Deploy Default Userprofile for Personal Use

XP1 · 12-31-2008, 07:59 PM

Deploy Default Userprofile for Personal Use

I want to configure all of my home computers (about 5 computers) with the same settings so that all new users will have the same configurations to all programs installed the same way I configured with the "Computer Owner" base userprofile.

I have a problem with the last step on my list.

Here are my steps so far:

Steps:

Install Windows Vista SP1
Create a temporary userprofile called "Computer Owner" to create custom settings
Log in "Computer Owner" account
Install needed programs / software applications*
Run and configure installed programs
Enable "Administrator" account
Log off "Computer Owner" account
Log in "Administrator" account
Copy "Computer Owner" userprofile to C:\Users\Default userprofile
Set permissions to "Everyone"
Create new userprofile called "TestUser" to test
Some of the program settings fail because they still reference the "C:\Users\Computer Owner\..." setting (both in registry and in %AppData%)

How do I get around this problem?

I was thinking that I may need to create a script to replace all occurrences of "C:\Users\Computer Owner" to "C:\Users\USERNAME" in the registry and in %AppData% configuration files, so that when the new user TestUser logs on for the first time, the scripts run and they change all settings to fit TestUser.

Any thoughts from experienced deployment people?

*Here is my application installation list:

Code:

Installation Summary
Application Installation List:
Disc:
✔Microsoft Windows Vista
✔Acronis Disk Director Suite 10.0.0.2160
✔Acronis True Image Home 2009 12.0.0.9646
✔Microsoft Office 2007
✔Microsoft Student with Encarta Premium 2009 + Microsoft Math
✔Encyclopædia Britannica 2008 Ultimate Reference Suite
✔Adobe Creative Suite 4
✔ABBYY FineReader
USB Flash Drive:
Major:
✔Adobe Flash Player 10.0.12.36
✔Shockwave Player 11.0.3.470
✔Java Runtime Environment 1.6.0.11
✔Java Development Kit 1.6.0.11
✔Microsoft Visual C++ Redistributable Packages
✔Microsoft Save as PDF or XPS Add-in for Microsoft Office 2007
✔Windows Live Messenger 2009 + Messenger Plus! Live + Plug-ins
✔Skype 3.8.0.188
✔Ahead Nero 9
✔Roxio Creator 2009 Ultimate
✔Apple QuickTime 7.55.90.70 + iTunes 8.0.2.20
✔DAEMON Tools Lite 4.30.2 (x86) + SPTD 1.56
✔FinePrint 6.04 (x86)
✔WinRAR 3.80
✔UltraISO Premium Edition 9.3.2.2656
✔Opera 9.63 Build 10476
Minor:
✔HashTab 2.1.1
✔COCR2 1.0
✔Lavalys Everest Ultimate Edition 4.60.1500
✔My Function Keys 4.0.1
✔Lexar Image Rescue 3.0
✔VLC Media Player 0.9.8a
✔Audacity 1.2.6
✔Flickr Uploadr 3.1.1

Windows Update Installation List:
Updates / Hotfixes
Windows Search 4.0
✔Microsoft Silverlight 2

Steps:
✔Install License / Registration
✔Install Graphics Card Drivers
✔Install Audio Drivers
✔Install Fonts
✔Install Hosts File (Ad blocking)
✔Half-open Limit Patch Fix
✔Load Registry Entries
✔Change Administrator Avatar
✔Install Digital Clock Gadget
✔Change Menu & Explorer Settings
✔Disable Sticky Keys
✔Change Power Settings
✔Run & Configure all Programs
✔Uninstall Apple Software Update

**jcgriff2** · 12-31-2008, 10:14 PM

Hi -

Do you plan to have the same username on all 5 computers? I think 2 issues will be environment variables and ability (or not) to run apps/installs at elevated admin level.

Environment variables %temp% & %tmp% reserved for each user and contain install files, logs, other, etc... used to update some products. Elevated admin level or Trusted Installer/ NT AUTHORITY\SYSTEM used for driver updates and Window Updates.

Are these stand-alone systems or all connected to a server?

I grasp concept - but not the practicality here. I think this will turn into nightmare for you b/c of Vista security - SIDs in particular dealing w/ file permission settings - "Everyone" group or not.

