Creating a new Default user profile for our domain


  1. jpjeffery
    Posts : 7
    Windows 7 and XP and Vista and Ubuntu
       New #1

    Creating a new Default user profile for our domain


    I know, the MS way is to use SysPrep, but that seems enormously OTT when all I want to do is create a Windows 7 Default Profile for our domain.



    So, according to my (Google driven) research an easier method is to
    1. Logon with a user account
    2. Make it 'so' (i.e. set the default profile how you want it for all new users)
    3. Log off
    4. Log on as Admin
    5. Rename c:\users\default (as default.bak, or .old, whatever)
    6. Rename the folder for the user account used in step 1 to 'default'
    7. Apply Full control permissions to 'Everyone' on the new Default folder.
    Simples!

    Except that at step 7 I get 'Access Denied' on many of the profile's sub-folders...be that with our domain's administrator account or the local administartor account.

    Am I doing something wrong (polite answers only, please!)?
      My Computer
    Quote Quote

  3. Barman58
    Posts : 31,249
    Windows 11 Pro x64 [Latest Release and Release Preview]
       New #2

    One thing that could cause this issue is the fact that the user folder tree contains some symbolic links for compatability with badly written older programs, that assume the folder name will always be the same, over OS changes.

    The default for these symlinks is to have a deny permission set for all users including admins to prevent the accidental creation of endless loop situations, where links are called for folders they link to
      My Computers
    Quote Quote

  4. jpjeffery
    Posts : 7
    Windows 7 and XP and Vista and Ubuntu
    Thread Starter
       New #3

    Ah right, it's not the folders producing the 'Access Denied' message, it's the junctions/symbolic links.

    If so, that should mean I can more or less disregard these errors.
      My Computer
    Quote Quote

  6. Barman58
    Posts : 31,249
    Windows 11 Pro x64 [Latest Release and Release Preview]
       New #4

    Assuming that I am correct then yes, you should be OK to proceed, as the permissions on the symbolic links will not have changed from their designed settings.

    I would suggest you try a test system and see if any further errors appear
      My Computers
    Quote Quote

  7. jpjeffery
    Posts : 7
    Windows 7 and XP and Vista and Ubuntu
    Thread Starter
       New #5

    This already is a test system. :)

    Getting a different error now though (when logging on as a test user having renamed the intended default profile and re-applied Everyone:FC permissions): "The User Profile Service service failed the logon. User profile cannot be loaded".

    Am investigating. I suspect permissions will still be at fault somewhere...
      My Computer
    Quote Quote

  8. myfree
    Posts : 1
    Windows 7 Ultimate x64
       New #6

    The methods listed below has been verified in a non AD domain, so if you use Domain level GPOs (with AD) you may need to do further testing to make sure that the local gpo settings listed below are not over written by the domain policies. Also, if there is a Default User.v2 share in your netlogon shares on your servers you may need to set the permissions to that folder to "deny all" so that the windows 7 client won't pull whatever profile is there. Or you can make sure that there is no profile in that folder. Windows 7 domain computers will look in that share for the "domain user default profile" and apply it to any domain user the first time they log on to that machine.
    Non sysprep method (sysprep method follows)
    Make group policy changes (these are what causes win 7 to not look toward the server for a default profile)
    • Computer Config > Administrative Templates > System > User Profiles >
    o Only Allow User Profiles = Enabled
    o Set Roaming Profile Path for all users logging onto this computer = Disabled
    o Prevent Roaming Profile changes from propagating to the server = Enabled
    • Customize the Test or Setup account (if from mini setup, if from image create a setup account)
    • Enable built-in Administrator account
    • Log on as Administrator
    • Install RichCopy from Technet
    • Use Explorer to unhide system files and folders
    • Use RichCopy to copy the profile from the account used to implement customizations to "Default User"
    • Join machine to the domain
    • Reboot
    • Log on domain user and all customizations that can be transferred should be applied to the users' profile

    Sysprep Method - You may want to use this method because this method should be fully supported by MS
    • Login as the setup account
    • Enable Administrator Account - log off
    • Log on as Administrator
    • Go to Manage Users
    • Delete Setup account and any other accounts that have a profile folder and choose "delete files"
    • Make group policy changes
    • Computer Config > Administrative Templates > System > User Profiles >
    • Only Allow User Profiles = Enabled
    • Set Roaming Profile Path for all users logging onto this computer = Disabled
    • Prevent Roaming Profile changes from propagating to the server = Enabled
    • Complete all customizations
    • Copy validated answer file to C: root
    • Go to windows\system32\sysprep
    • Right click while holding shift and choose "open command window here"
    • run "sysprep.exe /oobe /generalize /unattend:c:\yourunattendfile.xml /reboot
    • Once the system reboots go through whatever portion of mini-setup your answer file dictates
    • Join machine to the domain
    • Log on as a domain user
    • Basic look and feel customizations should have been applied from the local Defaul User profile

    And as long as the local policies that we set above remain intact, any domain user that logs onto the machine will receive the look and feel that you want for your organization.
    Because MS has not published a comprehensive list of items/settings that cannot be applied to a default profile, you will have to experiment with that. I did find a doc that made it clear that the quick launch as well as the area of the start menu where you "pin" shortcuts do not persist when copying customizations to the default profile. See this site for step by step for much of the above Newsletter #89:* Changing Win 7 Default Profile and Sysprep Tricks
      My Computer
    Quote Quote

 

  Related Discussions
Has anyone come across this issue happening frequently lately .... In the past 3 weeks I must have had 20+ PC's / Laptops that have had the same problem (see image below) Although I know how to fix it and I have had it crop up before, I've never had it hit so many units in such a short space...
I have the same issue the other user mentions. I can log on as a domain admin, but not as a domain user. There are only 4 profiles in the registry, with no .bak extensions: 1 is the default user 2 is the localservice account 3 is the networkservice account 4 is the local "Administrator"...
I can create a default profile with Windows 7 however the problem I'm having is with a themepack. I'll explain my process step by step so you can get a better idea of my process/problem. Create a standard user account and log on with it Set my customizations (remove certain features,...
creating a re-usable default profile
in Installation & Setup

In the past... (since windows 98, sorry, showing my age) We have always been able to do the first time logon, setup all the applications, desktop settings, IE settings, everything, with a 'profile' user. We then rebooted the machine, logged on as adminstrator and Deleted the contents of the...
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

 © Designer Media Ltd
All times are GMT -5. The time now is 20:42.
Find Us