Configuring Default User Settings – Full Update for Windows 7 and Windows Server 2008 R2


I have written several posts on this topic before.  However, changes were made to Windows 7 and Windows Server 2008 R2 that warrant a full revisit of this topic.


This post can also be found on the Windows Springboard Series blog here.


Anyone who has been doing operating system deployments long enough has had to deal with configuring default settings for users that log on to the computer after the image is deployed. Some examples of these are folder settings, desktop wallpaper, and screen saver options. Most of these will be initial settings for user preferences that users will be able to change (unlike policies, which are enforced). This is done so that users will have a consistent, known experience when logging on to any client computer for the first time.


This can be done in a number of ways.  Below are the methods I have seen or used with what I feel are pros and cons of each.


Implementing Default User Settings by modifying the Default User Profile


There are three main methods that have been used to configure the Default User profile.  Only one method (B) is now officially supported and I recommend that you use this method.


A. Manual or scripted copy of a configured profile over the Default User profile (unsupported)


The traditional solution for this (developed during the Windows NT Workstation days) was to configure the Administrator account (or another designated account) with the settings, then copy the Administrator (or designated account) user profile over the Default User profile.  This was previously documented in numerous Knowledge Base articles (which have now been deleted).  A tool called CopyProfile was even created to script this process during unattended installations of Windows XP.


 


However, there are problems with using this procedure.  It is a very old procedure from NT4, when the shell was much simpler.  The shell is more complicated for Windows 2000 and higher.  This process will copy settings that should not be copied to the default user profile.  It may seem to work but you will find subtle problems.  Windows XP and later have made those subtle problems more visible.


 


Also, the Default User profile contains some single-run actions that occur when the user logs in for the first time and set up that user by running those custom actions.  If you overwrite the Default User profile, those single-run actions do not take place.


The manual profile copy process can cause issues such as:



  • Their list of most frequently run programs is not cleared

  • Whether the user has been introduced to the Start menu (will be set to TRUE for the source account, but should be FALSE for new users). Windows Explorer does some special things the first time you log on to introduce you to the Start menu and other new features.

  • Whether the user is an administrator (and should therefore see the Administrative Tools, etc).

  • The personalized name for “My Documents” will be incorrect. All users’ documents folders will be called “Administrator’s Documents”.  This is documented in the Knowledge Base article “The Desktop.ini File Does Not Work Correctly When You Create a Custom Default Profile” (http://support.microsoft.com/?id=321281).

  • The default download directory for IE will be set to the Administrator’s Desktop folder.

  • The default Save and Open locations for some applications will point to the Administrator’s documents folder.

  • Windows 7 Libraries are broken.

Because of these issues, this process is no longer supported in Windows XP and all later operating systems.  Unfortunately, the ability to copy a profile over the Default User profile was not blocked in Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.  This allowed many administrators to continue using the process and putting their Windows installations into an unsupported state.  To prevent this, Windows 7 and Windows Server 2008 R2 now block this scenario by having the Control Panel System applet gray out the option to overwrite the Default User profile.


At this time the only supported way to configure the Default User profile using a copy of a configured profile is to use the next method described here, the automated profile copy associated with using Sysprep.


B. Automated profile copy with Sysprep (supported)


First introduced in Windows XP Service Pack 2 (http://support.microsoft.com/?id=887816), Minisetup was modified so that it will copy customizations from the local administrator account to the default user profile.  All subsequent versions of Windows will also do this with the proper entries in the answer file.  This process was designed to avoid the problems with method A and is already automated. 


I won’t dwell on how the automated profile copy is used since it is documented in several Knowledge Base articles:



How to customize the default local user profile when you prepare an image of Windows Vista, Windows Server 2008, Windows XP, or Windows Server 2003
http://support.microsoft.com/?id=959753


How to customize default user profiles in Windows 7
http://support.microsoft.com/?id=973289


However this process does have a drawback.  It does not propagate all settings to Default User and there is no known documentation as to what will and will not be propagated.  It also can be difficult to determine if a setting did not carry over to a new user because it was considered inappropriate (i.e. not copied to Default User by design) or is being reset by Minisetup/Specialize or first logon processes.


One final important point to remember is the difference in behavior between Windows XP/Windows Server 2003 and Windows Vista and higher with respect to when the answer file setting must be present for the automated profile copy to occur.  On Windows XP and Windows Server 2003, if you want to change the behavior of the automated profile copy, the UpdateServerProfileDirectory entry must be present in Sysprep.inf when Sysprep is run.  This is because the profile copy happens when Sysprep is run on Windows XP and Windows Server 2003.  The exact opposite is true for Windows Vista and higher.  The CopyProfile setting must be set to True in the final answer file that is present when the OS restarts after Sysprep (Specialize phase) or the answer file used when Setup is used to deploy the custom image.  This setting does not necessarily have to be present in the answer file used during the image build when Sysprep is run (Generalize phase).  This is because the profile copy for Windows Vista and higher happens only during the Specialize phase.  So if you are using a deployment tool like ConfigMgr or MDT that may modify/replace the Unattend.xml, make sure that CopyProfile is configured in the answer file used for deployment.


C. Targeted changes to the Default User Registry hive and profile folders


I used to use this method before the automated profile copy existed.  It can be useful when only a small number of targeted changes are required.  It can be described as follows:



1. Identify the needed Registry changes.  Then use a tool like Reg.exe or KiXtart to load the Default User hive into a temporary location in the Registry, write only the needed settings, and then unload the hive.  The Knowledge Base article “How to run a logon script one time when a new user logs on” (http://support.microsoft.com/?id=284193) shows how to do this manually.  This can be scripted for an unattended installation using Reg.exe as shown in this example (these lines may wrap due to page width):



:: ***** Configure Default User
:: *** Load Default User hive (Windows XP / Windows Server 2003 path;
:: *** on Windows Vista and later the hive is %SystemDrive%\Users\Default\NTUSER.DAT)
reg load "hku\Test" "%USERPROFILE%\..\Default User\NTUSER.DAT"
:: *** Disable Desktop Cleanup
reg add "hku\Test\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz" /v NoRun /t REG_DWORD /d 1 /f
:: *** Unload Default User hive
reg unload "hku\Test"



2. Copy only needed files or shortcuts to the Default User profile folder.


This has the advantage that all changes to Default User are known and predictable.  However, this requires that all changes be reduced to “scriptable” items (i.e. Registry or file system changes, no manual configuration). 


To get this method to work properly on various service pack versions of Windows XP or Windows Server 2003 you have to disable the automated profile copy.  In some cases you have to either install the hotfix from this KB article: http://support.microsoft.com/?kbid=887816 or set UpdateServerProfileDirectory=0 in Sysprep.inf.  Which service pack versions have the automated profile copy enabled by default is documented in KB959753.  In Windows Vista and higher the automated profile copy is disabled by default.  You would then do the Default User hive registry edits before Sysprep runs.


This method can also be used to make changes to the Default User profile for machines that are already deployed in production.


You should exercise caution using this method.  Try to keep all changes limited to only the individual Registry or file system changes needed for a particular desired result (e.g., a Windows or application setting).  Do not do wholesale export and import of Registry keys or folder trees.  This can potentially lead to the same problems as a manual profile copy.  You can use a tool like Sysinternals Process Monitor to identify the individual changes.


Implementing Default User Settings by Using Scripts or Group Policy


The following methods are not for configuring the Default User profile directly.  However, they can be used to achieve the same effect (configuring settings the first time a new user logs on), and they have the added advantage of potentially being centrally managed.


D. Local logon script in the RunOnce Registry key


This is documented in “How to run a logon script one time when a new user logs on” (http://support.microsoft.com/?id=284193).  This manual process can be scripted with reg.exe.


There are several advantages to using a script in the default user RunOnce key.  It completely avoids the effects of Sysprep, CopyProfile, Minisetup/Specialize, or first logon processes.  Also, if the default initial user settings need to be changed after deployment, only the script file needs to be updated (instead of having to script a load/unload of the default user hive and fixing multiple settings).  Finally, it is easy to “reset” a user’s settings to the defaults because the script can be kept up to date and present on every box through software distribution or Computer Startup Scripts.  This method also requires that all changes be reduced to “scriptable” items.
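One way to script the RunOnce registration for method D with Reg.exe, as an added example that is not part of the original post. The temporary hive name, the RunOnce entry name and the script path are hypothetical, and the Default User profile is assumed to be in its default location.

```bat
@echo off
setlocal
:: Added example: register a first-logon script in the Default User hive (method D).
:: TEMP_HIVE, ENTRY_NAME and SCRIPT_PATH are hypothetical names chosen for this example.
set "TEMP_HIVE=HKU\DefaultUserTemp"
set "ENTRY_NAME=ApplyDefaultSettings"
:: Keep the script in a folder standard users cannot write to: it runs in the
:: context of every new user at first logon.
set "SCRIPT_PATH=%SystemRoot%\Setup\Scripts\DefaultSettings.cmd"

:: Locate the Default User hive (default locations assumed):
:: Windows Vista and later first, then Windows XP / Windows Server 2003.
set "HIVE_FILE=%SystemDrive%\Users\Default\NTUSER.DAT"
if not exist "%HIVE_FILE%" set "HIVE_FILE=%ALLUSERSPROFILE%\..\Default User\NTUSER.DAT"
if not exist "%HIVE_FILE%" (
    echo Default User hive not found. 1>&2
    exit /b 1
)

:: Loading a hive requires administrative rights.
reg load "%TEMP_HIVE%" "%HIVE_FILE%" >nul || (
    echo Could not load the Default User hive. Run elevated and check that it is not already loaded. 1>&2
    exit /b 1
)

:: Write only the one RunOnce value; nothing else in the hive is touched.
set "RESULT=0"
reg add "%TEMP_HIVE%\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "%ENTRY_NAME%" /t REG_SZ /d "%SCRIPT_PATH%" /f >nul || set "RESULT=1"

:: Always unload, even if the write failed, so the hive file is not left locked.
reg unload "%TEMP_HIVE%" >nul || set "RESULT=1"

endlocal & exit /b %RESULT%
```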


E. Local or Domain GPO logon script


A Group Policy logon script can be used to set “default settings” once by having the script set a flag after it first runs (perhaps an HKCU Registry entry) that it will look for and exit if found on subsequent runs.  A Domain logon script has the added benefit of being centrally managed.  This method also has the same advantages as method D.  This method also requires that all changes be reduced to “scriptable” items.
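A logon script of the kind described for method E, as an added example that is not part of the original post; the same script could also be the target of the RunOnce entry in method D. The flag key and value names and the three sample settings are choices made for this example, and the version stamp is an addition that lets updated defaults be applied once more.

```bat
@echo off
setlocal
:: Added example: apply default user settings once per settings version (method E).
:: FLAG_KEY, FLAG_VALUE and SETTINGS_VERSION are hypothetical names chosen for this example.
set "FLAG_KEY=HKCU\Software\ExampleCorp\DefaultSettings"
set "FLAG_VALUE=AppliedVersion"
set "SETTINGS_VERSION=1"

:: Read the flag. If the key or value does not exist, reg query prints nothing
:: to stdout and APPLIED stays empty.
set "APPLIED="
for /f "tokens=1,2,*" %%A in ('reg query "%FLAG_KEY%" /v "%FLAG_VALUE%" 2^>nul') do (
    if /i "%%A"=="%FLAG_VALUE%" set "APPLIED=%%C"
)

:: Already applied for this version: exit and leave the user's own changes alone.
if "%APPLIED%"=="%SETTINGS_VERSION%" goto :done

:: Sample initial settings (constructed for this example): show file extensions
:: and enable the screen saver with a 10 minute timeout.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f >nul || goto :failed
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f >nul || goto :failed
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 600 /f >nul || goto :failed

:: Set the flag last so that a partial run is retried at the next logon.
reg add "%FLAG_KEY%" /v "%FLAG_VALUE%" /t REG_SZ /d "%SETTINGS_VERSION%" /f >nul || goto :failed

:done
endlocal
exit /b 0

:failed
echo Default settings script failed; it will run again at the next logon. 1>&2
endlocal
exit /b 1
```

Raising SETTINGS_VERSION in the centrally managed copy of the script re-applies the defaults once for every user at their next logon.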


F. Group Policy Preferences


Group Policy preferences first shipped as part of the Group Policy Management Console (GPMC) in Windows Server 2008.  GP preferences consist of more than 20 Group Policy extensions that expand the range of configurable settings within a Group Policy object (GPO). Many of these extensions can configure settings that are commonly configured as default settings in a desktop image. Unlike policies, GP preferences can be changed by the user in most cases. Also, GP preferences can be configured to “apply once and do not reapply”. This allows them to behave exactly like initial default settings configured in an image but has the benefit of being centrally managed and updated.


GP preferences cover many of the areas where default settings are usually configured such as:



  • Environment Variables

  • Files

  • Folders

  • INI File Settings

  • Registry

  • Shortcuts

  • ODBC Data Sources

  • Folder Options

  • Internet Settings

  • Local Users and Groups

  • Network Options

  • Power Options

  • Regional Options

  • Scheduled Tasks

  • Start Menu

The main disadvantages of GP preferences are that managing them requires either Windows Server 2008, Windows Server 2008 R2, the Remote Server Administration Tools (RSAT) update for Windows Vista with Service Pack 1 or higher, or the RSAT update for Windows 7, and that client-side extensions (CSEs) have to be installed for Windows Vista RTM, Windows XP with Service Pack 2, and Windows Server 2003 with Service Pack 1 or higher.  For those still managing Windows 2000 images, you will have to use one of the previous methods mentioned since GP preferences will not work on Windows 2000.


I believe that GP preferences will likely be the best way to manage this going forward. Simply create GPOs using GP preferences, target them as needed, install the CSEs into the image(s) as needed, and you no longer need to worry about configuring these settings in the client image(s).


For information about Group Policy preferences see the following web resources:


Group Policy Preferences Overview


http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790


Group Policy Preferences Frequently Asked Questions (FAQ)


http://technet.microsoft.com/en-us/windowsserver/grouppolicy/cc817590.aspx



Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use.


This post was contributed by Michael Murgolo, a Senior Consultant with Microsoft Services, U.S. East Region.

Comments (53)

  1. worldzfree says:

    Can someone from the "Deployment Guys" create a video or document that talks about creating the Default User when using MDT 2010 in conjunction with SCCM 2007 SP2?  It would be a great help to all of us.

  2. Gary,

    I agree that this should be documented.  However, that does not mean that the results are inconsistent.  It means that you have to test first to see if the process results in your settings being propagated or preserved.  You may not be able to predict which settings work this way but it will happen consistently every time.

    Yes, this does mean additional testing during the image build.  And some settings may have to be implemented using methods D, E, or F.  But I have not found it to be a major impediment to using this process.

    Michael Murgolo

  3. jaydee,

    I don’t claim to know the inner working of the Windows product group.  However, just because you may not need the Active Directory Administrative Console or some other Windows feature does not mean that this was not a requested feature or something developed to address additional customer scenarios, use cases, supportability issues, etc.  One man’s trash is another man’s treasure.  🙂

    I understand your frustration that we have hard blocked an old method that is no longer supported, but I would submit that you do not have “nothing”.

    I spend nearly all of my time assisting our customers with deployment of Windows.  Part of that includes automated image builds with customized Default User profiles.  I use the Microsoft Deployment Toolkit to automate the process, script all custom user settings, and use the method B above to propagate these settings to Default User.  I have used this process with great success with some of our largest enterprise customers.

    This method does require some up front engineering but once done has many benefits.  These include repeatability, consistency, ease of deployment, etc.  Please give this a try before simply writing it off.

    For already deployed machines, method C could be used to modify the Default User profile in conjunction with Computer Startup Scripts or a software distribution tool like System Center Configuration Manager.

    Finally, consider moving to more centrally managed methods of controlling user settings like Group Policy Preferences.  This can help you get out of the business of managing the local Default User profile altogether for domain-joined machines.

    Michael Murgolo

  4. DeploymentGuys says:

    John,

    Just about the only thing you could try in this case is to mount install.wim, modify the Default User profile using method C, and then unmount/commit the changes.

    Michael Murgolo

  5. Anonymous says:

    Dear Mike et al,

    Over at the social.technet forums (Specifically http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/5a5d44b6-116a-4a21-bc64-53379218ecc6?prof=required&wa=wsignin1.0 ) I have been following this debate for some time and have myself run into this brick wall of Default User profile development and maintenance. I work at a large British university where PCs for students need to cater for all learning requirements across a broad spectrum of subjects.

    Mike, you say "Part of that includes automated image builds with customized Default User profiles.  I use the Microsoft Deployment Toolkit to automate the process, script all custom user settings, and use the method B above to propagate these settings to Default User.  I have used this process with great success with some of our largest enterprise customers. This method does require some up front engineering but once done has many benefits." Whilst I agree that all this is possible, what I don’t agree with is that this is a one size fits all notion. Not even 90%, probably not even 75% and I’d be surprised if it fits much more than 50%, if that.

    A lot of the time I get the feeling that Microsoft think that all organisations use fairly small numbers of applications (for ball park figures somewhere between 10 and 30. Suites of apps such as office I’m counting as one here) for the majority of their front end users. Once configured, these applications a) stay configured that way for fairly long periods of time and b) don’t get replaced very often. Therefore once the "up front engineering" has been completed the rest more or less looks after itself and the majority of changes can be "automate[d]….., script[ed]….., and [then] use the method B above to propagate these settings to Default User" every now and again to small numbers.

    This I can understand, it makes sense. But let’s look at the opposite end of the scale. Large numbers of applications (150+, yes we deal with that many), often require small changes making to their default operation (depending on teaching, how quickly academics test things, etc, etc), many of the applications cannot be configured via automatic methods (especially when the settings for individual user need to be the same for everyone) and applications usually change on an annual basis, some as often as every six months (and this is not a simple patch and proceed, it’s a full uninstall and brand new install + configuration). Academic software is almost never written for large multi user environments by a team of highly qualified software engineers and therefore result in bad implementation but cater for such niches that no alternative exists.

    I am tweaking default profiles many times a week. Different areas of speciality often require different settings for the same app. Our situation isn’t 80% set in stone, it’s more like 20%. The current windows implementation does not cater at all well for highly dynamic environments where software does not conform to written and unwritten standards.

    I seem to be having trouble posting my full post so I will try and do it in two halves 🙂

    Cheers,

    Matt

  6. Anonymous says:

    Hi Mike,

    After praising you for your responses, you seem to have gone quiet. Either what I’ve written is not worth replying to, or something I’ve said has caused there to be a reluctance to respond, or I have a general curse on threads which causes the mods to clam up.

    Can we get some constructive feedback on my posts? There’s a lot of detail/questions in there that haven’t really been answered yet. Nashphil is probably one of the people out there who this really affects.

    If Microsoft are going down the route where the minimum level of expertise is going to rise to such a point that you can only effectively use Microsoft systems if you’ve had all of the training available from Microsoft, then I can see an awful lot of business being lost as companies and organisations who don’t have the time/money to train for qualifications and pay salaries to heavily professionally qualified IT staff, look for more simple, user friendly, easier to administer solutions.

    It seems there is a shift more and more to scripted, non UI supported solutions. I can only see this creating expense for businesses as IT Admins ask for more and more money because the thing they could ask their three year old to do last year now requires 2 MS exams and a degree in patience for each time you need to create and test a new script.

    Personally I have no problem with scripting in very complex and unique situations. Scripting is a great tool that gets around limitations of a UI, but when I’m wasting time creating scripts that a UI used to do or could do, I don’t see a reason for it. Oh other than it’s a lot cheaper to maintain a scripting language than it is to maintain a scripting language and a UI. Oh hang on….isn’t Unix/Linux still very script based….maybe we should all expect the inevitable and jump ship now and work with a seasoned, script based OS rather than with one that’s taking its first tentative steps which doesn’t appear to listen/respond to its customers.

    Windows has been fantastic for a very long time due to its ease of entry (a la Nashphil). It seems the easy (switch on, piddle about with UI for a while and voila) is disappearing in favour for the complex (switch on, piddle about for a while, feel utterly bamboozled and switch off again never to return). With all of Apple’s neat, user friendly consumer features, its ever improving OS and its switch to Intel chips, if it ever creates a server/enterprise PC solution with all of these facets, it would seem that big Bill G got out at the right time.

    Meh I hate ranting, apologies if this post appears shouty, I am trying to present a considered argument….but seriously, being ignored does fire me up 😛

    Cheers,

    Matt

  7. Tom,

    Unfortunately, that will not help.  The issues will occur when manually copying any user profile over default user.  These profiles have already been "personalized" for that user.

    Michael Murgolo

  8. jaydee,

    In general, IT processes that depend on manual intervention will have more errors, quality problems, and inconsistencies than automated processes.  When people follow a manual "run book" or simply "make it look right" manually, it becomes a process that has a good chance of not being done the same way twice.

    I see your point that smaller organizations may not always have the resources or time to devote to developing such automation.  However, smaller organizations can benefit from automation as much as large ones (perhaps more so in some instances).

    For example, a few years ago I worked with a small suburban township IT department (basically a two person admin shop) to implement and teach BDD and SMS 2003 OSD Feature Pack (current at the time) over the course of about two or three weeks.  This included automating customizations to the Default User profile.  We did not cover every setting but I showed them how to figure out the rest for themselves.  And where Registry settings or configuration items were difficult or impossible to find, I showed them how to use VBScripts with Sendkeys or a tool like AutoIt to automate moving through the user interface of Windows or installed programs to configure settings during the image build.  (I don’t recommend doing that for the actual deployment, but doing this is perfectly acceptable for the image build process which runs in isolation.)

    This exercise greatly reduced the time they spent configuring, generating, and deploying Windows thereafter.  With a process like this, generating a custom network or mandatory profile now simply becomes a matter of kicking off the automated build, restarting the resulting machine, and copying the configured Default User profile to the network location.  This involves only minutes of operator time for the entire process since you can walk away from it.

    So while a tool to create a configured default profile without a full OS build and Sysprep would be helpful, I would want to see such a tool used in a scripted fashion anyway.  No customer that I have ever worked with for OS deployment/management was still doing manual profile configuration once I showed them how to automate it.

    Michael Murgolo

  9. jaydee,

    I was not implying that you or anyone else is technologically inept.  I was simply pointing out that perhaps you were oversimplifying by claiming to have "nothing" at your disposal to manage profiles.  They may not be perfect and they may not work the way they did in the past but you can certainly be successful when using them.

    Also, I don’t believe I said that deployments were "easy".  I state that this will require up front engineering.  The customers that I work with that are most successful with managing the user experience in the long run are those that commit to doing this type of engineering effort.  Once they develop the processes for achieving this level of automation, they find that their costs for changing and maintaining it in the future are actually less than before they undertook the effort.

    These customers find themselves higher along the road to an optimized infrastructure in the desktop space after such an effort. (http://www.microsoft.com/infrastructure/about/default.aspx).

    Michael Murgolo

  10. jaydee – I agree that we could provide better tools for doing this.  We realize that the profile copy associated with Sysprep is convenient for image build/deployment.  And that it’s not so convenient for updating deployed machines or creating a network profile.  Being in our Consulting organization, I am constantly pushing our product teams to make improvements and provide better tools precisely because I work with our customers to accomplish many of the same things that you are.  However, whether a tool or improvement gets made or not depends on a lot of factors including development resources, priority, customer impact, testing required, etc.

    Chris – Someone from Microsoft (other than me) will read these comments.  I was actually asked to do this update by several people in our Support and Windows organizations.  They will be looking at the feedback and factor it into their decision making about current and future product and tools.

    Michael Murgolo

  11. Kevin,

    MDT is definitely supported.  I have personally opened cases on it and I know some of the people in our Support organization who cover it.

    Michael Murgolo

  12. Denis,

    Even if we provided a CopyProfile tool for Windows Vista and higher, it does not mean you can clone Windows without using Sysprep.  If you do, you are creating unsupported installations of Windows.  Yes the Specialize process in Windows Vista and higher is somewhat longer than Mini-Setup in Windows XP.  However, if you have an automated deployment process and deploy during off hours that extra time impacts no one.

    Michael Murgolo

  13. Since this discussion appears to be getting very lively, I’d like to clear up a few things.

    First, mattcdse and jaydee, thank you for the kind words.  I apologize for any perceived delay in responding.  However, you have to understand the Deployment Guys do this blogging and responding to comments in our spare time.  This is not an official Microsoft consulting or support forum.  We decided to create this blog to share some of our experiences and solutions with a larger audience than our normal consulting engagements allow.  We cannot necessarily answer every question or assist with every issue.  I wish I had the time to do that, but I simply do not.  I also wanted to take a little time to decide how to respond to these comments.

    With that disclaimer out of the way, I’ll make a few additional general comments on this topic.  After that, unless it’s a specific question with the methods I have blogged, I will likely not respond any further on this topic.  However, feel free to continue to post constructive comments.  The feedback on this topic is being looked at by the Windows team.

    Mattcdse and jaydee – My first job in IT was with a small manufacturing company that had less than 100 PCs.  I understand what it’s like to work in a small, resource-constrained environment.  What inspired me to learn scripting and other automation techniques was the fact that I was constantly visiting desktops repeatedly for many tasks.  Automating some of these tasks did take me a long time initially.  However, once I was proficient I found that doing this saved me large amounts of time and also made it easier to automate more tasks after that.

    Mattcdse – I wish I could address the specifics of everything you mention, but that would take more than a few blog comments.  However, there is nothing in the description of your environment that I have not heard before.    I have had customers all over the map (small/medium/large number of seats, application portfolios of all sizes, small/medium/large number of computer models, etc.).  I still stand by my assertion that if you have more than a few PCs and are repeatedly performing manual operations on them, then automation WILL in the long run save you time and money.

    Finally, based on the comments so far, I noticed one thing that appears to be a common misconception.  Sysprep should NOT be used on machines that are already deployed in production.  This is not supported (http://support.microsoft.com/?id=828287).  Sysprep is meant to be used to prepare images for deployment (with or without a customized Default User profile) or to create a template network profile.  For already deployed machines, we do not have a good answer for updating the local Default User profile manually today.  The old profile copy process could not be supported.  I and others have been pushing to have it added back in a supported fashion.  (Although I would still recommend automation over a manual process even if it was restored.)  If there is any update on this front, I will be sure to blog about it.

    Michael Murgolo

  14. Anonymous says:

    So here’s part deux (I’m splitting this again due to apparent problems submitting)….

    Below is one of my posts from the above linked social.technet thread. The response I got was "Thanks for the feedback, it was useful and very detailed." Mike, I sincerely hope that a) your response to this is very detailed (I expect you to be because so far your responses have been miles above what I have come to expect from Microsoft. Many thanks for putting the effort in to treat customers with respect) and b) you can get hold of whoever wrote the above response and tell them never to respond unless they have something useful to say. Responses like that just feel like I’m being treated like a gullible person being given the run around.

    QUOTE

    Hey all,

    Another disgruntled Win 7 tester 🙁

    So it’s been 5 months since the quote below. A few people have responded to it on the forum and I’m sure several will have mailed Darrell directly. Yet there is no response or feedback to the community who started and contributed to this thread.

    I find it odd that MS have asked any of the questions below, I’m sure most of the answers are self explanatory to them since they wrote/included the Profile Copy tool in the first place. :S

    Hello all,

    I would like to ask some questions about replacing the Default User Profile to better understand the scenarios and reasons why it is being replaced.

    Certainly details would be appreciated on the scenarios.

    If you prefer to send directly to me that is fine as well

    Darrellg@online.microsoft.com

    remove the online from the address to send to me

    Why is there a need to update the default profile so often?

    What types of customizations are you doing?

    What types of profiles are being customized?  Mandatory, network default, local default?

    Why is sysprep inadequate for this?

    Thanks, Darrell Gorter This posting is provided "AS IS" with no warranties, and confers no rights

    So I feel I must add my two cents to this thread and answer these questions, plus add my experiences and thoughts on other topics in this discussion.

    A little background:- I work for a large British University. We have somewhere in the region of 6000 staff and 30000 students. My team personally looks after 1000+ open access PC’s available to all staff and students for study, teaching (and let’s be honest, a large slice of facebook 😛 ). So in answer to the above questions…….

    Why is there a need to update the default profile so often?

    Potentially 36000 people need to have the same experience as every other user on our PC’s to make sure that those teaching can accurately transfer the content of their lecture to their students no matter which room they’re in, no matter who is in the class.

    With 150+ applications and utilities that have to be made available for everyone to use, it is quite some task to ensure everyone gets the same experience. Furthermore, with changes to courses and what we’re licensed for (you’d be amazed at how often certain departments temporarily add extra components to their licenses for specialist courses) the default profile often needs tweaking.

    And tweaking here is the crux of it. I log in as a standard non-admin user, make a couple of small tweaks, log back in as admin, copy the profile, done – 3 mins. In the manual copy method (Manual copy of folder -> Delete Local + Local Low -> Load ntuser.dat hive to registry -> Change perms -> Unload ntuser.dat) this extends to more like 6 or 7 mins. Sysprep….by the time it’s generalised, booted, respecialised and added itself back to the domain, this has taken 10 to 15 minutes depending on hardware. On a one off job, yeah this makes no bones. Try doing this on 9 different images. It goes from 3 x 9 = 27 minutes  to (taking an average) 12.5 x 9 = 107.5 minutes, that’s an hour and 47 minutes! Ouch!

    To be continued………….

  15. Anonymous says:

    Hi Mike,

    Let me start with some <hugs> for you! 🙂 The first two paragraphs of your Jan 28th post are superb. It’s really good to know to what extent you can reply to comments. This removes a whole lot of frustration from posters and creates patience and understanding. May this attitude spread throughout MS and I crown you the Ghostcrawler of MS (this is a genuine compliment if somewhat strange on the face of it. I leave you to find out why 🙂 )

    So….just a couple of responses…

    "I was constantly visiting desktops repeatedly for many tasks" – This is something I don’t do. I understand it was what helped to inspire you and therefore is personal to you and you’re not necessarily saying this is the general answer to our posts. However, I do know scripting to a point and I do know it is easy to create templates and reuse old code, but this has gone a bit off topic really. Even once configured, Sysprep still takes ~10 minutes longer to perform its task than the original method – this is the crux of the problem, oh and the learning time required to setup Sysprep in the first place if you are not yet a scripter. Scripting has its place, but I doubt it’s really necessary in building profiles to then deploy using automated scripts/server apps.

    "repeatedly performing manual operations on them, then automation WILL in the long run save you time and money." – I agree, and we do as much as we can using automation techniques (not always script based…there are some nice UI tools out there that take a minuscule amount of time compared to the scripting equivalent). However there is a hell of a lot you cannot do with scripts. 99% of all third party applications and utilities cannot be manipulated by script and even if you could, it is very unlikely you’d ever find out the full process that an application makes when changes are made (modification to files, reg keys, databases, connections, etc, etc).

    Scripting is good for manipulating specific things built into windows. Unfortunately profiles massively bridge the gap between windows and third party apps. It is neither solely managing the aesthetics and operation of windows, nor is it solely managing the aesthetics and operation of third party apps. Scripts won’t work here in developing a default (standard) profile. All changes related to third party apps have to be done manually. If you’re someone like me who has a lot of base images to distribute to 100’s/1000’s of PC’s, you want this manual portion of your job to consume as little time as possible. Sysprepping a base image only increases that time when the previous tool worked without fail (for me 5 years so far) as long as you followed some simple rules. 1) Only use the User profile tool to delete or copy profiles 2) In all cases where you can, use an application itself to make the necessary changes (i.e. run app, make changes to the way the application functions, close app) to the profile you are using that will later be copied to the default. If at all possible, do not manually edit the files/regkeys in this profile unless it is a matter of life and death…IT wise! 😛

    I swear if MS followed the above method of support for the profile copy tool, all would be wonderful and life would be good again. If somebody moaned about the tool and you simply asked, "did you do any copy/editing of the profile that didn’t use the tool or an actual application?" 99% of the time they’d reply, "yeah I did" and you’d just say "don’t then" and copy in the related KB article which says "do this and don’t do this".

    What actually drives me on this crusade is that no one has actually managed to put in a response saying….oh btw, the tool was great, but sysprep is better. Giving concise examples and how to recreate such improvements. This leads me to fear they don’t exist and all profile copying in sysprep does is waste time (money to your managers when you’re arguing against Win 7 implementation).

    Ug, I’m beginning to rant again. Time to stop 😛 But seriously Mike, huge thumbs up from that last post…some of your colleagues on official support and technical forums could learn bucket loads from that one post (and finding out who Ghostcrawler and colleagues are) 🙂

    BTW – Sorry for spelling, writing this in a rush without speel chek! (don’t fall for it!)

    Cheers,

    Matt

  16. doxley says:

    @James,

    Neither Microsoft nor we can recommend any 3rd party alternatives for SteadyState, and this is also not the forum to discuss it.

    With regards to your Feb 1 post (which you posted only 24 hours ago by the way), you should bear in mind that we run this blog in our spare time, outside of work hours and when we are not on site with customers.  As such, any replies to comments on one of our blog posts by us can take a while to be responded to, and we don’t respond to all of them (there are just far too many).

    If you have key specific issues that need addressing urgently, you should consider contacting your local Microsoft representative who may be able to help you quicker.

    Any ADM templates that Microsoft has, are published on the website, we have no hidden repository that we could provide to you.  If an ADM file does not cover everything you need, remember that you could always create your own, which is not too complicated a task but would provide a perfect fit for modifying the registry keys you need.

    The best way (in my opinion) to personalise the initial user configuration on Windows is to use the very steps detailed by Mike in this post (and also his earlier posts on this subject).  Mike has worked on this topic for way too many years, and this post is the fruit of his work and experience.  I doubt you will find a better way to do it.

    Finally, remember that from Windows Vista onwards you can also use "Group Policy Preferences" as well as GPOs to configure the user experience.

    Daniel

  17. doxley says:

    @James

    SteadyState is currently a discontinued product so there are no current plans that I am aware of for updating it for Windows 7.

    Also, it won’t conflict in a nasty way at all with Group Policy.  When configured right, it would make an ideal addition to the GPO configuration.

    I would not abandon Group Policy at all, in fact I would use it in addition to SteadyState in the scenario you describe.

    HTH,

    Daniel

  18. DeploymentGuys says:

    Dan,

    When building a custom image, there is no reason you cannot use .reg files instead of reg.exe commands.  I like using reg.exe because each operation is atomic and loggable and reg.exe gives better information on errors.

    If you are using the automated profile copy, simply apply the .reg files as you have been, but do it in the full OS when logged on as the built-in Administrator.

    If you do not want to use the profile copy and want to use method C, then place your regedit commands between the "reg load" and "reg unload" and change the path in the .reg files to point to the loaded Default User hive.

    There is really nothing equivalent to XP unattended setup in Vista and higher.  Setup for Vista and higher applies a WIM with an already "installed" OS and then modifies it based on setup options selected.

    Michael Murgolo
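
The method C variant described in the reply above (apply existing .reg files between "reg load" and "reg unload", with their key paths redirected to the loaded Default User hive) can be scripted as follows. This is an added example, not the blog authors' script; the folder, the mount name `DefaultUserTemplate` and the log path are assumptions.

```powershell
# Added example (not from the original post): apply HKCU-style .reg files to the
# Default User hive between "reg load" and "reg unload" (method C).
param(
    [string]$RegFolder = 'C:\Deploy\DefaultUserReg',   # assumed folder holding the .reg files
    [string]$HivePath  = "$env:SystemDrive\Users\Default\NTUSER.DAT",
    [string]$MountName = 'DefaultUserTemplate',         # assumed temporary key name under HKEY_USERS
    [string]$LogPath   = "$env:TEMP\DefaultUserReg.log" # assumed log location
)

function Write-Log([string]$Message) {
    $entry = '{0}  {1}' -f (Get-Date -Format s), $Message
    Add-Content -Path $LogPath -Value $entry
    Write-Host $entry
}

# Rewrite one .reg file so every [HKEY_CURRENT_USER\...] section (including
# [-HKEY_CURRENT_USER\...] deletions) targets the loaded hive instead.
# A section outside HKEY_CURRENT_USER aborts the run: a per-user settings file
# should not be writing to HKLM or any other hive.
function Convert-RegFile([string]$Source, [string]$Destination) {
    $rewritten = foreach ($line in (Get-Content -Path $Source -ErrorAction Stop)) {
        if ($line -match '^\[-?HKEY_') {
            if ($line -notmatch '^\[-?HKEY_CURRENT_USER[\\\]]') {
                throw "$Source has a section outside HKEY_CURRENT_USER: $line"
            }
            $line -replace '^\[(-?)HKEY_CURRENT_USER', ('[${1}HKEY_USERS\' + $MountName)
        }
        else {
            $line
        }
    }
    # Version 5.00 .reg files are UTF-16 LE with a BOM
    Set-Content -Path $Destination -Value $rewritten -Encoding Unicode -ErrorAction Stop
}

# reg load needs an elevated session
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

$staging = Join-Path $env:TEMP ('regstage_' + [Guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $staging -ErrorAction Stop | Out-Null
$failed = 0
try {
    # Rewrite everything first, so a rejected file stops the run before the hive is touched
    $files  = Get-ChildItem -Path $RegFolder -Filter *.reg -ErrorAction Stop | Sort-Object Name
    $staged = @(foreach ($file in $files) {
        $dest = Join-Path $staging $file.Name
        Convert-RegFile -Source $file.FullName -Destination $dest
        $dest
    })
    if ($staged.Count -eq 0) { throw "No .reg files found in $RegFolder" }

    & reg.exe load "HKU\$MountName" $HivePath 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }
    Write-Log "Loaded $HivePath at HKU\$MountName"
    try {
        foreach ($path in $staged) {
            # One import per file keeps each operation separately logged
            & reg.exe import $path 2>$null | Out-Null
            if ($LASTEXITCODE -eq 0) {
                Write-Log "Imported $(Split-Path $path -Leaf)"
            }
            else {
                $failed++
                Write-Log "FAILED $(Split-Path $path -Leaf) (exit code $LASTEXITCODE)"
            }
        }
    }
    finally {
        # Always unload, otherwise NTUSER.DAT stays locked and mounted under HKEY_USERS
        & reg.exe unload "HKU\$MountName" 2>$null | Out-Null
        if ($LASTEXITCODE -eq 0) { Write-Log "Unloaded HKU\$MountName" }
        else { Write-Log "WARNING: unload failed (exit code $LASTEXITCODE); hive is still mounted" }
    }
}
finally {
    Remove-Item -Path $staging -Recurse -Force
}
if ($failed -gt 0) { exit 1 }
```

Run it in the reference image before capture and review the log; a failed import means new profiles will be created without that setting.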

  19. Paul Willy says:

    Why can’t Microsoft resolve the few issues of overwriting the default user profile instead of making thousands of admins jump through hundreds of hoops each, just to fix the giant mess of a default profile with many annoying obstructions to end-user productivity?

    It seems to me that we are paying the salary of the developers by our purchases of Windows licenses.

    A solution to this issue should be “front burner” with the deployment folks.

    No wonder people want to vote with their feet, or delay or defeat the deployment.

  20. Anonymous says:

    And finally part 3 🙂

    What types of customizations are you doing?

    9 images! I hear you say. Yes it’s a fair few…actually we have 7 more. Disparity in hardware and software (due to license restrictions) means that we have to keep different images for different areas of campus and I’m fairly sure we’re not the only people who suffer from this issue. So why don’t we use msi packages or virtual apps? For a start there’s so many (150+) all programmed with varying degrees of competency and some of which use drivers which can’t be virtualised making it impossible to package/virtualise them all in the narrow summer vacation window we have to update a large chunk of the software in the summer.

    This is all a little by the by, but what I’m getting at is that not all enterprises, be they business, education, non profit, etc, have a core set of 5-20 apps that are easily configured, customised and deployed through various deployment services. In fact a lot of enterprises have very complex IT needs and therefore need solutions that work quickly. I don’t want to spend 1 hour 47 mins tweaking profiles, I want to spend 27 mins. It’s not necessarily that I’m making tweaks a lot, it may be that I have to make the same tweak several times. In either case I want a tool which does it fast and with no fuss or prior <cough sysprep> setup to get it to work.

    What types of profiles are being customized?  Mandatory, network default, local default?

    Local default mostly, but we do have some mandatory profiles in training rooms. I’ve never thought of network default, but actually this might be useful (although with the massive size of profiles in Vista/Win 7 might prove too much of a drag on the network when 200+ students all log in on the hour on the same subnet for a class. We used to keep them to 5-6MB, now they’re consistently 20MB+).

    Why is sysprep inadequate for this?

    To quote myself….

    "It [the time it takes to make a change to the default profile on 9 different images] goes from 3 x 9 = 27 minutes  to (taking an average) 12.5 x 9 = 107.5 minutes, that’s an hour and 47 minutes! Ouch!"

    Is the main reason, apart from the fact you have to configure the unattend.xml first and all the unnecessary stuff that sysprep does to generalise and then specialise the installation. The fact that sysprep occasionally completely screws up a windows installation meaning the PC has to be reimaged and the changes that were lost, made again, also makes me very reticent to use sysprep as it’s doing far, far more than is necessary than is required to make a default profile change.

    In my IT experience, the fewer changes and operations you perform on an OS, the better it performs. Even if you’re using the same tool with the same method with the same configuration, with the same software, the more changes and operations that are performed lead to an increased risk of corruption in some form. Therefore I want my tool to do the bare minimum that is required to safely make the change. I am 100% sure sysprep does not do this and 100% sure the profile copy tool does.

    Please save us all time, fingernails and hair and give us this tool back….it means so much. Really it does.

    On a further note. I’ve tried the windows enabler tool with Windows Enterprise RTM Build 7600 – I can’t get it to work, I can’t get the Copy To button to un-grey or become active in any way. Please if anyone knows of the steps to get this small but potentially extremely useful tool to work, I’d be eternally grateful. (I’ve run it as admin, copied the exe and dll locally and had no luck :S )

    So that’s me done! Here’s hoping!

    Cheers,

    Matt

    END QUOTE

    So as I say above, that’s me done and sorry for the three walls of text 🙂

    Cheers,

    Matt

  21. John says:

    Is there any way to use <CopyProfile> without generalizing the image? We’re currently using the standard WIM and don’t actually create a unique image but rather customize around the standard WIM.

  22. Dan_IT says:

    Michael,

    For years in XP/2003 I handled the Default User profiles by performing scripted (unattend.txt) installations. I applied standard registry files (HKCU/HKLM) during the T-12 (cmdlines.txt) stage. Creating these registry files was easy using tools like regmon and regshot on development systems. I had about 60 small reg files that I recursively applied from a folder in the $oem$ directory using regedit /s.

    This cmdlines.txt method worked wonderfully for me. This method is extremely easy to maintain. It was much easier than having to script a hundred registry entries using reg.exe pointing to a temporarily mounted Default User hive.

    Is there any similar method available to me in Windows 7/Vista that maybe is not well known?

  23. pwilkins1 says:

    For windows 7, add a new problem with themes.   If you copy over the default user, the background and theme reverts to black.  You have to do a runonce hack and have it run c:\windows\themes\aero.theme (or whatever theme) at user’s first login.

  24. jaydee says:

    If there was ever the need for a tool that allowed us to ‘create’ a default user profile from a template…..

    When will Microsoft produce a set of tools that allow us to manage the user profiles more simply?

    You’re right about one thing. The shell is a lot more complex now. And the plumbing is a mess, frankly. Trying to manage them through registry hacks is *so* laborious.

    If Microsoft insist that they know best for us, and they know the do’s and don’ts, then give us a set of tools that takes the effort out of it for end users and make it less of an onerous, laborious and error prone task.

    How about it guys?

  25. jaydee says:

    Sysprep /generalise is not a solution to this.

    I can see that it benefits Microsoft in that it reduces your support calls, possibly.

    But it’s not a solution that benefits customers in any way.

    I’m not prepared to generalise every machine in my organisation when I want to make a change to the default profile.

  26. Chris Thomas says:

    I don’t think anyone from Microsoft will ever read these comments but here goes.

    Using the copyto function in XP does not carry the user permissions or name to the user profile. Therefore the "A" method is not correct. I have done this method from windows 2000 and it works fine, that’s why the copyto was created.

    I guess we are just users and Microsoft can do as they like, but we are the ones who have to distribute to 2000+ student machines.

    If you are taking away a known feature of deployment give us the real reason, was it too hard, did you forget, is there not enough competition?

    With every new version it just gets harder, and my users pay my salary not Microsoft.

  27. kimmo says:

    Nothing is said as far as 08 R1/R2 (RDS) is concerned. Why?

    Aside from that, what is this obsession with "Default User"? Even in my client/server engagements that thought was far off. With RDS, however, there is another picture. See, the Windows fandango is just the supporting engine (JEOS) to deliver applications.

    To be in a supported state, am I, in the knowing, supposed to be leveled down by the lowest determinator? This is no way good information. This sucks hairy legs of the leftover bones of "thanksgiving".

  28. moreira says:

    I’ve used method A for several years with Win 2k and Win XP (skipped Vista altogether) with excellent results. So far, with win 7, I’ve spent hours and hours reading about it and only read complaints on how Microsoft left us all in the dark. The windows 7 commercials clearly state that Microsoft LISTENED. My question is, to whom? Not to us, who have to deploy images to hundreds/thousands of users.

    I absolutely agree with  Chris Thomas.

    Microsoft, please READ and LISTEN!

  29. Spencer says:

    So Microsoft admits that Automated profile copy with Sysprep (supported) "does not propagate all settings to Default User and there is no known documentation as to what will and will not be propagated."

    My question is, when will this documentation be available to the masses so we can stop spinning our wheels modifying settings for the default user profile that "was considered inappropriate  (i.e. not copied to Default User by design)"

    In my opinion the primary benefit of Microsoft operating systems has always been its open and highly customizable nature. When Microsoft starts considering customizations inappropriate we may as well be running on a Mac.

    Additionally I agree with the others that generalizing the image to modify the default user profile is a poor solution.

  30. Tom Henriksen says:

    Echoing the comment above, I’ve also used method A for years. I just started working with Windows 7 and have spent hours likewise reading nothing but complaints. The lack of a workable method for configuring the default user profile is a deal breaker for me.  I hope that Microsoft will correct this error but no Windows 7 until then.

  31. Betsy says:

    Same thing for me. This is a deal breaker. I can find no supportable way to set program preferences for many non-Microsoft products.

    Microsoft – wake up.

  32. tom says:

    With regards to method "A"…Why not create a local user with the same permissions as your default user in the field then customize that profile and copyto default user profile?

    Wouldn’t this be simpler and alleviate the problem of local admin attributes being duplicated for all users?

    Thanks!

  33. Denis says:

    We even used the "A" method for years. The "B" method (sysprep) makes us lose a lot of time during the sysprep process for each PC we build with Win 7 compared to XP (if we choose Win 7).

    Why didn’t Microsoft provide a new tool like CopyProfile, with all the problems corrected, that does the same thing as sysprep? I hope it will come soon.

    Why does Microsoft not imagine how difficult our work now is to build unattended installations since Vista in enterprises!!!

    Denis.

  34. Warren Gardocki says:

    I have about 3500 computers to manage and setting them up with a default profile helps keeping them the same.  Windows 7 has made it very hard to set up a standard.  Without a standard default the users have to log on and answer all the first launch questions.  Not only does Microsoft subject us to these questions but also a lot of other software suppliers require you to answer questions on first launch.  Since we are a school our profiles are not retained on the computer.  We use Deep Freeze to clear anything that was done on a computer with a restart.  Every time a user logs on they have to answer all the questions again.  Once set up in a default profile these set up questions can be answered once and never have to be answered again.  I set up 30 Apple computers this summer and they have the ability to manage the default settings remotely.  Microsoft needs to make this available also or even set up a default login so it can be configured and then all other users attach to that modified default profile.  I like Windows 7 but DO NOT LIKE not being able to modify the default profile.  One side note, I have not found an easy way to have a default local shared printer installed for a user without copying the default profile.  We have about 1000 different printers for different classrooms and coming up with a way to have these printers be the default printer for all users is not possible without copying the default profile.

    Microsoft please listen to the people complaining about this problem.  If you do not come up with a way to easily modify it, deployment of Windows 7 will suffer.  This problem could be used against Microsoft with negative publicity.

  35. Clint Gayle says:

    An example of how to setup 1000 printers for users to attach to.  Use Group Policy Preferences with item level targeting to have a default printer applied to user. Since the computers don’t move around as much as people do, I would probably apply based on computer and create new AD Groups for each printer in your organization, and add the location to the description.  That’s 1000 new AD printer groups.  Then add to each printer AD group the computers that you want to default to that printer.  Now go into GPMC (Group Policy Management Console) running on a Windows 7 box, you will create one group policy with all of the printers and have this applied at the top of your AD, or you could set one per OU.  This is all dependent on how your AD is organized. Go into Computer Configuration, Preferences, Control Panel Settings, Printers, right-click – select New TCP/IP Printer, select Action ‘Replace’, then add all of the printer information that you should already have in your environment in the ‘General’ tab as well as the ‘Port Settings’ tab, now for the good stuff…Select the ‘Common’ tab, check the box "Item-level targeting" then click on ‘Targeting’ button, now select the ‘New Item’, then ‘Security Group’, now choose the AD group that you created earlier for this printer.  Test this, then add more printers…

  36. jagosis says:

    I couldn’t agree more with what Warren said.  I manage about 900 lab and classroom computers for a University.  We also use Deep Freeze to restore the state of the systems on each reboot.  More often than not, our students just want to log on quickly and check something online or print out a paper.  The last thing they want to have to do each time is choose their preferred Internet Explorer settings or be introduced to the Start menu.  Also our instructors depend on us to configure the programs they use to teach their classes in specific ways on each computer.  They can’t take 10 minutes of every class to once again configure whatever program they are using.  Eliminating these first use configuration settings for new users is a huge part of the reason why the copy profile option is so important to those of us who manage computer labs.  We have learned how to delete recent documents and redirect the default download locations before copying the profile.  (or to configure this through group policy)  I can’t even begin to express how much I do not want to have to figure out how to manually alter the first run behavior for new users for over 100 third party applications just so we can move to Windows 7.  Please, please come up with some sort of viable solution for computer lab managers, Microsoft.  

  37. Daniel Wolf says:

    I use, and will continue to use method A.

    Until Microsoft provides me a user profile customizer or more fine-grained group policies I’m afraid neither I nor many of my peers can follow your advice.

    Make it for Windows 7. Say it’s an awesome feature and reason to upgrade to Windows 7. I’m shocked about reading this backstep in ability for Windows 7. Suddenly Windows XP doesn’t look so old.

  38. jaydee says:

    Murgolom. I just wanted to say, reference to your statement "whether a tool or improvement gets made or not depends on a lot of factors including development resources, priority, customer impact, testing required, etc…"

    This might seem a bit off topic but I really don’t understand why oh why development resources are thrown into something like the "Active Directory Administrative Console" and no development resources are available for a toolset for user profile management.

    There’s nothing in ADAC that you can’t already do through the regular ADMINPAK or RSAT tools.

    I’m not attacking you, of course, Murgolom. I know you don’t make these decisions. But it underscores the lack of credibility to Microsoft’s priorities as you stated them -"development resources, priority, customer impact, testing required…".

    The world doesn’t need a ‘tarted up’ version of dsa.msc. However it BADLY needs a set of tools for user profile management. Because right now we have nothing.

  39. ScriptingIT says:

    I have to say for those asking for a solution if MS was truly interested in desktop deployment we would not have MDT for a start.

  40. jaydee says:

    Michael, of course we do every single one of those things. WDS, MDT, WAIK, GPO’s GPP’s registry scripts hacks and tweaks…. I don’t want to create the impression that we’re technologically inept!

    You’re oversimplifying. Deployments are easy – everything nice and shiny and new. But things don’t stay that way, and managing lifecycles is a bit more difficult than you make out.

    I don’t want to go into specifics here, but you know there’s a big difference between saying you can script ‘everything’ and the work involved in actually doing it, maintaining such things and ensuring uniformity consistency, and checking if things get run in the same way if we’re onsite or off site on a VPN, etc…

    User profiles are a huge challenge. Nobody should underestimate the problems that come from them even when they are properly managed. Look at some of the comments from people – mainly working in education or other niche areas. I don’t think you can argue against the points they are making. They really are crying out for a better way to manage profiles generally on an ongoing basis without resorting to generalising, imaging, hacking, or otherwise getting bogged down by something that could so easily be managed through ‘templates’ and a decent toolset to apply them – preferably one that doesn’t involve generalising a machine to do it.

    Anyway – you work for Consulting, so I totally KNOW you know what I’m saying. You said as much in an earlier post.

    This is WAY more difficult than it ought to be.

  41. jaydee says:

    Mike,

    The overwhelming consensus for the forums I’m reading is that there are a heck of a lot of people who disagree with Microsoft’s idea of user profile management – myself included – and all for reasons that I totally understand.

    Some admins may just want to log on as a template user, load their profile, make it look right from the ‘inside’, log off, and then apply it. Whether that be applying it to the default user profile, or as the basis for a mandatory or roaming profile, or for some other purpose. That method has a kind of immediacy that’s difficult to achieve through other means.

    I hear lots of people saying the same thing. They don’t want to recreate something that they could do visually in 10 minutes, with a bunch of stuff that will take them considerably longer.

    I don’t see how adopting such an approach takes those people away from the optimised infrastructure you mention.  The end result is the same. They get the user profiles configured the way they want. One way is easier for the customer, one way is harder.  Harder in this case doesn’t really mean better.

    Of course, it does require that MS write some better tool to facilitate that, and that brings us back to your point about development resources. And for that to happen MS have to think it’s a worthwhile and useful endeavour.

    But it’s looking to me like I’m flogging a dead horse by pressing this point. MS it seems have already decreed what’s best for us. I know when I’m beaten.

    But I hope that MS continues to read the feedback in its own forums and keep a much more open mind on this subject than it appears it’s doing right now.

  42. ryan says:

    What about those of us with less than 300 laptops/desktops spread across 5 states and 2 countries with just 1 person supporting them? I do not have the time (or management support) to allocate to "engineering" a custom default profile because I spend all day just keeping them up and running so our staff can bill our customers and the company can be profitable. A SIMPLE and CLEAR process is needed that does not require hacking the Registry or generalizing the OS installation. These hoops that must be jumped through only create frustration in the very people that are your biggest supporters.

  43. jaydee says:

    Mike,

    I want to echo what mattcdse said above. You absolutely do deserve thanks for your responses to this debate. Because at least you’ve weighed in to the discussion, unlike in the social technet forums, where the MS moderated response to awkward subjects like this has been an equally awkward silence….

    But, at the same time, I find your rationale facile, frankly. Your idea that somehow everyone’s going to be better off because of ‘removed and not improved’ functionality is just bonkers.

    We could go on and on on this, but there’s little point.

    Fortunately I have the skills and the experience to make the situation work no matter what the circumstance, but I can tell you that we won’t be rushing particularly hard to roll out Win7 in our organisation.

    Underneath all this, there’s something very badly wrong when a commodity based software vendor responds to its customers’ demands by telling them that it knows what they need better than they do.

  44. Kevin says:

    First a quick observation.  Although Microsoft provides the MDT tool, it is technically an accelerator (a set of unsupported scripts).  Have you ever tried to get support on MDT when it is not working correctly?  I have, called PSS.  You can guess what their answer was.  The MDT tool is very much appreciated, but this tool should be part of the System Center Server Family, not a set of unsupported scripts.

    I will reserve any judgement on the default user profile for Windows 7 and Windows 2008 R2 at this point.  We previously used method "A" for Windows XP and Windows 2003 servers.  It feels like network default user profiles might be our answer, but more RND needs to be completed yet.

  45. Nashphil says:

    I work at a small school, I have no formal training in computers. I am an experienced hobbyist. I have teachers that have different printers, different software and less experience.

    When I make any changes to their machines I go in after the changes and copy my profile to the Default User. Done!

    Now you are telling me, that with Win7, I have to install and run sysprep, then do something to an ??.xml file to make my profile work??

    PaLease!

    Win 7 is touting itself as friendly. This IS NOT user friendly or something easily learned. If I cannot set up and run it without going to MS headquarters to learn how, then why change? I will stick to XP till Win 8, 9 or I die if this is not addressed (to us simple folks).

  46. Tired says:

    I work at a public university, managing classrooms, labs, and faculty machines.

    Are there any online tutorials for using Group Policy Management Editor to create a default user profile?  What are the "best practices" for achieving a default profile through group policy?

    What happens when you have a laptop that needs mandatory desktop settings?  If the laptop is not plugged in to the network, then how do the Group Policy settings get enforced?

    How do you manage Windows 7 libraries on a public machine?  How would you restrict the use of libraries in a student lab?

    I mean this kindly, but if Microsoft continues to anger the computer technicians (as it has done since the release of Windows 95), they might just be convinced to talk their supervisors into buying Macintoshes.  Mac adoption is quietly happening at universities everywhere……

  47. james says:

    Scripting solutions are fine, but….I am afraid to make too many cryptic customizations and/or unauthorized "hacks" to a vanilla Windows 7 install, as the next service pack from Microsoft might break some/all of my hard work.

    Windows 7 was designed for the single user with administrator rights to the machine.  Very nice, but at a public university with thousands of PCs, most of the machines are multiuser, and I need to enforce different desktop lockdown settings based on the type of user logging in to the machine: admin, faculty, staff, student.  What is wrong with asking for easy-to-configure GUI tools that enforce a common, consistent desktop experience for all users (make and copy a default profile)?  If Microsoft does not listen, then fine.

    Mike, thanks for your diplomatic responses.  I realize that you are not upper management.  It is a shame that upper management at Microsoft continues to ignore the needs of the support technicians. Being ignored on a consistent basis makes us want to encourage Mac deployment.

    Matt, once Apple finishes perfecting its products in the mobile device market, I have a hunch that it will turn its attention to Server/PC solutions.  At a minimum, have you looked into buying a Mac and joining it to Active Directory?  How about setting up a "golden triangle?"  (MAC as a member of both AD and OD).

  48. james says:

    One more request:

    When will Windows Steady State be available for Windows 7?  I will assume that Windows Steady State would conflict with Group Policy settings in a very nasty way.  Could I abandon Group Policy and all the registry customizations for university computer lab machines, public consoles, and kiosks by using Steady State?

    I will not upgrade aggressively until Steady State for Windows 7 is released.  Thanks for reading, Microsoft Executives!  Hope you are motivated to help us.

  49. james says:

    As I see this discussion is going nowhere, then what about getting a default profile via Group Policy?

    I am looking for adm templates that lock down the start menu/desktop/taskbar and allow me to customize what I want to appear/not appear in the start menu and taskbar for the default user.

    Does Microsoft have a repository of adm templates to accomplish the same thing as a default profile?  Could Microsoft at least tell us which registry entries define the start menu and taskbar?

    How can I customize a default profile via group policy for laptops?  "Run Once" settings, perhaps?

  50. james says:

    @Daniel,

    I am NOT going to introduce Vista to my users.  I prefer to have no more than two Microsoft operating systems to support at the same time.  I have XP users and a couple of 7 users.  That is enough.

    3rd party tools may conflict with Group Policy settings.  What 3rd party alternatives to Windows Steady State are schools using?  I have heard of Deep Freeze, but are there any others?

    I am looking forward to Microsoft addressing my concerns in my February 1st post.

  51. james says:

    Daniel,

    Thanks for the update.  Sorry, I did not know that this website was an unpaid, fun project.  I was under the false impression that Microsoft was paying you.

    To bypass the whole argument about copying a profile to the default user, I would like to customize all of the default desktop settings via GPO.  All my questions are centered around this goal.

    I would like to make my own custom .adm templates to import into my GPO, but in order to do that, I need to know the Windows 7 registry entries for the start menu, desktop, and taskbar.  Would anyone know where in regedit these settings reside?  How would I find out?

    Thanks again for your help.  No rush, though.

  52. uk tech says:

    Just bring back the ability to set up the ‘local default user profile’, by the simple ‘copy to’ method.

    WE CAN’T DO OUR JOBS WITHOUT THIS FUNCTION, and anything I can offer using Windows 7 is, by comparison to XP, a REALLY REALLY BAD JOB.

    JUST FIX IT !!

  53. Gary says:

    From the section regarding Automated profile copy with Sysprep (supported)  "However this process does have a drawback.  It does not propagate all settings to Default User and there is no known documentation as to what will and will not be propagated.  It also can be difficult to determine if a setting did not carry over to a new user because it was considered inappropriate (i.e. not copied to Default User by design) or is being reset by Minisetup/Specialize or first logon processes."

    Quite frankly, this is unacceptable for an enterprise environment.  What I need for my company is a method of modifying default user profiles both during image creation and after deployment that will provide consistent results.