Microsoft Windows Registry Guide, Second Edition
Deploying Default User Profiles
Deploying default user profiles is one of the easiest ways to deploy settings to new users. You can't use default user profiles to deploy settings to existing users, however, because they already have user profiles. These aren't settings that you want to manage. They're defaults that you want to establish for users while allowing users to change them when necessary. Essentially, deploying default user profiles is like modifying the default settings in Windows. If you want to define a setting that users can't change, use policies. Chapter 7, “Using Registry-Based Policy,” contains more information about managing settings.
To deploy a default user profile, follow these steps:
Create a template account.
You can use a local or a domain account, but the user profile is generally cleaner if you use a local account on a computer that's not joined to a domain. (Because I include network shortcuts in my profiles, I usually use a domain account to create default user profiles.) Also, for the template account, choose a name that you're sure is unique in the registry and is shorter than eight characters. You'll learn why using a unique name is important a bit later in this chapter.
Log on to the computer using the template account, and customize its settings. The section “Customizing User Settings,” later in this chapter, describes settings that I usually customize.
Clean up the user profile to remove artifacts that you don't want to deploy. The section “Cleaning User Profiles,” later in this chapter, describes how to clean the profile.
Copy the template account's user profile folder to a new location, and name it Default User.
Don't replace %SystemDrive%\Documents and Settings\Default User, however, because you might need to repeat the process a few times to get it right and you'll want the original default user profile handy. In the section “Creating Default User Folders,” later in this chapter, I describe an alternative method for building the Default User folder that I think is more precise because it yields a cleaner default user profile.
Deploy the default user profile.
You can put the Default User folder in %SystemDrive%\Documents and Settings on disk images and then deploy them, or you can put the Default User folder on the NETLOGON share of the server. I prefer the second method because it separates settings from the disk images, which allows me to update settings much more easily.
Alternatives to Default User Profiles
An alternative to customizing a bunch of settings in default user profiles is scripting. Create a script that configures Windows user settings per your company's requirements. This assumes that you have a specification, or at the very least, a list of settings that you want to customize for users. Then edit the NTUSER.DAT hive file in the disk image's Default User folder, adding the command that executes the script to the key HKCU\Software\Microsoft\Windows\ CurrentVersion\RunOnce. The NTUSER.DAT hive file in the Default User folder doesn't contain the RunOnce key by default, so you must add it. Then add a REG_SZ value to this key–the name is arbitrary–and put the command line that you want to execute in it. Each time Windows creates a new user profile, it executes the script to customize the user's settings.
Also, you can add a script that customizes the current user profile to HKLM\ Software\Microsoft\Windows\CurrentVersion\Run. Windows runs this script every time a user logs on to the computer. If you want to configure settings only the first time the user logs on to the computer, add code to the script that checks for a value in HKCU and runs only if that value doesn't exist. Then end the script with code that creates the missing value so that the script doesn't run the next time the user logs on to the computer. Chapter 11, “Scripting Registry Changes,” shows you how to write scripts using Windows Script Host, and these are ideal for this scenario.
Customizing User Settings
Log on to the template account that you created in step 1 of the previous section and customize the account's settings. When customizing settings for a default user profile, less is more. Preferably, you'll work from a list of settings that you've examined with other members of the deployment planning team. The following list gives you an idea of the settings that I frequently target with default user profiles:
Quick Launch toolbar
Start menu
Windows Explorer
Internet Explorer
My Network Places
Search Assistant
Tweak UI
Control Panel, in particular:
Display
Folder Options
Mouse
Power Options
Printers and Faxes
Sounds and Audio Devices
Taskbar and Start Menu
You want to customize per-user settings because those are the only settings that are in the user profile. How do you know that a setting is per-user when you're customizing a user profile? You don't necessarily. That's why you must test the settings in your list ahead of time. Sitting down to construct a default user profile isn't the time to begin wondering whether a particular setting is per-user or per-computer. The easiest way to find out is to log on to a new account and customize the settings in your list. Then copy that user profile to a clean installation of Windows, and see which settings made it. The settings that didn't make it are per-computer settings, and you'll want to scratch them off your list. There are a small number of settings that are per-user but still don't work well in default user profiles, and there's generally little you can do about it except edit the profile to make them work. The most prominent example is desktop wallpaper. Including wallpaper in a default user profile requires you to include the wallpaper graphic file inside the profile folder and then edit the profile hive to point to the new location.
