VIII. Managing user profiles

Contents

1. Introduction
    1.1 A word about user profiles

2. Making preparations
    2.1 Registry settings for the local machine
    2.2 Preparing policies
    2.3 Recommended policies
    2.4 Setting policies with DOSETPOL.BAT
    2.5 Keeping shortcuts in a safe place

3. User profiles and policies
    3.1 Enabling roaming profiles
    3.2 Creating the profiles for the janitors
    3.3 Establishing the environment for the default user

4. Creating the golden image

5. Inaugurating new user accounts
    5.1 Applying the proper policy
    5.2 Locking user profiles

6. Advanced topics
    6.1 Creating a simple list with usernames and passwords
    6.2 Creating individual password letters

7. Concluding remarks

1. Introduction

This chapter deals with the last steps before the final 'golden image' can be created with g4u.

The following steps were taken in previous chapters.

This chapter discusses the steps to take before the final 'golden image' of the workstation can be created. The following needs to be done.

1.1 A word about user profiles

In the early DOS-days there was no notion of 'personal settings': all files and all applications on the workstation were accessible to anyone that happened to sit at the keyboard. It meant that every computer user could also act as the computer's administrator. That notion has evolved over time. With the introduction of Windows 95 it was recognised that different users can use the same workstation at different times. This called for a mechanism to store personal preferences in such a way that every user could have the option to change settings without changing the settings for other users of the same workstation. These personal settings are known as a 'user profile'.

Technically speaking the personal settings consist of the following elements:

These settings are merged with global settings for 'All Users'. The combination of the settings for 'All Users' and the personal settings together make up the working environment for the user.

By default Windows 98 still uses the 'one-size-fits-all'-approach: all users share the same settings on a workstation. Note that some of these settings may originate in the 'All Users' settings where others are stored in USER.DAT. This behaviour can be changed in such a way that every user has a personal profile. That is: every user gets a personal USER.DAT and (optionally) a personal set of Desktop shortcuts and (optionally) a personal set of Start Menu shortcuts.

ServerAtSchool uses these features: every user gets a personal USER.DAT and a personal set of Desktop shortcuts. Users also get their own personal Start Menu, even though it usually is empty.

The difference between 'user' and 'administrator' has become more distinct in later versions of Microsoft Windows, notably in the Windows NT line. In Windows 98 the system registry can be used to make it more difficult for ordinary users to perform administrator tasks. However, this is no tight security by any standard.

When a Windows 98 workstation is used in a network it becomes possible to store the personal profile on the central server. That allows for using the same profile on different machines. This is called a 'roaming profile' or a 'roving profile'. It means that it no longer matters which workstation users use because the profile is the same.

The roving profiles for Windows 98 workstations are stored on the ServerAtSchool server, under the user's home directory in H:\.profile\USER.DAT, H:\.profile\Desktop and H:\.profile\Start Menu.

When a user successfully logs on to the network, the file USER.DAT is copied from the server to the workstation as are the shortcuts from the Desktop and the Start Menu. After logging out any changed settings in USER.DAT are copied back to the server. Any shortcuts added to Desktop and Start Menu are also copied to the server. At that point any shortcuts that were removed by the user are also removed from the server.

It is important to note that any changed settings are copied back to the server at logout time. It means that when a user is logged in multiple times there are multiple copies of the profile floating around. The last one to logout will overwrite the profile as it is stored on the server with the latest settings. This can lead to confusing situations with multiple simultaneous sessions.

When a user does not log on to the network, the so-called default profile is used on the workstation. This profile is equal to the 'one-size-fits-all' profile that existed on the workstation before the personal profiles were enabled. It is important to make sure that this profile has as few privileges as possible.

NOTICE: This profile of the default user is also used when a new user logs on and off for the first time. It is used as the starting point for the profile of the new user.

2. Making preparations

Before the personal profiles can be enabled and the 'golden image' can be created, a few things have to be prepared. First a few registry settings for the local machine have to be configured correctly. Subsequently all available shortcuts must be stored in a safe place, for future reference. Finally policies for pupils and teachers must be prepared.

2.1 Registry settings for the local machine

A few registry settings have already been discussed in earlier chapters. For completeness' sake they are repeated below. A good place to store these .REG files would be the directory H:\My Documents\janitors\regedit. By storing the changes in a .REG file and importing this file with REGEDIT.EXE you minimise the risk of rendering the workstation unusable due to a typing error.

2.1.1 PWDCACHE.REG

This is the contents of the file PWDCACHE.REG.

REGEDIT4
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001

Applying this change in the registry makes sure that passwords will not be cached on the workstation. See section 11.2.5 Password caching in chapter IV. Workstation setup for more information.

2.1.2 USERNAME.REG or LASTUSER.REG

This is the contents of the file USERNAME.REG.

REGEDIT4
 
[HKEY_LOCAL_MACHINE\Network\Logon]
"username"=""

Applying this change removes the name of the user that was logged in last. This file should be applied every time before an image is made. The file shown here leaves the username field empty. You can change this to any text (20 characters maximum).

If you never want to show the name of the previous user on the workstation you could use the registry setting as shown in the file LASTUSER.REG below. Note that this change needs to be applied only once.

REGEDIT4
 
[HKEY_LOCAL_MACHINE\Network\Logon]
"DontShowLastUser"=dword:00000001

See section 11.2.8 Dealing with the previous user logon in chapter IV. Workstation setup for more information.

2.1.3 Applying .REG-files

If you want to apply a .REG file to the Registry, you should take the following steps.
  1. If necessary (re)boot the workstation and login to the network using the special 'scholar' account.
  2. Navigate to: H:\My Documents\janitors\regedit
  3. Double-click on the .REG file you wish to apply.
  4. A message box appears, asking you for a confirmation to apply the changes to the Registry.
  5. Press [Yes] to confirm the dialogue. The adjustments will be made to the Registry.
  6. Depending on the nature of the changed settings in the Registry, the changes take effect immediately, after logout and subsequent login or even after the next (re)boot.

NOTICE: You can also apply these changes by executing REGEDIT.EXE from the command line or via Start | Run and specifying the name of the .REG file as a parameter, e.g. REGEDIT PWDCACHE.REG. If you add the command line switch /S (for 'silent') the change is applied without asking for confirmation. This can be handy when used from a .BAT file.

2.2 Preparing policies

It is very convenient to prepare a few .REG files that can be applied to the profiles of the various groups of users in order to enforce policies. We recognise the following four policies.

These four different policies consist of a number of registry keys. The keys are the same for all four variations. The values can be different. This makes it easy to use one of the four as the basis for the others.

You can create these files using any plain ASCII editor, e.g. NOTEPAD.EXE or EDIT.COM on the workstation.

NOTICE: You can also create these files on the server using nano(1) or vi(1). Note that you have to make sure that the editor adds both a Carriage Return and a Line Feed at the end of every line: the DOS convention for indicating an end of line. REGEDIT.EXE may have trouble importing Unix-type files, with a bare Line Feed at the end of a line.

Below is an example of the most restrictive policy: ZERO.REG and the corresponding explanation. The differences between the four policies are detailed in the next section.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoAddPrinter"=dword:00000001
"NoDeletePrinter"=dword:00000001
"NoDrives"=dword:03FFFFFF
"NoDriveTypeAutoRun"=hex:B5,00,00,00
"NoFind"=dword:00000001
"NoNetHood"=dword:00000001
"NoRun"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoSetFolders"=dword:00000001
"NoSetTaskbar"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoNetSetup"=dword:00000001
"NoNetSetupIDPage"=dword:00000001
"NoNetSetupSecurityPage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoAdminPage"=dword:00000001
"NoConfigPage"=dword:00000001
"NoDevMgrPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"NoDispCPL"=dword:00000001
"NoDispScrSavPage"=dword:00000001
"NoDispSettingsPage"=dword:00000001
"NoFileSysPage"=dword:00000001
"NoProfilePage"=dword:00000001
"NoPwdPage"=dword:00000001
"NoSecCPL"=dword:00000001
"NoVirtMemPage"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\WINDOWS\SETUP.BMP"

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="255 255 255"

NOTICE: The text between the square brackets identifies the exact location (sometimes called a "cell") within the Registry of the key-value-pairs that follow. This is comparable with a directory in a regular file system. Using the same analogy, keys are comparable to files and the values correspond to the contents of those files. The keys have an associated data type, often a double word (32-bits number), identified by dword. Quoted strings are also very common.

Explanation:

2.3 Recommended policies

Below is an overview of recommended policies for the default user (ZERO.REG), the pupils (NEST.REG), staff members (TEACHER.REG) and janitors (JANITOR.REG). You can use this table as a starting point for your own policies.

Overview of recommended policies.

Key                               ZERO                    NEST              TEACHER           JANITOR
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoAddPrinter"=dword:             00000001                00000001          00000001          00000000
"NoDeletePrinter"=dword:          00000001                00000001          00000001          00000000
"NoDrives"=dword:                 03FFFFFF                03FFFB7F          03DFFB72          00000000
"NoDriveTypeAutoRun"=hex:         B5,00,00,00             B5,00,00,00       B5,00,00,00       B5,00,00,00
"NoFind"=dword:                   00000001                00000001          00000000          00000000
"NoNetHood"=dword:                00000001                00000001          00000000          00000000
"NoRun"=dword:                    00000001                00000001          00000000          00000000
"NoSaveSettings"=dword:           00000001                00000001          00000000          00000000
"NoSetFolders"=dword:             00000001                00000001          00000001          00000000
"NoSetTaskbar"=dword:             00000001                00000001          00000000          00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoNetSetup"=dword:               00000001                00000001          00000001          00000000
"NoNetSetupIDPage"=dword:         00000001                00000001          00000001          00000000
"NoNetSetupSecurityPage"=dword:   00000001                00000001          00000001          00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"=                     ""                      "http://server/"  "http://server/"  "http://server/"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoAdminPage"=dword:              00000001                00000001          00000001          00000000
"NoConfigPage"=dword:             00000001                00000001          00000001          00000000
"NoDevMgrPage"=dword:             00000001                00000001          00000001          00000000
"NoDispAppearancePage"=dword:     00000001                00000001          00000000          00000000
"NoDispBackgroundPage"=dword:     00000001                00000001          00000000          00000000
"NoDispCPL"=dword:                00000001                00000001          00000000          00000000
"NoDispScrSavPage"=dword:         00000001                00000001          00000000          00000000
"NoDispSettingsPage"=dword:       00000001                00000001          00000000          00000000
"NoFileSysPage"=dword:            00000001                00000001          00000001          00000000
"NoProfilePage"=dword:            00000001                00000001          00000001          00000000
"NoPwdPage"=dword:                00000001                00000001          00000000          00000000
"NoSecCPL"=dword:                 00000001                00000001          00000000          00000000
"NoVirtMemPage"=dword:            00000001                00000001          00000001          00000000
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=                      "C:\WINDOWS\SETUP.BMP"  ""                ""                ""
[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"=                     "255 255 255"           "0 128 128"       "0 128 128"       "0 128 128"
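As an added example (not part of the ServerAtSchool documentation or its scripts), the following Python script generates the four policy files ZERO.REG, NEST.REG, TEACHER.REG and JANITOR.REG from the table above, covering both section 2.2 and this section. It derives the NoDrives values (bit 0 hides A:, bit 1 hides B:, up to bit 25 for Z:) from the drive letters that remain visible, so 03FFFFFF, 03FFFB7F (H: and K: visible) and 03DFFB72 (A:, C:, D:, H:, K: and V: visible) can be checked, and it writes every file with CR+LF line endings as the notice in section 2.2 requires. String values are written with doubled backslashes, the way REGEDIT.EXE itself exports them.

```python
import os
import string

POLICIES = ("ZERO", "NEST", "TEACHER", "JANITOR")
POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
DRIVES = string.ascii_uppercase      # NoDrives: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
ALL_DRIVES = (1 << 26) - 1           # 0x03FFFFFF hides every drive letter


def nodrives_mask(visible):
    """NoDrives dword that hides all drives except the given letters."""
    mask = ALL_DRIVES
    for letter in visible.upper():
        mask &= ~(1 << DRIVES.index(letter))
    return mask


def visible_drives(mask):
    """Drive letters Explorer still shows under a NoDrives mask."""
    return "".join(d for i, d in enumerate(DRIVES) if not mask >> i & 1)


def flags(bits):
    """'1110' -> (1, 1, 1, 0): one dword per policy, in POLICIES order."""
    return tuple(int(b) for b in bits)


AUTORUN = bytes.fromhex("B5000000")  # NoDriveTypeAutoRun value from the table
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
# One row per value, in the order of the table: (key, name, values per
# policy).  int -> dword:, bytes -> hex:, str -> quoted string.
TABLE = [
    (POL + r"\Explorer", "NoAddPrinter", flags("1110")),
    (POL + r"\Explorer", "NoDeletePrinter", flags("1110")),
    (POL + r"\Explorer", "NoDrives", (nodrives_mask(""), nodrives_mask("HK"),
                                      nodrives_mask("ACDHKV"), 0)),
    (POL + r"\Explorer", "NoDriveTypeAutoRun", (AUTORUN,) * 4),
    (POL + r"\Explorer", "NoFind", flags("1100")),
    (POL + r"\Explorer", "NoNetHood", flags("1100")),
    (POL + r"\Explorer", "NoRun", flags("1100")),
    (POL + r"\Explorer", "NoSaveSettings", flags("1100")),
    (POL + r"\Explorer", "NoSetFolders", flags("1110")),
    (POL + r"\Explorer", "NoSetTaskbar", flags("1100")),
    (POL + r"\Network", "NoNetSetup", flags("1110")),
    (POL + r"\Network", "NoNetSetupIDPage", flags("1110")),
    (POL + r"\Network", "NoNetSetupSecurityPage", flags("1110")),
    (IE_MAIN, "Start Page", ("",) + ("http://server/",) * 3),
    (POL + r"\System", "NoAdminPage", flags("1110")),
    (POL + r"\System", "NoConfigPage", flags("1110")),
    (POL + r"\System", "NoDevMgrPage", flags("1110")),
    (POL + r"\System", "NoDispAppearancePage", flags("1100")),
    (POL + r"\System", "NoDispBackgroundPage", flags("1100")),
    (POL + r"\System", "NoDispCPL", flags("1100")),
    (POL + r"\System", "NoDispScrSavPage", flags("1100")),
    (POL + r"\System", "NoDispSettingsPage", flags("1100")),
    (POL + r"\System", "NoFileSysPage", flags("1110")),
    (POL + r"\System", "NoProfilePage", flags("1110")),
    (POL + r"\System", "NoPwdPage", flags("1100")),
    (POL + r"\System", "NoSecCPL", flags("1100")),
    (POL + r"\System", "NoVirtMemPage", flags("1110")),
    (r"HKEY_CURRENT_USER\Control Panel\Desktop", "Wallpaper",
     (r"C:\WINDOWS\SETUP.BMP", "", "", "")),
    (r"HKEY_CURRENT_USER\Control Panel\Colors", "Background",
     ("255 255 255",) + ("0 128 128",) * 3),
]


def reg_value(value):
    """Render one value in REGEDIT4 syntax."""
    if isinstance(value, int):
        return "dword:%08X" % value
    if isinstance(value, bytes):
        return "hex:" + ",".join("%02X" % b for b in value)
    # Exported .REG files double backslashes and escape quotes in strings.
    return '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')


def build_reg(policy):
    """Complete .REG text for one policy, with CR+LF after every line."""
    column = POLICIES.index(policy)
    lines, current_key = ["REGEDIT4", ""], None
    for key, name, values in TABLE:
        if key != current_key:           # rows of one key form one [section]
            if current_key is not None:
                lines.append("")
            lines.append("[%s]" % key)
            current_key = key
        lines.append('"%s"=%s' % (name, reg_value(values[column])))
    lines.append("")
    return "\r\n".join(lines)            # a bare LF may trip up REGEDIT.EXE


def write_reg_files(directory="."):
    """Write ZERO.REG .. JANITOR.REG in binary mode so CR+LF survives."""
    written = []
    for policy in POLICIES:
        path = os.path.join(directory, policy + ".REG")
        with open(path, "wb") as fh:
            fh.write(build_reg(policy).encode("ascii"))
        written.append(path)
    return written
```

Call write_reg_files() on the server and copy the resulting files to H:\My Documents\janitors\regedit, or adapt TABLE to your own policy choices first.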

2.4 Setting policies with DOSETPOL.BAT

In this section we will prepare a small script and a corresponding .PIF file that will assist us later on to apply policies to the personal user settings. This requires a copy of the files ZERO.REG, NEST.REG, TEACHER.REG and JANITOR.REG on the C: drive, a batch file called DOSETPOL.BAT and a shortcut on the Desktop that calls the batch file.

2.4.1 Copying the registry files to C:

In order to have the various .REG files available at all times, even when the user is not logged in and hence file shares on the server are not available, we need to have the files on the local drive.

If you want to copy the .REG files you created in the sections above, you could take the following steps.

  1. If necessary (re)boot the workstation and login to the network using the special 'scholar' account.
  2. Open a window (using My Computer) and navigate to C:\WINDOWS\SYSTEM. Do take note of the warnings that it might be dangerous to change anything in this directory but continue anyway.
  3. In a new window, navigate to H:\My Documents\janitors\regedit.
  4. Position the windows in such a way that you can easily access them both.
  5. Copy the following files from H:\My Documents\janitors\regedit to C:\WINDOWS\SYSTEM:
  6. Close both windows.

At this point the prepared files with policies for the various types of user are copied to the C: drive. These files will become part of the 'golden image' later on, making it easier to apply the relevant file whenever a new user is added.

NOTICE: Choosing the directory C:\WINDOWS\SYSTEM to store these files makes it less likely that a casual user will accidentally make changes to the registry by double clicking these files. A determined user, however, will have no serious problems changing the registry anyway. It is a matter of making it harder rather than making it impossible. If a pupil is smart enough to take this hurdle and actually change something, you could consider appointing this pupil as your Official Helper for Miscellaneous Computer Tasks.

NOTICE: There are many ways to copy files. The example above is just one way. You can choose another way to copy files if you wish.

2.4.2 Creating the batch file DOSETPOL.BAT

In order to make it easier to apply the various .REG files, a simple batch file must be constructed. This file should be created in the directory C:\WINDOWS\COMMAND because this directory is part of the search path. This will make sure that the batch file can be found when it needs to be executed. Here is a fully functional example of this batch file.

@ECHO OFF
REM C:\WINDOWS\COMMAND\DOSETPOL.BAT -- Helper for setting policies
 
IF NOT EXIST P:\NUL GOTO Farewell
 
C:\WINDOWS\COMMAND\CHOICE /C:QZNTJ /N Z(ero), N(est), T(eacher), J(anitor) or Q(uit)? 
IF ERRORLEVEL == 5 GOTO LabelJ
IF ERRORLEVEL == 4 GOTO LabelT
IF ERRORLEVEL == 3 GOTO LabelN
IF ERRORLEVEL == 2 GOTO LabelZ
IF ERRORLEVEL == 1 GOTO LabelQ
 
:LabelQ
ECHO Nothing changed
GOTO Byebye
 
:LabelZ
ECHO ZERO
C:\WINDOWS\REGEDIT /S C:\WINDOWS\SYSTEM\ZERO.REG
GOTO Byebye
 
:LabelT
ECHO TEACHER
C:\WINDOWS\REGEDIT /S C:\WINDOWS\SYSTEM\TEACHER.REG
GOTO Byebye
 
:LabelN
ECHO NEST
C:\WINDOWS\REGEDIT /S C:\WINDOWS\SYSTEM\NEST.REG
GOTO Byebye
 
:LabelJ
ECHO JANITOR
C:\WINDOWS\REGEDIT /S C:\WINDOWS\SYSTEM\JANITOR.REG
GOTO Byebye
 
:Byebye
ECHO DONE
PAUSE
 
:Farewell

When this script is executed, it first determines whether the user at the workstation is currently logged in. This is done by testing for the existence of the file P:\NUL. DOS thinks this file exists if drive P: exists (see notice below). This drive only exists when a user is logged in. If DOS thinks this file does not exist, and hence we must conclude that this drive does not exist, the remainder of the script is skipped altogether. The effect is that it looks like nothing happens. This situation occurs when no user is logged in, i.e. the user hit the [Esc] key or pressed [Cancel] in the network logon dialogue. This user may be able to execute the script, but it will simply do nothing.

If the file P:\NUL does exist, the script continues with prompting the user for a choice (using C:\WINDOWS\COMMAND\CHOICE.COM). Valid choices are: 'Q', 'Z', 'N', 'T' and 'J'. Depending on the choice the user makes, indicated via the error level, processing continues at one of the labels 'LabelQ', 'LabelZ', 'LabelN', 'LabelT' or 'LabelJ'.

For option 'Q', nothing happens. This can be used to bail out. The other four options each print a message on the screen and subsequently apply exactly one of the .REG files to the registry.

After processing is complete, the message 'DONE' is written to the screen and the script waits until the famous AnyKey is pressed (due to the command PAUSE).

NOTICE: It is important that the order of the options (the letters 'Q', 'Z', 'N', 'T', 'J' in the /C parameter) corresponds with the error levels, and that the tests are listed from the highest error level down to the lowest, because IF ERRORLEVEL n is true for every error level of n or higher. I.e., when you add a sixth letter/option to the list, you should insert the test for errorlevel 6 before the test for errorlevel 5.

NOTICE: The check for the file P:\NUL stems from the old DOS-days. This trick still works in Windows 98. Every name of a built-in device such as NUL exists in every directory, unless the directory itself (or the corresponding drive) does not exist. This phenomenon can be used to check for the existence of directories and also for the presence of a particular drive without having to know the name of an existing file on the drive.

2.4.3 Creating a corresponding .PIF-file

Once you apply the file ZERO.REG containing the recommended settings (see 2.3 Recommended policies) to the Registry, it suddenly becomes impossible to run commands or browse the local C: drive (see the explanations for NoRun and NoDrives in section 2.2 Preparing policies). Note that NoRun takes effect immediately even though the option is still visible in the Start Menu. However, double clicking on shortcuts is still allowed. Therefore we prepare a special shortcut for the batch file before ZERO.REG is applied. This way we keep access to the policies even after NoRun has become active by applying ZERO.REG. Note that ZERO.REG will be applied shortly, in section 3.3 Establishing the environment for the default user below.

If you want to create a shortcut to DOSETPOL.BAT, you should take the following steps.

  1. On the desktop area right-click the mouse. A popup menu appears.
  2. Navigate to: New | Shortcut. The 'Create Shortcut' dialogue appears.
  3. In the field 'Command Line' enter: DOSETPOL.BAT.
  4. Press [Next] to confirm the dialogue. The 'Select a Title for the Program' dialogue appears.
  5. Accept the default name for the shortcut ('Dosetpol'). Press [Next] to confirm the dialogue. The 'Select an Icon' dialogue appears.
  6. Select an icon from the icon collection that is displayed. The picture of a traffic light seems appropriate because, in a way, applying these policies (denying or allowing access) resembles traffic control. Press [Finish] to confirm the dialogue.
  7. The Desktop reappears. A new shortcut called 'Dosetpol' is added to the Desktop.
  8. Right-click on the new icon. A popup menu appears.
  9. Select 'Properties' from the popup menu. The 'Dosetpol Properties' dialogue appears.
  10. Navigate to the 'Program' tab and check the box labeled 'Close on exit'.
  11. Confirm the dialogue by pressing [OK].
  12. The Desktop reappears.

At this point there is a shortcut to the batch file. This shortcut can be used to execute the batch file that was created in the previous section. We will be using this shortcut whenever a new user account is inaugurated.

2.5 Keeping shortcuts in a safe place

After installing all the educational software in chapter VII. Installing educational software both the Desktop and the Start Menu are filled with many shortcuts, including the shortcut 'Dosetpol' created in the previous section. It is a good idea to make sure that none of these shortcuts are lost. We will need the shortcut files (*.LNK and *.PIF) later on when we will be assigning shortcuts to individual users.

When we are trimming down the privileges of the default user (see section 3.3 Establishing the environment for the default user below) we will be removing all shortcuts for this default user, except the 'Dosetpol' shortcut. Now is the last chance to save the shortcuts!

In order to make a copy of all available shortcuts you should take the following steps.

  1. If necessary (re)boot the workstation and login to the network using the special 'scholar' account.
  2. Navigate to: My Documents | janitors | shortcuts.
  3. Create a new directory 'all' here. Descend into this new directory, e.g. by double-clicking it and leave the directory open.
  4. Right-click on the Start button. A drop down menu appears.
  5. Click on 'Explore'. An Explorer window with two panes opens. The left hand pane shows a directory tree, the right hand pane shows the contents of the Start Menu.
  6. Re-arrange the positions of the 'all' window and the 'Explorer' window in such a way that you can easily access both.
  7. Now drag the whole Start Menu from the left hand pane in Explorer to the new directory you just created, using the right-hand mouse button.
  8. Release the right-hand mouse button and select 'Copy Here'. The complete Start Menu will be copied.
  9. Now return to the Explorer pane which shows the directory tree.
  10. Navigate to the directory called 'Desktop'.
  11. Repeat the procedure and copy Desktop to the new directory too.
  12. Navigate to the directory called 'All Users'.
  13. Repeat the procedure and copy All Users to the new directory too.
  14. Close both windows.

At this point you have made a copy of all available shortcuts.

We will sort these out in chapter IX. Shortcuts, desktops and start menus.


3. User profiles and policies

At this point all preparations have been made for smooth transition to roaming profiles. In this section we will perform the following actions. First we will 'flip the switch' and enable personal profiles for all users on this machine. This involves rebooting the computer.

After that we will create the profile for the special 'scholar' account and perhaps do the same for the other members of the 'janitor' group. Then we will 'login' as the default user, do a thorough cleanup and strip the Desktop and the Start Menu (i.e. removing nearly all shortcuts). After that the ZERO.REG policy is applied. At that point the workstation is ready for the final 'golden image'.

3.1 Enabling roaming profiles

The big moment is finally there. The roaming profiles are on the verge of being enabled. Did you make a 'milestone image' recently?

If you want to enable roaming profiles on this workstation, you should take the following steps.

  1. If necessary, completely shutdown the computer. This makes certain that profiles will be enabled in a clean, uncluttered manner.
  2. Start the workstation. After a while the 'Enter Network Password' dialogue appears.
  3. Do not logon to the network but instead press the [Esc] key or the [Cancel] button.
  4. Navigate to: Start | Settings | Control Panel | Passwords. The 'Password Properties' dialogue appears.
  5. Switch to the tab 'User Profiles'. Note that the option 'All users of this computer use the same preferences and desktop settings' is selected and that two check boxes in the frame 'User profile settings' at the bottom of the dialogue are grayed out.
  6. Check the box 'Users can customize their preferences and desktop settings. Windows switches to your personal settings when you log on'. Note that the 'User profile settings' frame is no longer grayed out.
  7. In the frame 'User profile settings' make sure both 'Include desktop icons and Network Neighbourhood contents in the user settings' and 'Include Start menu and Program groups in user settings' are checked.
  8. Confirm the dialogue by pressing [OK]. The 'System Settings Change' dialogue appears.
  9. Press [Yes] to confirm the dialogue. The workstation will reboot itself. This may take some time.
  10. Eventually the 'Enter Network Password' dialogue appears.

At this point personal user profiles are enabled for this workstation.

3.2 Creating the profiles for the janitors

Until now all user settings and shortcuts were stored on the local drive C: of the workstation. Now that the personal profiles are enabled every user has to get their own profile. Such a fresh profile is patterned after the profile of the default user. At this moment the profile of the default user is still the same as it was directly before the personal profiles were enabled.

It is very convenient to keep this profile, for future reference. The best account to use is the 'scholar' account. The purpose of this account is to have a 'clean' account that is solely used for the purpose of installing (educational) software. It seems only natural to keep all shortcuts and settings in the roaming profile of this particular account.

It can be efficient for other selected users to have a profile that is already filled with most if not all available shortcuts. Suitable accounts would be the accounts of the members of the predefined group 'janitors'. In the Exemplum Primary School there are two other members of the group 'janitors': the local systems administrator Freddie Frinton (userid 'ffrint') and the ICT coordinator Amelia Cackle (userid 'acackl'). Even though it is not necessary to let these two janitors have all available shortcuts it can be very handy. On the other hand: it is not a good idea to give everyone (including staff members) access to everything.

If you want to create a 'filled' profile for the 'scholar' account, you should take the following steps.

  1. Make sure the 'Enter Network Password' dialogue is displayed.
  2. Logon to the network using the special 'scholar' account.
  3. After a while the 'Windows Networking' dialogue is displayed. It prompts you with the following question: "You have not logged on at this computer before. Would you like this computer to retain your individual settings for use when you log on here in the future?". This is a somewhat strange choice of words. It means: "You have not yet established a personal profile on this computer. Do you want to establish such a profile?" Press [Yes] to confirm the dialogue.
  4. The 'Creating User Profile' dialogue appears briefly. A blue progress bar indicates that some files are being copied from the server to the workstation, into the directory C:\WINDOWS\Profiles\scholar.
  5. After a while the Desktop appears. It looks exactly the same as before, as it should.
  6. (optional) Apply the relevant policy for this user account using the shortcut 'Dosetpol' that was created in section 2.4 Setting policies with DOSETPOL.BAT above. See notice below.
  7. Navigate to: Start | Log Off Scholar. The 'Log Off Windows' dialogue appears.
  8. Press [Yes] to confirm the dialogue. Once again the dialogue 'Creating User Profile' is displayed briefly and again a blue progress bar indicates that some files are being copied, this time in the opposite direction, from the workstation to the server.
  9. After a while the 'Enter Network Password' dialogue is displayed.

At this point the personal profile for user account 'scholar' has been established. The next time this account logs on to the network, the settings for the account will be copied from the server to the workstation. This includes all the shortcuts that are part of the personal profile. Any changes to the profile are copied back to the server after logout. Note that these changes do not affect other users' settings.

If you want to quickly fill the personal profile for the local systems administrator and the ICT coordinator too, you should repeat the procedure outlined above for both accounts.

NOTICE: At this point it is possible that no policies have been applied to the accounts 'scholar' and possibly 'ffrint' (the local systems administrator at the Exemplum Primary School) and 'acackl' (the ICT coordinator). (See the optional step 6 above). You can always apply these policies later on, if you wish. Please make sure that you do not apply the restrictive ZERO.REG to your own account or to that of the 'scholar' user, because it makes working on the computer very hard if you need to perform administrative tasks such as installing more (educational) software.

3.3 Establishing the environment for the default user

At this point all shortcuts have been copied at least once (see section 2.5 Keeping shortcuts in a safe place). Furthermore, the special 'scholar' account also has a copy of almost all the available shortcuts, in H:\.profile\Desktop and H:\.profile\Start Menu. Even more copies may exist in the profiles for the local systems administrator ('ffrint') and the ICT coordinator ('acackl'). Now it is time to remove almost all shortcuts from the personal environment of the default user. Also, now is the right time to enforce the restrictive ZERO.REG policy for the default user.

Please take the following steps.

  1. If necessary (re)boot the workstation. After a while the 'Enter Network Password' dialogue appears.
  2. Do not logon to the network but instead press the [Esc] key or the [Cancel] button.
  3. Clean up any superfluous files using the procedure outlined in section 11.3 Cleaning up in chapter IV. Workstation setup. It is very important to clean up the profile of the default user because it will be the basis for the profile of every new user. You should at least get rid of This is the last chance for an easy but thorough cleanup.
  4. Right-click on the Start button. A drop down menu appears.
  5. Click on 'Explore'. An Explorer window with two panes opens. The left hand pane shows a directory tree, the right hand pane shows the contents of the Start Menu.
  6. In the right hand pane do the following:
  7. Now use the left hand pane to return to the Start Menu by selecting it. The right hand pane now shows the contents of the Start Menu consisting of a single subdirectory 'Programs'.
  8. On the Desktop locate the shortcut called 'Dosetpol' (created in section 2.4 Setting policies with DOSETPOL.BAT). Move (not copy) this icon to the right hand pane, into the Start Menu directory.
  9. In the left hand pane, navigate to the directory 'Desktop'. The right hand pane shows the contents of the Desktop.
  10. In the right hand pane do the following:
  11. Close the window. The (nearly empty) Desktop appears.
  12. The Desktop should only contain the following items. All other items should be deleted. This includes the shortcut to DAEMON Tools and other shortcuts. All these shortcuts originate from the 'All Users' directory discussed earlier. Delete these remaining shortcuts, e.g. by selecting them and hitting the [Del] key.
  13. (optional) You may want to remove any shortcuts from the Quick Launch bar but please do keep the icon 'Show Desktop'.
  14. Empty the Recycle Bin by right-clicking on the icon and selecting the appropriate option from the popup menu. This removes all items that were deleted in the previous steps.
  15. Apply the ZERO.REG policy, e.g. by double clicking the file C:\WINDOWS\SYSTEM\ZERO.REG. Note that in this case navigating to Start | Dosetpol will not work because the default user is not logged in and hence the DOSETPOL.BAT script will do nothing.
  16. Shutdown the workstation, e.g. by navigating to: Start | Shut Down | Shut Down. Confirm the dialogue by pressing [OK]. The workstation will be shut down.
  17. If necessary, switch off the workstation.

At this point the environment for the default user has been established. The workstation has been switched off, preventing accidental changes to this workstation. The final step is to create the ultimate 'golden image' with g4u.

4. Creating the golden image

At this point the workstation is ready for creation of the 'golden image'. The environment for the default user has been restricted as much as possible, and temporary files and other cruft have been removed.

If you want to create the 'golden image' you should take the following steps.

  1. (optional) If you want to keep your documentation up-to-date, you may want to take the following steps.
  2. Restart the workstation with the g4u floppy.
  3. Create the golden image using the procedure outlined in section 5. Creating an image of a workstation in chapter V. Managing disk images with ghost for unix.

At this point you have created the golden image for this workstation. The image is now ready to be distributed to all the other workstations.

5. Inaugurating new user accounts

Every user has to have their own profile. This profile is created automatically whenever the user logs on to the network for the first time. The basis for the profile of the new user is the profile of the default user. In the previous section we did our best to restrict the profile of the default user as much as possible. We did this by removing all shortcuts from Desktop and Start Menu and also by applying the Registry settings from ZERO.REG.

The effect is that any new user that logs in and out for the first time gets a fairly restricted profile. These restrictions can selectively be lifted by applying one of the other files to the Registry, e.g. NEST.REG, TEACHER.REG or even JANITOR.REG. The procedure to do this for all users is discussed in section 5.1 Applying the proper policy below.

The changes from these .REG files eventually end up in the user's USER.DAT. Section 5.2 Locking user profiles discusses how a user profile can be locked, i.e. the user herself cannot change any setting in the profile at all. This feature can be very effective for nests (pupils). Some staff members could also benefit from a locked profile because it prevents accidental changes to the profile or deletion of shortcuts. That can make life easier for the local systems administrator.

5.1 Applying the proper policy

If you want to establish a profile for a new user, you should take the following steps.

  1. (optional) (Re)boot the workstation.
  2. After a while the 'Enter Network Password' dialogue appears.
  3. Logon to the network, using the new user's userid and the new user's password.
  4. After a while the 'Windows Networking' dialogue is displayed. It prompts you with the following question: "You have not logged on at this computer before. Would you like this computer to retain your individual settings for use when you log on here in the future?". This is a somewhat strange choice of words. It means: "You have not yet established a personal profile on this computer. Do you want to establish such a profile?" Press [Yes] to confirm the dialogue.
  5. The 'Creating User Profile' dialogue appears briefly. A blue progress bar indicates that some files are being copied from the server to the workstation, into a directory under C:\WINDOWS\Profiles. This directory has the same name as the userid of the new user.
  6. After a while the Desktop appears. It looks exactly the same as the Desktop for the default user.
  7. Apply the relevant policy for this user account using the shortcut 'Dosetpol'. Note that this shortcut for 'Dosetpol' was added at the top of the Start Menu in section 3.3 Establishing the environment for the default user. You can start this script by navigating to: Start | Dosetpol.
  8. Open the Start Menu once again. Right-click on the 'Dosetpol' shortcut. A popup menu appears.
  9. Select 'Delete' from the popup menu in order to remove the shortcut from this user's Start Menu. It is no longer needed.
  10. Empty the Recycle Bin. This makes sure that this user cannot restore this shortcut later on.
  11. Navigate to: Start | Log Off userid. The 'Log Off Windows' dialogue appears.
  12. Press [Yes] to confirm the dialogue. Once again the dialogue 'Creating User Profile' is displayed briefly and again a blue progress bar indicates that some files are being copied, this time in the opposite direction, from the workstation to the server.
  13. After a while the 'Enter Network Password' dialogue is displayed again.

At this point a single profile, including the correct policy, is established for the new user. This procedure needs to be repeated for every new user.

After establishing the profile and applying the policy, the Desktop and the Start Menu of the new user have to be populated. This is discussed in the chapter IX. Shortcuts, desktops and start menus.

NOTICE: If you, in your role of local systems administrator, do not logon at least once with every new userid, any new user will end up with the restricted profile of the default user after the first logon and logoff. That is good. However, by running 'Dosetpol' this new user can supply herself with janitor privileges. That probably is not good. By logging in yourself for the very first time, using the new account, you can make sure that the profile is already established by the time the actual user logs on herself for the first time. As an added bonus you can make sure that there are no typing errors or other mistakes in the password that was assigned to this new user; you have checked it yourself by successfully logging on the first time.

5.2 Locking user profiles

At this point every user now has her personal profile in a USER.DAT file on the server. However, when a user modifies her Desktop or installs software and adds an extra shortcut on the desktop or in the Start Menu, these changes are also copied to the server when she logs off. This may or may not be a problem.

For some users it might be a good idea to lock the profile, i.e. make it impossible for these users to change their own settings in their own USER.DAT. The 'official' way to lock a profile consists of two steps.

  1. The file USER.DAT on the server must be renamed to USER.MAN ('MAN' is short for 'Mandatory').
  2. The file permissions for USER.MAN must be changed to readonly.

5.2.1 Locking and unlocking with a one-liner

In the current version of ServerAtSchool the changes to the USER.DAT/USER.MAN files are made via the command line on the server. You can change the status of a user profile from 'unlocked' to 'locked' and vice versa with the following one-liner at the root prompt (illustrated using the accounts for 'grade7' and 'grade8'). Note that your input is emphasised.

[root@praeceptor root]# cd /home/userdata/home/users ; \
> for u in grade7 grade8; do \
>   mv $u/H/.profile/USER.DAT $u/H/.profile/USER.MAN ; \
>   chmod 0440 $u/H/.profile/USER.MAN ; \
> done
[root@praeceptor users]# _

This one-liner (which is displayed on multiple lines for layout reasons) iterates through a list of userids (here a list of two: grade7 and grade8) and changes the name of the file USER.DAT in the subdirectory H/.profile to USER.MAN using mv(1) and subsequently sets the permissions of the renamed file to readonly for the owner and the group of the file with chmod(1). These changes together are enough to lock the profiles of grade7 and grade8.

The profiles can be unlocked again by using the following one-liner.

[root@praeceptor root]# cd /home/userdata/home/users ; \
> for u in grade7 grade8; do \
>   mv $u/H/.profile/USER.MAN $u/H/.profile/USER.DAT ; \
>   chmod 0660 $u/H/.profile/USER.DAT ; \
> done
[root@praeceptor users]# _

This reverses the actions performed when locking the profile: the file is renamed to USER.DAT and both read and write permissions are granted to owner and group of the file.

5.2.2 Locking and unlocking with a script

If there are many profiles that need to be locked or unlocked or when profiles need to be locked or unlocked more than a few times, it may be efficient to create a small helper script that contains both one-liners. Such a script, say /usr/sbin/userdat, might look like this.

#!/bin/bash
# /usr/sbin/userdat -- lock or unlock windows profiles for user accounts

PROG="$(/bin/basename "$0")"
USAGE="usage: $PROG [ -L | -U ] userid [userid ...]"

# -L locks: USER.DAT becomes USER.MAN, readonly for owner and group.
# -U unlocks: USER.MAN becomes USER.DAT, read/write for owner and group.
if [ "$1" == "-L" ]; then
  OLDNAME="USER.DAT"
  NEWNAME="USER.MAN"
  PERMISSIONS="0440"
  shift
elif [ "$1" == "-U" ]; then
  OLDNAME="USER.MAN"
  NEWNAME="USER.DAT"
  PERMISSIONS="0660"
  shift
else
  echo "$USAGE" >&2
  exit 1
fi

if [ -z "$1" ]; then
  echo "$USAGE" >&2
  exit 1
fi

# Every remaining argument is a userid; rename and chmod its profile file.
while [ -n "$1" ]; do
  OLDPATH="/home/userdata/home/users/$1/H/.profile/$OLDNAME"
  NEWPATH="/home/userdata/home/users/$1/H/.profile/$NEWNAME"
  echo -n "$1: "
  if [ -e "$OLDPATH" ]; then
    /bin/mv "$OLDPATH" "$NEWPATH"
    echo -n "$OLDNAME renamed, "
  else
    echo "$PROG: '$OLDPATH' not found; no file renamed"
  fi
  if [ -e "$NEWPATH" ]; then
    /bin/chmod "$PERMISSIONS" "$NEWPATH"
    echo "permissions changed"
  else
    echo "$PROG: '$NEWPATH' not found; no permissions changed"
  fi
  shift
done

This script should be called with the switch -L for 'lock' or the switch -U for 'unlock' as the first parameter, followed by a list of userids that need to be locked or unlocked. This way locking the profiles of grade12, grade3, ..., grade8 can be done with a single command as illustrated below. Again, your input is emphasised.

[root@praeceptor root]# userdat -L grade12 grade3 grade4 grade5 grade6 grade7 grade8  
grade12: USER.DAT renamed, permissions changed
grade3: USER.DAT renamed, permissions changed
grade4: USER.DAT renamed, permissions changed
grade5: USER.DAT renamed, permissions changed
grade6: USER.DAT renamed, permissions changed
grade7: USER.DAT renamed, permissions changed
grade8: USER.DAT renamed, permissions changed
[root@praeceptor root]# _

NOTICE: You can use the automatic filename expansion of the bash shell to your advantage by changing to the directory /home/userdata/home/users and subsequently lock the profiles of all nests (grades) with the single command userdat -L grade*. In the same manner you could lock all accounts with userdat -L *.
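A check to go with the locking procedure, added here as an example and not code from ServerAtSchool: it reports for every account whether the profile is locked, unlocked, or in a half-done state (USER.MAN renamed but still writable because the chmod was forgotten, or USER.DAT and USER.MAN both present). The directory layout is the one used above; the USERS_ROOT variable, the function names and the sample accounts built by make_demo_tree are assumptions.

```shell
#!/bin/bash
# Report the lock state of every Windows user profile on the server.
# Added example, not part of ServerAtSchool. USERS_ROOT mirrors the
# directory layout used in the manual; override it for testing.
USERS_ROOT="${USERS_ROOT:-/home/userdata/home/users}"

# profile_status USERID
# Prints one word describing the profile of USERID:
#   locked    USER.MAN present and not writable by owner or group
#   unlocked  USER.DAT present (roaming profile, user may change it)
#   writable  USER.MAN present but still writable: renamed, chmod forgotten
#   both      USER.DAT and USER.MAN coexist: ambiguous, fix by hand
#   none      neither file exists (user never logged on)
profile_status() {
  local dir="$USERS_ROOT/$1/H/.profile"
  local dat="$dir/USER.DAT" man="$dir/USER.MAN"
  if [ -e "$dat" ] && [ -e "$man" ]; then
    echo both
  elif [ -e "$man" ]; then
    # Inspect the permission string (e.g. "r--r-----") rather than using
    # test -w, which always succeeds when run as root.
    local mode
    mode=$(ls -ld "$man" | cut -c2-10)
    case "$mode" in
      ?w*|????w*) echo writable ;;
      *)          echo locked ;;
    esac
  elif [ -e "$dat" ]; then
    echo unlocked
  else
    echo none
  fi
}

# profile_report
# One line per user directory under USERS_ROOT: "userid  status".
# Returns 1 if any profile is in an incomplete or ambiguous state.
profile_report() {
  local d u s rc=0
  for d in "$USERS_ROOT"/*/; do
    [ -d "$d" ] || continue
    u=$(basename "$d")
    s=$(profile_status "$u")
    printf '%-12s %s\n' "$u" "$s"
    case "$s" in writable|both) rc=1 ;; esac
  done
  return $rc
}

# make_demo_tree DIR
# Builds a constructed sample tree (not real accounts) so the script can
# be tried without touching /home/userdata.
make_demo_tree() {
  local u
  for u in grade7 grade8 hparkh odecro; do
    mkdir -p "$1/$u/H/.profile"
  done
  touch "$1/grade7/H/.profile/USER.MAN"; chmod 0440 "$1/grade7/H/.profile/USER.MAN"
  touch "$1/grade8/H/.profile/USER.MAN"; chmod 0660 "$1/grade8/H/.profile/USER.MAN"
  touch "$1/hparkh/H/.profile/USER.DAT"; chmod 0660 "$1/hparkh/H/.profile/USER.DAT"
  # odecro gets no profile file at all
}

# Demonstration on the constructed tree.
demo_dir=$(mktemp -d)
USERS_ROOT="$demo_dir"
make_demo_tree "$demo_dir"
profile_report || echo "one or more profiles need attention"
rm -rf "$demo_dir"
```

On the real server run it with the default USERS_ROOT; a non-zero exit status from profile_report is the signal to look at the flagged accounts before relying on the lock.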

6. Advanced topics

In section 5. Inaugurating new user accounts you had to login with every user account in order to establish personal profiles for everyone. For this you need to know the correct combination of userid and password for every user.

If you used the default settings in chapter III. Janitor, all the nest accounts are allowed to access the network without specifying a password because of the special value NO PASSWORD that was specified as the SMB password for those users. That makes it very easy to logon and logoff with these userids.

Things are different for staff members. In section 5.7 Adding Multiple user accounts in chapter III. Janitor you have created a batch input file called staff.in which was used to add the various accounts for teachers and other staff members. If you have retained that file you can now re-use it and create individual letters with the pertinent information for all staff members without having to retype anything. You can use these 'password letters' to inform your users about their userid and passwords.

You could also use a one-liner to extract userids and SMB passwords from staff.in in a handy list. You could use this list while logging on and off once with every userid.

6.1 Creating a simple list with usernames and passwords

The file staff.in looked like this.

acackl:::Amelia Cackle::/bin/bash:programs,teleworkers,staff,principals,janitors:gN8OKrK1:waavaegh::amelia.cackle:0.0.0.0/0
adumbl:::Albus Dumbledore::/bin/bash:programs,teleworkers,staff,principals:jrNgtGyP:uaxefiko::albus.dumbledore:0.0.0.0/0
hgronb:::Honorine Hermelin Gronbech::/bin/bash:programs,teleworkers,staff,faculty:UAPjJ6bn:iekufaid::honorine.gronbech:0.0.0.0/0
aschur:::Anna Maria van Schurman::/bin/bash:programs,teleworkers,staff,faculty:PoVRLubL:metheese::annamaria.vanschurman:0.0.0.0/0
mastel:::Mary Astell::/bin/bash:programs,teleworkers,staff,faculty:H6JmE006:eehohdea::mary.astell:0.0.0.0/0
wblade:::Wilhelmina Bladergroen::/bin/bash:programs,teleworkers,staff,faculty:jpvnJIgb:eezuveek::wilhelmina.bladergroen:0.0.0.0/0
mmonte:::Maria Montessori::/bin/bash:programs,teleworkers,staff,faculty,healthcare:k6aVkNSu:jiesooli::maria.montessori:0.0.0.0/0
hparkh:::Helen Parkhurst::/bin/bash:programs,teleworkers,staff,faculty,healthcare:wWITa4ye:ahgiesah::helen.parkhurst:0.0.0.0/0
odecro:::Ovide Decroly::/bin/bash:programs,teleworkers,staff,faculty:j3m1odN5:ohngiegu::ovide.decroly:0.0.0.0/0
lvygot:::Lev Vygotsky::/bin/bash:programs,teleworkers,staff,faculty,healthcare:3XtMaKjX:hoofahni::lev.vygotsky:0.0.0.0/0
ppeter:::Peter Petersen::/bin/bash:programs,teleworkers,staff,faculty:dYa34K7Z:eeteeyoo::peter.petersen:0.0.0.0/0
cfrein:::Celestin Freinet::/bin/bash:programs,teleworkers,staff,faculty:1jvGRsa5:aeghicae::celestin.freinet:0.0.0.0/0
bskinn:::Burrhus Frederic Skinner::/bin/bash:programs,teleworkers,staff,faculty:coNnLV9V:icheiwoi::burrhus.skinner:0.0.0.0/0
pfreir:::Paolo Freire::/bin/bash:programs,teleworkers,staff,faculty:2jgtjRBs:iewohsho::paolo.freire:0.0.0.0/0
iillic:::Ivan Illich::/bin/bash:programs,teleworkers,staff,faculty:h1x1ahto:dusuvagi::ivan.illich:0.0.0.0/0

This file is in the standard batch import format as discussed in section 5.7.1 File format for batch processing in chapter III. Janitor. Note that in this file the first field contains the userid, the fourth field contains the full name of the staff member and the ninth field holds the SMB password. The following one-liner extracts these fields from the file staff.in and stores the output in a file called staff.txt. This file is subsequently printed using lpr(1). Once again your input is emphasised in the illustration below.

[root@praeceptor root]# cut -f1,4,9 -d: < staff.in > staff.txt
[root@praeceptor root]# lpr -P laserjet staff.txt
[root@praeceptor root]# _

Use man cut to learn what is happening here. The output on the printer will look like the list shown below.

acackl:Amelia Cackle:waavaegh
adumbl:Albus Dumbledore:uaxefiko
hgronb:Honorine Hermelin Gronbech:iekufaid
aschur:Anna Maria van Schurman:metheese
mastel:Mary Astell:eehohdea
wblade:Wilhelmina Bladergroen:eezuveek
mmonte:Maria Montessori:jiesooli
hparkh:Helen Parkhurst:ahgiesah
odecro:Ovide Decroly:ohngiegu
lvygot:Lev Vygotsky:hoofahni
ppeter:Peter Petersen:eeteeyoo
cfrein:Celestin Freinet:aeghicae
bskinn:Burrhus Frederic Skinner:icheiwoi
pfreir:Paolo Freire:iewohsho
iillic:Ivan Illich:dusuvagi

This list can simplify the process of logging on and off with every userid. Note that you do need to keep the file staff.txt in a safe place, just like the file staff.in because these files (and the hardcopy, too) contain valuable passwords.
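Before printing staff.txt, a practitioner would want to know that every record in staff.in is well-formed and that the resulting list is readable by nobody but its owner. The following is an added example, not part of the manual: staff_list produces the same userid, name and SMB password list as the cut one-liner above but skips malformed records and flags accounts whose SMB password is empty or the special value NO PASSWORD, and write_private stores the list with mode 0600. The 12-field layout (field 1 userid, 4 full name, 8 Unix password, 9 SMB password) is inferred from the records shown above and is an assumption; the function names and the sample records built by make_sample_staff are constructed.

```shell
#!/bin/bash
# Validate a batch input file (staff.in) before printing lists or letters
# from it. Added example, not part of ServerAtSchool. The 12-field layout
# (field 1 userid, 4 full name, 8 Unix password, 9 SMB password) is taken
# from the records in the manual and is an assumption.

# staff_list FILE
# Prints "userid:full name:SMB password" for every well-formed record, as
# cut -f1,4,9 does, and reports problems on stderr: records with the wrong
# number of fields are skipped, records whose SMB password is empty or
# "NO PASSWORD" are listed but flagged. Returns 1 if anything was flagged.
staff_list() {
  awk -F: '
    BEGIN { bad = 0 }
    NF != 12 {
      printf "line %d: expected 12 fields, found %d; skipped\n", NR, NF > "/dev/stderr"
      bad = 1
      next
    }
    $9 == "" || $9 == "NO PASSWORD" {
      printf "line %d: %s has no SMB password\n", NR, $1 > "/dev/stderr"
      bad = 1
    }
    { print $1 ":" $4 ":" $9 }
    END { exit bad }
  ' "$1"
}

# write_private FILE
# Copies stdin to FILE so that only the owner can read it, whatever the
# current umask, and prints the resulting permission string (rw-------).
write_private() {
  ( umask 077 && cat > "$1" ) || return 1
  chmod 0600 "$1"
  ls -l "$1" | cut -c2-10
}

# make_sample_staff FILE
# Writes a constructed sample file: two records copied from the listing in
# the manual, one account without an SMB password and one truncated record.
make_sample_staff() {
  cat > "$1" <<'EOF'
hparkh:::Helen Parkhurst::/bin/bash:programs,teleworkers,staff,faculty,healthcare:wWITa4ye:ahgiesah::helen.parkhurst:0.0.0.0/0
odecro:::Ovide Decroly::/bin/bash:programs,teleworkers,staff,faculty:j3m1odN5:ohngiegu::ovide.decroly:0.0.0.0/0
jtest:::Test Account::/bin/bash:programs,staff:AbCdEfGh:NO PASSWORD::test.account:0.0.0.0/0
broken:::Broken Record::/bin/bash:programs,staff:AbCdEfGh:pass
EOF
}

# Demonstration on the constructed sample; nothing goes to a printer.
demo_dir=$(mktemp -d)
make_sample_staff "$demo_dir/staff.in"
if staff_list "$demo_dir/staff.in" > "$demo_dir/list.tmp"; then
  mode=$(write_private "$demo_dir/staff.txt" < "$demo_dir/list.tmp")
  echo "staff.txt written with mode $mode"
else
  echo "staff.in has problems; fix them before printing"
fi
rm -rf "$demo_dir"
```

The same validation can be run before the password-letter loop in section 6.2, since that loop reads fields 1, 4, 8 and 9 from the same file.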

6.2 Creating individual password letters

You can create a password letter for every user, again based on the contents of the file staff.in. The snippet below also prints the contents of a file called password-letter.txt. This file could contain a short explanation for all users about the meaning of the passwords, useful hints on keeping the passwords and this password letter secret and perhaps other pertinent information. This text is then merged with the username and password information and printed on the laserprinter, one page per user.

# Print one password letter per record in staff.in, one page per user.
# Field 1 = userid, 4 = full name, 8 = Unix password, 9 = SMB password.
while read -r L; do
  cat password-letter.txt
  echo "Name:                $(echo "$L" | cut -f4 -d:)"
  echo ""
  echo "Network Logon:"
  echo "UserID:              $(echo "$L" | cut -f1 -d:)"
  echo "Password:            $(echo "$L" | cut -f9 -d:)"
  echo ""
  echo "E-Mail:"
  echo "UserID:              $(echo "$L" | cut -f1 -d:)"
  echo "Password:            $(echo "$L" | cut -f8 -d:)"
  echo ""
  echo "Teleworking:"
  echo "UserID:              $(echo "$L" | cut -f1 -d:)"
  echo "Password:            $(echo "$L" | cut -f8 -d:)"
  echo "Hostname:            $(/bin/hostname)"
  echo "RSA key fingerprint: $(ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub | cut -f2 -d ' ')"
  # Form feed: the next user's letter starts on a new page
  echo -e "\f"
done < staff.in | lpr -P laserjet

Explanation:

Below is an example of an individual password letter.

PASSWORD LETTER

This letter contains the secret passwords you need to use the
facilities of our server at school. Please keep these passwords to yourself.
Do not show this letter to anyone else.

- You need the information under 'Network Logon' when you want to logon to
  the school network.
- You need the information under 'E-Mail' when you want to access your 
  mailbox via webmail.
- The information under 'Teleworking' is required when you want to work at
  home with documents and files on the server at school. Note that it is
  important that the key fingerprint matches when you logon from home for
  the first time. If there is a difference, you should cancel the
  logon attempt and tell Freddie Frinton about it.

Name:                Helen Parkhurst

Network Logon:
UserID:              hparkh
Password:            ahgiesah

E-Mail:
UserID:              hparkh
Password:            wWITa4ye

Teleworking:
UserID:              hparkh
Password:            wWITa4ye
Hostname:            praeceptor.exemplum.serveratschool.net
RSA key fingerprint: 24:8f:3a:85:0a:d1:25:d6:81:14:b0:22:b6:62:55:39

Note that an in-depth explanation of the power of the command line is a little beyond the scope of this manual. If you want to learn more about this subject, you may want to consult one of the many helpful sites with information about this subject. See Appendix B. Bibliography for more information.


7. Concluding remarks

At this point the following goals are achieved.

The next step is to manipulate the users' shortcuts. This is discussed in the next chapter: IX. Shortcuts, desktops and start menus.


Authors: Peter Fokker <peter (at) berestijn.nl> and Dirk Schouten <schoutdi (at) knoware.nl>
$Id: profiles.html,v 1.18 2006/03/31 08:15:49 peter Exp $