This document includes information about how to manage your win.mit.edu (WIN) Roaming Profile.
It assumes you are familiar with the Athena Account Policies as covered in Athena at MIT, including:
- Who is eligible for an Athena account;
- Privileges granted with an account;
- Guidelines for deactivating an account.
On this page:
When the default user logs into a WIN machine for the first time, the files in the local machine's Default User directory will be replicated to form the user's initial profile. All of the default settings can be overridden by the user, so they should be thought of as a starting point from which the user may customize.
The WIN environment makes the following settings to Default User:
- The Quick Launch toolbar on the task bar initially is populated with four shortcuts: Internet Explorer, Outlook Express, Command Prompt and Show Desktop.
- The desktop initially is populated with a welcome text file.
- The Start Menu shows a Log Off option.
- While using the command prompt, the default user may hit the Tab key to auto-complete directory or file names.
The first time a user logs in a WIN machine, their home directory will acquire two additional subdirectories: .winprofile, and WinData. These will be set to the same permissions as the user's home directory with the exception that system:anyuser will have no rights, not even list privileges. (There may be some documents in these directories whose names alone could violate the user's privacy.)
The .winprofile directory contains the portion of the user's roaming profile that is downloaded entirely to the local machine when the user logs in. This includes the user's registry (NTUSER.DAT), Templates folder, Start Menu folder, SendTo folder, Recent folder, PrintHood folder, NetHood folder, Cookies folder, and Desktop folder. Since a user's Desktop folder must be down- and uploaded every logon and logoff, it would be unwise for a user to place a large amount of data on the desktop. Please place, and advise fellow users to place, such large files elsewhere and to use the desktop for shortcuts only. The same can be said for the other folders in this directory.
The WinData directory contains the portion of the user's roaming profile that is downloaded on demand after logon. This includes the My Documents directory (and the My Pictures subdirectory), the Favorites directory, and the Application Data directory. The files in these directories will not be copied to the local machine on logon. Therefore, it is fine to place large amounts of data in these directories.
The user's roaming profile is described in detail ist:later on in this document.
In general the %SystemDrive%\Documents and Settings\All Users folder gives one a handle to the user's desktop experience. For example:
If you want a program to run in the user's context at the beginning of all logons, place the program (or a shortcut to this program) in %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup. This may be done to each machine in a container should the container administrator use a group-policy-based startup script to do this.
If the container admin wanted a program to appear on all users' desktops when they are logged into machines in a container, one would place the program (or a shortcut to the program) in %SystemDrive%\Documents and Settings\All Users\Desktop. This could be done manually on each machine in the container or automatically using a group-policy-based startup script.
Your WIN Password:
First, there is no such thing as a WIN Password for users at MIT. Each user of WIN, on a machine in the win.mit.edu Domain, must have an Athena account. To be able to log onto a WIN machine the user must know their Athena username and password. To log onto a WIN machine, press the Ctrl + Alt + Del keystroke combination and the standard Microsoft password dialog box should appear. See an example at the Log On section of [Helping End-Users|Windows Server Platforms at MIT - End-User Help. Enter your Athena username and password, and make sure that the third line says,
Log on to: ATHENA.MIT.EDU (Kerberos Realm).
If the third line is not displayed click on Options>> to make it display.
Although each user in the WIN Domain has a unique password, that is different from their Athena password; by default nobody knows what this passwords is. The passwords within the WIN Domain are generated by a program during account creation and never used again. All authentication to the WIN Domain is made through the use of cross-realm trust, with the ATHENA.MIT.EDU Kerberos realm being the trust realm.
Changing Your Password:
Remember that your password is the key to your account and secure access to the system. Once someone has your password, that user is you on the system. It is a good idea to change your password regularly (at least once a semester is a good rule of thumb).
In most Windows 2000 or later Domains a logged-in user may change their password by using Ctrl-Alt-Del and choosing the button labeled Change Password...
This method is the easiest for you to use. If you have problems with it you may use an alternate method - change your password using Leash32. You can start Leash as follows:
- Choose Run from the Windows Start menu.
