The procedure below outlines how to set up your Win95/98 machines so that when a user logs on to the NT4 network a standard set of "profiles" is downloaded from the NT4 server onto their computer. Any changes made by the user to the desktop, background, screen saver, etc are lost when they log off. Typically this approach would be adopted in a school situation where individuals log on to the network using a common "User Name". In this document it will be assumed that there is a Group called "students" and the user name for group members is "student".
NOTE: Many of the texts and internet sources about this process assume the client machine (the one connected to the network) is running NT Workstation operating system. Win95/98 is incompatible with many of the NT Workstation techniques you will find in "NT4" references and Web pages. Unless the author specifies Win95/98, be careful. They are probably assuming you are using NT4 Workstation.
STEP 1 Set up a GROUP and USER account. In this document we will use the example of:
GROUP - students
USER - student

NOTE 1: Leave the "Use Profile Path" property box EMPTY. (This is for clients using NT4 Workstation.)
NOTE 2: You can specify any drive letter in the "Connect" field as long as it is not one of the physical drives inside the NT4 system. Each User you set up can have the same virtual drive letter - you don't need a different "Connect" drive for each user.
STEP 2 Create a directory structure for the user "HOME" directory:
C:\USERS\HOME\STUDENTS
STEP 3 Share the HOME directory as Share Name "home$" (without the quotation marks). Don't share any of the other directories.
NOTE: Using the "$" at the end of the Share Name makes it an "Administrative Share" which will not be visible when the Network Neighborhood is browsed.
STEP 4 Set up one of the client machines using POLEDIT.EXE with all of the required restrictions. This will be the "Template" system.
STEP 5 Setting up the Client System (i.e. the Win95/98 computer): Go to Control Panel and open the Passwords icon.

Click on the User Profiles tab and select the properties as below:

Do this for each of the Client machines on the network.
STEP 7 From the Template system, log on to the NT4 server using the User logon name you created in Step 1 (in our case, student). Make sure that no other 'student' user logs off while you are doing this. It is best to be the only one using the network at the time, just in case.
When the user logs off, the following directory structure will be created in the user 'home' directory.

STEP 8 Go into the students directory and change the name of User.dat to User.man (the ".man" stands for a mandatory profile). This prevents users from changing profiles in the future. (See point 4 below before 'locking up' User.man.)
Well in theory, that's all you have to do. Unfortunately there are a few more steps:
1. You need to make User.man 'read only'. NT4 doesn't appear to want to allow you to make the change, so you will need to go to the command line (DOS Prompt?) and use: <directory structure> attrib User.man +r (You will be able to tell if things are working when you start getting a series of .TMP files in the home directory as users log out. This indicates that the clients are unable to overwrite the User.man file - just what you want!)
2. You need to make sure that the User.man file in the home directory is exactly what you want. Sit down with one of the client systems (the "template" system), log in as the target 'user' (in our case: student), and use POLEDIT to set all the restrictions as you want them. Set up the desktop to be compatible with the rest of the clients (i.e. remove any icons that are not installed on the other clients) and then save the changes to the registry.
3. Make sure that any registry-dependent values (such as proxy servers, etc in Netscape Gold) are available on the "template" system.
4. Log in and out twice using the target user name (and then 'lock' up User.man as described above) to make sure the correct User.dat is written to the NT4 home directory for the target user.
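To confirm that the lock-down from STEP 8 and point 1 is still in place, the following added example (not part of the original procedure) audits each user directory under the HOME share. It assumes Python is available on a machine that can read the share; the function names and the wording of the findings are illustrative.

```python
import os
import stat
import sys

def audit_profile_dir(path):
    """Return findings for one home directory; an empty list means it is locked down."""
    # Win95/98 clients may write USER.DAT, User.dat, etc., so compare case-insensitively.
    names = {n.lower(): n for n in os.listdir(path)}
    findings = []
    if "user.man" not in names:
        findings.append("User.man missing: profile is not mandatory")
    else:
        mode = os.stat(os.path.join(path, names["user.man"])).st_mode
        # attrib +r on Windows shows up as cleared write bits in st_mode.
        if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
            findings.append("User.man is writable: set it read-only (attrib +r)")
    if "user.dat" in names:
        findings.append("User.dat present: rename from STEP 8 not applied or file rewritten")
    return findings

def count_tmp_files(path):
    """Count .TMP files, which the text above treats as a sign of blocked overwrites."""
    return sum(1 for n in os.listdir(path) if n.lower().endswith(".tmp"))

def audit_home(home_root):
    """Audit every user directory under the HOME share; return {dir: (findings, tmp_count)}."""
    report = {}
    for entry in sorted(os.listdir(home_root)):
        full = os.path.join(home_root, entry)
        if os.path.isdir(full):
            report[entry] = (audit_profile_dir(full), count_tmp_files(full))
    return report

if __name__ == "__main__":
    import tempfile
    if len(sys.argv) > 1:
        root = sys.argv[1]  # e.g. C:\USERS\HOME from STEP 2
    else:
        # No argument given: audit a constructed sample tree instead of a real share.
        root = tempfile.mkdtemp()
        os.mkdir(os.path.join(root, "STUDENTS"))
        sample = os.path.join(root, "STUDENTS", "User.man")
        open(sample, "w").close()
        os.chmod(sample, stat.S_IREAD)
    for user, (findings, tmp_count) in audit_home(root).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{user}: {status} ({tmp_count} .TMP files)")
```

A growing .TMP count with no findings matches the behaviour described in point 1; the files can be cleared out periodically.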
NOTE: This is just one approach to roaming profiles. An alternative is to use CONFIG.POL in the NETLOGON share. For details see the links on the previous page.
.... with thanks to Paul Gryzlec and David Brown
A few further comments:
1. The close link between Win98 and Internet Explorer appears to over-ride some of the 'default' settings you may set up on the 'template' system. Internet Explorer and Outlook Express icons sometimes appear on the client desktop even if they were not present on the template system.
2. Set up a fully open template using a different user name and password to be used for administration purposes.
3. You can use POLEDIT to force users to log on at the opening Windows screen and prevent them from simply pressing the Cancel button to sidestep your security. See: http://www.helmig.com/j_helmig/pollogin.htm