Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  


March 2004

Inside User Profiles

Understanding how user profiles work

Note that mandatory profiles have a slightly different naming convention. A normal mandatory profile is one in which the ntuser.dat file has been renamed to ntuser.man. A super mandatory profile is a roaming profile in which the profile path ends in .man. For example, a roaming profile path called \\server\profiles\stdprofile.man\ specifies a super mandatory profile.

Inside Profile Creation
The key to solving the mysteries of user profiles is to understand their wily ways, and to do that, you need to understand how Windows creates a profile. At a high level, the process is simple: If a user logs on to a Windows workstation for the first time and doesn't have a profile—either cached on the workstation or on a roaming server share—Windows creates a new default profile for that user. However, the process is more involved than you might think. Let's step through the user profile-creation process so that you can understand it thoroughly. Along the way, we'll review some details about profile creation that will help you if you ever need to troubleshoot profile problems. Because subtle differences exist in profile behavior among Microsoft's OS versions, I'm going to stick with XP in my example. This example assumes that a new AD domain user for whom you've defined a roaming profile path is logging on to the domain and to his or her workstation for the first time.

  1. When a user logs on, Windows first checks the user's AD account to see whether a roaming profile path is defined.
  2. Next, Windows pings the connection to the profile share to determine whether it's a slow link. A roaming profile download behaves differently if the OS detects a slow link. The slow link threshold is defined through Group Policy and defaults to 500Kbps.
  3. After determining that you're not on a slow link, Windows checks the NTFS ownership of the roaming profile directory to ensure that it's owned by either the user who is logging on or the local Administrators group. This step is a new check as of XP Service Pack 1 (SP1) and Win2K SP4, and it ensures that someone hasn't tried to create a forged roaming profile that a user would download inadvertently.
  4. Assuming the check in Step 3 is successful, Windows checks the roaming profile directory for the existence of either ntuser.dat or ntuser.man (indicating a mandatory profile). If neither exists, as in the case of a brand new user, Windows proceeds to the next step.
  5. Windows determines whether the workstation has a cached copy of the user's profile in C:\documents and settings. However, instead of looking in the file system on the workstation, the OS consults the registry; all legitimate user profiles that are cached on a workstation must be registered under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList registry subkey. Within the ProfileList subkey, all users who have a locally cached profile will have a key that contains a unique SID that refers to that user. This key contains values that identify in which folder the user's local profile is cached, the path to the user's roaming profile, and other information about when the profile was last written and its state.
  6. If Windows determines that no roaming or local profile exists, it creates the appropriate entry in the registry, as I described in Step 5, then creates the user's local profile directory in the Documents and Settings folder.
  7. Next, Windows issues the user a new default profile. You can control which default profile a user receives by using one of two methods. First, you can place a default user profile on the Netlogon share of your AD domain controllers (DCs)—specifically under \\<DC ServerName>\netlogon\default user. Windows checks this folder first to see whether you've put a default user profile there; if you haven't, Windows takes the default profile found on the local workstation under \%systemroot%\documents and settings\default user. If you provide your own default profile to either the Netlogon share or the local default user folder, the profile must be complete; it must contain all the folders and the ntuser.dat file that a profile expects to have. The Netlogon approach is much easier to maintain, but if you decide to use the default user folder on the local machine, you can include a default profile in your standard workstation image.
  8. After the system finds the correct path for the default user profile, it copies the contents of that folder to the user-specific folder under Documents and Settings. More important, Windows sets file-system security on the \%systemroot%\documents and settings\%username% folder so that only the user's account and the local Administrators group on the workstation have Full Control access. And, because ntuser.dat is a registry hive file and the registry has security permissions associated with it, when the system copies this file from the default user profile location, the registry keys within the hive are set to the same permission that's set for the file portion of the user's profile. Therefore, only the user and members of the local Administrators group can access the settings in this profile. This is an important fact because it means that you can't simply copy a user's profile directory from one user to another. Even if you change the permissions on the file portion of the profile, the registry permissions will still point to the original user. To resolve this problem, you have two options: You can open the Control Panel System applet, select the Advanced tab, click Settings under the User Profiles section to open the dialog box that Figure 3 shows, and click Copy To, or you can take advantage of the Microsoft Windows 2000 Resource Kit's moveuser.exe utility. For more information about this utility, read Inside Out, "Move User Profiles," July 2003, http://www.winnetmag.com, InstantDoc ID 39192.
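
The checks from Steps 3, 5 and 8 can be reproduced as a read-only audit of a workstation. The following PowerShell is an added example, not code from the article; it assumes PowerShell 3.0 or later, treats the SYSTEM account as an expected owner and ACL entry alongside the user and Administrators, and uses the hypothetical helper name Test-ProfileDir.

```powershell
# Added example: read-only audit of the profiles registered under ProfileList.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$sidType     = [System.Security.Principal.SecurityIdentifier]
# Administrators (per Steps 3 and 8) plus SYSTEM (assumption: normally present too)
$trusted     = @('S-1-5-32-544', 'S-1-5-18')

function Test-ProfileDir {   # hypothetical helper name
    param([string]$Path, [string]$UserSid, [switch]$OwnerOnly)
    if (-not $Path) { return 'n/a' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $acl      = Get-Acl -LiteralPath $Path
    $owner    = $acl.GetOwner($sidType).Value
    $findings = @()
    # Step 3: the directory must be owned by the user or by Administrators
    if ($owner -ne $UserSid -and $trusted -notcontains $owner) {
        $findings += "unexpected owner $owner"
    }
    # Step 8: nobody but the user and Administrators should be granted access
    if (-not $OwnerOnly) {
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            $who = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and
                $who -ne $UserSid -and $trusted -notcontains $who) {
                $findings += "extra ACE $who ($($rule.FileSystemRights))"
            }
        }
    }
    if ($findings) { $findings -join '; ' } else { 'ok' }
}

# Step 5: each cached profile is a subkey named after the user's SID
Get-ChildItem -LiteralPath $profileList |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |   # skip service accounts
    ForEach-Object {
        $sid   = $_.PSChildName
        $entry = Get-ItemProperty -LiteralPath $_.PSPath
        $local = [Environment]::ExpandEnvironmentVariables([string]$entry.ProfileImagePath)
        [pscustomobject]@{
            Sid          = $sid
            LocalPath    = $local
            RoamingPath  = $entry.CentralProfile
            State        = $entry.State
            LocalCheck   = Test-ProfileDir $local $sid
            RoamingOwner = Test-ProfileDir $entry.CentralProfile $sid -OwnerOnly
        }
    } | Format-List
```

Run it from an elevated prompt with read access to the profile share; a registry entry whose folder is reported as missing, or a roaming directory with an unexpected owner, is the kind of mismatch the logon checks described above are designed to catch.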


Reader Comments
This is a very good article on user profiles. Thanks for being so clear.

One correction I'd like to suggest is regarding the location of profiles. They are found in %SYSTEMDRIVE% folder, NOT in the %SYSTEMROOT% folder. Minor difference but it could through some people off who are not familiar with environment variables (which I've found to be fairly common).

Also, it would be very helpful if a future article could include troubleshooting as it relates to profiles. I'm amazed at the amount of time spent by experienced techs on "network" or "messaging" issues that are profile specific. It doesn't seem to occur to folks to test functionality with a different profile.

Thanks again.

JC Warren March 03, 2004


Yes, I agree with jc warren, excellent article. However, JC, I believe you meant to say "throw some people off" instead of "through some people off." That might throw a few readers off too.

jyates May 20, 2004


The slow logoff has been an issue in my company. We even went through an MS support issue and they were unable to help us. But I found a little-known utility. It's called UPHClean. I think this problem started after a Windows update but I am not sure. Either way MS wrote a little program that releases your profile and then tells you what was locking it.


http://support.microsoft.com/default.aspx?scid=kb;en-us;837115

Josh May 20, 2004


I do not agree with your description of super mandatory and mandatory. In a future article I would like to see this be clearer. I create mandatory profiles as per the normal mandatory but DO NOT see the users' favorites or My Documents get stored or saved. Just an FYI....

daniel gagnon July 07, 2004


"In Win2K or later, Windows compares the date stamps and timestamps of the files in the local and roaming profiles to determine which ones need to be written on logoff, then writes only those files."

What happens if you want to delete something from your local profile? Will that automatically delete it from your roaming profile? I am experiencing many users getting large profiles. One reason commonly seems to be due to there being recovered documents stored in documents and settings\application data\microsoft word.
Should I exclude this from the roaming profile as well? If so, I assume that I will need to manually go into each user's profile and delete the folder from the server to stop it being copied back down. Thanks

rfraser October 06, 2004


Really good article. Explains the workings of a profile very well.


Anonymous User October 14, 2004


Does use of mandatory profiles affect IE from installing client certificates on a local PC?

Anonymous User October 15, 2004


A breakdown of the files needed for a roaming profile to work would be a great addition. We know how they are set, where they are saved, but the bare minimum of what's really needed and why

Anonymous User November 23, 2004


Would like to see more about problems with profiles and how to fix them, but still a very good article.

Anonymous User November 30, 2004


Question: I deleted my main user profile that had all my documents in it. Is there a way to recover deleted user profiles? Thanks!

Anonymous User December 03, 2004

