Unicode Explained

User profiles provide the following advantages:

• After a successful logon, users start working with their own working environment (including desktop settings) that existed at the time he/she last logged out.

• Many users can share a single computer, and each user will get individual settings for their working environment.

• User profiles can be stored on the server; they may be used independently from the workstation where the user logs on to the network. These user profiles are called roaming user profiles.

From the administrator's point of view, user profiles provide specific advantages and are capable of:

• Creating customized user settings

• Specifying common settings for each user group

• Assigning mandatory user profiles which can't be changed by the users and don't allow them to change the system's configuration

As was already mentioned in Chapter 1, Windows XP and Windows Server 2003 provide the following types of user profiles:

• Local User Profiles. User profiles of this type are stored on the local computer's hard disk. Any changes that you might introduce to the local user profile are computer-specific and only apply to the computer on which these changes are made.

• Roaming User Profile. Roaming user profiles are stored on the server, and are available any time the user logs onto a network. Any changes made to a roaming user profile are updated on the server.

• Mandatory User Profile. This type of user profile can be created or updated only by system administrators. Any changes the user makes to this type of profile are lost when he or she logs off.

The Settings Stored in the User Profile

Each user profile contains configuration settings and options customized for each individual user. In practice, the user profile can be considered a "snapshot" of the user's working environment.

Main settings stored in the user profile are listed in Table 10.1.

User Profile Structure

Each user profile consists of a registry hive (Ntuser.dat file, which is mapped to the HKEY_CLASSES_ROOT registry key when the user logs on) and a set of folders in the file system of your computer. Since the release of Windows NT 4.0, the default location of user profiles has changed in order to allow administrators to provide better security for the operating system folders without affecting user data. Let us consider the default location of user profiles in more detail.

All Windows NT user profiles are stored in the %SystemRoot%\Profiles folder. When you log onto the system for the first time, the system creates a new profile for you based on the Default User profile, present on each Windows NT Workstation or Windows NT Server computer. The \Default User folder and profile folders for individual users contain the Ntuser.dat and Ntuser.dat.log files (user profile hive and its log) together with the desktop shortcuts.

The naming conventions for the user profile folders have changed with Windows 2000. In general, the location of Windows 2000, Windows XP, or Windows Server 2003 user profiles depends on the method used to install the operating system:

• If Windows 2000, Windows XP, or Windows Server 2003 was installed fresh, the Setup program will create a new folder for storing user profiles: %SystemDrive%:\Documents and Settings (for example, C:\Documents and Settings).

• If the system was installed as an upgrade from the previous Windows NT versions, user profile folders will be located in the %SystemRoot%\Profiles folder (like in Windows NT 4.0).

The locations of user profiles for each of the possible types of OS installation are briefly described in Table 10.2.

Like the previous versions of Windows NT/2000, Windows XP and Windows Server 2003 automatically create a user profile when the new user first logs onto the system. To store this profile, the system creates a new nested folder named after the login name of the new user and located under the %ProfilePath% folder. The path to this folder will be saved in the system registry and associated with the user's security identifier (Security ID, SID).

Figure 10.1: The HKEY_USERS registry key

The HKEY_USERS registry key contains the default user profile as well as profiles for all user accounts currently logged on to the computer. The HKEY_USERS\.DEFAULT key contains parameters that the system applies before any user logs on to the system. Other subkeys represent SIDs of the currently logged on user accounts:

• HKEY_USERS\S-1-5-18 — This subkey contains parameters for the LocalSystem, an identity used locally by the OS and by services configured to log on as Local-System. Notice that this identity is a hidden member of the Administrators group. That is, any process running as LocalSystem has the SID for the Administrators built-in group in its access token.

• HKEY_USERS\S-1-5-19 — This subkey contains parameters for the LocalService, an identity used by services that do not need such extensive local privileges as Local System, and do not need authenticated network access.

• HKEY_USERS\S-1-5-20 — This subkey contains parameters for the NetworkService, an identity used by services that do not need extensive local privileges, but do require authenticated network access.

  Note

  All three above-listed SIDs are well-known SIDs (more information on well-known SIDs was provided in Chapter 9). Also notice that NetworkService (S-1-5-20) and LocalService (s-1-5-19) are newly introduced built-in accounts, only existing in Windows XP and Windows Server 2003 in order to reduce the number of services running in the SYSTEM context. Therefore, the HKEY_USERS registry key in Windows 2000 or earlier does not contain subkeys identified by these SIDs.

• HKEY_USERS\CURRENT_USER_SID (in the example shown in Fig. 10.1, the CURRENT_USER_SID is S-1-5-21-1292428093-1343024091-12804019-1107). This subkey contains parameters that correspond to the current user, who has logged on locally.

• HKEY_USERS\SID_Classes — these subkeys contain file associations and COM classes for specific SIDs

Starting with Windows 2000, Microsoft has introduced the so-called Run As functionality, also known as secondary logon. This feature is designed to provide users with the capability of starting programs under different security contexts. For example, administrators can log on as ordinary users, and invoke a secondary logon (administrative) in order to run administrative tools without needing to log off. To start a program under a different security context, it is sufficient to right-click the file that you want to start, and then select the Run As command from the context menu. The Run As dialog will open (Fig. 10.2), where you will be able to select the user account with administrative rights.

Figure 10.2: Using a secondary logon

After the user invokes a secondary logon and provides credentials for the administrative account, Windows will load additional settings for the secondary logon, and new subkeys will appear under HKEY_USERS registry key (Fig. 10.3).

