Home / server / Questions / 923159
In Process
nepdev
Asked: 2018-07-24 06:20:29 +0800 CST

Program files on Windows Server part of User profile?

  • 772

Consider this scenario:

3 Windows servers (Server 2016 Standard) joined to a domain.

Logging into server1 with a domain admin account. Changing a configuration file in a subfolder of c:\Program Files (for example c:\Program Files\Mozilla Firefox\defaults). And add a new file in the same directory.

If I now log onto any of the other 2 servers (server2 or server3) with the same domain admin account and browse to the same folder (e.g. c:\Program Files\Mozilla Firefox\defaults), the file is also modified there, same timestamp and content as the one on server1. The new file created on server1 is also present on server2.

Same with server3.

However, if I log on to that server with another user account, such as a regular domain user, then that file iis NOT changed, and the new file is NOT PRESENT.

So it looks like the entire C drive is now part of the user profile?

I must add that SOMETIMES the newly created file DOES show up in other user accounts.

My questions:

  1. Is it correct that the entire C drive is now, in newer Windows server versions, part of the user profile of a user?

  2. Where do I find documentation from Microsoft on it? Googling brings up nothing but I am not sure what to look for really. Heard some rumors that this is that way since Vista but where is that documented and what is the expected behaviour? If that is really true it is a HUGE change.

  3. Is that really supposed to happen that way or is that a bug / problem with my setup? How do I fix it then?

  4. About that problem that sometimes the newly created file shows up in another user account and sometimes it does not - what is SUPPOSED to happen, and what should not happen? Like, what is the expected behaviour?

  5. How am I supposed to exactly make changes as an admin to random files on the C drive, particularly on system files or progra files, so that they actually persist and transfer to other users? After all that is the only purpose to log in with an admin account so I can make changes which ALL USERS will be affected by!

This is the exact problem I am having - making changes to config files for Firefox do not get seen by users, and Firefox does not recognize the newly created file complaining that it cannot read the config file.

(NOte - if it is of any importance - the 3 servers are session hosts for a RDS farm).

windows

1 Answers

  1. You're likely getting caught up in UAC Virtualization.

    UAC Virtualization kicks in for applications which were designed for versions of Windows prior to Windows Vista. These applications often assume that they are running with administrative privileges, and when they try to write to file or registry locations that are normally restricted to administrators, they expect them to succeed. So UAC Virtualization lets those writes succeed by secretly redirecting them to another location inside the user profile. The reverse happens when the application later tries to read the file or registry key: If the file or key exists in the redirected location, it is used instead of the one in the administrative location.

    So basically when you originally tried to make changes in Program Files or wherever, the application you were using to make those changes (likely Explorer) was not elevated (running as admin). So Windows silently let you make the changes and just wrote them to your personal profile instead.

    The reason the changes also showed up on the other servers is likely because your profile is roaming with you to the other servers.

    The solution is to remove the files from the virtual store in your profile. Then re-apply your changes using an elevated process. Better yet since you're talking about a farm type scenario with multiple servers to make changes on, use group policy instead.

    • 3