From Chapter 3: Managing Resources
Creating and Managing System Policies and User Profiles
The use of system policies and user profiles assists in the centralization of management in a Windows NT Enterprise network. System policies help an administrator implement common Registry settings across the enterprise. User Profiles store the user portion of the Registry. They can be implemented as either local profiles or roaming profiles. A roaming profile allows a user to have the user portion of their configuration follow them on the Windows NT network wherever they log on.
Local Profiles Versus Roaming Profiles
Whenever a user logs on at a system, they will create a local profile on that system. The local profile is implemented as a set of directory structures. This directory structure includes the desktop folder and the Start Menu folder. The user portion of the Registry is stored in the file NTUSER.DAT. All user-specific information (for example, Application Data, Favorites, SendTo, and so on) is kept in the %systemroot%\profiles\<user> directory.
When a user logs on to the network, his desktop and Start menu are also based on the local system that he is logging on to. The desktop will be based on the user's profile directory and the ALL USERS directory. The same is true for the Start Menu directory.
The problem with local profiles is that every workstation that you log on to will have its own version of the local profile. User configuration settings will have to be set at each workstation that a user logs on to.
To overcome this problem, you must implement roaming profiles. Roaming profiles will have the user portion of the Registry download from a designated system to the system that the user is currently logged on to. Any changes to their settings will be stored in the central location so that they can be retrieved at the next workstation that the user is logged on to.
Configuring Roaming Profiles in Windows NT
If you want to configure a user account to use a roaming profile, the first thing to do is set the profile path in the User Manager for Domains for that account. If a block of users is to use roaming profiles, the best method to use is a group property change; first select all users for whom you want to have roaming profiles, and then select Properties from the User menu.
The most common setting is to have a directory shared with a share name such as profiles. It should allow the local group USERS the permission of FULL CONTROL. With this share, you can now set the user's profile path to be \\server\share\%username%. The next time the user logs on, her profile information can now be saved to this central profile directory. Profiles should be kept on NTFS partitions; because you cannot implement local security on FAT subdirectories, security must be implemented through NTFS.
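Because the share itself is open to the whole USERS group, the NTFS permissions on each user's profile folder are what separate one user's NTUSER.DAT from another's. The audit below is an added example, not part of the book excerpt: it assumes the folder ACLs were listed in the layout that icacls prints on current Windows versions, and the server, domain and account names are constructed.

```python
# Constructed sample in the layout `icacls <folder>` prints: first ACE on the
# folder's line, further ACEs on indented lines. Paths are assumed space-free.
SAMPLE = r"""
\\server\profiles\alice CORP\alice:(OI)(CI)(F)
                        BUILTIN\Administrators:(OI)(CI)(F)
                        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
\\server\profiles\bob CORP\bob:(OI)(CI)(F)
                      BUILTIN\Users:(OI)(CI)(F)
                      BUILTIN\Administrators:(OI)(CI)(F)
\\server\profiles\carol CORP\dave:(OI)(CI)(M)
                        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
"""

ALWAYS_ALLOWED = {"builtin\\administrators", "nt authority\\system"}

def parse_acls(text):
    """Return {folder: [(account, rights), ...]} from icacls-style text."""
    acls, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # new folder line: "<path> <ACE>"
            current, line = line.split(None, 1)
            acls[current] = []
        account, rights = line.strip().rsplit(":", 1)
        acls[current].append((account, rights))
    return acls

def audit(acls):
    """Flag ACEs for anyone but the folder's user, Administrators or SYSTEM,
    and folders whose own user (matched by account name only) has no ACE."""
    findings = []
    for folder, aces in acls.items():
        user = folder.rstrip("\\").rsplit("\\", 1)[-1].lower()
        owner_seen = False
        for account, rights in aces:
            name = account.lower()
            if name.rsplit("\\", 1)[-1] == user:
                owner_seen = True
            elif name not in ALWAYS_ALLOWED:
                findings.append((folder, account, rights))
        if not owner_seen:
            findings.append((folder, "<owner missing>", ""))
    return findings
```

Running `audit(parse_acls(SAMPLE))` reports the group-wide grant on bob's folder and the mismatched account on carol's folder, and leaves alice's folder unflagged.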
Tuning Roaming Profiles
An administrator can determine whether the user profiles stored on the local system are roaming or local by viewing the User Profiles tab in the System applet in the Control Panel.
The User Profiles dialog box will show all of the profiles currently stored on the system and whether they are roaming or local. The profile can be changed between a roaming and local profile by clicking the Change To button, which brings up a dialog box.
This dialog box is also used to configure how to handle roaming profiles when the user is logging on to the network over a slow WAN link. This is an extremely useful setting for laptop users that may log on to the enterprise network from various locations. Remember that the roaming profile is stored on a specific server even though the user can be authenticated on any domain controller within the domain.
Implementing Roaming Profiles in Windows 95
Windows 95 users can also have roaming profiles configured so that their user-based configurations can follow them from workstation to workstation. Implementing roaming profiles in Windows 95 differs from Windows NT in the following ways:
- Separate user profiles are not implemented automatically in Windows 95 as they are in Windows NT.
- The user portion of the Registry is saved in the file USER.DAT in Windows 95; it is stored in NTUSER.DAT in Windows NT.
- The user profile path setting in the user's properties has no effect on Windows 95 clients. The user's roaming profile information is stored in his Windows NT Home directory.
System policies help the network administrator restrict the configuration changes that users can perform on their profiles. By combining roaming profiles and system policies, the administrator is able to provide the user with a consistent desktop, and control what the user can do to that desktop. Therefore, the administrator can be assured that the user cannot modify certain settings.
System policies work very much like a merge operation. You can think of system policies as a copy of your Registry. When you log on to the network and the NTCONFIG.POL file exists on the domain controller, it will merge its settings into your Registry, changing your Registry settings as indicated in the system policy.
System policies are implemented by using the System Policy Editor, shown in Figure 3.11. The System Policy Editor is automatically installed with any Windows NT Domain Controller.
System policies can be configured to perform the following actions:
- Implement defaults for hardware configuration for all computers using the profile or for a specific machine.
- Restrict the changing of specific parameters that affect the hardware configuration of the participating system.
- Set defaults for all users on the areas of their personal settings that they can configure.
- Restrict the users from changing specific areas of their configuration to prevent tampering with the system. An example would be disabling all Registry editing tools for a specific user.
- Apply all defaults and restrictions on a group level rather than just a user level.
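The merge behaviour described above, including user-level and group-level restrictions such as disabling Registry editing tools, can be modelled in a few lines. This is an added example, not part of the book excerpt: the dictionary layout, the account and group names, and the processing order (a user-specific section replaces group processing; otherwise Default User, then groups from lowest to highest priority) are assumptions of the model, and it goes slightly beyond the text by showing that merged settings stay in the Registry when no policy file is applied later.

```python
# Simplified model of how a system policy file is merged into the user
# portion of the Registry at logon. Data layout and names are constructed.
UNCHANGED = object()   # grey check box: leave the Registry value alone
REMOVE = object()      # cleared check box: delete the value

POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies"
DISABLE_REGEDIT = (POLICIES + r"\System", "DisableRegistryTools")
NO_RUN = (POLICIES + r"\Explorer", "NoRun")

def merge(registry, settings):
    """Merge one policy section into the registry dict, in place."""
    for name, value in settings.items():
        if value is UNCHANGED:
            continue
        if value is REMOVE:
            registry.pop(name, None)
        else:
            registry[name] = value

def apply_policy(registry, policy, user, groups):
    """Assumed order: a user-specific section wins outright; otherwise Default
    User is merged first, then the user's groups, lowest priority first."""
    if user in policy["users"]:
        merge(registry, policy["users"][user])
        return registry
    merge(registry, policy.get("default_user", {}))
    for group in policy["group_priority"]:      # listed lowest -> highest
        if group in groups:
            merge(registry, policy["groups"][group])
    return registry

def demo():
    policy = {
        "default_user": {DISABLE_REGEDIT: 1, NO_RUN: 1},
        "groups": {"Helpdesk": {DISABLE_REGEDIT: REMOVE, NO_RUN: UNCHANGED}},
        "group_priority": ["Helpdesk"],
        "users": {},
    }
    empty = {"users": {}, "groups": {}, "group_priority": []}
    clerk = apply_policy({}, policy, "clerk", ["Domain Users"])
    tech = apply_policy({}, policy, "tech", ["Helpdesk"])
    # The merge writes into the Registry itself, so a later logon with nothing
    # to merge leaves the earlier restrictions in place.
    clerk_later = apply_policy(dict(clerk), empty, "clerk", [])
    return clerk, tech, clerk_later
```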