- Type Leash32.
- From the Action menu choose Change Password.
The program asks you for your old password, then has you type in the new password twice. Neither your old password nor your new one appears on the screen as you type it. The password-changing protocol checks your choice against a dictionary, and does not let you set a password that does not meet the Athena policies.
Your new password takes effect immediately. However, any programs you started before you changed your password, including the Windows screensaver, will continue to use the old password until you log on using the new one.
If you have forgotten your password or get the message:
The system could not log you on
when you try to log on, you can go to the Athena User Accounts office (E19 3rd Floor) during office hours to resolve the problem. Please remember to bring some form of photo ID. Users who cannot stop by E19 3rd Floor during office hours can call an Accounts Consultant at x3-1325, or, if possible, send mail to [firstname.lastname@example.org|mailto:email@example.com
- Never lend your account to another person (e.g., by telling anyone your password, or leaving someone logged into your account).
- Keep your password secret.
- Do not change the default file protection unless you want other people to see and use your files. The present default file protection prevents the casual browser from gaining access to your files.
- Do not leave your workstation unattended while you are logged in. If you are going further than to pick up printer output, either logout, or lock the system by hitting Ctrl - Alt - Del and choosing Lock Computer. It takes only a couple of seconds for somebody to compromise your account.
By default your profile will be in two top-level directories in your DFS home directory. The .winprofile and WinData directories are created the first time you log on to a WIN machine. The .winprofile directory contains your NTUSER.DAT file, Start Menu, Desktop, and Cookies information. The WinData directory contains your My Documents folder, Favorites, and application configuration data that is unique to your usage.
By default, others are prevented from listing the files contained in these directories or reading any of the contents.
Your disk quota is the limit on the amount of space in DFS you can use to store your files and on the number of files you can have. You initially have a limit of 1000 megabytes (1 GB). As you accumulate files in your directory, you may approach this limit. If you reach your limit, you are not able to save files.
The Windows Explorer program will report the space available in DFS directories.
If your usage is over or approaching your quota, you need to take action to avoid losing any files.
You will notice that you can not create any more files or use any more disk space.
Do not ignore the warning message, or any mysterious file disappearances. If you do, you risk losing the contents of any file that you try to edit.
- When using other programs: Not all programs give you messages if they are unable to finish writing successfully. If you are using a program that generates an output file, you should check your quota first to make sure that you have room for it.
The family of Microsoft Windows operating systems maintains its configuration information in a manner that is very different from that with which what most experienced Macintosh or UNIX users are familiar. When all the applications and operating system components are cooperating correctly, all of the configuration information that is specific to an individual resides in the user's profile. In the WIN environment we use by default what are called Roaming Profiles. Simply put, this means that each user has his or her own unique profile that will be used whenever and wherever the user logs into a machine that is a member of the win.mit.edu Domain. Most machines in the Domain are configured so that the user's profile is deleted from the local machine's hard disk when the user logs out.
Typically, a Domain using the Microsoft operating systems roaming profile feature copies the entire user's profile from the file server to the local workstation and back to the file server as each user logs in and logs out. A user's profile contains more than just startup scripts, registry data, shortcuts, and menus. It also contains the user's browser bookmarks, and all of their data files. It may even contain the user's own private applications. All of this can add up to a lot of bytes that need to be copied back and forth across the network. From the user's perspective this means that it takes a lot of time to log on and log out.
In order to optimize the use of the network bandwidth, and decrease the amount of time that it takes the user to log on and out, the WIN environment takes advantage of a feature called folder redirection. Folder redirection means that we are only copying a portion of the user's profile during logon and logout. Other portions of the user's profile remain on the remote file server, until a specific file is needed by the user on the local machine. Understanding how this works and how to control some of the behavior is important to each and every user.
Bad user habits will lead to excessively long log on and log out times. In testing worst and best case scenarios it is possible to create a profile that will vary the log on times from a few seconds to several hours. Users are strongly encouraged to learn about profile management and how their use of their profile will affect them.
