Customizations to Default User Profile Do Not Affect Users

[Sha0]

Overview: A possible computer OS "image" development strategy to help to ensure that all applications operate correctly. Not intended to address user profiles already in existence, or profiles where NTUSER.DAT "roams" with the user (is copied between computers or from a network share). Not intended to address already-developed images, though you can adapt the process. Also see the bullets in post #4.

Description:

• An account has been used to make customizations to one or more software titles (such as toolbars, preferences, first-time-run options, etc.).
  
• That account's profile is then copied over top of the "C:\Documents and Settings\Default User\" profile, possibly with the "Permitted to use" option set to "Everyone".
  
• Logging in to test with a non-administrative account (such as student) reveals that the customizations have not taken effect!
  

Cause:

Some applications store Registry entries for the user with actual references to the account's profile. When such a user Registry is used by another user (such as the student account inheriting the user Registry of the Default User profile), the user will likely not be granted permissions to access these folders in the original account.

Example:

• The workstation-local Administrator account is customized with AutoCAD LT 2007 changes.
  
• The Administrator account is copied to the Default User profile.
  
• The student account inherits the workstation-local Administrator's user Registry (NTUSER.DAT).
  
• The student account runs AutoCAD
  
• AutoCAD attempts to access files inside "C:\Documents and Settings\Administrator\"
  
• AutoCAD is running as student, and thus access is denied, so AutoCAD builds fresh settings from scratch
  

Solution:

A logon script which replaces all references to the original profile with references to the current user's profile, before applications are able to run.

Whenever performing strong replacements, it is beneficial if the string to replace is "magic", in the sense that it is unique. This would suggest using a very unique account name for customizations which will be copied into the Default User profile; replacing this very unique account name in the user Registry should be straight-forward and yield best results.

Since some Registry entries might use "short names" for files/folders, it is best if the account name obeys an 8.3 naming convention. For example, "C:\Documents and Settings\Administrator\" or "C:\Docume~1\Admini~1\" versus "C:\Documents and Settings\defprof5.foo\" or "C:\Docume~1\defprof5.foo\". In the latter, the replacement string is still the account name.

Other solutions which grant Everyone permissions to folders inside the workstation-local Administrator's profile are superseded by this solution.

Sample logon batch:

rem Correct user profile references in the Registry
rem ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
call :_getUsername "%userprofile%"
\\ad.domain.com\netlogon\regreplace.exe /s defprof5.foo /r %username% /k HKEY_CURRENT_USER
echo Logged in as: %username%
goto :_skipRegreplace

:_getUsername
set username=%~nx1
goto :eof

:_skipRegreplace
rem ~~~~~~~~~~~~

(Requires RegReplace.exe)

Edited May 27, 2010 by Sha0

[allen2]

If you use %userprofile% in the reg entries before deploying this default profile it should work.

[Guest]

The Default User profile serves as a template for all newly created profiles. I do not believe it is intended to serve any other purpose.

Making changes to the Default User profile will not affect preexisting profiles, such as the Administrator account. Changes to the All Users profile will affect all existing users.

[Sha0]

allen2: I am aware of environment variable substitution in REG_EXPAND_SZ values[1]. Have you found that variable substitution works in REG_SZ and REG_MULTI_SZ values? I have not, but RegReplace.exe deals with these, also. I have found that many applications use these other Registry data types for directory references. A related claim is point 2 of this article[2].

5eraph: I'm not sure what you've misinterpreted from my post and why it seems that you are trying to correct something.

My post is fully congruent with the purpose of the Default User profile you mention and no other purpose.

The use of Administrator in the post examples is for the common scenario where an administrator uses the Administrator account for installing software, customizing settings, then SysPrepping with either an automatic Administrator-to-Default-User profile copy, or manually performing one. In such a situation, you don't need to retroactively affect the Administrator's profile; you used it as the source. Perhaps this was lacking from the original post and led to confusion.

