Same Profile for More than One Network User on Same Machine?

[Ken Dibble]

I've looked at all the current postings on profiles in this group and
none seems to address my particular problem:

Windows NT Server (with SP 6a) domain network and a Win 2000 SP3
workstation.

We don't use roaming profiles and I'm not trying to create one.

I have a restricted user network domain login account called "Joe" set
up on the Win 2000 box. I have set up another network domain login
account "Mary" in NT Server to log in to this box. When Mary logs in,
I want her to get Joe's profile.

None of the stuff I've seen about this actually works as I expect. I
can login to the box as Mary and get a new profile for her. I can then
log in as Administrator and copy Joe's profile to Mary's profile.
However, when I then login as Mary, I only get some aspects of Joe's
profile--that is, the desktop is mostly, but not completely, the same;
programs set to run on startup for Joe do not run for Mary, and Mary
gets various "access denied" messages when trying to access resources
that Joe can get to with no problem.

Now, I know the simplest solution would just be to let Mary have Joe's
login and password. The real-world situation is that "Joe" is going
out on extended leave and "Mary" will be taking over some of "Joe's"
duties during that leave. When "Joe" returns he could just change his
password. And if there isn't a relatively quick and simple alternate
solution, that's what I'll end up doing.

I realize there may be some complex and time-consuming hack to achieve
this. I also realize that I could spend a lot of time simply logging
in as Mary and recreating everything Joe has by hand. I'm looking for
a quick and simple solution--one that doesn't take much more time than
it would take me to give Joe's password to Mary. I'm just hoping I'm
missing something simple here.

Thanks in advance for any help.

Ken Dibble
Southern Tier Independence Center

 

[Doug Sherman [MVP]]

If you create Mary's domain user account by copying Joe's domain user
account, she should have the same access to network resources that he does.
With respect to rights to local resources on the Win2k workstation, it may
be that Joe's domain user account is a member of the machine's lbuilt-in
adminstrators group and Mary's isn't?

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP

 

[Phillip Windell]

The solution isn't to have them use the same profile. The solution is to
setup all the Apps they need to run so that those Apps work under both
profiles. As far as other files that need to be accessed that "Joe" might
have in his "My Documents" and such places,...that is a perfect example why
those things shouldn't be stored in such places, but rather should be stored
in a centralized location where permissions can be granted and revolked when
needed.

I delt with a very similar situation here today with one employee who
replaced one that isn't here anymore. They wanted the password of the guy
who's no longer here because they have it in thier head that the only way to
do "his stuff" is to log in as him.

It is just a matter of managing the network using the proper methods and
tactics. As a general rule, if something seems really hard to accomplish
and has very little or no documentation to do it, then you are probably
trying to do it the wrong way.

 

[Ken Dibble]

Thanks for replying.

Nope, Joe is a restricted user. All of the resources that Mary needs
to access but can't are on the local machine.

Ken

 

[Ken Dibble]

Thanks for your response.

In my case, the solution needs to be quick and easy.

I realize there is a one-size-fits-all "conventional wisdom" for these
things, but it doesn't meet my needs.

Issue 1-- this is a small agency whose network has grown slowly over
several years. It started before Win 2000 was a factor, and at that
time "profiles" weren't an issue. My official policy is that I don't
change everything I do every time Microsoft comes up with a new
"latest and greatest". The people who should have planned in advance
are the MS folks who came up with this cockeyed "profiles" thing in
the first place. I'm still running lots of Win 98 machines with
network-authenticated logins, and this isn't even an issue with them.
Planning an entire network in advance is a luxury that small
organizations don't have. And even if I had been able to do it, I
would not have sacrificed what I consider to be the security merits of
a decentralized system in the process.

Issue 2 - Putting everybody's stuff on a central location means that
when that location goes down, NOBODY can do ANY work. That makes
absolutely no sense to me whatsoever. And it's not just about the
servers; its about the switches and the wiring as well. As a human out
in the world dealing with countless numbers of computerized entities,
one of the most annoying, annoyingly frequent, and, to my mind, most
frequently unnecessary annoyances, is to be told by somebody that I
can't get what I need because their "system is down". In my situation,
if a person logs in before the network, or the connection to it, goes
down, they can keep working on local stuff as long as the workstation
keeps running.

Issue 3 - Putting everybody's software on a server and running it
there is an invitation to slow performance.

