How to Prevent a User from Changing the User Profile Type

ID: Q150919


The information in this article applies to:


SUMMARY

If roaming user profiles are used with Windows NT 4.0 systems, system administrators may wish to not allow users to change the profile type to local. To do this, remove the read permission from the %systemroot%\System32\Sysdm.cpl file for the users or groups that should not be able to modify profile settings. This removes the System icon from Control Panel. As a result, those users cannot change system settings.

NOTE: The Windows NT 4.0 system has to be installed on an NTFS partition to be able to set file permissions.


MORE INFORMATION

User profile settings are stored in the registry under the following registry key:


   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
      NT\CurrentVersion\ProfileList 


For every user ever logged on to a Windows NT 4.0 system there is a subkey named after the security ID (SID) of that user where the actual values are stored. The user profile type is stored in the State value under the users subkey. Setting this value using system policies is possible but it does not prevent the System icon from Control Panel from appearing and therefore the user can change the profile type once logged on. Another disadvantage of changing the profile type in the registry is that you must ensure that you change the value in the subkey associated with the user. This implies that you must find the appropriate SID for the user.

Additional query words: prodnt


Keywords          : kbui ntdomain ntsecurity NTSrvWkst 
Version           : 4.0
Platform          : winnt 
Issue type        : kbinfo 

Last Reviewed: February 18, 1999