Changes to an NTUSER.DAT file in the Documents and Settings\All Users\ profile do not appear to have any affect on users, contrary to your claim. Files and folders changes affect all users, yes. The original post is intended to deal with Registry entries that point at whatever profile is used to customize the Default User profile.

Please attempt to use Microsoft's SysInternals' Process Monitor (ProcMon.exe) to perform logging during boot, then log on with a brand new user account, then review the log. Do you observe Documents and Settings\All Users\NTUSER.DAT? If you do have a reference for how to use this file, please do share it.

Thanks for your contributions, both.

Perhaps I can add further steps:

• Install Windows XP
  
• When prompted to create a user account during the out-of-box-experience, call the user delme
  
• Log in as delme and rename the Administrator account to defprof5.foo (or some other 8.3 magic string of your choosing). Do not log on with the Administrator account before this rename has been performed
  
• Log out and back in as defprof5.foo
  
• Install software, customize settings, develop your OS image
  
• Include the batch from the original post along with RegReplace.exe as a logon script, or apply it with Active Directory Group Policy
  
• Delete the delme account
  
• Use the defprof5.foo account's profile to copy over the Default User profile either manually or, depending on your version of SysPrep and your decision to use it, automatically during SysPrep itself
  
• Observe the magic when applications' Registry entries pointing to the defprof5.foo profile are replaced with meaningful references to the logged-on user's profile for all new user accounts used for logging in
  

[1] Windows registry information for advanced users

[2] Some Mandatory Profile Best Practices

Edited May 27, 2010 by Sha0

[allen2]

Your regreplace script might be very dangerous in some case: you're replacing all values found in user hive so it might replace unwanted values for a some user login.

In my experience, setting directly the %userprofile% in default hive is the best solution.

Also as you're planning to use gpo to deploy the settings, i would go a different way:

I would use regshot to identify the registry entries for each application and create a gpo for each application with custom adm or/and script if needed.

[Sha0]

Your regreplace script might be very dangerous in some case: you're replacing all values found in user hive so it might replace unwanted values for a some user login.

That's a strong claim. Please feel free to describe a scenario in which replacing a magic string like defprof5.foo might be unwanted.

In my experience, setting directly the %userprofile% in default hive is the best solution.

As already mentioned, environment variable expansion includes REG_EXPAND_SZ only, so your "best solution" does not encompass any applications which use REG_SZ, for example. Do you disagree with point 2 of the "related claim" article I mentioned, after reading it?

Also as you're planning to use gpo to deploy the settings, i would go a different way:

I would use regshot to identify the registry entries for each application and create a gpo for each application with custom adm or/and script if needed.

That seems like a lot of extra work. The advantage of a magic string is that it's extremely unlikely to appear anywhere beyond where it's useful to replace. I would love to learn about an instance where this causes problems, if you can find one.

In the meanwhile, attached is a sampling of defprof5.foo references in HKEY_CURRENT_USER. Do any of those strike you as "dangerous" to replace with the user's logon name?

ProfileRefs.txt

Edited May 27, 2010 by Sha0

[allen2]

I was just saying that replacing might be very dangerous and mess with default profile hive but that's all. I agree that is very unlikely that this string is found elsewhere right now. I prefer doing a real job of finding what registry changes are needed but that's my way of working.

Also as you're planning to deploy this with gpo, you should know two things:

- your script will only affect default profile and all existing profiles (on client computers) will need to be recreated to get the new settings.

- your script will execute at every reboot or login.

That's a lot of work but my solution will affect existing user profile without the need to reconfigure users profiles because if you recreate existing user profiles, you'll loose at least their existing setting unless you backup/restore them after (but that a lot more complex).

Also for your reg type and variables, you could easily solve it by doing something like this in the login script:

subst P: /d
subst P: "%userprofile%"

With something like you'll only need to do the job once (the replace stuff) and it'll work for all user.

[Sha0]

...I prefer doing a real job of finding what registry changes are needed but that's my way of working.