You might also want to include settings for applications that you're deploying, whether you include them on your disk images or deploy them using other methods.
NOTE
Before you begin, here's a caveat: don't include settings for Windows Installer–based applications in a default user profile. Windows Installer provides superior methods for deploying settings. That means you shouldn't deploy settings for Office 2003 Editions using default user profiles. Instead, use tools such as Custom Installation Wizard and Office Profile Wizard. Both tools come with the Office 2003 Editions Resource Kit, and Chapter 17, “Deploying Office 2003 Settings,” describes how to use them. Install other types of applications and customize their settings to your requirements just as you would customize Windows settings.
This last step is optional but I recommend it: remove artifacts from the user profile that you don't want to deploy. Artifacts include history lists and similar items. I have a preset route that I use to clean up a user profile. First I clear the Start menu and Internet Explorer's history lists. To do this:
In Control Panel, launch Taskbar And Start Menu. On the Start Menu tab, click Customize. On the Customize Start Menu dialog box's Advanced tab, click the Clear List button.
In Control Panel, launch Internet Options. In the Internet Options dialog box, click Clear History to remove Internet Explorer's history lists.
You don't need to worry about removing temporary Internet files because these are in the profile's Local Settings folder, and Windows doesn't copy them with the profile. If you opened Internet Explorer to customize it, however, you might clear out the cookies and AutoComplete lists. In the Internet Options dialog box, on the General tab, click Delete Cookies, and then on the Content tab, click AutoComplete, followed by Clear Forms and Clear Passwords.
After you're finished customizing and cleaning the account's settings, log off Windows. My last word of advice is to be cautious; don't open dialog boxes and programs that you don't intend to customize. Doing so keeps their settings out of the default user profile. For example, if you don't intend to customize Microsoft Windows Media Player, don't open the program.
Cleaning User Profiles
You cleaned the user profile a little bit in the previous section, but only to remove some artifacts from the profile hive. The next major step is to open the profile hive in Regedit and scour it for settings that you don't want to deploy or that you must change before deploying.
The most significant example is paths. User profiles contain references to the profile folder: %SystemDrive%\Documents and Settings\ Name. If you deploy the user profile to countless users, they'll all have different profile folders. When they try accessing the profile folder Name, Windows and programs will fail because the user doesn't have access to that folder. A more concrete example will make this clear. Assume you created a user profile using a template account named DefUser and deployed that profile to a user named Jerry. The user Jerry has access to %SystemDrive%\Documents and Settings\Jerry, but the folder %SystemDrive%\Documents and Settings\DefUser doesn't even exist. When the user Jerry runs a program that uses a setting containing the path to the DefUser user profile folder, the program causes an error. To correct this situation, follow these steps:
Log on to the computer containing the template user profile as Administrator.
In Regedit, load the NTUSER.DAT hive file from the template user profile folder. (See Chapter 2, “Using Registry Editor,” to learn about using hive files.)
Search the hive file for references to the template user profile folder. If the name of the folder is longer than eight characters, search for the long and short versions of the folder's name.
Remove values that contain the path of the template user profile folder.
Unload the hive file, and restart the computer.
Restarting the computer is often necessary because Windows locks the file and you can't copy it. Restarting the computer is the quickest way to force it to let go of the file.
When you remove values that contain the path of the template user profile folder in step 4, you're assuming that Windows and other programs re-create missing settings. This isn't always true. Some of my favorite applications fail to re-create missing settings. You'll learn which do and which don't through trial and error. You can handle the problem easily, though. Rather than removing the value permanently, replace a REG_SZ value with a REG_EXPAND_SZ value of the same name. Then set the value to the original path, substituting %USERPROFILE% for the portion that is the user profile folder. For example, if you see a REG_SZ value named Templates that contains C:\Documents and Settings\Jerry\Templates, remove the value; then add the value Templates back as a REG_EXPAND_SZ value, and set it to %USERPROFILE%\Templates. Test these changes in your lab to make sure they work properly.
