About User Profiles

The system creates a user profile the first time that a user logs on to a computer. At subsequent logons, the system loads the user’s profile, and then other system components configure the user’s environment according to the information in the profile.

Types of User Profiles

• Local User Profiles. A local user profile is created the first time that a user logs on to a computer. The profile is stored on the computer’s local hard disk. Changes made to the local user profile are specific to the user and to the computer on which the changes are made.
• Roaming User Profiles. A roaming user profile is a copy of the local profile that is copied to, and stored on, a server share. This profile is downloaded to any computer that a user logs onto on a network. Changes made to a roaming user profile are synchronized with the server copy of the profile when the user logs off. The advantage of roaming user profiles is that users do not need to create a profile on each computer they use on a network.
• Mandatory User Profiles. A mandatory user profile is a type of profile that administrators can use to specify settings for users. Only system administrators can make changes to mandatory user profiles. Changes made by users to desktop settings are lost when the user logs off.
• Temporary User Profiles. A temporary profile is issued each time that an error condition prevents the user’s profile from loading. Temporary profiles are deleted at the end of each session, and changes made by the user to desktop settings and files are lost when the user logs off. Temporary profiles are only available on computers running WindowsВ 2000 and later.

A user profile consists of the following elements:

• A registry hive. The registry hive is the file NTuser.dat. The hive is loaded by the system at user logon, and it is mapped to the HKEY_CURRENT_USER registry key. The user’s registry hive maintains the user’s registry-based preferences and configuration.
• A set of profile folders stored in the file system. User-profile files are stored in the Profiles directory, on a folder per-user basis. The user-profile folder is a container for applications and other system components to populate with sub-folders, and per-user data such as documents and configuration files. Windows Explorer uses the user-profile folders extensively for such items as the user’s Desktop, Start menu and Documents folder.

User profiles provide the following advantages:

• When the user logs on to a computer, the system uses the same settings that were in use when the user last logged off.
• When sharing a computer with other users, each user receives their customized desktop after logging on.
• Settings in the user profile are unique to each user. The settings cannot be accessed by other users. Changes made to one user’s profile do not affect other users or other users’ profiles.

User Profile Tiles in Windows 7 and Later

In WindowsВ 7 or later, each user profile has an associated image presented as a user tile. These tiles appear to users on the User Accounts Control Panel item and its Manage Accounts subpage.. The image files for the default Guest and default User accounts also appear here if you have Administrator access rights.

NoteВ В The Manage Accounts subpage is accessed through the Manage another account link in the User Accounts Control Panel item.

• %ProgramData%\Microsoft\User Account Pictures\Guest.bmp
• %ProgramData%\Microsoft\User Account Pictures\User.bmp

The user’s tile image is stored in the %SystemDrive%\Users\ \AppData\Local\Temp folder as .bmp. Any slash characters (\) are converted to plus sign characters (+). For example, DOMAIN\user is converted to DOMAIN+user.

The image file appears in the user’s Temp folder:

• After the user completes the initial system setup (OOBE).
• When the user first launches the User Accounts Control Panel item.
• When the user goes to the Manage Accounts subpage of the User Accounts Control Panel item. In addition, tiles for all other users on the computer are shown.

Those instances are the only times that the images are created or updated. Therefore, there are several caveats to keep in mind when using the Temp folder location programmatically:

The user’s tile is not guaranteed to be present. If the user deletes the .bmp file, for instance manually or through a utility that deletes temporary files, that user tile is not automatically recreated until the user launches the User Accounts Control Panel item or Manage Accounts subpage.

User tiles for other users on the computer might not be present in the currently logged-on user’s Temp folder. For example, if User A creates User B through the User Accounts Control Panel item, User B’s tile is created in User A’s Temp folder when Windows sends User A to the Manage Accounts subpage. Because the directory structure is not created for User B until he or she logs on, User A’s Temp folder is the only location that User B’s tile is stored. When User B logs on, the only image stored in User B’s Temp folder is his or her own.

1. To get all user tiles for users on a system, applications might need to search in each user’s Temp directory.
2. Because the access control list (ACL) of these Temp directories allows access to SYSTEM, Administrator, and the current user, applications need to elevate to access for other users.

Other users’ tiles are not guaranteed to be up-to-date in their Temp folders. If User B updates his or her user tile, User A will not see the change until User A accesses the Manage Accounts subpage. Therefore, if applications use User A’s Temp folder to obtain User B’s tile, those applications can get an out-of-date image file.

Customize the default local user profile when you prepare an image of Windows

This article describes how to customize the default local user profile settings when you create an image in Windows 7.

