Appendix A: Technical Primer

To set up the Microsoft® Shared Computer Toolkit for Windows® XP and manage shared computers requires familiarity with a number of technologies and Windows features.

On This Page

User Accounts and Profiles
How the Profile Manager Tool Works
How the User Restrictions Tool Works
Disks and Partitions
How the Windows Disk Protection Tool Works

User Accounts and Profiles

A user account is a collection of information that defines a user. This information includes the user name, password, groups to which the user belongs, basic environment settings that apply to the user, and other details about the user.

A user profile is a group of settings and files that defines the environment that Windows XP loads when a user logs on. The profile includes all the user-specific configuration settings, such as program items, screen colors, network connections, printer connections, mouse settings, and window size and position. A user profile also allows you to specify different programs, languages, and accessibility features for each user account.

A user profile consists of two parts:

  • A set of folders and files stored on the hard disk. By default, these folders are stored in the Documents and Settings folder on the Windows partition. As the following figure illustrates, Windows creates a folder for each user profile in the Documents and Settings folder. A user folder is a container for programs and other operating system components to populate with subfolders and user-specific settings, such as shortcut links, desktop icons, startup programs, documents, configuration files, and so on. Windows Explorer uses the user profile folders extensively for special folders such as the user's desktop, Start menu and My Documents folder.

  • A registry data file. The registry is a database used to store computer-specific and user-specific settings on a computer running Windows XP. Portions of the registry can be saved as files. Windows can then reload these files for use as necessary. User profiles take advantage of this feature to provide user profile functionality. The user profile registry file for each user is saved as a file named Ntuser.dat in the profile folder. The information in this file is mapped to the HKEY_CURRENT_USER portion of the registry whenever the user logs on. It stores those settings that maintain network connections, Control Panel configurations that are unique to the user (such as the desktop color and mouse settings), and program-specific settings.

    Figure A.1 A user profile is a collection of files and folders

    Figure A.1 A user profile is a collection of files and folders

User profiles can be stored on the local hard disk drive, or can be set so that the data roams with the user wherever he or she logs on. The following types of user profiles are available in Windows XP:

  • Local user profile. Created the first time that a user logs on to a computer, the local user profile is stored on a computer's local hard disk. Any changes made to the local user profile are specific to the computer on which the changes are made.

  • Roaming user profile. The local profile is copied to (and stored in) a network-accessible location. This profile is downloaded every time that a user logs on to any computer on the network, and any changes made to a roaming user profile are synchronized with the server copy upon logoff.

  • Mandatory user profile. A type of profile that administrators can use to specify particular settings for users, a mandatory profile is essentially a roaming user profile to which a user cannot make permanent changes. Only system administrators can make changes to mandatory user profiles. Changes made by the user to desktop settings are lost when the user logs off. A mandatory user profile is often referred to as stateless, which just means that changes made in the session are not saved in the profile. This is useful on shared user accounts where one user should not be able to change the experience of other users. The Lock this profile option in the User Restrictions tool works by turning the user profile into a mandatory user profile (and thus, a roaming profile).

  • Temporary user profile. A temporary profile is issued any time that an error prevents the user's default profile from being loaded. Temporary profiles are deleted at the end of each session— changes made by the user to desktop settings and files are lost when the user logs off.

How the Profile Manager Tool Works

Typically, a user profile is not created until the first time that a user logs on to the computer with a new user account. When this logon happens, Windows automatically creates a new user profile for that user account. The Profile Manager tool lets you create user profiles without logging on as the user and, more importantly, lets you create profiles on alternative hard disk partitions. You can also delete user profiles for existing user accounts. This includes the ability to delete profiles locked by User Restrictions (which are really mandatory user profiles).

When you create a profile using the Profile Manager tool, the tool simulates logging on with the user account so that it can create the user profile (though this simulation is completely transparent to the user). After creating the profile, if you specified that the profile be created on an alternative partition, the tool moves the profile to that partition.

How the User Restrictions Tool Works

Most of the restrictions available in the User Restrictions tool work by modifying the registry settings related to a user profile. Locking a profile in User Restrictions turns that profile into a mandatory profile that is stored within /Documents and Settings/<user>.orig.

You can view the exact list of restrictions applied to HKEY_CURRENT_USER for each restricted user profile by viewing the Restrict.xml file in the Xml subfolder of the Toolkit installation folder.

When the User Restrictions tool restricts a user, a copy of Restrict.xml is created called User.<user>.xml that contains the exact list of restrictions applied to that user profile. This file can be manually customized (with extreme care) and applied again using the Restrict.wsf command-line tool on other local profiles. To help advanced operators with this customization process, this appendix lists all of the registry settings contained in these .xml files and describes what they do.

Microsoft cannot support any customizations made to Restrict.xml, because it drives much of the user interface in the User Restrictions tool. It is strongly recommended and preferred that you customize a User.<user>.xml file and process it using the Restrict.wsf command-line tool. However, if you plan to change Restrict.xml despite these support implications, be sure to make a backup copy and do not modify the restrictions within the General Settings section, because it is the one section that is closely tied to hard-coded fields in the user interface of the User Restrictions tool (contained in Restrict.hta).