Issue 4 - Putting everybody's data in a central location means that if
that data is hosed, perhaps beyond recovery, EVERYBODY's data is
hosed, perhaps beyond recovery. That also makes absolutely no sense to
me whatsoever. Yes, I back up--but having to restore an entire network
before ANYBODY can do ANYTHING is ridiculous, IMO. And requiring
people to be responsible for backing up their own data has a salutary
effect on employees' sense of responsibilty and caution with regard to
how they use their workstations.

Issue 5 - Organizations use networks for different purposes; we don't
all operate on the same assumptions. Our purpose for having a network
is primarily to share internet access and internal email. We don't use
it for a lot of shared data or printing or such stuff.

Issue 6 - I don't let people set their own passwords; that just makes
it harder for me to deal with staff turnover--not to mention stuff
like not being able to diagnose and test OE because it won't download
email if you don't log in with the right account. I have a list of all
accounts and passwords under lock and key. So I can easily deal with
situations like the one you described.

Issue 7 - Everything I've read suggests that copying one profile to
another should have worked. I still don't understand why it didn't.

Ken

 

[Doug Sherman [MVP]]

Is Joe a member of a global or local group in the domain which has been
added to the the Win2k machine's built-in Administrators or Power Users
group?

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP

 

[Ken Dibble]

Joe and Mary are both members of NT Server Domain Users
NT Server Domain Users is a member of NT Server Users

On the Win2k box, no groups have been added to the Administrators or
Power Users group. Joe has a local restricted user account on this box
but does not use it; he logs on to the domain exclusively. My goal is
for Mary to log on the same way and get the same profile.

I've tried this several different ways now, starting from scratch
(having deleted any changes from previous attempts) each time:

1. Log on with my Domain Administrator account, use the Network ID
Wizard to connect to the domain and add Mary as a restricted user
without first creating a local user account for Mary. Reboot. Log on
as Mary to get a profile, log on as Administrator, copy Joe's profile
to Mary via the User Profiles tab in My Computer->Properties, log on
as Mary and expect to see all Joe's stuff. No joy.

2. Log on with my Domain Administrator account, create a local
restricted user account for Mary, then use the Network ID Wizard to
connect to the domain and add Mary as a restricted user. Reboot. Log
on as Mary to get a profile, log on as Administrator, copy Joe's
profile to Mary via the User Profiles tab in My Computer->Properties,
log on as Mary and expect to see all Joe's stuff. No joy.

3. Log on as Mary without first having created either a local or
network user account for Mary. This creates a profile for Mary. Log on
with my Domain Administrator account, copy Joe's profile to Mary via
the User Profiles tab in My Computer->Properties, log on as Mary and
expect to see all Joe's stuff. No joy.

4. Log on with my Domain Administrator account, don't create any new
users, copy Joe's profile to %SYSTEMROOT%\Documents and
Settings\Default Users via the User Profiles tab in My
Computer->Properties, log on as Mary and expect to see all Joe's
stuff. No joy.

5. Log on with my Domain Administrator account, don't create any new
users, use Windows Explorer to manually create a copy of Joe's profile
in C:\Documents and Settings and rename it "Mary". Log on as Mary and
expect to see all Joe's stuff. No joy.

In all cases, I can get out to the network as Mary but don't get a
complete copy of Joe's desktop or access to his local resources. Not
only doesn't stuff that's in Joe's StartUp folder run, the antivirus
software that's installed as a global service won't even run
automatically when I log in as Mary. I can start it from the Start
Menu but it won't run automatically the next time I log into her
account.

I'm about out of time for messing with this even as an educational
exercise, and I'm about to reach the conclusion that this thing just
doesn't work as advertised. If you have any more thoughts, though,
I'll try to make good use of them.

Thanks very much again for your help.

Ken

 

[Phillip Windell]

"latest and greatest". The people who should have planned in advance
are the MS folks who came up with this cockeyed "profiles" thing in
the first place.

They didn't come up with it. It has been that way with Unix style systems
from the begining, and before that it was "dumb terminals" that were nothing
more than a monitor and keyboard and did not store anything locally. User
Profiles is an old technique that MS finally decided was the best way to go
when they came out with NT. Linux does the same thing following after the
Unix pattern.

I'm still running lots of Win 98 machines with
network-authenticated logins, and this isn't even an issue with them.

It is also a home-user operating system with its networking abilities added
"on the side".

Planning an entire network in advance is a luxury that small

It isn't a luxery, it is a requirement,...no matter how small they are.

Issue 3 - Putting everybody's software on a server and running it
there is an invitation to slow performance.

No one is saying to do that and such a situation is rarely done.
Applications are traditionally loaded and run locally. It is only the
datastore for the Applications that are centrally located.

