Setting up a mandatory user profile in Windows 10
User profiles in Windows determine which settings apply to a user and which environment the user works in. By assigning mandatory user profiles, users can be prevented from making changes that open security holes or are otherwise unauthorized. This also makes workstations more stable, and administrators can specify exactly which areas of the computer users may access.
On Windows 10 computers, user settings and data, together with the associated directories, are stored under “C:\Users”. On German-language systems Explorer displays this directory as “C:\Benutzer”, but the real path on disk is still “C:\Users”. Microsoft has tried in the past to replace roaming profiles with newer mechanisms such as User Experience Virtualization (UE-V), but this approach has not caught on.
So user profiles remain the standard way of controlling user settings on local machines, even with Windows 10 and Windows Server 2016/2019. Many of these settings can additionally be enforced with Group Policy.
How user profiles work
When a profile is deleted, Windows recreates it the next time the user logs on to the computer. All of the user’s settings are reset to their defaults, because the recreated profile is empty. Windows builds each new profile as a copy of the default profile, the hidden folder “C:\Users\Default”.
In addition to the standard folders for the desktop, documents and other files, the profile folder contains the file “Ntuser.dat”. This is the user’s registry hive: while the user is logged on it is loaded under “HKEY_USERS\<SID>”, and “HKEY_CURRENT_USER” (HKCU, not HKLM) is an alias for it. The file is hidden and marked as a system file, so to see it, hidden items and protected operating-system files must be shown; the settings for this are in the “Show/hide” group on the “View” tab of Windows Explorer.
Application-specific data is stored in the “AppData” folder in the user profile, which contains the three subfolders Local, LocalLow and Roaming. In “Local” and “LocalLow” Windows keeps data that is specific to the individual computer and is not synchronized with a server-stored profile (caches and large application data; LocalLow is used by low-integrity processes such as sandboxed browser components). The “Roaming” folder holds the user-specific data that travels with server-stored (roaming) profiles.
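The relationship between the profile folders and the registry described above can be checked on any Windows 10 machine. The following PowerShell is an added example, not code from the article: it reads the ProfileList key that Windows uses to register every local profile, maps each SID to its folder, reports whether the Ntuser.dat hive exists on disk and whether it is currently loaded under HKEY_USERS, and lists the hidden hive files of one profile. All key and file names are the real ones Windows uses; nothing is modified.

```powershell
# Added example (not from the article). Maps every local profile registered on this machine to its SID and
# folder, shows whether its NTUSER.DAT hive is present and whether that hive is currently loaded under
# HKEY_USERS\<SID> (the key that HKEY_CURRENT_USER aliases for the logged-on user).
function Get-LocalProfileMap {
    $listKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem -Path $listKey) {
        $sid  = $key.PSChildName
        # ProfileImagePath is REG_EXPAND_SZ; Get-ItemProperty returns it already expanded
        $path = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        $hive = Join-Path -Path $path -ChildPath 'NTUSER.DAT'
        [pscustomobject]@{
            Sid        = $sid
            Path       = $path
            # Test-Path finds hidden/system files, unlike Get-ChildItem without -Force
            HiveOnDisk = (Test-Path -LiteralPath $hive -PathType Leaf)
            HiveLoaded = (Test-Path -LiteralPath "Registry::HKEY_USERS\$sid")
        }
    }
}

# Lists the hive files of one profile folder; without -Force NTUSER.DAT and its transaction logs stay invisible
function Get-ProfileHiveFiles {
    param([Parameter(Mandatory)][string]$ProfilePath)
    Get-ChildItem -LiteralPath $ProfilePath -Force -File -Filter 'NTUSER*' |
        Select-Object Name, Length, LastWriteTime, Attributes
}

Get-LocalProfileMap | Format-Table -AutoSize
Get-ProfileHiveFiles -ProfilePath $env:USERPROFILE
```

System accounts show up as well (their ProfileImagePath points below C:\Windows); a user profile whose hive exists but is not loaded is simply one nobody is logged on with at the moment.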
Setting up server-stored profiles for users in Active Directory
On the “Profile” tab of a user account in the Active Directory Users and Computers snap-in, the user profile can be stored on a share in the network. Windows sets the NTFS permissions on the user’s own profile folder when it creates that folder at first logon; the share itself and the permissions on its root folder are not set automatically and must be prepared by the administrator so that each user can create and reach only their own folder.
To set a server-stored profile, the properties of the user account are opened. In the “Profile path” field on the “Profile” tab, the shared folder is entered to which Windows saves the user profile at logoff and from which it loads the profile at logon.
If a server-based user profile is used, it is available on all workstations in the network. The profile path is specified in the form “\\<server name>\<share name>\%UserName%”; the snap-in expands “%UserName%” to the account name when the entry is saved. When the user logs off a computer, Windows updates the server-based profile with the locally modified files. At the user’s first logon, Windows either loads a predefined profile from the server or, if none exists there yet, copies the user’s previous local profile to the server at logoff. The “Remote Desktop Services Profile” tab, in turn, specifies whether the user receives a separate profile on remote desktop servers.
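The share preparation and the profile-path assignment described above can be scripted instead of done per user in the snap-in. The following PowerShell is an added example and not code from the article or from Microsoft; the server name FS01, folder D:\Profiles, share Profiles$, domain CONTOSO and group “Roaming Users” are assumed placeholders. The root ACL follows Microsoft’s published guidance for roaming profile shares: users may only list the root and create a subfolder in it, and CREATOR OWNER receives full control of what they create, so a user can reach only the folder Windows creates for them at first logon.

```powershell
# Added example (not from the article). Part 1 runs on the file server, part 2 wherever the
# ActiveDirectory module is installed. All names (FS01, D:\Profiles, Profiles$, CONTOSO, Roaming Users) are assumed.

# --- Part 1: root folder and share with the recommended roaming-profile permissions ---
$root = 'D:\Profiles'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Drop inherited ACEs, then grant explicitly:
#   SYSTEM / Administrators : full control, inherited by everything below
#   CREATOR OWNER           : full control on subfolders and files only (IO), i.e. each user's own folder
#   Roaming Users           : list folder (RD) and create folders (AD) on this folder only (no OI/CI)
icacls $root /inheritance:r
icacls $root /grant 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' `
                    'CREATOR OWNER:(OI)(CI)(IO)F' 'CONTOSO\Roaming Users:(RD,AD)'

# Share permissions are not set automatically either; grant Full Control here and let NTFS do the restricting.
New-SmbShare -Name 'Profiles$' -Path $root -FullAccess 'CONTOSO\Roaming Users', 'BUILTIN\Administrators'

# --- Part 2: assign one folder per user, written out explicitly instead of relying on %UserName% ---
Import-Module ActiveDirectory
Get-ADGroupMember -Identity 'Roaming Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Set-ADUser -Identity $_.SamAccountName -ProfilePath "\\FS01\Profiles$\$($_.SamAccountName)"
    }

# Check which accounts now point at the share
Get-ADUser -Filter 'ProfilePath -like "\\FS01\Profiles$\*"' -Properties ProfilePath |
    Select-Object SamAccountName, ProfilePath
```

The profile folder itself is still created by Windows at the user’s first logon; the script deliberately does not pre-create it, because a pre-created folder owned by the administrator would not get the owner-based permissions Windows expects.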
Adjustments that a user makes to his or her settings are saved by Windows in the profile. Changes to a profile can, however, be prevented. A user who has been assigned a mandatory profile can still change settings during the session, but these changes are discarded at logoff. When the user logs off and on again, the settings of the mandatory profile are back in place.
A normal profile is converted into a mandatory profile by renaming the file “Ntuser.dat” in the profile folder to “Ntuser.man”; Windows then treats the profile as read-only and does not write it back at logoff. Two things are worth checking: with file extensions hidden, a rename in Explorer can silently produce “Ntuser.dat.man” or “Ntuser.man.dat”, which Windows does not recognize; and the rename is not an access control on its own, so the users who receive the profile should have only read and execute permissions on the profile folder, otherwise anyone with write access could simply rename the file back.
Mandatory profiles can be assigned to many users at once by entering the same profile path for all of them. At first logon the client loads the profile from the server. When a mandatory profile is configured, Windows always loads it, regardless of whether a locally cached profile with the user’s own settings exists on the client.
A mandatory profile is loaded at every logon. If the server or share is not reachable, Windows uses the locally cached copy of the profile (provided the user has logged on to that computer before). When the user logs on to another workstation, the profile path in the account’s properties tells that workstation to fetch the profile from the server. Renaming “Ntuser.man” back to “Ntuser.dat” turns the profile back into a normal one in which the user’s changes are saved again.
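The conversion and group assignment from the last three paragraphs, done in PowerShell rather than in Explorer and the snap-in. This is an added example, not code from the article or from Microsoft; the server FS01, share Profiles$, profile folder Mandatory.v6, domain CONTOSO and group “Kiosk Users” are assumed placeholders. Beyond the plain rename it adds the three checks a practitioner wants: read-only NTFS permissions for the users of the profile, an offline edit of the hive so the template can be changed without logging on with it, and the assignment of the suffix-less path to the accounts.

```powershell
# Added example (not from the article). Converts a profile already copied to the server into a mandatory
# profile, locks its folder down, patches its registry hive offline, and assigns it to a group.
# Assumed names: server FS01, share Profiles$, folder Mandatory.v6, domain CONTOSO, group "Kiosk Users".
Import-Module ActiveDirectory

$share  = '\\FS01\Profiles$'
$folder = Join-Path -Path $share -ChildPath 'Mandatory.v6'   # .v6: Windows 10 1607+ / Server 2016/2019

# 1. Users of the profile get read and execute only. The .man rename is not an access control by itself:
#    anyone who can write to the folder could rename the hive back.
icacls $folder /inheritance:r /grant 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' `
                                     'CONTOSO\Kiosk Users:(OI)(CI)RX'

# 2. Rename the hive. -Force is required because NTUSER.DAT is hidden and marked system. Using full literal
#    names avoids the hidden-extension trap (Ntuser.dat.man) of renaming in Explorer.
$dat = Join-Path -Path $folder -ChildPath 'NTUSER.DAT'
$man = Join-Path -Path $folder -ChildPath 'NTUSER.MAN'
if (Test-Path -LiteralPath $dat) { Rename-Item -LiteralPath $dat -NewName 'NTUSER.MAN' -Force }

# 3. Change a setting inside the mandatory profile without logging on with it: work on a local copy of the
#    hive (hives should not be loaded straight from a share), load it under HKEY_USERS, edit, unload, copy back.
#    Here AutoRun is disabled for all drive types in the profile's Explorer policies (0xFF = all types).
$work = Join-Path -Path $env:TEMP -ChildPath 'NTUSER.MAN'
Copy-Item -LiteralPath $man -Destination $work -Force
reg.exe load 'HKU\MandatoryEdit' $work | Out-Null
reg.exe add 'HKU\MandatoryEdit\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f | Out-Null
reg.exe unload 'HKU\MandatoryEdit' | Out-Null
Copy-Item -LiteralPath $work -Destination $man -Force
Remove-Item -LiteralPath $work -Force

# 4. Point every member of the group at the profile. The AD path carries NO .v6 suffix; Windows appends it.
Get-ADGroupMember -Identity 'Kiosk Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ProfilePath "$share\Mandatory" }

# 5. Verify: the only hive on the share must be NTUSER.MAN, and the accounts must carry the suffix-less path
Get-ChildItem -LiteralPath $folder -Force -File -Filter 'NTUSER.*' | Select-Object Name, Length, LastWriteTime
Get-ADGroupMember -Identity 'Kiosk Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.SamAccountName -Properties ProfilePath } |
    Select-Object SamAccountName, ProfilePath
```

Step 3 must run while no client has the profile loaded from that path; otherwise the copied-back hive and the cached copies on the clients diverge until the next logon.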
Setting the version of user profiles
Microsoft keeps extending the features of Windows, and the layout of the user profile changes with it; a profile written by a newer Windows version cannot be used by an older one. The server-stored profile therefore carries a version suffix that identifies the operating system family it belongs to. There are currently six: no suffix (Windows XP and Server 2003), .v2 (Windows Vista/7, Server 2008/2008 R2), .v3 (Windows 8, Server 2012), .v4 (Windows 8.1, Server 2012 R2), .v5 (Windows 10 versions 1507/1511) and .v6 (Windows 10 version 1607 and later, Windows Server 2016). Windows Server 2019 and the later Windows 10 releases kept .v6; no further version has been introduced. Windows appends the suffix to the name of the profile folder on the server, for example \\server\share\profile.v6, whereas the path entered in the user account contains no suffix.
Creating a default network user profile
If a default profile is to be rolled out to PCs in the enterprise, a structured approach helps. The profile should be created on a Windows 10 computer using a local administrator account: log on with that account and configure the settings that are later to apply to the users, then log off and on again with a different administrative account before copying, since the profile currently in use cannot be copied. Next, open Control Panel; in Windows 10 version 1803 and later it can be opened by typing “control panel” into the search field of the Start menu.
The quickest way to the System Properties dialog is to run “sysdm.cpl”. On its “Advanced” tab, the “Settings” button under “User Profiles” opens the list of profiles on the machine. There the “Default” profile is selected and copied with “Copy To” (in Windows 10 the button is only enabled for the default profile, which is why the prepared settings must first be transferred into it, for example with Sysprep’s CopyProfile option). In the “Permitted to use” field of the copy dialog, the group “Everyone” must be entered so that every user is allowed to load the profile, and then the target path is selected. Microsoft provides further details on the page “Create mandatory user profiles”.
Folder redirection within profiles
Windows 8/8.1/10, like earlier versions, can redirect individual folders within the profile (Documents, Desktop, AppData\Roaming and others) to a server share. The data then no longer travels with the profile, which keeps server-stored profiles small and shortens logon times. Folder redirection is configured through Group Policy; the settings are found in the Group Policy Management Editor under “User Configuration/Policies/Windows Settings/Folder Redirection”. Each folder can also be redirected depending on security group membership (the “Advanced” target option), so different departments in the organization can use different network locations; this option is available on Windows Server 2016 as well as on earlier server versions.
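Whether a redirection policy actually took effect is best verified on the client, because Windows records the result per user in the registry. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the “User Shell Folders” entries that the Folder Redirection client-side extension rewrites at logon and reports which known folders now point to a UNC path. The registry key and value names are real; the expected share \\FS01\Redirect$ used for the plausibility check is an assumed name.

```powershell
# Added example (not from the article). After a user has logged on with a Folder Redirection policy, the
# Folder Redirection client-side extension rewrites the per-user "User Shell Folders" values. Reading them
# back shows which known folders live on the network and which are still inside the local profile.
function Get-RedirectedShellFolder {
    param(
        # Assumed root of the redirection share; used only to flag folders redirected somewhere unexpected
        [string]$ExpectedRoot = '\\FS01\Redirect$'
    )
    $key     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $entries = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip the provider's own PSPath/PSParentPath etc.
        # Values are REG_EXPAND_SZ (e.g. %USERPROFILE%\Desktop); Get-ItemProperty expands them, but expanding
        # again is harmless and covers values read through other means
        $target    = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
        $onNetwork = $target.StartsWith('\\')
        [pscustomobject]@{
            Folder     = $prop.Name                        # e.g. Desktop, Personal (= Documents), AppData
            Target     = $target
            Redirected = $onNetwork
            Unexpected = $onNetwork -and -not $target.StartsWith($ExpectedRoot, [StringComparison]::OrdinalIgnoreCase)
        }
    }
}

# Redirected folders first; an "Unexpected = True" row means a folder points to a share other than the
# one the policy is supposed to use and deserves a closer look
Get-RedirectedShellFolder | Sort-Object Redirected -Descending | Format-Table -AutoSize

# The policy engine's own view: confirms that the Folder Redirection extension ran for this user
gpresult.exe /r /scope:user
```

The “Unexpected” column is the security-relevant one: a redirected folder that points at a share the administrator did not configure means either a stale policy or a user hive that has been tampered with, and both should be investigated before the user’s data keeps flowing there.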