In the previous section, you cleared some of the history lists using the Windows user interface. Take this opportunity to further neaten your work by removing the keys listed in Table 12-4. These correspond to most of the history lists that Windows keeps, including the Search Assistant and common dialog boxes.
History List | Key |
Internet Explorer's address bar | HKCU\Software\Microsoft\Internet Explorer\TypedURLs |
Run dialog box | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU |
Documents menu | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs |
Common dialog boxes | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU |
Search Assistant | HKCU\Software\Microsoft\Search Assistant\ACMru |
Creating Default User Folders
The template user profile is ready to go. All you have to do now is copy it. To open the User Profiles dialog box, in Control Panel, launch System. On the Advanced tab, click Settings in the User Profiles frame. In the User Profiles dialog box, click the template user profile and then click Copy To. In the Copy Profile To text box, shown in Figure 12-6, type the path to which you want to copy the profile. To keep things simple, I usually copy the profile folder to C:\Default User. Just make sure that the folder doesn't already exist. Also, give the Everyone group permission to use the profile, which is appropriate for a default user profile: click Change, type Everyone, and then click OK. The default user profile is ready to deploy, which you learn how to do in the next section.
Figure 12-6 Copy the template user profile using this dialog box; don't copy the folder using Windows Explorer because doing so copies artifacts that you don't want in the profile.
The method that I just described is common for creating a default user profile from a template user profile. I don't like it because user profiles expand greatly in size and complexity after Windows loads and uses them. A default user profile created using the method that I just described contains more files and folders than necessary. To use the more precise method that I prefer, follow these steps:
Copy %SystemDrive%\Documents and Settings\Default User to another location, such as C:\Default User. You want to keep the original Default User folder, just in case you have to start over again.
Copy the NTUSER.DAT hive file from the template user profile to your copy of the Default User folder, C:\Default User.
Copy other files from the template user profile folder to your copy of the Default User folder, C:\Default User. I tend to copy files from the following folders, assuming they contain files that I want to deploy:
\Application Data\Microsoft\Internet Explorer\Quick Launch
\Desktop
\Favorites
\NetHood
\PrintHood
\SendTo
\Templates
Deploying Default User Folders
After completing the steps in the preceding section, you have a default user profile that's ready for deployment. You have two choices. If you're deploying Windows using disk-imaging techniques, you can include the default user profile on the disk image. Replace %SystemDrive%\Documents and Settings\Default User with your own Default User folder. After replacing the Default User folder with your own, clone and deploy the disk image. When new users log on to the computer, they'll receive your default user profile and thus your settings.
I don't like customizing the local Default User folder as my sole means of deploying default settings, however. I prefer to separate settings from configurations. What if I need to update a setting down the line? I don't want to update the Default User folder on each computer in the organization.
The alternative is to copy the customized Default User folder to the NETLOGON share of the server. As you learned earlier in the chapter, Windows looks first for the network version of the Default User folder and then the local version. The first time users log on to a computer, Windows gets my default user profile from the network. Of course, the benefit is that I can always update it later. The primary problem with this method is that if users log on to their computers locally, they still get the local default user profile. That's the reason that I prefer doing both at the same time. I replace the Default User folder on disk images and also copy the same folder to the NETLOGON share of the server.
NOTE
An alternative to copying a default user profile to the NETLOGON share is keeping a user profile handy on the network and then copying it to users' network profile folders when you create new accounts. For example, stash away a default user profile somewhere on your server. Assuming that you're using roaming user profiles, copy the default user profile into new accounts' profile folders. The first time those users log on to Windows, the operating system downloads their roaming user profile, which you've already preconfigured. This is useful in one-off scenarios when you want users to have a profile other than the default. It's also useful in a heterogeneous environment, which often requires different user profiles for different versions of Windows.