Some organizations must restrict domain accounts on specific computers, but these domain accounts are unrestricted by Group Policy. This often happens with shared facilities that are used briefly by domain users, such as CD or DVD creation labs or other types of dedicated computer kiosks.
Similarly, operators may want to restrict domain accounts on specific computers but do not have the access rights to make the required changes within Group Policy to do so.
Other security-conscious environments would like to ensure that default restrictions are applied to domain users even if network issues prevent Group Policy restrictions from being applied during an initial logon.
Note: |
---|
If you copy the Default User folder to the NETLOGON shared folder on a domain controller, the settings and restrictions of this default profile will apply to all domain users the first time they log on. The folder will be replicated to all other domain controllers providing a Default User profile for all new domain accounts. |
All of these scenarios can be addressed by setting restrictions on the Default User profile in Windows SteadyState. The Default User profile is then used as the template when creating all new user profiles for both domain and local accounts. This particular technique does not work on domain accounts that are configured with roaming user profiles
Note: |
---|
It is advisable to create a backup of the Default User profile before you customize the profile for use on the domain. To do this, make a copy of the Default User folder located in the Documents and Settings folder. |
To create a custom Default User profile
-
Log on as the Windows SteadyState administrator.
-
Create a new local user profile.
-
Log off and then log on as the local user that you just created.
-
Customize the user settings and environment. For example, you could:
- Customize the Start menu.
- Customize the desktop and taskbar.
- Install and configure printers.
- Customize the Start menu.
-
Log off and then log on as the Windows SteadyState administrator.
-
Configure and apply restrictions for the newly created user profile.
-
Perform one of the following tasks:
- In Windows XP, click Start, and then
click My Computer.
- In Windows Vista, click Start, and
then click Computer. To show menus,
press the ALT key and the menu bar will appear above the
toolbar.
- In Windows XP, click Start, and then
click My Computer.
-
On the Tools menu, click Folder Options.
-
In the Folder Options dialog box, on the View tab, under Advanced settings, click Show hidden files and folders, and then click OK. Several of the files in the new profile are hidden by default and must be visible to be copied to the new custom Default User profile.
-
Perform one of the following tasks:
- In Windows XP, click Start,
right-click My Computer, and then click
Properties. In the System Properties dialog box, on the Advanced tab, under User
Profiles, click Settings.
- In Windows Vista, click Start,
right-click Computer, and then click
Properties. In the System Properties dialog box, click Advanced system properties. On the Advanced tab, under User
Profiles, click Settings.
- In Windows XP, click Start,
right-click My Computer, and then click
Properties. In the System Properties dialog box, on the Advanced tab, under User
Profiles, click Settings.
-
In the User Profiles dialog box, click the user profile that you just created and customized, and then click Copy To.
-
In the Copy To dialog box, under Copy profile to, click Browse, select the Settings\Default User folder, and then click OK.
-
Under Permitted to use, click Change, click Everyone, and then click OK. If Everyone is not available, click Advanced, click Find Now, click Everyone, and then click OK.
After the Default User profile is customized, Windows XP or Windows Vista assigns the Default User profile along with its restrictions to any new user who logs on to the computer. This technique cannot be used to lock new user profiles as they are created. However, you can use customized Default User profiles along with Windows Disk Protection to clear the new user profiles that are created on the Windows partition with each restart of the computer.