There's enough Process Monitor Registry auditing to keep busy with until the Windows OS no longer uses a Registry. So many of the application issues I've encountered during image development were due to meaningless Registry references to the account used for mastering the Default User profile, that I now use/recommend this approach. I agree that "doing a real job of..." is a worth-while skill to have, though it can be tedious.

Also as you're planning to deploy this with gpo, you should know two things:

- your script will only affect default profile and all existing profiles (on client computers) will need to be recreated to get the new settings.

Original post has been modified to try to alleviate confusion around what scenario this process is intended for: Image development and profiles whose Registries are not copied between computers (non-roaming, etc.). I apologize.

- your script will execute at every reboot or login.

As quickly as RegReplace.exe does its work, you are right. You can wrap this batch with an "already-done" check.

That's a lot of work but my solution

Which is to keep a database of applications and their Registry entries, then modify as-need, possibly by using .ADM templates or multiple run-once logon scripts, right?

will affect existing user profile

By reconfiguring Registry entries you've identified as needing special attention, right?

without the need to reconfigure users profiles because if you recreate existing user profiles, you'll loose at least their existing setting...

Such as a default templates directory the user might already have chosen? Hopefully that is not overwritten when your solution is applied. How does one know what is all right to overwrite and what is not, when a user has already generated a profile and possibly customized it? Through careful scrutiny? Is that what keeps us employed?

Also for your reg type and variables, you could easily solve it by doing something like this in the login script:

subst P: /d
subst P: "%userprofile%"

With something like you'll only need to do the job once (the replace stuff) and it'll work for all user.

Using subst P: "%userprofile%" is a great idea for dealing with REG_SZ. Then your .ADM templates can be used to throw P:\ in such entries. Do these Group Policies enforce these settings permanently? If so, does this mean that these references are mandatory in your environment?

Thanks for the strategy offering.

Edited May 27, 2010 by Sha0

[Sha0]

Well allen2, how about a combined approach? If one uses defprof5.foo to develop the OS image, one can replace all references to that account's profile with your P:, thus avoiding RegReplace.exe in the logon script. In the codebox below (and attached) is a batch file which can be used to help facilitate such changes. The defprof5.bat /precopy invocation corresponds to making the replacements before copying over the Default User profile. There are other invocations, also.

=============================@( GOto  :@:  CRAZY )=============================
123456789A123456789A123456789A123456789A123456789A123456789A123456789A123456789
ÉÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍÍÏÍÍÍÍÍÍÍÍ»
º _ _ _ Each line of this file is optimally formatted for 79 columns. _ _ _ _ º
º _ _ _ Best viewed from a command-line interface (a DOS box), with the _ _ _ º
º _ _ _ _ 'type' command or in Windows Notepad with the Terminal font _ _ _ _ º
ÇÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĶ
º Programmed by Shao Miller @ 2010-05-14_19:52. _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ º
ÇÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĶ
º Revised for allen2's Default User profile method @ 2010-05-27_20:52 _ _ _ _ º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ

Custom settings by you
:_custom

:: Change the profile virtual drive as you like
set _prof_drive=P:

:: Turn do-nothing mode off or on
:: Off
set D=
:: On (uncomment)
REM set D=echo.

%Q%



-----README.TXT-----



When building a Windows XP/2003 OS image for cloning to multiple computers,
you might find it beneficial to modify the Default User profile in such a way 

as to have customized settings preset for any users logging in.  Whichever 

account you use to master the Default User profile ("master account"), you may 

use that account to install applications and perform the customizations.

When the master account is copied over the Default User profile, new users will 

inherit the NTUSER.DAT Registry of the master account, which is loaded at 

HKEY_CURRENT_USER for that user when they log on.

Unfortunately, some applications will save Registry entries with references to 

the master account.  When a new user runs applications, those applications 

might attempt to access items within the master account's profile, rather than 

the items in the user's own profile.  This can be a cause of failure or 

unexpected behaviour.  Some applications might detect a lack of access and 

rebuild files and settings, adding to the application launch time and possibly 

undoing customizations that were performed with the master account.