Issue 4 - Putting everybody's data in a central location means that if
that data is hosed, perhaps beyond recovery, EVERYBODY's data is
hosed, perhaps beyond recovery. That also makes absolutely no sense to
me whatsoever. Yes, I back up--but having to restore an entire network
before ANYBODY can do ANYTHING is ridiculous, IMO.

You are not backing up and restoring a "network". It is only a single
machine and very often only the stored files themselves need restored.
Server hardware is built more studier and is much less likely to fail than a
simple desktop machine and running a backup tape on a schedule is much more
dependable than hopping that all the users remeber to make copies of all
their stuff everytime on every machine and put it in a safe place. At our
place,...we do both,...most is centrally stored,..I back it up to tape,..and
users who depend on it the most burn some things to CD periodically

Issue 5 - Organizations use networks for different purposes; we don't
all operate on the same assumptions. Our purpose for having a network
is primarily to share internet access and internal email. We don't use
it for a lot of shared data or printing or such stuff.

....and that is why your management task will become more unmanagable and
solutions will become more difficult to "invent",...as you are now seeing.

Issue 6 - I don't let people set their own passwords; that just makes
it harder for me to deal with staff turnover--not to mention stuff
like not being able to diagnose and test OE because it won't download
email if you don't log in with the right account. I have a list of all
accounts and passwords under lock and key. So I can easily deal with
situations like the one you described.

I do exactly the same here because that is the way they want it done, and I
do tend to like it that way. But don't say that too load, there are some
strange guys in the "security" group that might hear you and they'd come
over here and beat us both to death with their bare hands.

Issue 7 - Everything I've read suggests that copying one profile to
another should have worked. I still don't understand why it didn't.

No there is no way that would have worked unless Joe is gone forever and all
his "suff" is now going to reside permanently under this other user's
profile. I don't mean it in an offensive way, but I believe your concepts of
how a network should be designed and what the pros & cons are of each method
is not acuarte.

 

[Ken Dibble]

They didn't come up with it. It has been that way with Unix style systems
from the begining, and before that it was "dumb terminals" that were nothing
more than a monitor and keyboard and did not store anything locally. User
Profiles is an old technique that MS finally decided was the best way to go
when they came out with NT. Linux does the same thing following after the
Unix pattern.

I stand corrected on who invented them.

However, I contend that they are both inconvenient and unnecessary at
times, and a wiser design would have been to provide a way to dispense
with them as needed.

It is also a home-user operating system with its networking abilities added
"on the side".

I consider this to be irrelevant since it has done everything I've
asked of it for many, many years. Ideally, I would like an OS with the
simplicity of 98 and the stability of NT server, but that's not
available in the Windows world, and Linux isn't ready for an
organization of basically computer-illiterate users.

It isn't a luxery, it is a requirement,...no matter how small they are.

It's an impossibility in the real world to plan in advance for what
Microsoft decides to do 3 or 5 or 10 years hence.

No one is saying to do that and such a situation is rarely done.
Applications are traditionally loaded and run locally. It is only the
datastore for the Applications that are centrally located.


You are not backing up and restoring a "network". It is only a single
machine and very often only the stored files themselves need restored.
Server hardware is built more studier and is much less likely to fail than a
simple desktop machine and running a backup tape on a schedule is much more
dependable than hopping that all the users remeber to make copies of all
their stuff everytime on every machine and put it in a safe place. At our
place,...we do both,...most is centrally stored,..I back it up to tape,..and
users who depend on it the most burn some things to CD periodically

It's not just servers, its wiring and switches. I've never had a
server fail, but I've had the "network" or some node of it fail
frequently--and that will keep people from accessing their centralized
data just as surely as if the server had died.

...and that is why your management task will become more unmanagable and
solutions will become more difficult to "invent",...as you are now seeing.

Nah--I'll just give Mary Joe's password and change Joe's when he comes
back. Very simple.

I do exactly the same here because that is the way they want it done, and I
do tend to like it that way. But don't say that too load, there are some
strange guys in the "security" group that might hear you and they'd come
over here and beat us both to death with their bare hands.

No there is no way that would have worked unless Joe is gone forever and all
his "suff" is now going to reside permanently under this other user's
profile. I don't mean it in an offensive way, but I believe your concepts of
how a network should be designed and what the pros & cons are of each method
is not acuarte.

