Updated: March 12, 1996
ABSTRACT: Windows 95 allows easier user and system management through User Profiles and System Policies. Established by the user, network administrator, or MIS professional, User Profile components include Windows 95 settings (for example, background, font selection, shortcuts), network settings (network connections and shared resources), and application settings (menu/toolbar configurations and application window configuration preferences). System Policies extend a network manager's range of desktop control and are designed to supersede any settings that may exist in User Profiles or Hardware Profiles. The System Policy Editor, a tool that helps set system policies, allows network administrators to effectively manage and modify network policies or user configurations for all networked Windows 95 users. An annotated bibliography lists TechNet CD sources of documentation, Knowledge Base articles, and additional information.
Introduction
User and System Management in Windows 95
Windows 95 Registry Logistics
User Profiles and the Windows 95 Registry
System Policies: Crowd Control Barriers for Novice Users
Before You Implement User Profiles and System Policies
More Information
As a Help desk manager or network administrator, how much confidence do you really have in your users' computer literacy? Focus groups recently conducted by the TechNet team suggest 'not much.' User management tools in Windows 95 give network administrators the flexibility to customize the look and feel of networked PCs on the basis of their users or the hardware itself. A writer for PC Week points out:
Windows 95 heeds my call for user safety nets. It will let me set up user profiles and disable portions of the Control Panel. What a feeling of power. I don't want to hear about any more helpdesk calls from users who accidentally uninstalled their printers or set all system colors to be blue and want to know what's wrong with their monitor.
Christine Comaford, PC Week, April 24, 1995.
Facilitating the day-to-day chores of user management is by no means novel. The System Policy Editor, a Windows 95 tool network managers use to define their users' desktop environments, appeared in various forms in MS LAN Manager, Windows NT, and Windows for Workgroups. In fact, the tool wasn't integrated into Windows 95 until after the Beta-1 release in June 1994. Now, in conjunction with the Registry Editor, the System Policy Editor acts as the network manager's front-line resource for enabling, disabling, and customizing system capabilities.
In this piece we'll examine user profiles and system policies as they relate to you, the MIS professional, Help desk manager, or network administrator. At the end of this piece, a complete annotated bibliography will highlight other avenues you can explore for further information on these subjects.
In April 1993 the Chicago Feature Specification had evolved into much more than a quick pre-meeting read. Steadfastly approaching its eighth comprehensive revision and tightly printed across more than 200 pages, the recipe for Microsoft's latest version of Windows based itself on a number of requirements and areas for improvement. The requirements included:
· Compatibility
· Performance equal to or better than Windows 3.1 on a 4-MB system
· Robustness
And the areas for improvement included:
· Great setup and easy configuration (Plug and Play)
· New shell and user interface visuals
· Integrated and complete protect mode operating system
· Great network client, peer server, and workgroup functionality
· Great mobile computing environment
· Windows 32-bit application support
The Windows 95 team's achievement of these goals already points to the operating system's success. Usability studies coupled with documented feedback from Windows 95 Beta testing sites indicate that the operating system makes users more productive, reduces support time and cost, facilitates a smooth migration from previous versions of Windows, and gives MIS departments more control over their users' desktops. How MIS departments and network managers can leverage this control to more easily support their users and manage networked Windows 95 PCs is the topic of this piece.
CONFIG.SYS, AUTOEXEC.BAT, WIN.INI, and SYSTEM.INI: artifacts of Windows 3.1 we all would like to forget. You know the support song and dance; however, let's reflect on configuration management done the old-fashioned way:
· path statements resembling novellas
· information scattered across many locations: WINFILE.INI, PROTOCOL.INI, SYSTEM.INI, MSMAIL.INI, private .INI files, private .GRP files
· text-based .INI files limited to 64 KB and APIs that allowed only for get/write operations
· several hundred different switches and entries, which practically required a computer science degree to configure
· .INI files that couldn't store user-specific information, thereby making multiple user access to computers difficult
· .INI files made local to each system, sans API mechanisms to enable remote administration
The days of tweaking .INI files came to an end with Windows NT and the concept of a Registry. Windows NT's nifty utility, the Registry Editor (REGEDT32.EXE), used in conjunction with the Windows NT Diagnostics tool (WINMSD.EXE), gave experienced users the ability to view and edit configuration information stored in the Registry. The Registry made systems easier to manage by acting as a central, one-stop repository of seemingly random information: computer hardware the system used, software installed on the system, and the system's user profiles. Furthermore, the Registry alleviated configuration management and support woes by allowing secure, remote access to user- and system-specific information on networked systems.
Conceptually speaking, the Windows 95 Registry falls somewhere between Windows 3.1's Registration Database and Windows NT's Registry. On the minimalist end, the Registration Database in Windows 3.1 stored file associations and OLE registration information. Windows NT's Registry was comprehensive in that it stored everything (hardware settings, software installed), allowed other applications a repository to store configuration data, and completely did away with all of the plain text files that Windows 3.1 used.
The Windows 95 Registry falls in the middle of the two. Like Windows NT's Registry it is extremely comprehensive; however, the Windows 95 Registry continues to process files like CONFIG.SYS, AUTOEXEC.BAT, and WIN.INI. Why? Primarily because Win16-based applications expect to find and manipulate the WIN.INI and SYSTEM.INI files to add entries or load unique device drivers.
Besides solving the proliferation and system-wide distribution of .INI files, the Windows 95 Registry simplifies the setting of system switches, plays a pivotal role in Plug and Play implementation, and, because many of the Win32 Registry APIs use the remote procedure call (RPC)**, allows remote access to Registry information. In addition to helping placate MIS managers, network querying of information coupled with the use of RPC enables the custom development of industry management mechanisms like Simple Network Management Protocol (SNMP) and Desktop Management Interface (DMI), which can subsequently be used with Windows 95.
Because of the Registry's complexity and its central role in the Windows 95 desktop system, it is recommended that changes and settings be established by experienced network managers or Help desk staff. Note that Microsoft doesn't support changes made to the Windows 95 Registry.
What exactly is the Windows 95 Registry and how are user profiles and system policies integrated within it? The Windows 95 Registry is a hierarchically organized data store of system, user, and policy information organized into two .DAT files. The SYSTEM.DAT file contains PC-specific information while the USER.DAT file contains user-specific information. Almost all of the network, hardware, and security parameters you establish update the HKEY_LOCAL_MACHINE portion of the Registry, which subsequently updates the SYSTEM.DAT file. Likewise, desktop settings, like application preferences, screen colors, and security access permissions, update the HKEY_CURRENT_USER portion of the Registry, which updates the USER.DAT file.
An administrator can locally or remotely use the Windows 95 Registry Editor (Figure 1) to read and write values that are contained in the User Profiles and the Hardware Profile of the Registry. Both files, USER.DAT and SYSTEM.DAT, can be relocated to a server to enable a network administrator to remotely manage a user's or workgroup's PC environment. This scenario also enables Windows 95 to be run on a diskless or remote initial program load (RIPL) workstation.
Figure 1 Windows 95's Registry Editor
In another scenario, the SYSTEM.DAT file might be located on the PC's local drive, while the USER.DAT file is located in the user's logon directory on a network server. This configuration would enable 'roving' users to maintain their own network connections and desktop configurations.
Finally, the Registry and all of the other system files can be located on a local hard disk. In this scenario, multiple users, with unique logon usernames and user profiles, can share a single Windows 95 PC.
Because users can write values to their USER.DAT files, an administrator may choose to create a mandatory user profile, a USER.MAN file. By creating a USER.MAN file, placing it in a user's network directory, hiding the file, and making it read-only, an administrator can mandate certain settings and system configurations. On a Windows NT network the network directory is the user's home directory, and on a NetWare network it's the user's mail directory. Whether the USER.MAN is located on the user's hard drive or on a server, when a user enters a logon name and password on a Windows 95 PC, the settings established in this file are downloaded to the user's Registry rather than their specific USER.DAT file settings. Network administrators have the option to enable user override capabilities.
By enabling User Profiles through the Passwords option in Windows 95's Control Panel, you can establish any of the following settings:
· A custom background, desktop layout, and display resolution
· Network connections, preferred server, and shared resources
· Menu, toolbar, and window configuration preferences
As mentioned earlier, user profile files can be placed on a dedicated server. Upon logging on to any Windows 95 user profile-enabled PC, a user can automatically work in their custom-tailored, pre-established environment anywhere on the network. The username and logon password trigger Windows 95 to automatically reconfigure the desktop based on the user's user profile settings. If specified in the USER.DAT file, Windows 95 will limit or grant access to network and print resources as well as implement sharing capabilities. Of course, a user's profile preferences will not override system configuration parameters preset on a PC. For example, suppose a user had established a certain network connection in their user profile (USER.DAT) and tried to establish that same connection on a different user profile-enabled Windows 95 PC. If the PC had a SYSTEM.DAT file or a USER.MAN file that specifically did not grant access to the desired network connection, the user would be out of luck.
For more information on setting up user profiles on Windows NT and Netware networks check out the Setting Up User Profiles on a Windows NT Network and Setting Up User Profiles on a Netware Network sections of the Windows 95 Resource Kit, Chapter 15.
The benefits of using user profiles are obvious:
· Users on the move, like support specialists, Help desk managers, or corporate technicians can log onto the network from any Windows 95 32-bit, protected-mode client, and feel right at home on any PC. There is no need to establish new connections to corporate support servers or regain access to normally restricted applications.
· User profile maintenance is a no-brainer. If the User Profile option is enabled, changes to a user's USER.DAT file are maintained automatically. This pertains to user profiles stored locally or remotely.
· Users who habitually map network directories to the wrong letter, change the 3-D corporate logo background, or forget specific print shares will not be support nightmares if mandatory user profiles are used.
A PC Computing editor described System Policies as:
...crowd control barriers that keep individual users from wandering off the main road into tech-support wilderness.
Matthew Lake, PC Computing, Dec. 1994.
System Policies give network administrators comprehensive control over their users' Windows 95 PCs. System Policy settings are established in a CONFIG.POL file that is located on a logon server, not a local computer. Settings established in the CONFIG.POL file are maintained on a network server and then copied to a user's local Registry on logon, overwriting settings contained in the USER.DAT and SYSTEM.DAT Registry sections (Note: Both Windows NT and Netware networks are supported as network servers; however, consult the Preparing to Use System Policies on the Network section in the Windows 95 Resource Kit for information on support for automatic and manual downloading of these files). To understand system policies it's important to understand how they differ from mandatory user profiles (USER.MAN):
· System policies are much more comprehensive than mandatory user profiles in that they allow an administrator to mandate both user-specific and computer-specific settings. Mandatory profiles allow control over user-specific settings only.
· System policies are much more flexible to use because they allow an administrator to establish a subset of user settings to control and allow the user to control the remaining settings. Mandatory user profiles control every user-specific setting.
Both system policies and mandatory user profiles are ways to mandate user settings; a network administrator should choose to employ one method and not both.
Using the System Policy Editor (POLEDIT.EXE) (Figure 2) an administrator can seamlessly set a user's system policies through an intuitive, easy-to-use GUI. The editor is located on the Windows 95 compact disc in the \ADMIN\APPTOOLS\POLEDIT directory.
Figure 2 Windows 95's System Policy Editor
As with user profiles, the target computer must have user profiles enabled before system policy settings can be established. Take a look at the following system policy settings overview to understand the set of policy options available in Windows 95. These are just some of the system policy settings.
Option | Examples
Restrict access to control panels | Hide the Display Control Panel, Network Control Panel, and Passwords Control Panel
Restrict printer settings | Disable deletion of printers and hide the General and Details property sheets for the printer
Define user profiles for desktop settings | Wallpaper and color scheme are predefined
Restrict access to network settings | Disable file and print sharing
Restrict access to shell settings | Hide Start menu subfolders and custom Start menu, remove Run and Find commands, disable Shut Down command, and hide Network Neighborhood
Restrict access to system settings | Disable Registry editing tools, only run allowed Windows applications, and disable MS-DOS prompt

Option | Examples
Enable user-level security | User-level access control through pass-through validation by a Windows NT or Netware server
Establish custom logon banner | Type values for a caption and text displayed in a Logon banner
Microsoft client for Windows networks | Enable participation in Windows NT domain or workgroup
Password settings | Disable password caching and require alphanumeric Windows password
Dial-up Networking | Disable dial-in connections to the computer
Sharing | Disable file and print sharing
One of the system policy options I find to be especially nifty is the Enable User Profiles option. If you plan to enable user profiles on a number of networked Windows 95 PCs and don't want to travel to each PC to enable the option, you can create a system policy that can be downloaded automatically when the initial Windows 95 installation is complete, which is a huge time-saver. Check out the Windows 95 Resource Kit for a complete list of system policy options.
To understand when to use mandatory user profiles or system policies let's establish a couple of scenarios and evaluate what functionality might be employed.
A configuration in which you want to impose restrictions on many similar nodes is one in which system policies are appropriate. Suppose you're the network administrator of a university with 25,000 student nodes. Maintaining a single, global CONFIG.POL file to enforce network-wide system or user restrictions would make sense. Unlike with user profiles, system policy restrictions like removing the Run command from the Start menu, which prohibits users from running applications using the Run command in the Start menu, and Hide All, which prevents users from making any changes to Control Panel or Printer settings, are available.
Maintaining an extremely secure, customized, enterprise-wide environment would also be a situation to employ system policies. For example, five Add Custom options available in system policies (Add Custom Desktop Icons, Add Custom Programs Folder, Add Custom Startup Folder, Add Custom Network Neighborhood, and Add Custom Start Menu) offer administrators an opportunity for corporate customization by defining a program group containing corporate applications, applications that run at system startup, a custom Network Neighborhood, or a custom Start menu with standard choices. The system policy restrictions Disable File and Printer Sharing, Disable Registry Editing tools, and Disable Dial-up Networking are standard safety precautions for most corporate environments, and they are unavailable when you maintain a mandatory user profile.
Mandatory user profiles are excellent when you need to support a distinct set of users with the same needs for system access, application availability and network connections. In a banking environment, for example, you could assign a mandatory user profile called TELLER.MAN. All tellers assigned to the 'teller group' would use this standard profile and work in the same desktop environment. Global 'teller group' changes could be enforced by modifying TELLER.MAN. Because global customization and security are not as necessary in this situation, mandatory user profiles would make the most sense. Furthermore, other mandatory profiles could be established, like LOANOFIC.MAN. This mandatory user profile could be used to manage all loan officers.
Now, before you start mandating that all your networked users use MYDOGSPIKE.BMP as a default system background you might want to consider the following issues.
If user profiles are the route you're headed toward, think about these points:
· What user-specific or system-specific settings would you like to control?
Necessary and over-protective control are important issues to resolve. Ask yourself what level of control is essential to maintaining a secure, supportable PC environment. You don't want users thinking you're Big Brother.
· Do you want to use system policies for user settings instead of mandatory user profiles?
Remember that to use system policies user profiles must be enabled on the computer. Also consider the scope of control and customization you're looking for.
· Are traveling users an important reason for user profile implementation?
Besides having 32-bit, protected mode network clients, each roving user must have a home directory on the network where user profile files, like USER.DAT, are kept.
· If you choose to use user profiles, are mandatory user profiles necessary?
A mandatory user profile requires an administrator to copy the necessary files to each user's network.
If System Policies are more appropriate for your network configuration, consider these issues:
· What types of restrictions are necessary to enforce? Will you jeopardize user productivity by limiting certain options?
Limit access to the MS-DOS prompt, the Start menu, or the Run command.
· What type of network architecture will you be using? How many servers are in use? How many users are supported? What is the typical logon process?
Typical customization schemes are accomplished by grouping individuals in a corporate environment into logical workgroups. For example, you might want to consider whether you will be assigning application availability on the basis of a user's membership in a specific company team: marketing, accounting, system support personnel, or administration. Uniform logon procedures for groups of users, as well as users sharing one computer, will also impact decisions concerning system and user customization.
· Do Windows 95 system policies meet your administration needs?
For higher levels of administration consider using Microsoft Systems Management Server.
After asking yourself these questions you might want to investigate some system policy templates. The System Policy Editor opens a default policy template on startup. Custom templates are useful because they list only the specific policies an administrator ought to consider restricting or setting for a given environment. For example, if you were the lead network administrator in your company you could develop three or four template examples for administrators below you to set. These 'second-level' administrators would not have to worry about what parameters to restrict or set, only what degree of restriction or access was necessary. For a detailed example of a Maximum- and a Minimum-level System Policy template, see the online examples provided with the Windows 95 Resource Kit utilities.
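As an added illustration (not one of the Resource Kit templates and not part of the original article), here is a small custom template of the kind a lead administrator could hand to second-level administrators, exposing only restrictions named in the tables above. The captions in the [strings] section are made up for this example, and the registry key and value names are given as assumptions based on the stock ADMIN.ADM template; compare them with the copy shipped in \ADMIN\APPTOOLS\POLEDIT before use.

```adm
; Constructed example: a cut-down policy template for the System Policy Editor.
; Captions are hypothetical. Key and value names are assumed to match the
; stock ADMIN.ADM and should be checked against it before deployment.

CLASS MACHINE
; Computer-specific settings (written under HKEY_LOCAL_MACHINE)

CATEGORY !!NetLockdown
    KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Network
    POLICY !!NoFileShare
        VALUENAME "NoFileSharing"
    END POLICY
    POLICY !!NoPrintShare
        VALUENAME "NoPrintSharing"
    END POLICY
    POLICY !!NoDialIn
        VALUENAME "NoDialIn"
    END POLICY
    POLICY !!NoPwdCache
        VALUENAME "DisablePwdCaching"
    END POLICY
END CATEGORY

CLASS USER
; User-specific settings (written under HKEY_CURRENT_USER)

CATEGORY !!ShellLockdown
    KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    POLICY !!NoRun
        VALUENAME "NoRun"
    END POLICY
    POLICY !!NoFind
        VALUENAME "NoFind"
    END POLICY
END CATEGORY

CATEGORY !!SystemLockdown
    POLICY !!NoRegedit
        KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\System
        VALUENAME "DisableRegistryTools"
    END POLICY
    POLICY !!NoDosPrompt
        KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
        VALUENAME "Disabled"
    END POLICY
END CATEGORY

[strings]
NetLockdown="Corporate network lockdown"
NoFileShare="Disable file sharing"
NoPrintShare="Disable print sharing"
NoDialIn="Disable dial-in connections to the computer"
NoPwdCache="Disable password caching"
ShellLockdown="Corporate shell restrictions"
NoRun="Remove Run command"
NoFind="Remove Find command"
SystemLockdown="Corporate system restrictions"
NoRegedit="Disable Registry editing tools"
NoDosPrompt="Disable MS-DOS prompt"
```

Because the template lists only these eight policies, an administrator working from it decides how strictly to apply each one rather than which Registry parameters to touch.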
Used responsibly and in conjunction with a logical support and systems management plan, user profiles and system policies offer an effective means of minimizing Help desk calls and managing PCs throughout a Windows 95 network.
Note: Microsoft doesn't support changes made to the Windows 95 Registry.
The following resources are all available on the TechNet disc.
Document | Location
Windows NT 3.5 Resource Kit | MS BackOffice and Enterprise Systems, MS Windows NT Workstation, Resource Kit Version 3.5
Windows 95 Resource Kit | Personal Systems, MS Windows 95, Resource Kit
Q128624: How to Create and Assign User Profiles for Users in a Domain | Microsoft Knowledge Base
Q121618: Saving Workstation Default User Profiles for a Domain | Microsoft Knowledge Base

Document | Location
Microsoft Windows NT Server System Guide | Not on the TechNet CD. Ships with the product.
Introducing Microsoft Windows 95: The Next Generation of Microsoft Windows | Microsoft Press: ISBN 1-55615-860-2
Inside Windows 95 | Microsoft Press: ISBN 1-55615-626-X
Inside Windows NT | Microsoft Press: ISBN 1-55615-481-X
"Windows 95: for Deadheads and Suits." | Lake, Matthew, PC-Computing, Dec. 1994, volume 7, number 12, p62(1)
"Microsoft, Keep Out!" | Raskin, Robin, PC Magazine, June 13, 1995, volume 14, number 11, p30(1)
"Managing Win95 Over a Net." | Harper, Eric, LAN TIMES, April 24, 1995, volume 12, number 8, p126(1)
"It's Better Not to Judge a New OS by its Cover" | Comaford, Christine, PCWeek, April 24, 1995, volume 12, number 16, p22(1)
"A Good Product Just Got Better" | Luoma-Hopson, Casey, Data Based Advisor, Feb. 1995, volume 13, number 2, p26(2)
"How to Ride the Win95 Marketing Wave" | Davis, Dwight B., Windows Watcher, Feb. 1995, volume 5, number 2, p1(1)
"Windows 95 Tool Gives Administrators Control" | Harper, Eric, LAN TIMES, May 8, 1995, volume 12, number 9, p103(2)
"Win 95 Scripts" | Watterson, Karen, Windows Sources, April 1995, volume 3, number 4, p161(3)
"Windows 95: A Distributed Computing Platform" | Goulde, Michael A., Distributed Computing Monitor, June 1995, volume 10, number 3, p34(6)
Microsoft TechNet
August 1995
Volume 3, Issue 8
(**A message passing facility that enables a distributed application to call services available on various computers in a network without regard to their locations. Remote network locations are handled automatically. RPC provides a procedural view, rather than a transport-centered view, of networked operations.)
©1996 Microsoft Corporation