If you use a master account with a "magic" name such as "defprof5.foo", then it 

is trivial to find all references to the master account, since such a string is 

so unique and unlikely to appear in the Registry for any other reason.  You can 

use RegReplace.exe to search for such references and replace them with 

references which are more meaningful and appropriate for the logged-on user.

This batch file will search for references to the master account's profile and 

replace those references based on an idea from allen2.  allen2's idea is that 

the computer or all users have a logon script including:

subst p: %userprofile%

so that all users will map a virtual P: drive to their profile.  Then all 

Registry entries pointing at the master account's profile can be pointed to 

this P: drive, instead.  A replacement might look like:

HKEY_CURRENT_USER\Software\Microsoft\Dependency Walker\Recent File List\
  File1		REG_SZ		C:\Documents and Settings\defprof5.foo\test.exe

to:

HKEY_CURRENT_USER\Software\Microsoft\Dependency Walker\Recent File List\
  File1		REG_SZ		P:\test.exe

8.3 "short names" for paths should also be replaced, so you should keep your 

master account's "magic" name conformant to an 8.3 name, such as 

"defprof5.foo".

This batch file can be run in three modes, described below.

  defprof5.bat /precopy

This invocation is useful when run as the master account itself and will 

attempt to make the replacements before the master account has been coped over 

the Default User profile.

  defprof5.bat /postcopy <master>

This invocation will load the NTUSER.DAT in the Default User profile and 

perform the replacements assuming <master> as the master account name to 

replace.

  defprof5.bat /current <master>

This invocation is for the case of a user who has references to the <master> 

account in their Registry and needs them replaced.  Users that already have a 

profile might benefit from this.

This batch file depends on Reg.exe, RegReplace.exe, FindStr.exe.  Reg.exe and 

FindStr.exe should be included with Windows XP/2003.

A log-file called "DefProf5.log" is produced in the directory referenced by the 

TEMP environment variable, or in the Windows installation's Temp\ directory.



-----EOF-----



-----MAIN-----



This is the DefProf5.foo-specific batch file functionality, as opposed to the 

README.TXT or LIBRARY sections.

===

 Determine invocation mode

===
:_main

%@%

:: Check if the user needs help
if "%1"=="" goto :_usage
if /i "%1" equ "/?" goto :_usage
if /i "%1" equ "/h" goto :_usage
if /i "%1" equ "/help" goto :_usage
if /i "%1" equ "-?" goto :_usage
if /i "%1" equ "-h" goto :_usage
if /i "%1" equ "-help" goto :_usage
if /i "%1" equ "--help" goto :_usage

:: Note the master account
set _a2=%~2

:: Check for /PRECOPY
if /i "%1" equ "/precopy" goto :_precopy
if /i "%1" equ "-precopy" goto :_precopy
if /i "%1" equ "--precopy" goto :_precopy

:: Check for /POSTCOPY
if /i "%1" equ "/postcopy" goto :_postcopy
if /i "%1" equ "-postcopy" goto :_postcopy
if /i "%1" equ "--postcopy" goto :_postcopy

:: Check for /CURRENT
if /i "%1" equ "/current" goto :_current
if /i "%1" equ "-current" goto :_current
if /i "%1" equ "--current" goto :_current

:: Check for /EXTRACT
if /i "%1" equ "/extract" goto :_ex_cmd
if /i "%1" equ "-extract" goto :_ex_cmd
if /i "%1" equ "--extract" goto :_ex_cmd


%@% Perhaps you need help and meant: %0 /?