Figure 10.3: The contents of the HEKY_USERS registry key after invoking a secondary logon

Figure 10.4: The Run As functionality depends on the Secondary Logon service

When the user logs into the local system using a local or domain user account, and the %ProfilePath% folder doesn't contain a subfolder with a name like the user's login name, the system will create such a folder. The path to this folder will be saved in the registry and associated with the user's SID. For example, if "Olga" logs into the Windows 2000/XP or Windows Server 2003 system, the system will create a folder named %SystemDrive%:\Documents and Settings\Olga to store a new user profile (Fig. 10.5).

Figure 10.5: Typical contents of the user profile folder

Later, if a user from another domain, having the same login name, attempts to log on to the network from this computer, the system will create another user profile folder for them. The folder will be named using the following format: %SystemDrive%:\Documents and Settings\Olga [DOMAIN_NAME], where [DOMAIN_NAME] is the name of the domain to which the user account with the duplicated user name belongs to.

If both the login and domain names are the same, but the SIDs of two user accounts are different (this may happen when you delete a user account, and then create another one with the same name belonging to the same domain), the system will create a new user profile folders named as follows: %SystemDrive%:\Documents and Settings\Olga [DOMAIN_NAME].000, %SystemDrive%:\Documents and Settings\Olga [DOMAIN_NAME].001, etc.

Now let us consider in more detail the preferences stored in the profile directories. The screenshot shown in Fig. 10.5 illustrates the typical structure of the user profile, which in Windows XP and Windows Server 2003 contains the following folders:

• Application data^[*]. Application-specific data, such as a custom dictionary for a word processing program. Application vendors decide what data to store in this directory.

• Cookies. Internet Explorer cookies.

• Desktop. Desktop items, including files and shortcuts.

• Favorites. Internet Explorer favorites.

• Local Settings^[*]. Application settings and data that do not roam with the profile. Usually either machine-specific, or too large to roam effectively.

  • Application data. Computer-specific application data.

  • History. Internet Explorer history.

  • Temp. Temporary files.

  • Temporary Internet Files. Internet Explorer offline cache.

• My Documents. The new default location for any documents that the user creates. Applications should be written to save files here by default.

  • My Pictures. Default location for user's pictures.

  • My Music. Default locations for user's music files.

• NetHood^[*]. Shortcuts to Network Neighborhood items.

• PrintHood^[*]. Shortcuts to printer folder items.

• Recent. Shortcuts to the most recently used documents.

• SendTo. Shortcuts to document storage locations and applications.

• Start Menu. Shortcuts to program items.

• Templates^[*]. Shortcuts to template items.

The Ntuser.dat File

The Ntuser.dat file is the part of the registry that actually supports the user profile. This file is the cached copy of the local HKEY_CURRENT_USER subtree (Fig. 10.6). It stores the settings, which define the working environment for the currently logged on user.

Figure 10.6: The settings defining the working environment for the currently logged on user are stored under HKEY_CURRENT_USER

Defining Initial Settings for New Users

Many tips and registry hacks that specify "how to" modify the settings related to specific users recommend that you log on to the system as that user and then modify specific parameters under the HKEY_CURRENT_USER registry key. However, this approach seems impractical when you need to apply the setting to multiple users (just consider how many times you would need to log on, start the registry editor to introduce the same modification, then log off). If this is the case, the small tip provided here will help you to specify unified initial settings for all new users who log on to the system for the first time. The main idea here is, that any modification that you can introduce to the HKEY_CURRENT_USER registry key can also be made to the default user hive.

To modify the default user profile hive, do the following:

1. Start Regedit.exe, highlight the HKEY_USERS key and select the Load Hive command from the File menu.

2. Select the Ntuser.dat file from the %SystemDrive%\Documents and Settings\Default User folder.

3. Enter the name for the hive to be loaded (for example, NTUSER) into the Key Name dialog. Now introduce any desired modification to any key or value entry within the newly loaded NTUSER hive.

4. Having finished, right-click the NTUSER hive, select the Permissions command from the context menu, and assign Read permission to the Everyone group (Fig. 10.7). Then click Advanced and make sure that permissions are inherited by all subkeys of the default hive being modified.

   Figure 10.7: Setting permissions for the modified default user hive

5. Unload the hive and close registry editor. Now all new users will have the settings that you specified.

Fixing a Corrupt User Profile

If you have a misbehaving user account, this might be due to a corrupt user profile. To determine if the profile is corrupt, proceed as follows:

1. Create a new temporary account and assign it the same rights and group membership as the suspect account.

2. Log on to the system as a new temporary user. The new profile for that user will be created.

3. Log off, then log on with administrative privileges. Start the System applet in Control Panel, go to the Advanced tab, and click the Settings button in the User Profiles group. The User Profiles window (Fig. 10.8) will open. Select the suspected profile and click the Copy To button.

   Figure 10.8: The User Profiles window

4. The Copy To window will open (Fig. 10.9). Click the Browse button, select the newly created temporary account under the %SystemDrive%\Documents and Settings folder and click OK.

   Figure 10.9: The Copy To window

5. Click the Change button in the Permitted to use option group and set the appropriate permissions, then click OK.

6. Log off, then log on as a new temporary user. If you experience the same problem, then the user profile is actually corrupt. In this case, locate the corrupt user profile in the %SystemDrive%\Documents and Settings folder, and delete the whole user profile folder. When the user logs on, the system will create a new user profile. If the problem has been eliminated, this means that it was not caused by a corrupt user profile. Most probably, the user account itself is corrupt and must be deleted and recreated.

^[*]These directories are hidden by default. To see these directories, change the View | Options.