Are all 5 computers identical hardware-wise?

May I ask the purpose for this?

Finally, there may be other forces at work - like WinSxS. I found this directory containing sample music on this Vista x64 Intel system -

Code:

C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.0.6000.16386_none_043c39ea6d9a42f6

I don't know its role, if any, but there are others like it.

Happy New Year!

Regards. . .

jcgriff2

.

XP1 · 12-31-2008, 10:31 PM

Quote:

Originally Posted by jcgriff2

Hi -

Do you plan to have the same username on all 5 computers?

Are all 5 computers identical hardware-wise?

Yes, I plan to have the same usernames on all computers. All computers are identical in hardware.

Quote:

Originally Posted by jcgriff2

Are these stand-alone systems or all connected to a server?

They are currently stand-alone systems. I can setup a server if I have to (I will probably anyway if I want to share files).

Quote:

Originally Posted by jcgriff2

May I ask the purpose for this?

I want all user accounts to have the same settings. If I don't do this, I will have to create the accounts I need then re-configure the settings for each account. Repeat this process for about 10 accounts per computer (10 * 5), so I will have to set configuration 50 times. I thought it would be easier if I had to configure a profile once and send it to each computer as the default profile.

Quote:

Originally Posted by jcgriff2

I think 2 issues will be environment variables and ability (or not) to run apps/installs at elevated admin level.

Environment variables %temp% & %tmp% reserved for each user and contain install files, logs, other, etc... used to update some products. Elevated admin level or Trusted Installer/ NT AUTHORITY\SYSTEM used for driver updates and Window Updates.

I grasp concept - but not the practicality here. I think this will turn into nightmare for you b/c of Vista security - SIDs in particular dealing w/ file permission settings - "Everyone" group or not.

Finally, there may be other forces at work - like WinSxS. I found this directory containing sample music on this Vista x64 Intel system -

Code:

C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.0.6000.16386_none_043c39ea6d9a42f6

I don't know its role, if any, but there are others like it.

Happy New Year!

Regards. . .

jcgriff2

.

I don't see other ways to do this. Are there any other easier ways to apply settings?

**jcgriff2** · 01-01-2009, 12:30 PM

I am still somewhat lost as to the purpose of all of this. Certainly you are computer savvy enough to know that 50 users will perform different functions or perform the same function/task in a different manner. Is all this dealing with file permission settings? Is this home or business environment?

Also what about those functions that require elevation for execution? Will all these users have elevated admin password (assuming one is set)? This alone could allow users to un-do what it is you are trying to accomplish here.

JC

.

XP1 · 01-01-2009, 11:43 PM

Quote:

Originally Posted by jcgriff2

I am still somewhat lost as to the purpose of all of this. Certainly you are computer savvy enough to know that 50 users will perform different functions or perform the same function/task in a different manner. Is all this dealing with file permission settings? Is this home or business environment?

Also what about those functions that require elevation for execution? Will all these users have elevated admin password (assuming one is set)? This alone could allow users to un-do what it is you are trying to accomplish here.

JC

.

When you say "dealing with file permission settings", what do you mean? I'm trying to deal with the "C:\Users\Computer Owner" reference found in newly created accounts.

I guess when you talk about file permission settings, you mean that I could set the "Computer Owner" directory for use for everyone, so when any user logs on, they will have the same shared Documents folder as everyone else? That's what I don't want. I want all accounts to have their own Documents folder and their own profile.

Maybe I should map a drive letter H:\ so that all userprofiles will be on H drive letter? That way I don't have to mess around with the "C:\Users\Computer Owner" reference for each account. All account profiles will be on H drive, and a script will launch every time a user logs on, mapping the H drive.

There won't be administrator-level access since the accounts will be standard or limited user. I want the user accounts to stay the same, and I don't want anyone to change computer settings. Sounds like a very locked-down home environment? Setting all administrator accounts is dangerous (I've dealt with that in the Windows XP days).

**jcgriff2** · 01-06-2009, 02:08 AM

Hi -

It may seem locked down, but you are of course free to do as you wish - they are your systems. I have no issues with that whatsoever.