%Q%



===

 Log something

===
:_log_it

echo [%date% %time%] %* %_log%

:: Un-comment the line below to also display loggable output
REM echo [%date% %time%] %*

%Q%



===

 Make log file arrangements

===
:_set_log

:: Called by ourself to get the short name
if not "%~1"=="" (
  set _temp=%~fs1
  %Q%
  )

:: Set logging defaults.  There is a space at the end of the line below
set L=call :_log_it 
set _log=

if "%temp%"=="" (
  set temp=%systemroot%\Temp
  )

:: Call ourself to get the short name
call :_set_log "%temp%"

if not exist "%_temp%" (
  %@% WARNING: Log files unavailable!: %_temp%
  )
if exist "%_temp%" (
  %@% A log-file will be produced at:
  %@% %_temp%\%~ns0.log
  set _log= ^>^> %_temp%\%~ns0.log 2^>^&1
  )
%@%
%Q%



===

 Show usage

===
:_usage

:: This next line is word-wrapped
%@% Usage: %~nx0 [/PRECOPY ^| /POSTCOPY ^<master^> ^| /CURRENT ^<master^> ^| 

/?]
%@%
%@% /PRECOPY	Replaces references in the current user's HKCU Registry to the
%@%		current user's profile with references to P:\
%@% /POSTCOPY	Replaces references in the Default User profile's HKCU Registry
%@%		to the ^<master^> profile with references to P:\
%@% /CURRENT	Replaces references in the current user's HKCU Registry to the
%@%		^<master^> profile with references to P:\
%@% /?		This usage.  You might also enjoy extracting the ReadMe.txt:
%@%		%~nx0 /extract README.TXT
%@%		(The README.TXT is case-sensitive!)
%@%

%@% %~nx0 is handy for replacing references to a master profile in a user's
%@% HKCU Registry with references to drive P:.

:: Log file info
call :_set_log

:: Also word-wrapped
%@% Also see: 

http://www.msfn.org/board/topic/144209-customizations-to-default-user-profile-d

o-not-affect-users/

%@%
%Q%



===

 Extract an embedded file specified on the command-line

===
:_ex_cmd

:: Check for lack of filename
if "%2"=="" (
  %@% You didn't specify a file to extract!  Try: %~nx0 /?
  %Q%
  )
call :_extract %2 > %2

%Q%



===

 Set full and short profile paths

===
:_set_paths

:: Set full path
set _full=%~f1

%L% Current or master profile (long): %_full%

:: Set short path
set _short=%~fs1

%L% Current or master profile (short): %_short%

%Q%



===

 Set common variables, logging, check for RegReplace, set profile drive, etc.

===
:_common

:: Log file info
call :_set_log

:: Visual separator in the log-file
%@%%_log%
%@%%_log%
%@%%_log%


:: Set full and short profile paths
call :_set_paths "%_master%"

:: Check for RegReplace
%C%
regreplace.exe /? %_%
if errorlevel 2 (
  %L% RegReplace.exe not found!
  %Q%
  )
%L% Found RegReplace.exe

call :_custom

%Q%



===

 Get the ProfilesDirectory

===
:_prof_dir

:: Called by ourself to expand %SystemDrive%
if not "%~1"=="" (
  set _prof_dir=%~1
  %Q%
  )

:: The next line is word-wrapped
for /f "tokens=2,*" %%a in ('reg query "hklm\software\microsoft\windows 

nt\currentversion\profilelist" /v ProfilesDirectory 2^>NUL') do (
  set _prof_dir=%%b
  )

:: Call ourself to expand %SystemDrive%
call :_prof_dir "%_prof_dir%"

%Q%



===

 /PRECOPY
 Prepare the master account's HKCU with P: references

===
:_precopy

:: Use the current user as the master
set _master=%userprofile%

:: Common setup
call :_common

%L% Performing long path replacements...
%D%regreplace.exe /s "%_full%" /r %_prof_drive% /k HKEY_CURRENT_USER %_log%
%@%%_log%

%L% Performing short path replacements...
%D%regreplace.exe /s "%_short%" /r %_prof_drive% /k HKEY_CURRENT_USER %_log%
%@%%_log%

%L% Done.
%Q%



===

 /POSTCOPY <master>
 Prepare the Default User profile's HKCU with P: references

===
:_postcopy

:: We need a master account
if "%_a2%"=="" (
  %@% No master account specified!
  %Q%
  )

