PHWinfo - Afficher un message

03/09/2007, 01h46

The one thing that surprises me about this working is that when you create a
user's ntuser.dat (essentially the HKCU hive file), it contains registry
permissions such that only that particular user SID (and local
Administrators and localSystem) can write to the keys within that hive. So
simply copying ntuser.dat to the Default User profile should not work unless
every user that logs into that machine is a member of the local
Administrators group. This is why you normally have to use the Control
Panel, System user profile applet or a tool like moveuser.exe to copy a
profile. Because all of these tools re-permission the reg hive on copy. So,
I would not recommend this simple file copy approach unless you don't mind
requiring all of your users to be local admin (or something else is going on
that I don't know about).

Darren

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy

Script Group Policy Settings with the GPExpert Scripting Toolkit for
PowerShell!
Find out more at http://www.sdmsoftware.com/products2.php

Visit the GPOGUY: http://www.gpoguy.com -- The Windows Group Policy
Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatya hoo.com> wrote in message
news:eBp0LSb7HHA.4660@TK2MSFTNGP02.phx.gbl...
> Yobbo <info@NoSpamIt.com> wrote:
>> Hi All
>>
>> Just want to check if the following procedure is OK to do:
>>
>> 1) On a local XP Pro SP2 machine I create a 'User' user account so
>> that I have 1 x admin user account and 1 x 'user' user account.
>>
>> 2) I log into the 'User' account and config Desktop, Start Menu, etc
>> to the way I want it to look, eg Auto-Arrange, Classic Desktop, 15
>> screen saver, My Docs icon on Desktop, etc.
>>
>> 3) I log out of the 'User' account and log in as the admin.
>>
>> 4) I copy the NTUSER file from my 'User' account to the default user
>> account and also delete unnecessary shortcuts (eg Outlook Express)
>> from the default user account.
>>
>> I now have a user profile 'look' that will 'kick in' for each user
>> that logs onto this machine after I've added it to my Win2003
>> AD/Domain.
>>
>> I know I could probably get most of the things working this way
>> through GPO, but I could never figure out how to get the Auto-Arrange
>> feature and the 'show my own desktop wallpaper, but don't show active
>> desktop options in the folder views' method.
>>
>> Is the above procedure detrimental in anyway to my WinXP installation
>> or Win2003 AD setup?
>>
>> Thanks
>
> I do pretty much what you do - but I make it the default for any new
> domain
> user I create.
>
> I do this to tweak everything I cannot (easily) control via group policy.
> This includes power settings, Windows Explorer display settings, etc.
> Don't
> add a mail profile, or anything that will be unique to any domain user -
> keep it nice and generic.
>
> Once you're done with this 'template' profile, log out - then log in as a
> domain admin (or any account that has permissions to write to
> \\DCname\netlogon).
>
> In control panel | system, copy the 'template' user profile you created to
> \\DCname\netlogon\Default User (with the proper capitalization & the
> space). Set "Allowed to use" to "Everyone".
>
> Then your new *domain* users will have these settings.
>
> That said - a lot of what you are currently configuring in your user
> profile can be done/controlled by Group Policy - including Windows Classic
> & Classic Start Menu, screensaver settings, and most importantly, folder
> redirection of My Documents (and perhaps also Desktop & Application Data).
> Do whatever you can via group policy - it is easier to administer and
> customize.
>
>
>

03/09/2007, 01h46	#3
Darren Mar-Elia Messages: n/a Hébergeur:	Re: Should I be fiddling with ntuser file??? The one thing that surprises me about this working is that when you create a user's ntuser.dat (essentially the HKCU hive file), it contains registry permissions such that only that particular user SID (and local Administrators and localSystem) can write to the keys within that hive. So simply copying ntuser.dat to the Default User profile should not work unless every user that logs into that machine is a member of the local Administrators group. This is why you normally have to use the Control Panel, System user profile applet or a tool like moveuser.exe to copy a profile. Because all of these tools re-permission the reg hive on copy. So, I would not recommend this simple file copy approach unless you don't mind requiring all of your users to be local admin (or something else is going on that I don't know about). Darren -- Darren Mar-Elia MS-MVP-Windows Server--Group Policy Script Group Policy Settings with the GPExpert Scripting Toolkit for PowerShell! Find out more at http://www.sdmsoftware.com/products2.php Visit the GPOGUY: http://www.gpoguy.com -- The Windows Group Policy Information Hub: FAQs, Training Videos, Whitepapers and Utilities for all things Group Policy-related "Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmailatya hoo.com> wrote in message news:eBp0LSb7HHA.4660@TK2MSFTNGP02.phx.gbl... > Yobbo <info@NoSpamIt.com> wrote: >> Hi All >> >> Just want to check if the following procedure is OK to do: >> >> 1) On a local XP Pro SP2 machine I create a 'User' user account so >> that I have 1 x admin user account and 1 x 'user' user account. >> >> 2) I log into the 'User' account and config Desktop, Start Menu, etc >> to the way I want it to look, eg Auto-Arrange, Classic Desktop, 15 >> screen saver, My Docs icon on Desktop, etc. >> >> 3) I log out of the 'User' account and log in as the admin. >> >> 4) I copy the NTUSER file from my 'User' account to the default user >> account and also delete unnecessary shortcuts (eg Outlook Express) >> from the default user account. >> >> I now have a user profile 'look' that will 'kick in' for each user >> that logs onto this machine after I've added it to my Win2003 >> AD/Domain. >> >> I know I could probably get most of the things working this way >> through GPO, but I could never figure out how to get the Auto-Arrange >> feature and the 'show my own desktop wallpaper, but don't show active >> desktop options in the folder views' method. >> >> Is the above procedure detrimental in anyway to my WinXP installation >> or Win2003 AD setup? >> >> Thanks > > I do pretty much what you do - but I make it the default for any new > domain > user I create. > > I do this to tweak everything I cannot (easily) control via group policy. > This includes power settings, Windows Explorer display settings, etc. > Don't > add a mail profile, or anything that will be unique to any domain user - > keep it nice and generic. > > Once you're done with this 'template' profile, log out - then log in as a > domain admin (or any account that has permissions to write to > \\DCname\netlogon). > > In control panel \| system, copy the 'template' user profile you created to > \\DCname\netlogon\Default User (with the proper capitalization & the > space). Set "Allowed to use" to "Everyone". > > Then your new domain users will have these settings. > > That said - a lot of what you are currently configuring in your user > profile can be done/controlled by Group Policy - including Windows Classic > & Classic Start Menu, screensaver settings, and most importantly, folder > redirection of My Documents (and perhaps also Desktop & Application Data). > Do whatever you can via group policy - it is easier to administer and > customize. > > >