Tag: Computer Configuration
Control slow network connection timeout for user profiles
This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. To determine the network performance characteristics, a connection is made to the file share storing the user’s profile and 64 kilobytes of data is transferred. From that connection and data transfer, the network’s latency and connection speed are determined. This policy setting and related policy settings in this folder together define the system’s response when roaming user profiles are slow to load. If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or takes 120 milliseconds to respond. Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections. Important: If the “Do not detect slow network connections” policy setting is enabled, this policy setting is ignored. Also, if the “Delete cached copies of roaming profiles” policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection.
Delete user profiles older than a specified number of days on system restart
This policy setting allows an administrator to automatically delete, on system restart, user profiles that have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accessed. If you enable this policy setting, the User Profile Service will automatically delete, on the next system restart, all user profiles on the computer that have not been used within the specified number of days. If you disable or do not configure this policy setting, the User Profile Service will not automatically delete any profiles on the next system restart.
Only allow local user profiles
This setting determines whether roaming user profiles are available on a particular computer. By default, when roaming profile users log on to a computer, their roaming profile is copied down to the local computer. If they have already logged on to this computer in the past, the roaming profile is merged with the local profile. Similarly, when the user logs off this computer, the local copy of their profile, including any changes they have made, is merged with the server copy of their profile. Using this setting, you can prevent users configured to use roaming profiles from receiving their profile on a specific computer. If you enable this setting, the following occurs on the affected computer: At first logon, the user receives a new local profile rather than the roaming profile. At logoff, changes are saved to the local profile. All subsequent logons use the local profile. If you disable this setting or do not configure it, the default behavior occurs as indicated above. If you enable both the “Prevent Roaming Profile changes from propagating to the server” setting and the “Only allow local user profiles” setting, roaming profiles are disabled. Note: This setting only affects roaming profile users.
Establish timeout value for dialog boxes
This policy setting controls how long Windows waits for a user response before it uses a default user profile for roaming user profiles. The default user profile is applied when the user does not respond to messages explaining that any of the following events has occurred:
- The system detects a slow connection between the user’s computer and the server that stores users’ roaming user profiles.
- The system cannot access users’ server-based profiles when users log on or off.
- Users’ local profiles are newer than their server-based profiles.
If you enable this policy setting, you can override the amount of time Windows waits for user input before using a default user profile for roaming user profiles. The default timeout value is 30 seconds. To use this policy setting, type the number of seconds Windows should wait for user input. The minimum value is 0 seconds and the maximum is 600 seconds. If you disable or do not configure this policy setting, Windows waits 30 seconds for user input before applying the default user profile.
Do not log users on with temporary profiles
This policy setting will automatically log off a user when Windows cannot load their profile. If Windows cannot access the user profile folder, or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from logging on the user with a temporary profile. If you enable this policy setting, Windows will not log on a user with a temporary profile; Windows logs the user off if their profile cannot be loaded. If you disable this policy setting or do not configure it, Windows logs on the user with a temporary profile when Windows cannot load their user profile. Also see the “Delete cached copies of roaming profiles” policy setting.
Maximum retries to unload and update user profile
This policy setting determines how many times the system tries to unload and update the registry portion of a user profile. When the number of tries specified by this policy setting is exhausted, the system stops trying. As a result, the user profile might not be current, and local and roaming user profiles might not match. When a user logs off of the computer, the system unloads the user-specific section of the registry (HKEY_CURRENT_USER) into a file (NTUSER.DAT) and updates it. However, if another program or service is reading or editing the registry, the system cannot unload it. The system tries repeatedly (at a rate of once per second) to unload and update the registry settings. By default, the system repeats its periodic attempts 60 times (over the course of one minute). If you enable this policy setting, you can adjust the number of times the system tries to unload and update the user’s registry settings. (You cannot adjust the retry rate.) If you disable this policy setting or do not configure it, the system repeats its attempt 60 times. If you set the number of retries to 0, the system tries just once to unload and update the user’s registry settings; it does not try again. Note: This policy setting is particularly important to servers running Remote Desktop Services. Because Remote Desktop Services edits the users’ registry settings when they log off, the system’s first few attempts to unload the user settings are more likely to fail. This policy setting does not affect the system’s attempts to update the files in the user profile. Tip: Consider increasing the number of retries specified in this policy setting if there are many user profiles stored in the computer’s memory; this indicates that the system has not been able to unload the profiles. Also check the Application Log in Event Viewer for events generated by Userenv. The system records an event whenever it tries to unload the registry portion of the user profile. The system also records an event when it fails to update the files in a user profile.
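The two checks the tip above describes (how many profile hives are still loaded in memory, and what the Application log says about unload attempts) can be scripted. The following PowerShell is an added example, not part of the policy text; it assumes the Win32_UserProfile CIM class and the Get-WinEvent cmdlet are available, and that the provider names listed in $providers match the log on your system (the second name is an assumption about newer Windows releases; the page itself only names Userenv).

```powershell
# Added example: report loaded user profiles and recent profile-unload events.
# Run in an elevated PowerShell session; adjust $Hours to the window you want to inspect.
param([int]$Hours = 24)

# 1. Profile hives currently loaded (Win32_UserProfile.Loaded). Many loaded, non-special
#    profiles with no matching interactive session indicate failed unload attempts.
$loaded = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { $_.Loaded -and -not $_.Special } |
    Select-Object LocalPath, SID, LastUseTime

"Profiles currently loaded in memory: $(@($loaded).Count)"
$loaded | Format-Table -AutoSize

# 2. Profile-service events from the Application log within the window.
#    'Userenv' is the source named in the policy text; the second name is an assumption
#    about the provider used by the User Profile Service on newer Windows versions.
$providers = @('Userenv', 'Microsoft-Windows-User Profiles Service')
$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = $providers
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No profile-service events in the Application log in the last $Hours hours."
} else {
    # Group by event ID and level so repeated unload failures stand out; show the first
    # line of the most recent message for each group.
    $events |
        Group-Object Id, LevelDisplayName |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Latest'; e = {
            ($_.Group | Sort-Object TimeCreated -Descending)[0].Message.Split("`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```

If the loaded-profile count stays high after users have logged off, the retry count above is one knob; the events tell you which profiles could not be unloaded and whether the failure is the registry hive or the profile files.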
Prevent Roaming Profile changes from propagating to the server
This policy setting determines whether the changes a user makes to their roaming profile are merged with the server copy of their profile. By default, when a user with a roaming profile logs on to a computer, the roaming profile is copied down to the local computer. If the user has logged on to the computer in the past, the roaming profile is merged with the local profile. Similarly, when the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. Using this policy setting, you can prevent changes made to a roaming profile on a particular computer from being persisted. If you enable this policy setting, changes a user makes to their roaming profile aren’t merged with the server (roaming) copy when the user logs off. If you disable or do not configure this policy setting, the default behavior occurs as indicated above. Note: This policy setting only affects roaming profile users.
Wait for remote user profile
This policy setting directs the system to wait for the remote copy of the roaming user profile to load, even when loading is slow. The system also waits for the remote copy when the user is notified about a slow connection but does not respond in the time allowed. This policy setting and related policy settings in this folder together define the system’s response when roaming user profiles are slow to load. If you enable this policy setting, the system waits for the remote copy of the roaming user profile to load even when loading is slow. If you disable this policy setting or do not configure it, when a remote profile is slow to load the system loads the local copy of the roaming user profile. The local copy is also used when the user is consulted (as set in the “Prompt user when slow link is detected” policy setting) but does not respond in the time allowed (as set in the “Timeout for dialog boxes” policy setting). Waiting for the remote profile is appropriate when users move between computers frequently and the local copy of their profile is not always current. Using the local copy is desirable when quick logon is a priority. Important: If the “Do not detect slow network connections” policy setting is enabled, this policy setting is ignored. Also, if the “Delete cached copies of roaming profiles” policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection.
Standard User Individual Lockout Threshold
This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration set by Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the TPM that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode, because it limits the rate at which standard users can send commands requiring authorization to the TPM. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. For each standard user, two thresholds apply; exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. This value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users, including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures, depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so that enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM’s hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM’s hardware lockout logic, all prior standard user TPM authorization failures are ignored, allowing standard users to use the TPM normally again immediately. If this value is not configured, a default value of 4 is used. A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure.
Standard User Total Lockout Threshold
This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration set by Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the TPM that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode, because it limits the rate at which standard users can send commands requiring authorization to the TPM. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. For each standard user, two thresholds apply; exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. The Standard User Individual Lockout value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. This value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users, including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures, depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so that enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM’s hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM’s hardware lockout logic, all prior standard user TPM authorization failures are ignored, allowing standard users to use the TPM normally again immediately. If this value is not configured, a default value of 9 is used. A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure.
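Both TPM lockout settings above exist to keep the TPM's own hardware failure counter from reaching the point where the whole device locks out. The following PowerShell is an added example, not part of the policy text, that reads that hardware state with the TrustedPlatformModule module's Get-Tpm cmdlet and warns when the counter is close to the TPM's limit or already locked out. It assumes the module is installed and the session is elevated; the 50% warning ratio is a constructed threshold, not a Windows default.

```powershell
# Added example: inspect the TPM's hardware lockout counter and warn before it trips.
# Requires an elevated session and the TrustedPlatformModule module (Get-Tpm, Unblock-Tpm).
Import-Module TrustedPlatformModule -ErrorAction Stop

$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    "No TPM present on this system."
    return
}

# The lockout fields come from the TPM itself and apply globally (all users, BitLocker included),
# unlike the per-user and total standard-user thresholds enforced by the OS.
[pscustomobject]@{
    Ready           = $tpm.TpmReady
    LockedOut       = $tpm.LockedOut        # hardware lockout currently in effect
    LockoutCount    = $tpm.LockoutCount     # authorization failures the TPM is counting
    LockoutMax      = $tpm.LockoutMax       # failures tolerated before hardware lockout
    LockoutHealTime = $tpm.LockoutHealTime  # time the TPM takes to forget one failure
} | Format-List

# Constructed warning threshold: flag when the counter is at or past half of LockoutMax,
# so an administrator can find the misbehaving process before the TPM locks everyone out.
$warnRatio = 0.5
if ($tpm.LockedOut) {
    Write-Warning ("TPM is in hardware lockout. Wait for the heal time ({0}) or, with owner " +
                   "authorization, reset the lockout via tpm.msc or Unblock-Tpm.") -f $tpm.LockoutHealTime
} elseif ($tpm.LockoutMax -gt 0 -and ($tpm.LockoutCount / $tpm.LockoutMax) -ge $warnRatio) {
    Write-Warning ("TPM failure counter at {0} of {1}; identify which account or service is " +
                   "sending commands with bad authorization values.") -f $tpm.LockoutCount, $tpm.LockoutMax
} else {
    "TPM failure counter at $($tpm.LockoutCount) of $($tpm.LockoutMax); no action needed."
}
```

Run it periodically on hosts where standard users interact with the TPM (for example through BitLocker or virtual smart cards); a rising LockoutCount with no user-visible failures is the signal that the OS-side thresholds above should be tightened or the offending software fixed.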