To ensure that you have control of the resources users can access in your domain environment, you must first be able to identify users, and then be able to identify the rights and permissions associated with those user identities. In the Microsoft Windows Server Active Directory service, users are represented by individual user objects.
These objects are used for authentication purposes and the configuration of user environment settings. To be able to manage users, groups and computers effectively, you need to know how to create, modify and delete these objects.
User profiles define the following: individual display settings, network and printer connections, and other specified settings. The user profile allows the user to define and customise their desktop or, if you have mandatory profiles, allows the system administrator to define desktop settings that users are unable to modify. (This promotes corporate identity, as all desktops look the same, and makes fault finding easier, as all settings are the same.)
There are four types of user profile, described below.
Local user profile
A local user profile is created the first time you log on to a computer and is stored on that computer's local hard disk. Any changes made to your local user profile are specific to the computer on which you made the changes. So, if someone else logs on to that computer after you, they will have the settings that you specified. (This is why roaming profiles were introduced; see below.)
Roaming user profile
A roaming user profile is created by the system administrator and is stored on a server. This profile is specific to a user and is available every time that user logs on to any computer on the network. Changes made to a roaming user profile are updated on the server. To create a roaming profile, you first have to create a user account in Active Directory.
Mandatory user profile
A mandatory user profile is a roaming profile that can be used to specify particular settings for individuals or an entire group of users. Only users with administrator rights can make changes to mandatory user profiles. This is useful if you want to give different groups of users their own settings, but you do not want them to be able to change them. Therefore, the system administrator customises profiles, not the user.
Temporary user profile
A temporary profile is issued any time that an error condition prevents the user’s profile from being loaded. Temporary profiles are deleted at the end of each session. Changes made by the user to their desktop settings and files are lost when the user logs off. So if you log in and get an error message when Windows tries to access your profile, be aware that the temporary profile will not have your customised settings and you will lose any changes you make to it.
Managing user profiles
You manage user profiles under Active Directory Users and Computers. Before you create a profile, you create the user account that is going to use it. Then you right-click the user account, select Properties and pick the Profile tab. If you store the user profile on a server (the server does not need to be a domain controller), then when the user logs on, Windows checks to see whether a user profile path exists. If it does, it finds the user profile and loads it on to whatever local computer the user logs on to. This means that any changes the user makes to the settings follow them, whatever local computer they use. To manage user profiles, you must be a member of the Enterprise Admins, Domain Admins, or Account Operators group, or you must have been delegated the necessary permissions.
The picture above shows the screen displayed when you right-click a user. When you click on the Profile tab you see the screen shown below.
If you want the user's home folder stored on a server, which means their My Documents folder would be stored centrally and so be easier to back up, then you fill in the Full path. That is, if the server was SERVER1, the share name was SHARED and the user name was jsmith, then the profile path would be \\SERVER1\SHARED\jsmith
If you have created roaming profiles for users and want them to be mandatory roaming profiles (which users cannot change), simply give the profile the file extension .man when you enter the full path name for the profile.
In order to learn how to create and manage user profiles, follow the step-by-step instructions below. You may wish to carry these steps out yourself on a physical system or a virtual installation.
Select Active Directory Users and Computers from Administrative Tools. A screen similar to the one shown immediately below is displayed.
The Users container is opened by default and its contents displayed in the right-hand pane. When you create users, you initially create them here.
- Select Action, then New, then User.
- Fill in the user details as Bill Yoursurname and Ben Yoursurname with User logon names of BillYoursurname and BenYoursurname.
- Make the password P@ssw0rd (so that it meets complexity requirements for upper- and lowercase and numbers) and select User cannot change password.
- Right-click the user and select Properties.
- Select the Profile tab and in Profile enter the path for where you want the roaming profile kept. The picture below gives an example.
Once you have set up both users’ profiles, ensure that they can log on locally. (You do this by opening Domain Controller Policy from Administrative Tools, selecting Local Policies, selecting User Rights Assignments and adding them to Logon Locally.)
If you have followed the steps, you can now test that the settings have worked by:
- Logging on as Bill, changing the background and then logging off.
- Logging on as Ben and checking that you have the original background, not Bill's.
Once you have made sure this is the case, change the background (to a different one from Bill's) and log off. Log on as Ben and check that you have the changed background, then log off. Then log on as Bill and check that you see Bill's background, and log off.
Roaming profiles are generally used over a network, not when logging on locally to the Domain Controller. If you want to implement this over a network, do the following (not step-by-step), using the users you have already set up in Active Directory, BillYoursurname and BenYoursurname:
- Set up an additional profile for Bill called Flowerpot.
- Store Bill's and Ben's profiles in a shared folder called Puppets, which you will need to create and share with the share name Puppets. On your computer, the profile path will be in the form:
- If you use the wildcard %username%, Windows automatically fills in the user name for you.
- Log on to a computer that is in your domain.
- To join a computer to a domain, first ensure it is booted into a client operating system such as Windows 7, that it is in the same subnet, and that the Domain Controller which holds the users is set as its DNS (Domain Name System) server.
DNS is one of the pre-requisites when you install Active Directory. If you do not already have this installed, Windows installs it for you, with the Domain Controller as the DNS Server.
- Right-click on Computer and then click Properties. On the next screen click Change Settings. The following screen should appear:
- Click on Domain and enter the name of the domain you wish to join. If you do not have the correct DNS server, are on a different subnet, or have mistyped the domain name, you will get the message shown below:
- If the system can contact the domain controller, you will be asked to enter an administrator user name and password from the Domain Controller's system. Once you have been successfully authenticated, you will receive a message telling you that you have now joined the domain.
- Log on as Bill and change the screensaver, then log off.
- Now log on as Ben and change the desktop theme. (When you log on as Ben, check the screensaver; you should still have the original.)
- Now log on as Bill and check that you have kept the changes to the screensaver and that the theme is the original one. (To change screensavers and themes go into Display properties from the Control Panel).
- Once you have carried out these tasks, go back to the Profile tab of Bill's user account and change the file extension in Bill's profile path to .man.
- Log on as Bill, change the background, then log off and on again. Have the changes been kept? Bill will have lost the changes when he logged off, because you have changed his roaming profile to a mandatory roaming profile and he does not have the authority to make changes to it.
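The same account creation from the first exercise and the conversion of Bill's profile to a mandatory one from the second, as an added PowerShell example that is not part of the original tutorial. It assumes the ActiveDirectory module (RSAT) is installed, that a share called Puppets already exists on an assumed server named SERVER1, and that the script runs as a member of Domain Admins or Account Operators.

```powershell
# Added example (not from the original tutorial). Assumes the ActiveDirectory
# module is available, the share \\SERVER1\Puppets already exists (SERVER1 is an
# assumed name), and the caller has Domain Admins or Account Operators rights.
Import-Module ActiveDirectory

$Surname      = 'Yoursurname'           # replace with your own surname, as the exercise says
$ProfileShare = '\\SERVER1\Puppets'     # assumed server and share name from the exercise
$Domain       = (Get-ADDomain).DNSRoot

# The exercise password; it satisfies the default complexity rules (upper, lower, digit).
$Password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force

foreach ($Given in 'Bill', 'Ben') {
    $Sam = "$Given$Surname"             # logon names BillYoursurname / BenYoursurname
    # The Profile tab expands %username% when you save; here we substitute
    # the logon name ourselves so the stored path is explicit.
    New-ADUser -Name "$Given $Surname" -GivenName $Given -Surname $Surname `
        -SamAccountName $Sam -UserPrincipalName "$Sam@$Domain" `
        -AccountPassword $Password -CannotChangePassword $true -Enabled $true `
        -ProfilePath "$ProfileShare\$Sam"
}

# Turn Bill's roaming profile into a mandatory roaming profile by adding the
# .man extension to the path, exactly as the exercise does in the Profile tab.
# (Clients running Windows Vista or later append .V2 to the folder name on
# the share, so the folder Bill uses will be Bill<Surname>.man.V2.)
$Bill = Get-ADUser -Identity "Bill$Surname" -Properties ProfilePath
Set-ADUser -Identity $Bill -ProfilePath "$($Bill.ProfilePath).man"

# Report both accounts and flag which profile paths are now mandatory, so an
# administrator can check the change without logging on as each user.
Get-ADUser -Filter "Surname -eq '$Surname'" -Properties ProfilePath |
    Select-Object SamAccountName, ProfilePath,
        @{ Name = 'Mandatory'; Expression = { $_.ProfilePath -like '*.man' } } |
    Format-Table -AutoSize
```

Before either user can log on to a domain controller, the "Allow log on locally" right from the Domain Controller Policy step still has to be granted; this script does not change that policy.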