Configuring default settings for Windows image deployment
This topic has come up many times during both Microsoft internal discussions and during discussions with customers. This post is my attempt to collect my experiences on the topic together in one place. What inspired me to blog at this time was the RTM of Windows Server 2008 which will add another option for configuring default settings without additional cost and without requiring a full Windows Server 2008 infrastructure. This new option may be the best way to manage default settings yet.
Anyone who has been doing operating system deployments long enough has had to deal with configuring default settings for users that log on to the computer after the image is deployed. Some examples of these are folder settings, desktop wallpaper, and screen saver options. Most of these will be initial settings for user preferences that users will be able to change (unlike policies which are enforced). This is done so that users will have a consistent, known experience when logging on to any client computer for the first time.
This can be done in a number of ways. Below are the methods I have seen or used and my opinion as to the pros and cons of each.
A. Manual or scripted copy of a configured profile over the Default User profile
The traditional solution for this (developed during the Windows NT Workstation days) was to configure the Administrator account (or another designated account) with the settings, then copy the Administrator (or designated account) user profile over the Default User profile. This is documented in numerous Knowledge Base articles:
How to add customized user settings when you run Sysprep in Windows 2000
http://support.microsoft.com/?id=291586
HOW TO: Create a Custom Default User Profile
http://support.microsoft.com/?id=305709
325364 HOW TO: Create a Custom Default User Profile in the Windows Server 2003 Family
http://support.microsoft.com/?id=325364
156568 How to Assign the Administrator Profile to Other Users
http://support.microsoft.com/?id=156568
A tool was even created to script this process during unattended installations of Windows XP (CopyProfile tool):
http://www.microsoft.com/downloads/details.aspx?FamilyID=ed182a96-f3a6-4fdd-862b-1ae03dc130c1&DisplayLang=en
However, there are problems with using this procedure. These issues include:
1. It is a very old procedure from NT4, when the shell was much simpler. The shell is more complicated for Windows 2000 and higher.
2. The process seems to work but you will find subtle problems. Windows XP and Windows Server 2003 have made those subtle problems more visible. This process will copy settings that should not be copied to the default user profile such as:
a. Their list of most frequently run programs
b. Whether the user has been introduced to the Start menu (will be set to TRUE for the source account, but should be FALSE for new users). Windows Explorer does some special things the first time you log on to introduce you to the Start menu and other new features.
c. Whether the user is an administrator (and should therefore see the Administrative Tools, etc).
d. The personalized name for “My Documents” will be incorrect. All users' documents folders will be called “Administrator's Documents”. This is documented in the Knowledge Base article “The Desktop.ini File Does Not Work Correctly When You Create a Custom Default Profile” (http://support.microsoft.com/?id=321281).
e. The default download directory for IE will be set to the Administrator's Desktop folder.
f. The default Save and Open locations for some applications will point to the Administrator's documents folder.
3. Sysprep may cause some settings to go back to defaults.
Because of these issues, I believe this process should be discouraged.
B. Automated profile copy after Sysprep
First introduced in Windows XP Service Pack 2 (http://support.microsoft.com/?id=887816), Minisetup was modified so that it will copy customizations from the local administrator account to the default user profile. Windows Server 2003 and Windows Vista will also do this with the proper entries in the answer file.
Update: Windows XP Service Pack 3 changes the default behavior for the automated profile copy. See this post for details.
This was designed to avoid the problems with method A and is already automated. However, as many have found, this does not propagate all settings to Default User and there is no known documentation as to what will and will not be propagated. And it is difficult to determine if a setting did not carry over to a new user because it was considered inappropriate (i.e. not copied to Default User by design) or is being reset by Minisetup/Specialize or first logon processes.
C. Targeted changes to the Default User Registry hive and profile folders
I have used this method in the past to avoid the issues of methods A and B. It can be described as follows:
1. Identify the needed Registry changes. Then use a tool like Reg.exe or KiXtart to load the Default User hive into a temporary location into the Registry, write only the needed settings, and then unload the hive. The Knowledge Base article “How to run a logon script one time when a new user logs on” (http://support.microsoft.com/?id=284193) shows how to do this manually. This can be scripted for an unattended installation using Reg.exe as shown in this example (these lines may wrap due to page width):
:: ***** Configure Default User
:: *** Load Default User hive
reg load "hku\Test" "%USERPROFILE%\..\Default User\NTUSER.DAT"
:: *** Disable Desktop Cleanup
reg add "hku\Test\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz" /v NoRun /t REG_DWORD /d 1 /f
:: *** Unload Default User hive
reg unload "hku\Test"
2. Copy only needed files or shortcuts to the Default User profile folder.
This has worked without issue at many customers and has the advantage that all changes to Default User are known and predictable. However, this requires that all changes be reduced to “scriptable” items (i.e. Registry or file system changes, no manual configuration).
To get this method to work on Windows XP SP2, you have to install the hotfix from this KB article: http://support.microsoft.com/?kbid=887816. You will have to request this from Customer Support. This hotfix reverts XP to not doing the profile copy by default. You would then do the Default User hive registry edit before Sysprep runs. (I never understood why they made the new profile copy the default with no built-in way to disable it. The Windows team saw the error of their ways with Windows Server 2003 and Windows Vista, which have to have the profile copy enabled in the answer file.)
D. Local logon script in the RunOnce Registry key
This is documented in “How to run a logon script one time when a new user logs on” (http://support.microsoft.com/?id=284193). This manual process can be scripted with reg.exe.
There are several advantages to using a script in the default user RunOnce key. It completely avoids the effects of Sysprep, CopyProfile, Minisetup/Specialize, and first logon processes. Also, if the default initial user settings need to be changed after deployment, only the script file needs to be updated (instead of having to script a load/unload of the default user hive and fix multiple settings). Finally, it is easy to “reset” a user’s settings to the defaults because the script can be kept up to date and present on every box through software distribution or Computer Startup Scripts. This method also requires that all changes be reduced to “scriptable” items.
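The following batch file is an added example, not part of the original post or the KB article. It registers a first-logon script in the Default User RunOnce key with Reg.exe and always unloads the hive, even when the write fails. The mount point HKU\DefUser, the value name SetDefaults, and the script path are assumptions; because the command runs in the context of every new user, the script should be stored where only administrators can modify it.

```bat
@echo off
setlocal
:: Added example. Assumed names: HKU\DefUser, SetDefaults, and the script path.
:: The hive path is the Windows XP layout used in the Reg.exe example above.
:: Run as an administrator during the image build.
set "HIVE=%USERPROFILE%\..\Default User\NTUSER.DAT"
set "MOUNT=HKU\DefUser"
set "SCRIPT=%SystemRoot%\Setup\SetDefaults.cmd"

:: Refuse to register a script that is not actually in the image.
if not exist "%SCRIPT%" (
    echo ERROR: "%SCRIPT%" is missing. RunOnce entry not written.
    exit /b 1
)

:: *** Load Default User hive
reg load "%MOUNT%" "%HIVE%"
if errorlevel 1 (
    echo ERROR: could not load the Default User hive.
    exit /b 1
)

:: *** Register the script; each new profile inherits this value and runs it once
reg add "%MOUNT%\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v SetDefaults /t REG_SZ /d "\"%SCRIPT%\"" /f
set "RC=%errorlevel%"

:: *** Unload Default User hive, even if the write failed
reg unload "%MOUNT%"
if errorlevel 1 set "RC=1"

exit /b %RC%
```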
E. Local or Domain GPO logon script
A Group Policy logon script can be used to set “default settings” once by having the script set a flag after it first runs (perhaps an HKCU Registry entry) that it will look for and exit if found on subsequent runs. A Domain logon script has the added benefit of being centrally managed. This method also has the same advantages as method D. This method also requires that all changes be reduced to “scriptable” items.
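A logon script that follows this run-once pattern could look like the batch file below. It is an added example, not from the original post; the flag key HKCU\Software\Contoso\InitialDefaults and the value name Applied are assumptions, and the one setting it writes is the Desktop Cleanup value from the Reg.exe example in method C.

```bat
@echo off
setlocal
:: Added example. The flag key and value name are assumptions.
set "FLAGKEY=HKCU\Software\Contoso\InitialDefaults"

:: reg query returns 0 when the value exists, meaning the defaults
:: were already applied for this user on an earlier logon.
reg query "%FLAGKEY%" /v Applied >nul 2>&1
if not errorlevel 1 exit /b 0

set "FAILED=0"

:: Initial settings go here, written to the user's own hive (HKCU).
:: *** Disable Desktop Cleanup
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz" /v NoRun /t REG_DWORD /d 1 /f >nul
if errorlevel 1 set "FAILED=1"

:: Set the flag only if every setting was written, so a failed run is
:: retried at the next logon instead of being skipped.
if "%FAILED%"=="0" reg add "%FLAGKEY%" /v Applied /t REG_DWORD /d 1 /f >nul

exit /b %FAILED%
```

Because the flag lives in HKCU, a user can delete it; the only effect is that the defaults are applied again at the next logon.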
F. Group Policy Preferences
Group Policy preferences will ship as part of the Group Policy Management Console (GPMC) in Windows Server 2008. An updated GPMC will be provided as a separate download to run on Windows Vista with Service Pack 1. GP preferences consist of more than 20 Group Policy extensions that expand the range of configurable settings within a Group Policy object (GPO). Many of these extensions can configure settings that are commonly configured as default settings in a desktop image. Unlike policies, GP preferences can be changed by the user in most cases. Also, GP preferences can be configured to “apply once and do not reapply”. This allows them to behave exactly like initial default settings configured in an image but has the benefit of being centrally managed and updated.
GP preferences cover many of the areas where default settings are usually configured such as:
· Environment Variables
· Files
· Folders
· INI File Settings
· Registry
· Shortcuts
· ODBC Data Sources
· Folder Options
· Internet Settings
· Local Users and Groups
· Network Options
· Power Options
· Regional Options
· Scheduled Tasks
· Start Menu
The main disadvantages of GP preferences are that they require either Windows Server 2008 or the Remote Server Administration Tools (RSAT) update for Windows Vista with Service Pack 1 to manage them, and that client-side extensions (CSEs) have to be installed for Windows Vista RTM, Windows XP with Service Pack 2, and Windows Server 2003 with Service Pack 1 or higher. For those still managing Windows 2000 images, you will have to use one of the previous methods mentioned since GP preferences will not work on Windows 2000.
I believe that GP preferences will likely be the best way to manage this going forward. Simply create GPOs using GP preferences, target them as needed, install the CSEs into the image(s) as needed, and you no longer need to worry about configuring these settings in the client image(s).
For information about Group Policy preferences see the following web resources:
Group Policy Preferences Overview
http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790
Group Policy Preferences Frequently Asked Questions (FAQ)
http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/preferencesfaq.mspx
This post was contributed by Michael Murgolo, a Senior Consultant with Microsoft Services, U.S. East Region.