
Advantages of the User Profile

User profiles provide the following advantages:

- After a successful logon, users start working with their own working environment (including desktop settings) as it existed when they last logged off.
- Many users can share a single computer, and each user gets individual settings for their working environment.
- User profiles can be stored on a server, so they can be used independently of the workstation from which the user logs on to the network. Such profiles are called roaming user profiles.

From the administrator's point of view, user profiles make it possible to:

- Create customized user settings
- Specify common settings for each user group
- Assign mandatory user profiles, which can't be changed by users and don't allow them to change the system's configuration

As was already mentioned in Chapter 1, Windows XP and Windows Server 2003 provide the following types of user profiles:

- Local user profiles. User profiles of this type are stored on the local computer's hard disk. Any changes you make to a local user profile are computer-specific and apply only to the computer on which they are made.
- Roaming user profiles. Roaming user profiles are stored on a server and are available whenever the user logs on to the network. Any changes made to a roaming user profile are updated on the server.
- Mandatory user profiles. This type of user profile can be created or updated only by system administrators. Any changes the user makes to this type of profile are lost when he or she logs off.

Note: Mandatory user profiles are included with Windows XP and later only to provide backward compatibility with existing Windows NT 4.0 domains. If you have Windows 2000 domains in native mode or have migrated to Windows Server 2003 domains, and need to provide managed desktop configurations for users and groups, it is recommended that you use Group Policy rather than mandatory user profiles. Group Policy basics are discussed later in this chapter.

The Settings Stored in the User Profile
Each user profile contains configuration settings and options customized for an individual user. In practice, the user profile can be considered a "snapshot" of the user's working environment. The main settings stored in the user profile are listed in Table 10.1.

Table 10.1: User Profile Settings

  Working environment item              User profile settings
  ------------------------------------  ------------------------------------------------------------------------------
  Windows GUI                           All user-specified settings of the Windows Explorer application (Windows Explorer or My Computer)
  Taskbar                               All personal program groups and their properties, all personal programs and their properties, all individual settings of the taskbar
  Printer settings                      All connections to network printers
  Control Panel                         All individual user-specific settings specified using Control Panel applets
  Accessories                           All user-specific customized settings of the applications that influence the Windows NT/2000, Windows XP, or Windows Server 2003 working environment, including individual settings for Calculator, Notepad, Paint, HyperTerminal, etc.
  Application settings                  All Windows applications allow individual settings for each user. If this information exists, it is stored in the user's registry hive (HKEY_CURRENT_USER)
  Bookmarks in the online Help system   All Help bookmarks set by the user
  Favorites registry key                All registry keys marked by the user as Favorites

User Profile Structure

Each user profile consists of a registry hive (the Ntuser.dat file, which is mapped to the HKEY_CLASSES_ROOT registry key when the user logs on) and a set of folders in the file system of your computer. Since the release of Windows NT 4.0, the default location of user profiles has changed in order to allow administrators to provide better security for the operating system folders without affecting user data. Let us consider the default location of user profiles in more detail.
All Windows NT user profiles are stored in the %SystemRoot%\Profiles folder. When you log on to the system for the first time, the system creates a new profile for you based on the Default User profile, which is present on each Windows NT Workstation or Windows NT Server computer. The \Default User folder and the profile folders for individual users contain the Ntuser.dat and Ntuser.dat.log files (the user profile hive and its log) together with the desktop shortcuts.

The naming conventions for the user profile folders changed with Windows 2000. In general, the location of Windows 2000, Windows XP, or Windows Server 2003 user profiles depends on the method used to install the operating system:

- If Windows 2000, Windows XP, or Windows Server 2003 was installed fresh, the Setup program creates a new folder for storing user profiles: %SystemDrive%\Documents and Settings (for example, C:\Documents and Settings).
- If the system was installed as an upgrade from a previous Windows NT version, the user profile folders are located in the %SystemRoot%\Profiles folder (as in Windows NT 4.0).

Note: Later in this chapter, we'll use the %ProfilePath% variable to specify the path to the folder that contains user profiles.

The locations of user profiles for each of the possible types of OS installation are briefly described in Table 10.2.
Table 10.2: User Profile Locations

  Installation type                                                          User profiles location
  -------------------------------------------------------------------------  --------------------------------------------------------------------------
  Clean installation of Windows 2000, Windows XP or Windows Server 2003      %SystemDrive%\Documents and Settings; for example, C:\Documents and Settings
  (no previous operating system)
  Upgrade from Windows 2000                                                  %SystemDrive%\Documents and Settings; for example, C:\Documents and Settings
  Upgrade from Windows NT 4.0                                                %SystemRoot%\Profiles; for example, C:\WinNT\Profiles
  Windows 2000 or Windows XP systems upgraded from Windows 9x/ME             %SystemDrive%\Documents and Settings; for example, C:\Documents and Settings

Like the previous versions of Windows NT/2000, Windows XP and Windows Server 2003 automatically create a user profile when a new user first logs on to the system. To store this profile, the system creates a new nested folder, named after the login name of the new user and located under the %ProfilePath% folder. The path to this folder is saved in the system registry and associated with the user's security identifier (Security ID, SID).

Note: Many users, even experienced ones, think that the system identifies each user by his or her username (or login name) and password. This isn't so; it's the SID that uniquely identifies the user. User profiles are also identified by their associated SIDs (Fig. 10.1).

Figure 10.1: The HKEY_USERS registry key

The HKEY_USERS registry key contains the default user profile as well as profiles for all user accounts currently logged on to the computer. The HKEY_USERS\.DEFAULT key contains parameters that the system applies before any user logs on. The other subkeys represent the SIDs of the currently logged-on user accounts:

- HKEY_USERS\S-1-5-18 — This subkey contains parameters for LocalSystem, an identity used locally by the OS and by services configured to log on as LocalSystem. Notice that this identity is a hidden member of the Administrators group; that is, any process running as LocalSystem has the SID of the built-in Administrators group in its access token.
- HKEY_USERS\S-1-5-19 — This subkey contains parameters for LocalService, an identity used by services that do not need the extensive local privileges of LocalSystem and do not need authenticated network access.
- HKEY_USERS\S-1-5-20 — This subkey contains parameters for NetworkService, an identity used by services that do not need extensive local privileges but do require authenticated network access.

Note: All three SIDs listed above are well-known SIDs (more information on well-known SIDs was provided in Chapter 9). Also notice that NetworkService (S-1-5-20) and LocalService (S-1-5-19) are newly introduced built-in accounts, which exist only in Windows XP and Windows Server 2003, in order to reduce the number of services running in the SYSTEM context. Therefore, the HKEY_USERS registry key in Windows 2000 or earlier does not contain subkeys identified by these SIDs.
- HKEY_USERS\CURRENT_USER_SID (in the example shown in Fig. 10.1, CURRENT_USER_SID is S-1-5-21-1292428093-1343024091-12804019-1107) — This subkey contains parameters that correspond to the current user, who has logged on locally.
- HKEY_USERS\SID_Classes — These subkeys contain file associations and COM classes for specific SIDs.

Starting with Windows 2000, Microsoft introduced the so-called Run As functionality, also known as secondary logon. This feature gives users the ability to start programs under a different security context. For example, administrators can log on as ordinary users and invoke a secondary (administrative) logon in order to run administrative tools without needing to log off. To start a program under a different security context, right-click the file that you want to start and select the Run As command from the context menu. The Run As dialog opens (Fig. 10.2), where you can select a user account with administrative rights.

Figure 10.2: Using a secondary logon

Note: Secondary logons represent a security enhancement that protects the system against unintended actions, attacks on the local Administrator account, and Trojan horse attacks while accessing non-trusted sites using Internet Explorer.

After the user invokes a secondary logon and provides credentials for the administrative account, Windows loads additional settings for the secondary logon, and new subkeys appear under the HKEY_USERS registry key (Fig. 10.3).
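As an added example (written for this edit, not code from the book), the following Python classifies HKEY_USERS subkey names by the conventions described above: .DEFAULT, the three well-known service SIDs, account SIDs of the form S-1-5-21-<three sub-authorities>-<RID>, and the _Classes companion keys. The subkey list is constructed; the RID-500 pair standing in for the built-in Administrator after a Run As session and the live_hku_subkeys helper (which reads the real names through winreg on a Windows host) are assumptions of this example.

```python
"""Classify the subkeys found under HKEY_USERS by the SID that names them.

Added example, not from the book. It works on a constructed list of subkey
names so that it runs offline; live_hku_subkeys() reads the real names on a
Windows host.
"""
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three well-known SIDs the chapter lists under HKEY_USERS.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}
CLASSES_SUFFIX = "_Classes"  # per-SID file associations and COM classes


@dataclass(frozen=True)
class HkuEntry:
    subkey: str
    kind: str               # "default", "well-known", "user", "classes" or "other"
    sid: Optional[str]      # SID without any _Classes suffix; None for .DEFAULT
    account: Optional[str]  # well-known account name, if any
    rid: Optional[int]      # last sub-authority: the relative identifier


def parse_sid(sid: str) -> Tuple[int, List[int]]:
    """Split 'S-1-<authority>-<sub1>-...-<subN>' into (authority, sub-authorities)."""
    parts = sid.split("-")
    if (len(parts) < 4 or parts[0] != "S" or parts[1] != "1"
            or not all(p.isdigit() for p in parts[2:])):
        raise ValueError(f"not a SID string: {sid!r}")
    return int(parts[2]), [int(p) for p in parts[3:]]


def is_account_sid(authority: int, subs: List[int]) -> bool:
    """Local and domain accounts look like S-1-5-21-<three machine/domain IDs>-<RID>."""
    return authority == 5 and len(subs) == 5 and subs[0] == 21


def classify_hku_subkey(subkey: str) -> HkuEntry:
    if subkey == ".DEFAULT":
        return HkuEntry(subkey, "default", None, None, None)
    sid = subkey[:-len(CLASSES_SUFFIX)] if subkey.endswith(CLASSES_SUFFIX) else subkey
    authority, subs = parse_sid(sid)
    if sid != subkey:
        kind = "classes"
    elif sid in WELL_KNOWN_SIDS:
        kind = "well-known"
    elif is_account_sid(authority, subs):
        kind = "user"
    else:
        kind = "other"
    return HkuEntry(subkey, kind, sid, WELL_KNOWN_SIDS.get(sid), subs[-1])


def logged_on_accounts(subkeys: List[str]) -> List[str]:
    """SIDs of accounts with a loaded profile: one per interactive or Run As logon.

    .DEFAULT, the service identities and the *_Classes companions are skipped.
    """
    return [e.sid for e in map(classify_hku_subkey, subkeys) if e.kind == "user"]


def live_hku_subkeys() -> List[str]:
    """Enumerate the real HKEY_USERS subkeys (Windows only; not used by the sample)."""
    import winreg  # only importable on Windows
    names: List[str] = []
    with winreg.OpenKey(winreg.HKEY_USERS, "") as hku:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(hku, index))
            except OSError:  # no more subkeys
                return names
            index += 1


# Constructed sample: HKEY_USERS after the user from Fig. 10.1 (RID 1107) has
# started a Run As session as the built-in Administrator (RID 500, assumed).
SAMPLE_HKU = [
    ".DEFAULT",
    "S-1-5-18",
    "S-1-5-19",
    "S-1-5-20",
    "S-1-5-21-1292428093-1343024091-12804019-1107",
    "S-1-5-21-1292428093-1343024091-12804019-1107_Classes",
    "S-1-5-21-1292428093-1343024091-12804019-500",
    "S-1-5-21-1292428093-1343024091-12804019-500_Classes",
]

if __name__ == "__main__":
    names = live_hku_subkeys() if sys.platform == "win32" else SAMPLE_HKU
    for entry in map(classify_hku_subkey, names):
        print(f"{entry.subkey:56} {entry.kind:10} {entry.account or '':14} rid={entry.rid}")
    print("accounts with a loaded profile:", logged_on_accounts(names))
```

Filtering to the "user" entries is the quick way to see, from a registry snapshot, which accounts had a profile loaded when it was taken, secondary logons included; the well-known service SIDs are always present and say nothing about interactive use.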
Figure 10.3: The contents of the HKEY_USERS registry key after invoking a secondary logon

Note: If the Run As functionality is unavailable, check that the Secondary Logon service is started (Fig. 10.4).

Figure 10.4: The Run As functionality depends on the Secondary Logon service

When a user logs on to the local system using a local or domain user account, and the %ProfilePath% folder doesn't contain a subfolder named after the user's login name, the system creates such a folder. The path to this folder is saved in the registry and associated with the user's SID. For example, if "Olga" logs on to a Windows 2000/XP or Windows Server 2003 system, the system creates a folder named %SystemDrive%\Documents and Settings\Olga to store the new user profile (Fig. 10.5).

Figure 10.5: Typical contents of the user profile folder
Later, if a user from another domain with the same login name attempts to log on to the network from this computer, the system creates another user profile folder for them. The folder is named using the following format: %SystemDrive%\Documents and Settings\Olga [DOMAIN_NAME], where [DOMAIN_NAME] is the name of the domain to which the user account with the duplicated user name belongs. If both the login and domain names are the same but the SIDs of the two user accounts are different (this may happen when you delete a user account and then create another one with the same name in the same domain), the system creates new user profile folders named as follows: %SystemDrive%\Documents and Settings\Olga [DOMAIN_NAME].000, %SystemDrive%\Documents and Settings\Olga [DOMAIN_NAME].001, etc.

Note: As I mentioned before, Windows NT 4.0 stores all locally cached user profiles in the %SystemRoot%\Profiles folder. If you've installed the newer version as an upgrade from Windows NT, the system continues to use this folder for storing user profiles. If you've installed a new copy of Windows 2000, Windows XP, or Windows Server 2003, the Setup program creates a new "Documents and Settings" folder for storing user profiles, located on the same partition as the Windows 2000/XP or Windows Server 2003 operating system. Notice that some legacy applications use hard-coded pathnames to access locally cached user profiles, which may cause problems in mixed environments. For example, if the path to the user profile is hard-coded as "%SystemRoot%\Profiles", the program may behave as expected in Windows NT 4.0, but it will fail to find the user profile in Windows 2000, Windows XP, or Windows Server 2003.

Now let us consider in more detail the preferences stored in the profile directories. The screenshot shown in Fig. 10.5 illustrates the typical structure of the user profile, which in Windows XP and Windows Server 2003 contains the following folders:

- Application Data[*]. Application-specific data, such as a custom dictionary for a word processing program. Application vendors decide what data to store in this folder.
- Cookies. Internet Explorer cookies.
- Desktop. Desktop items, including files and shortcuts.
- Favorites. Internet Explorer favorites.
- Local Settings[*]. Application settings and data that do not roam with the profile; usually either machine-specific or too large to roam effectively. It contains:
  - Application Data. Computer-specific application data.
  - History. Internet Explorer history.
  - Temp. Temporary files.
  - Temporary Internet Files. Internet Explorer offline cache.
- My Documents. The new default location for any documents that the user creates. Applications should be written to save files here by default.
- My Pictures. Default location for the user's pictures.
- My Music. Default location for the user's music files.
- NetHood[*]. Shortcuts to Network Neighborhood items.
- PrintHood[*]. Shortcuts to printer folder items.
- Recent. Shortcuts to the most recently used documents.
- SendTo. Shortcuts to document storage locations and applications.
- Start Menu. Shortcuts to program items.
- Templates[*]. Shortcuts to template items.

Note: By default, the Local Settings folder and its subfolders do not roam with the profile. This folder contains application data that is not required to roam with the user, such as temporary files, non-critical settings, and data too large to roam efficiently.

The Ntuser.dat File

The Ntuser.dat file is the part of the registry that actually supports the user profile. This file is the cached copy of the local HKEY_CURRENT_USER subtree (Fig. 10.6). It stores the settings that define the working environment for the currently logged-on user.

Figure 10.6: The settings defining the working environment for the currently logged-on user are stored under HKEY_CURRENT_USER

Defining Initial Settings for New Users

Many tips and registry hacks that explain how to modify settings for specific users recommend that you log on to the system as that user and then modify specific parameters under the HKEY_CURRENT_USER registry key. However, this approach is impractical when you need to apply the setting to multiple users (just consider how many times you would need to log on, start the registry editor to make the same modification, then log off). In this case, the small tip provided here helps you specify unified initial settings for all new users who log on to the system for the first time. The main idea is that any modification you can make to the HKEY_CURRENT_USER registry key can also be made to the default user hive. To modify the default user profile hive, do the following:

1. Start Regedit.exe, highlight the HKEY_USERS key, and select the Load Hive command from the File menu.
2. Select the Ntuser.dat file from the %SystemDrive%\Documents and Settings\Default User folder.
3. Enter a name for the hive to be loaded (for example, NTUSER) in the Key Name dialog. Now make any desired modifications to any key or value entry within the newly loaded NTUSER hive.
4. When finished, right-click the NTUSER hive, select the Permissions command from the context menu, and assign Read permission to the Everyone group (Fig. 10.7). Then click Advanced and make sure that the permissions are inherited by all subkeys of the default hive being modified.

Figure 10.7: Setting permissions for the modified default user hive

5. Unload the hive and close the registry editor. All new users will now have the settings that you specified.

Note: This tip also works for Windows 2000 and previous versions. However, in this case you'll need to use Regedt32.exe and edit the default Ntuser.dat hive file, which is usually located in the %SystemDrive%\Documents and Settings\Default User folder (Windows 2000) or the %windir%\Profiles\Default User folder (Windows NT 4.0).

Fixing a Corrupt User Profile

If you have a misbehaving user account, this might be due to a corrupt user profile. To determine whether the profile is corrupt, proceed as follows:
1. Create a new temporary account and assign it the same rights and group membership as the suspect account.
2. Log on to the system as the new temporary user. A new profile for that user is created.
3. Log off, then log on with administrative privileges. Start the System applet in Control Panel, go to the Advanced tab, and click the Settings button in the User Profiles group. The User Profiles window (Fig. 10.8) opens. Select the suspect profile and click the Copy To button.

Figure 10.8: The User Profiles window

4. The Copy To window opens (Fig. 10.9). Click the Browse button, select the newly created temporary account under the %SystemDrive%\Documents and Settings folder, and click OK.

Figure 10.9: The Copy To window

5. Click the Change button in the Permitted to use option group, set the appropriate permissions, then click OK.
6. Log off, then log on as the new temporary user. If you experience the same problem, the user profile is indeed corrupt. In this case, locate the corrupt user profile in the %SystemDrive%\Documents and Settings folder and delete the whole user profile folder. When the user logs on, the system creates a new user profile. If the problem has disappeared, it was not caused by a corrupt user profile; most probably the user account itself is corrupt and must be deleted and recreated.

[*] These folders are hidden by default. To see them, change the settings under View | Options.
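To tie together the profile-folder naming rules (Olga, Olga [DOMAIN_NAME], Olga [DOMAIN_NAME].000, ...) and the delete-and-recreate cases from the corrupt-profile procedure above, here is an added Python model that is not part of the book. It keeps the registry's SID-to-folder association as a dict and the profile tree as a dict of folder names, and applies the chapter's three naming cases in order; the SIDs other than Olga's (which is the one shown in Fig. 10.1), the ProfileStore class and the %ProfilePath% value are constructed for this example.

```python
"""Model of how Windows XP / Server 2003 picks the local profile folder for an account.

Added example, not from the book. The registry's SID-to-folder association is a
dict and the profile tree is a dict of folder names, so the naming rules and the
delete-and-recreate cases described in this chapter can be exercised offline.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, Set, Tuple

PROFILE_PATH = r"C:\Documents and Settings"  # %ProfilePath% on a clean install (assumed)

Owner = Tuple[str, str]  # (login, domain), lower-cased


@dataclass
class ProfileStore:
    registered: Dict[str, str] = field(default_factory=dict)  # SID -> folder name
    folders: Dict[str, Owner] = field(default_factory=dict)   # folder name -> account it was made for

    def _taken(self, name: str) -> bool:
        # NTFS folder names are case-insensitive
        return any(f.lower() == name.lower() for f in self.folders)

    def _candidates(self, login: str, domain: str) -> Iterator[str]:
        """Folder names to try, following the chapter's three cases in order."""
        if (login.lower(), domain.lower()) not in self.folders.values():
            yield login                       # first account with this login name on the machine
            yield f"{login} [{domain}]"       # same login name, different domain
        for n in range(1000):                 # same login and domain, different SID
            yield f"{login} [{domain}].{n:03d}"

    def logon(self, login: str, domain: str, sid: str) -> str:
        """Return the profile folder for this logon, creating it on first use.

        The SID is the key: a known SID reuses its folder (recreating it if the
        folder was deleted); an unknown SID always gets a fresh folder, even if
        an account with the same login name was seen before.
        """
        owner = (login.lower(), domain.lower())
        if sid in self.registered:
            name = self.registered[sid]
            self.folders.setdefault(name, owner)
            return name
        for name in self._candidates(login, domain):
            if not self._taken(name):
                self.folders[name] = owner
                self.registered[sid] = name
                return name
        raise RuntimeError("no free profile folder name")

    def delete_profile_folder(self, sid: str) -> None:
        """The chapter's fix for a corrupt profile: remove the folder, keep the account."""
        self.folders.pop(self.registered[sid], None)

    def delete_account(self, sid: str) -> None:
        """Deleting the account drops the SID mapping; the folder stays behind on disk."""
        del self.registered[sid]

    def orphaned_folders(self) -> Set[str]:
        """Folders no current SID points at: data left behind by deleted accounts."""
        return set(self.folders) - set(self.registered.values())

    def full_path(self, sid: str) -> str:
        return f"{PROFILE_PATH}\\{self.registered[sid]}"


# Constructed walk-through. Olga's SID is the one shown in Fig. 10.1; the others are made up.
OLGA = "S-1-5-21-1292428093-1343024091-12804019-1107"
OLGA_OTHER_DOMAIN = "S-1-5-21-5-6-7-1001"
OLGA_RECREATED = "S-1-5-21-1292428093-1343024091-12804019-1150"


def walkthrough() -> Dict[str, str]:
    store = ProfileStore()
    result = {"first logon": store.logon("Olga", "DOMAIN", OLGA)}
    result["other domain"] = store.logon("Olga", "OTHER", OLGA_OTHER_DOMAIN)
    store.delete_profile_folder(OLGA)                 # corrupt-profile fix
    result["after folder delete"] = store.logon("Olga", "DOMAIN", OLGA)
    store.delete_account(OLGA)                        # account deleted, then recreated
    result["recreated account"] = store.logon("Olga", "DOMAIN", OLGA_RECREATED)
    result["orphaned"] = ",".join(sorted(store.orphaned_folders()))
    return result


if __name__ == "__main__":
    for step, folder in walkthrough().items():
        print(f"{step:20} -> {folder}")
```

Because the mapping is keyed by the SID, deleting an account and recreating it with the same name never reconnects the old folder: its contents stay on disk as an orphaned profile until an administrator removes them, which is worth checking for when retiring accounts.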