:: Get the Profiles Directory
call :_prof_dir

:: Get the Default User profile.  The next line is word-wrapped
for /f "tokens=2,*" %%a in ('reg query "hklm\software\microsoft\windows 

nt\currentversion\profilelist" /v DefaultUserProfile 2^>NUL') do (
  set _def_user=%%b
  )

set _master=%_prof_dir%\%_a2%

:: Common setup
call :_common

%L% Profiles dir: %_prof_dir%
%L% Default User profile subdir: %_def_user%

%L% Loading the Default User Registry...
%C%
%D%reg load HKLM\defuserprof "%_prof_dir%\%_def_user%\NTUSER.DAT" %_log%
if errorlevel 1 (
  %L% Could not load!
  %Q%
  )

%L% Performing long path replacements...
%D%regreplace.exe /s "%_full%" /r %_prof_drive% /k HKLM\defuserprof %_log%
%@%%_log%

%L% Performing short path replacements...
%D%regreplace.exe /s "%_short%" /r %_prof_drive% /k HKLM\defuserprof %_log%
%@%%_log%

%L% Unloading the Default User Registry...
%D%reg unload HKLM\defuserprof %_log%

%L% Done.
%Q%



===

 /CURRENT <master>
 Prepare the master account's HKCU with P: references

===
:_current

:: We need a master account
if "%_a2%"=="" (
  %@% No master account specified!
  %Q%
  )

:: Get the Profiles Directory
call :_prof_dir

set _master=%_prof_dir%\%_a2%

:: Common setup
call :_common

%L% Profiles dir: %_prof_dir%

%L% Performing long path replacements...
%D%regreplace.exe /s "%_full%" /r %_prof_drive% /k HKEY_CURRENT_USER %_log%
%@%%_log%

%L% Performing short path replacements...
%D%regreplace.exe /s "%_short%" /r %_prof_drive% /k HKEY_CURRENT_USER %_log%
%@%%_log%

%L% Done.
%Q%



-----EOF-----



-----LIBRARY-----



===

 Sets _line to the line number that is found for
 the -----SECTION----- "embedded file" found in this file

===
:_find_section

set _line=
for /f "delims=:" %%a in ('findstr /b /n /c:-----%1----- %~sf0') do (
  set _line=%%a
  )
%C%
if "%_line%"=="" (
  %@% Section not found!>&2
  %E%
  )
%Q%



===

 Extract a section from this batch file.  Blank lines and
 the special illegal character are excluded from the output

===
:_extract

call :_find_section %1
%QOE%
for /f "delims=%_ill% skip=%_line%" %%a in (%~sf0) do (
  if "%%a"=="-----EOF-----" (
    %Q%
    )
  %@%%%a
  )
%Q%



===

 Set variable to a generated unique string (we sure hope)

===
:_unique_str

set _unique_str=%time::=_%
set _unique_str=%_unique_str:.=_%
set _unique_str=%_unique_str%_%random%
set %1=%_unique_str%
set _unique_str=
%Q%



===

 Display arbitrary characters, given hex input...  Except CR, LF, ':'
 Example: call :_hexchar 010101

===
:_hexchar

:: Next line is word-wrapped.  Add the hex and some magic to the Registry
reg add hkcu\goto_crazy /v hex /t reg_binary /d 

0D0A%13A4D414749434D414749430D0A /f %_%

:: Save the data out of the Registry
call :_unique_str _hive
reg save hkcu\goto_crazy %_hive%.tmp %_%

:: Clean the data out of the Registry
reg delete hkcu\goto_crazy /f %_%

:: Extract the data by the associated magic
call :_unique_str _magic
findstr MAGICMAGIC %_hive%.tmp > %_magic%.tmp 2> NUL

:: Clean-up
del %_hive%.tmp
set _hive=

:: Display the requested data; it's before the magic
for /f "delims=:" %%a in (%_magic%.tmp) do (
  %@%%%a
  )

:: Clean-up
del %_magic%.tmp
set _magic=
%Q%



===

 Sets up the environment for common features used in the batch file

===
:@:

:: Don't show commands
@echo off

:: Display a message
set @=echo.