Well, I'm not sure that's true. It certainly does work if both users
are Administrators; I just did it on my development machine a week
ago. The other person who replied here seems to think it should have
worked. Mark Minasi seems to think it should work--and even if copying
one restricted user's profile to another can't work, then copying
Joe's profile to Default User before Mary ever logged on should have
worked.

Ken

 

[Phillip Windell]

Yeah, I know about those guys. <g>

They really been on the rampage today...

Well, I'm not sure that's true. It certainly does work if both users
are Administrators; I just did it on my development machine a week
ago. The other person who replied here seems to think it should have
worked. Mark Minasi seems to think it should work--and even if copying
one restricted user's profile to another can't work, then copying
Joe's profile to Default User before Mary ever logged on should have
worked.

It will give Mary the file Joes may have stored. The problem is that you now
have two copies of them and when Mary changes one it only changes hers and
has no effect on Joe's so now you have two versions of the same file and
they are out of sync with each other.

I was thinking after the last post,...here's what I would do in that
situation assuming both users are logging into the same physical machine.
This is the closest I can think of to being like Win98 would be:

1. Get all the required Applications to work for each user that is going to
log on. At the very *worse* this simply means you have to reinstall the App
over the top of itself once for each user while being logged in as that
user. We have one Application like that, but most arent' that bad.

2. Teach the users to *not* save files in "My Documents" and *not* to save
them directly on the Desktop, both of which are user specific, but rather
create a folder on the machine that all users can get to,...like maybe
"C:\CompanyDocuments".

Now no matter which user logs in all the applications they need will work
them and they will all look to the same place for stored documents. You will
now also have things "self-contained" on one machine according to the best
of my understanding of what you want it to be. You can repeat this process
on whatever other machines might be in the same situation.

Now I think that XP Pro might have a unified login feature that would be
similar to the behavior of Win98, but I haven't done it and so am not sure
what can really be done and how it would really behave.

 

[Doug Sherman [MVP]]

When you are dealing with profiles for members of the local users group
(this includes the domain users group), copying and renaming through Windows
Explorer will not give the target user all the source user's settings unless
they are also a member of the built-in administrators group. You should be
able to do this successfully with the copy profile tool in My Computer
Properties provided you use the 'Permitted to use' button to change
permissions. Did you change permissions when you used the tool to copy
Joe's profile?

Dopug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP

 

[Phillip Windell]

Properties provided you use the 'Permitted to use' button to change
permissions. Did you change permissions when you used the tool to copy
Joe's profile?

What are the ramifications of that "Permitted to use" button? When and in
what way did MS intend for it to be used? That thing has always been a bit
fuzzy to me on what I would really do with it.

 

[Ken Dibble]

It will give Mary the file Joes may have stored. The problem is that you now
have two copies of them and when Mary changes one it only changes hers and
has no effect on Joe's so now you have two versions of the same file and
they are out of sync with each other.

This is the crux of the matter, actually. I had not thought about
this. As long as this is the case, there's not much point in even
pursuing this strategy--especially since I actually need to give two
different people access to this machine during "Joe's" leave.

I was thinking after the last post,...here's what I would do in that
situation assuming both users are logging into the same physical machine.
This is the closest I can think of to being like Win98 would be:

1. Get all the required Applications to work for each user that is going to
log on. At the very *worse* this simply means you have to reinstall the App
over the top of itself once for each user while being logged in as that
user. We have one Application like that, but most arent' that bad.

2. Teach the users to *not* save files in "My Documents" and *not* to save
them directly on the Desktop, both of which are user specific, but rather
create a folder on the machine that all users can get to,...like maybe
"C:\CompanyDocuments".

Now no matter which user logs in all the applications they need will work
them and they will all look to the same place for stored documents. You will
now also have things "self-contained" on one machine according to the best
of my understanding of what you want it to be. You can repeat this process
on whatever other machines might be in the same situation.

This would be a good idea for the future and I may implement it.

Thanks for all your help.

Ken

 

[Ken Dibble]

For reasons I stated in the other thread--that is, that in the current
situation changes to documents and data in one user's profile won't be
transmitted to the same documents or data in the other profiles--I'm
giving up on this.

And as you note, this wouldn't work anyway unless everybody's an
Administrator.

FWIW, I did try to change the Permitted to Use value, without success.

I'll just give the people who have to use Joe's machine Joe's
password, and have Joe change it when he comes back.

Thanks for all your help.

Ken

 

[Phillip Windell]

I think storing the files on a centralized location on the hard-drive
instead of in the user's profile is the best bet, as I mentioned in the
other post. Dividing different files into different subfolders will allow
varying permissions to be given to them easily.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com