Windows XP
Default User Configuration

This information is relevant mainly for Win-XP (through Service Pack 2); it has not been checked against later versions of Windows. In fact, it's likely overly intricate -or even incorrect- for more recent versions.

Windows user configurations can be per-individual, per-machine, or per-network. Per-machine configuration, where all users of a computer saw the same configuration, was true of Windows 3.1 and even to a considerable extent Windows 9x. Giving each user their own configuration which follows them to different computers on a network is a function of Windows XP Professional Edition (and Windows 2000 ?).

The per-individual over the entire network "roaming profiles" configuration can work reasonably well, and is used by some school administrators. But it still has problems. Chief among these is it isn't clear how to make use of it in a mixed environment where some of the older client computers run a version of Windows that doesn't provide support for roaming profiles. (Having all clients run Win-XP (or Win2000 ?) is an impossibility for many schools.) Other problems are:

• In theory applications installed for "all users" will be available only on those computers they are installed on. But in practice this would require every application to provide a choice of "all users" or "this user" during installation and the choice to always be made correctly, which often doesn't happen. In fact even Microsoft's own applications do a poor job of installing appropriately. It's easy to install Microsoft Office in such a way that it appears to be unavailable to all but specific users.
• If a user creates a new desktop shortcut icon on one computer, it will follow him to all other computers whether or not the application it points to is available on those computers.
• Even if all desktop icons and all menu items were correct, different users would get different screen savers, wallpaper, screen background, and taskbar icons.
• Some configuration options --for example the "classic" Start Menu-- will always be per-user and administrators will not be able to set them per-machine.

Administrators may desire that each user have their own login credentials, yet that all users who use a particular machine will get the exact same configuration. In other words they desire a configuration intermediate between per-machine and per-user. What's needed to do this is to preset a Generic New Account template so every user that logs in to the computer will start with a copy of the same configuration. Such a configuration is possible with Windows XP Professional Edition (or Windows 2000 ?); in fact doing so is even documented by Microsoft.

Roaming Profiles

To use a per-machine (or per-network) Generic New Account template, first turn off "roaming profiles". Start the Group Policy Editor (one way to do this is to Start->Run gpedit.msc). Navigate down into [Local Computer Policy / Computer Configuration / Administrative Templates / System / User Profiles]. Enable both [Only Allow Local User Profiles] and [Prevent Roaming Profile changes from propagating to the server].

(Most [but not all] policy settings are implemented by one or more registry entries. For example one of the roaming profile settings above is in the HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon registry key. However it is very strongly recommended you change these settings with the Group Policy Editor rather than making changes directly in the registry. Using the Group Policy Editor is much less confusing, much less prone to error, and can provide intelligent feedback about interaction with other features. Also, the Group Policy Editor is Microsoft's current method of administering systems, and has options to affect a whole group of machines rather than just one at a time.)

Per-Machine Generic New Us er Template

To set up a Generic New Account template:

1. Configure one particular model user account completely and exactly as you wish. (This might be easier if you use a local [not domain] user such as "Any User" or "Template", particularly if the machine hasn't joined a domain yet.) The user account for this purpose shouldn't be used normally and should be a local user. Sometimes you'll need to create a brand new user (ex: "Model") for this.
2. Reboot, then log in as some user with Administrator rights but not the user you configured. (If the user you configured is logged in, or even if that user isn't logged in any more but you haven't rebooted, some files will be "locked" and you will not be able to copy them.)
3. With Explorer navigate into \Documents and Settings\username-you-configured
4. Edit->SelectAll and Edit->Copy
5. Navigate to \Documents and Settings\Default user
   • Navigate back up to \Documents and Settings
   • Using Tools->Options turn on display of "hidden" files and folders if it isn't already turned on for the local Administrator (Default user does exist, but usually isn't seen because it's marked "hidden".)
   • Navigate back down inside .Default user
6. Edit->Paste
7. Navigate back up to \Documents and Settings
8. If you don't have a special user account set aside for Administration, take this opportunity to turn display of "hidden" files and folders back off Using Tools->Options.

Once the Generic New Account template is set up the way you want it, delete all the other user profiles (except "All Users" and "Administrator" and any other fixed local users and of course your model user). This will cause all users to be treated as "new" users and given a copy of the Generic New Account template the next time they login.

You can even compel every user to get a fresh copy of the Generic New Account template on every login by arranging that their profile disappears before they login again. You might do this with a "reboot to restore clean" utility such as DeepFreeze. Or you might do this with a logout script. But don't do it unless you've provided users with some other place to store their files and ensured they're using it. Deleting a user's profile will also delete their My Documents folder and all its contents, which will cause great upset among users unless they store their files somewhere else.

Note well that if a user profile already exists (either as [possibly cached] local files, or as a "roaming" profile), it will supercede your Default User settings. In fact if roaming profiles are enabled and you test with a user account for which a profile already exists on the network, your tests will seem to indicate that Default user doesn't work at all.

Tweaking the Generic New Us er's Registry Hive

This extra procedure is only for exceptional cases and should simply be skipped most of the time.

The profile you just copied includes not only many settings in files but also registry hive data which will be loaded as HKEY_CURRENT_USER whenever a user uses the Generic New Account template.

Very occasionally a setting you wish to be machine-wide is in HKEY_CURRENT_USER, and once in a while you'd like to make one or two more changes after setting up the Generic New Account template. If you know of particular registry settings you want to make, simply make changes under HKEY_CURRENT_USER when you're setting up one particular user exactly as you wish and are logged in as that user. Then when you copy the entire profile to the Generic New Account template, you'll copy those registry settings too. On the other hand here's how to make one or two more changes to the Default User registry settings after copying everything into the Generic New Account template:

1. Log in as someone with Administrator rights
2. In an explorer panel, navigate to \Documents and Settings\Default User\NTUSER.DAT (If the files don't show up, you may need to modify the explorer viewing options to show "hidden" files too.)
3. Check the file attributes, and make a note of their initial values. If either S (System) or R (Read-only) attributes are set, temporarily unset them. (An alternate -and to some less confusing- way to do this is in a DOS-Box with commands similar to attrib -S -H -R NTUSER.DAT.)
4. Start regedit and move your mouse into its panel.
5. Highlight/select HKEY_USERS
6. From the menu select File->LoadHive
7. Navigate to \Documents and Settings\Default User\NTUSER.DAT (You may need to explicitly type in the Default User part or the NTUSER.DAT part or both, as they may be marked "hidden".)
8. Specify the new hive name Default User.
9. Select the desired entries within the new hive and make the desired changes.
10. Highlight/select the entire new hive HKEY_USERS\Default User
11. From the menu select File->UnloadHive
12. Return to the explorer panel, and restore all file and directory properties to their initial values. (Alternatively use DOS-Box commands similar to attrib +S +H +R NTUSER.DAT.)

If you propose significant changes to the registry, you should re-do the entire procedure of creating a Generic New Account template, which will supply an entirely new registry hive file. Use the above procedure only for making a very few tweaks.

Per-Network Generic New Us er Template

When a user logs on and doesn't already have a profile, Win-XP (and Win2000 ?) will first look for %LOGONSERVER%\NETLOGON\Default User and use it as a template if it exists. Only if it doesn't exist (the common case) will Win-XP (or Win2000 ?) then use the local \Documents and Settings\Default User. You can use this fact to set up a Generic New Account template for an entire network.

Create the contents of the network-side template by setting up one user exactly as you wish then copying that entire template --including the user's registry hive-- to %LOGONSERVER%\NETLOGON\Default User.

Possible Extensions (Exercises for the Reader:-)

You could customize your approach to Generic New Account templates --or even profiles for existing users-- with a "login" script.

You could point parts of the user's profile, such as their file repository, to some location outside of their profile.

Related Webpages

Hopefully this important topic has improved considerably in recent releases. For current information straight from the horse's mouth see:

• Microsoft Knowledge Base:  How to create a custom user profile

Although the technique described above on this page wasn't as widely known as other Windows management tips, it was completely legitimate (even recommended). And it was documented and explained in several places:

• Windows 2000 User Profiles
• Customize the Default User Profile in Windows XP/Win-XP
• Cannot Set Up a Default Network Printer for All Windows XP Users
• OSNN Forum>Windows Technical Support>Windows Desktop>Reg key
• How can I configure default settings for new users?