Windows 7 / Security and Privacy

Configuring Local User Profiles

Local user profiles are created the first time a user logs on to a computer, unless there is a roaming or mandatory profile previously configured. For Windows Vista and Windows Server 2008, this means that the contents of the %SystemDrive%\Users\ Default folder are copied to the new user's profile folder. This creates the user's desktop and Start menu.

Each new user has a unique path for the local user profile that includes the user's logon name as a subdirectory of the path. For Windows Vista and Windows Server 2008, the default location for profiles is %SystemDrive%\Users\%UserName%\Ntuser.dat, such as C:\Users\wrstanek\Ntuser.dat.

Note:
In the user's main subdirectory for his or her profile, there is a file with a default name of Ntuser.ini. By default, this file contains the items that will be excluded from the copy process. For example, Microsoft Internet Explorer temporary files and history files, and individual application data are not copied as part of the user profile.

Configuring local user profiles is similar to configuring domain profiles. On the local machine, start Computer Management and access the Local Users And Groups node. Double-click a user's local account, and then select the Profile tab. Type the local path for the profile. Domain controllers do not have local accounts, so you cannot access Local Users And Groups on a domain controller.

Configuring Roaming User Profiles

Roaming user profiles are settings that follow a user from computer to computer. They are especially valuable for administrators or troubleshooters who may need to log on to many different workstations or servers and need to maintain desktop and common settings for security and convenience reasons. To manage roaming profiles, you must be a member of the Account Operators, Domain Admins, or Enterprise Admins group in Active Directory, or have been delegated the right to configure roaming user profiles. Use either Active Directory Users And Computers or Server Manager to configure roaming profiles.

If you are using Active Directory Users And Computers to configure roaming profiles, double-click the user's account to display the related Properties dialog box. Click the Profile tab. Type the unique path of the roaming user profile chosen for that user in the Profile Path field. The path can be a local path on the user's computer such as C:\Profiles\%UserName% or a path to a network share on a remote server.

If you choose to put the user profiles on a remote server, the path should be in the Uniform Naming Convention (UNC) form such as \\ServerName\ShareName\ %UserName% where ServerName is the name of the server, ShareName is the name of the share created for storing roaming profiles, and %UserName% is an environment variable that allows the profile path to be unique for each user. For example, if you set the profile path to \\FileServer92\Profiles\%UserName% and were configuring the account for Ed K, the profile path would be set as \\File-Server92\Profiles\EdK. The subfolder, EdK, is created automatically, and the roaming profile is then stored in the folder as Ntuser.dat.

CAUTION:
When logged on to multiple computers using roaming profiles, changes to the profile settings and configuration may be lost if the order of logging off is incorrect. Imagine you are using a roaming profile and are logged on to two computers. You then change or install an application or program on the first computer. If you then log off that computer, any changes you made will be lost if you go to a second computer and log off without making the same changes. This is because your roaming profile on the second computer will be the one that is saved to the server and will not contain the changes made on the first computer. When using roaming profiles, the profile stored on the server is the one from the computer from which you logged off last.
[Previous] [Contents] [Next]

In this tutorial:

  1. Managing Users, Groups, and Computers
  2. Managing Domain User Accounts
  3. Configuring User Account Policies
  4. Enforcing Password Policy
  5. Configuring Account Lockout Policy
  6. Creating Password Settings Objects and Applying Secondary Settings
  7. Understanding User Account Capabilities, Privileges, and Rights
  8. Assigning User Rights
  9. Creating and Configuring Domain User Accounts
  10. Configuring Account Options
  11. Configuring Profile Options
  12. Troubleshooting User Accounts
  13. Implementing and Creating Preconfigured Profiles
  14. Configuring Local User Profiles
  15. Implementing Mandatory User Profiles
  16. Managing User Data
  17. Using Offline Files
  18. Configuring Offline Files on Clients
  19. Maintaining User Accounts
  20. Moving User Accounts
  21. Resetting a User's Domain Password
  22. Creating a User Account Password Backup
  23. Managing Groups
  24. Understanding the Scopes of Groups
  25. Creating a Group
  26. Creating group accounts at the command line
  27. Modifying Groups
  28. Managing Computer Accounts
  29. Moving a Computer Account
  30. Configuring Properties of Computer Accounts
  31. Troubleshooting Computer Accounts