Disks and Partitions

A partition is a logical section of a hard disk on which Windows can write data. Every hard disk must be partitioned before it can be used. Often, a hard disk is set up as one big partition, but you can divide a hard disk into multiple partitions. When you partition a hard disk, you decide how much space to allocate to each partition.

For example, assume that your computer has an 80-GB hard disk. If you purchased your computer with Windows XP already installed, or if you installed Windows XP using the default choices during installation, the hard disk likely has a single partition that takes up all of the 80 GB on the disk. However, you could divide that same disk into multiple partitions—maybe a 40-GB partition to hold Windows and program files, a 20-GB partition to hold your documents, and another 20-GB partition for future use.

When you partition a hard disk, you do not have to use all of the space on the hard disk at once. For example, on the 80-GB hard disk, you could create a single 40-GB partition and leave the rest of the space unpartitioned. Unpartitioned space on a hard disk is called unallocated space.

Definition unallocated disk space
Unused space on a hard disk that is not part of any partition.

Windows XP treats each partition on a hard disk as though it were a separate drive, assigning each partition a drive letter. Typically, the first partition (and the one that usually holds the Windows system files) is assigned drive letter C. This Handbook refers to the partition that holds the Windows files as the Windows partition. Other partitions are assigned drive letters as they are created, and the exact drive letters assigned depend on when the other partitions are created (during installation or afterward) and on what other drives you have on the computer (such as CD or DVD drives).

Definition Windows partition
The hard disk partition that holds Windows system files and programs.

Windows can recognize up to four primary partitions. To get around this limit, Windows allows you to create an extended partition (in place of one of the four primary partitions) that acts as a shell in which you can install any number of logical partitions. Windows Disk Protection reduces the limit on primary partitions to three, plus the requirement for unallocated space.

Windows XP supports two types of disk storage. The first, called basic storage, uses partitions to allocate storage space to Windows. This is the type of storage discussed throughput this Handbook. Another type, called dynamic storage, offers more storage flexibility. Dynamic storage breaks the limits of four partitions per disk and allows for more flexible use of disk space. Server versions of Windows can even use dynamic storage volumes to create fault tolerant disk arrays for storage reliability.

Windows Disk Protection is designed to support basic storage only. Computers that use dynamic storage will fail Step 1 in Getting Started, and cannot turn on Windows Disk Protection.

How the Windows Disk Protection Tool Works

The Windows Disk Protection tool is designed to protect the Windows partition by rejecting all changes made to that partition since the last restart. Examples of changes include modifications to Windows configuration settings, installation of programs (including viruses and spyware), or even simple changes to the desktop environment.

The Protection Partition

To achieve this protection, the Windows Disk Protection tool creates a special partition using unallocated disk space on your hard disk. This special partition is called the protection partition. The tool saves changes made during the user session to that special partition, making it appear to the user as though everything is operating ordinarily. Depending on how the Windows Disk Protection tool is configured, the tool can discard changes made within the protection partition when a user session finishes or save those changes to the Windows partition.

Definition protection partition
The partition that Windows Disk Protection uses to safeguard the computer from changes that you have not authorized.

The Critical Updates Process

When Windows Disk Protection is turned on, it disables the Automatic Updates client in Windows XP, which is usually accessed through Control Panel. Any schedule set through Automatic Updates will have no affect on the computer while Windows Disk Protection is on. After you turn on Windows Disk Protection, critical updates schedule changes must be made in the Critical Updates section of the Windows Disk Protection tool.

If you want to change the schedule for critical updates, set Windows Disk Protection to use the Save changes with next restart restart option, make the appropriate changes, and then restart the computer.

After you turn on Windows Disk Protection, you will find three tasks in your system’s Scheduled Tasks folder. These tasks, typically named At1, At2, and At3, are set to run one after the other based on the schedule you selected in the Windows Disk Protection tool.

  • At1 displays a banner message at five minutes before the scheduled hour to inform any interactive user that they will be logged off automatically in 60 seconds for maintenance, after which the computer restarts. This restart clears any potentially untrustworthy changes made to the Windows partition through the default behavior of Windows Disk Protection.

  • At2 displays the same message one minute before the scheduled hour. Any interactive user is then logged off and all local user accounts are disabled except the Toolkit administrator and the Windows XP Professional administrator account. Domain accounts are not disabled.

  • At3 occurs at the scheduled hour and runs the actual critical updates script. This script downloads and installs Microsoft critical updates, starts the identified antivirus script and other script if they have been configured through the Windows Disk Protection tool. It then enables the accounts previously disabled, sets the Windows Disk Protection restart option to Save changes with next restart, and restarts the computer. After the restart, Windows Disk Protection resets the restart option to the default: Clear changes with each restart.

To allow for other updates you might have scheduled to occur at the same time as Windows Disk Protection critical updates, the At3 task described above will wait for a minimum of 10 minutes before restarting the computer. This delay can be increased by changing the number of minutes in the following registry key (set to 10 by default):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Computer Toolkit\CriticalUpdatesMins

While the Windows Disk Protection critical updates process downloads and installs updates, it is important that neither you nor any domain accounts use the computer— so that unwanted disk changes are not saved along with the critical updates.

For this reason, schedule the critical updates process to occur during the lightest user demand period of the day in the environment that you manage. If you manage computers that operate 24 hours a day, consider staggering the critical updates schedule among the computers so that some computers are always available to users.