What are the implications of locking the ntuser.dat file on the user's server profile? That is, if I make the ntuser.dat file read-only, what effects will that have on the client?
Hmmm...well, ntuser.dat is the registry hive that is loaded into HKEY_CURRENT_USER for each user. So..you are making the HKEY_CURRENT_USER registry hive read-only? I am guessing that a user wouldn't be able to add printers, customize the desktop, etc. However, if any application wanted to write to HKEY_CURRENT_USER, that would be a problem.

You could check out the activity on HKEY_CURRENT_USER by downloading Regmon from Sysinternals, which will show you registry activity that can be filtered to HKEY_CURRENT_USER....

If you want to see what is in this hive, open regedit, highlight HKEY_USERS, select File -> Load Hive, and browse to an ntuser.dat that is not in use....You will have to give it a temporary name, which is how you will identify the loaded hive under HKEY_USERS.

Noal

-----Original Message-----
From: samba-bounces+noal.miles=tdstelecom.com@lists.samba.org [mailto:samba-bounces+noal.miles=tdstelecom.com@lists.samba.org] On Behalf Of Keith Lynn
Sent: Tuesday, February 06, 2007 1:42 PM
To: samba@lists.samba.org
Subject: [Samba] ntuser.dat

> What are the implications of locking the ntuser.dat file on the user's server profile? That is, if I make the ntuser.dat file read-only, what effects will that have on the client?
On Tue, Feb 06, 2007 at 01:42:07PM -0600, Keith Lynn wrote:
> What are the implications of locking the ntuser.dat file on the user's
> server profile? That is, if I make the ntuser.dat file read-only, what
> effects will that have on the client?

When a user logs in and doesn't have a local profile already on the machine, Windows will copy the ntuser.dat file as part of the initial profile that is used for the user. Once copied to the client machine, the ntuser.dat is then writable. In most (and likely almost all) cases, the ntuser.dat is already read-only on the server because you don't want a user to modify the default profile for every new user. That being said, I'm guessing that it's not even possible to load a registry hive (in this case ntuser.dat) as read-only in Windows.

If your goal is to try to prevent modifications to the user profile, what I've found works quite well is the following:

1. Set it up to pull the default profile from the server when a user logs in (this is usually the default if roaming profiles aren't set up).
2. Run a script every time the client starts up to delete every local user profile (everything in C:\Documents and Settings except for certain system user profiles).
3. Automatically shut down computers at night to enforce that the script to delete the profiles runs at least daily, plus it saves power.

Obviously there are tradeoffs with this method, but I find it to work exceedingly well. Users can still make changes to the settings which are not locked out by Group Policies, but they are completely restored to their defaults every time the computer is restarted.

Ed Plese
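The startup script in step 2 above, written out as an added example (this is not Ed Plese's script, and it is not part of the original thread). It assumes a current Windows client where profiles are enumerated through the Win32_UserProfile CIM class rather than by walking C:\Documents and Settings as on the XP-era clients the post describes, that it runs elevated from a startup task, and that the whitelist of folder names to keep (here only Administrator) is an assumption you adjust for your site. Profiles flagged Special (system accounts, Default) and any profile currently loaded are never touched, and -DryRun lists what would be removed without removing anything.

```powershell
# Added example: remove every non-system local profile so the next logon
# pulls the default profile from the server again.
# Assumptions: modern Windows (Win32_UserProfile), run elevated at startup,
# $KeepAccounts is a site-specific whitelist (folder names under the profiles root).
param(
    [string[]]$KeepAccounts = @('Administrator'),   # assumption: accounts whose profiles survive
    [switch]$DryRun                                  # list only, delete nothing
)

function Get-RemovableProfiles {
    param([string[]]$Keep)
    Get-CimInstance -ClassName Win32_UserProfile | Where-Object {
        # Special = built-in profiles (LocalSystem, LocalService, NetworkService, Default)
        -not $_.Special -and
        # never delete a hive that is mapped right now (e.g. the account running this script)
        -not $_.Loaded -and
        # keep whitelisted accounts, matched on the profile folder name
        ((Split-Path -Leaf $_.LocalPath) -notin $Keep)
    }
}

function Remove-LocalProfiles {
    param([string[]]$Keep, [switch]$WhatIf)
    $removed = @()
    foreach ($p in Get-RemovableProfiles -Keep $Keep) {
        if ($WhatIf) {
            Write-Host "Would remove $($p.LocalPath) ($($p.SID))"
        } else {
            # Remove-CimInstance on a Win32_UserProfile instance deletes both the
            # profile folder and its ProfileList registry entry, the same cleanup
            # the System control panel performs; a plain folder delete leaves a
            # dangling ProfileList entry and a TEMP profile at next logon.
            Remove-CimInstance -InputObject $p -ErrorAction Stop
            Write-Host "Removed $($p.LocalPath)"
        }
        $removed += $p.LocalPath
    }
    return $removed
}

Remove-LocalProfiles -Keep $KeepAccounts -WhatIf:$DryRun
```

Run it once with -DryRun from an elevated prompt to confirm the list is what you expect before registering it as a startup task; because the script only runs at boot, a user who stays logged on keeps their changes until the nightly shutdown in step 3 forces the cycle.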
Keith Lynn wrote:
> What are the implications of locking the ntuser.dat file on the user's
> server profile? That is, if I make the ntuser.dat file read-only, what
> effects will that have on the client?

The following is worth what you paid for it. Maybe.

The client machine will fuss when the user logs out, and complain that it cannot copy the profile back. Sometimes this means that other stuff in the profile directory won't get copied back too.

If you don't want the users to mess with the profile, then rename it from .dat to .man. This creates a mandatory profile. I think Win clients know that this is not changeable and don't try. Users can make changes in the local copy, but they don't stick. This is usually more hassle than it's worth, as some programs use the registry to save state. (E.g. Nikon View saves the last open folder, and brings you back to that point on the next invocation.)

A third way to do it is to let the users have their individual profiles initially, then run a script that copies a standard profile over the user profile every night. This has to be a profile usable by everyone, or has to be that user's profile from previously.

A fourth way to do this is to make sure that your netlogon share has the profile you want users to use, then just delete the ntuser.dat files every night. The client saves the file without a problem, but the next day, it's not there so the default user profile is loaded instead.

The best way, I think, would be to script the editing of the user's ntuser.dat file to reset the keys that you want set. Probably can be done with policies too. I'm just learning about policies.
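Both Noal's "Load Hive" inspection step and the suggestion just above to script the resetting of keys in a user's ntuser.dat come down to the same procedure: load the offline hive under a temporary name in HKEY_USERS, read or write keys there, and unload it. The script below is an added example and is not code from the thread. It assumes it runs elevated, that the target user is logged off (a hive that is in use cannot be loaded, and reg.exe reports the sharing error), that reg.exe is used for the load/unload, and that the key/value list in $Enforced is illustrative: the wallpaper path and the NoDriveTypeAutoRun value are hypothetical placeholders to be replaced with your own settings.

```powershell
# Added example: load an offline ntuser.dat, list its top-level keys, reset a
# fixed set of values, and unload it again.
# Assumptions: run elevated, user logged off, reg.exe available, $Enforced is
# an illustrative list of hypothetical settings.
param(
    [Parameter(Mandatory)][string]$HivePath,   # e.g. \\server\profiles\jdoe\ntuser.dat (assumed path)
    [string]$MountName = 'TempHive'            # temporary name shown under HKEY_USERS
)

# Hypothetical values to enforce; substitute the keys you actually want reset.
$Enforced = @(
    @{ Key = 'Control Panel\Desktop'; Name = 'Wallpaper'; Type = 'String'; Value = 'C:\corp\wallpaper.bmp' }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Type = 'DWord'; Value = 255 }
)

function Mount-UserHive {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { throw "Hive not found: $Path" }
    # reg.exe load maps the file under HKEY_USERS\<Name>; non-zero exit means it is
    # in use (user still logged on) or the caller lacks SeBackup/SeRestore rights.
    $out = & reg.exe load "HKU\$Name" $Path 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reg load failed: $out" }
}

function Dismount-UserHive {
    param([string]$Name)
    # Drop any registry handles PowerShell still holds, otherwise unload fails
    # with "access denied" and the hive stays mapped (and the file stays locked).
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    $out = & reg.exe unload "HKU\$Name" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reg unload failed: $out" }
}

function Get-HiveTopLevelKeys {
    param([string]$Name)
    # The inspection step: what regedit shows after File -> Load Hive
    Get-ChildItem "Registry::HKEY_USERS\$Name" | Select-Object -ExpandProperty PSChildName
}

function Set-EnforcedValues {
    param([string]$Name, [hashtable[]]$Settings)
    $changed = @()
    foreach ($s in $Settings) {
        $regPath = "Registry::HKEY_USERS\$Name\$($s.Key)"
        if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
        $current = (Get-ItemProperty -Path $regPath -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ($current -ne $s.Value) {
            # -Type is the registry provider's dynamic parameter (String, DWord, ...)
            Set-ItemProperty -Path $regPath -Name $s.Name -Value $s.Value -Type $s.Type
            $changed += "$($s.Key)\$($s.Name): '$current' -> '$($s.Value)'"
        }
    }
    return $changed
}

Mount-UserHive -Path $HivePath -Name $MountName
try {
    Write-Host "Top-level keys in $HivePath:"
    Get-HiveTopLevelKeys -Name $MountName | ForEach-Object { Write-Host "  $_" }
    $changes = Set-EnforcedValues -Name $MountName -Settings $Enforced
    Write-Host "Values reset: $($changes.Count)"
    $changes | ForEach-Object { Write-Host "  $_" }
} finally {
    # Always unload, even if a Set failed, so the server copy is not left locked
    Dismount-UserHive -Name $MountName
}
```

The try/finally matters more than it looks: a hive left loaded keeps the ntuser.dat open on the server, which reproduces exactly the "cannot copy the profile back" failure the reply above describes. If you want the mandatory-profile variant instead, the same edit is done once against the master copy before renaming it to ntuser.man; per-user scripting like this is only needed when users keep their own hives.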