[Samba] ntuser.dat

Ed Plese ed at edplese.com
Wed Feb 7 02:32:51 GMT 2007


On Tue, Feb 06, 2007 at 01:42:07PM -0600, Keith Lynn wrote:
> What are the implications of locking the ntuser.dat file on the user's 
> server profile? That is, if I make the ntuser.dat file read-only, what 
> effects will that have on the client?

When a user logs in and doesn't have a local profile already on the
machine, Windows will copy the ntuser.dat file as part of the initial
profile that is used for the user.  Once copied to the client machine,
the ntuser.dat is then writable.  In most (and likely almost all) cases,
the ntuser.dat is already read-only on the server because you don't
want a user to modify the default profile for every new user.

That being said, I'm guessing that it's not even possible to load a
registry hive (in this case ntuser.dat) as read-only in Windows.

If your goal is to try to prevent modifications to the user profile,
what I've found works quite well is the following:

 1. Set it up to pull the default profile from the server when a user logs
    in (this is usually the default if roaming profiles aren't set up).
 2. Run a script every time the client starts up to delete every local user
    profile (everything in C:\Documents and Settings except for certain
    system user profiles).
 3. Automatically shut down computers at night to enforce that the
    script to delete the profiles runs at least daily, plus it saves power.

Obviously there are tradeoffs with this method but I find it to work
exceedingly well.  Users can still make changes to the settings which
are not locked out by Group Policies but they are completely restored
to their defaults every time the computer is restarted.


Ed Plese
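
An added example, not part of the original message: a sketch of the startup script from step 2, written in PowerShell as this example's own choice. The keep-list names, the `-Delete` switch and the dry-run default are assumptions; adjust the keep-list to the system profiles present on your clients.

```powershell
# Added example: startup script that clears local user profiles (step 2 above).
# Assumptions (not from the original post): the keep-list names and the dry-run default.
param(
    [string]$ProfileRoot = 'C:\Documents and Settings',
    [string[]]$Keep = @('All Users', 'Default User', 'LocalService',
                        'NetworkService', 'Administrator'),
    [switch]$Delete   # without -Delete the script only reports what it would remove
)

function Get-RemovableProfile {
    param([string]$Root, [string[]]$KeepList)
    # -Force includes hidden directories such as "Default User".
    Get-ChildItem -LiteralPath $Root -Force |
        Where-Object { $_.PSIsContainer } |
        # -notcontains compares names case-insensitively.
        Where-Object { $KeepList -notcontains $_.Name } |
        # Skip junctions/reparse points so deletion never follows a link out of the root.
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) }
}

if (-not (Test-Path -LiteralPath $ProfileRoot -PathType Container)) {
    Write-Error "Profile root not found: $ProfileRoot"
    exit 1
}

$failed = 0
foreach ($dir in Get-RemovableProfile -Root $ProfileRoot -KeepList $Keep) {
    if (-not $Delete) {
        Write-Output "Would delete: $($dir.FullName)"
        continue
    }
    try {
        Remove-Item -LiteralPath $dir.FullName -Recurse -Force -ErrorAction Stop
        Write-Output "Deleted: $($dir.FullName)"
    } catch {
        # A profile whose ntuser.dat is still loaded cannot be removed; record it and move on.
        $failed++
        Write-Warning "Could not delete $($dir.FullName): $($_.Exception.Message)"
    }
}
exit $failed   # non-zero exit code = number of profiles that could not be removed
```

Run it first without `-Delete` to review the list, then deploy it as a machine startup script so it executes before any user hive is loaded.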