I have been thinking and looking around at the many systems here to try and figure out how this will all work for you without causing you a coronary by spending hours on end at each system trying to keep them in sync. Each system may be identical hardware wise, but that does not mean they will all run identically the same. One system could have a corrupt file or install of ... say Java. What happens if a Java or other update comes in (or needs to come in) - will you be "summoned" to that particular system to do so?

Vista user accounts differ from XP user accounts - specifically the admin accounts. In XP, admin accounts had 2-user tokens; the Vista admin accounts that you create have 1 user token. Each Vista system must have at least one 1-user token admin account. The Vista hidden admin account (1 per system named "Administrator") is the only admin account with 2 user tokens. The 2nd user token is needed (by the 1 token admin accounts) whenever an elevated administrative process is performed. This is evident whenever the UAC prompt is invoked by an installing program, a program update, certain file downloads, etc... A 1 token admin account is required by Windows Updates for most security updates; the hidden admin account is restricted from certain Windows Update installations. Vista to date has had somewhere around 200 Windows Updates since its inception in January 2007.

If your main concern is one user obtaining access to another's user profile folders - documents, music, pictures, etc... it cannot be done with the 1-token admin account set up under Vista - assuming you have multiple 1-token admin accounts on each system. If you plan to have everyone use the same account on each system, I cannot think of a way around this outside of password protected files (encryption). The 2nd token (elevation) is required for that -- only the hidden admin account can view all user profile folders. If you set up two 1-token admin accounts on a Vista system - they cannot access each others user profile folders. Have you tested this? Utilizing the standard user (XP = limited) account may serve your needs.

As for elevation, you can set a password for the hidden admin on each system so that if the UAC is invoked by a process, the standard user accounts cannot get past the UAC screen without the password. So there is no chance they can bypass this security feature.

Vista, unlike XP, DOES NOT show the Administrative account on the safemode screen - unless it is activated. Even then, if password protected, one cannot get past it w/o the password.

A note of caution - if you set a password for the hidden admin and lose it/ forget it you will 99% of the time have to re-install Vista.

I have all my systems set up here with 1-token admin accounts and certain systems have the hidden admin password protected. None of the systems have standard (limited) user accounts, nor do any have the Guest accounts activated.

What type of "computer settings" are you speaking about that you do not want changed? Desktop wallpaper, installed programs, sounds, screen resolution, etc...

I will gladly look into this further and continue discussion, but outside of the "no access to others documents" I still don't exactly understand what it is you are trying to accomplish. I don't believe it possible to have identical stand-alone systems even with mapping. If others here care to comment - I welcome it as it can only stand to benefit you and allow me to understand your ultimate goal.

Regards. . .

jcgriff2

.

12-31-2008, 10:14 PM	#2 (permalink)
jcgriff2 Moderator, Microsoft Supp Join Date: Sep 2007 Location: The Great State of New Jersey - away from the gross corruption of the Riverside County, CA, SO office. SHAMEFUL ! Posts: 10,160 OS: Windows 7, Vista Ultimate My System	Re: Deploy Default Userprofile for Personal Use Hi - Do you plan to have the same username on all 5 computers? I think 2 issues will be environment variables and ability (or not) to run apps/installs at elevated admin level. Environment variables %temp% & %tmp% reserved for each user and contain install files, logs, other, etc... used to update some products. Elevated admin level or Trusted Installer/ NT AUTHORITY\SYSTEM used for driver updates and Window Updates. Are these stand-alone systems or all connected to a server? I grasp concept - but not the practicality here. I think this will turn into nightmare for you b/c of Vista security - SIDs in particular dealing w/ file permission settings - "Everyone" group or not. Are all 5 computers identical hardware-wise? May I ask the purpose for this? Finally, there may be other forces at work - like WinSxS. I found this directory containing sample music on this Vista x64 Intel system - Code: C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.0.6000.16386_none_043c39ea6d9a42f6 I don't know its role, if any, but there are others like it. Happy New Year! Regards. . . jcgriff2 . __________________ . . . . . . . . BSOD Posting Instructions B Expecting a reply and waiting > 36 hours ? Send a PM to me containing a link to your thread Glad to be home in the Great State of New Jersey ! !