Original product version: В Windows 7 Service Pack 1, Windows Server 2012 R2
Original KB number: В 973289

Summary

After you deploy the image, the default local user profile settings are applied to all new users who log on to the computer.

To customize a default user profile or a mandatory user profile, you must first customize the default user profile. Then, the default user profile can be copied to the appropriate shared folder to make that user profile either the default user profile or a mandatory user profile.

When the default user profile is customized as described in this article, it reconstructs the source profile in a format that is appropriate for use by multiple users. This is the only supported method of customizing the default user profile for the Windows operating system. If you try to use other methods to customize the default user profile, it may result in extraneous information being included in this new default user profile. Such extraneous information could lead to serious problems with applications and system stability.

This article supersedes all previously published procedures about how to customize default local user profiles when you prepare images.

Customize a default user profile

The only supported method for customizing the default user profile is by using the Microsoft-Windows-Shell-Setup\CopyProfile parameter in the Unattend.xml answer file. The Unattend.xml answer file is passed to the System Preparation Tool (Sysprep.exe).

Step 1: Configure the default user profile

Log on to Windows by using the built-in local Administrator account.

You cannot use a domain account for this process.

Open the User Accounts control panel, and remove all added user accounts except for the one Administrator-level user account that you used to log on to Windows.

Configure the settings that you want to copy to the default user profile. This includes desktop settings, favorites, and Start menu options.

Customizing the Start menu and the Taskbar is limited in Windows 7.

Step 2: Create an Unattend.xml file that contains the Copy Profile parameter

Create an Unattend.xml file that contains the Copy Profile parameter ( Microsoft-Windows-Shell-Setup\CopyProfile ). By using this Copy Profile parameter, the settings of the user who is currently logged on are copied to the default user profile. This parameter must be set to true in the specialize pass.

Windows System Image Manager (Windows SIM) creates and manages unattended Windows Setup answer files in a graphical user interface (GUI).

Answer files are XML-based files that are used during Windows Setup to configure and to customize the default Windows installation.

Use the Windows System Image Manager tool to create the Unattend.xml file. The Windows System Image Manager tool is included as part of the Windows Automated Installation Kit (Windows AIK). Obtain the AIK for your operating system from one of the following websites:

For more information about Windows AIK, see Windows Automated Installation Kit (AIK). Directions about how to create an answer file can be found in the Help information that is included with Windows AIK. For more information about how to create an answer file, see Work with Answer Files in Windows SIM.

Step 3: Customize the default user profile in the Unattend.xml file

Open an elevated command prompt. To do this, click Start, type cmd in the Search box, right-click cmd in the Programs list, and then click Run as administrator.

If you are prompted for an administrator password or for confirmation, type the password or provide confirmation.

At the command prompt, type the following command, and then press ENTER:

Sysprep.exe is located in the %systemdrive%\Windows\System32\sysprep directory.

To confirm that the CopyProfile command successfully completed, open the %systemroot%\panther\unattendgc\setupact.log file.

Search for lines that resemble the following (in the specialize pass):

[shell unattend] CopyProfileDirectory from c:\Users\Administrator succeeded.
[shell unattend] CopyProfile succeeded.

This line confirms whether the CopyProfile command succeeded and which user profile was copied to the default user profile.

Capture the image.

Deploy the image. For more information about how to use Sysprep to capture and deploy an image, see Sysprep Technical Reference.

• You must use the /generalize switch with sysprep.exe so that the Copy Profile parameter can be used. The /unattend option is used to point to the desired Unattend.xml file. Therefore, in this example, the Unattend.xml file is located in the c:\answerfile folder.
• The built-in administrator account profile is deleted when you perform a clean Windows installation or when you run the Sysprep tool. The CopyProfile setting is processed before the built-in administrator account is deleted. Therefore, any customizations that you make will appear in the new user account profile. This includes the built-in administrator account profile settings.
• If there are multiple user profiles, Windows sysprep may select an unexpected profile to copy to the default user profile.
• Not all customizations will propagate to new profiles. Some settings are reset by the new user logon process. To configure those settings, use Group Policy settings or scripting.

What to consider if you use automated image build and deployment systems

When you use tools such as the Microsoft Deployment Toolkit or System Center Configuration Manager, the CopyProfile setting is not required when you run the Sysprep command. These tools usually replace or change the Unattend.xml file after the image is deployed to the disk but before the operating system has started for the first time after you run the Sysprep command. Therefore, the Unattend.xml file that is used in the Microsoft Deployment Toolkit or System Center Configuration Manager deployment process must contain the CopyProfile setting.

