Configuring Windows 2000 for multiple users (on a single machine)
these notes are currently in development. eventually they should also cover configuring for multiple machines in a roaming user environment
version 0.9.17
you need to configure the operating system in a general manner and then pre-configure it so that each user will experience it the way you have defined. likewise applications need to be configured then pre-configured for each user
- configure the operating system, in general and in preparation for multiple users (in all cases as per 'Configuring Windows 2000/XP for Performance, Usability and Security')
- As Administrator, configure the operating system as per 'Configuring Windows 2000/XP for Performance, Usability and Security' but just those settings that are per-machine
- ? Install software applications (as per 'Windows 2000 Pro Software Installation')
(if you're intending to pre-configure using a Default User profile then you should be ok creating that default profile after installing the applications, as long as you're mindful of any user-specific options they keep within that profile (whether in config files or the registry), and edit them accordingly or delete the whole file/section. Alternatively, and what seems the safer method, is to create the Default User profile before installing applications; when those applications are first run by users they should set themselves up automatically (and using your pre-configuration if you've chosen to use one).)
- if you haven't already done so, pre-configure Desktop and Start Menu icons by copying all those created to Default User, so that a set is given to each user, which they have the ability to edit if they choose (a version they cannot edit could alternatively be made by using All Users in place of Default User)
- copy icons from All Users\Desktop and Administrator\Desktop to Default User\Desktop
- copy menu items from All Users\Start Menu and Administrator\Start Menu to Default User\Start Menu
- they will be copied to each new user's desktop, and ownership permissions should be altered for each user specifically and exclusively. many applications install with just the permission of the user that did the installing, so this solution also saves time editing those permissions. but it doesn't always work this way (presumably depending on the role of the user account). It doesn't work for a 'Restricted user'. if security on these icons isn't of the utmost importance you can select everything bar NTUSER.DAT and set full access for Everyone, including using Advanced and setting the action to propagate down through directories and overwrite all explicitly defined permissions
- make sure all instances of shortcuts for any applications that require a specific command-line option to point them to a pre-configuration have that command-line option set (e.g. IrfanView)
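As an added example (not part of the original notes), the icon copy and permission step above as a cmd.exe batch script for Windows 2000, using only the inbox xcopy and cacls tools. It assumes the standard C:\Documents and Settings layout, and takes the 'more restrictive' option the notes allow (Administrators full control, Users read) instead of Everyone full control, so a Restricted User cannot alter the template that every later account is generated from.

```batch
@echo off
rem Added example, not from the original notes: seed Default User with the Desktop and
rem Start Menu shortcuts from All Users and Administrator, then set permissions.
rem Assumes the standard profile path; edit PROFILES if Documents and Settings lives elsewhere.
setlocal
set PROFILES=C:\Documents and Settings
set DEFUSER=%PROFILES%\Default User

rem 1. copy shortcuts. /E includes subdirectories (even empty ones), /I treats the target
rem    as a directory, /H includes hidden files, /K keeps attributes, /Y overwrites silently.
xcopy "%PROFILES%\All Users\Desktop"        "%DEFUSER%\Desktop"    /E /I /H /K /Y
xcopy "%PROFILES%\Administrator\Desktop"    "%DEFUSER%\Desktop"    /E /I /H /K /Y
xcopy "%PROFILES%\All Users\Start Menu"     "%DEFUSER%\Start Menu" /E /I /H /K /Y
xcopy "%PROFILES%\Administrator\Start Menu" "%DEFUSER%\Start Menu" /E /I /H /K /Y

rem 2. permissions on the template: the restrictive variant the notes allow. Users get read,
rem    which is enough for the profile to be copied to a new account at first logon; only
rem    Administrators may change the template. /T recurses, /E edits the ACL in place
rem    (existing entries such as SYSTEM stay), /G grants. NTUSER.DAT is done explicitly
rem    because the notes treat it separately from the folders.
cacls "%DEFUSER%" /T /E /G Administrators:F Users:R
cacls "%DEFUSER%\NTUSER.DAT" /E /G Administrators:F Users:R

rem 3. check: the listing should show Administrators:F and Users:R, and no Everyone:F
rem    unless an earlier step put it there (remove it with: cacls "%DEFUSER%" /T /E /R Everyone)
cacls "%DEFUSER%"
endlocal
```

Because /E edits rather than replaces the ACL, any broader grant already on the folder (such as Everyone full control from an earlier attempt) survives; the check at the end is there to catch that.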
- Choose one of these approaches to configure user profiles:
- a) configure the Default User profile so new user profiles are generated based on it when users first log in - automated method (this is our preferred method, and the most automated, if you want to use our specific configuration)
- delete the existing Default User profile
- get the profile called 'before apps installed' which we provide at http://../../profiles/
- unzip the profile into c:\Documents and Settings\Default User
- change permissions of the folders (including Advanced -> 'allow inheritable...') (or more restrictive if you need)
- change permissions of NTUSER.DAT for Everyone (or more restrictive if you need)
- b) configure the Default User profile so new user profiles are generated based on it when users first log in - manual method (this is our preferred method, if you want to use your own form of configuration)
- create a new user account, perhaps called 'template'
- log in as template and configure it as per 'Configuring Windows 2000/XP for Performance, Usability and Security' but just those settings that are user-specific
- logout and login as Administrator
- copy template's user profile to the Default User profile: Start -> Settings -> Control Panel -> System -> User Profiles -> template -> Copy To
- Copy profile to: c:\Documents and Settings\Default User
- Permitted to use: Everyone
- this may not copy the NTUSER.DAT file, in which case you should copy it from template to c:\Documents and Settings\Default User\
- c) configure an account then copy that account's profile to another account (using Windows' feature for copying it)
- same as above but instead of the profile being created automatically you copy it manually
- log in as the newly created user to create the Profile (their Windows profile will be created based on that in the Default User Profile and they will see the standard Desktop and Start Menu icons from the All Users Profile). if you don't create this profile, and instead copy a Profile first, Windows will choose another Profile name upon first login because a Profile already exists with the name it would have chosen.
- log out then log in as Administrator (if the template account isn't actually the Administrator account)
- choose Control Panel -> System -> User Profiles -> choose the already configured user -> Copy To -> for the user to copy to, pick their profile directory (probably C:\Documents and Settings\'username') and then set their name in the 'Permitted to use' field (so as to alter the permissions on the files of that Profile to their username). this will copy the Profile and registry of the original user
- d) configure each user account by hand as per 'Configuring Windows 2000/XP for Performance, Usability and Security'
- e) configure Default User and/or individual user profiles using The Windows Environment and Application Konfigurator (TWEAK)
- There are problems with some applications in copying their user profile entries, which are easily worked around by removing those entries (files and directories in %APPDATA% or registry settings in HKCU\Software\program-name\), and which may be helped by copying the profile before these specific applications are installed
- this is an imperfect solution, as it copies references to temp directories from applications that don't use the otherwise very convenient %USERPROFILE% variable, which now relate wrongly to the original user's directory rather than the new user's, so these must then be amended by logging in as each user and amending application options. most of the current applications we use require this treatment (the perfect workaround for this is applications allowing us to use %USERNAME% in their options; this solves everything, but not all applications allow it (Mozilla does in its command-line but not in other places))
so, basically, for multi-user compatible software applications, you have to change the TEMP setting in most (those that aren't multi-user aware will have to have been installed in a manner that compensates for this and remain with the one set of options - i.e. a per-machine cache rather than a per-user cache).
The occasional application for which this isn't good enough (e.g. Mozilla) will need each user's profile directory data pertaining to it removing so that it can re-create it correctly, or do the copy-profile procedure before installing that application
- configure applications for multiple users
If you're going to configure an application, you may as well do so in a way that if more Windows user accounts (or application profiles within a single Windows profile, if the application supports that) are created then they will receive the same configuration, and that those users can edit that configuration for their own account if they choose.
- create temp directories for all applications that can use a per-user cache, in the user's specific directory on the TEMP partition (otherwise the application should already come pre-configured to use the per-machine cache you've already configured it to use; some will not, and they need to be given a per-machine cache location or not used at all)
- different applications do multi-user configuration in different ways (they either create a HKCU registry setting or save settings in a single file in the user's profile directory - for each new user that runs them (most common) - or use a per-user means of installation (less common). some applications allow you to pre-configure them so that when they create these entries they do so with the options you have chosen. other applications do only part or none of these per-user techniques: they use the HKLM registry location instead of HKCU, use a single copy of a file to store settings, or do either of these for just a subset of their options as well as the previous multi-user compatible techniques - we have details of techniques used by some applications on their specific pages).
configure the applications in one of these ways:
- some applications have their own 'profile', within the Windows profile, which they create if none is already there, and have their own means of pre-configuring that fresh profile, so if you have a copy of such a profile in your template user's profile you should delete it (e.g. Mozilla, OpenOffice)
- some of these applications may not succeed in allowing you to pre-configure them enough and you still have to copy files manually whenever a new Windows user profile or application profile is created (e.g. Mozilla's USER.JS file)
- some save their settings in the registry, so if you've configured that application for your template user account, the settings will be copied to others
- some simpler applications allow you to manually force them to look to the profile directory for pre-configured settings (e.g. IrfanView); to pre-configure these for each new Windows profile you put this configuration in the Default User\Application Data directory and set the global setting (this is particular to each program) to force it to look instead to this file
- some applications, or parts of applications, don't support a multi-user configuration. if you really must use them, configure the whole of it, or just the parts of it that will apply to everyone, in a per-machine manner (e.g. if it uses a single temp location, create F:\'program-name'; or make sure everyone has access to the HKLM registry location, or file, that it uses)
- creating new user accounts once your multi-user system is configured
create as many new users as you need (you may only have one user, but that's one other than Administrator), and define their privileges (our current advice is just to make them a Restricted User (i.e. a member of the group 'Users') but from what we understand so far there is some software that hasn't been brought into line with Windows 2000 yet that will only work as 'Standard User - Power Users Group')
- create their Windows profile by whichever means you setup in the earlier stage
- make any changes to Windows that carry across specific references to the user account the profile was copied from
- location of My Documents
- Internet Explorer's cache location
- most applications' profiles will copy across fine, but for any that embed specific directory names into their profiles that cannot be copied from one user to another, delete the profile so it can be re-created correctly, e.g.:
- Mozilla (because it stores the absolute location of that user's profile directory in %APPDATA%\Mozilla\registry.dat) (but what if you delete registry.dat so that Mozilla recreates it?)
- Internet Explorer (because of its cache location)
- are there others?
- run each of those applications, from above, which have their own means of automating the creation of their profile, so as to create a new profile for the user
- do any manual configuration of individual applications' profiles that have settings specific to individual users (e.g. to individual users' temp location) and that cannot be automated due to problems specific to each application in this regard, e.g.:
- Mozilla's user cache location stored in Mozilla's USER.JS, which cannot use the %USERNAME% environment variable
- Notetab's registry (if you've included registry settings, and applications' registry settings in particular, in your pre-configured profile, then you won't need to make any such manual registry changes for applications)
our limited experience of copying Windows profiles by hand (admittedly across different hardware) is just that when you log in explorer.exe crashes, repeatedly
- permissions
if you're happy for one user to be able to look into the directories of another you can skip this
('Documents and Settings' is already pre-configured with the right permissions; we want to mirror that in the same way we're mirroring its other features by moving them off elsewhere for our multi-partitioned environment. if we didn't use multiple partitions obviously this would all be a lot more straightforward, but not so well tuned)
- ...
- create TEMP-PARTITION-OR-FOLDER\'username'\application name\ for each application and each user, and set that application to use it from within it - the only way this differs from standalone NT is that you create each directory within a root directory named after each user, and you do so for each user
you must do each of these for each user on the system
not all applications use TEMP for their temporary files (e.g. Mozilla) and it is these that present a problem. if they understand environment variables then probably you can pre-configure them to use TEMP, but if, like Mozilla, they don't recognise environment variables from within their pre-configuration routines, you will have to copy over a file containing the user-specific temp directory manually each time a new profile of that application, or a new Windows profile, is created
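The per-user temp tree described in this section, as an added batch example that is not part of the original notes. It assumes the TEMP partition is F: (the notes use F:\'program-name' for per-machine caches) and that the user and application lists are edited to match the machine; it is run once as Administrator, and each user's branch is then locked to that user, Administrators and SYSTEM so users cannot read each other's caches.

```batch
@echo off
rem Added example, not from the original notes: build TEMP-PARTITION\username\application
rem trees and lock each user's branch to that user. Assumptions: the TEMP partition is F:,
rem USERS and APPS are edited to match the machine. Run as Administrator.
setlocal
set TEMPROOT=F:\temp
set USERS=alice bob
set APPS=Mozilla IrfanView PowerArchiver

if not exist "%TEMPROOT%" mkdir "%TEMPROOT%"
rem the root only needs to be readable so each user can reach their own branch
cacls "%TEMPROOT%" /E /G Users:R

for %%U in (%USERS%) do (
    if not exist "%TEMPROOT%\%%U" mkdir "%TEMPROOT%\%%U"
    for %%A in (%APPS%) do (
        if not exist "%TEMPROOT%\%%U\%%A" mkdir "%TEMPROOT%\%%U\%%A"
    )
    rem replace the inherited ACL on the user's branch. Without /E the list given becomes
    rem the whole ACL, so the Users:R entry from the root does not carry down; cacls asks
    rem for confirmation in that mode, hence the piped Y. /T applies it to the app folders.
    echo Y| cacls "%TEMPROOT%\%%U" /T /G %%U:F Administrators:F SYSTEM:F
)

rem check: each branch should list only the user, Administrators and SYSTEM
for %%U in (%USERS%) do cacls "%TEMPROOT%\%%U"
endlocal
```

The script only creates and protects the directories; pointing each application at its directory is still done inside that application's options, as the notes describe, and for applications that do not read environment variables the path has to be written into their per-user config file by hand.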
Services
Services that can be turned off, even in a networked environment
- Clipbook
Explanation: "a relic of NT3.x. Used to support Clipbook Viewer which allows remote viewing of the clipbook. Default for workstation is manual. Ensure it is set to manual or disabled"
Default setting: manual
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv
- Distributed Transaction Coordinator
Explanation: 'Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers' - If you do not have transaction protected resources you can disable this - a stand-alone machine can certainly set this to manual
Default setting: manual
Registry subkey: ?
- Indexing Service
Explanation: 'Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language' - this is variable, if you have a lot of Office documents that you need to search, this is useful, but does use up memory - used to be called 'FindFast'
Default setting: manual
Registry subkey: ?
- IPSec Policy Agent
Explanation: 'Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver' - if you're not using these things then set this to manual
Default setting: automatic
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC
- Computer Browser
Explanation: 'Maintains an up-to-date list of computers on your network and supplies the list to programs that request it' - not always needed with a domain controller, needed on at least two machines with a workgroup - "The browser service is used to maintain the list of PCs you see in Network Neighborhood. This is normally a server function. A home user can set this to Manual"
Default setting: automatic
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser
- Fax Service
Explanation: set to manual if you don't need it
Default setting: manual
Registry subkey: Fax
- FTP Publishing Service
Explanation:
Default setting: not installed?
Registry subkey: ?
- IIS Admin Service
Explanation:
Default setting: not installed?
Registry subkey: ?
- Network DDE
Explanation: "Supports network transport of DDE (Dynamic Data Exchange) connections. Such connectivity is mostly a relic from the NT 3.x days."
Default setting: manual
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE
- NetMeeting Remote Desktop Sharing
Explanation: "Allows authorized people to remotely access your Windows desktop using NetMeeting. If you don't use NetMeeting you can disable this"
Default setting: manual
Registry subkey: ?
- Routing and Remote Access
Explanation: 'Offers routing services to businesses in local area and wide area network environments'
Default setting: disabled
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess
- RIP Service
Explanation: "If your system is not needed as a router you can set this to manual or disable it"
Default setting: not installed?
Registry subkey: ?
- Telephony
Explanation: "Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. If you don't use any applications that establish voice connections online, e.g. Roger Wilco, Netmeeting, or Internet telephone services, you can turn it off"
Default setting: manual?
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv
- World Wide Web Publishing Service
Explanation: "Unless your system needs to be a web server you can set this to manual or disable it"
Default setting: not installed?
Registry subkey: ?
- Alerter
Explanation: 'Notifies selected users and computers of administrative alerts' - this may be used if part of a Windows domain
Default setting: manual
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter
- Messenger
Explanation: 'Sends and receives messages transmitted by administrators or by the Alerter service'
Default setting: automatic
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
- Remote Registry Service
Explanation: 'Allows remote registry manipulation'
Default setting: automatic
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
- Server
Explanation: 'Provides RPC support and file, print, and named pipe sharing' - turning it off removes the ability to share folders on your computer, but you can still access shared folders on other computers
Default setting: automatic
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Registry value: For Servers edit "AutoShareServer" with a REG_DWORD Value of 0; For Workstations, edit "AutoShareWks"
- TCP/IP NetBIOS Helper
Explanation: "Provides support for name resolution via a lookup of the LMHosts file. If you are not using LMHOSTS name resolution, you can set it to Manual"
Default setting: automatic?
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?
- DHCP Client
Explanation: 'Manages network configuration by registering and updating IP addresses and DNS names'
Default setting: automatic
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
- Net Logon
Explanation: logs a workstation onto a domain
Default setting:
Registry subkey: ?
- Distributed Link Tracking Client
Explanation: 'Sends notifications of files moving between NTFS volumes in a network domain' - you should perhaps leave this on if you work within a Windows 2000 domain - but a stand-alone machine can set this to manual
Default setting: automatic
Registry subkey: ?
- DNS Client
Explanation: "Resolves and caches Domain Name System (DNS) names. This is normally provided by your ISP. Set to Manual and if you have name resolution problems, return it to Automatic"
Default setting:
Registry subkey: ?
- NT LM Security Support Provider
Explanation: "Provides security to remote procedure call (RPC) programs that use transports other than named pipes. A home user can set this to Manual"
Default setting:
Registry subkey: ?
- Performance Logs and Alerts
Explanation:
Default setting:
Registry subkey: ?
- Plug and Play
Explanation: "Gives something like PnP functionality but unless you are using unimodem modems, don't bother"
Default setting:
Registry subkey: ?
- QoS RSVP
Explanation: Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets. A home user can set this to Manual
Default setting:
Registry subkey: ?
- Security Accounts Manager
Explanation: "Stores security information for local user accounts. A home user can set this to Manual unless you are using Local Security Policy Editor"
Default setting:
Registry subkey: ?
- Server Service
Explanation: "You can disable the server service unless you are sharing files on your hard drive or your printer. If you have a DSL or cable modem, stop this service. Hackers will get nowhere if you do"
Default setting:
Registry subkey: ?
- Runas Service
Explanation: "Enables starting processes under alternate credentials. If you don't run applications under an alias (e.g.as a different user), you can turn it off"
Default setting:
Registry subkey: ?
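As an added example (not part of the original notes), the 'set to manual' advice from the service list above applied in one go from cmd.exe, using the registry subkeys the notes give and only inbox Windows 2000 tools (net, regedit). The service's start type is the Start value under its subkey: 2 is automatic, 3 is manual, 4 is disabled. Only services whose subkey the notes name and recommend turning down are included (Clipbook, Network DDE, Computer Browser, Telephony, Alerter, Messenger, Remote Registry); entries the notes leave as '?' are not touched, and the service and IPSEC entries are deliberately left alone.

```batch
@echo off
rem Added example, not from the original notes: set the listed services to manual start
rem by importing a .reg file, and stop any that are running now. Start=3 means manual.
setlocal
set REGFILE=%TEMP%\services-manual.reg
set SVCKEY=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

rem 1. write the .reg file. REGEDIT4 is the older header that Windows 2000 regedit accepts.
> "%REGFILE%" echo REGEDIT4
for %%S in (ClipSrv NetDDE Browser TapiSrv Alerter Messenger RemoteRegistry) do (
    >> "%REGFILE%" echo.
    >> "%REGFILE%" echo [%SVCKEY%\%%S]
    >> "%REGFILE%" echo "Start"=dword:00000003
)

rem 2. stop running instances so the change takes effect now, not only after a reboot.
rem    These are service (key) names, not display names. ClipSrv is stopped before NetDDE
rem    because Clipbook depends on Network DDE and net stop would otherwise prompt.
for %%S in (ClipSrv NetDDE Browser TapiSrv Alerter Messenger RemoteRegistry) do net stop %%S

rem 3. apply the start type silently (/s suppresses the confirmation dialog)
regedit /s "%REGFILE%"

rem 4. check: none of the seven should appear in the list of running services
net start
endlocal
```

Messenger and Remote Registry are automatic by default, so these two are the ones a stand-alone machine most benefits from turning down: the first accepts unsolicited administrative pop-ups from the network, the second lets any account with the right permissions edit this machine's registry remotely. Keep Remote Registry running only if you actually manage the machine from elsewhere.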
Permissions
there are various components for which non-administrative users will require upgraded permissions to use or to use effectively:
- Printer
- Start -> Settings -> Printers -> choose printer -> File -> Properties -> Security -> add Everyone, or individual users or a specific group, to the list and give them appropriate permissions
- Fax
- haven't found how to make this work for a Restricted User yet (despite changing all permissions I could find that seemed relevant, when sending a fax it doesn't actually get transmitted until I log in as Administrator); making them a Standard User allows it to work ok
- Remote Access Service (Dial-Up Networking)
- create shortcuts to dial-up Internet connections on a per-user basis (else settings such as the password that were saved with another account it may have been copied from will not be carried with the shortcut)
- if you set up Dial-Up Networking, leave off the '...remember password...' (or whatever it's called) setting in the properties (not the one when you actually dial) when you set it up as Administrator and then use it as a Restricted User, as the password will not be accessible by other users and the connection will fail
- "For Windows NT, 2000, and XP, you configure autodial for Microsoft apps (IE and Outlook) the same way as ... However, these settings have no effect on non-MS applications. To configure autodial for non-MS applications, you have to start the OS service "Remote Access Auto Connection Manager." Once this service has been started, autodial works fine with Mozilla. However, it seems that this service is configured to NOT start automatically by default, so it will look like autodial is broken on Mozilla on these systems until the service is started. I forgot to mention that in my experiments, I found that the autoconnect service only works correctly if the ethernet device is disabled. Unplugged doesn't seem to be good enough. An important detail."
Set boot menu delay to 1 second
Control Panel -> System -> Advanced -> Startup and Recovery -> System startup -> Display list of operating systems for [1] seconds
- if installing applications as Administrator then using them as other users, applications that aren't able to be used on a per-user basis may have to be run as Administrator: right click icon -> Properties -> Run as different user - on
- icons that will require tailoring to specific users (such as those using profiles, like web browser and email) will need to be stored in each user's desktop directory - and perhaps the whole desktop should be
- (some applications use 'start in %HOMEDRIVE%%HOMEPATH%'; perhaps this should be used for icons throughout)
some application behaviour
- F-Prot saves everything (program/?workstation? and user settings) in HKLM - so it's fine for multi-user single machine, but not multi-user roaming network
- LeechFTP: HKEY_USERS
- Mozilla uses HKLM and HKEY_USERS but both just for program locations
- ZoneAlarm uses HKLM and stores a paltry amount in HKEY_USERS but only for the user that installed it - Bad!
- PowerArchiver saves only install directory in HKLM and user config in HKEY_USERS
- Java saves on a per user basis to %USERPROFILE%\.Java; uses HKLM and HKEY_USERS but HKEY_USERS looks empty
- Acrobat uses HKLM and HKEY_USERS
- Pegasus stores user specific settings in its own file in the mail directory and creates a paltry amount of information (username, program directory location) in HKEY_USERS
- OpenOffice is free from registry settings (though it does make some, they're ignorable)
is there an efficient way to configure a DEFAULT USER account and copy its settings to All Users for use by everyone? in NT4 you'd do this with Group Policies, do they still exist or have they been replaced by Active Directory? there are still .pol files around indicating that policies are being used like they were in NT4 (in All Users)
there would be various groups of settings for an account:
- settings for TMP and TEMP?
- group policy
- profile
at least I think most are, what about Java for instance?
- registry
- Security Settings (Control Panel -> Local Security Policy)
All Users probably is an overlay for look and feel, whereas Default User is what each account is actually a copy of, and thus it contains things like an empty 'Cookies' directory that enables that directory to be created in the first place (apart from NTUSER.DAT or NTUSER.POL files)
http://www.labmice.net/articles/securingwin2000.htm
Microsoft's instructions for using a different drive for the 'Documents and Settings' folder:
"Specify a different folder for the "Documents and Settings" folder during installation:
- Use the /UNATTEND switch with Winnt.exe or Winnt32.exe and insert the following entry into the Unattend.txt file, where z:\foldername is the path and folder name you want:
[GuiUnattended]
ProfilesDir = z:\foldername
- Install Windows. The path you included in the Unattend.txt file is used instead of the default "Documents and Settings" folder: winnt /u:a:\unattend.txt" or use the boot disk I've made
failing that method, set as many things as appropriate to point elsewhere:
- TEMP (Control Panel -> System -> Advanced -> Environment Variables)
- TMP (Control Panel -> System -> Advanced -> Environment Variables)
- IE cache
- My Documents
do any registry settings for non-multi-user-environment applications that use HKEY_CURRENT_USER need moving from the installing user's registry area to other users'?
(i.e. any that use the registry in place of the profile for per-user settings, or, if they use the registry, save to a place that will get copied to each new user's registry)
(the way around this is to configure each application whilst logged in as each user, or copy the settings from one HKEY_USERS location to another, unless they automatically create the HKEY_USERS settings when you run the app for the first time as that user)
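The 'copy the settings from one HKEY_USERS location to another' workaround just described, and the earlier point that registry-stored settings configured for the template account can be copied to others, as one added batch example that is not part of the original notes. It exports one application's HKEY_CURRENT_USER branch from the template account to a .reg file, checks that file for the absolute paths the notes warn about (references to the template user's directories that would be wrong for the new user), and shows the import each later user runs. APP, the C:\preconfig directory and the account name 'template' are placeholders to edit; values stored as REG_EXPAND_SZ or binary are hex-encoded in a .reg file and are not caught by the text check.

```batch
@echo off
rem Added example, not from the original notes: export one application's HKEY_CURRENT_USER
rem settings from the template account into a .reg file that each later user imports into
rem their own hive, then check the export for absolute paths that would point the new user
rem at the template user's directories. APP and TEMPLATE are placeholders to edit.
setlocal
set APP=program-name
set TEMPLATE=template
set OUTDIR=C:\preconfig
set OUT=%OUTDIR%\%APP%.reg
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem export while logged in as the template user. regedit writes the key as
rem HKEY_CURRENT_USER\..., so the same file lands in whichever user's hive imports it
start /wait regedit /e "%OUT%" "HKEY_CURRENT_USER\Software\%APP%"
if not exist "%OUT%" (
    echo export failed: check that HKEY_CURRENT_USER\Software\%APP% exists
    goto :end
)

rem check: values that embed the template profile's absolute path are the ones the notes
rem say must be amended per user. regedit on Windows 2000 writes Unicode files, which
rem findstr cannot search directly, so the file is passed through type, which converts it.
rem REG_SZ values in a .reg file double their backslashes, hence the \\ in the pattern;
rem findstr /l takes the pattern literally.
type "%OUT%" | findstr /i /l /c:"Documents and Settings\\%TEMPLATE%"
if errorlevel 1 (
    echo OK: no absolute path to the %TEMPLATE% profile found in %OUT%
) else (
    echo WARNING: edit the lines above before reusing %OUT% for another user
)

rem later, while logged in as each new user, import silently with:
rem     regedit /s C:\preconfig\program-name.reg
:end
endlocal
```

Importing as the new user, rather than writing into another account's hive as Administrator, keeps the settings under that user's own HKEY_USERS branch with the permissions Windows gives it, and avoids the case the notes mention where an application only populates its registry entries for the account that installed it.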
(the best thing is for applications to be saving user data to %USERPROFILE%, so that user config doesn't have to be made from each particular workstation (I should write a set of guidelines for this) but instead just the once and from anywhere, which allows people to do OS-level roaming. which leaves workstation-specific registry settings, which more applications do, pointing to where the program lives.)
(which s/w auto-registers to any HKEY_USERS that exist on the system? and which just to that which is logged in whilst installing?)
template should include:
- HKLM?
- HKEY_USERS - and then sub-parts for the differing ways of creating HKEY_USERS entries (on first install only, or on subsequent runs). ?and does it store preferences in here?
- %USERPROFILE%? (does it store user data here, or program location data here too?)
for an OS-level roaming user environment, if preferences are stored in %USERPROFILE% then it only needs configuring the once and from anywhere. if it stores prefs in HKEY_USERS then it must be re-configured at each workstation. if it uses HKLM then it will need installing from each workstation? however, apps may re-create HKLM and HKEY_USERS entries when run for the first time on a workstation. some apps will store everything in %USERPROFILE% whilst others will use a combination of that and the registry
an app can be written to work with multiple users on the same machine, or furthermore written to work with multiple users in a roaming network environment
bad behaviour is an app that stores settings in its own or Windows' program directory, as you'd then have to give the user group Everyone write access to there, which is poor security; but this can be worked around by a user pref that allows using a pref file in a different location
may need to amend TEMPLATE.HTML to take these things into account
for software that doesn't have per-user settings, you don't want to set temp to a per-user cache; instead use TEMP\application name\
a next step is learning how to pre-configure these applications, and then offering a downloadable file of same from the 'our info' page
"Users can customize Office 2000 to a greater extent than ever before. These customizations fall into two categories:
Configuration: customizing which Office applications are installed and available for use on the computer
Preference: personalizing settings for installed applications
The first of these categories, configuration, can be controlled for the computer or for each user of the computer. In either case, no matter how many users, you have only one set of Office 2000 files for each computer. The second category, preferences, can be controlled on a per-user basis. In other words, each user of the computer can store different personalized settings for the applications on the computer.
The personalized settings are stored in each user’s Application Data folder and in the HKEY_CURRENT_USER key in the Windows® registry, which are in turn part of each user’s profile. A user profile stores both personalized settings for Office 2000 as well as customized settings for the operating system, such as the desktop environment or network and printer connections. The user profile can also contain a unique Start menu for the user, so the user sees only the applications available to that user."
- PowerArchiver's icons in All Users, despite having the 'Users' group added to their security permissions, still don't appear for users other than Administrator
time to install Windows 2000 (with formatting one 1.5GB partition): 35mins