Creative Commons Chuck Kollars' Computer Administration
Chuck Kollars' Personal Home Page

Windows Default User Configuration



Windows user configurations can be per-individual, per-machine, or per-network. Per-machine configuration, where all users of a computer saw the same configuration, was true of Windows 3.1 and even to a considerable extent Windows 9x. Giving each user their own configuration which follows them to different computers on a network is a function of Windows XP Professional Edition (and Windows 2000 ?).

The per-individual, network-wide "roaming profiles" configuration can work reasonably well, and is used by some school administrators. But it still has problems. Chief among these is that it isn't clear how to make use of it in a mixed environment where some of the older client computers run a version of Windows that doesn't provide support for roaming profiles. (Having all clients run Windows XP (or Windows 2000 ?) is an impossibility for many schools.) Other problems are:

Administrators may desire that each user have their own login credentials, yet that all users who use a particular machine will get the exact same configuration. In other words they desire a configuration intermediate between per-machine and per-user. What's needed to do this is to preset a "Default User" template so every user that logs in to the computer will start with a copy of the same configuration. Such a configuration is possible with Windows XP Professional Edition (or Windows 2000 ?); in fact doing so is even documented by Microsoft.

Roaming Profiles

To use a per-machine (or per-network) Default User template, first turn off "roaming profiles". Start the Group Policy Editor (one way to do this is to Start->Run gpedit.msc). Navigate down into [Local Computer Policy/Computer Configuration/Administrative Templates/System/User Profiles]. Enable both [Only Allow Local User Profiles] and [Prevent Roaming Profile changes from propagating to the server].

(Most [but not all] policy settings are implemented by one or more registry entries. For example, one of the roaming profile settings above is in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key. However, it is very strongly recommended that you change these settings with the Group Policy Editor rather than making changes directly in the registry. Using the Group Policy Editor is much less confusing, much less prone to error, and can provide intelligent feedback about interaction with other features. Also, the Group Policy Editor is Microsoft's current method of administering systems, and has options to affect a whole group of machines rather than just one at a time.)

Per-Machine "Default User" Template

To set up a "Default User" template:

  1. Configure one particular model user account completely and exactly as you wish. (This might be easier if you use a local [not domain] user such as "Any User" or "Template", particularly if the machine hasn't joined a domain yet.) The user account for this purpose shouldn't be used normally and should be a local user. Sometimes you'll need to create a brand new user (ex: "Model") for this.
  2. Reboot, then log in as some user with Administrator rights but not the user you configured. (If the user you configured is logged in, or even if that user isn't logged in any more but you haven't rebooted, some files will be "locked" and you will not be able to copy them.)
  3. With Explorer navigate into \Documents and Settings\username-you-configured
  4. Edit->SelectAll and Edit->Copy
  5. Navigate to \Documents and Settings\Default User
  6. Edit->Paste
  7. Navigate back up to \Documents and Settings
  8. If you don't have a special user account set aside for Administration, take this opportunity to turn display of "hidden" files and folders back off using Tools->Options.

Once the "Default User" template is set up the way you want it, delete all the other user profiles (except "All Users" and "Administrator" and any other fixed local users and of course your model user). This will force all users to be treated as "new" users and given a copy of the Default User template the next time they log in.

You can even force every user to get a fresh copy of the Default User template on every login by arranging that their profile disappears before they log in again. You might do this with a "reboot to restore clean" utility such as DeepFreeze. Or you might do this with a logout script. But don't do it unless you've provided users with some other place to store their files and ensured they're using it. Deleting a user's profile will also delete their My Documents folder and all its contents, which will cause great upset among users unless they store their files somewhere else.

Note well that if a user profile already exists (either as [possibly cached] local files, or as a "roaming" profile), it will supersede your Default User settings. In fact, if roaming profiles are enabled and you test with a user account for which a profile already exists on the network, your tests will seem to indicate that Default User doesn't work at all.

Tweaking the Default User's Registry Hive

This extra procedure is only for exceptional cases and should simply be skipped most of the time.

The profile you just copied includes not only many settings in files but also registry hive data which will be loaded as HKEY_CURRENT_USER whenever a user uses the Default User template.

Very occasionally a setting you wish to be machine-wide is in HKEY_CURRENT_USER, and once in a while you'd like to make one or two more changes after setting up the Default User template. If you know of particular registry settings you want to make, simply make changes under HKEY_CURRENT_USER when you're setting up one particular user exactly as you wish and are logged in as that user. Then when you copy the entire profile to the Default User template, you'll copy those registry settings too. On the other hand, here's how to make one or two more changes to the Default User registry settings after copying everything into the Default User template:

  1. Log in as someone with Administrator rights
  2. Start regedit.
  3. Highlight/select HKEY_USERS
  4. From the menu select File->LoadHive
  5. Navigate to \Documents and Settings\Default User\NTUSER.DAT (You may need to explicitly type in the Default User part, as it may not appear for you to click on since it's marked "hidden".)
  6. Specify the new hive name Default User.
  7. Select the desired entries within the new hive and make the desired changes.
  8. Highlight/select the entire new hive HKEY_USERS\Default User
  9. From the menu select File->UnloadHive

If you propose significant changes to the registry, you should re-do the entire procedure of creating a Default User template, which will supply an entirely new registry hive file. Use the above procedure only for making a very few tweaks.
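
The load / edit / unload steps above can also be scripted with reg.exe. This is an added example, not part of the original page; the screen-saver values it writes are constructed sample tweaks, and the .bak backup name and the Invoke-Reg helper are assumptions.

```powershell
# Added example: the load / edit / unload steps above, scripted with reg.exe.
# Run as an Administrator while nobody is logging in for the first time.
$ErrorActionPreference = 'Stop'

$hiveFile = Join-Path $env:SystemDrive 'Documents and Settings\Default User\NTUSER.DAT'
$mountKey = 'HKU\Default User'      # hive name used in step 6
$backup   = "$hiveFile.bak"         # assumption: backup copy kept beside the hive

function Invoke-Reg {
    # Hypothetical helper: run reg.exe and stop on a non-zero exit code.
    & reg.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe $($args -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if (-not (Test-Path -LiteralPath $hiveFile)) { throw "Hive not found: $hiveFile" }

# NTUSER.DAT is marked hidden; -Force copes with that. Keep a copy to roll back to.
Copy-Item -LiteralPath $hiveFile -Destination $backup -Force

Invoke-Reg load $mountKey $hiveFile
try {
    # Illustrative tweak only (constructed sample values): screen-saver lock settings.
    $desktop = "$mountKey\Control Panel\Desktop"
    Invoke-Reg add $desktop /v ScreenSaveActive    /t REG_SZ /d 1   /f
    Invoke-Reg add $desktop /v ScreenSaverIsSecure /t REG_SZ /d 1   /f
    Invoke-Reg add $desktop /v ScreenSaveTimeOut   /t REG_SZ /d 600 /f

    # Show what was written so the change can be checked before unloading.
    & reg.exe query $desktop
}
finally {
    # Always unload, even if an edit failed: a hive left loaded keeps NTUSER.DAT locked.
    Invoke-Reg unload $mountKey
}
```

If the result is not what you wanted, copy the .bak file back over NTUSER.DAT while the hive is unloaded.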

Per-Network "Default User" Template

When a user logs on and doesn't already have a profile, Windows XP (and Windows 2000 ?) will first look for %LOGONSERVER%\NETLOGON\Default User and use it as a template if it exists. Only if it doesn't exist (the common case) will Windows XP (or Windows 2000 ?) then use the local \Documents and Settings\Default User. You can use this fact to set up a "Default User" template for an entire network.

Create the contents of the network-side template by setting up one user exactly as you wish then copying that entire template --including the user's registry hive-- to %LOGONSERVER%\NETLOGON\Default User.
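
A quick pre-rollout check for the lookup order just described and for the earlier warning that an existing profile supersedes Default User. This is an added example, not part of the original page; the function name, the "Model" account and the default keep-list are assumptions, and it only inspects local profile folders, so a roaming profile stored on the server is not detected.

```powershell
# Added example: report which Default User template a new user would receive
# and which existing local profiles would override it.
function Get-DefaultUserTemplateReport {
    param(
        [string]   $LogonServer  = $env:LOGONSERVER,   # e.g. \\SERVER
        [string]   $ProfilesRoot = (Join-Path $env:SystemDrive 'Documents and Settings'),
        # Assumption: profiles to keep; adjust to your fixed local accounts and model user.
        [string[]] $Keep = @('All Users', 'Default User', 'Administrator',
                             'LocalService', 'NetworkService', 'Model')
    )

    $networkTemplate = $null
    if ($LogonServer) { $networkTemplate = "$LogonServer\NETLOGON\Default User" }
    $localTemplate = Join-Path $ProfilesRoot 'Default User'

    # Lookup order from the text: network template first, local only if that is absent.
    $source = $null
    if ($networkTemplate -and (Test-Path -LiteralPath $networkTemplate)) {
        $source = $networkTemplate
    }
    elseif (Test-Path -LiteralPath $localTemplate) {
        $source = $localTemplate
    }

    # Any other profile folder belongs to a user who will NOT get the template.
    # -Force is needed because some profile folders are hidden.
    $existing = @(Get-ChildItem -LiteralPath $ProfilesRoot -Force |
        Where-Object { $_.PSIsContainer -and ($Keep -notcontains $_.Name) } |
        ForEach-Object { $_.Name })

    New-Object PSObject -Property @{
        TemplateInUse       = $source
        NetworkTemplatePath = $networkTemplate
        LocalTemplatePath   = $localTemplate
        ProfilesOverriding  = $existing
    }
}

Get-DefaultUserTemplateReport | Format-List
```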

Possible Extensions

You could customize your approach to Default User templates --or even profiles for existing users-- with a "login" script.

You could point parts of the user's profile, such as their file repository, to some location outside of their profile.

Related Webpages

Although this technique may not be as widely known as other Windows management tips, it's completely legitimate -- even recommended. And it's documented and explained in several places:



All content on this Personal Website (including text, photographs, audio files, and any other original works), Some Rights Reserved unless otherwise noted, are available to anyone for re-use (reproduction, modification, derivation, distribution, etc.) for any non-commercial purpose under a Creative Commons License.