Hi Everybody! I would like to share information that was clarified through a case I worked. Recently the platforms team changed their support stance on the customization of the Default User Profile due to shell related problems with unexpected registry entries and missing file issues related to the customized profile.

As a result, several options we’ve used over the years to correct a variety of IE related issues due to first logon, or missing registry entries need to be slightly modified/clarified.

ex. Automatically detect settings, missing registry entries related to running IE without a shell, etc)

DETAILS

From my discussion with the Platforms Directory Services team and through a thorough read through of the current knowledge base article on the topic, the only method that is NOT supported for the customizing of the Default User Profile is the actual file copy method used to replace the default profile with another user’s profile.

The good news is there is a method to customize the Default User profile that is supported and recommended for very targeted registry changes.

The current reigning article on the topic of Default Profile modification spends the majority of time discussing the image preparation method using Sysprep. In the article it talks about the reasons why the file copy method was deemed to be unsupported:

“Previously published procedures relied on a file copy mechanism. These procedures caused information to be left behind in the default user profile that caused the Windows shell to behave incorrectly. This led to problems with application compatibility and with the user experience. Therefore, do not advise customers to copy profiles over the default user profile. This method is no longer supported.”

How to configure default user settings for already deployed desktops

Implement the required new or changed settings as a logon script and configure it to run one time. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

  • 284193 How to run a logon script one time when a new user logs on

You can automate the procedure in Knowledge Base article 284193 by using the Reg.exe command. For an alternative solution, see the “Targeted changes to the Default User Registry hive and profile folders” section on the following Microsoft website:

C. Targeted changes to the Default User Registry hive and profile folders

I used to use this method in the before the automated profile copy existed. I can be useful when only a small number of targeted changes are required. It can be described as follows:

  • Identify the needed Registry changes. Then use a tool like Reg.exe or KiXtart to load the Default User hive into a temporary location into the Registry, write only the needed settings, and then unload the hive. The Knowledge Base article “How to run a logon script one time when a new user logs on” (http://support.microsoft.com/?id=284193) shows how to do this manually. This can be scripted for an unattended installation using Reg.exe as shown in this example (these lines may wrap due to page width):

:: ***** Configure Default User
:: *** Load Default User hive
reg load "hku\Test" "%USERPROFILE%\..\Default User\NTUSER.DAT"
:: *** Disable Desktop Cleanup
reg add "hku\Test\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz" /v NoRun /t REG_DWORD /d 1 /f
:: *** Unload Default User hive
reg unload "hku\Test"

  • Copy only needed files or shortcuts to the Default User profile folder.

This has the advantage that all changes to Default User are known and predictable. However, this requires that all changes be reduced to “scriptable” items (i.e. Registry or file system changes, no manual configuration).

To get this method to work properly on various service pack versions of Windows XP or Windows Server 2003 you have to disable the automated profile copy. In some cases you have to either install the hotfix from this KB article: http://support.microsoft.com/?kbid=887816 or set UpdateServerProfileDirectory=0 in Sysprep.inf. Which service packs versions have the automated profile copy enabled by default are documented in KB959753. In Windows Vista and higher the automated profile copy is disabled by default. You would then do the Default User hive registry edits before Sysprep runs.

This method can also be used to make changes to the Default User profile for machines that are already deployed in production.

You should exercise caution using this method. Try to keep all changes limited to only the individual Registry or file system changes needed for a particular desired result (e.g., a Windows or application setting). Do not do wholesale export and import of Registry keys or folder trees. This can potentially lead to the same problems as a manual profile copy. You can use a tool like Sysinternals Process Monitor to identify the individual changes. "

 

 

What this means for IE is going forward, when discussing the need to modify the Default User Profile, you must identify and import only the registry modifications necessary to achieve the solution.

This blog has been provided to you by another one of our Escalation Engineers for Internet Explorer, Aurthur Anderson.