User Profiles and System Policies: The Issues
You can use system policies or mandatory user profiles to enforce user settings. You should choose to use one method or the other, but not both. The two features differ in the following ways:
- System policies let you mandate user-specific and computer-specific settings. Mandatory user profiles let you mandate only user-specific settings.
- System policies let you selectively determine a subset of user settings to control, and each user controls the remaining settings. Mandatory user profiles always control every user-specific setting.
Before implementing user profiles, you should consider the following issues:
- Do you want to use system policies for user settings? If so, you must enable user profiles on the computer.
- What do you want to include in user profiles? For example, you might choose to include the desktop, Start menu, or Network Neighborhood in the user profile.
- Do you want user profiles to work across the network so that they are available to roving users? If so, the computers must be running a 32-bit, protected-mode network client. Also, you must make sure that each user has a home directory on the network.
- Should mandatory user profiles be used? If so, you must copy the necessary files to each user's home directory.
If you want to make user profiles available on the network (rather than on individual computers), you must perform the following preliminary steps:
- Install and run a 32-bit, protected-mode networking client (such as Client for NetWare Networks or Client for Microsoft Networks) on the computers.
- Ensure that the server supports long filenames for full user profile functionality. If the server doesn't support long filenames, only USER.DAT will follow a user around the network. Users will not be able to download other folders (such as those that support the Start menu and Network Neighborhood configuration).
- For Microsoft networks, ensure that a network home directory exists for each user because this is where user profiles are placed. (On Novell® NetWare® networks, profiles are placed in the MAIL/user_ID directory, which always exists.)
- For each computer, use the same names for the directory and the hard disk drive in which Windows 95 is installed. If Windows 95 is installed in C:\WINDOWS on one computer and in C:\WIN95 on another computer, some components of the user profile will not be transferred between the two computers. This is also true if Windows 95 is installed on different hard disks on different computers (for example, C:\WINDOWS on one computer, and D:\WINDOWS on another).
Before implementing system policies, you should consider the following issues:
- What types of restrictions and settings would you like to define and manage centrally? For example, do you want to limit access to the MS-DOS prompt and other applications or to Control Panel options, or do you want to implement a standard desktop for all users?
- Do you want to use one set of standard settings for all users and computers, or do you want to customize settings by groups of users? Also, do you want to maintain individual settings for users and computers? Typically, you customize settings by groups, where the majority of users are in groups such as Accounting, Marketing, and so on, and a small group of individuals (such as administrators) have special privileges. If so, you must install special files to support group policies.
- Will you be using user system policies (as opposed to defining only computer policies)? If so, user profiles must be enabled on the computers running Windows 95, which in turn requires that the computers use 32-bit, protected-mode network clients.
- Do system policies in Windows 95 meet your system administration needs, or do you need a more sophisticated system? If you need a high level of administrative control, you might want to consider using a more sophisticated management software tool, such as Microsoft Systems Management Server, rather than System Policy Editor. For information, see Appendix E, "Microsoft Systems Management Server."
If you want to use system policies, you must perform the following preliminary steps:
- On the administrator's computer, install System Policy Editor from the ADMIN\APPTOOLS\POLEDIT directory on the Windows 95 compact disc. Decide which users can install and have access to this tool for modifying policies. For most client computers, you probably will not install System Policy Editor.
- On the client computers, enable user profiles to ensure full support for system policies. If user profiles are not enabled, only the computer settings in any system policy will be written to the Registry.
- Install support for group policies on the client computers if your site will use these. For information, see "System Policy Editor" later in this chapter.
Tip: You can enable user profiles and related settings automatically when installing Windows 95 by using custom setup scripts. For information, see Appendix D, "MSBATCH.INF Parameters."
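The prerequisites listed in this section depend on one another, and an unmet one fails quietly (for example, user policy settings are simply not written when profiles are disabled). The following Python script is an added example, not part of the original text: it checks a site inventory against those prerequisites, and the `Computer` record, the `audit` function and the sample inventory are hypothetical and constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Computer:                 # hypothetical inventory record
    name: str
    windows_dir: str            # drive and directory where Windows 95 is installed
    client_32bit: bool          # 32-bit, protected-mode network client in use
    profiles_enabled: bool      # user profiles enabled on this computer

def audit(computers, long_filenames, network, users_missing_home, user_policies):
    """Return (subject, finding) pairs for prerequisites that are not met."""
    findings = []
    # Drive and directory must match on every computer; compare to the majority.
    dirs = Counter(c.windows_dir.upper() for c in computers)
    baseline = dirs.most_common(1)[0][0] if dirs else None
    for c in computers:
        if not c.client_32bit:
            findings.append((c.name, "no 32-bit protected-mode client: no network profiles"))
        if user_policies and not c.profiles_enabled:
            findings.append((c.name, "profiles disabled: only computer policy settings apply"))
        if c.windows_dir.upper() != baseline:
            findings.append((c.name, f"installed in {c.windows_dir}, not {baseline}: "
                                     "some profile components will not transfer"))
    if not long_filenames:
        findings.append(("server", "no long filenames: only USER.DAT follows the user"))
    # NetWare stores profiles in MAIL/user_ID, which always exists, so only
    # Microsoft networks need a home directory check.
    if network == "microsoft":
        findings += [(u, "no network home directory for the profile")
                     for u in users_missing_home]
    return findings

# Constructed sample inventory.
SAMPLE = [
    Computer("ACCT01", r"C:\WINDOWS", True, True),
    Computer("ACCT02", r"C:\WINDOWS", True, False),
    Computer("MKTG01", r"D:\WINDOWS", False, True),
]

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE, False, "microsoft", ["jsmith"], True):
        print(f"{subject}: {finding}")
```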