:: Exit a function or the batch file
set Q=goto :eof

:: Exit a function or the batch file on error condition
set QOE=if errorlevel 1 %Q%

:: Suppress standard output and error messages
set _= ^> NUL 2^>^&1

:: Signal an error condition
set E=cd:^> NUL 2^>^&1

:: Clear an error condition
set C=cd.^> NUL 2^>^&1

:: The unique character not to be used in "file" sections.  Please
:: note that if you are displaying this very LIBRARY section, you
:: will be missing this special character, since it's illegal!
set _ill=#

:: Goto the _main function
goto :_main



-----EOF-----



-----INIFILE-----



[IniSection]
IniEntry = IniValue



-----EOF-----

Some limitations of this technique not found with the original post's method are:

• Non-profile-directory references do not get replaced. It can be nice when an "author" field (such as the first entry given in my previously attached sampling) is replaced with the user's name
  
• Paths that do not include the expanded path to the master profile are not replaced
  

Thanks again and enjoy.

DefProf5.txt

[allen2]

...I prefer doing a real job of finding what registry changes are needed but that's my way of working.

There's enough Process Monitor Registry auditing to keep busy with until the Windows OS no longer uses a Registry. So many of the application issues I've encountered during image development were due to meaningless Registry references to the account used for mastering the Default User profile, that I now use/recommend this approach. I agree that "doing a real job of..." is a worth-while skill to have, though it can be tedious.

I use regshot and shot before installing the new application and shot again after install then again after first launch of the application and its customization. Then i use the compare of regshot and i know all modified/added/removed registry entries during the customization and /or install process.

Also as you're planning to deploy this with gpo, you should know two things:

- your script will only affect default profile and all existing profiles (on client computers) will need to be recreated to get the new settings.

Original post has been modified to try to alleviate confusion around what scenario this process is intended for: Image development and profiles whose Registries are not copied between computers (non-roaming, etc.). I apologize.

No need to apologize, i understood that point, but my point was that you might not deploy again all client computer when a new application is needed unless you want to work a lot more.

That's a lot of work but my solution

Which is to keep a database of applications and their Registry entries, then modify as-need, possibly by using .ADM templates or multiple run-once logon scripts, right?

Exactly.

will affect existing user profile

By reconfiguring Registry entries you've identified as needing special attention, right?

Most of the time, there only a few registry entries for each application.

without the need to reconfigure users profiles because if you recreate existing user profiles, you'll loose at least their existing setting...

Such as a default templates directory the user might already have chosen? Hopefully that is not overwritten when your solution is applied. How does one know what is all right to overwrite and what is not, when a user has already generated a profile and possibly customized it? Through careful scrutiny? Is that what keeps us employed?

Yes for example, but there a lot of other things like mails settings, toolbar position and behaviour etc...

Most of the time in this case, i was just asking the user what was missing after giving him the new profile and restore part of his registry and files. And yes it is something that keep some of us employed.

Also for your reg type and variables, you could easily solve it by doing something like this in the login script:

subst P: /d
subst P: "%userprofile%"

With something like you'll only need to do the job once (the replace stuff) and it'll work for all user.

Using subst P: "%userprofile%" is a great idea for dealing with REG_SZ. Then your .ADM templates can be used to throw P:\ in such entries. Do these Group Policies enforce these settings permanently?

Yes unless you reset them to another value.

If so, does this mean that these references are mandatory in your environment?

Thanks for the strategy offering.

They are mandatory for applications which need it but it save a lot of work and end users are happier because they don't loose their setting like their childs picture set as wallpaper.

Well allen2, how about a combined approach?

I agree : That's the better way to do things.

Edited May 28, 2010 by allen2