Microsoft Enterprise Platforms Support: Windows Server Core Team
Today’s blog is going to cover some issues around customizing default user profiles when deploying Windows. There are a number of resources available on the CopyProfile topic.
I wanted to add some additional points around this topic to help with your deployments:
How you use CopyProfile depends on how the image is created and how it is deployed. Some of the common scenarios are listed below:
Manual build of image (not recommended)
If you are building the image manually you should follow these basic steps
If you use ConfigMgr to deploy this image, you do not need to do anything special in ConfigMgr to get CopyProfile to work, so you do not need to modify any unattend settings in the task sequence.
Use MDT 2010 to build the image and to deploy the image
Note: If you are using MDT 2010, I would recommend upgrading to MDT 2010 Update 1 because there have been a number of fixes in the sysprep and capture task sequence. You must always re-create your sysprep and capture task sequence after installing Update 1 in order to get these fixes.
Because MDT runs setup.exe to apply an image (instead of just using imagex to apply it) the following outlines the steps required
Note: If you use MDT 2010 to capture the image, it does not capture the Windows\Panther folder, so if you were to deploy it manually using imagex, WDS, or some other method, CopyProfile would not execute. It would be better to manually capture the image using imagex if you are not going to deploy it with MDT.
Use MDT 2010 to build the image and capture it then use ConfigMgr to deploy the image
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <CopyProfile>true</CopyProfile>
        </component>
    </settings>
    <cpi:offlineImage cpi:source="catalog:c:\flat\install_windows 7 enterprise.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
Note: I would not recommend copying/pasting the example since you need to account for different architectures.
If you use the ConfigMgr capture media to capture the image instead of MDT 2010 you should follow steps 2-5.
The benefit of specifying the unattend.xml in this manner is that the file is located outside the image and is easy to update or change.
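A pre-deployment check for the answer file described above, as an added PowerShell example that is not part of the original post: it confirms that CopyProfile is set in the specialize pass and that the component's processorArchitecture matches the image being deployed. The function name Test-CopyProfile and the sample answer file are constructed for illustration.

```powershell
# Added example: Test-CopyProfile and $sample are constructed for illustration.
function Test-CopyProfile {
    param(
        [Parameter(Mandatory = $true)] [xml] $Unattend,
        [Parameter(Mandatory = $true)] [ValidateSet('x86', 'amd64')]
        [string] $TargetArchitecture
    )
    $ns = New-Object System.Xml.XmlNamespaceManager($Unattend.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    # CopyProfile is a Microsoft-Windows-Shell-Setup setting in the specialize pass.
    $xpath = "/u:unattend/u:settings[@pass='specialize']" +
             "/u:component[@name='Microsoft-Windows-Shell-Setup']"
    $rows = @(foreach ($c in $Unattend.SelectNodes($xpath, $ns)) {
        $node  = $c.SelectSingleNode('u:CopyProfile', $ns)
        $value = if ($null -ne $node) { $node.InnerText.Trim() } else { '' }
        $arch  = $c.GetAttribute('processorArchitecture')
        [pscustomobject]@{
            Architecture = $arch
            CopyProfile  = $value
            # Setup only processes a component whose architecture matches the image.
            Effective    = ($arch -eq $TargetArchitecture) -and ($value -eq 'true')
        }
    })
    [pscustomobject]@{
        TargetArchitecture = $TargetArchitecture
        Components         = $rows
        WillCopyProfile    = [bool]($rows | Where-Object { $_.Effective })
    }
}

# Constructed sample: an answer file that only carries the amd64 component.
$sample = [xml]@'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
</unattend>
'@

Test-CopyProfile -Unattend $sample -TargetArchitecture amd64
Test-CopyProfile -Unattend $sample -TargetArchitecture x86
```

To check a real file, pass `([xml](Get-Content -Raw <path to unattend.xml>))` as `-Unattend`; a False `WillCopyProfile` for the architecture you deploy means the component needs to be added for that architecture.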
Hopefully this helps to explain more around this issue. If a specific customization is not copied as part of the CopyProfile process, I would encourage readers of this blog to post the exact setting that was lost. We would also need the exact steps used to configure the setting so we can evaluate the impact of this issue.
Scott McArthur
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support
Thanks for the info . . . much appreciated.
Thanks for the great post. Correct me if I'm wrong, but it appears that if IIS is enabled and the ASP.net service/local account (Classic .NET AppPool) is created, during the specialization stage sysprep will kick off iissyspr.dll, which updates the ntuser.dat file. Then the copy profile task runs, which in turn will use the Classic .NET AppPool account instead of the admin accounts because of the latest timestamp.
BTW, the logs indicating the IIS specialization are located at c:\windows\Panther\setupact.log and the shell unattend copy profile logs are located at c:\windows\Panther\UnattendGC\setupact.log. Based on my findings from the datetime entries in those 2 log files and the datetime stamp of the ntuser.dat file in the service account. Is there a workaround for this (other than removing IIS features and/or deleting that account)?
I too am seeing this issue. Did you find a workaround?
I thought maybe a sysprep provider could be written to touch the NTUSER.DAT hive under \Administrator by executing under 'SysprepExternalProviders' in the registry. It looks like these providers are run after the main providers. I would be interested in another solution, aside from this (messy solution).
Great rundown. Thanks.
As a matter of interest, I posted the following at the Sysinternals Forums:
Ed Bott makes the following comment;
"She [Gina Trapani] recommends that you disable UAC while you’re getting set up initially and installing programs. Not a good idea, as you’ll discover if you try it. User settings for some programs go in different places, depending on whether UAC is on or off. If you install with UAC off and then turn it back on, some of your programs might get confused."
If programs are installed by the built-in administrator, and then Sysprep is run with the CopyProfile setting set to true in unattend.xml, will this not result in a *different* default profile being created than if the programs had been installed by an admin running in Admin Approval Mode? That is, %localappdata%\virtualstore will likely not have the same contents in each case. Are you aware of this causing problems?
This method works and if you need to make sure your systems are MS compliant, the sysprep method is below the non-sysprep method.
Create "Test" or "Setup" account
Make group policy changes
Computer Config > Administrative Templates > System > User Profiles >
Only Allow User Profiles = Enabled
Set Roaming Profile Path for all users logging onto this computer = Disabled
Prevent Roaming Profile changes from propagating to the server = Enabled
Customize the Test or Setup account
Enable built-in Administrator account
Log on as Administrator
Install RichCopy from Technet - robocopy may work also
Use Explorer to unhide system files and folders
Use RichCopy to copy the profile from the account used to implement customizations to "Default User"
Join machine to the domain
Log on domain user and all customizations should be applied to the users' profile
Sysprep Method - We may want to use this method because this method should be fully supported by MS
Login as the setup account
Enable Administrator Account
Go to Manage Users
Delete Setup account and any other accounts that have a profile folder and choose "delete files"
Make reg changes necessary to join Samba domain
3 .reg files located in root of ITS share = Win7-Hotfixes
Delete .reg files after applying them
Make group policy changes necessary for IMSA domain
Complete all customizations
Copy validated answer file to C: root
Go to windows\system32\sysprep
Right click while holding shift and choose "open command window here"
Run "sysprep.exe /oobe /generalize /unattend:c:\yourunattendfile.xml"
Once the system reboots go through whatever portion of mini-setup your answer file dictates
Log on as a domain user
Basic look and feel customizations should have been applied from the local Default User profile
How can I copy a certain profile if I have many user profiles on the PC?
Hello Mr. Scott, please answer this one question? Can I run sysprep without the "/generalize..." if I plan to go back to this .wim to make changes? I am doing a manual build and have run into many many errors - you see HANNAH all over the place... asking questions about sysprep - I found one gentleman suggesting not to generalize until you are ready to deploy... do not generalize while making changes to your install in audit mode...
Is this something I can try - stuck for weeks now!
Please help this HANNAH in need!