Microsoft® Windows® 2000 Administrator's Pocket Consultant, Second Edition
| Author | William R. Stanek |
| Pages | 560 |
| Disk | N/A |
| Level | All Levels |
| Published | 08/14/2002 |
| ISBN | 9780735617926 |
| Price | $29.99 |
Chapter 9: Managing Existing User and Group Accounts
In a perfect world, you could create user and group accounts and never have to touch them again. Unfortunately, we live in the real world. After you create accounts, you'll spend a lot of time managing them. This chapter provides guidelines and tips to make that task easier.
Managing User Contact Information
Active Directory is a directory service. When you create user accounts, those accounts can have detailed contact information associated with them. The contact information is then available to anyone in the domain tree or forest and can be used to search for users and to create address book entries.
Setting Contact Information
You can set contact information for a user account by completing the following steps:
- Double-click the user name in Active Directory Users And Computers. This opens the account's Properties dialog box.
- Select the General tab, shown in Figure 9-1. Use the following fields to set general contact information:
  - First Name, Initials, Last Name: Sets the user's full name.
  - Display Name: Sets the user's display name as seen in logon sessions and in Active Directory directory service.
  - Description: Sets a description of the user.
  - Office: Sets the user's office location.
  - Telephone Number: Sets the user's primary business telephone number. If the user has other business telephone numbers that you want to track, click Other and then use the Phone Number (Others) dialog box to enter additional phone numbers.
  - E-Mail: Sets the user's business e-mail address.
  - Web Page: Sets the Uniform Resource Locator (URL) of the user's home page, which can be either on the Internet or on the company intranet. If the user has other Web pages that you want to track, click Other and then use the Web Page Address (Others) dialog box to enter additional Web page addresses.

Figure 9-1. Use the General tab to configure general contact information for the user. This information can then be used in searches and address books.
- Select the Address tab. Use the fields provided to set the user's business or home address. You'll usually want to enter the user's business address. In this way, you can track the business locations and mailing addresses of users at various offices.
- Select the Telephones tab. Type the primary telephone numbers that should be used to contact the user, such as home phone, pager, mobile phone, fax, and Internet Protocol (IP) phone.
- Other numbers can be configured for each type of telephone number. Click the associated Other button and then use the dialog box provided to enter additional phone numbers.
- Select the Organization tab. As appropriate, type the user's title, department, and company.
- To specify the user's manager, click Change and then select the user's manager in the Select User Or Contact dialog box. When you specify a manager, the user shows up as a direct report in the manager's account.
- Click Apply or OK to apply the changes.
Searching for Users and Creating Address Book Entries
Active Directory makes it easy for you to find users in the directory and then create address book entries using search results. Normally, these are tasks that you'll need to help users with. You do that by completing the following steps:
- Click Start, point to Search, and then click For People. This opens the dialog box shown in Figure 9-2.

Figure 9-2. Use the Find People dialog box to search for users in Active Directory and then use the results to create address book entries.
- Click the Look In list box, select Active Directory, and then type the name or e-mail address of the user you want to search for.
- Click Find Now to begin the search. If matches are found, the search results are displayed. Otherwise, type new search parameters and search again.
- You can view an account's properties by selecting a display name and then clicking Properties.
- You can add contact information to an address book by selecting a display name and then clicking Add To Address Book.
Configuring the User's Environment Settings
User accounts can also have profiles, logon scripts, and home directories associated with them. To configure these optional settings, double-click a display name in Active Directory Users And Computers and then select the Profile tab, as shown in Figure 9-3. In the Profile tab you can set the following fields:
- Profile Path: The path to the user's profile. Profiles provide the environment settings for users. Each time a user logs on to a computer, that user's profile is used to determine desktop and control panel settings, the availability of menu options and applications, and more. Setting the profile path is covered later in this chapter in the section entitled "Managing User Profiles."
- Logon Script: The path to the user's logon script. Logon scripts are batch files that run whenever a user logs on. You use logon scripts to set commands that should be executed each time a user logs on. Chapter 4, "Automating Administrative Tasks, Policies, and Procedures," discusses logon scripts in detail.
- Local Path: The directory the user should use for storing files. Here, you assign a specific directory for the user's files. If the directory is available to the network, the user can access the directory from any computer on the network.

Figure 9-3. The Profile tab allows you to create a user profile. Profiles let you configure the network environment for a user.
System Environment Variables
System environment variables often come in handy when you're setting up the user's environment, especially when you work with logon scripts. You'll use environment variables to specify path information that can be dynamically assigned. The environment variables you'll use the most are the following:
- %SystemRoot%: The base directory for the Microsoft Windows 2000 operating system, such as C:\WINNT. Use it with the Profile tab of the user's Properties dialog box and logon scripts.
- %UserName%: The user account name, such as wrstanek. Use it with the Profile tab of the user's Properties dialog box and logon scripts.
- %HomeDrive%: The drive letter of the user's home directory followed by a colon character, such as C:. Use it with logon scripts.
- %HomePath%: The full path to the user's home directory on the respective home drive, such as \Users\Mkg\Georgej. Use it with logon scripts.
- %Processor_Architecture%: The processor architecture of the user's computer, such as x86. Use it with logon scripts.
Figure 9-4 shows how you might use environment variables when creating user accounts. Note that by using the %UserName% variable, you allow the system to determine the full path information on a user-by-user basis. If you use this technique, you can use the same path information for multiple users and all the users will have unique settings.

Figure 9-4. When you use the Profile tab, environment variables can save you typing, especially when you create an account based on another account.
Logon Scripts
Logon scripts set commands that should be executed each time a user logs on. You can use logon scripts to set the system time, network drive paths, network printers, and more. Although you can use logon scripts to execute one-time commands, you shouldn't use them to set environment variables. Any environment settings used by scripts aren't maintained for subsequent user processes. Also, you shouldn't use logon scripts to specify applications that should run at startup. You should set startup applications by placing the appropriate shortcuts in the user's Startup folder.
Normally, logon scripts contain Windows 2000 commands. However, logon scripts can be
- Windows Script Host files with the .vbs, .js, or other valid script extensions
- Batch files with the .bat extension
- Command files with the .cmd extension
- Executable programs with the .exe extension
One user or many users can use a single logon script, and, as the administrator, you control which users use which scripts. As the name implies, logon scripts are accessed when users log on to their accounts. You can specify a logon script by completing the following steps:
- Access the user's Properties dialog box in Active Directory Users And Computers and then choose the Profile tab.
- Enter the path to the logon script in the Logon Script field. Be sure to set the full path to the logon script, such as \\ZETA\User_Logon\Eng.vbs.
Creating logon scripts is easier than you might think, especially when you use the Windows 2000 command language. Just about any command you can type into a command prompt can be set to run in a logon script. The most common tasks you'll want logon scripts to handle are to set the default printers and network paths for users. You can set this information with the NET USE command. The following NET USE commands define a network printer and a network drive:
net use lpt1: \\zeta\deskjet
net use G: \\gamma\corp\files
If these commands were in the user's logon script, the user would have a network printer on LPT1 and a network drive on G.
Assigning Home Directories
Windows 2000 lets you assign a home directory for each user account. Users can store and retrieve their personal files in this directory. Many applications use the home directory as the default for File Open and Save As operations, which helps users find their resources easily. The command prompt also uses the home directory as the initial current directory.
Home directories can be located on a user's local hard disk drive or on a shared network drive. On a local drive, the directory is only accessible from a single workstation. On the other hand, shared network drives can be accessed from any computer on the network, which makes for a more versatile user environment.
You don't need to create the user's home directory ahead of time. Active Directory Users And Computers automatically creates the directory for you. If there's a problem creating the directory, Active Directory Users And Computers will instruct you to create it manually.
To specify a local home directory, complete the following steps:
- Access the user's Properties dialog box in Active Directory Users And Computers and then choose the Profile tab.
- Click the Local Path option button and then enter the path to the home directory in the associated field. Here's an example: C:\Home\%UserName%.
To specify a network home directory, complete the following steps:
- Access the user's Properties dialog box in Active Directory Users And Computers and then choose the Profile tab.
- Click the Connect option button and then select a drive letter for the home directory. For consistency, you should use the same drive letter for all users. Also, be sure to select a drive letter that won't conflict with any currently configured physical or mapped drives. To avoid problems, you might want to use Z as the drive letter.
- Type the complete path to the home directory using the Universal Naming Convention (UNC) notation, such as \\GAMMA\User_Dirs\%UserName%. You include the server name in the drive path to ensure that the user can access the directory from any computer on the network.
Setting Account Options and Restrictions
Windows 2000 provides many ways to control user accounts and their access to the network. You can define logon hours, permitted workstations for logon, dial-in privileges, and more.
Managing Logon Hours
Windows 2000 allows you to control when users can log on to the network. You do this by setting their valid logon hours. You can use logon hour restrictions to tighten security and prevent system cracking or malicious conduct after normal business hours.
During valid logon hours, users can work as they normally do. They can log on to the network and access network resources. During restricted logon hours, users can't work. They can't log on to the network or make connections to network resources. If users are logged on when their logon time expires, what follows depends on the account policy you've set for them. Generally, one of two things happens to the user:
- Forcibly disconnected: You can set a policy that tells Windows 2000 to forcibly disconnect Windows 2000 users when their logon hours expire. If this policy is set, remote Windows 2000 users are disconnected from all network resources and logged off the system when their hours expire.
- Not disconnected: Users aren't disconnected from the network when they enter the restricted hours. Instead, Windows 2000 simply doesn't allow them to make any new network connections.
Configuring Logon Hours
To configure the logon hours, follow these steps:
- Access the user's Properties dialog box in Active Directory Users And Computers and then choose the Account tab.
- Click the Logon Hours button. You can now set the valid and invalid logon hours using the Logon Hours dialog box shown in Figure 9-5. In this dialog box each hour of the day and night is a field that you can turn on and off.
  - Hours that are allowed are filled in with a dark bar; you can think of these hours as being turned on.
  - Hours that are disallowed are blank; you can think of these hours as being turned off.
To change the setting for an hour, click it. Then select either the Logon Permitted or Logon Denied option button.

Figure 9-5. Configure logon hours for users using the fields provided.
Logon Hours features are listed in Table 9-1.
Table 9-1. Logon Hours Features
| Feature | Function |
| All button | Allows you to select all the time periods |
| Day of week buttons | Allow you to select all the hours in a particular day |
| Hour buttons | Allow you to select a particular hour for all the days of the week |
| Logon Permitted | Sets the allowed logon hours |
| Logon Denied | Sets the disallowed logon hours |
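As an added example (not from the book): Active Directory stores the grid set in the Logon Hours dialog box in the user's logonHours attribute, a 21-byte bitmap with one bit per hour of the week in UTC, starting at Sunday 00:00. The Python below decodes exported values and lists the hours permitted outside a business window; the account names, sample bitmaps, and the 08:00-18:00 weekday window are constructed assumptions.

```python
"""Decode logonHours bitmaps and list hours permitted outside business hours."""
from datetime import datetime, timezone

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
SLOTS = 7 * 24  # one bit per hour of the week; 168 bits = 21 bytes


def encode_logon_hours(permitted):
    """Build the 21-byte bitmap from (day, hour) pairs in UTC; day 0 is Sunday."""
    bitmap = bytearray(SLOTS // 8)
    for day, hour in permitted:
        if not (0 <= day < 7 and 0 <= hour < 24):
            raise ValueError(f"invalid slot: day={day} hour={hour}")
        slot = day * 24 + hour
        bitmap[slot // 8] |= 1 << (slot % 8)  # least significant bit first
    return bytes(bitmap)


def _bit(bitmap, slot):
    """True if the hour slot (0..167, counted from Sunday 00:00 UTC) is permitted."""
    return bool((bitmap[slot // 8] >> (slot % 8)) & 1)


def local_grid(bitmap, utc_offset_hours=0):
    """Return grid[day][hour] in local time, the way the dialog box shows it.

    None means the attribute is not set, which permits every hour.
    """
    if bitmap is None:
        return [[True] * 24 for _ in range(7)]
    if len(bitmap) != SLOTS // 8:
        raise ValueError(f"logonHours must be 21 bytes, got {len(bitmap)}")
    grid = [[False] * 24 for _ in range(7)]
    for slot in range(SLOTS):
        if _bit(bitmap, slot):
            local = (slot + utc_offset_hours) % SLOTS  # wraps across the week
            grid[local // 24][local % 24] = True
    return grid


def is_logon_permitted(bitmap, when):
    """Check a timezone-aware datetime against the bitmap."""
    if bitmap is None:
        return True
    utc = when.astimezone(timezone.utc)
    day = (utc.weekday() + 1) % 7  # Python counts Monday as 0, the bitmap Sunday
    return _bit(bitmap, day * 24 + utc.hour)


def off_hours(bitmap, utc_offset_hours=0, workdays=range(1, 6), start=8, end=18):
    """List (day name, local hour) slots permitted outside the business window."""
    grid = local_grid(bitmap, utc_offset_hours)
    return [(DAYS[d], h) for d in range(7) for h in range(24)
            if grid[d][h] and not (d in workdays and start <= h < end)]


def report(accounts, utc_offset_hours=0):
    """Map each account with off-hours access to its list of off-hours slots."""
    result = {}
    for name, bitmap in accounts.items():
        slots = off_hours(bitmap, utc_offset_hours)
        if slots:
            result[name] = slots
    return result


# Constructed sample data: values as they might be exported from logonHours.
WEEKDAY_SLOTS = [(d, h) for d in range(1, 6) for h in range(8, 18)]
BUSINESS = encode_logon_hours(WEEKDAY_SLOTS)
SAMPLE_ACCOUNTS = {
    "georgej": BUSINESS,                                        # Mon-Fri 08-18 only
    "janew": encode_logon_hours(WEEKDAY_SLOTS + [(6, 22)]),     # plus Saturday 22:00
    "svc_backup": None,                                         # attribute never set
}

if __name__ == "__main__":
    for name, slots in report(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {len(slots)} hour(s) permitted outside business hours")
```

Because the attribute is stored in UTC, pass the site's offset as `utc_offset_hours` to compare against the local-time grid an administrator sees in the dialog box.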
Enforcing Logon Hours
If you want to forcibly disconnect users when their logon hours expire, complete the following steps:
- Access the group policy container you want to work with, as detailed in Chapter 4 in the section entitled "Managing Site, Domain, and Unit Policies."
- Access the Security Options node, shown in Figure 9-6, by working your way down through the console tree. Expand Computer Configuration, Windows Settings, and then Security Settings. In Security Settings, expand Local Policies and then select Security Options.

Figure 9-6. You can access the Security Options node in Group Policy.
- Double-click Automatically Log Off Users When Logon Time Expires. This opens a Properties dialog box for the policy.
- Select the Define This Policy Setting check box and then select the Enabled option button. This turns on the policy restriction and enforces the logon hours. Click OK.
Setting Permitted Logon Workstations
Windows 2000 has a formal policy that allows users to log on to systems locally. This policy controls whether or not a user can sit at the computer's keyboard and log on. By default, on Windows 2000 workstations you can use any valid user account, including the guest account, to log on locally.
As you might imagine, allowing users to log on to any workstation is a security risk. Unless you restrict workstation use, anyone who obtains a user name and password can use it to log on to any workstation in the domain. By defining a permitted workstation list, you close the opening in your domain and reduce the security risk. Now not only must hackers find a user name and password, they must also find the permitted workstations for the account.
For domain users, you define permitted logon workstations by completing the following steps:
- Access the user's Properties dialog box in Active Directory Users And Computers and then choose the Account tab.
- Open the Logon Workstations dialog box by clicking the Log On To button.
- Select The Following Computers option button, shown in Figure 9-7.

Figure 9-7. To restrict access to workstations, specify the permitted logon workstations.
- Type the name of a permitted workstation and then click Add. Repeat this procedure to specify additional workstations.
- If you make a mistake, select the erroneous entry and then click Edit or Remove, as appropriate.
Setting Dial-In Privileges
Windows 2000 lets you set dial-in privileges for accounts using the Dial-In tab of the user's Properties dialog box. As shown in Figure 9-8, dial-in privileges are controlled through Remote Access Policy by default. This is the preferred method of controlling remote access. You can explicitly grant or deny dial-in privileges by selecting Allow Access or Deny Access. In any event, before users can dial in to the network, you'll need to complete the following steps:
- Install Remote Access Services using Configure Your Server.
- To enable remote access connections, configure the group policy for a site, domain, or organizational unit. You do this using the Network Dial-Up And Connections node. Expand User Configuration, Administrative Templates, and then Network. Select Network Dial-Up And Connections.
- Configure remote access using Routing And Remote Access. In Computer Management, expand Services And Applications and then select Routing And Remote Access.
After you grant a user permission to access the network remotely, configure the following additional dial-in parameters using the Dial-In tab of the user's Properties dialog box (see Figure 9-8).

Figure 9-8. Dial-in privileges control remote access to the network.
- If the user must dial in from a specific phone number, select Verify Caller-ID and then type the telephone number from which this user is required to log on. Your telephone system must support Caller ID for this feature to work.
- Define callback parameters using the following options:
  - No Callback: Allows the user to dial in directly and remain connected. The user pays the long-distance telephone charges, if applicable.
  - Set By Caller: Allows the user to dial in directly, and then the server prompts the user for a callback number. Once the number is entered, the user is disconnected and the server dials the user back at the specified number to reestablish the connection. The company pays the long-distance telephone charges, if applicable.
  - Always Callback To: Allows you to set a predefined callback number for security purposes. When a user dials in, the server calls back the preset number. The company pays the long-distance telephone charges, if applicable, and reduces the risk of an unauthorized person accessing the network.
- If necessary, you can also assign static IP addresses and static routes for dial-in connections using Assign A Static IP Address and Apply Static Routes, respectively. For more information on IP addresses and routing, see Chapter 15, "Managing TCP/IP Networking."
Setting Account Security Options
The Account tab of the user's Properties dialog box has many options designed to help you maintain a secure network environment. Use these options to control how user accounts are used and what options are available. The options are:
- User Must Change Password At Next Logon: Forces the user to change his or her password when the user logs on next.
- User Cannot Change Password: Doesn't allow the user to change the account password.
- Password Never Expires: Ensures that the account password never expires, which overrides the normal password expiration period.
- Store The Password Using Reversible Encryption: Saves the password in a reversibly encrypted form, from which the clear text can be recovered.
- Account Is Disabled: Disables the account, which prevents the user from accessing the network and logging on.
- Smart Card Is Required For Interactive Logon: Requires the user to log on to a workstation using a smart card. The user can't log on to the workstation by typing a logon name and password at the keyboard.
- Account Is Trusted For Delegation: Specifies that the user might need object management privileges in Active Directory and that the user is trusted to perform any permissible actions on objects that the user has been delegated the authority to work with.
- Account Is Sensitive And Cannot Be Delegated: Specifies that the user can't be trusted for delegation. You might want to set this option for all normal user accounts to prevent these users from manipulating Active Directory objects unless specifically permitted to by an authorized administrator.
- Use DES Encryption Types For This Account: Specifies that the user account will use DES (Data Encryption Standard) encryption.
- Do Not Require Kerberos Preauthentication: Specifies that the user account doesn't need Kerberos preauthentication to access network resources. Preauthentication is a part of the Kerberos v5 security procedure. The option to log on without it is available in order to allow authentication from clients using a previous, or nonstandard, implementation of Kerberos.
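As an added example (not from the book): most of the Account tab options above are stored as bits in the account's userAccountControl attribute, so an exported list of values can be reviewed in bulk. The Python below maps values back to the option names and reports enabled accounts that carry options worth a second look; the export format, the sample accounts, and the choice of which options to report are assumptions of this example.

```python
"""Map userAccountControl values to Account tab options and list review findings."""

# Bit values from Microsoft's userAccountControl documentation, keyed to the
# option names used on the Account tab. User Must Change Password At Next Logon
# and User Cannot Change Password are not userAccountControl bits in Active
# Directory (pwdLastSet and the object's ACL hold them), so they are absent here.
UAC_OPTIONS = {
    0x000002: "Account Is Disabled",
    0x000080: "Store The Password Using Reversible Encryption",
    0x010000: "Password Never Expires",
    0x040000: "Smart Card Is Required For Interactive Logon",
    0x080000: "Account Is Trusted For Delegation",
    0x100000: "Account Is Sensitive And Cannot Be Delegated",
    0x200000: "Use DES Encryption Types For This Account",
    0x400000: "Do Not Require Kerberos Preauthentication",
}
ACCOUNT_DISABLED = 0x000002

# Options this example reports for review (an assumed policy, not the book's).
REVIEW_BITS = (0x000080, 0x010000, 0x080000, 0x200000, 0x400000)


def decode_uac(value):
    """Return the Account tab options set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_OPTIONS.items()) if value & bit]


def parse_export(text):
    """Parse 'sAMAccountName,userAccountControl' lines (decimal or 0x hex)."""
    rows = []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        try:
            name, raw = (part.strip() for part in line.split(","))
            rows.append((name, int(raw, 0)))
        except ValueError as exc:
            raise ValueError(f"line {number}: cannot parse {line!r}") from exc
    return rows


def audit(text, include_disabled=False):
    """Map each account to the review options it has set.

    Disabled accounts are skipped unless include_disabled is True, since
    they cannot be used to log on while they stay disabled.
    """
    findings = {}
    for name, value in parse_export(text):
        if value & ACCOUNT_DISABLED and not include_disabled:
            continue
        hits = [UAC_OPTIONS[bit] for bit in REVIEW_BITS if value & bit]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample export; 512 (0x200) is a normal account with no options set.
SAMPLE_EXPORT = """\
# sAMAccountName,userAccountControl
wrstanek,512
georgej,66048
janew,4194816
svc_legacy,0x210280
oldtemp,4194818
"""

if __name__ == "__main__":
    for account, options in audit(SAMPLE_EXPORT).items():
        print(f"{account}: {'; '.join(options)}")
```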
Managing User Profiles
User profiles contain settings for the network environment, such as desktop configuration and menu options. Problems with a profile can sometimes prevent a user from logging on. For example, if the display size in the profile isn't available on the system being used, the user might not be able to log on properly. In fact, the user might get nothing but a blank screen. You could reboot the machine, go into VGA (Video Graphics Adapter) mode, and then reset the display manually. However, solutions for profile problems aren't always this easy and you might need to update the profile itself.
Windows 2000 provides several ways to manage user profiles:
- You can assign profile paths in Active Directory Users And Computers.
- You can copy, delete, and change the type of an existing local profile with the System utility in the Control Panel.
- You can set system policies that prevent users from manipulating certain aspects of their environment.
Local, Roaming, and Mandatory Profiles
In Windows 2000, every user has a profile. Profiles control startup features for the user's session, the types of programs and applications that are available, the desktop settings, encryption certificates, and a lot more. Each computer that a user logs on to has a copy of the user's profile. Because this profile is stored on the computer's hard disk, users who access several computers will have a profile on each one of them. Another computer on the network can't access a locally stored profile, called a local profile, and, as you might expect, this has some drawbacks. For example, if a user logs on to three different workstations, the user could have a very different profile on each system. As a result, the user might get confused about what network resources are available on a given system.
To solve the problem of multiple profiles and reduce confusion, you might want to create a profile that can be accessed by other computers. This type of profile is called a roaming profile. With a roaming profile, users can access the same profile no matter which computer they're using within the domain. Roaming profiles are server-based and can only be stored on a Windows 2000 server. When a user with a roaming profile logs on, the profile is downloaded, which creates a local copy on the user's computer. When the user logs off, changes to the profile are updated both on the local copy and on the server.
As an administrator, you can control user profiles or let users control their own profiles. One reason to control profiles yourself is to make sure that all users have a common network configuration, which can reduce the number of environment-related problems.
Profiles controlled by administrators are called mandatory profiles. Users who have a mandatory profile can make only transitory changes to their environment. Here, any changes that users make to the local environment aren't saved, and the next time they log on they're back to the original profile. The idea is that if users can't permanently modify the network environment, they can't make changes that cause problems. A key drawback to mandatory profiles is that the user can only log on if the profile is accessible. If, for some reason, the server that stores the profile is inaccessible and a cached profile isn't accessible, the user won't be able to log on. If the server is inaccessible but a cached profile is accessible, the user will receive a warning message and will be logged onto the local Windows 2000 system using the system's cached profile.
Creating Local Profiles
In Windows 2000, user profiles are maintained either in a default directory or in the location set by the Profile Path field in the user's Properties dialog box. The default location for profiles depends on the workstation configuration in the following way:
- Windows 2000 Upgrade Installation: The user profile is located at %SystemRoot%\Profiles\%UserName%\Ntuser.dat, where %SystemRoot% is the root directory for the operating system, such as C:\WINNT, and %UserName% is the user name, such as wrstanek.
- New Installation of Windows 2000: The user profile is located at %SystemDrive%\Documents and Settings\%UserName%\%UserDomain%, such as F:\Documents and Settings\Wrstanek\Adatum\Ntuser.dat. If the user logs on to a domain controller, the profile might be located at %SystemDrive%\Documents and Settings\%UserName%\Logon Server Name, such as F:\Documents and Settings\Wrstanek\ZETA\Ntuser.dat.
If you don't change the default location, the user will have a local profile.
Creating Roaming Profiles
Roaming profiles are stored on Windows 2000 servers. When users log on to multiple computers and use EFS, they'll need a roaming profile to ensure that the certificates necessary to read and work with encrypted files are available on computers other than their primary work computers.
If you want a user to have a roaming profile, you must set a server-based location for the profile directory by completing the following steps:
- Create a shared directory on a Windows 2000 server and make sure that the group Everyone has access to it.
- Access the user's Properties dialog box in Active Directory Users And Computers and choose the Profile tab. Enter the path to the shared directory in the Profile Path field. The path should have the form \\server name\profile folder name\user name. An example is \\ZETA\User_Profiles\Georgej, where ZETA is the server name, User_Profiles is the shared directory, and Georgej is the user name.
- The roaming profile is then stored in the Ntuser.dat file in the designated directory, such as \\ZETA\User_Profiles\Georgej\Ntuser.dat.
- As an optional step, you can create a profile for the user or copy an existing profile to the user's profile folder. If you don't create an actual profile for the user, the next time the user logs on, the user will use the default local profile. Any changes the user makes to this profile will be saved when the user logs off. Thus, the next time the user logs on, the user can have a personal profile.
Creating Mandatory Profiles
Mandatory profiles are stored on Windows 2000 servers. If you want a user to have a mandatory profile, you define the profile as follows:
- Follow steps 1-3 in the previous section, "Creating Roaming Profiles."
- Then create a mandatory profile by renaming the Ntuser.dat file as %UserName%\Ntuser.man. Now when the user logs on the next time, the user will have a mandatory profile.
Using the System Utility to Manage Local Profiles
To manage local profiles, you'll need to log on to the user's computer. Afterward, you can use the System utility in the Control Panel to manage local profiles. To view current profile information, start the System utility and then click the User Profiles tab.
As shown in Figure 9-9, the User Profiles tab displays various information about the profiles stored on the local system. You can use this information to help you manage profiles. The fields have the following meanings:
- Name: The name of the local profile, which generally includes the name of the originating domain or computer and the user account name. For example, the name Adatum\Wrstanek tells you that the original profile is from the domain adatum and the user account is wrstanek.
  If you delete an account but don't delete the associated profile, you might also see an entry that says Account Deleted or Account Unknown. Don't worry, the profile is still available for copying if you need it, or you can delete the profile here.
- Size: The size of the profile. Generally, the larger the profile, the more the user has customized the environment.
- Type: The profile type, which is either local or roaming.
- Modified: The date when the profile was last modified.

Figure 9-9. The User Profiles tab in the System Properties dialog box lets you manage existing local profiles.
Creating a Profile by Hand
In some cases, you might want to create the profile by hand. You do this by logging on to the user account, setting up the environment, and then logging out. As you might guess, creating accounts in this manner is time-consuming. A better way to handle account creation is to create a base user account. Here, you create the base user account, set up the account environment, and then use this account as the basis of other accounts.
Copying an Existing Profile to a New User Account
If you have a base user account or a user account that you want to use in a similar manner, you can copy an existing profile to the new user account. To do this, you'll use the System Control Panel utility. You do that by completing the following steps:
- Start the System Control Panel utility and open the User Profiles tab.
- Select the existing profile you want to copy using the Profiles Stored On This Computer list box (see Figure 9-9).
- Copy the profile to the new user's account by clicking on the Copy To button. Next, enter the path to the new user's profile directory in the Copy Profile To field (see Figure 9-10). For example, if you were creating the profile for our user, georgej, you would type \\ZETA\User_Profiles\Georgej.

Figure 9-10. Use the Copy To dialog box to enter the location of the profile directory and to assign access permissions to the user.
- Now you need to give the user permission to access the profile. Click the Change button in the Permitted To Use area and then use the Select User Or Object dialog box to grant access to the new user account.
- Close the Copy To dialog box by clicking OK. Windows 2000 will then copy the profile to the new location.
Copying or Restoring a Profile
When you work with workgroups where each computer is managed separately, you'll often have to copy a user's local profile from one computer to another. Copying a profile allows users to maintain environment settings when they use different computers. Of course, in a Windows 2000 domain you can use a roaming profile to create a single profile that can be accessed from anywhere within the domain. The problem is that sometimes you might need to copy an existing local profile over the top of a user's roaming profile (when the roaming profile is corrupt) or you might need to copy an existing local profile to a roaming profile in another domain.
You can copy an existing profile to a new location by doing the following:
- Log on to the user's computer and then start the System Control Panel utility and open the User Profiles tab.
- Select the existing profile you want to copy using the Profiles Stored On This Computer list box.
- Copy the profile to the new location by clicking the Copy To button and then enter the path to the new profile directory in the Copy Profile To field. For example, if you're creating the profile for janew, you could type \\GAMMA\User_Profiles\Janew.
- Now you need to give the user permission to access the profile. Click the Change button in the Permitted To Use area and then use the Select User Or Group dialog box to grant access to the appropriate user account.
- When you're finished, close the Copy To dialog box by clicking OK. Windows 2000 will then copy the profile to the new location.
Deleting a Local Profile and Assigning a New One
Profiles are accessed when a user logs on to a computer. Windows 2000 uses local profiles for all users who don't have roaming profiles. Generally, local profiles are also used if the local profile has a more recent modification date than the user's roaming profile. Because of this, there are times when you might need to delete a user's local profile. For example, if a user's local profile becomes corrupt, you can delete the profile and assign a new one. Keep in mind that when you delete a local profile that isn't stored anywhere else on the domain, you can't recover the user's original environment settings.
To delete a user's local profile, complete the following steps:
- Log on to the user's computer using an account with Administrator privileges.
- Start the System utility and then click the User Profiles tab.
- Select the profile you want to delete and then click Delete. When asked to confirm that you want to delete the profile, click Yes.
Now the next time the user logs on, Windows 2000 will do one of two things. Either the operating system will give the user the default local profile for that system or it will retrieve the user's roaming profile stored on another computer. To prevent the use of either of these profiles, you'll need to assign the user a new profile. To do this you can
- Copy an existing profile to the user's profile directory. Copying profiles is covered in the next section.
- Update the profile settings for the user in Active Directory Users And Computers. Setting the profile path is covered earlier in this chapter in the section entitled "Configuring the User's Environment Settings."
Changing the Profile Type
With roaming profiles, the System utility lets you change the profile type on the user's computer. To do this, select the profile and then click Change Type. The options in this dialog box allow you to
- Change a roaming profile to a local profile: If you want the user to always work with the local profile on this computer, set the profile for local use. Here, all changes to the profile are made locally and the original roaming profile is left untouched.
- Change a local profile (that was defined originally as a roaming profile) to a roaming profile: The user will use the original roaming profile for the next logon. Afterward, Windows 2000 will treat the profile like any other roaming profile, which means that any changes to the local profile will be copied to the roaming profile.
Last Updated: August 26, 2002