Sunday, October 24, 2010

Windows 7: Copy A Modified User Profile Over The Default Profile

        While this is not directly security related, it should be helpful to those who are testing Windows 7. I'm posting it for those who are searching the Internet for details on copying user profiles in Windows 7. It used to be that you could simply open the profile manager and copy any unlocked profile over the "Default User" profile. Microsoft appears to have disabled this in Windows 7: the "Copy To" button is grayed out, and the expected route is sysprep with the CopyProfile setting in an unattend.xml (the command is given at the end of this post).

The Steps: After setting up the profile for one user, let's call the account "adrian", do the following:
This workaround on Windows 7 RTM works. It's a bit more time consuming than clicking on Copy To, but it does the same thing. What you are doing is:
  • Manually copying the profile folder to the file server.
  • Renaming it, e.g. Mandatory.V2 (the .V2 is required for Vista, Windows 7, Windows Server 2008/2008 R2).
  • Deleting AppData\Local and AppData\LocalLow from the new profile on the file server.
  • Launching REGEDIT on the file server and loading the hive from NTUSER.DAT in the profile.
  • Changing the permissions on the loaded hive: delete the old user and add in a group, e.g. Authenticated Users = Full Control.
  • Unloading the hive.
  • Renaming NTUSER.DAT in the mandatory profile to NTUSER.MAN.
  • Changing the user object(s) to use a roaming profile path. Note that .V2 is not specified there; it's silent. Vista etc. know to add it; XP etc. won't use it.
Yes, much slower than clicking on Copy To and renaming a folder and a file.
"I got this to work, but it's no where near as elegant as with XP and Vista via the User Profile "copy to" method:
Customize a user profile as needed
Go to Control Panel and create a new dummy administrator
Reboot, log in as the dummy admin
Browse to C: and go into the Folder settings and Show all hidden/system files
Browse to C:\Users and CTRL-drag the Default folder to make a second (backup) copy of it
Browse to C:\Users and CTRL-drag the customized user profile to make a second copy of it
SHIFT-DEL the original Default folder
Rename the customized folder copy to Default
Create a new dummy admin and reboot/log in to test it
I've not tested this extensively yet but this seemed to work with the exception that the desktop background pic was gone leaving a black background.  I fixed this easily by re-selecting the correct background pic.
I really hope that MS restores the previous method as this seems very sketchy to me and I'd hate to have to use this in a production environment."
It seems to work, but the registry entries for shell folders are, as with Vista and W2008, also wrong: all shell folder entries have the paths from the initial user. I can fix it with a script, so this is OK.
Problems after migrating an OS to a RAID platform. How to copy the actual profile?
Can you boot into Safe Mode with Networking?
If you can, please download WAIK. We can use USMT 4.0 and save your profile with the command scanstate.exe to save your profile. Then after reinstalling, run loadstate.exe to load the profile.
If you cannot boot into Safe Mode, you may just reinstall the system without reformatting the system partition. The contents of the previous system will be saved in Windows.old folder. USMT can pick up your profile from the Windows.old folder. YOU just need to run loadstate.exe to load your profile from Windows.old after reinstalling.
Otherwise, you can try to boot into the Last Known Good configuration. If it succeeds, you can run Easy Transfer to save your profile. Then run an In-place Upgrade to repair the system. In this case you do not need to reinstall the system.
I just was able to get the COPY button ungrayed.  The key here is that after you create and customize the template user profile (the one that you're going to copy) while logged into the domain as that user, you have to REBOOT THE WORKSTATION COMPUTER before logging in as an admin to do the copying.   Logging out, and logging in as an admin doesn't do it.  You have to REBOOT.
In summary, I created a new domain user in Active Directory Users and Computers.  I did not change the default settings for where this user's profile would be stored.
I logged into the domain as this new user on a workstation.  I customized the profile (desktop settings, icons, wallpaper, etc).  I then REBOOTED THE WORKSTATION.
On that same workstation, I logged in as an administrator, right clicked on My Computer, selected Advanced, and User Profiles.
I then highlighted the Domain\username profile that I just customized and wanted to copy, and hit the Copy button.  This button was not grayed out anymore.
I then copied the profile to the \\domaincontrollername\netlogon\Default User directory. The actual profile files and folders (Application Data, Desktop, Favorites, etc.) sit inside the Default User folder (\sysvol\sysvol\yourdomainname\scripts\Default User\theprofilefiles) (the placeholder pieces will be changed to match your setup).
FYI, on my system, this Default User folder has Full Control share permissions, and Full Control NTFS permissions for Everyone, Domainname\administrator and System.
Again, the two key things that I've learned are that you can't copy a user profile if you're logged in as that user, and you have to reboot the computer between logging in as that user and logging in as the administrator to do the copying.
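The check behind that advice, as an added example that is not code from the original thread: a profile can only be copied once its hive is no longer loaded, and a plain log-off does not always release it. The script below lists the local profiles and shows, per profile, whether the hive is still mounted under HKEY_USERS and what the ProfileList RefCount says, so you can see why a given Copy To is grayed out before rebooting. It assumes Windows 7 / Server 2008 R2 with PowerShell 2.0 and an elevated prompt; no names are taken from the post.

```powershell
# Added example: which local profiles are still loaded? Assumes Win7 / 2008 R2,
# PowerShell 2.0, elevated. The Default profile has no SID and is therefore
# not listed by Win32_UserProfile.

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileLoadState {
    Get-WmiObject -Class Win32_UserProfile | ForEach-Object {
        $sid = $_.SID
        # Resolve the SID; profiles of deleted accounts keep the raw SID.
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = $sid }

        # RefCount counts the logon sessions holding the hive open. A non-zero
        # value after the user has logged off is the stuck state the thread
        # describes; only a reboot reliably clears it.
        $entry = Get-ItemProperty -Path (Join-Path $profileList $sid) -ErrorAction SilentlyContinue

        New-Object PSObject -Property @{
            Account   = $name
            LocalPath = $_.LocalPath
            Loaded    = [bool] $_.Loaded                   # hive mounted under HKEY_USERS
            HiveInHKU = Test-Path "Registry::HKEY_USERS\$sid"
            RefCount  = $(if ($entry) { $entry.RefCount } else { $null })
            Special   = [bool] $_.Special                  # SYSTEM, LOCAL SERVICE, ...
        }
    }
}

# Profiles whose hive is released: these are the candidates for Copy To.
Get-ProfileLoadState | Where-Object { -not $_.Loaded -and -not $_.Special } |
    Select-Object Account, LocalPath, RefCount | Format-Table -AutoSize

# Everything, for diagnosing a profile that stays loaded after log-off.
Get-ProfileLoadState | Sort-Object Account |
    Format-Table Account, Loaded, HiveInHKU, RefCount -AutoSize
```

A profile showing Loaded = True or HiveInHKU = True while nobody is logged on as that user is the case the posters hit: log off, reboot, and run the script again before opening the User Profiles dialog.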
Logon as a user and set the profile.
Logon as Administrator
Go to C:\Users and RENAME Default to DefaultKeep.
Rename user profile above to DEFAULT.
Logoff and back on again as an Administrator (or restart if necessary).
Go into the System Profiles and select "Default" and choose "Copy Profile". It allows you to copy the default one.  Set the permissions to "everyone" and copy to a network share.
Go back in and rename the Default one back to users name and then copy the Network Share created and call it "Default" or use the network one for setting up mandatory roaming profiles like I do.
I just tested it, and it seems to work perfectly. :)
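An added example, not code from the original post or from any of the quoted threads, that scripts the manual procedure described in the bulleted steps near the top (copy the folder, drop AppData\Local and AppData\LocalLow, load NTUSER.DAT, re-ACL the hive, unload, rename to NTUSER.MAN) as one PowerShell function and uses it twice: once for a mandatory profile on a file server and once to replace C:\Users\Default as in the rename-Default posts just above. It goes slightly beyond the steps as written: it also rewrites the Shell Folders entries that still name the source user (the wrong-paths problem noted earlier) and sets the folder ACL to match the hive. All names are assumptions: the source profile C:\Users\adrian, the account CONTOSO\adrian, the share \\fileserver\Profiles. It targets PowerShell 2.0 on Windows 7 and must run elevated after the source user has logged off and the machine has been rebooted, so that the source hive is not loaded.

```powershell
# Added example (assumed names: C:\Users\adrian, CONTOSO\adrian,
# \\fileserver\Profiles). PowerShell 2.0, run elevated, source hive unloaded.

function New-ProfileTemplate {
    param(
        [Parameter(Mandatory=$true)] [string] $Source,       # e.g. C:\Users\adrian
        [Parameter(Mandatory=$true)] [string] $Destination,  # e.g. \\fileserver\Profiles\Mandatory.V2
        [Parameter(Mandatory=$true)] [string] $OldAccount,   # account whose ACEs are removed
        [Parameter(Mandatory=$true)] [string] $Principal,    # group that gets Full Control
        [switch] $Mandatory                                  # rename NTUSER.DAT -> NTUSER.MAN
    )
    $hiveName = 'ProfileTemplate'   # temporary key name under HKEY_USERS
    $hiveFile = Join-Path $Destination 'NTUSER.DAT'

    # 1. Copy the folder. /XJ skips the compatibility junctions (Application
    #    Data, My Documents, ...) that would otherwise recurse forever.
    robocopy $Source $Destination /E /COPY:DAT /XJ /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed (exit $LASTEXITCODE)" }

    # 2. Machine-local caches must not travel with the template.
    foreach ($d in 'AppData\Local', 'AppData\LocalLow') {
        Remove-Item -LiteralPath (Join-Path $Destination $d) -Recurse -Force -ErrorAction SilentlyContinue
    }

    # 3. Mount the copied hive. This fails if the source profile is still loaded.
    reg.exe load "HKU\$hiveName" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed; is $Source still in use?" }

    try {
        # 4. Hive root DACL: purge the old user's ACEs, grant $Principal Full
        #    Control with ContainerInherit so it flows to every subkey (keys
        #    with a protected DACL, rare in a user hive, keep their own ACL).
        $oldSid = ([System.Security.Principal.NTAccount] $OldAccount).Translate(
                      [System.Security.Principal.SecurityIdentifier])
        $key = [Microsoft.Win32.Registry]::Users.OpenSubKey($hiveName,
                   [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                   [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                   [System.Security.AccessControl.RegistryRights]::ReadPermissions)
        $acl = $key.GetAccessControl()
        $acl.PurgeAccessRules($oldSid)
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $Principal,
            [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)))
        $key.SetAccessControl($acl)
        $key.Close()

        # 5. Shell-folder values still carry the source user's path; rewrite
        #    them to %USERPROFILE% (REG_EXPAND_SZ) so they resolve per user.
        $explorer = "Registry::HKEY_USERS\$hiveName\Software\Microsoft\Windows\CurrentVersion\Explorer"
        foreach ($sub in 'Shell Folders', 'User Shell Folders') {
            $path = "$explorer\$sub"
            foreach ($p in (Get-ItemProperty -LiteralPath $path).PSObject.Properties) {
                if ($p.Value -is [string] -and
                    $p.Value.StartsWith($Source + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
                    $fixed = '%USERPROFILE%' + $p.Value.Substring($Source.Length)
                    Set-ItemProperty -LiteralPath $path -Name $p.Name -Value $fixed -Type ExpandString
                }
            }
        }
    }
    finally {
        # 6. Drop .NET's handle first; an open handle makes reg unload fail.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        reg.exe unload "HKU\$hiveName" | Out-Null
    }

    # 7. Folder ACL to match the hive (this is what the "Permitted to use" box
    #    in the Copy To dialog does), then NTUSER.MAN for mandatory use.
    icacls.exe $Destination /grant "${Principal}:(OI)(CI)F" /T /Q | Out-Null
    if ($Mandatory) { Rename-Item -LiteralPath $hiveFile -NewName 'NTUSER.MAN' -Force }
}

# Mandatory roaming profile on the file server. Point the AD user's profile
# path at \\fileserver\Profiles\Mandatory (no .V2; Vista and later add it).
New-ProfileTemplate -Source 'C:\Users\adrian' -Destination '\\fileserver\Profiles\Mandatory.V2' `
    -OldAccount 'CONTOSO\adrian' -Principal 'NT AUTHORITY\Authenticated Users' -Mandatory

# Replacing the local Default profile: keep a backup first, as the posts above do.
Rename-Item -LiteralPath 'C:\Users\Default' -NewName 'DefaultKeep'
New-ProfileTemplate -Source 'C:\Users\adrian' -Destination 'C:\Users\Default' `
    -OldAccount 'CONTOSO\adrian' -Principal 'Everyone'
```

reg unload reports access denied whenever something still holds a handle to the mounted hive, which is why the key is closed and the garbage collector is run before unloading; if it still fails, close regedit and any other shell that has browsed HKEY_USERS\ProfileTemplate.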
1. Download a little freeware program called "Windows Enabler 1.1" (Google it, and download it).
(It's a handy little portable utility I keep on my thumb drive and network utilities folder. All you need is the "Windows Enabler.exe" and "EnablerDLL.dll" together in a folder.)
2. Run Windows Enabler on the Windows 7 machine, and a little blue & white icon will show up in your system tray.
3. Bring up the "Users Profile" window, and select the profile you wish to copy where the button is grayed out.
4. Click on the Windows Enabler icon in your system tray, and it should say "On"
5. Click once on the "Copy To" button, and it should un-gray the button. Click the Windows Enabler icon again to turn it off.
6. Now, you have your Copy To button working! Copy the user profiles as you normally would, and try logging in as a new user on the machine.
I tested it, and it appears fully functional. I was able to copy a profile, and log in with a new user, and everything looks good so far! :D  Windows Enabler is a great little utility to add to your collection :)
I just did the following on my computer running build 7100:
  1. Create a new user account
  2. Open up the User Profiles window and choose a user you've not logged in as since the last reboot
  3. Click Copy To... and type in \Users\accountname using the name of the account in step 1
  4. Set permissions to Everyone, then click OK
I didn't have any extra profiles set up so I copied the Default Profile over to the new account, but it should all work the same.  Only time I've ever had trouble is if I logged into the source user account before trying to copy it - that locks files as in use and only a restart will clear that up.
Also, a couple sidenotes since my last post:
The more I use Sysprep the more I like it over the traditional way we all used in XP, to the point that I'm probably going to start using the sysprep way of setting a default profile even in XP system deployments at work.  Things that need to be set differently for different departments can almost always be customized within domain GPOs, and on the default user account I've been creating "gateway" links that link to resources for each department. For example instead of adding printers to the default profile image I have a desktop shortcut labeled "Add Printer" that goes to the print server (\\printers)- People see the full company listing of printers and just double-click the printer they need to install it - no need to have separate profiles per department.  For internal websites, I just bookmark all of them, sorted into folders by department - basic security practices should keep people from getting to sites or network shares that they shouldn't be going to even though there's a link to it on their desktop.
And finally, a question about copying profiles: When copying a profile to another one and setting the permissions, what is the point? Does anyone ever set the permissions to something other than Everyone and how does that affect things?
I use the Profiles tab ALL the TIME to create Roaming Profiles because I use Mandatory Roaming Profiles.
To make a roaming profile you need to go to the Users Profile tab in the properties of Computer.
Find the profile and choose "Copy to"
In Windows 7 the "Copy To" is GREYED OUT for EVERY USER except the Default Profile. I have tried a Local User (regular) and two different domain users (regular). I have logged in as both Domain Admin and Regular Admin.
Machine has been restarted so the profiles are no longer loaded in the registry and I CAN delete them (Delete option is Available). However, I just can't "copy  to" using profile tab.
I have logged in as a Local Administrator (yes I enabled it) and also a Domain Administrator. Both have the greyed out "copy to" button. It is not a permissions issue.
It is available this way in Vista as I have done it per these Microsoft Instructions.
Create a Default Network User Profile
  1. Log on to a computer running Windows Vista with any domain user account. Do not use a domain administrator account.
  2. Configure user settings such as background colors and screen savers to meet your company standard. Log off the computer.
  3. Log on to the computer used in step 1 with a domain administrator account.
  4. Use the Run command to connect to the Netlogon share of a domain controller. For Example, the path used in the domain looks like \\HQ-CON-SRV-01\NETLOGON
  5. Create a new folder in the Netlogon share and name it Default User.v2.
  6. Click Start, right-click Computer, and then click Properties.
  7. Click Advanced System Settings. Under User Profiles, click Settings.
  8. The User Profiles dialog box shows a list of profiles stored on the computer. Click the name of the user you used in step 1. Click Copy To.
  9. In the Copy To dialog box, type the network path to the Windows Vista default user folder you created in step 5 in the Copy profile to text box. For example, the network path in the domain is \\HQ-CON-SRV-01\NETLOGON\Default User.v2.
  10. In Permitted to use, click Change. Type the name Everyone, and then click OK.
Click OK to start copying the profile. Close all remaining windows and log off the computer when the copying process is complete
The only sure-fire way I have come across so far is to use CopyProfile in unattend.xml. Log on as the user you want to use for the default profile, set up everything as you want, then, still logged in as that user, run sysprep, and thank you very much, all done. Having said that, having to learn how to use Windows System Image Manager (I think that's what it is called) is time consuming, but it is the only way so far. If you have already used WSIM with Vista you're laughing; it takes less than 5 min. Perhaps things may change with the final release?
It was definitely handy to be able to copy the profile at times.
However, I read numerous threads and articles yesterday indicating this method does not always work. This one is the most eye-opening, and I must say I found it to be true with my testing. What is also frustrating is this: the majority of businesses did not go with Vista. XP was a good OS, and still is. Now when you try learning about Windows 7, such as through videos, articles etc., you constantly hear that those of you who upgraded to Vista will have no problem upgrading to Windows 7 since they are so similar, and the ways to deploy are similar. To my knowledge many organizations did not upgrade to Vista. So if Microsoft wants businesses to upgrade to Windows 7, they have to do a much better job of educating their customers on how to upgrade from XP to Windows 7. Hey, WDS is good stuff, WAIK as well, but please explain from A to Z how the two work with Windows 7 in one lab or article. No half explanation, with references to Vista that actually don't work.
You can copy the profiles manually for mandatory profiles (haven't tested for Default User as I don't change mine). Just copy the profile you created to a new folder. Run regedit, load the profile into regedit, go to the Permissions and add Everyone = Full Control and remove the regular user. Unload the hive.
I have detailed instructions here
I did get it to work and now have Windows 7 Mandatory profiles in my domain.
The current workaround that I can think of is to download and use MDT 2010 beta.
Deploy Windows 7 x64 to the target PC.
Configure and install any software for your custom image.
Sysprep your target PC with the userid you want to use as the default profile (after applying settings you wish).
Capture the image back to the server (imagex /compress fast /flags "Ultimate" /capture d: z:\wimname.wim "description")
Create your new custom OS and task sequence.
Edit the unattend.xml  in the custom task sequence and apply following:
Pass 4 specialize, amd64_Microsoft-Windows-Shell-Setup_neutral, set "CopyProfile" to "true".
This will apply the profile settings of the user ID used to sysprep the PC to all users that log on to the target PC.
It won't let me copy any user profile except the default one.
It occurs to me that they removed it intentionally so that people customize their profiles in the most appropriate way (see KB 959753); the copy button sometimes causes problems.. (but I don't understand why they didn't remove the button).
In any case there is a portable tool called Windows Enabler that lets you enable buttons that are disabled.
If you run it with right-click "Run as administrator" and click the "Copy to..." button that shows as disabled, it works. I tried it and it works fine; that would be the solution.. but I don't know how advisable it is.
A free, simple tool called Windows Enabler.
This standalone tool can be run off a USB thumb drive and 'enables' locked menus and buttons. Basically you:
1) Download Windows Enabler
2) Save it to a thumb drive
3) Right-Click and choose "Run As Administrator" on the Windows Enabler EXE on the system you wish to copy the profile
4) Click the Notification Tray icon to turn Windows Enabler on
5) Open the USER PROFILES dialog and click on the greyed out COPY TO... button to see it become enabled.
6) Copy the profile as you used to in XP and Vista. 
Copying the profile copies the user security settings, so no, it won't work properly unless you go into the registry and reset the permissions on the key to Everyone = Full Control. Also you have to remove any user-specific settings.
The Default User in Windows 7 is also quite different from a user's profile. It contains quite a few links to all the "hidden" stuff that is there to support Windows XP (Application Data, My Documents etc.).
For total clarity, here is what I have done and it was successful using the Windows Enabler tool.  As noted, Windows Enabler does not actually install on the computer so it can easily be run off a USB thumb drive or network share to 'enable' locked menus and buttons.  Basically you:
  1. Download Windows Enabler.
  2. Save it to a thumb drive or share.
  3. On the system you need to copy a profile, Right-Click and choose "Run As Administrator" on the Windows Enabler EXE.
  4. Click the Windows Enabler Notification Tray icon to activate Windows Enabler.
  5. Open the USER PROFILES dialog and click on the greyed out COPY TO... button to see it become enabled.
  6. Copy the profile as you used to in XP and Vista.
Regarding the comment about wallpaper not copying - save the wallpaper in the PUBLIC\PICTURES folder and it will work just fine.  The profile copy function is 'smart' and doesn't copy a number of extraneous items like the contents of DOCUMENTS, PICTURES, etc which is likely why you didn't get a wallpaper after copying the profile.  By using the PUBLIC folders you don't end up with a copy of the wallpaper in each profile which is a little more space effective.
Also, if you like desktop gadgets and want to include them in your default profile you need to do the following:
* Create a folder named MICROSOFT in
* In C:\Users\Default\AppData\Local\Microsoft, copy the WINDOWS SIDEBAR folder from
(USERNAME is the user you used to create the profile you are copying to default.)
Have a look at group policy, filtering and loop back processing. You can configure alternative locations for roaming profiles using Active Directory GPO. You can then filter that GPO a number of ways. The simplest is by linking it to a specific OU(s) and it applies to only objects below it. Next is WMI filtering where it applies based on some setting/feature of the AD client. And then there is Loop Back Processing. A GPO might be inherited by an OU of containers. The GPO contains user configurations. The users are in a totally different OU. However, with loop back processing enabled the user configuration policy of the computer linked GPO will apply to users who log into those computers. That's how I've set up dedicated roaming profiles for people who logged into Terminal Servers in the past ... this isolated their TermSvcs profiles from their desktop profiles.
You will also need to do something similar if users are using both V1 profiles (XP and older) and V2 profiles (Vista and newer).
I log in as a standard non-admin user, make a couple of small tweaks, log back in as admin, copy the profile, done: 3 mins. With the manual copy method (manual copy of folder -> delete Local + LocalLow -> load ntuser.dat hive into the registry -> change perms -> unload ntuser.dat) this extends to more like 6 or 7 mins. By the time it's generalised, booted, re-specialised and added itself back to the domain, this has taken 10 to 15 minutes depending on hardware. On a one-off job, yeah, this makes no bones. Try doing this on 9 different images. It goes from 3 x 9 = 27 minutes to (taking an average) 12.5 x 9 = 107.5 minutes, that's an hour and 47 minutes!
How about going to start--all programs--accessories--system tools--windows easy transfer
In Windows XP it had a similar tool, but instead of copying the profile from one physical machine to the next, you can utilize the tool to copy the profile from one folder to another.
No luck. The problem is that we need to be able to set the default profile, and after you use the Easy Transfer wizard you must pick an existing account on the destination computer (or create a new one) to transfer to. You cannot pick the default profile or browse to the destination folder on the hard drive (i.e. C:\Users\Default).
when logged on as admin:
- make sure the enabler isn't already running
- run the enabler
- find the enabler icon in the systray
- make sure the enabler systray icon says 'ON'
- open the profile management screen
- the 'copy to...' button will still be greyed out
- click the button once.
- the 'copy to...' button should then become available (un-greyed out)
go ahead and use the 'copy to...' function as you normally would.
When you're done, exit the enabler using the systray icon
I've done this on lots of Win7 / 2008 R2 boxes without any issues.
Incidentally, I'm not using this method to modify default profiles. I'm using it mainly to copy out my customised user profiles for mandatory and roaming profile use.
Also, Matt:
I hate to rain on your parade, but I don't think that MS is particularly interested in community engagement. There's no $$$ in it for them.
From my recent experience, in this economic climate MS are really only addressing what they are seeing as 'showstoppers'
All issues and their response are being evaluated on a cost vs. benefit model.
The questions being asked are:
How serious do MS think the problem is?
How much will it costs MS to resolve this problem?
What is the cost to MS in terms of major customer loss / negative publicity?
Of the 5 issues / bugs I've reported to MS Professional Support since Win7 2008 R2 launch, so far none of them are being addressed.
Also worth noting: I had opened a PSS case for this very issue.
The MS response was exactly the same as it has been all along on this thread:
To paraphrase that:
"The feature's been disabled because copying user profiles in this way has been known to create problems in certain situations"
"There is no alternate tool that provides the same functionality"
"Ooops, yes we forgot that this function is needed to create mandatory and roaming profile templates. Sorry about that"
"The workaround to create mandatory or roaming user profile templates is to copy the profile manually and change perms on the contents of user.dat manually also"
"the only supported method to modify the 'default' profile is the 'sysprep /generalize' method"
"There is no alternate method. No fixes or alternate tools are being planned"

The command Microsoft expects you to run after putting the CopyProfile setting in your unattend.xml:

sysprep /generalize /unattend:unattend.xml

        But this also resets a lot of other stuff, and that sucks when you are making a Ghost image for a lab environment. The workaround above lets you modify the Default profile by copying any profile you have previously modified over it. It is VERY much not supported by Microsoft, but in my limited tests it seems to work.
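The unattend.xml fragment this and the earlier MDT post refer to (CopyProfile in the specialize pass of amd64_Microsoft-Windows-Shell-Setup_neutral), as an added example rather than a file taken from the original post or thread. The component attributes are the standard ones for this component; use processorArchitecture="x86" for a 32-bit image. The path C:\unattend.xml used below is an assumption.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: minimal unattend.xml that turns on CopyProfile. -->
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <!-- Pass 4 (specialize): CopyProfile makes setup overwrite the Default
       profile with the profile of the account that ran sysprep. -->
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
</unattend>
```

With the customized account still logged on, run C:\Windows\System32\sysprep\sysprep.exe /generalize /oobe /shutdown /unattend:C:\unattend.xml, then capture the image. Because /generalize strips machine-specific state (SID, activation, driver cache), this is the route for a deployment image, not for patching the Default profile on a machine you intend to keep as-is.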

