User Home Directory

 


USER ACCOUNT MANAGEMENT

USER HOME DIRECTORIES
Often, for security or other reasons, a decision is made to provide server-based file storage for users. In Windows NT Server, these directories may be on any server in the network, and using User Manager for Domains it is possible to pre-connect a user to a specific directory at logon time. This is useful where users tend to use more than one computer in a network.

When Windows NT Server is installed, a directory called \users is created on the NT installation partition. This is also created as a share point, having the name users with the group Everyone full control.

An administrator would probably change the permissions on this share by removing the group Everyone and changing access by allowing the local group Users with full control permissions instead. When users are created in the domain, they are inserted into the Global group Domain Users, which is a member of Users.

When a home directory is specified for a user using User Manager for domains, that directory with the correct permissions is automatically created [provided access is granted to perform the creation].

The home directory can reside on the local computer [choose Local Path], or reside on a server in the domain [choose Connect x: to sharename].

Administrators can use the %username% environment variable to specify the directory under the share users; this simplifies administration.

Note: A problem exists in using environment variables to connect to share names. For example, you might want to connect H: to \\server\users\%username%
This fails. It is recommended that you create a unique share name for each user's home directory, and map their home drive to this newly created share name instead.
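
One way to carry out the recommendation above, as an added example that is not part of the original page: a batch file run on the file server that creates the user's directory, restricts its NTFS permissions to that user and Administrators, and shares it under its own name. The path D:\users, the domain name EXAMPLE and the username$ share naming are assumptions made for the example.

```batch
@echo off
rem Added example: create one home directory and one share per user.
rem Usage: mkhome.cmd username
rem Assumed names: D:\users is on an NTFS volume, EXAMPLE is the domain.
if "%1"=="" goto usage

set HOMEROOT=D:\users
set DOMAIN=EXAMPLE

rem Create the directory if it does not exist yet.
if not exist %HOMEROOT%\%1 mkdir %HOMEROOT%\%1
if not exist %HOMEROOT%\%1 goto failed

rem Replace the ACL so that only the user and Administrators have access.
rem Without /E, cacls replaces the ACL and asks for confirmation, hence "echo y".
echo y| cacls %HOMEROOT%\%1 /T /G %DOMAIN%\%1:F Administrators:F

rem Give the directory its own share name. The trailing $ (a choice made for
rem this example) keeps the share out of browse lists. The NTFS permissions
rem set above control who can read the files.
net share %1$=%HOMEROOT%\%1 /remark:"Home directory of %1"
if errorlevel 1 goto failed

rem Show the resulting ACL and share so they can be checked.
cacls %HOMEROOT%\%1
net share %1$
goto end

:usage
echo Usage: %0 username
goto end

:failed
echo Could not create the home directory or share for %1

:end
```

In User Manager for Domains the home directory is then entered as Connect H: To \\server\username$, with no environment variable in the share name.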

PROFILES
Profiles are files which specify settings for users or groups of users. A profile is a way of configuring the user's settings, desktop, drive, network and printer connections, etc. when the user logs onto the computer or domain.

The types of profiles provided in a Windows NT environment are

  1. System Default
    This profile is used to specify the display environment [colors, wallpaper] until the user logs on
  2. User Default
    This profile is used when a user first performs a logon to the computer, and is copied into their local profile
  3. Local
    This profile is one which is stored on the local computer and is associated with the user who is logged on at that computer
  4. Server Based
    This profile has been created using profile editor and has been stored on the server

Server based profiles are created using Profile Editor. There are two types of server based profiles

  1. Personal
    This allows users to customize their own settings, and any changes are saved when they log off. These files have the extension .USR, and when a user logs on, the last saved copy is loaded and used.
  2. Mandatory
    These profiles have the extension .MAN, and users cannot alter any settings. These can be assigned to individual users or groups of users.

Creating Server Based Profiles in Windows NT
Personal profiles have the extension .USR whilst mandatory profiles have the extension .MAN and cannot be altered by users.

To create a user profile, you should be logged on with administrative privileges. All settings and environment variables for the current logged on user are copied into the user profile, so it's a good idea to create a special administrative account with appropriate settings which is used specifically for creating and modifying user profiles.

Profiles are placed in the NETLOGON directory of the PDC, and copied into the local users/profile directory when the user logs onto the computer.

In Windows NT Server 4.0, the System icon under Control Panel has been expanded to include profiles. This option now allows an administrator to copy profiles from the local computer, rename profiles, and change the profile type between a local profile (applicable to the current computer) and a roaming profile (one which applies to the user no matter where they log on in the network).

LOGON SCRIPTS
Logon scripts allow the deployment of a standard configuration for users, consisting of printer and network connections, environment settings, access to applications and auto loading of applications at logon.

Logon scripts were used in LAN Manager and Novell NetWare networks to create environments for users. With profiles under Windows NT and Windows 95, the use of logon scripts is being somewhat superseded.

A logon script is a batch file which is run every time the user logs on. A logon script can be assigned to groups of users or individual users. By default, logon scripts are stored in the \<win_nt>\system32\repl\import\scripts subdirectory.

When a user performs a logon to the domain, the server validating the logon will only execute the logon script if it resides on that server. For example, if the BDC validates the logon request, and the logon script actually resides on the PDC, the BDC will not execute the logon script [this is solved by replication of scripts].

Logon Script Variables

	%HOMEDRIVE%
	The drive letter connected to the user's home directory, if any
	%HOMEPATH%
	The full path to the user's home directory, if any
	%OS%
	The operating system running on the user's computer
	%PROCESSOR%
	The processor type of the user's computer, INTEL, MIPS, ALPHA
	%USERDOMAIN%
	The domain name
	%USERNAME%
	The username of the user logging on
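
A logon script that uses these variables, as an added example that is not part of the original page. The server name PDC1, the share apps and the printer laser1 are assumed names; the script branches on %OS% so that the same file can serve Windows NT clients and other clients such as Windows 95.

```batch
@echo off
rem Added example logon script; server, share and printer names are assumed.
rem Store it in the scripts directory so that replication copies it to every
rem domain controller that may validate a logon.

rem %OS% is Windows_NT on Windows NT clients.
if "%OS%"=="Windows_NT" goto nt

rem Other clients (for example Windows 95): this example does not rely on
rem the logon variables there and lets the /home switch connect the home
rem directory assigned in User Manager for Domains.
net use h: /home
net time \\PDC1 /set /yes
goto common

:nt
echo Welcome %USERNAME%, you are logged on to domain %USERDOMAIN%.
rem Show the home directory that was assigned, if any.
if not "%HOMEDRIVE%"=="" echo Home directory: %HOMEDRIVE%%HOMEPATH%

:common
rem Connections that every user receives.
net use p: \\PDC1\apps
if errorlevel 1 echo Could not connect P: to \\PDC1\apps
net use lpt1: \\PDC1\laser1
if errorlevel 1 echo Could not connect LPT1: to \\PDC1\laser1
```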

SYSTEM POLICIES
These were introduced with Windows 95, and allow much greater control over computer settings and user configurations. Policies can be applied to computers, users and groups.

Policies define what users can and cannot access or change on their computer. These policies override local registry values and are stored on an NT domain.

When a user performs a logon, the policies specified in the policy file overwrite the settings contained in the USER.DAT and SYSTEM.DAT files for Windows 95 users. Policy files end in .POL and are created using the system policy editor. Policies can apply to

individual users
groups
computers

Policies are created by running system policy editor and creating a new policy file which contains the policies you want to put in place. Save this file on the NT PDC in the NETLOGON directory as Ntconfig.pol for Windows NT Servers and Workstations.

[Start->Programs->Administrative Tools (Common)->System Policy Editor]

In the above picture, System Policy Editor has been started, and a new policy created. This then allows settings to be applied for all users, groups of users, or individual computers and groups of computers.

Options are displayed in CHECK BOXES.

Checked:    implemented, enable when user logs on
UnChecked:  not implemented, disabled or removed when user logs on
Grayed:     unchanged, no changes are made

In the diagram below, the properties for default users on the domain have been expanded. This gives you an idea of the sorts of control that you can exert over the desktop and computer.

It is usual to set entries for all the default users and computer entries first. This creates an environment for all users.

Next, create entries in the policy file for individual users or groups of users. These will INCLUDE the entries you made for default users and computers.

Next specify how the policies will be downloaded. Downloading of policy files to the computer can be done manually or automatically. To have policy files automatically downloaded to the computer at log on time, place the .POL file in the NETLOGON directory of the Windows NT PDC. Ensure that the client for Microsoft Networks is the Primary network Logon Client (under ControlPanel->Networks). Save the file as

\\primary-domain-controller-name\netlogon\NTconfig.pol

Overview of System Policy Settings for Users


Control Panel
	Display
		Restrict Display
			Deny Access to Display Icon
			Hide Background Tab
			Hide Screen Saver Tab
			Hide Appearance Tab
			Hide Settings Tab
	Desktop
		Wallpaper
		Color Scheme
	Shell
		Restrictions
			Remove Run command from Start menu
			Remove folders from Settings on Start menu
			Remove Taskbar from Settings on Start menu
			Remove Find command from Start menu
			Hide drives in My Computer
			Hide Network Neighborhood
			No Entire Network in Network Neighborhood
			No workgroup contents in Network Neighborhood
			Hide all items on Desktop
			Disable Shut Down command
			Don’t save settings at exit
	System
		Restrictions
			Disable Registry editing tools
			Run only allowed Windows applications
	Windows NT Shell
		Custom folders
			Custom Programs folder
			Custom desktop icons
			Hide Start menu subfolders
			Custom Startup folder
			Custom Network Neighborhood
			Custom Start menu
			Custom shared Programs folder
			Custom shared desktop icons
			Custom shared Start menu
			Custom shared Startup folder
		Restrictions
			Only use approved shell extensions
			Remove common program groups from Start menu
	Windows NT System
			Parse Autoexec.bat

Overview of System Policy Settings for Computers


Default Computer
	Network
		System Policies Update
			Remote update
	System
		SNMP
			Communities
			Permitted managers
			Traps for Public community
		Run
			Run
			Run once
	Windows NT Network
		Sharing
			Create hidden drive shares (workstation)
			Create hidden drive shares (server)
	Windows NT System
		Logon
			Logon banner
			Automatic logon
			Enable shutdown from Authentication dialog box
			Do not display last logged on user name
		File System
			Do not create 8.3 file names for long file names
			Allow extended characters in 8.3 file names
			Do not update last access time
		FTP logon
			Allow anonymous FTP logon
			Specify home directory
			Log successful anonymous logons
			Connection timeout
	Windows NT Printers
		Disable browse thread on this computer
		Scheduler priority
		Beep for error enabled
	Windows NT Remote Access
		Max number of unsuccessful authentication retries
		Max time limit for authentication
		Wait interval for callback
		Auto Disconnect
	Windows NT User Profiles
		Automatically detect slow network connections
		Slow network connection timeout
		Timeout for dialog boxes

System Policies and Windows 95
To use system policies for Windows 95 computers, perform the following steps,

  1. Set up an administration computer which has the system policy editor installed. This is found on the Windows 95 CD in the directory ADMIN\APPTOOLS\POLEDIT. Ensure that only administrators have access to this application.
  2. Enable user profiles to ensure that all settings can be managed. Failure to do so means only the computer settings will be managed.
  3. Install support for group policies on the client computers by copying the GROUP.DLL into the SYSTEM directory and updating the registry.
  4. Run system policy editor and create a CONFIG.POL file which contains the policies you want to put in place. Save this file on the NT PDC in the NETLOGON directory.
  5. Set entries for all the default users and computer entries first. This creates an environment for all users.
  6. Next, create entries in the policy file for individual users or groups of users. These will INCLUDE the entries you made for default users and computers.
  7. Next specify how the policies will be downloaded.

STEP 1: INSTALLING THE SYSTEM POLICY EDITOR
The policy program and sample policy files are stored in the ADMIN\APPTOOLS\POLEDIT directory on the Windows 95 CD.

	controlpanel->add/remove programs->install/uninstall
	        have disk
	drive\path\admin\apptools\poledit

	where drive\path indicates the path to the Windows 95 CD

STEP 2: ENABLE INDIVIDUAL USER PROFILES

 	controlpanel->passwords->userprofiles
	Check the following boxes
		Users Can customize their preferences and desktop settings
		include desktop icons ......
		include start menu ......

	Shut down and restart the computer to have the profiles enabled

On a Windows NT network, copies of the users' profiles are stored in the users' HOME directories. Ensure that the users' primary network logon client is Microsoft Networks, and that users have a HOME directory mapped on the PDC.

MANDATORY USER PROFILES
Mandatory user profiles are profiles which users cannot change.

  1. enable user profiles on the client computer
  2. customize the desktop accordingly
  3. copy the required files to the HOME directory
  4. rename USER.DAT as USER.MAN

If the user's desktop is already set up, with the appropriate desktop and computer settings, and user profiles are enabled, you can simply do step 4.

STEP 3. INSTALL SUPPORT FOR GROUP POLICIES ON THE CLIENT COMPUTER

	controlpanel->add/remove programs->install/uninstall->install->next
	drive\path\admin\nettools\poledit
	double click on the icon for GROUPPOL.REG

STEP 4. RUN SYSTEM POLICY EDITOR AND CREATE YOUR POLICIES

	start->programs->accessories->system tools->System Policy Editor
	start->run->poledit

	File->Open->

	Options are displayed in CHECK BOXES. 
	Checked:    implemented, enable when user logs on
	UnChecked:  not implemented, disabled or removed when user logs on
	Grayed:     unchanged, no changes are made

	Downloading of policy files to the computer can be done manually or automatically.

To have policy files automatically downloaded to the computer at log on time, place the .POL file in the NETLOGON directory of the Windows NT PDC. Ensure that the client for Microsoft Networks is the Primary network Logon Client (under ControlPanel->Networks). Save the file as

	\\primary-domain-controller-name\netlogon\config.pol


Salam Saif Said AL-Riyami Sultanate of Oman
Copyright © 2001 www.donya.8m.net All rights reserved.
Revised: May 09, 2001.