How to Prevent a User from Changing the User Profile Type

ID: Q150919

The information in this article applies to:

Microsoft Windows NT Workstation version 4.0
Microsoft Windows NT Server version 4.0
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server

SUMMARY

If roaming user profiles are used with Windows NT 4.0 systems, system administrators may wish to not allow users to change the profile type to local. To do this, remove the read permission from the %systemroot%\System32\Sysdm.cpl file for the users or groups that should not be able to modify profile settings. This removes the System icon from Control Panel. As a result, those users cannot change system settings.

NOTE: The Windows NT 4.0 system has to be installed on an NTFS partition to be able to set file permissions.

MORE INFORMATION

User profile settings are stored in the registry under the following registry key:


   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
      NT\CurrentVersion\ProfileList

For every user ever logged on to a Windows NT 4.0 system there is a subkey named after the security ID (SID) of that user where the actual values are stored. The user profile type is stored in the State value under the users subkey. Setting this value using system policies is possible but it does not prevent the System icon from Control Panel from appearing and therefore the user can change the profile type once logged on. Another disadvantage of changing the profile type in the registry is that you must ensure that you change the value in the subkey associated with the user. This implies that you must find the appropriate SID for the user.

Additional query words: prodnt

Keywords : kbui ntdomain ntsecurity NTSrvWkst
Version : WINDOWS:2000; winnt:4.0
Platform : WINDOWS winnt
Issue type : kbinfo