
Prevent Local Profile Creation


Viscereal

MIS
May 3, 2001
24
US
Hey all:

This might have been addressed in the forums already, but I cannot search and need the info ASAP.

Anyway, is there a method of preventing the creation of a local profile when the user logs on the computer for the first time? I would like to force the use of a roaming profile ONLY!

I have 3GB drives and I cannot go around to each PC and delete the users on the machine. I also do not have money for new and larger drives so please do not suggest that.

Thanks for any help you can provide
 
A roaming profile always creates a local profile.

When you log onto a profile that is roaming, it copies that profile to the computer that is being logged onto, and it runs from that computer. When you log off, it's copied back.

I don't know that you can avoid this, and I'm not sure that you'd want to. If you have all your clients with a roaming profile that doesn't copy, your network traffic is going to increase dramatically.




~Shmoes

I lay claim to nothing and everything. My words may be wisdom or disaster. In the end you make a choice. No one is perfect.
 
Have you tried using MANDATORY profiles instead of roaming?
That would do it.

PS: keep us posted, thanks
 
Are you on a domain? (with 3GB workstation drives?).

I don't think Breakerfall's approach on its own will make much difference - changes to mandatory profiles are not saved when you log out, but each user will still create its own local copy of mandatory profile (assuming a roaming mandatory profile).

On local machine, you could specify that each user uses the same profile (run lusrmgr.msc, profile tab of user properties). On domain, I suppose you could do the same (ie, specify a local profile location to either User Manager or AD - eg, c:\documents and settings\default), but I've never tried this.
 
wolluf,

It still copies the default profile for each user.

I think there is no way to do this as shmoes indicated.


 
All:

I will address each post successively.

Shmoes:
The network traffic is already there when it pulls the profile from the server and when it places it back on the server. I don't think the traffic will increase all that much.

Breakerfall:
Mandatory would most likely only create an identical copy of the "profile" locally.

Wolluf:
Yes in a domain. Yes 3GB drives... can you say 13th poorest school in our state??

Re: the mandatory... I think you are correct.
RE: the use same (copied) profile, it would still make the local copy, but it would look like the original or "copied" profile. I cannot use the same user as they are all held accountable for their actions on the system.

Bcastner:
I concur.

The question then is this:

Can I delete the profile after they log off? I mean heck, I have the roaming profile, it contains all the data so what if I delete the C:\documents and settings\*.* files?

Since I can't prevent it, why not just get rid of it after I've used it.

Other than the more specific of not having a local admin profile, but there has to be a method for deleting all but default and admin, right?

I thought I read about a reg hack sometime ago, but cannot remember.

Those are my thoughts on the subject. I will let you know more as I get it.

Thanks for all of you and your responses. Even though the original set of responses did not get us the result I'm looking for, it starts the dialogue and eventually, voilà... the answer.

Thanks

Viscereal
 
Viscereal,

You could run a job at end of each day (from the server), which does this (obviously machines would need to be left on until this had run) - or start of each day. Something like psexec (part of freeware pstools) would do this (can specify user name/password to the job, so it could have right access). Just a case of what to run (eg, could copy the Administrator, Default User and All Users profiles elsewhere, remove everything in Documents and Settings, copy them back, then remove the copies. Would need to check each stage had worked before doing the next. Or just have a list of rd /s for each user on the domain (bit unwieldy)).

Anyway - some ideas.
 
I was thinking along the same lines. Look at this utility:


I have used it before as a quick way to "reverse copy" if you will. I had a template directory structure and used XXCOPY in a regular batch file to remove everything on the target that did not match the template.

As another approach to this, I think you would find in a school setting that the machine could be set to autologin as a specified default user. Use the server side login script to prompt for a student name, set it as an environmental variable, and map shares from that variable. As far as the network is concerned there is only 1 regular logon at that machine in 99.9% of the cases. Then use group policies to prevent the installation of software or changes to the core of the profile.
 
Viscereal,

Yes, network bandwidth is used to pull the profile, and put it back... however it's not used DURING and does not keep open connections to files. So yes, you would have an increase in traffic while using.


Did a little bit of searching online, how about this!




~Shmoes

I lay claim to nothing and everything. My words may be wisdom or disaster. In the end you make a choice. No one is perfect.
 
Shmoes:

I tried the GPO locally.... It just created a smaller local profile. However, with this smaller profile, I can accommodate all of the students of the building and more.

The profile was reduced from ~5MB to under 4MB (~3.65MB)

With 1.0 GB left, I can get 250+ user profiles on the drive before it's full.

This is still not the ideal way of doing it, but I guess it will have to work for now.

Anyone out there have 90 drives they would like to donate????

Sorry for the shameful plug, but I have to ask!

Thanks All. If I get any additional information I will post it here. Thanks for helping out!
 
Viscereal, I have a Q:
what version of Win are you using?
in W/XP the default profile is only 1.16Mb
in W/2K is only 400k,

so I don't see why creating a mandatory roaming profile (you can even edit the profile and make it the smallest you can) and assigning that profile for the "users" group would not work. I understand that the User profile eventually gets copied to the machine anyway, but NOT all of the students will log on to ALL of the computers. And also, they can't make changes to the profile (e.g. storing files in the MY DOCUMENTS folder, Favorites, etc.) If they need to store personal information somewhere, then it's better to use "Home Folders".

KUP.
Thanks
 
ROGER THAT KUP!!!!!

I am running Win XP for next year, but have been testing a machine and the profile is consistently between 3 and 5 MB.

I will be using the Man Profile next year, as per the admin getting complaints about desktops. Thanks for the ideas keep 'em coming.

Viscereal
 
Ok, you are running XP for the clients, but what about the DC for the Domain, it's a W2k? If so, you can create two things:

•a group (put the users on the group)
•a group policy (on the domain or OU, whatever you are using) to enforce folder redirection for:

-Application Data
-Desktop
-My Documents
-Start Menu

or you could set up Home Folders, like I said in my other post. However, Home Folders only include the “My Documents” folder.

hope that helped a bit

kup,
tnx.



Breakerfall
®º°¨¨°º can you ping me now...GOOD! º°¨¨°º®
 

also, you could:

•create a new GPO at the domain level
•give it a name like "Remove Local Profiles"
•edit the policy that you just created and find this item:

Remove Local Profiles [myserver.mydomain.net]
╚-Computer Configuration
╚-Administrative Templates
╚-System
╚-Logon
•Delete Cached copies of roaming profiles


you must enable that policy to take effect.
the resulting behavior of doing so, is that the %username% folder will
be deleted from the C:\Documents and Settings folder when the user logs off.
The roaming profile gets copied back to the server with changes (if any)
prior to folder deletion.

remember, this is a computer policy, so you have to add the "domain Computers"
group in the security tab, on the properties menu of your "Remove Local Profiles" GPO
and give the Read and Apply permissions to the group.

Let me know if this worked,
I tried myself at home and works Great!

kup.
tnx




Breakerfall
®º°¨¨°º can you ping me now...GOOD! º°¨¨°º®
 
delprof (Microsoft tool) is what I use to remove these profiles. I run a script at server daily to remove profiles. Seems to work.

Some lead, some follow....I just Hope!
 
As BreakerFall has already pointed out ... what you need to do is delete the local copy of the profiles after the user logs out. Breakerfall has suggested using an AD policy editor but it can also be done with a quick registry tweak if you are not on AD. Here are the details:

System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Value Name: DeleteRoamingCache
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

You could deploy this with a simple .reg file. It works well ... we do this on all our public machines.
 
Please ignore the bad grammar in the last post ... proof reading is a lost art. I'm still searching for it.
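
The group policy and the registry value described in the posts above, as an added PowerShell example that is not part of the thread: it reports DeleteRoamingCache in both locations, sets the Winlogon value, and lists the profile folders still cached on disk so the effect can be checked after a logoff. The policy key path, the list of built-in folder names and the use of PowerShell 3 or later are assumptions, not details from the thread.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'             # assumed: where the GPO writes
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'  # key given in the post
$ValueName   = 'DeleteRoamingCache'

function Get-DeleteRoamingCache {
    # Returns the value found in each location; $null means "not set there".
    $result = [ordered]@{}
    foreach ($key in $PolicyKey, $WinlogonKey) {
        $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        $result[$key] = if ($item) { [int]$item.$ValueName } else { $null }
    }
    return $result
}

function Set-DeleteRoamingCache {
    # Same effect as the .reg file described in the post (1 = enabled).
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value 1 -Type DWord
}

function Get-CachedProfile {
    # Profile folders left on disk, largest first, skipping built-in ones.
    $root = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList').ProfilesDirectory
    $keep = 'Administrator', 'Default User', 'All Users', 'Default', 'Public'
    Get-ChildItem -LiteralPath $root -Directory -Force |
        Where-Object { $keep -notcontains $_.Name } |
        ForEach-Object {
            $bytes = (Get-ChildItem -LiteralPath $_.FullName -Recurse -Force -File -ErrorAction SilentlyContinue |
                      Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{ Profile = $_.Name; SizeMB = [math]::Round($bytes / 1MB, 2) }
        } | Sort-Object SizeMB -Descending
}

Get-DeleteRoamingCache   # before
Set-DeleteRoamingCache
Get-DeleteRoamingCache   # after
Get-CachedProfile        # run again after a roaming user logs off; their folder should be gone
```

Folders that remain after a logoff belong to accounts with local (non-roaming) profiles, or to profiles that could not be unloaded cleanly.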
 
Hi BNCASTNER

I am interested in your idea you had of (in a school setting that the machine could be set to autologin as a specified default user. Use the server side login script to prompt for a student name, set it as an environmental variable, and map shares from that variable)
How would you go about setting this up?
I use AD with folder redirection at the moment but this idea of yours sounds interesting.
Thanks John School tech

Some lead, some follow....I just Hope!
 
itsfisko,

Three steps are required:
• The Autologon Process
• The Mandatory Default User profile
• The Logon Scripting

1. The Autologon Process

This autologon involves the registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoAdminLogon (Reg_SZ) = 1
AutoLogonCount (Dword) = 2
DefaultDomainName (Reg_SZ) = <domain>
DefaultUserName (Reg_SZ) = <username>
DefaultPassword (Reg_SZ) = <password>

You could "push" a change through Group Policy, or:

1. At a command prompt, type "control userpasswords2" and press Enter to open the Windows 2000-style User Accounts application.
2. On the Users tab, clear the Users Must Enter A User Name And Password To Use This Computer check box and then click OK.
3. In the Automatically Log On dialog box that appears, type the user name and password for the account you want to be logged on each time you start your computer.

Or...

Control Panel/Administrative Tools/Local Security Settings/Minimum Password Length (0). User account/Remove Password.

I should note that for a small number of machines the Microsoft "PowerToy" Tweak UI handles this easily:

2. Set the Mandatory Profile

Since the workstation will logon and authenticate as a single user, you set the profile for that autologon user to Mandatory. The advantage is that any changes made to the profile are lost at logoff:


Which means that you need something that can enforce the logon/logoff between users to have this work well. To force this is an issue I will bring up later.

3. Scripting to set Environmental Paths

Both Group Policy and the Schedule Task Service offer the opportunity to implement a logon script. Since this logon script is not attempting authentication (the default autologon user is already authenticated) you will have to script to check that the username passed is valid and/or offer a default alternative.

The only issues are:
• Setting persistent environmental variables
• Mapping the user drive

To set persistent environmental variables in a script you need to use the Win2k resource kit tool SETX.EXE, available from MS without charge:

Your script would take the username and set an environmental variable (non-conflicting with system variables) such as %Student%.

Net use H: \\servername\sharename\%student%

The second concern is the mapping for each user. Windows will insist on its default Profile location for "My Documents". What you need to convince your users to do is as follows:

"If you save anything you want to see again, save them to your H: drive, or they will be lost and there is no way to recover them."

H: can be any drive you mapped above. I can conceive of ways to change the security principles of the default profile path with registry changes, but this is not a good path to follow. Usually the user makes the mistake once of saving to a non-persistent location. The information will not be "lost" just buried underneath everyone else's files who make the mistake.

You can with SETX change the %PROFILEPATH% value, but this is application specific as to whether it helps.

Bill Castner
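
The name check that step 3 of the post above calls for, as an added PowerShell logon-script example that is not part of the thread: it accepts a typed student name only if it is a plain folder name that already exists under the share, then sets the variable with SETX and maps H:. The share root placeholder, the fallback folder `guest`, the three-attempt limit and the allowed-character rule are assumptions.

```powershell
# Added example, not from the thread. Values below are placeholders/assumptions.
$ShareRoot = '\\servername\sharename'
$Fallback  = 'guest'

function Test-StudentName {
    param([string]$Name)
    # Letters, digits, dot, dash, underscore only: no separators, wildcards or
    # '..', so the typed value cannot change which folder gets mapped.
    return ($Name -match '^[A-Za-z0-9][A-Za-z0-9._-]{0,19}$') -and
           ($Name -notmatch '\.\.') -and ($Name -notmatch '\.$')
}

function Resolve-StudentFolder {
    param([string]$Name, [string]$Root = $ShareRoot)
    if (-not (Test-StudentName $Name)) { return $null }
    $path = Join-Path $Root $Name
    # Only map folders an administrator has already created for a student.
    if (Test-Path -LiteralPath $path -PathType Container) { return $path }
    return $null
}

$target = $null
for ($attempt = 1; $attempt -le 3 -and -not $target; $attempt++) {
    $typed  = (Read-Host 'Student name').Trim()
    $target = Resolve-StudentFolder $typed
    if (-not $target) { Write-Warning "Unknown student name (attempt $attempt of 3)." }
}
if (-not $target) {
    # The "default alternative" the post mentions.
    $typed  = $Fallback
    $target = Join-Path $ShareRoot $Fallback
}

# Persist for later processes (setx) and for this session, then map H:.
& setx.exe STUDENT $typed | Out-Null
$env:STUDENT = $typed
& net.exe use H: /delete /y 2>$null | Out-Null
& net.exe use H: $target /persistent:no
if ($LASTEXITCODE -ne 0) { Write-Warning "Could not map H: to $target" }
```

The prompt selects a folder and does not authenticate anyone: every student acts with the autologon account's rights on the share, so per-user accountability has to come from somewhere else. The autologon account's DefaultPassword is stored in clear text in the Winlogon key, so that account should hold no rights beyond the mandatory profile and the share.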
 