Foundation Topics
Migrating Users and Their Profiles
Windows 8.1 provides two tools that assist you in migrating users from old computers to new ones. Windows Easy Transfer is a wizard-based tool that replaces the Files and Settings Transfer Wizard used in Windows XP; it is designed to facilitate the migration of one user or a small number of users, including their data and profiles. If you have a large number of users to migrate in a corporate environment, the User State Migration Tool (USMT) 5.0 is designed for this purpose. Running it from the command line, you can customize USMT to suit the needs of your migration requirements.
User State Migration Tool
Intuitively, you might first think that migrating a large number of users to new Windows 8.1 computers could be as simple as using the xcopy command or a tool such as Robocopy to move files from their old computers to a network share, and then moving them back to the new computers at a later time. However, users like to store data on various locations on their local hard drives; they have customized application settings and specific files (such as Microsoft Outlook PST files) that might be hard to locate after such a move is finished. Users also like to set up individual desktop preferences, such as wallpapers and screen savers. Using USMT enables you to move all these items and more in a seamless manner to their appropriate locations on the new computer so that the users can resume working on this computer with minimal delay.
You can use USMT 5.0 to quickly and easily transfer any number of user files and settings as a part of operating system deployment or computer replacement. This tool is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1. It includes migration of the following items:
- Local user accounts.
- Personalized settings from these accounts, such as desktop backgrounds, sounds, screen savers, mouse pointer settings, Internet Explorer settings, and email settings including signature files and contact lists.
- Personal files belonging to these accounts including user profiles, the Desktop folder, the My Documents folder, and any other folder locations users might have utilized. USMT 5.0 includes the capability to capture files even when they are in use, by means of Volume Shadow Copy technology.
- Operating system and application settings, including the Applications folder within Program Files, user profile folders, or storage folders on the local disk defined within specific application settings.
- Information contained in previous Windows installations and included in Windows.old folders.
This tool reduces the costs of operating system deployment by addressing the following items:
- Technician time associated with migration
- Employee learning and familiarization time on the new operating system
- Employee downtime and help desk calls related to repersonalizing the desktop
- Employee downtime locating missing files
- Employee satisfaction with the migration experience
USMT consists of three executable files, ScanState.exe, LoadState.exe, and UsmtUtils.exe, and three migration rule files, MigApp.xml, MigUser.xml, and MigDocs.xml. You can modify these migration rules files as necessary. They contain the following settings:
- MigApp.xml: Rules for migrating application settings
- MigDocs.xml: Rules that locate user documents automatically without the need to create custom migration files
- MigUser.xml: Rules for migrating user profiles and user data
You can also create customized .xml files according to your migration requirements, as well as a Config.xml file that specifies files and settings to be excluded from migration (such as a user’s large folder full of images and music). ScanState.exe collects user information from the old (source) computer based on settings contained in the various .xml files, and LoadState.exe places this information on a newly installed Windows 8.1 (destination) computer. The source computer can be running Windows XP, Vista, 7, 8, or 8.1.
New to USMT 5.0 is the Usmtutils.exe tool, which provides the following capabilities:
- Improved capability to determine cryptographic options for your migration
- Removal of hard-link stores that cannot otherwise be deleted due to a sharing lock
- Determination of corruption in any files in the compressed migration store
- Extraction of files from the compressed migration store when migrating data to the destination computer
Using the USMT involves running ScanState.exe at the source computer to collect the user state data to be migrated and transferring it to a shared folder on a server. Then you must run LoadState.exe on the destination computer to load the user state data there, as shown in Figure 3-1. Microsoft refers to the server used for this purpose as the technician computer. When migrating multiple users, you can create a script to automate this process.
Figure 3-1 To use USMT, run ScanState.exe at the source computer to transfer the files to a shared folder on a server and then run LoadState.exe at the destination computer to load the data there.
Preparing the Server to Run USMT
You need to create and share the appropriate folders on the technician computer before running USMT. This procedure requires the Windows ADK for Windows 8.1, which you can download as an .iso file from http://www.microsoft.com/en-US/download/details.aspx?id=39982 and burn to a blank DVD. Use the following procedure:
- Step 1. Create and share a folder named USMT on the technician computer. The migrating user should have Read permission to this folder, and the local administrator on the destination computer should have at least Modify permission to this folder. Ensure that this folder has enough storage space available to meet the needs of all computers to be migrated.
- Step 2. Create and share a folder named MigStore on the technician computer. Both the migrating user and the local administrator on the destination computer should have at least Modify permission to this folder.
- Step 3. In the USMT folder, create two subfolders named Scan and Load.
- Step 4. Insert the Windows ADK disc and follow the instructions in the Setup program that automatically starts to install Windows ADK.
- Step 5. Copy all files from the C:\Program Files (x86)\Windows Kits\8.1 folder created during the Windows ADK installation to the USMT shared folder. For example, use the following syntax:
xcopy "C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\User State Migration Tool\x86" \\server\share\USMT
- Step 6. Make any required modifications to the .xml files included in this folder, or create any additional .xml files as needed.
Collecting Files from the Source Computer
After you have created and shared the appropriate files on the technician computer, including the USMT folder and its contents, you are ready to scan the source computer and collect information to be exported to the new computer. Use the following procedure:
- Step 1. Log on to the source computer with an account that has administrative privileges. This user should have permissions to the shares on the server as described in the previous procedure.
- Step 2. Map a drive to the USMT share on the server.
- Step 3. Open a command prompt and set its path to the Scan folder on the mapped USMT share.
- Step 4. To run ScanState, type the following command:
scanstate \\servername\migration\mystore /config:config.xml /i:miguser.xml /i:migapp.xml /v:13 /l:scan.log
In this command:
- /i: is the include parameter, which specifies an XML file that defines the user, application, or system state that is being migrated.
- /config: specifies the config.xml file used by scanstate.exe to create the store.
- servername is the name of the server on which you installed the Windows ADK tools.
- /l: is a parameter that specifies the location of Scan.log, which is the name of a log file that will be created in the USMT share and will hold any error information from problems that might arise during the migration. If any problems occur, check the contents of this file.
- The /v:13 parameter specifies verbose, status, and debugger output to the log file.
Loading Collected Files on the Destination Computer
Before loading files to the destination computer, you should install Windows 8.1 and all required applications on this computer. However, do not create a local user account for the migrating user (this account is created automatically when you run LoadState ). Join the computer to the domain if in a domain environment. Then perform the following procedure:
- Step 1. Log on to the destination computer as the local administrator (not the migrating account).
- Step 2. Map a drive to the USMT share on the server.
- Step 3. Open an administrative command prompt and set its path to the Load folder on the mapped USMT share.
- Step 4. To run LoadState, type the following command. (The set of .xml files should be the same as used when running ScanState.)
loadstate \\servername\migration\mystore /config:config.xml /i:miguser.xml /i:migapp.xml /lac /lae /v:13 /l:load.log
- Step 5. Log off and log on as the migrating user and verify that all required files and settings have been transferred.
In this command, /lac and /lae specify that local accounts from the source computer will be created and enabled on the destination computer. The other parameters are the same as defined previously for the ScanState tool. Note that passwords are not migrated (they are blank by default).
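A check for the two risks the commands above carry, a store written to a network share unencrypted and the enabled blank-password accounts that /lac /lae create, as an added Python example (not part of the original chapter or of USMT). It assumes the ScanState/LoadState options /encrypt, /decrypt, /key, /keyfile and /lac:<password>, which this section does not cover; the key file path is hypothetical.

```python
import re

# Constructed input: the two commands as this section gives them.
PAGE_COMMANDS = r"""
scanstate \\servername\migration\mystore /config:config.xml /i:miguser.xml /i:migapp.xml /v:13 /l:scan.log
loadstate \\servername\migration\mystore /config:config.xml /i:miguser.xml /i:migapp.xml /lac /lae /v:13 /l:load.log
"""

# Constructed input: the same migration with an encrypted store and accounts
# left disabled until a password is set. The key file path is hypothetical.
HARDENED_COMMANDS = r"""
scanstate \\servername\migration\mystore /config:config.xml /i:miguser.xml /i:migapp.xml /encrypt /keyfile:C:\keys\usmt.key /v:13 /l:scan.log
loadstate \\servername\migration\mystore /config:config.xml /i:miguser.xml /i:migapp.xml /decrypt /keyfile:C:\keys\usmt.key /lac /v:13 /l:load.log
"""

EXPLANATIONS = {
    "STORE_UNENCRYPTED": "ScanState writes the store to a network share without /encrypt",
    "BLANK_PASSWORD_ENABLED": "/lac with no password plus /lae creates enabled accounts with blank passwords",
    "PASSWORD_IN_COMMAND": "/lac:<password> leaves one shared password in clear text in the script",
    "KEY_IN_COMMAND": "/key:<string> leaves the store key in clear text; /keyfile keeps it out of the script",
}

# A token is a run of non-space characters in which quoted parts may contain spaces.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def parse_usmt(line):
    """Return (tool, store_path, {option: [values]}) or None if not a USMT command."""
    tokens = _TOKEN.findall(line)
    if not tokens:
        return None
    tool = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if tool.endswith(".exe"):
        tool = tool[:-4]
    if tool not in ("scanstate", "loadstate"):
        return None
    store, opts = None, {}
    for tok in tokens[1:]:
        if tok.startswith("/"):
            # Split at the first colon only, so values such as c:\path stay whole.
            name, _, value = tok[1:].partition(":")
            opts.setdefault(name.lower(), []).append(value.strip('"'))
        elif store is None:
            store = tok.strip('"')  # first bare argument is the store path
    return tool, store, opts


def audit_line(line):
    """Return the finding codes for one command line."""
    parsed = parse_usmt(line)
    if parsed is None:
        return []
    tool, store, opts = parsed
    findings = []
    on_share = bool(store) and store.startswith("\\\\")  # UNC path
    if tool == "scanstate" and on_share and "encrypt" not in opts:
        findings.append("STORE_UNENCRYPTED")
    if tool == "loadstate" and "lac" in opts:
        password = opts["lac"][0]
        if password:
            findings.append("PASSWORD_IN_COMMAND")
        elif "lae" in opts:
            findings.append("BLANK_PASSWORD_ENABLED")
    if "key" in opts:
        findings.append("KEY_IN_COMMAND")
    return findings


def audit_script(text):
    """Audit every line of a script; return (line_number, tool, code) tuples."""
    results = []
    for number, line in enumerate(text.strip().splitlines(), start=1):
        parsed = parse_usmt(line)
        for code in audit_line(line):
            results.append((number, parsed[0], code))
    return results


if __name__ == "__main__":
    for number, tool, code in audit_script(PAGE_COMMANDS):
        print(f"line {number} ({tool}): {code}: {EXPLANATIONS[code]}")
```
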
Using the User State Migration Tool
As already discussed, USMT 5.0 is designed for use when large numbers of users must be migrated from older computers to new computers running Windows 8.1. You can also use this tool when you have upgraded these computers from Windows Vista/7 to Windows 8.1. After performing the upgrade, you can use a USB drive to hold the required commands for migrating user data from the Windows.old folder. Use the following procedure:
- Step 1. Download and install the Windows ADK as discussed earlier in this chapter.
- Step 2. Prepare an external USB drive by creating a USMT folder in the root directory. This folder should have x86 and amd64 subfolders for migrating 32-bit and 64-bit installations, respectively.
- Step 3. Copy the Program Files\Windows ADK\Tools\USMT folder from the computer on which you installed Windows ADK to the USMT folder in the USB drive.
- Step 4. Use Notepad to create a batch file for x86 file migrations. Microsoft suggests the following batch file:
@ECHO OFF
If exist D:\USMT\*.* xcopy D:\USMT\*.* /e /v /y C:\Windows\USMT
If exist E:\USMT\*.* xcopy E:\USMT\*.* /e /v /y C:\Windows\USMT
If exist F:\USMT\*.* xcopy F:\USMT\*.* /e /v /y C:\Windows\USMT
If exist G:\USMT\*.* xcopy G:\USMT\*.* /e /v /y C:\Windows\USMT
If exist H:\USMT\*.* xcopy H:\USMT\*.* /e /v /y C:\Windows\USMT
If exist I:\USMT\*.* xcopy I:\USMT\*.* /e /v /y C:\Windows\USMT
If exist J:\USMT\*.* xcopy J:\USMT\*.* /e /v /y C:\Windows\USMT
If exist K:\USMT\*.* xcopy K:\USMT\*.* /e /v /y C:\Windows\USMT
Cd c:\windows\usmt\x86
ScanState.exe c:\store /v:5 /o /c /hardlink /nocompress /efs:hardlink /i:MigApp.xml /i:MigDocs.xml /offlineWinOld:c:\windows.old\windows
LoadState.exe c:\store /v:5 /c /lac /lae /i:migapp.xml /i:migdocs.xml /sf /hardlink /nocompress
:EOF
- Step 5. Save this file to the USB drive as Migrate.bat.
- Step 6. Log on to the computer that has been upgraded using an administrative account.
- Step 7. Insert the USB drive and copy the Migrate.bat file to the desktop.
- Step 8. Right-click this file and choose Run as administrator. If you receive a User Account Control (UAC) prompt, click Yes.
- Step 9. When the batch file finishes, access the C:\Users folder and confirm that all user files have been migrated to the appropriate file libraries.
This batch file locates USMT files and copies them to the C:\Windows folder so that the ScanState.exe command can create a hard-link migration store at C:\Store from the Windows.old folder. This hard-link migration process creates a catalog of hard links to files that are to be migrated. The LoadState.exe command then remaps the catalog of hard links to their appropriate locations in the Windows 8.1 installation. For AMD 64-bit machines, modify the batch file by changing the x86 subfolder references to amd64.
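The hard-link store described above, modelled as an added Python example (a simplified illustration, not USMT's implementation; folder and file names are constructed). It shows that no data is copied, that the store is not an independent backup because an edit made through one name is visible through every other, and that the files survive removal of Windows.old and the store.

```python
import os
import shutil
import tempfile


def build_hardlink_store(old_root, store_root):
    """ScanState step of the model: catalog each file as a hard link in the store."""
    catalog = {}
    for dirpath, _dirs, files in os.walk(old_root):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, old_root)
            dst = os.path.join(store_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            os.link(src, dst)  # a second name for the same file, no bytes copied
            catalog[rel] = dst
    return catalog


def load_from_store(catalog, new_root):
    """LoadState step of the model: remap each cataloged link into the new profile tree."""
    restored = {}
    for rel, stored in catalog.items():
        dst = os.path.join(new_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        os.link(stored, dst)
        restored[rel] = dst
    return restored


def demo():
    # One temporary directory stands in for the volume: hard links cannot
    # cross volumes, which is why the store sits beside Windows.old.
    with tempfile.TemporaryDirectory() as volume:
        old_root = os.path.join(volume, "Windows.old", "Users")
        store_root = os.path.join(volume, "store")
        new_root = os.path.join(volume, "Users")
        rel = os.path.join("peter", "Documents", "plan.txt")
        old_doc = os.path.join(old_root, rel)
        os.makedirs(os.path.dirname(old_doc))
        with open(old_doc, "w") as fh:
            fh.write("q3 plan")

        catalog = build_hardlink_store(old_root, store_root)
        restored = load_from_store(catalog, new_root)
        new_doc = restored[rel]

        result = {
            "same_file": os.path.samefile(old_doc, new_doc),
            "links": os.stat(new_doc).st_nlink,  # old name, store name, new name
        }

        # An in-place edit through the new name changes what the store "holds".
        with open(new_doc, "a") as fh:
            fh.write(" (edited)")
        with open(catalog[rel]) as fh:
            result["store_sees_edit"] = fh.read() == "q3 plan (edited)"

        # Cleanup after migration: the data stays reachable through the new name.
        shutil.rmtree(os.path.join(volume, "Windows.old"))
        shutil.rmtree(store_root)
        with open(new_doc) as fh:
            result["content_after_cleanup"] = fh.read()
        result["links_after_cleanup"] = os.stat(new_doc).st_nlink
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
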
Windows Easy Transfer
Windows Easy Transfer enables you to transfer files and settings from an old computer to a new one across a network or by means of an external hard drive, a USB flash drive, or the Easy Transfer cable. You can purchase the Easy Transfer cable from a computer store or on the Web. This cable uses USB to link the two computers and transfers data at about 20 GB/hour.
Windows Easy Transfer includes a wizard that helps you transfer your files, folders, and settings to a new computer or to a clean installation of Windows 8.1 on an existing computer, by collecting them at the old (source) computer and then transferring them to a new computer running Windows 8.1 (called the destination computer). This is the simplest method when only a few computers are affected or when users are individually responsible for migrating the user states on their own computers.
Using Windows Easy Transfer to Collect Files at the Source Computer
You can use the following procedure to collect files from any computer running Windows 7, Windows 8, or Windows 8.1. The steps shown here are as they occur for a USB drive on a computer running Windows 7; they are somewhat different if you are using the Windows Easy Transfer Cable or a network connection. Note that Windows Easy Transfer in Windows 8.1 no longer supports the transfer of data from a computer running Windows XP or Vista.
- Step 1. On a Windows 7 computer, click Start > Run, type migwiz, and press Enter. On a Windows 8/8.1 computer, access the Search charm, type migwiz, and select Windows Easy Transfer from the list that appears. If you receive a UAC prompt, click Yes. This starts the Windows Easy Transfer Wizard, as shown in Figure 3-2.
Figure 3-2 Windows Easy Transfer presents a wizard that facilitates transferring files from an old computer running Windows XP or later.
- Step 2. Click Next. The wizard provides the three choices shown in Figure 3-3 for storing the collected data. Click the desired choice.
Figure 3-3 Windows Easy Transfer provides three choices for storing the collected data.
- Step 3. On the next page, confirm that you are at the old computer (if you are transferring from a Windows 7 or 8 computer to a Windows 8.1 computer or from a Windows 8.1 computer to another one, this screen asks if this is the old computer or the new one).
- Step 4. The wizard displays the page shown in Figure 3-4 as it collects data from this computer. This process takes several minutes or even longer, depending on the amount of data to be transferred. When it is done, click Next.
Figure 3-4 Windows Easy Transfer collects data from the user accounts stored on the old computer.
- Step 5. On the Choose what you can transfer page, clear the check boxes for any users whose data you do not want to transfer. To modify the types of files and settings to be transferred for any user, click Customize and then clear the check boxes for any file types you do not want to transfer. When finished, click Next.
- Step 6. On the Save your files and settings for transfer page (see Figure 3-5), type and confirm a password that you will need to enter later at your new computer. Then click Save and confirm the filename provided, or enter a new one and click Save again.
Figure 3-5 You should specify a password for the transfer to take place.
- Step 7. The save process takes several minutes or longer, depending on the amount of data to be transferred. When informed that the files have been saved, click Next.
- Step 8. Click Next again and then click Close to finish the wizard.
Using Windows Easy Transfer to Save Files at the Destination Computer
After you have installed Windows 8.1 plus any required applications on the destination computer, you can save the collected files by performing the following procedure:
- Step 1. At the destination computer, connect the USB drive and double-click the file containing the migrated information.
- Step 2. Windows Easy Transfer starts and displays the page shown in Figure 3-6 asking you for the password you specified when you collected your files. Type this password and then click Next.
Figure 3-6 Type the password you specified at the old computer.
- Step 3. On the Choose what to transfer to this PC page shown in Figure 3-7, deselect any users whose files and settings you do not want to transfer. If you want to map your user account to a different account on the new computer, or select a drive on the new computer to which you want to transfer files, click Advanced options and make the appropriate choices.
Figure 3-7 Windows Easy Transfer enables you to choose what is transferred to the new computer.
- Step 4. To begin the transfer, click Transfer.
- Step 5. The wizard transfers the files and, when finished, displays a Your files have been transferred message. Click Close.
Configuring Folder Redirection
Microsoft includes the technologies of folder redirection and offline files for redirection of the paths of local folders to a network location while caching their contents locally for increased speed and availability. In this section, we take a look at folder redirection. Offline files are covered in Chapter 15, “Configuring and Securing Mobile Devices.” Using folder redirection, you can redirect the path of a known folder to a local or network location either manually or by using Group Policy. The process is transparent to the user, who works with data in the folder as if it were located in its default place.
Benefits of Folder Redirection
Users and administrators benefit from using folder redirection in the following ways:
- Users’ documents are always accessible to them, regardless of which computer they log on to.
- When roaming user profiles are used, only the network path to a folder such as the Documents folder is actually part of the profile. This eliminates the need for copying the contents of this folder back and forth at each logon and logoff, thereby speeding up the logon/logoff process.
- You can configure the Offline File technology so that users’ files are always available to them even when they are not connected to the network. Their files are automatically cached and are in the same logical location (for example, the U: drive) on the laptop as they are when they are connected to the network, facilitating their working on the files when they are away from the office.
- It is easy to back up all users’ files from a central server without interaction by the user. The administrator or backup operator can accomplish this task as part of the routine backup task.
- Administrators can use Group Policy to configure disk quotas, thereby controlling and monitoring the amount of disk space taken up by users’ folders. We discuss disk quotas in Chapter 11, “Configuring and Securing Access to Files and Folders.”
- You can standardize users’ working environments by redirecting the Desktop folder to a common shared location. This standardization can help with remote support problems because the support staff will know the desktop layout of the users’ computers.
Redirecting Library Folders
First introduced with Windows 7 and continued in Windows 8.1 is the concept of virtualized folders. In Windows 8.1, a library is a set of virtual folders that is shared by default with other users of the computer. By default, Windows 8.1 includes four libraries (Documents, Pictures, Music, and Videos), which you can access from the Start menu, or from the task list on the left side of any File Explorer window. From the taskbar, click the folder icon to view the libraries on your computer, as shown in Figure 3-8. You can also see them when you open a File Explorer window and navigate to C:\Users\Public. The subfolders you see here are actually pointers to the folder locations on the computer. You can also think of them as the results of search queries. From the Libraries folder, you can create a new library by clicking New library in the toolbar and providing a name for your new library.
Right-click any library and choose Properties to view its contents. You will notice that each library contains a user-based subfolder, located by default at C:\Users\%username%. You can add additional folders by clicking the Add button shown in Figure 3-9 and navigating to the desired folder in the Include Folder in Documents dialog box, as shown in Figure 3-10; this can even include shared folders located on other computers on the network. You can also add folders to a library from any File Explorer window by selecting the folder and clicking the Add to Library option in the Explorer toolbar.
Figure 3-8 Windows 8.1 creates these four default libraries.
Figure 3-9 Each library by default contains a user subfolder.
Figure 3-10 Adding a folder to the Documents library.
The library’s Properties dialog box also enables you to add folders and configure several additional properties. The check mark shown in Figure 3-9 indicates the default save location used by programs such as Microsoft Office; to change this location, select the desired location and click the Set save location command button. To change the location of public saved documents, select the appropriate folder and click the Set public save location button. To remove a folder from the library, select it and click Remove. To remove all added folders from the library and reset it to its default settings, click the Restore Defaults button.
Implementing Domain-Based Folder Redirection
Implementation of folder redirection requires an Active Directory Domain Services (AD DS) domain and a server running Windows Server 2012 R2. You can also use a server running an older version of Windows Server, but some functionality might not be available. Use the following procedure to implement a Group Policy Object (GPO) that enables folder redirection in an AD DS domain or organizational unit (OU):
- Step 1. Open Server Manager on a computer with the Group Policy Management console installed.
- Step 2. Click Tools > Group Policy Management to display the Group Policy Management Console.
- Step 3. Right-click the domain or OU where you want to configure Folder Redirection and choose Create a GPO in this domain, and Link it here.
- Step 4. In the New GPO dialog box, type a name for the GPO and then click OK.
- Step 5. Right-click this GPO and choose Edit to open the Group Policy Management Editor console.
- Step 6. Navigate to User Configuration\Policies\Windows Settings\Folder Redirection. You receive the options shown in Figure 3-11.
Figure 3-11 Implementing folder redirection in Windows Server 2012 R2.
- Step 7. Right-click the folder to be redirected from the details pane in Figure 3-11 and choose Properties. This action displays the Properties dialog box for the selected folder, as shown in Figure 3-12.
Figure 3-12 You have three choices for implementing folder redirection in Windows Server 2012 R2.
- Step 8. Under Setting, select from the following choices:
  - Basic–Redirect everyone’s folder to the same location: This option redirects all folders to this location.
  - Advanced–Specify locations for various user groups: This option redirects folders to different locations depending on the users’ security group memberships. The bottom part of the dialog box changes so that you can specify a universal naming convention (UNC) path for each security group.
  - Not configured: Folder redirection is not applied.
- Step 9. Choose an option from those shown in Figure 3-13 and described here. To create a folder for each user, choose Create a folder for each user under the root path. Type or browse to the desired path (in general, you will want to use a UNC path such as \\server1\documents), and then click OK or Apply.
  - Redirect to the user’s home directory: This option redirects users’ folders to the home directory as specified in the user account’s Properties dialog box in the Active Directory Administrative Center. This option works only for client computers running Windows XP Professional, Windows Server 2003, or later, and is available only for the Documents folder.
  - Create a folder for each user under the root path: This option enables you to specify a root path in the form of a UNC path to a shared location. A subfolder is automatically created for each user in this location, and the folder path appears at the bottom of the dialog box.
  - Redirect to the following location: This option enables you to specify a UNC path to the specific folder for each user. The username is automatically appended to the path you provided to create a unique folder name.
  - Redirect to the local userprofile location: This option redirects users’ folders to the local user profile location specified in the user account’s Properties dialog boxes in Active Directory Administrative Center. This option is useful for returning redirected folders to their original default location.
Figure 3-13 Specifying a location for folder redirection.
- Step 10. You receive the message box shown in Figure 3-14 regarding Group Policy settings in Windows Server 2003 or older operating systems. Click Yes to accept this message and implement folder redirection.
Figure 3-14 You receive this warning message about older Group Policy settings.
- Step 11. You are returned to the Group Policy Management Console. Ensure that the GPO you created displays a GPO status of Enabled and that the Link Enabled column reads Yes.
Configuring Profiles
When a user logs on to a Windows 8.1 computer, the operating system generates a user profile. This profile is composed of desktop settings, files, application data, and the specific environment established by the user. For example, a user named Peter logs on to Windows 8.1, changes his desktop wallpaper to a picture of his dog, edits the user information in Microsoft Word, configures a dial-up connection to his Internet service provider (ISP), and adjusts the mouse so that it is easier to double-click. When Sharon logs on to the same computer using her own account, she sees the default settings for Windows 8.1, not Peter’s settings. When Peter logs on next, Windows finds Peter’s existing profile and loads his settings—the wallpaper, the Word data, the dial-up connection, and the mouse click settings.
Windows 8.1 provides the following profile versions:
- Local: A profile that is available only on the computer and for the user for which it is configured.
- Roaming: A profile that has been placed on a server so that it is available to a given user no matter which computer she is logged on to. A user is free to make changes to this profile version at any time.
- Mandatory: A profile that has been placed on a server but is configured as read-only, such that the user is unable to make any changes to it.
In addition to these profile types, it is possible to set up a temporary profile, which is loaded by default if the user is unable to load her normal profile.
When Windows 8.1 is connected to a Windows network, you can configure a user profile to roam the network with the user. Because the profile is stored in a sub-folder in the Users folder on the %systemdrive% volume, you can configure the profile to be placed on a network drive rather than a local hard disk, thereby making it accessible to the user regardless of which computer she is using.
User profiles allow users to customize their own settings without impairing another user’s configuration. User profiles were developed in response to organizations that routinely provided shared desktop computers. In cases where a user absolutely requires certain settings to use the computer comfortably, having to share a computer with another person who then removes the needed configuration can be frustrating; plus it causes a loss of productivity. Another advantage to user profiles is that, when used in conjunction with network storage of data, the desktop computer is easily replaceable; users can use any computer on the network without having to perform extra tasks to customize the computer to suit their needs.
To use profiles, each user must have a separate user account. The user account can be a domain account or a local account. There are four different types of profiles, which are detailed in Table 3-2.
Table 3-2 Profile Types
| Profile | Created For | How It Works |
| --- | --- | --- |
| Local | Every user at first logon | When the user logs on to a computer, whether or not it is connected to a network, a local profile is created and saved in the local Users folder for that user. All changes are saved when the user logs off. |
| Roaming | Users who log on to different computers on the network | The profile is stored on a server. When a user logs on to a network computer, the profile is copied locally to the computer. When the user logs off the network, changes to the profile are copied back to the server. |
| Mandatory | Administrative enforcement of settings (this is applied to user accounts that are shared by two or more users) | The profile is stored on a server. When a user logs on to a network computer, the profile is copied locally to the computer. No changes are saved when the user logs off the server. Only an administrator can make changes to the profile. |
| Temporary | Users who were unable to load their profile | When an error condition exists that prevents a user from loading his normal profile, a temporary profile is loaded. When the user logs off, all changes are deleted. |
User profiles consist of a registry hive that incorporates the data typically found in NTuser.dat, saved as a file that is mapped to the HKEY_CURRENT_USER Registry node, and a set of profile folders.
You can change the location that Windows looks for a user’s profile. When you do so, you must be logged on to the computer as a member of the Administrators group. Use the following procedure:
- Step 1. Right-click Start and choose Computer Management.
- Step 2. Expand the Local Users and Groups folder and select Users. Information about all users configured on the computer appears in the details pane, as shown in Figure 3-15.
Figure 3-15 Profile information can be found in the Computer Management console.
- Step 3. Right-click a user account and select Properties from the shortcut menu.
- Step 4. Click the Profile tab.
- Step 5. Type the location of the profile in the Profile Path text box. For example, type the UNC path as shown in Figure 3-16. Then click OK.
Figure 3-16 Configuring a user’s profile path.
- Step 6. From this dialog box, you can perform the following actions:
  - Click Default Profile and then click Copy To in order to copy an existing profile to another computer. This is useful in a nondomain situation where you want to standardize profiles between computers.
  - Click Delete to delete a profile for a user. This is useful when you are moving a computer to a different user.
  - Click Change Type to change the profile from a local profile to a roaming profile or vice versa.
- Step 7. When finished, click OK.
Using Roaming and Mandatory Profiles with Active Directory
Roaming and mandatory profiles require a network server for implementation. Although it is recommended that you have an AD DS network for this, you can implement these profiles on other network servers. An AD DS network is recommended for use with roaming and mandatory profiles because of the additional management features that are provided by Group Policy. For example, you can specify additional folders to include in the profile, as well as mark certain folders to exclude from the profile.
An additional advantage to using Group Policy in conjunction with roaming profiles is that you can prevent users from running applications that you deem to be unacceptable, or to allow a user to run only a short list of applications. Even if a user has installed the application and incorporated its data into the user’s profile prior to the restriction policy, the GPO will prevent the user from running it.
When you use Group Policy together with roaming profiles, you can ensure that a user’s Windows 8.1 settings are exactly what you wish the user to have. You can create a default user profile that includes the desktop icons, startup applications, documents, Start menu items, and other settings. Then you can use Group Policy to manage the way that the user interacts with the network, such as preventing access to Control Panel. You can even use Group Policy to publish certain applications that the user is allowed to install, and you can redirect users’ Documents and Desktop folders to a network location. When a user logs on to the network the first time, the desktop will be configured with the settings that are appropriate for your organization. If the user makes changes to the profile, those changes will be saved. The user can then log on to an entirely different computer the next day and automatically see the environment he configured for himself, plus have immediate access to his personal files, folders, and applications.
Implementing Roaming Profiles
Local profiles cause an administrative headache when users roam around the network and when computers are routinely exchanged throughout the network. For example, if Joe logs on at PC1 and saves a file that holds key information for his job on his desktop, and later Joe logs on at PC2 because PC1 was replaced with new hardware, he is likely to panic when he discovers that his file is missing. Roaming profiles overcome this problem.
When a user with a roaming profile logs on for the first time, the following process takes place:
- Step 1. Windows 8.1 checks for the path to the user’s roaming profile.
- Step 2. Windows 8.1 accesses the path and looks for the profile. If no profile exists, Windows 8.1 generates a folder for the profile.
- Step 3. Windows 8.1 checks for a cached copy of the profile listed in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. If a local profile is found, and the computer is a member of a domain, Windows 8.1 looks in the domain controller’s NETLOGON share for a default profile for the domain. The default domain profile is copied to the local computer folder %systemdrive%\Users\%username%. If there is no domain default, Windows 8.1 copies the default local profile to the same location.
- Step 4. The NTuser.dat file is mapped to the Registry’s HKEY_CURRENT_USER key.
- Step 5. Windows 8.1 updates the user’s %userprofile% environment variable with the new location of the profile.
- Step 6. When the user logs off, the local profile is copied to the network path configured in Windows 8.1.
- Step 7. The next time the user logs on to the same computer, Windows 8.1 opens the locally cached copy of the user’s profile and compares it with the copy on the domain server. Windows 8.1 merges the contents of the two profiles.
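The cached copies that Step 3 refers to can be listed directly from the ProfileList key. The following PowerShell is an added example, not part of the original text: the function name Get-CachedProfile is hypothetical, and it reads each subkey's ProfileImagePath and CentralProfile values (the latter holds the roaming path when one is configured) to show which profiles are cached on a computer.

```powershell
# Added example (not from the book). Get-CachedProfile is a hypothetical name.
# Run elevated so the hive files inside other users' folders are visible.
function Get-CachedProfile {
    param(
        [string]$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    )

    foreach ($key in Get-ChildItem -LiteralPath $ProfileListKey) {
        $sid   = $key.PSChildName
        $props = Get-ItemProperty -LiteralPath $key.PSPath

        # Resolve the SID to an account name. Subkeys that are not valid SIDs,
        # or that belong to deleted accounts, are reported as '<unresolved>'.
        try {
            $sidObject = [System.Security.Principal.SecurityIdentifier]$sid
            $account   = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        # Look for the hive in the local copy: NTUSER.MAN marks a mandatory profile.
        $localPath = $props.ProfileImagePath
        $hive = 'none found'
        if ($localPath -and (Test-Path -LiteralPath $localPath)) {
            if (Test-Path -LiteralPath (Join-Path $localPath 'NTUSER.MAN')) {
                $hive = 'NTUSER.MAN'
            } elseif (Test-Path -LiteralPath (Join-Path $localPath 'NTUSER.DAT')) {
                $hive = 'NTUSER.DAT'
            }
        }

        [pscustomobject]@{
            Account     = $account
            Sid         = $sid
            LocalPath   = $localPath
            RoamingPath = $props.CentralProfile   # empty for local-only profiles
            Hive        = $hive
        }
    }
}

Get-CachedProfile | Format-Table -AutoSize
```

Entries whose account is unresolved, or whose local path no longer exists, are leftovers that are worth reviewing when a computer is reassigned.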
You can change whether a computer uses local or roaming profiles from Control Panel. Use the following procedure:
- Step 1. From the System and Security category of Control Panel, click System. You can also right-click Start and choose System from the programs list that appears.
- Step 2. From the System dialog box that appears, click Advanced system settings.
- Step 3. Click the Advanced tab to display the dialog box shown in Figure 3-17.
Figure 3-17 You can access user profile settings in the System Properties dialog box.
- Step 4. In the User Profiles section, click Settings to display the dialog box shown in Figure 3-18.
Figure 3-18 Some profile management options are to copy, delete, or change the type of user profile for specific users.
- Step 5. From this dialog box, you can perform the following actions:
  - Change profile type: Select a profile and click Change Type to change the profile from a local profile to a roaming profile or vice versa.
  - Delete a profile: Select a profile and click Delete to delete an existing profile. This is useful when you are moving the computer to a different user.
  - Copy a profile: Select a profile and click Copy To in order to use the same settings for another user on the same computer.
- Step 6. When finished, click OK.
Establishing Mandatory Profiles
A mandatory profile is a roaming profile that can’t be changed by the user. You configure the profile identically to the roaming profile. After the profile has been configured and saved as the NTuser.dat file in the user’s profile path on the network, you simply need to rename the file to NTuser.man.
When the NTuser.dat file is renamed with the .man extension, it is treated as though it is a read-only file. At user logon, the file is read the same way as a roaming profile. However, if a user makes any changes to the environment, the changes are discarded when the user logs off. A mandatory profile is helpful in managing the desktop environment for users who unpredictably and accidentally delete items from their desktop and Start menu, or make other unintended changes. A mandatory profile is not useful for users who need a dynamic environment for running a variety of applications.
New to Windows 8.1 and Windows Server 2012 R2, mandatory profiles become super-mandatory profiles when stored in a profile path ending in .man; for example, \\server\share\mandatoryprofile.man\. Users who are assigned a super-mandatory profile cannot log on if the server on which the profile is stored becomes unavailable. With ordinary mandatory profiles, a user can log on with the locally cached copy of the mandatory profile.
When a mandatory profile is shared by a variety of users or computers in an organization, and when a single user moves around a network to use different computers, configure the profile’s graphical presentation at a level that all the computers can support. For example, if you have some computers that support a maximum 1680 × 1050 resolution, you should not create a profile with a 1920 × 1080 resolution setting because it will not display correctly on some of the computers.
If you need to make changes to a mandatory profile, rename the profile back to NTuser.dat, log on as the user, and configure the computer. After you complete the changes, you should log off so that the changes are saved to the profile. Then, after logging on as an administrator, you can rename the file as NTuser.man. If this is a profile that should be used by multiple people, you can replace the other users’ NTuser.man files with the new version.
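The naming rules above (NTuser.man for a mandatory profile, a profile path ending in .man for a super-mandatory one) can be checked across a profile share, which also catches a hive left as NTuser.dat after the edit procedure just described. This PowerShell is an added example, not from the original text; Get-ProfileKind and the sample folder names are hypothetical, and the sample tree is constructed in a temporary folder so the check can be tried without a file server.

```powershell
# Added example (not from the book). Get-ProfileKind is a hypothetical helper.
function Get-ProfileKind {
    param([Parameter(Mandatory = $true)][string]$ProfileRoot)

    foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
        # Test-Path finds the hive even though Windows marks it hidden.
        $hasMan    = Test-Path -LiteralPath (Join-Path $dir.FullName 'NTuser.man') -PathType Leaf
        $hasDat    = Test-Path -LiteralPath (Join-Path $dir.FullName 'NTuser.dat') -PathType Leaf
        $manFolder = $dir.Name -like '*.man'

        if ($hasMan -and $manFolder) {
            $kind = 'super-mandatory'
        } elseif ($hasMan) {
            $kind = 'mandatory'
        } elseif ($hasDat) {
            $kind = 'roaming'
        } else {
            $kind = 'no hive found'
        }

        # Conditions to review before relying on the profile being read-only.
        $notes = @()
        if ($hasMan -and $hasDat)         { $notes += 'both NTuser.man and NTuser.dat present' }
        if ($manFolder -and -not $hasMan) { $notes += 'folder ends in .man but hive is not NTuser.man' }

        [pscustomobject]@{
            Folder = $dir.Name
            Kind   = $kind
            Notes  = $notes -join '; '
        }
    }
}

# Constructed sample tree: folder name -> hive file placed inside it.
$root   = Join-Path ([System.IO.Path]::GetTempPath()) ('profiles-' + [guid]::NewGuid())
$layout = @{
    'joe'           = 'NTuser.dat'   # ordinary roaming profile
    'kiosk'         = 'NTuser.man'   # mandatory profile
    'frontdesk.man' = 'NTuser.man'   # super-mandatory profile
    'lab.man'       = 'NTuser.dat'   # hive never renamed back after an edit
}
foreach ($name in $layout.Keys) {
    $dir = New-Item -ItemType Directory -Path (Join-Path $root $name) -Force
    New-Item -ItemType File -Path (Join-Path $dir.FullName $layout[$name]) | Out-Null
}

Get-ProfileKind -ProfileRoot $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Against a real share, pass the UNC path of the folder that holds the profile folders as -ProfileRoot and drop the sample-tree lines.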
User Profiles and Operating System Versions
Most networks include computers running different Windows versions, such as Windows 7, Windows 8, and Windows 8.1, as well as servers running either the original or R2 versions of Windows Server 2008 or 2012. Each newer operating system version has introduced modifications to roaming and mandatory user profiles. Consequently, if a user moves between computers running different Windows versions, the user profiles are not compatible with each other. Profile versions include the following:
- Version 1 profiles used by Windows Vista, Windows Server 2008, and older Windows versions
- Version 2 profiles used by Windows 7 and Windows Server 2008 R2
- Version 3 profiles used by Windows 8 and Windows Server 2012
- Version 4 profiles used by Windows 8.1 and Windows Server 2012 R2
When a user logs on to a Windows 8.1 computer for the first time after using an older computer, Windows 8.1 automatically updates the profile to version 4. If the user then logs on to an older computer, the available profile is incompatible and is not loaded; further, the profile might become corrupted.
Microsoft recommends that you keep roaming, mandatory, super-mandatory, and domain default profiles created in one Windows version separate from those that were created in a different Windows version. Microsoft also makes available an update rollup that fixes this issue in Windows 8.1, and a hotfix that performs the same task in Windows 8. For more information, including the Registry entry that must be created, refer to “Incompatibility Between Windows 8.1 Roaming User Profiles and Those in Earlier Versions of Windows” at http://support.microsoft.com/kb/2890783.