
Windows in a networked environment

The most common way a Windows PC is configured when run in a networked environment has some great holes in it:

User Profiles

The first of these is a horrendous waste of resources and a security leak. A user that uses many different client machines ends up leaving "droppings" on each machine in %WINDIR%\Profiles\<username>. This not only fills up the hard drive; the files can also be examined by other users.

Some of the PCs where I work are regularly used by 40 or 50 different users, and these users regularly use over a dozen different client machines. Some of these machines had more than half of a 2Gb hard drive filled with user profile information, and it was taking one user over half an hour to log on, such was the quantity of crap that was being thrown over the network onto the client machine.

Configuring users' pathnames to refer to their network home area fixes this. The relevant registry folders are

I set up my users' profiles so their home areas are arranged as follows. Our server allocates drive H: to the user's home area.
H:\Config - Configuration settings, etc.
  H:\Config\AppData
  H:\Config\Desktop
  H:\Config\Favourites
  H:\Config\History
  H:\Config\NetHood
  H:\Config\Recent
  H:\Config\Start Menu
  H:\Config\SendTo
H:\Docs   - Documents folder, often set to "My Documents"
H:\Temp   - Temporary files
  H:\Temp\Cookies
  H:\Temp\Internet
  
I set the registry entries as follows:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo"="H:\\Config\\SendTo"
"Recent"="H:\\Config\\Recent"
"Desktop"="H:\\Config\\Desktop"
"Programs"="H:\\Config\\Start Menu\\Programs"
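; A "name"="value" line stores a literal string, so %windir% is not expanded;
; the two local paths below assume Windows is installed in C:\Windows.
"Fonts"="C:\\Windows\\Fonts"
"Personal"="H:\\Docs"
"Favorites"="H:\\Config\\Favourites"
"NetHood"="H:\\Config\\NetHood"
"PrintHood"="H:\\Config\\PrintHood"
"Templates"="C:\\Windows\\ShellNew"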
"AppData"="H:\\Config\\AppData"
"Start Menu"="H:\\Config\\Start Menu"
"Startup"="H:\\Config\\Start Menu\\Programs\\Startup"
"Cache"="H:\\Temp\\Internet"
"Cookies"="H:\\Temp\\Cookies"
"History"="H:\\Config\\History"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"AppData"="H:\\Config\\AppData"
"Desktop"="H:\\Config\\Desktop"
"Favorites"="H:\\Config\\Favourites"
"NetHood"="H:\\Config\\NetHood"
"PrintHood"="H:\\Config\\PrintHood"
"Recent"="H:\\Config\\Recent"
"SendTo"="H:\\Config\\SendTo"
"Start Menu"="H:\\Config\\Start Menu"
"Programs"="H:\\Config\\Start Menu\\Programs"
"Startup"="H:\\Config\\Start Menu\\Programs\\Startup"
"Cache"="H:\\Temp\\Internet"
"Cookies"="H:\\Temp\\Cookies"
"History"="H:\\Config\\History"
"Local AppData"="H:\\Config\\Local\\AppData"
"Personal"="H:\\Docs"

This can be downloaded as the file Paths.reg. Once a user's paths have been changed to point to their networked home area, everything in %WINDIR%\Profiles\<username> can be deleted. In future, only two user configuration files will get copied in there on logon.
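Before deleting the local profile directories it is worth checking that no shell folder still points at the local disk, since anything left there stays readable by the next user of the machine. The following audit of a REGEDIT4 export is an added example, not part of Paths.reg or the original page; the sample text, the user name jsmith and the list of folders allowed to stay local are constructed assumptions.

```python
import re

# Constructed sample (not the page's Paths.reg); two entries are deliberately wrong.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop"="H:\\Config\\Desktop"
"Personal"="H:\\Docs"
"Cookies"="C:\\WINDOWS\\Profiles\\jsmith\\Cookies"
"Templates"="C:\\%windir\\ShellNew"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"="H:\\Config\\Desktop"
"Personal"="H:\\Documents"
"Cookies"="H:\\Temp\\Cookies"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
LOCAL_OK = {"Fonts", "Templates"}  # assumption: system folders left on the local disk

def parse_reg(text):
    """Return {key path: {value name: unescaped string}} for "name"="value" lines."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def audit(text, home_drive="H:"):
    """Return (key, value name, problem) for entries that defeat the redirection."""
    by_leaf = {k.rsplit("\\", 1)[-1]: v for k, v in parse_reg(text).items()}
    findings = []
    for leaf, values in by_leaf.items():
        for name, path in values.items():
            if "%" in path:  # a "name"="value" line is stored as a literal string
                findings.append((leaf, name, "unexpanded variable"))
            elif name not in LOCAL_OK and not path.upper().startswith(home_drive.upper()):
                findings.append((leaf, name, "not on home drive"))
    shell, user = by_leaf.get("Shell Folders", {}), by_leaf.get("User Shell Folders", {})
    for name in sorted(shell.keys() & user.keys()):
        if shell[name].lower() != user[name].lower():
            findings.append(("both", name, "keys disagree"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(*finding, sep=": ")
```

Run it against an export of a user's Explorer key taken after importing the settings; an empty result means every redirected folder is on the home drive and the two keys agree.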

Logging Off

By default, Windows leaves the user's login id visible in the logon dialogue box after logging off, even after shutting down. This is a security leak, as well as a help-desk annoyance. The majority of the "I can't log on" calls tend to be because a user is entering their own password when somebody else's user id is still present. These users have allowed themselves to be brainwashed into thinking of their password as their logon identity; they never look at or think about the username box.

With Windows NT clients, the administrator can change a registry key so that the username box is cleared after logon. The registry key does not exist on Win9x. However, JSI Inc supply a very useful free utility called ClrName on one of their very useful Hints and Tips pages.

The download comes with very clear installation instructions. Essentially, all you need to do is put the executable somewhere useful and edit a registry entry to point to it.

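Our server connects drive G: to a group shared area that all users have access to, so I put clrname.exe in G:\Lib\ (which ordinary users should only be able to read, since the entry below runs the file at every logon) and then create the following registry entry: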

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ClearName"="G:\\Lib\\Clrname.exe"

Bypassing logon dialogue

What's the point of networking machines, providing users with home areas, and putting a logon dialogue in place if users can bypass all that by selecting "Cancel"? They are then left with no access to their home area and end up trampling all over drive C. Windows NT client machines force you to log on before you can use the machine, but Windows 95/98 machines can let you bypass the logon dialogue.

I solved this problem by writing a little utility ChkLogOn.exe that checked if the username was unset, and if so it shut the machine back down. Rather brute force, but it works. I put this in the C:\Windows\System directory of all our Windows 95/98 machines and put a shortcut in C:\Windows\Start Menu\Programs\Startup to run it.

It's written as the following compiled BBCBasic program ChkLogOn.bbc:

      DIM alen% 3,name% 256
      !alen%=255:SYS "GetUserName",name%,alen% TO r%
      IFr%=0:SYS "ExitWindowsEx",3:*Quit
      *Quit

At some point I may get around to writing it in a few bytes of machine code.

Unattended machines

Ideally, I would like to set the screensaver function to forcibly log the client off and shut down when the machine has been left alone. I am currently tracking down the relevant information to do this.

Others

As well as all the above, I set a few other default settings for our users, things such as the proxy server settings, Outlook settings, WinWord default templates directory and custom dictionary file, etc. All these profile settings are in the file System.reg, which you can customise for your own system.

Here are some useful registry settings.


Coming soon: multi-user enabling various applications.
Last updated: 12-Aug-2002 JGH