Note that mandatory profiles have a slightly different naming convention. A normal mandatory profile is one in which the ntuser.dat file has been renamed to ntuser.man. A super mandatory profile is a roaming profile in which the profile path ends in .man. For example, a roaming profile path called \\server\profiles\stdprofile.man\ specifies a super mandatory profile.
Inside Profile Creation
The key to solving the mysteries of user profiles is to understand their wily ways, and to do that, you need to understand how Windows creates a profile. At a high level, the process is simple: If a user logs on to a Windows workstation for the first time and doesn't have a profile, either cached on the workstation or on a roaming server share, Windows creates a new default profile for that user. However, the process is more involved than you might think. Let's step through the user profile-creation process so that you can understand it thoroughly. Along the way, we'll review some details about profile creation that will help you if you ever need to troubleshoot profile problems. Because subtle differences exist in profile behavior between each of Microsoft's OS versions, I'm going to stick with XP in my example. This example assumes that a new AD domain user for whom you've defined a roaming profile path is logging on to the domain and to his or her workstation for the first time.
1. When a user logs on, Windows first checks the user's AD account to see whether a roaming profile path is defined.
2. Next, Windows pings the connection to the profile share to determine whether it's a slow link. A roaming profile download behaves differently if the OS detects a slow link. The slow link threshold is defined through Group Policy and defaults to 500Kbps.
3. After determining that you're not on a slow link, Windows checks the NTFS ownership of the roaming profile directory to ensure that it's owned by either the user who is logging on or the local Administrators group. This step is a new check as of XP Service Pack 1 (SP1) and Win2K SP4, and it ensures that someone hasn't tried to create a forged roaming profile that a user would download inadvertently.
4. Assuming the check in Step 3 is successful, Windows checks the roaming profile directory for the existence of either ntuser.dat or ntuser.man (indicating a mandatory profile). If neither exists, as in the case of a brand new user, Windows proceeds to the next step.
5. Windows determines whether the workstation has a cached copy of the user's profile in C:\documents and settings. However, instead of looking in the file system on the workstation, the OS consults the registry; all legitimate user profiles that are cached on a workstation must be registered under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList registry subkey. Within the ProfileList subkey, every user who has a locally cached profile has a key named with the unique SID that refers to that user. This key contains values that identify in which folder the user's local profile is cached, the path to the user's roaming profile, and other information about when the profile was last written and its state.
6. If Windows determines that no roaming or local profile exists, it creates the appropriate entry in the registry, as I described in Step 5, then creates the user's local profile directory in the Documents and Settings folder.
7. Next, Windows issues the user a new default profile. You can control which default profile a user receives by using one of two methods. First, you can place a default user profile on the Netlogon share of your AD domain controllers (DCs), specifically under \\<DC ServerName>\netlogon\default user. Windows checks this folder first to see whether you've put a default user profile there; if you haven't, Windows takes the default profile found on the local workstation under \%systemroot%\documents and settings\default user. If you provide your own default profile to either the Netlogon share or the local default user folder, the profile must be complete; it must contain all the folders and the ntuser.dat file that a profile expects to have. The Netlogon approach is much easier to maintain, but if you decide to use the default user folder on the local machine, you can include a default profile in your standard workstation image.
8. After the system finds the correct path for the default user profile, it copies the contents of that folder to the user-specific folder under Documents and Settings. More important, Windows sets file-system security on the \%systemroot%\documents and settings\%username% folder so that only the user's account and the local Administrators group on the workstation have Full Control access. And, because ntuser.dat is a registry hive file and the registry has security permissions associated with it, when the system copies this file from the default user profile location, the registry keys within the hive are set to the same permission that's set for the file portion of the user's profile. Therefore, only the user and members of the local Administrators group can access the settings in this profile. This is an important fact because it means that you can't simply copy a user's profile directory from one user to another. Even if you change the permissions on the file portion of the profile, the registry permissions will still point to the original user. To resolve this problem, you have two options: You can open the Control Panel System applet, select the Advanced tab, click Settings under the User Profiles section to open the dialog box that Figure 3 shows, and click Copy To, or you can take advantage of the Microsoft Windows 2000 Resource Kit's moveuser.exe utility. For more information about this utility, read Inside Out, "Move User Profiles," July 2003, http://www.winnetmag.com, InstantDoc ID 39192.
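The following PowerShell script is an added example, not part of the original article: it audits the folders on a roaming profile share against the ownership check in Step 3 and the ntuser.dat/ntuser.man and .man naming rules described above, then lists the ProfileList entries from Step 5 on the local workstation. It assumes PowerShell 3 or later, an administrative session, that \\server\profiles is a placeholder for your own share, and that each profile folder is named after the user's account name.

```powershell
# Added example (not from the article). $ProfileShare is a placeholder UNC path.
param(
    [string]$ProfileShare = '\\server\profiles',   # placeholder, replace with your share
    [string]$Domain       = $env:USERDOMAIN
)

$allowedLocalOwner = 'BUILTIN\Administrators'

function Test-RoamingProfileFolder {
    param([System.IO.DirectoryInfo]$Folder)

    # Owner from the NTFS security descriptor, e.g. DOMAIN\jdoe
    $owner = (Get-Acl -LiteralPath $Folder.FullName).Owner

    # Super mandatory profile: the profile path itself ends in .man
    $superMandatory = $Folder.Name -like '*.man'
    # Expected owner: the account named by the folder, with any .man suffix removed
    $expectedUser = "$Domain\" + ($Folder.Name -replace '\.man$', '')

    $hasDat = Test-Path -LiteralPath (Join-Path $Folder.FullName 'ntuser.dat')
    $hasMan = Test-Path -LiteralPath (Join-Path $Folder.FullName 'ntuser.man')

    # Step 3: owner must be the user logging on or the local Administrators group
    $ownerOk = ($owner -eq $expectedUser) -or ($owner -eq $allowedLocalOwner)
    $ownerCheck = if ($ownerOk) { 'pass' } else { 'FAIL: would not load (possible forged profile)' }

    # Step 4 plus the naming rules: classify what the logon will find
    if ($superMandatory) { $type = 'super mandatory' }
    elseif ($hasMan)     { $type = 'mandatory (ntuser.man)' }
    elseif ($hasDat)     { $type = 'roaming (ntuser.dat)' }
    else                 { $type = 'empty: new user, default profile will be issued' }

    [pscustomobject]@{ Folder = $Folder.Name; Owner = $owner; OwnerCheck = $ownerCheck; ProfileType = $type }
}

Get-ChildItem -LiteralPath $ProfileShare -Directory |
    ForEach-Object { Test-RoamingProfileFolder -Folder $_ } |
    Format-Table -AutoSize

# Step 5: only profiles registered under ProfileList count as locally cached
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem -Path $profileList |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |   # per-user SIDs, not well-known system SIDs
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            SID         = $_.PSChildName
            LocalPath   = $p.ProfileImagePath   # cached folder under Documents and Settings
            RoamingPath = $p.CentralProfile     # roaming profile path, if one is set
            State       = $p.State              # profile state flags
        }
    } | Format-Table -AutoSize
```

A folder reported as FAIL is one that the XP SP1 / Win2K SP4 check would refuse to download, so the user would get a temporary or default profile instead; a folder whose owner is neither the named user nor Administrators deserves a look before you fix the ownership.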