As mentioned in the section on ist:keeping Your Profile Safe, user's profiles are split into two subdirectories that are created in each user's home directory in DFS. These two subdirectories are .winprofile and WinData. The .winprofile directory is not redirected. This means that anything in the .winprofile directory will be copied to the local workstation each time the user logs on to a WIN machine. The entire .winprofile directory will also be copied back to the user's home directory in DFS each time the user logs out. To optimize performance, users should minimize the amount of data that they store in the .winprofile directory, or any of its subdirectories.
By default the .winprofile directory contains the following information:
ntuser.dat - a binary file that is used to populate the HKCU registry hive on the client workstation
ntuser.pol - another file containing registry information
ntuser.ini - an ini file
Templates - a directory containing shortcuts to template items
Start Menu - a directory containing the files and folders that create the user's menus
SendTo - a directory that contains shortcut files that create the "SendTo" menu for the user
Recent - a directory that contains shortcuts to the most recently accessed files
PrintHood - a directory that contains shortcuts to items in the user's Printers folder
NetHood - a directory that contains shortcuts to items in the user's My Network Places folder
Desktop - a directory that contains the items that make up the user's desktop
Cookies - a directory that contains the browser cookies that the user has acquired while traversing the web
By default the WinData directory contains the following information:
Favorites - a directory that contains the user's Internet Explorer Favorites (like Bookmarks in other browsers)
My Documents - the user's default data directory. It exists on the user's desktop and tends to be the default location for Save As
Application Data - a directory that contains configuration data saved by applications run by the user.
Over time the My Documents subdirectory is the most likely subdirectory to grow the largest. This is the primary reason that this directory is being redirected. Please notice that the Desktop directory is not being redirected. Since the contents of the Desktop are always copied to the local machine, no advantage would be derived by using folder redirection on this subdirectory. However, the Desktop directory is one area that is likely to cause users problems.
- Do not store large data files or any applications directly on the Desktop. If you want to use the Desktop to provide easy access to data files and applications you are welcome to do so. However, you should put only shortcuts to the actual data files and applications on your desktop.
Shortcut files are small files that do not take long to transfer over the network. To stretch a simile almost to the breaking point, shortcut files are like symlinks or aliases used by other operating systems, in that they are a reference to the actual file. However, they behave much differently than traditional symlinks. Instead of being an extension of the file system they are more like a hint to some applications about what to do with the information that is contained in the shortcut file.
- Other Information about your Profile
When you log on to a WIN machine, two drive letters will be mapped for you. The H: drive is set to your home directory in DFS. This will be very useful, as command prompt windows will tend to initially present you with the H: prompt. Also, when saving data into your home directory within the Windows graphical interface, it is convenient to be able to select the H: drive. The Z: drive is set to the root of AFS, which on WIN machines is called "\\afs\all\." This is useful for programs which do not work with UNC path names (names which begin with the double backslash). Some programs will require the path to start with a drive letter. In this case, use Z:. For example, you cannot "cd" into "\\afs\all\athena\project\pismere," but you can "cd" into "Z:\athena\project\pismere."
If you want to launch a script or program on logon and logoff, place a file called ".winlogon" or ".winlogoff" with an executable extension (.cmd, .bat, .exe, .wsf, etc.) in your home directory. That is, if you create a file "H:\.winlogon.cmd" it will be run automatically for you at logon. Similarly, "H:\.winlogoff.wsf" would be run automatically at logoff.
Important: Create at most one of each. If you have both a ".winlogon.exe" and a ".winlogon.cmd" program in your home directory, only one will be run at logon, and the choice of which one is not guaranteed to be deterministic. If you require multiple programs to be run on logon, create a single batch file which calls these multiple programs. (The same is true for logoff.) As an aside, another way to run programs at logon (but not at logoff) is to place them in your Start Menu\Programs\Startup folder. Veteran Windows users should already be aware of this.
Do not set NTFS access control on portions of your roaming profile which get copied to the local machine from DFS.