01-01-2009, 12:30 PM	#4 (permalink)
jcgriff2 Moderator, Microsoft Supp Join Date: Sep 2007 Location: The Great State of New Jersey - away from the gross corruption of the Riverside County, CA, SO office. SHAMEFUL ! Posts: 10,160 OS: Windows 7, Vista Ultimate My System	Re: Deploy Default Userprofile for Personal Use I am still somewhat lost as to the purpose of all of this. Certainly you are computer savvy enough to know that 50 users will perform different functions or perform the same function/task in a different manner. Is all this dealing with file permission settings? Is this home or business environment? Also what about those functions that require elevation for execution? Will all these users have elevated admin password (assuming one is set)? This alone could allow users to un-do what it is you are trying to accomplish here. JC . __________________ . . . . . . . . BSOD Posting Instructions B Expecting a reply and waiting > 36 hours ? Send a PM to me containing a link to your thread Glad to be home in the Great State of New Jersey ! ! Last edited by jcgriff2; 01-01-2009 at 12:33 PM.

01-06-2009, 02:08 AM	#6 (permalink)
jcgriff2 Moderator, Microsoft Supp Join Date: Sep 2007 Location: The Great State of New Jersey - away from the gross corruption of the Riverside County, CA, SO office. SHAMEFUL ! Posts: 10,160 OS: Windows 7, Vista Ultimate My System	Re: Deploy Default Userprofile for Personal Use Hi - It may seem locked down, but you are of course free to do as you wish - they are your systems. I have no issues with that whatsoever. I have been thinking and looking around at the many systems here to try and figure out how this will all work for you without causing you a coronary by spending hours on end at each system trying to keep them in sync. Each system may be identical hardware wise, but that does not mean they will all run identically the same. One system could have a corrupt file or install of ... say Java. What happens if a Java or other update comes in (or needs to come in) - will you be "summoned" to that particular system to do so? Vista user accounts differ from XP user accounts - specifically the admin accounts. In XP, admin accounts had 2-user tokens; the Vista admin accounts that you create have 1 user token. Each Vista system must have at least one 1-user token admin account. The Vista hidden admin account (1 per system named "Administrator") is the only admin account with 2 user tokens. The 2nd user token is needed (by the 1 token admin accounts) whenever an elevated administrative process is performed. This is evident whenever the UAC prompt is invoked by an installing program, a program update, certain file downloads, etc... A 1 token admin account is required by Windows Updates for most security updates; the hidden admin account is restricted from certain Windows Update installations. Vista to date has had somewhere around 200 Windows Updates since its inception in January 2007. If your main concern is one user obtaining access to another's user profile folders - documents, music, pictures, etc... it cannot be done with the 1-token admin account set up under Vista - assuming you have multiple 1-token admin accounts on each system. If you plan to have everyone use the same account on each system, I cannot think of a way around this outside of password protected files (encryption). The 2nd token (elevation) is required for that -- only the hidden admin account can view all user profile folders. If you set up two 1-token admin accounts on a Vista system - they cannot access each others user profile folders. Have you tested this? Utilizing the standard user (XP = limited) account may serve your needs. As for elevation, you can set a password for the hidden admin on each system so that if the UAC is invoked by a process, the standard user accounts cannot get past the UAC screen without the password. So there is no chance they can bypass this security feature. Vista, unlike XP, DOES NOT show the Administrative account on the safemode screen - unless it is activated. Even then, if password protected, one cannot get past it w/o the password. A note of caution - if you set a password for the hidden admin and lose it/ forget it you will 99% of the time have to re-install Vista. I have all my systems set up here with 1-token admin accounts and certain systems have the hidden admin password protected. None of the systems have standard (limited) user accounts, nor do any have the Guest accounts activated. What type of "computer settings" are you speaking about that you do not want changed? Desktop wallpaper, installed programs, sounds, screen resolution, etc... I will gladly look into this further and continue discussion, but outside of the "no access to others documents" I still don't exactly understand what it is you are trying to accomplish. I don't believe it possible to have identical stand-alone systems even with mapping. If others here care to comment - I welcome it as it can only stand to benefit you and allow me to understand your ultimate goal. Regards. . . jcgriff2 . __________________ . . . . . . . . BSOD Posting Instructions B Expecting a reply and waiting > 36 hours ? Send a PM to me containing a link to your thread Glad to be home in the Great State of New Jersey ! !