If you set the CopyProfile setting to true when you run Setup from the Windows 7 installation media during the image build process, the administrator profile settings may be unintentionally copied into the default user profile. The administrator profile settings are typically present in the Install.wim file on the installation media.

Turn the default user profile into a network default user profile

To turn the default user profile into a network default user profile, follow these steps:

Use an account that has administrative credentials to log on to the computer that has the customized default user profile.

Use the Run command to connect to the NETLOGON shared folder of a domain controller. For example, the path resembles the following:
\\ \NETLOGON

Create a new folder in the NETLOGON shared folder, and name it Default User.v2.

Click Start, right-click Computer, click Properties, and then click Advanced system settings.

Under User Profiles, click Settings. The User Profiles dialog box shows a list of profiles that are stored on the computer.

Select Default Profile, and then click Copy To.

In the Copy profile to text box, type the network path of the Windows default user profile folder that you created in step 3. For example, type the path \\ \NETLOGON\Default User.v2 .

Under Permitted to use, click Change, type the name Everyone, and then click OK.

Click OK to start to copy the profile.

Log off from the computer when the copying process is completed.

Turn the default user profile into a mandatory user profile

You can configure the default local user profile to become a mandatory profile. By doing this, you can have one central profile that is used by all users. To do this, you have to prepare the mandatory profile location, copy the local default user profile to the mandatory profile location, and then configure a user’s profile location to point to the mandatory profile.

Step 1: Prepare the mandatory profile location

On a central file server, create a new folder or use an existing folder that you use for roaming user profiles. For example, you can use the folder name Profiles:
\Profiles

If you are creating a new folder, share the folder by using a name that is suitable for your organization.

The share permissions for shared folders that contain roaming user profiles must enable Full Control permissions for the Authenticated Users group. The share permissions for folders that are dedicated to storing mandatory user profiles should enable Read permissions for the Authenticated Users group and enable Full Control permissions for the Administrators group.

Create a new folder in the folder that is created or identified in step 1. The name of this new folder should start with the logon name of the user account if the mandatory user profile is for a specific user. If the mandatory user profile is for more than one user, name it accordingly. For example, the following domain has a mandatory profile, and the folder name begins with the word mandatory:
\Profiles\mandatory

Finish naming the folder by adding .v2 after the name. The example that is used in step 3 has the folder name mandatory. Therefore, the final name of the following folder for this user is mandatory.v2:
\Profiles\mandatory.v2

Step 2: Copy the default user profile to the mandatory profile location

Log on to the computer that has the customized local default user profile by using an account that has administrative credentials.

Click Start, right-click Computer, click Properties, and then click Advanced System Settings.

Under User Profiles, click Settings. The User Profiles dialog box shows a list of profiles that are stored on the computer.

Select Default Profile, and then click Copy To.

In the Copy profile to text box, type the network path of the Windows default user folder that you created in the Step 1: Prepare the mandatory profile location section. For example, type the following path:
\\ \Profiles\mandatory.v2

Under Permitted to use, click Change, type the name Everyone, and then click OK.

Click OK to start to copy the profile.

Log off from the computer when the copying process is completed.

On the central file server, locate the folder that you created in the Step 1: Prepare the mandatory profile location section.

Click Organize, and then click Folder options.

Click the View tab, click to select the Show hidden files and folders check box, click to clear the Hide extensions for known file types check box, click to clear the Hide protected operating system files check box, click Yes to dismiss the warning, and then click OK to apply the changes and close the dialog box.

Locate and right-click the NTUSER.DAT file, click Rename, change the name of the file to NTUSER.MAN, and then press ENTER.

Previously it was possible to copy profiles by using the System Control Panel item. This copy to default profile option is now disabled as it could add data that made the profile unusable.

Step3: Prepare a user account

As a domain administrator, open the Active Directory Users and Computers management console from a Windows Server 2008 R2 or Windows Server 2008 computer.

Right-click the user account to which you want to apply the mandatory user profile, and then click Properties.

Click the Profile tab, type the network path that you created in the Step 1: Prepare the mandatory profile location section in the profile path text box. However, don’t add .v2 at the end. In our example, the path would be as follows:
\\ \Profiles\mandatory

Click OK, and then close the Active Directory Users and Computers management console. The user will now use the customized mandatory user profile.

Still need help

If this article does not answer your question, ask a question and pose it to other community members at Microsoft Community.

Resources

If you are having issues logging on to a user profile, see the website: