Advantages of the User Profile
User profiles provide the following advantages:
After a successful logon, users start working with their own working environment
(including desktop settings) that existed at the time he/she last logged out.
Many users can share a single computer, and each user will get individual settings
for their working environment.
User profiles can be stored on the server; they may be used independently from the
workstation where the user logs on to the network. These user profiles are called
roaming user profiles.
From the administrator's point of view, user profiles provide specific advantages and are
Creating customized user settings
Specifying common settings for each user group
Assigning mandatory user profiles which can't be changed by the users and don't
allow them to change the system's configuration
As was already mentioned in Chapter 1, Windows XP and Windows Server 2003 provide
the following types of user profiles:
Local User Profiles. User profiles of this type are stored on the local computer's
hard disk. Any changes that you might introduce to the local user profile are
computer-specific and only apply to the computer on which these changes are
Roaming User Profile. Roaming user profiles are stored on the server, and are
available any time the user logs onto a network. Any changes made to a roaming
user profile are updated on the server.
Mandatory User Profile. This type of user profile can be created or updated only
by system administrators. Any changes the user makes to this type of profile are
lost when he or she logs off.
Note Mandatory user profiles are included with Windows XP and later only in order to
provide backward compatibility with existing Windows NT 4.0 domains. If you
have Windows 2000 domains in native mode or have even migrated to Windows
Server 2003 domains, and need to provide managed desktop configurations for
users and groups, it is recommended that you use Group Policy rather than
mandatory user profiles. Group Policy basics will be discussed later in this chapter.
The Settings Stored in the User Profile
Each user profile contains configuration settings and options customized for each
individual user. In practice, the user profile can be considered a "snapshot" of the user's
Main settings stored in the user profile are listed in Table 10.1.
Table 10.1: User Profile Settings
Working environment | User profile settings
Windows GUI | All user-specified settings of the Windows Explorer application or My Computer)
Taskbar | All personal program groups and their properties, all personal programs and their properties, all individual settings of the taskbar
Printer settings | All connections to network printers
Control Panel | All individual user-specific settings specified using Control Panel
Accessories | All user-specific customized settings of the applications that influence Windows NT/2000, Windows XP, or Windows Server 2003 working environments, including individual settings for Calculator, Notepad, Paint, Hyper-Terminal, etc.
Application settings | All Windows applications allow individual settings in relation to each individual user. If this information exists, it's stored in the user's registry hive (HKEY_CURRENT_USER)
Bookmarks in the online Help system | All Help bookmarks set by the user
Favorites registry | All registry keys marked by the user as Favorites
User Profile Structure
Each user profile consists of a registry hive (Ntuser.dat file, which is mapped to the
HKEY_CLASSES_ROOT registry key when the user logs on) and a set of folders in the
file system of your computer. Since the release of Windows NT 4.0, the default location
of user profiles has changed in order to allow administrators to provide better security for
the operating system folders without affecting user data. Let us consider the default
location of user profiles in more detail.
All Windows NT user profiles are stored in the %SystemRoot%\Profiles folder. When
you log onto the system for the first time, the system creates a new profile for you based
on the Default User profile, present on each Windows NT Workstation or Windows NT
Server computer. The \Default User folder and profile folders for individual users contain
the Ntuser.dat and Ntuser.dat.log files (user profile hive and its log) together with the
The naming conventions for the user profile folders have changed with Windows 2000.
In general, the location of Windows 2000, Windows XP, or Windows Server 2003 user
profiles depends on the method used to install the operating system:
If Windows 2000, Windows XP, or Windows Server 2003 was installed fresh, the
Setup program will create a new folder for storing user profiles:
%SystemDrive%:\Documents and Settings (for example, C:\Documents and
If the system was installed as an upgrade from the previous Windows NT versions,
user profile folders will be located in the %SystemRoot%\Profiles folder (like in
Windows NT 4.0).
Note Later in this chapter, we'll use the %ProfilePath% variable to specify a path to the
folder that contains user profiles.
The locations of user profiles for each of the possible types of OS installation are briefly
described in Table 10.2.
Table 10.2: User Profile Locations
Installation type | User profiles location
Clean installation of Windows 2000, Windows XP or Windows Server 2003 (no previous operating system) | %SystemDrive%\Documents and Settings; for example, C:\Documents and Settings
Upgrade from Windows 2000 | %SystemDrive%\Documents and Settings; for example, C:\Documents and Settings
Upgrade from Windows NT 4.0 | %SystemRoot%\Profiles; for example,
Windows 2000 or Windows XP systems upgraded from Windows 9x/ME | %SystemDrive%\Documents and Settings; for example, C:\Documents and Settings
Like the previous versions of Windows NT/2000, Windows XP and Windows Server
2003 automatically create a user profile when the new user first logs onto the system. To
store this profile, the system creates a new nested folder named after the login name of
the new user and located under the %ProfilePath% folder. The path to this folder will be
saved in the system registry and associated with the user's security identifier (Security ID,
Note Also notice that many users, even experienced ones, often think that the system
identifies each user by his or her username (or login name) and the password. This
isn't so; it's the SID that uniquely identifies the user. User profiles are also identified
by their associated SIDs (Fig. 10.1).
Figure 10.1: The HKEY_USERS registry key
The HKEY_USERS registry key contains the default user profile as well as profiles for
all user accounts currently logged on to the computer. The HKEY_USERS\.DEFAULT
key contains parameters that the system applies before any user logs on to the system.
Other subkeys represent SIDs of the currently logged on user accounts:
HKEY_USERS\S-1-5-18 — This subkey contains parameters for the
LocalSystem, an identity used locally by the OS and by services configured to log
on as LocalSystem. Notice that this identity is a hidden member of the
Administrators group. That is, any process running as LocalSystem has the SID
for the Administrators built-in group in its access token.
HKEY_USERS\S-1-5-19 — This subkey contains parameters for the
LocalService, an identity used by services that do not need such extensive local
privileges as Local System, and do not need authenticated network access.
HKEY_USERS\S-1-5-20 — This subkey contains parameters for the
NetworkService, an identity used by services that do not need extensive local
privileges, but do require authenticated network access.
Note All three above-listed SIDs are well-known SIDs (more information on well-
known SIDs was provided in Chapter 9). Also notice that NetworkService
(S-1-5-20) and LocalService (S-1-5-19) are newly introduced built-in
accounts, only existing in Windows XP and Windows Server 2003 in order
to reduce the number of services running in the SYSTEM context. Therefore,
the HKEY_USERS registry key in Windows 2000 or earlier does not contain
subkeys identified by these SIDs.
HKEY_USERS\CURRENT_USER_SID (in the example shown in Fig. 10.1, the
CURRENT_USER_SID is S-1-5-21-1292428093-1343024091-12804019-1107).
This subkey contains parameters that correspond to the current user, who has
logged on locally.
HKEY_USERS\SID_Classes — these subkeys contain file associations and COM
classes for specific SIDs.
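The following script is an added example (not code from the chapter) that walks the HKEY_USERS key described above, labels each subkey as .DEFAULT, a well-known service SID, a user SID or a SID_Classes key, and shows the profile folder the registry associates with that SID. It assumes an administrative PowerShell prompt and the standard ProfileList key, which the chapter does not name; re-running it after a secondary logon shows the additional subkeys that Run As creates.

```powershell
# Added example (not from the chapter): report every subkey of HKEY_USERS, what it
# represents, and the profile folder recorded for that SID. Run as an administrator.

# Well-known service SIDs the chapter describes.
$wellKnown = @{
    'S-1-5-18' = 'LocalSystem (hidden member of Administrators)'
    'S-1-5-19' = 'LocalService (no authenticated network access)'
    'S-1-5-20' = 'NetworkService (authenticated network access)'
}

# Assumption: standard location where Windows records the SID-to-profile-folder
# mapping (the chapter only says the path is "saved in the registry").
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Resolve-SidToAccount([string]$Sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Deleted accounts and accounts from unreachable domains do not resolve
        return '(unresolved SID)'
    }
}

function Get-HkuSubkeyReport {
    Get-ChildItem Registry::HKEY_USERS | ForEach-Object {
        $name = $_.PSChildName
        if ($name -eq '.DEFAULT') {
            $kind = 'Settings applied before any user logs on'
        } elseif ($name -like '*_Classes') {
            $kind = 'File associations / COM classes for ' + ($name -replace '_Classes$', '')
        } elseif ($wellKnown.ContainsKey($name)) {
            $kind = 'Service identity: ' + $wellKnown[$name]
        } elseif ($name -like 'S-1-5-21-*') {
            # Local or domain account: an interactive logon or a Run As secondary logon
            $kind = 'User account: ' + (Resolve-SidToAccount $name)
        } else {
            $kind = 'Other'
        }
        # Profile folder recorded for this SID (no entry exists for *_Classes keys)
        $path = $null
        $entry = Join-Path $profileList $name
        if (Test-Path $entry) {
            $path = (Get-ItemProperty $entry).ProfileImagePath
        }
        New-Object PSObject -Property @{ Subkey = $name; Kind = $kind; ProfileFolder = $path }
    } | Select-Object Subkey, Kind, ProfileFolder
}

Get-HkuSubkeyReport | Format-Table -AutoSize -Wrap
```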
Starting with Windows 2000, Microsoft has introduced the so-called Run As
functionality, also known as secondary logon. This feature is designed to provide users
with the capability of starting programs under different security contexts. For example,
administrators can log on as ordinary users, and invoke a secondary logon
(administrative) in order to run administrative tools without needing to log off. To start a
program under a different security context, it is sufficient to right-click the file that you
want to start, and then select the Run As command from the context menu. The Run As
dialog will open (Fig. 10.2), where you will be able to select the user account with
Figure 10.2: Using a secondary logon
Note Secondary logons represent a security enhancement, which protects the system
against unintended actions, attacks on the local Administrator account and Trojan
Horse attacks while accessing non-trusted sites using Internet Explorer.
After the user invokes a secondary logon and provides credentials for the administrative
account, Windows will load additional settings for the secondary logon, and new subkeys
will appear under HKEY_USERS registry key (Fig. 10.3).
Figure 10.3: The contents of the HKEY_USERS registry key after invoking a secondary
Note If Run As functionality is unavailable, check if the Secondary Logon service is
started (Fig. 10.4).
Figure 10.4: The Run As functionality depends on the Secondary Logon service
When the user logs into the local system using a local or domain user account, and the
%ProfilePath% folder doesn't contain a subfolder with a name like the user's login name,
the system will create such a folder. The path to this folder will be saved in the registry
and associated with the user's SID. For example, if "Olga" logs into the Windows
2000/XP or Windows Server 2003 system, the system will create a folder named
%SystemDrive%:\Documents and Settings\Olga to store a new user profile (Fig. 10.5).
Figure 10.5: Typical contents of the user profile folder
Later, if a user from another domain, having the same login name, attempts to log on to
the network from this computer, the system will create another user profile folder for
them. The folder will be named using the following format: %SystemDrive%:\Documents
and Settings\Olga [DOMAIN_NAME], where [DOMAIN_NAME] is the name of the
domain to which the user account with the duplicated user name belongs.
If both the login and domain names are the same, but the SIDs of the two user accounts are
different (this may happen when you delete a user account, and then create another one
with the same name belonging to the same domain), the system will create new user
profile folders named as follows: %SystemDrive%:\Documents and Settings\Olga
[DOMAIN_NAME].000, %SystemDrive%:\Documents and Settings\Olga
Note As I mentioned before, Windows NT 4.0 stores all locally cached user profiles in
the %SystemRoot%\Profiles folder. If you've installed the newer version as an
upgrade from Windows NT, the system will continue using this folder for storing
user profiles. If you've installed a new copy of Windows 2000, Windows XP, or
Windows Server 2003, the Setup program will create a new "Documents and
Settings" folder for storing user profiles. This folder will be located on the same
partition with the Windows 2000/XP or Windows Server 2003 operating system.
Notice that some legacy applications use hard-coded pathnames to access locally
cached user profiles. This may cause a problem in mixed environments. For
example, if the path to the user profile is coded "%SystemRoot%\Profiles", the
program may behave as expected in Windows NT 4.0, but it will fail to find the user
profile in Windows 2000, Windows XP, or Windows Server 2003.
Now let us consider in more detail the preferences stored in the profile directories. The
screenshot shown in Fig. 10.5 illustrates the typical structure of the user profile, which in
Windows XP and Windows Server 2003 contains the following folders:
Application data[*]. Application-specific data, such as a custom dictionary for a
word processing program. Application vendors decide what data to store in this
Cookies. Internet Explorer cookies.
Desktop. Desktop items, including files and shortcuts.
Favorites. Internet Explorer favorites.
Local Settings[*]. Application settings and data that do not roam with the profile.
Usually either machine-specific, or too large to roam effectively.
    Application data. Computer-specific application data.
    History. Internet Explorer history.
    Temp. Temporary files.
    Temporary Internet Files. Internet Explorer offline cache.
My Documents. The new default location for any documents that the user creates.
Applications should be written to save files here by default.
My Pictures. Default location for user's pictures.
My Music. Default locations for user's music files.
NetHood[*]. Shortcuts to Network Neighborhood items.
PrintHood[*]. Shortcuts to printer folder items.
Recent. Shortcuts to the most recently used documents.
SendTo. Shortcuts to document storage locations and applications.
Start Menu. Shortcuts to program items.
Templates[*]. Shortcuts to template items.
Note By default, the Local Settings folder and its subfolders do not roam with the
profile. This folder contains application data not required to roam with the user,
such as temporary files, non-critical settings, and data too large to roam efficiently.
The Ntuser.dat File
The Ntuser.dat file is the part of the registry that actually supports the user profile. This
file is the cached copy of the local HKEY_CURRENT_USER subtree (Fig. 10.6). It
stores the settings, which define the working environment for the currently logged on
Figure 10.6: The settings defining the working environment for the currently logged on
user are stored under HKEY_CURRENT_USER
Defining Initial Settings for New Users
Many tips and registry hacks that specify "how to" modify the settings related to specific
users recommend that you log on to the system as that user and then modify specific
parameters under the HKEY_CURRENT_USER registry key. However, this approach
seems impractical when you need to apply the setting to multiple users (just consider how
many times you would need to log on, start the registry editor to introduce the same
modification, then log off). If this is the case, the small tip provided here will help you to
specify unified initial settings for all new users who log on to the system for the first
time. The main idea here is that any modification that you can introduce to the
HKEY_CURRENT_USER registry key can also be made to the default user hive.
To modify the default user profile hive, do the following:
1. Start Regedit.exe, highlight the HKEY_USERS key and select the Load Hive
command from the File menu.
2. Select the Ntuser.dat file from the %SystemDrive%\Documents and
Settings\Default User folder.
3. Enter the name for the hive to be loaded (for example, NTUSER) into the Key
Name dialog. Now introduce any desired modification to any key or value entry
within the newly loaded NTUSER hive.
4. Having finished, right-click the NTUSER hive, select the Permissions command
from the context menu, and assign Read permission to the Everyone group (Fig.
10.7). Then click Advanced and make sure that permissions are inherited by all
subkeys of the default hive being modified.
Figure 10.7: Setting permissions for the modified default user hive
5. Unload the hive and close registry editor. Now all new users will have the settings
that you specified.
Note This tip also works for Windows 2000 and previous versions. However, in this case,
you'll need to use Regedt32.exe, and edit the default Ntuser.dat hive file, which is
usually located in the %SystemDrive%\Documents and Settings\Default User folder
(Windows 2000) or under %windir%\Profiles\Default User directory (Windows NT
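The five-step procedure above can also be scripted, which matters when the same default-user change has to be rolled out to many workstations. The script below is an added example (not from the chapter) that loads the Default User hive with reg.exe, writes a placeholder value, grants Everyone inheritable Read permission on the loaded hive, and unloads it again; it assumes the Windows XP/Server 2003 profile layout and an administrative PowerShell prompt, and the key and value it writes are placeholders for the setting you actually want.

```powershell
# Added example (not from the chapter): script the "modify the default user hive"
# procedure. Assumes XP/2003 layout; the key/value written in step 3 are placeholders.
$hiveFile  = "$env:SystemDrive\Documents and Settings\Default User\NTUSER.DAT"
$mountName = 'NTUSER'                           # key name for the loaded hive (step 3)
$mounted   = "Registry::HKEY_USERS\$mountName"

function Set-DefaultUserSetting {
    # Steps 1-2: load the default user's hive under HKEY_USERS\NTUSER
    & reg.exe load "HKU\$mountName" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hiveFile" }
    try {
        # Step 3: the modification itself (placeholder key and value name)
        & reg.exe add "HKU\$mountName\Software\ExampleVendor\ExampleApp" `
            /v HypotheticalSetting /t REG_DWORD /d 1 /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg add failed' }

        # Step 4: Read permission for Everyone (well-known SID S-1-1-0, so the rule
        # does not depend on the localized group name), inherited by all subkeys
        $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
            $everyone, 'ReadKey', 'ContainerInherit', 'None', 'Allow'
        $acl = Get-Acl -Path $mounted
        $acl.AddAccessRule($rule)
        Set-Acl -Path $mounted -AclObject $acl
    } finally {
        # Step 5: drop handles the registry provider may still hold, then unload;
        # a hive left loaded is never copied to new users and blocks later edits
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$mountName" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning 'reg unload failed; close Regedit and retry' }
    }
}

Set-DefaultUserSetting
```

Users whose profiles already exist are unaffected, exactly as with the manual procedure: the default hive is copied only at a user's first logon.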
Fixing a Corrupt User Profile
If you have a misbehaving user account, this might be due to a corrupt user profile. To
determine if the profile is corrupt, proceed as follows:
1. Create a new temporary account and assign it the same rights and group
membership as the suspect account.
2. Log on to the system as a new temporary user. The new profile for that user will
3. Log off, then log on with administrative privileges. Start the System applet in
Control Panel, go to the Advanced tab, and click the Settings button in the User
Profiles group. The User Profiles window (Fig. 10.8) will open. Select the
suspected profile and click the Copy To button.
Figure 10.8: The User Profiles window
4. The Copy To window will open (Fig. 10.9). Click the Browse button, select the
newly created temporary account under the %SystemDrive%\Documents and
Settings folder and click OK.
Figure 10.9: The Copy To window
5. Click the Change button in the Permitted to use option group and set the
appropriate permissions, then click OK.
6. Log off, then log on as a new temporary user. If you experience the same problem,
then the user profile is actually corrupt. In this case, locate the corrupt user profile
in the %SystemDrive%\Documents and Settings folder, and delete the whole user
profile folder. When the user logs on, the system will create a new user profile. If
the problem has been eliminated, this means that it was not caused by a corrupt
user profile. Most probably, the user account itself is corrupt and must be deleted
[*] These directories are hidden by default. To see these directories, change the View |