As I was consulting one of my colleagues regarding the user profile and imaging, I decided to try and find some sort of best practice document that would point out the differences, and where to use which. To my surprise, I could not find anything specific to what I was looking for, but rather most articles were referring to those profiles in the context of either a (1) terminal services environment, or (2) a roaming profile scenario (or both).
In reality, I believe there is a much more basic need for understanding the role of these 2 types of profiles, in the context of imaging, as well as the context of virtualization, which introduces even a more critical need to understand the differences.
note: for the sake of not rambling on about older technologies, my references will refer only to Windows XP and Windows 7. (In most cases, the Windows 7 tips will apply to Windows Vista, and in less cases, some Windows XP references may apply to Windows 2000.)
What is the Default User profile?
The default user profile is a windows profile that exists in both Windows XP and Windows 7 and contains all the components of a normal user profile. What makes this profile different, is that it is actually used as the initial profile loaded for a user upon their first login to a workstation. Once the user’s profile is created, the Default User profile will not affect that user any longer, even if the settings on the Default User profile have been changed. The only way those would re-apply to the user account, is to actually delete that user profile from the workstation, and re-login to bring back the Default User settings to that new profile.
When the user initially logs in to a workstation, a copy of the Default User profile is created in the new user’s profile folder. This means that the user now has full access to make any changes to their own profile.
So how do you create or modify that Default User profile?
The creation of the Default User profile has changed significantly between Windows XP and Windows 7. Since this is a little bit out of the scope of this article, I will not go into much detail about this, but will provide you with some links to creating both. The basics of the creation involve creating a normal profile, and then copying it over to the Default User profile.
Here is a guide on some information regarding the Default User profile in XP: http://www.petri.co.il/copy_user_profiles_in_windows_xp.htm
and another for some information regarding the Default User profile in Windows 7: http://support.microsoft.com/kb/973289
yes, they are drastically different.
What can I use the Default User profile for?
This is a question that I would’ve answered differently in the older days, and today — I would lightly say — there is almost no need for it. Let me explain:
The Default User profile is essentially the profile that specifies a lot of settings for the users. These include items such as: printers, task bar settings,
desktop icons, start menu items, favorites, screen savers, and all other user specific profile settings. In a non-corporate environment — translated: an environment without Active Directory — the default profile may be a life saver, as it would be the only method to customize desktops to look the same for all users. However, my guess is, if you are reading this article, that you are looking to figure out how to use those profiles in a corporate environment, so I will assume that you do have Active Directory running. That said, ever since server 2003, and even more so, server 2008, Active Directory has gotten so granular with group policies, that there are now very few options that would be needed to tweak in the Default User profile. One of the biggest issues is usually printer deployment based on the location of the workstations. With AD 2003, this problem has been solved with GPO printer deployment. This pretty much resolves half the battle with Default User profiles.
For additional details regarding what can be changed with GPO for user profiles, you can refer to the official GPO reference guide for both Windows XP and and Windows 7: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb
What is the All Users profile?
The All Users profile, at its essence looks pretty similar to the Default User profile, in that everything in both profiles will be visible to all users logging in to that workstation. The major difference is one: anything that is in the All Users profile is merely a link to its contents in the target user’s profile.
For instance, if an item called document1.doc is placed in the All Users\Desktop location on Workstation A, any users logging in to Workstation A will see that document on their desktop.
How do you create or modify the All Users profile?
This has unfortunately changed a little bit between Windows XP and Windows 7. The good news, is that the resulting locations are still just as easily modifiable on both operating systems. In order to add an item to the desktop in the All Users profiles on Windows XP, just copy that content into C:\Documents and Settings\All Users\Desktop.
The same can apply if you want to place items in the Favorites, or the Start Menu, etc … The location of those folders have changed between XP and 7, so below, you will find a mapping of the “old” XP locations, and the new Windows 7 locations.
note: It is worth noting, that in Windows 7, you will still be able to navigate to the Windows XP locations, but if you were to try to delete anything from those locations, you will get an “Access Denied” message. The reason for this, is because those locations are only JUNCTION points which point to the actual new locations in Windows 7, and are maintained mostly for backwards compatibility with Windows XP. I would highly recommend that you use all new locations, instead of relying on the legacy JUNCTION points.
Below is a table that will show the old and the new mappings of the two OS common folders:
|Windows XP||Windows 7|
|All Users||C:\Documents and Settings\All Users||c:\Users\Public|
|Desktop||C:\Documents and Settings\All Users\Desktop||C:\Users\Public\Desktop|
|Favorites||C:\Documents and Settings\All Users\Favorites||C:\Users\Public\Favorites|
|Start Menu||C:\Documents and Settings\All Users\Start Menu\||C:\ProgramData\Microsoft\Windows\Start Menu|
|Application Data||C:\Documents and Settings\All Users\Application Data||C:\Programdata|
|Documents||C:\Documents and Settings\All Users\Documents||C:\Users\Public\Documents|
What can I use the All Users profile for?
With the existence of such granular control with Active Directory group policy, there is really not a whole lot of need to control that profile manually anymore. Using GPOs preferences in Windows 7, It is possible to control everything from folder options, drive mappings, printers, services, to start menu items and registry entries. In a Windows 2003 environment, however, some of these options are still not available, and you would have to resort to using the All Users profile to set some of them.
In some cases, you may find that you would like to add some desktop items, or start menu items for the users, where you don’t want the users to be allowed to make any changes to those. The All Users profile is the perfect place for those. (See below for more information regarding this).
Where to use what?
This section is really the essence of this article. There are many different scenarios for using the different profiles, but since we’re discussing the traditional desktop, and a virtualization scenarios, we’ll talk about those:
In a corporate environment, there is often a need to make changes to workstation via management or login scripts. Earlier we have discussed that the different profiles treat their content differently, and in the first section where I was discussing Default User profiles, you will notice that I had crossed out desktop, favorites, and start menu. There is a method to my madness.
Let’s consider a scenario, and this is, of course, assuming that we’re not using Group Policy to control these items:
We deploy a new image with a Default User profile. That profile contains a 1Mb Read-Only document on the desktop, which I would like to make available to all users when they login to that workstation. If I place this document in the Default Profile. A couple of things will happen:
- Everytime a user logs in that 1Mb document gets copied over to the user’s desktop, ending up with multiple copies of the same document, taking up unnecessary space on the hard drive.
- Because a user’s profile is owned by the user, all contents are also owned by the user. At this point, it is practically impossible to make the file Read-Only, and not allow the user to delete it.
In a virtual environment, taking that route for this document is extremely bad practice, especially when using virtualized desktops, where optimizing a user’s profile is crucial for performance and storage reasons.
If we place that file, however, in the All Users/Desktop location, that file will exist only once on the workstation, regardless of the users logging in, and will inherit the permissions that we set on the All Users folder. In this scenario, we have accomplished both goals in maintaining that file in a single instance, and preventing users from deleting it.
Also, remember, that if that file was created in the Default User profile at some point, and users had already logged in, their own copy will be maintained. If for whatever reason, a change is required in the future to that file. (i.e: an updated version), running a script to copy a new version of the file to the All Users/Desktop profile will only create a second instance of it on the user’s desktop, creating confusion, unless additional measures are taken within the copy process to account for the user-owned copy of the file and deleting that before recopying the new one to the correct location (i.e: all users/desktop). This will only result in unnecessary management work, and confusion for the users.
So in conclusion, though the use of Default User, and All User profile is less needed these days with the prominence of very granular GPO settings. It is important to still differentiate between them, and use them correctly depending on the scenarios needed.