Advantages of the User Profile

User profiles provide the following advantages:

- After a successful logon, users start working in their own working environment
  (including desktop settings), as it existed when they last logged off.

- Many users can share a single computer, and each user will get individual settings
  for their working environment.

- User profiles can be stored on the server; they may be used independently from the
  workstation where the user logs on to the network. These user profiles are called
  roaming user profiles.

From the administrator's point of view, user profiles provide specific advantages and are
capable of:

- Creating customized user settings

- Specifying common settings for each user group

- Assigning mandatory user profiles which can't be changed by the users and don't
  allow them to change the system's configuration

As was already mentioned in Chapter 1, Windows XP and Windows Server 2003 provide
the following types of user profiles:

- Local User Profiles. User profiles of this type are stored on the local computer's
  hard disk. Any changes that you might introduce to the local user profile are
  computer-specific and only apply to the computer on which these changes are
  made.

- Roaming User Profile. Roaming user profiles are stored on the server, and are
  available any time the user logs onto a network. Any changes made to a roaming
  user profile are updated on the server.

- Mandatory User Profile. This type of user profile can be created or updated only
  by system administrators. Any changes the user makes to this type of profile are
  lost when he or she logs off.

Note Mandatory user profiles are included with Windows XP and later only in order to
provide backward compatibility with existing Windows NT 4.0 domains. If you
have Windows 2000 domains in native mode or have even migrated to Windows
Server 2003 domains, and need to provide managed desktop configurations for
users and groups, it is recommended that you use Group Policy rather than
mandatory user profiles. Group Policy basics will be discussed later in this chapter.

The Settings Stored in the User Profile
Each user profile contains configuration settings and options customized for each
individual user. In practice, the user profile can be considered a "snapshot" of the user's
working environment.
Main settings stored in the user profile are listed in Table 10.1.

Table 10.1: User Profile Settings

| Working environment item | User profile settings |
|---|---|
| Windows GUI (Windows Explorer or My Computer) | All user-specified settings of the Windows Explorer application |
| Taskbar | All personal program groups and their properties, all personal programs and their properties, all individual settings of the taskbar |
| Printer settings | All connections to network printers |
| Control Panel | All individual user-specific settings specified using Control Panel applets |
| Accessories | All user-specific customized settings of the applications that influence Windows NT/2000, Windows XP, or Windows Server 2003 working environments, including individual settings for Calculator, Notepad, Paint, HyperTerminal, etc. |
| Application settings | All Windows applications allow individual settings in relation to each individual user. If this information exists, it's stored in the user's registry hive (HKEY_CURRENT_USER) |
| Bookmarks in the online Help system | All Help bookmarks set by the user |
| Favorites registry key | All registry keys marked by the user as Favorites |

User Profile Structure
Each user profile consists of a registry hive (Ntuser.dat file, which is mapped to the
HKEY_CLASSES_ROOT registry key when the user logs on) and a set of folders in the
file system of your computer. Since the release of Windows NT 4.0, the default location
of user profiles has changed in order to allow administrators to provide better security for
the operating system folders without affecting user data. Let us consider the default
location of user profiles in more detail.
All Windows NT user profiles are stored in the %SystemRoot%\Profiles folder. When
you log onto the system for the first time, the system creates a new profile for you based
on the Default User profile, present on each Windows NT Workstation or Windows NT
Server computer. The \Default User folder and profile folders for individual users contain
the Ntuser.dat and Ntuser.dat.log files (user profile hive and its log) together with the
desktop shortcuts.
The naming conventions for the user profile folders have changed with Windows 2000.
In general, the location of Windows 2000, Windows XP, or Windows Server 2003 user
profiles depends on the method used to install the operating system:

- If Windows 2000, Windows XP, or Windows Server 2003 was installed fresh, the
  Setup program will create a new folder for storing user profiles:
  %SystemDrive%\Documents and Settings (for example, C:\Documents and
  Settings).

- If the system was installed as an upgrade from the previous Windows NT versions,
  user profile folders will be located in the %SystemRoot%\Profiles folder (like in
  Windows NT 4.0).

Note Later in this chapter, we'll use the %ProfilePath% variable to specify a path to the
folder that contains user profiles.
The locations of user profiles for each of the possible types of OS installation are briefly
described in Table 10.2.

Table 10.2: User Profile Locations

| Installation type | User profiles location |
|---|---|
| Clean installation of Windows 2000, Windows XP or Windows Server 2003 (no previous operating system) | %SystemDrive%\Documents and Settings; for example, C:\Documents and Settings |
| Upgrade from Windows 2000 | %SystemDrive%\Documents and Settings; for example, C:\Documents and Settings |
| Upgrade from Windows NT 4.0 | %SystemRoot%\Profiles; for example, C:\WinNT\Profiles |
| Windows 2000 or Windows XP systems upgraded from Windows 9x/ME | %SystemDrive%\Documents and Settings; for example, C:\Documents and Settings |

Like the previous versions of Windows NT/2000, Windows XP and Windows Server
2003 automatically create a user profile when the new user first logs onto the system. To
store this profile, the system creates a new nested folder named after the login name of
the new user and located under the %ProfilePath% folder. The path to this folder will be
saved in the system registry and associated with the user's security identifier (Security ID,
SID).

Note Also notice that many users, even experienced ones, often think that the system
identifies each user by his or her username (or login name) and the password. This
isn't so; it's the SID that uniquely identifies the user. User profiles are also identified
by their associated SIDs (Fig. 10.1).

Figure 10.1: The HKEY_USERS registry key
The HKEY_USERS registry key contains the default user profile as well as profiles for
all user accounts currently logged on to the computer. The HKEY_USERS\.DEFAULT
key contains parameters that the system applies before any user logs on to the system.
Other subkeys represent SIDs of the currently logged on user accounts:

- HKEY_USERS\S-1-5-18. This subkey contains parameters for
  LocalSystem, an identity used locally by the OS and by services configured to log
  on as LocalSystem. Notice that this identity is a hidden member of the
  Administrators group. That is, any process running as LocalSystem has the SID
  for the Administrators built-in group in its access token.

- HKEY_USERS\S-1-5-19. This subkey contains parameters for
  LocalService, an identity used by services that do not need such extensive local
  privileges as LocalSystem, and do not need authenticated network access.

- HKEY_USERS\S-1-5-20. This subkey contains parameters for
  NetworkService, an identity used by services that do not need extensive local
  privileges, but do require authenticated network access.

  Note All three above-listed SIDs are well-known SIDs (more information on
  well-known SIDs was provided in Chapter 9). Also notice that NetworkService
  (S-1-5-20) and LocalService (S-1-5-19) are newly introduced built-in
  accounts, only existing in Windows XP and Windows Server 2003 in order
  to reduce the number of services running in the SYSTEM context. Therefore,
  the HKEY_USERS registry key in Windows 2000 or earlier does not contain
  subkeys identified by these SIDs.

- HKEY_USERS\CURRENT_USER_SID (in the example shown in Fig. 10.1, the
  CURRENT_USER_SID is S-1-5-21-1292428093-1343024091-12804019-1107).
  This subkey contains parameters that correspond to the current user, who has
  logged on locally.

- HKEY_USERS\SID_Classes. These subkeys contain file associations and COM
  classes for specific SIDs.

Starting with Windows 2000, Microsoft has introduced the so-called Run As
functionality, also known as secondary logon. This feature is designed to provide users
with the capability of starting programs under different security contexts. For example,
administrators can log on as ordinary users, and invoke a secondary logon
(administrative) in order to run administrative tools without needing to log off. To start a
program under a different security context, it is sufficient to right-click the file that you
want to start, and then select the Run As command from the context menu. The Run As
dialog will open (Fig. 10.2), where you will be able to select the user account with
administrative rights.

Figure 10.2: Using a secondary logon

Note Secondary logons represent a security enhancement, which protects the system
against unintended actions, attacks on the local Administrator account and Trojan
horse attacks while accessing non-trusted sites using Internet Explorer.
After the user invokes a secondary logon and provides credentials for the administrative
account, Windows will load additional settings for the secondary logon, and new subkeys
will appear under the HKEY_USERS registry key (Fig. 10.3).
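
The following PowerShell is an added example, not part of the original chapter. It serves both the HKEY_USERS subkey list and the secondary-logon passage above: it inventories every hive currently loaded under HKEY_USERS, classifies each subkey the way the text does, and resolves each SID to an account name and profile folder. It assumes PowerShell 3.0 or later; the ProfileList registry path and its ProfileImagePath value are standard Windows locations that the page does not name, and the function name Resolve-SidName is hypothetical.

```powershell
# Added example: inventory the hives loaded under HKEY_USERS.
# Assumption: ProfileList (not named on the page) stores each SID's profile folder.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Hypothetical helper: translate a SID string to DOMAIN\account.
function Resolve-SidName([string]$Sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        '<unresolved>'   # e.g. deleted account or unreachable domain controller
    }
}

$hives = Get-ChildItem -Path Registry::HKEY_USERS | ForEach-Object {
    $name = $_.PSChildName
    # SID_Classes subkeys belong to the SID that precedes the suffix.
    $sid  = $name -replace '_Classes$', ''

    $kind = switch -Regex ($name) {
        '^\.DEFAULT$'             { 'Pre-logon defaults';        break }
        '_Classes$'               { 'Per-SID classes hive';      break }
        '^S-1-5-(18|19|20)$'      { 'Built-in service identity'; break }
        '^S-1-5-21-(\d+-){3}\d+$' { 'User account hive';         break }
        default                   { 'Other' }
    }

    $account = $null
    $path    = $null
    if ($sid -match '^S-1-') {
        $account = Resolve-SidName $sid
        $entry = Get-ItemProperty -Path "$profileList\$sid" `
                     -Name ProfileImagePath -ErrorAction SilentlyContinue
        if ($entry) { $path = $entry.ProfileImagePath }
    }

    [pscustomobject]@{
        Subkey      = $name
        Kind        = $kind
        Account     = $account
        ProfilePath = $path
    }
}

$hives | Format-Table -AutoSize
```

Running it before and after a Run As launch shows the additional subkeys the text describes; a user account hive for anyone other than the interactive user means that account's profile is loaded by a secondary logon or a service.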
