinks
    • Start menu "All Programs" is customized. Ex: 'Administrative Tools' are visible (see Note)
    • Show hidden files and folders (checked)
    • Hide extensions for known file types (unchecked)
    • Hide protected operating system files (unchecked)
    • Start menu intro, tours and first-run wizards are disabled
    • Alternative set of desktop icons are visible/hidden
  • Solid color for desktop background
  • Console window: cols=128 lines=50 Font=Consolas QuickEdit=On
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • %ProgramFiles%\Sysinternals\Bginfo.exe /timer:0 /silent
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • ForceClassicControlPanel = 1
  • HKCU\Control Panel\International
    • sShortDate = YYYY-MM-DD
    • sTimeFormat = HH:mm:ss
  • Environment
    • _NT_SYMBOL_PATH = definition
    • VersionIdentifier = Windows Version
    • ProfilesDirectory = Profiles root path
  • Internet Explorer
    • Shortcut: %ProgramFiles%\Internet Explorer\iexplore.exe -extoff
    • Favorites: Microsoft Support, Technet, Sysinternals, IT doco, etc
    • Home page: Intranet IT portal
  • Alternative account picture
  • Alternative power scheme
  • Alternative sound scheme
  • Alternative help links
  • Links or shortcuts to reference documents
  • Open unknown file types with Notepad
  • Word, Excel & PowerPoint docs associated with Office Viewers (not Office)
Note: 'Administrative Tools' shortcuts are moved from:
\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
to:
\Users\Templates\Administrators\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools

This potentially overcomes the problem noted @ [link]: the manual profile copy process can cause issues such as:

  • Whether the user is an administrator (and should therefore see the Administrative Tools, etc).
By giving Users and Administrators groups alternative default user profiles, this type of problem could be avoided by never copying the Administrators profile to \Users\Templates\Users and never copying a Users profile to \Users\Templates\Administrators.
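As an added illustration (not code from this thread), here is the selection rule of the first post written as a first-logon PowerShell script for a single machine: an exact-name template wins, otherwise membership in the local Administrators group decides between the Administrators and Users templates. The template root C:\Users\Templates and the template folder names are assumptions taken from the proposal. The second function applies three of the Explorer view options listed for the Administrators template using the real HKCU values behind those checkboxes.

```powershell
# Added example, not code from this thread. It emulates the group-dependent
# defaults proposed above as a first-logon script on a single machine.
# Assumed template layout under $TemplateRoot: <username>\, Administrators\, Users\

function Select-ProfileTemplate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $TemplateRoot = 'C:\Users\Templates'   # assumed location
    )
    # Rule 1: a template folder named exactly like the account wins.
    $perUser = Join-Path $TemplateRoot $UserName
    if (Test-Path -LiteralPath $perUser -PathType Container) { return $perUser }

    # Rule 2: membership in BUILTIN\Administrators (well-known SID S-1-5-32-544)
    # decides between the two group templates. Membership is read from the local
    # SAM, so it reflects the group as it stands now, not the logon token.
    $isAdmin = $false
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
        $isAdmin = [bool]($members | Where-Object { ($_.Name -split '\\')[-1] -ieq $UserName })
    } catch {
        Write-Warning "Cannot read Administrators membership, falling back to Users: $_"
    }
    if ($isAdmin) { return Join-Path $TemplateRoot 'Administrators' }
    return Join-Path $TemplateRoot 'Users'
}

# The three Explorer view options listed for the Administrators template map to
# these HKCU values: Hidden=1 shows hidden files, HideFileExt=0 shows extensions,
# ShowSuperHidden=1 shows protected operating system files.
function Set-AdminExplorerDefaults {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $values = @{ Hidden = 1; HideFileExt = 0; ShowSuperHidden = 1 }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$key\$name", "set to $($values[$name])")) {
            New-ItemProperty -Path $key -Name $name -Value $values[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage: run in the new user's first session. The view defaults are applied
# only when the selection rule picked the Administrators template; drop -WhatIf
# to actually write the values.
$template = Select-ProfileTemplate -UserName $env:USERNAME
"Template for $env:USERNAME : $template"
if ((Split-Path -Path $template -Leaf) -eq 'Administrators') {
    Set-AdminExplorerDefaults -WhatIf
}
```

The script only decides which template applies and writes per-user settings in the user's own hive; it does not pre-create C:\Users\<name>, because a pre-existing folder makes the profile service create a <name>.<COMPUTERNAME> folder instead of using it.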

Posted By: Drewfus
Date Posted: 04 January 2011 at 12:54pm
It would also be interesting to have a method for initializing a user profile, other than via a Runas command, which requires the account password.
For example, using the 'net user' command. 
net user username /init[ialize] [/exec:Script] [/y]
The above command creates the folder structure for the new account, optionally executes an arbitrary script, and perhaps executes Active Setup.
Why is there no specific means of initializing a profile other than logging on as that user?

Posted By: tamahome
Date Posted: 04 January 2011 at 5:51pm
There's something called a mandatory profile, but I think it only works with Active Directory.

Posted By: Drewfus
Date Posted: 05 January 2011 at 1:54pm
Combining the two ideas:
The system copies \Users\username\NTUSER.DAT to \Users\Templates\username at (error free) logoff.
Optionally, also copies \Users\username\AppData\Roaming to \Users\Templates\username\AppData\Roaming and any persistent profile data that could be backed up quickly at logoff.
If the profile becomes corrupted, restore Last Known Good User Profile from \Users\Templates\username using
net user username /init[ialize] [/appdata] /profilepath:"<Drive>\Users\username" [/y]
/appdata = Include "\Users\Templates\username\AppData\Roaming\*" in profile re/initialization
During reinitialization of profile, check validity of restored NTUSER.DAT hive against \Users\Templates\LocalGroup\NTUSER.DAT. Replace, add registry values as required. I believe this check would be similar in concept to the effects of this registry change:
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v FirstLogon /t REG_DWORD /d 1 /f
See: [link]

Posted By: Drewfus
Date Posted: 05 January 2011 at 2:33pm
Create a new profile template based on an existing account:
net localgroup groupname username </default | /mkdflt> [/y] [/xgrp] [/libfldrs]
/y = confirm
/xgrp = Cross groups. That is, confirms action when username is not a member of groupname.
/libfldrs = Include library folders in profile copy
This copies \Users\name\NTUSER.DAT and non-temp folders of \Users\name\* to \Users\Templates\groupname
  • NTUSER.DAT is filtered to remove things like %username%, web/mail accounts, auto-complete, MRUs, recent files and credentials.
  • Encryption, cache, credentials files and other inappropriate files are also filtered
  • Presumably this cleanup process would be similar in function to the Sysprep Cleanup pass
  • Existing files & folders under \Users\Templates\groupname are purged

Posted By: WindowsStar
Date Posted: 17 February 2011 at 7:13am
+1 Great Ideas.
I might change the Default Profile to:
                   |_ LocalGroups |_ Administrators
                   |              |_ Users
                   |              |_ Default (Last Resort if user is in no group)
                   |              |_ someGroupName (Linked to Groups on Local Machine)
                   |_ DomainGroups |_ Administrators (Linked to Groups on Domain)
                                   |_ Users (Linked to Groups on Domain)
                                   |_ someGroupName (Linked to Groups on Domain)

Posted By: Drewfus
Date Posted: 18 February 2011 at 3:45am
That is a good extension of the original idea. I thought about the Default (last resort) template myself, but left it out on the basis that any new user should be a member of Users and not the Administrators group also (or any other), by default, but that is probably too restrictive. The alternative might be to have two templates, Administrators and Non-Administrators (like MLGPO), but maintaining a Default user profile would likely be required for compatibility reasons.
Regarding your DomainGroups, I guess the obvious issue here would be how to sync the templates across client machines. Presumably domain Group Policy could (or could be made to) handle this task.

Posted By: Drewfus
Date Posted: 01 March 2011 at 4:51am
Regarding Mandatory Profiles, registry permissions have to be changed on NTUSER.MAN to full access for "Everyone". This has consequences for security as outlined in this blog: Mandatory Profiles – Insecure by Default?
Simply put, users are able to read/write to HKU\<Some other user’s SID>.
Following Helge Klein's fix #3, and the main idea in this thread, perhaps what should happen with Mandatory Profiles is:
  1. NTUSER.MAN is downloaded (at logon) to \Users\Templates\Mandatory\NTUSER.MAN
  2. Make directory (if not exist) \Users\Templates\Mandatory\Username
  3. Copy the local copy of NTUSER.MAN to \Users\Templates\Mandatory\Username\NTUSER.MAN.TMP
  4. Re-ACL NTUSER.MAN.TMP, replacing "Everyone" with "Username"
  6. Mount NTUSER.DAT to HKU\<SID-RIDofUser>
  7. Complete user logon
Having all Mandatory Profiles in a single folder would also make cleanup operations easier.
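As an added example (not code from this thread or from the linked blog post), the following PowerShell does two things a practitioner would want around this post: an audit function that lists loaded hives under HKU\<SID> on which "Everyone" holds an Allow ACE with write rights (the condition the post describes), and a function that carries out steps 3-4 on a per-user copy of NTUSER.MAN by loading the hive file at a temporary key, replacing explicit "Everyone" ACEs with full control for the named user, and unloading it. The temporary key name TmpMandatoryHive and the NTUSER.MAN.TMP path are assumptions; both functions need an elevated session.

```powershell
# Added example, not code from this thread or from the linked blog post.
# Run elevated. The temporary key name and the hive path are assumptions.

$script:Everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

function Test-EveryoneAce {
    param([System.Security.AccessControl.AccessRule]$Ace)
    # IdentityReference is an NTAccount, or a SID when the name cannot be resolved;
    # Translate handles both.
    $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    return ($sid -eq $script:Everyone)
}

# Audit: which loaded user hives let Everyone write into them?
function Find-EveryoneWritableHives {
    $writeBits = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $acl = Get-Acl -Path $hive.PSPath
        foreach ($ace in $acl.Access) {
            if ((Test-EveryoneAce $ace) -and $ace.AccessControlType -eq 'Allow' -and
                (($ace.RegistryRights -band $writeBits) -ne 0)) {
                [pscustomobject]@{ Hive = $hive.PSChildName; Rights = $ace.RegistryRights }
            }
        }
    }
}

function Remove-EveryoneAces {
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    # Inherited ACEs cannot be removed here; they disappear once the parent is fixed.
    $removed = $false
    foreach ($ace in @($Acl.Access)) {
        if (-not $ace.IsInherited -and (Test-EveryoneAce $ace)) {
            $null = $Acl.RemoveAccessRule($ace); $removed = $true
        }
    }
    return $removed
}

# Steps 3-4 of the post: re-ACL the per-user copy of the mandatory hive.
function Set-MandatoryHiveAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$HivePath,   # assumed: C:\Users\Templates\Mandatory\<user>\NTUSER.MAN.TMP
        [Parameter(Mandatory)][string]$UserName
    )
    $mount = 'TmpMandatoryHive'   # assumed temporary key name under HKEY_USERS
    $root  = "Registry::HKEY_USERS\$mount"
    $user  = [System.Security.Principal.NTAccount]$UserName

    & reg.exe load "HKU\$mount" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }
    try {
        # Root key: drop Everyone, grant the user full control with ContainerInherit
        # so the new ACE propagates to every subkey.
        $acl = Get-Acl -Path $root
        $null = Remove-EveryoneAces $acl
        $acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
            $user, 'FullControl', 'ContainerInherit', 'None', 'Allow'))
        if ($PSCmdlet.ShouldProcess($root, "replace Everyone with $UserName")) {
            Set-Acl -Path $root -AclObject $acl
        }
        # Subkeys may carry their own explicit Everyone ACEs; strip those as well.
        foreach ($key in (Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)) {
            $sub = Get-Acl -Path $key.PSPath
            if ((Remove-EveryoneAces $sub) -and
                $PSCmdlet.ShouldProcess($key.PSPath, 'remove explicit Everyone ACE')) {
                Set-Acl -Path $key.PSPath -AclObject $sub
            }
        }
    } finally {
        # PowerShell caches key handles; release them or reg unload reports the hive as in use.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$mount" | Out-Null
    }
}
```

Find-EveryoneWritableHives returning nothing is the expected state on a machine without mandatory profiles; any row it returns is a hive another interactive user can write to. Set-MandatoryHiveAcl supports -WhatIf, so the key list it would touch can be reviewed before the ACLs are changed.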
