by Tobias Oetiker <oetiker@ee.ethz.ch>
A new user should get a decent default configuration when he logs into
his new account for the first time. On Unix we copy a .profile or
.cshrc and a few more bits to his new home and are done. On Windows
we can do this too, it's just a wee little bit more complex. Who would
have thought?

When a user accesses his account for the first time, Windows copies an
initial profile for the user from C:\Documents and Settings\Default User.
This is not ideal because the Default User directory is local to
every machine and not easy to customize. We would rather have this on
our server. Fortunately this is a feature which is built into Windows
already. When you log in on a machine and Windows can not find your
profile, it first looks for a directory called
%LOGONSERVER%\NETLOGON\Default User
If this exists, its contents are used as the default profile for the
user. Windows will only use the local Default User if this global
directory does not exist.

All the user's configuration ends up in his profile. Whenever a user logs
in or out on a machine, the whole profile directory gets copied back and
forth between the machine and the server. This is nice for disconnected
operation. But since we run our desktops on a network, this has no real
advantages except making things SLLLLLOOOOOOW.
Fortunately Windows allows you to redirect most things which are located in
the profile to other places. This is called Folder Redirection. In the
GPO editor you even find a plug-in where you can define the location for
(only) 4 folders. Well, there are many more in the user's profile
directory, just have a look. In the registry we find:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
This key contains a long list of folders which can be redirected.
By default all these entries point to folders in:
%USERPROFILE%\...
as expected. Logon time can be improved massively by moving as much material
as possible out of the profile into a directory which gets shared from the
server. In our setup we keep these folders in a special subdirectory of the
user's home share called Windows Config. So we change the Folder Redirection
settings to:
%LOGONSERVER%\home\%USERNAME%\Windows Config\...
Note: If you have a setup with several LOGONSERVERs, this approach will not
do, as the users' home directories will not be on all servers. You may want to
assign a drive letter to the user's home in the account settings (not in the
logon script) and then redirect to this drive letter.
Only the Local Settings and Temp directories should remain in
the profile. By default these folders do not get roamed. They stay
local on each machine and are therefore no problem for us. They can
even be removed if space is tight and will get recreated when the user
logs in again. The folders that do not get roamed are controlled by:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"ExcludeProfileDirs" =
"Local Settings;Temporary Internet Files;History;Temp"
The only thing that remains in the user's profile is the registry
database: ntuser.dat.
We have defined a home directory for each user in his Active Directory
account and have set the profile path to
%LOGONSERVER%\home\%USERNAME%\profile
Now we have a second directory in every user's home:
%LOGONSERVER%\home\%USERNAME%\Windows Config
Note that we have chosen to redirect My Documents to
%LOGONSERVER%\home\%USERNAME%\data
to make sure it stays separate from the application configuration data.
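The redirection described above has to end up as a set of values under the User Shell Folders key, one per folder, and they must be of type REG_EXPAND_SZ so that %LOGONSERVER% and %USERNAME% are expanded at logon time rather than stored literally. The following Python script is an added example (not the author's own tooling) that generates such a .reg fragment: the redirect base and the separate data share for My Documents are taken from the text, while the value names (Favorites, Start Menu, Personal, ...) are the standard names Windows keeps under that key and the subfolder layout under Windows Config is an assumption. The Local Settings family (Local AppData, Cache, History) is deliberately left out, matching the text's decision to keep those local.

```python
"""Generate a .reg fragment redirecting User Shell Folders.

Added example for this article, not the author's script.  REDIRECT_BASE and
DOCUMENTS_TARGET follow the text; the subfolder names are assumptions.
"""

REDIRECT_BASE = r"%LOGONSERVER%\home\%USERNAME%\Windows Config"
DOCUMENTS_TARGET = r"%LOGONSERVER%\home\%USERNAME%\data"

KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
       r"\Explorer\User Shell Folders")

# Registry value name -> subfolder below REDIRECT_BASE.  "Personal" is the
# registry name for My Documents and is handled separately (see target_for).
# Local AppData, Cache and History are intentionally absent: they stay local.
SHELL_FOLDERS = {
    "AppData": "Application Data",
    "Cookies": "Cookies",
    "Desktop": "Desktop",
    "Favorites": "Favorites",
    "NetHood": "NetHood",
    "PrintHood": "PrintHood",
    "Programs": r"Start Menu\Programs",
    "Recent": "Recent",
    "SendTo": "SendTo",
    "Start Menu": "Start Menu",
    "Startup": r"Start Menu\Programs\Startup",
    "Templates": "Templates",
}


def expand_sz(value: str) -> str:
    """Encode a string as REG_EXPAND_SZ in .reg syntax.

    .reg files write REG_EXPAND_SZ as hex(2): followed by the UTF-16LE bytes
    of the string plus a terminating NUL, comma separated.  regedit wraps
    long hex runs with a trailing backslash; we do the same every 25 bytes.
    """
    data = value.encode("utf-16-le") + b"\x00\x00"
    hexbytes = [f"{b:02x}" for b in data]
    lines = [",".join(hexbytes[i:i + 25]) for i in range(0, len(hexbytes), 25)]
    return "hex(2):" + ",\\\n  ".join(lines)


def target_for(name: str) -> str:
    """Redirect target for one shell folder; My Documents goes to the data share."""
    if name == "Personal":
        return DOCUMENTS_TARGET
    return REDIRECT_BASE + "\\" + SHELL_FOLDERS[name]


def build_reg() -> str:
    """Return the complete .reg text for the redirected folders."""
    out = ["Windows Registry Editor Version 5.00", "", f"[{KEY}]"]
    for name in list(SHELL_FOLDERS) + ["Personal"]:
        out.append(f'"{name}"={expand_sz(target_for(name))}')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_reg(), end="")
```

Writing the values as plain REG_SZ strings would also "work" on first sight, but then the %LOGONSERVER% text is stored as-is and the folders silently end up in a non-existent path; checking the type with regedit after import is the quickest way to catch that mistake.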

The reason for having a central Default User directory on the
NETLOGON share is that we now can easily define default settings
for our new accounts. The easy way is:
create a new user
log in and modify all the settings to your heart's delight, especially also the
User Shell Folders section of the registry
log out
log in as domain administrator and copy the ntuser.dat from this new
user's profile to the Default User directory on the NETLOGON share of your
server.
Now whenever a new user logs in he gets this customized ntuser.dat.
The 'modify all the settings to your heart's delight' bit is not exactly
reproducible, so we have chosen to use a more controlled approach. Using the
Install Capture function of our software packaging tool (Wise for Windows
Installer) we figured out the registry keys making up the necessary changes
we wanted in our environment and then used regedit to save this information
into a reg file. Now you can use regedt32 to load a pristine copy of
ntuser.dat under the name 'MyDefaultUser'. Edit the reg file and replace
all occurrences of HKEY_CURRENT_USER with
HKEY_LOCAL_MACHINE\MyDefaultUser. Now double click (aargh) the reg file
to load it into the registry. Its information will go into the loaded hive.
Now unload the hive and use this patched copy of ntuser.dat in your
NETLOGON share. (thanks to simon.ringrow@orange.net).
You might also want to look at the reg utility from the resource kit, it allows
you to load hives from the command line as well as apply reg files.
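The hand edit described above (replace HKEY_CURRENT_USER with HKEY_LOCAL_MACHINE\MyDefaultUser, import, unload) is easy to script, and scripting it also avoids a subtle mistake of a blind search-and-replace: some programs store the string HKEY_CURRENT_USER inside value data, and those strings must not be rewritten. The Python script below is an added example, not the author's procedure or tool: it rewrites only the key headers of a .reg export and prints the reg load / reg import / reg unload commands of the reg utility mentioned in the text. The hive name MyDefaultUser comes from the text; the sample .reg content and the file paths are constructed.

```python
"""Retarget a HKEY_CURRENT_USER .reg file at a hive loaded under HKLM.

Added example for this article, not the author's tooling.  HIVE_NAME is the
name used in the text; SAMPLE is constructed input.
"""
import re
from typing import List

HIVE_NAME = "MyDefaultUser"
SRC_ROOT = "HKEY_CURRENT_USER"
DST_ROOT = "HKEY_LOCAL_MACHINE\\" + HIVE_NAME

# A key header line: [HKEY_CURRENT_USER\Sub\Key] or, for a deletion, the
# [-HKEY_CURRENT_USER\Sub\Key] form.  Only these lines are rewritten.
KEY_LINE = re.compile(r"^\[(-?)" + re.escape(SRC_ROOT) + r"(\\[^\]]*)?\]\s*$")


def retarget_line(line: str) -> str:
    """Rewrite one line if it is a HKEY_CURRENT_USER key header, else pass it through."""
    m = KEY_LINE.match(line)
    if not m:
        return line
    minus, subkey = m.group(1), m.group(2) or ""
    return f"[{minus}{DST_ROOT}{subkey}]"


def retarget_reg(text: str) -> str:
    """Rewrite every key header of a .reg file; value data is left untouched."""
    return "\n".join(retarget_line(line) for line in text.splitlines()) + "\n"


def hive_commands(hive_file: str, reg_file: str) -> List[str]:
    """reg.exe commands to load the pristine hive, import, and unload again.

    The hive file must not be in use (no user logged in with it) while loaded.
    """
    return [
        f'reg load HKLM\\{HIVE_NAME} "{hive_file}"',
        f'reg import "{reg_file}"',
        f"reg unload HKLM\\{HIVE_NAME}",
    ]


# Constructed sample: one value deliberately mentions HKEY_CURRENT_USER in its
# data, which a plain search-and-replace would corrupt.
SAMPLE = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Example]
"Note"="stored under HKEY_CURRENT_USER on purpose"

[-HKEY_CURRENT_USER\\Software\\Obsolete]
"""

if __name__ == "__main__":
    print(retarget_reg(SAMPLE))
    for cmd in hive_commands(r"C:\deploy\ntuser.dat", r"C:\deploy\defaults.reg"):
        print(cmd)
```

Run it against an export made with regedit and diff the result against the original: the only lines that should differ are the ones in square brackets.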

In a normal setup all the user's data lives in his profile
directory. And when he logs in for the first time all the necessary
default files and directories get copied from the Default User
directory. With our approach where most of the folders live
outside the profile, users will not get a default setup for their
Start Menu or other structures living outside the registry.
To solve this we must provide a default set of files to the user when
he logs in for the first time. One way to solve this would be to
supply a logon script which copies the files if they do not exist. We
found a more elegant solution by using the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
key. We set it (in the Default User's ntuser.dat) to
inituser=%LOGONSERVER%\NETLOGON\inituser.cmd
And in the inituser.cmd file we do (all on one line!)
start "Copying ..." /min xcopy /I /E /H /K /Y "%LOGONSERVER%\NETLOGON\Default Windows Config" "%HOMESHARE%\Windows Config"
In the Default Windows Config directory we keep copies of all the
directories and files which we have redirected away from the Default
User tree.
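The RunOnce entry fires exactly once per fresh ntuser.dat, which is why the xcopy above can afford /Y (overwrite). The logon-script alternative mentioned in the text runs at every logon and therefore must never overwrite what the user has customised in the meantime. The script below is an added example (not the author's inituser.cmd or userinit) showing that "copy only what is missing" variant: it walks a Default Windows Config tree, creates missing directories and files in the user's Windows Config, skips anything already present, and returns what it copied so a logon script can log it. The directory and file names in demo() are constructed sample data.

```python
"""First-logon initialisation of the redirected Windows Config tree.

Added example for this article, not the author's script.  Unlike
xcopy /Y it never overwrites an existing file, so it is safe on every logon.
"""
import shutil
import tempfile
from pathlib import Path
from typing import List, Tuple


def init_user_config(default_dir: Path, user_dir: Path) -> List[str]:
    """Copy into user_dir every file below default_dir that is not there yet.

    Directories are created as needed; existing files are left untouched.
    Returns the relative paths (posix style) of the files that were copied.
    """
    copied: List[str] = []
    for src in sorted(default_dir.rglob("*")):
        rel = src.relative_to(default_dir)
        dst = user_dir / rel
        if src.is_dir():
            dst.mkdir(parents=True, exist_ok=True)
        elif not dst.exists():
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)  # copy2 also keeps timestamps and mode bits
            copied.append(rel.as_posix())
    return copied


def demo() -> Tuple[List[str], List[str], str]:
    """Run the initialiser twice on a constructed default tree.

    The user tree already holds a customised Favorites entry that must
    survive.  Returns (copied on 1st run, copied on 2nd run, surviving text).
    """
    with tempfile.TemporaryDirectory() as tmp:
        default = Path(tmp) / "Default Windows Config"
        user = Path(tmp) / "Windows Config"
        # constructed defaults: one Start Menu shortcut and one favourite
        (default / "Start Menu" / "Programs").mkdir(parents=True)
        (default / "Start Menu" / "Programs" / "Editor.lnk").write_text("default shortcut")
        (default / "Favorites").mkdir()
        (default / "Favorites" / "Intranet.url").write_text("[InternetShortcut]\nURL=http://intranet.example/\n")
        # the user has already edited this favourite; it must not be replaced
        (user / "Favorites").mkdir(parents=True)
        (user / "Favorites" / "Intranet.url").write_text("user version")

        first = init_user_config(default, user)
        second = init_user_config(default, user)
        kept = (user / "Favorites" / "Intranet.url").read_text()
        return first, second, kept


if __name__ == "__main__":
    first, second, kept = demo()
    print("first run copied:", first)
    print("second run copied:", second)
    print("user's favourite kept:", kept == "user version")
```

On the second run nothing is copied, which is the property you want from anything started by a logon script rather than by RunOnce.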

If IE can not access the Favorites folder in its location on the server, it
picks a new folder to store it in. This folder is on the local machine. Even
when the server comes back, IE will remain hooked to the local Favorites
folder (which is empty). To fix this:

In the documentation for NewSID at http://www.sysinternals.com there
are some interesting notes on HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList,
which contains the list of unloaded profile hives.

To be independent of an initial profile we developed userinit. This script configures
a user's session when he logs in for the first time.
userinit is started due to an entry in the registry in the ntuser.dat included in the
default user profile:
[HKEY_USERS\defaultuser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"RunLogonScriptSync"=dword:00000001
[HKEY_USERS\defaultuser\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunUserinit"="c:\perl\bin\perl.exe \\winpack.ee.ethz.ch.\isgtc\bin\win32-userinit"
In addition userinit is started by loginmgr as a login script to be sure that
userinit is executed in every case.
The userinit script patches the user registry, copies the profile, and sets
environment variables.
2001-06-27 | to | Initial Version
2001-11-28 | to | Registry patching link added
2002-08-13 | to | Fixed entry on registry patching
2004-04-03 | to | Improved note on IE Favorites
2006-02-27 | dr | userinit added