The following tools are used to configure users' work environments, make network connections, start applications, and control desktop appearance:
A logon script is a batch file (.bat) or executable file (.exe) that runs whenever a user logs on at any type of workstation on the network. The script can contain operating system commands, such as commands to make network connections or start applications.
Environment variables specify a computer's search path, directory for temporary files, and other information.
The user profile contains all user-definable settings for the work environment of a computer running Windows NT, including display settings and network connections.
System policies enable administrators to control the user-definable settings in Windows NT and Windows 95 user profiles, as well as system configuration settings. You can use the System Policy Editor to change desktop settings and to restrict the actions that users can perform from their desktops.
A logon script is an executable or batch file composed of operating system commands that runs automatically when a user logs on to a computer running Advanced Server, Windows NT Server, or Windows NT Workstation. Logon scripts are used to configure users' working environments, make network connections, and start applications. They can also be used to run programs that scan for viruses on client computers.
There are several advantages to using logon scripts:
You can manage parts of users' environments, such as network connections, without managing every aspect of the environment.
You can use them to create common network connections for multiple users.
Logon scripts are easy to create and maintain.
You can continue to use logon scripts that were created in LAN Manager, Version 2.x.
Note
User profiles can restore network connections at logon that were established prior to logging off, but they cannot be used to create new network connections at logon.
You can create logon scripts using a text editor and then use User Manager for Domains to assign different logon scripts to different users or to assign the same logon script to multiple users.
There are several special parameters you can use when creating logon scripts:
| Parameter | Description |
|---|---|
| %HOMEDRIVE% | The user's local workstation drive letter connected to the user's home directory |
| %HOMEPATH% | The full path of the user's home directory |
| %HOMESHARE% | The share name containing the user's home directory |
| %OS% | The operating system of the user's workstation |
| %PROCESSOR_ARCHITECTURE% | The processor type of the user's workstation |
| %PROCESSOR_LEVEL% | The processor level of the user's workstation |
| %USERDOMAIN% | The domain containing the user's account |
| %USERNAME% | The user name |
You can assign a logon script to a user account or group account by entering a path in the logon script file in User Manager for Domains. When a user logs on and a path to a logon script is present in the user account, the file is located and run.
In the User Environment Profile dialog box, you can assign logon scripts to user accounts by typing the file name (for example, clerks.bat) in the Logon Script Name box. At logon, the server authenticating the logon locates the logon script by looking for the specified file following that server's local logon script path (usually /var/opt/lanman/shares/asu/repl/import/scripts on import computers or /export/scripts on export servers). If a relative path is provided before the file name (for example, admins/cristalw.bat), the server looks for the logon script in that subdirectory of the logon script path.
The entry in the Logon Script Name box specifies only the file name (and optionally the relative path); it does not create the actual logon script. You create the logon script and place it in the appropriate directory on the replication export server.
You can place a logon script in a local directory on a user's computer, but usually this location is used when administering user accounts that exist on a single computer rather than in a domain. In this case, the logon script is placed in the computer's logon script path or in a subdirectory of that path.
For more information about configuring a user environment profile, see User Manager for Domains Help.
A logon script is always downloaded from the server that validates a user's logon request. For users with accounts in Advanced Server domains that have one or more backup domain controllers, any one of the domain controllers can authorize a user's logon attempt. To be certain that logon scripts will always work for users, ensure that the logon scripts for every user account in a domain exist on every primary and backup domain controller in the domain.
The best way to ensure that logon scripts always are available is to use the Directory Replicator service. This service maintains identical copies of a directory tree on multiple computers. When you make a change to a file in the master copy of the tree (located on the export server), the Directory Replicator service automatically copies the change to the import computers.
When the Directory Replicator service is used with logon scripts, set up one domain controller as the export server and all of the other domain controllers in the domain as import computers.
The logon script path can be configured for every server in a domain using either Server Manager (locally or remotely) or the Server option in each server's Control Panel. Use the Directory Replication dialog box to set up replication export and import and to specify a local path to user logon scripts.
Generally, a master collection of logon scripts is maintained by an administrator in an export directory (usually /var/opt/lanman/shares/asu/repl/export/scripts and its subdirectories) of one replication export server in the domain, and this master collection is replicated to all the servers in the domain so that each server has its own local copy of all logon scripts.
For more information about the Directory Replication service, see Chapter 5, "Managing Shared Resources and Resource Security." Also, see "Managing Export Replication" and "Managing Import Replication" in Server Manager Help.
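Because any domain controller may serve the logon script, a copy that has drifted from the master, or been altered on one import computer, runs for every user that server validates. The following added example (not part of the original documentation) hashes an export script tree and an import script tree and reports the differences; the helper names, `common.bat`, `stray.bat` and the sample file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile


def manifest(root):
    """Map each script's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(export_root, import_root):
    """Report import-side scripts that are missing, unexpected or altered."""
    master, copy = manifest(export_root), manifest(import_root)
    return {
        "missing": sorted(set(master) - set(copy)),
        "unexpected": sorted(set(copy) - set(master)),
        "modified": sorted(p for p in set(master) & set(copy)
                           if master[p] != copy[p]),
    }


def _write(root, rel, text):
    """Create a constructed sample script under root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Compare two constructed trees standing in for export and import."""
    with tempfile.TemporaryDirectory() as tmp:
        exp = os.path.join(tmp, "export", "scripts")
        imp = os.path.join(tmp, "import", "scripts")
        _write(exp, "clerks.bat", r"net use k: \\terrier\home\%USERNAME%")
        _write(exp, "admins/cristalw.bat", "echo admin logon")
        _write(exp, "common.bat", "echo welcome")
        _write(imp, "clerks.bat", r"net use k: \\terrier\home\%USERNAME%")
        _write(imp, "common.bat", "echo welcome & start unknown.exe")  # altered copy
        _write(imp, "stray.bat", "echo not in the master collection")
        return compare(exp, imp)


if __name__ == "__main__":
    print(demo())
```

In practice, `manifest()` would be run against the scripts directory on each domain controller and the results compared with the export server's manifest.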
When managing multiple user and group accounts, you often need to make the same change to many accounts. You can use environment variables to replace specific names or labels with a general one that is replaced by specific data when copied.
A user's home directory is a directory that is accessible to the user and contains files and programs for that user. When a user logs on at a workstation running Windows NT, a connection is made automatically to that user's home directory; this becomes that user's default directory for the File Open and Save As dialog boxes, for the command prompt, and for all applications that do not have a working directory defined.
Home directories make it easier for an administrator to back up user files and delete user accounts because they can collect all of a user's files in one location.
On a Windows NT Workstation computer, the default home directory is \USERS\DEFAULT on the user's local drive where Windows NT is installed. With User Manager for Domains you can change this to a shared network directory or to another local directory on the user's workstation. You should assign network home directories when administering user accounts in a domain.
If you specify a network path for the home directory, in most cases User Manager for Domains automatically creates that home directory. In order for users to access their home directories, appropriate permissions must be granted.
Note
If an Advanced Server domain user also has a UNIX system account, it may be useful for the administrator to make the network home directory the same as the UNIX system home directory.
You can substitute the %USERNAME% variable for the last subdirectory in the path in the User Profile Path and the Home Directory boxes. The system then substitutes the user name of the user account. This is useful when multiple user accounts are selected.
For example, if eight user accounts are selected, in the User Profile Path you could type \\terrier\users\%username%.usr; under Home Directory you would select the Connect option, specify a drive letter of K, select the To box, and type \\terrier\home\%username%. When you choose the OK button and the User Environment Profile is saved, for each user account the actual user name will be substituted for the %USERNAME% entry.
When a user account is copied, the logon script name is copied exactly. The home directory is copied in one of two ways. If the last subdirectory of the home directory path of the user account being copied is the same as the user's name, then the new account substitutes the new user's name when copying the home directory path. Otherwise, the home directory path is copied exactly. The following are two examples:
If the original account has the user name CARYR and the home directory \\SETTER\USERS\CARYR, a new account with the user name BILLO is given the home directory \\SETTER\USERS\BILLO.
If the original account has the user name BLAKER and the home directory \\HOUND\USERS\HOME, then a new account with the user name JIMGR is given the same home directory, \\HOUND\USERS\HOME.
On computers running Windows NT Workstation or Windows NT Server, user profiles automatically create and maintain the desktop settings for each user's work environment on the local computer. Although you can save user profiles in shared network directories on Advanced Server computers, user profiles have no effect on computers running Advanced Server or on client computers running MS-DOS or OS/2.
User profiles can be used on computers running Windows 95, but they must be enabled before they are available.
You can create and modify user profiles using the tools provided in Windows NT and Windows 95.
In Windows NT and Windows 95, a user profile is created for each user when the user logs on to a computer for the first time. User profiles provide the following advantages to users:
When users log on to their workstations, they receive the desktop settings as they existed when they logged off.
Several users can use the same computer, with each receiving a customized desktop when they log on.
User profiles can be stored on a server so that they can follow users to any computer running Windows NT or Advanced Server on the network. These are called roaming user profiles.
As an administrative tool, user profiles provide the following options:
You can create customized user profiles and assign them to users to provide consistent work environments that are appropriate to their tasks.
You can specify common group settings for all users.
For more information about user profiles on computers running Windows NT or Windows 95, see Windows NT Server Concepts and Planning.
On computers running Windows NT Workstation or Windows NT Server, the contents of the user profile are taken from the user portion of the Windows NT Registry. Another part of the registry, the local computer portion, contains configuration settings that can be managed along with user profiles.
Using the System Policy Editor, you can create a system policy to control user work environments and actions and to enforce system configuration for all computers running Windows NT Workstation and Windows NT Server.
With system policies, you can control some aspects of user work environments without enforcing the restrictions of a mandatory user profile. You can restrict what users can do from the desktop, such as which options in Control Panel they can use, and customize parts of the desktop or configure network settings.
For more information on using the System Policy Editor to control user work environments, see Windows NT Server Concepts and Planning.