On Windows computers it can be helpful to customize the "Default User" profile, because Windows copies that profile to create the profile of any user who logs into the machine for the first time; every new user then inherits its settings and configuration.
For a list of recommended settings changes, see: Customizing Default Users Profile - Settings Changes
Directions for utilizing this approach:
Microsoft has this article in their knowledge base, but it does not note the need to do this on the domain controller.
Make a backup copy of your current domain Default User profile (typically the "Default User" folder in the NETLOGON share on your domain controller; for domain accounts, that copy takes precedence over the one on the local machine).
Temporarily give some domain account administrative rights on a laptop. (You can't use the local Administrator account for this.)
Log into the laptop as this new account and make all the settings changes you need; don't forget power settings and other Control Panel items. (You need to do this on a laptop, since a desktop will not have all the specialized software that a laptop will.) Launch every single piece of software and tweak all your settings.
Once you're done with the configuration, log out and log in as a domain admin. Right-click My Computer and open Properties. Select the Advanced tab, then User Profiles. Highlight the profile you just made and click "Copy To". Browse to your domain controller's NETLOGON share, where you should see the current Default User profile for the domain, and set "Permitted to use" to Everyone so that every new user can read the copy. Overwrite that folder (back it up first or save it under a different name).
[suggest: Double-check the permissions on the copied profile so that users can read it but not change it (i.e., check the NTFS permissions on the profile folder; "Copy To" with "Permitted to use" set to Everyone is what grants the read access). Renaming NTUSER.DAT to NTUSER.MAN is a separate matter: it marks the profile as mandatory, so changes are discarded at logoff, and because the default profile is copied to create each new profile, the rename would carry over to every new user. It is not required just to keep the default profile read-only.]
Remove the temporary administrative rights from that domain account.
This sets up the profile for domain accounts logging into the laptop for the first time. If you also want to set the default profile for local machine accounts, use the same "Copy To" procedure, but target the local machine's Default User profile (C:\Documents and Settings\Default User on XP). [I don't think that you need the local default user account tweaked, since typically all your student and faculty accounts are going to be domain ones.]
Issue: Customizations fail after imaging on WinXP SP2: MS hotfix
Another approach to achieve custom settings:
Retrieved from ISED-L archives 6/26/08 CC3
We found that copying the local admin profile or any other user profile over the Default User profile is more harmful than helpful. It tends to break default paths and settings for MS Office and other applications.
We use a registry injection hack instead. We modify the settings as we'd like for a local administrator account, then export the registry keys involved, and inject them into the Default User NTUSER.DAT registry database after editing the paths in Notepad appropriately.
It takes a bit more effort but seemed to work fine for us. That way we only modify exactly what we need instead of wiping out and replacing the entire default profile.
We run Sysprep and Ghost at the end and the settings stay the way we want.
Retrieved from ISED-L archives 10/22/02
Create the profile you want and then copy it into the Default User profile using the Advanced tab of System Properties. If you merely copy the profile using Windows Explorer, the User.dat permissions won't be correct.

After a lot of thought, we decided to place "My Documents," "Favorites," and "Desktop" on a separate FAT32 partition (D drive) and set up the Default User's profile to always point to the same directories on the D drive (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\). We left the rest of the user's profile in Documents and Settings. This way, no matter who logs on to the machine, they will see the same desktop, My Documents, and favorites. Also, this makes it possible to re-image the C partition without touching the user's data, which speeds recloning for non-hard-drive issues. We used FAT32 both to avoid potential security problems and to make it easier to recover essential data in case of hard drive failure. Doing it this way also reduces the chance of all of a user's data getting deleted, which would happen if a profile is deleted under the standard WinXP settings.

Another thing you have to think about is local security groups. My experience going back to Win2K Pro is that the owner of the laptop MUST be a local administrator on a laptop. I prefer not to do this, but have found not doing so is very problematic. However, you can't make "Domain Users" local administrators on the laptop, because this would give everyone on the network complete access to EVERYONE's computer! While I could go on more about our reasons, the bottom line is that we make two groups and the laptop user local administrators: "Domain Admins", "Laptop Admins" (see below), and the user of the laptop. We also remove all groups from the local Users and Power Users groups, on the theory that if a user isn't a local administrator, the user shouldn't log on.

Lastly, make sure you give the local user "Administrator" a strong password that is not shared with ANYONE. Anyone who finds out this password will have access to all machines. Also, I recommend creating one additional LOCAL account with local admin privileges as a back door for your tech team, in case the user manages to remove his computer from the domain and changes the local "Administrator" password. This may seem unlikely, but it's already happened to us! Users don't understand that if they remove their computer from the domain they are removing their own access, since they log on with domain accounts. There are tools to reset the local admin password, but this is much easier.

While I am a big fan of XP for many reasons, it is an unavoidable fact that cloning is not as easy as with Win98. You absolutely must use Sysprep; otherwise you'll have a bunch of computers with the same SID, which will have you pulling your hair out in no time! Once we get done prepping an image we run Sysprep and configure it for a mini setup; Sysprep is the LAST thing you do. After running Sysprep you create your image BEFORE the next reboot. Note that there is a hotfix (Q322936) which must be applied to make the mini setup add computers to the domain correctly; without it two computer accounts are created. The end result is that the ONLY thing we have to enter before getting the logon prompt is the computer name; everything else is automated.

As far as licensing is concerned, as long as you have the VL version of WinXP you should have no problem with licensing; we haven't had a single hiccup. You enter the VL activation code in the sysprep.inf file and that's it. You don't need to enter it at all after creating an image if you create your sysprep.inf file correctly. About third-party programs, Sysprep has worked great for us in conjunction with the latest version of Ghost, which handles the image itself. Lastly, Sysprep is never really installed; it is run from a directory in the root of the computer, and this directory is deleted on the first restart after Sysprep is run (i.e., after the mini setup process).

However, the first logon requires logging in with a username that has local admin privileges and then adding the user's name to the local Administrators group. This is what the "Laptop Admins" group mentioned above is for. When we prepare a bunch of machines in the summer, we make our student helpers (or the domain account they are using) members of the "Laptop Admins" group, which gives them the power to configure newly cloned laptops without giving them any additional privileges on the network.

Lastly, if you make custom settings on your NICs (e.g., the SSID on a wireless NIC) you'll have to make the settings after a clone, as the mini setup process sets NIC properties back to their default values. My guess is that there is a way around this, but our initial attempts were not successful and we were very pressed for time this summer. There are some other things that are reset after Sysprep, such as the "System Restore" feature, which we turn off because it is such a hog and we would invariably reimage before using the restore feature.
I don't have time to proof this so I apologize for any mistakes.
I hope this is helpful and good luck!
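The "registry injection" that the 6/26/08 post describes, applied to the User Shell Folders redirection from the 10/22/02 post, as an added example: this is not code from either post. It assumes the XP profile path C:\Documents and Settings\Default User (for domain accounts XP uses the copy in the NETLOGON share when one exists, so point the script at that copy to customize it instead), a temporary mount name DefUser, and a constructed .reg snippet standing in for a real regedit export. Run it as a local administrator on the template machine before Sysprep, while no new profile is being created.

```powershell
# Added example, not code from the ISED-L posts. Paths and names are placeholders.
# Run as a local administrator on the template machine, before Sysprep, with no
# new profile being created at the time (the hive must not be in use).

$DefaultHive = 'C:\Documents and Settings\Default User\NTUSER.DAT'  # XP layout
# For domain accounts XP uses \\<DC>\NETLOGON\Default User\NTUSER.DAT when it exists;
# point $DefaultHive there to customize that copy instead.
$MountName   = 'DefUser'                          # temporary subkey under HKEY_USERS
$PatchedReg  = Join-Path $env:TEMP 'defuser-settings.reg'

# Constructed stand-in for a regedit export from the configured template account
# (not a real export). It redirects Desktop, My Documents and Favorites to the
# D: data partition and makes Explorer show file extensions.
$exported = @'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"="D:\\Desktop"
"Personal"="D:\\My Documents"
"Favorites"="D:\\Favorites"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000
'@

# 1. The "edit paths in Notepad" step: every [HKEY_CURRENT_USER\...] header must
#    point at the mounted hive. Values that embed the template account's own
#    profile path (C:\Documents and Settings\<template>) need editing too; the
#    sample avoids that by redirecting to a fixed D: path. regedit writes
#    REG_EXPAND_SZ values as hex(2):..., so edit those by hand before importing.
$patched = $exported -replace '\[HKEY_CURRENT_USER\\', "[HKEY_USERS\$MountName\"
Set-Content -Path $PatchedReg -Value $patched -Encoding Unicode   # v5 .reg files are UTF-16

# 2. Back up the hive, mount it, import, verify, unmount.
Copy-Item -Path $DefaultHive -Destination "$DefaultHive.bak" -Force

& reg.exe load "HKU\$MountName" $DefaultHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed: wrong path, or the hive is in use" }
try {
    & reg.exe import $PatchedReg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed; restore $DefaultHive.bak" }

    # Spot-check that a redirected folder landed in the mounted hive.
    & reg.exe query "HKU\$MountName\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Personal
}
finally {
    # Any open handle (regedit, a PowerShell registry provider path) makes unload
    # fail with "access denied" and leaves the hive locked until it is released.
    [GC]::Collect()
    & reg.exe unload "HKU\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "unload failed; close handles and run: reg unload HKU\$MountName" }
}
```

Because only the listed keys are written, the rest of the default hive (Office paths and the like, which the 6/26/08 post says break when a whole profile is copied over) is left untouched, and the backup taken before the load is the rollback if an import goes wrong.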
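The first-logon hardening that the 10/22/02 post lays out (Domain Admins, Laptop Admins and the owner in local Administrators, domain groups out of Users and Power Users, a unique local Administrator password, a tech-team back-door account, and System Restore off), as an added example that is not the post's own script. The domain name SCHOOL, the group name "Laptop Admins" and the account name techrecovery are placeholders; it assumes the laptop has already been joined to the domain by mini-setup and is run by a member of local Administrators.

```powershell
# Added example, not code from the ISED-L posts. Domain, group and account names
# are placeholders. Run at first logon on a freshly cloned, domain-joined laptop
# as a member of local Administrators (for example a "Laptop Admins" account).
param(
    [Parameter(Mandatory=$true)] [string] $LaptopUser,   # owner, e.g. 'SCHOOL\jsmith'
    [string] $Domain      = 'SCHOOL',
    [string] $TechAccount = 'techrecovery'                # local back-door account for the tech team
)

function Invoke-Net {
    # Wrap net.exe so a failure stops the script instead of leaving a half-configured laptop.
    param([string[]] $NetArgs)
    & net.exe @NetArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net.exe $($NetArgs -join ' ') failed with code $LASTEXITCODE" }
}

function Get-LocalGroupMembers([string] $Group) {
    # net.exe prints a header, a dashed rule, the members, then a trailer line;
    # return just the member names.
    $past = $false
    foreach ($l in ((& net.exe localgroup $Group) | ForEach-Object { $_.Trim() })) {
        if ($past) { if ($l -and $l -notlike 'The command completed*') { $l } }
        elseif ($l -like '---*') { $past = $true }
    }
}

# 1. Local Administrators: Domain Admins, Laptop Admins and the laptop's own user.
#    Do not add 'Domain Users': that would make every domain account an administrator
#    on every laptop.
$admins = @(Get-LocalGroupMembers 'Administrators')
foreach ($m in @("$Domain\Domain Admins", "$Domain\Laptop Admins", $LaptopUser)) {
    if ($admins -notcontains $m) { Invoke-Net @('localgroup', 'Administrators', $m, '/add') }
}

# 2. Remove domain groups (joining the domain puts 'Domain Users' here) from Users and
#    Power Users: anyone who is not a local administrator should not log on at all.
foreach ($g in 'Users', 'Power Users') {
    foreach ($m in @(Get-LocalGroupMembers $g | Where-Object { $_ -like "$Domain\*" })) {
        Invoke-Net @('localgroup', $g, $m, '/delete')
    }
}

# 3. A strong, unique local Administrator password, typed rather than passed on the
#    command line ("net user Administrator <password>" would expose it in the process list).
function ConvertFrom-Secure([securestring] $s) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}
$adminPw = ConvertFrom-Secure (Read-Host -AsSecureString 'New local Administrator password')
$admin = [ADSI]"WinNT://$env:COMPUTERNAME/Administrator,user"
$admin.SetPassword($adminPw)
$admin.SetInfo()

# 4. The tech team's back-door local admin account, for the day a user drops the
#    laptop off the domain and changes the Administrator password.
$techPath = "WinNT://$env:COMPUTERNAME/$TechAccount,user"
if (-not [ADSI]::Exists($techPath)) {
    $techPw = ConvertFrom-Secure (Read-Host -AsSecureString "Password for local account $TechAccount")
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $u = $computer.Create('user', $TechAccount)
    $u.SetPassword($techPw)
    $u.SetInfo()
    $u.Description = 'Tech team recovery account'
    $u.SetInfo()
    Invoke-Net @('localgroup', 'Administrators', $TechAccount, '/add')
}

# 5. Mini-setup turns System Restore back on; the post turns it off (XP WMI class;
#    repeat per drive if the machine has more than C:).
$sr = [wmiclass] '\\.\root\default:SystemRestore'
$null = $sr.Disable('C:\')
```

Both passwords are read interactively so that neither ends up in a command line or a shell history, which matters for the Administrator password in particular: as the post notes, whoever learns it has access to every machine built from the image.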
in response to...
We are planning to roll out XP Pro machines. We use cloning to maintain our computers. We would love any suggestions for the following areas: profiles and security IDs.
1. Profiles: We can't use roaming profiles, and probably not mandatory profiles, since we don't want students to download their individual profiles on whatever machine they log on to. These students have their own laptops, and these same students often log on to our lab and library computers, too.
Our main goal is to set up a generic profile that has exactly what we want on it; to create an image based on that setup and clone all of our laptops with that image; and when the student gets his laptop after it has been cloned and logs on, he will only get the profile we want him to get instead of XP's default profile.
We think all we have to do is create the setup we want and then copy this new profile into the default profile location that XP creates. We want to know if this is correct. If not, we would like to know what the best method is. And finally, since the setup we create initially is the local Administrator profile that XP forces us to make along with the first logon, we would like to know if there is a negative impact to copying this Administrator profile into the default profile folders.
2. Security IDs: We have heard much about the use of Sysprep. We, of course, don't want to be forced to visit each computer every time we clone it. And if we have to visit them, we want that time reduced to a minimum. Will you please share your experience with implementing Sysprep the best way, including the best time during the process of setting up our master computer at which Sysprep should be installed? What type of info will we need on hand for each machine, including our site licenses? What do we have to do to make sure we keep our visits to each machine down?
We worry about how recent copyright additions to Sysprep might force us to attend more to each computer after we clone it. Are there third-party programs that work better and more simply?