[PS] Should PSConfiguration be in "My Documents"?

Discussion in 'Scripting' started by Andrew Watt [MVP], May 17, 2006.

  1. I just want to sound out the opinion of others on the fact that the
    PSConfiguration folder is in "My Documents".

    That seems an odd place to put configuration information. In fact,
    isn't it at odds with Microsoft's (implicit?) intention to keep
    program and configuration information well away from "My Documents"?

    I haven't bugged this yet, pending hearing alternative opinions. But
    "My Documents" just feels "wrong" as a place to put config
    information.

    Thoughts?

    Andrew Watt MVP
     
    Andrew Watt [MVP], May 17, 2006
    #1
    1. Advertisements

  2. Andrew Watt [MVP]

    Mark Ayers Guest

    Bug! It belongs in Env:USERPROFILE.

    Example. I run two PowerShell windows with the same user account and
    differnt rights. One has "My Documents" on a network drive. The other has
    local "My Documents". In order to share a profile, I keep the PSConfiguration
    directory in the local location. It works because of how PowerShell searches
    for the profile. It should work because the PSConfiguration directory is
    located in the Profile directory described by Env:USERPROFILE. On profile to
    rule them all in my case. A user can move "My Documents" Any place they want
    and some do. [wink]
     
    Mark Ayers, May 17, 2006
    #2
    1. Advertisements

  3. That would be better IMO. I tend to set it once and forget about it. I
    then find it annoying that it shows up in "My Documents". BTW I still wish
    PowerShell would reserve and use the simpler name "profile.ps1" and then let
    other hosts use a fully decorated name e.g. Acme.PShell_profile.ps1. With
    this in place I would have my profile.ksh and profile.ps1 files in the same
    place. :) Seriously it has long bugged me that the profile has to be
    placed under "My Documents".
     
    Keith Hill [MVP], May 17, 2006
    #3
  4. Andrew Watt [MVP]

    Mark Ayers Guest

    I think many of us would like control of this. As it stands you can have
    four profile files, two each for All Users and Current User. They execute in
    this order:

    Global settings...profile.ps1
    Global settings...Microsoft.PowerShell_profile.ps1
    User settings...profile.ps1
    User settings...Microsoft.PowerShell_profile.ps1
     
    Mark Ayers, May 17, 2006
    #4
  5. Please bug this. Btw, what do you think if we specify the profiles using
    software settings in group policy?
     
    Wei Wu [MSFT], May 17, 2006
    #5
  6. Done - 76765 on Connect.

    Andrew Watt MVP

     
    Andrew Watt [MVP], May 18, 2006
    #6
  7. Here are the detailed reasons behind our decisions:

    http://www.leeholmes.com/blog/TheStoryBehindTheNamingAndLocationOfPowerShellProfiles.aspx

    Does that rationale change anything?

    --
    Lee Holmes [MSFT]
    Windows PowerShell Development
    Microsoft Corporation
    This posting is provided "AS IS" with no warranties, and confers no rights.


     
    Lee Holmes [MSFT], May 19, 2006
    #7
  8. Andrew Watt [MVP]

    Harald Ums Guest

    After reading
    http://www.leeholmes.com/blog/TheStoryBehindTheNamingAndLocationOfPowerShellProfiles.aspx
    I think the handling of the profiles (at least the global/allusers part) is
    completely wrong.

    Powershell should not execute any profile files by default. This is
    consistent with with the way the execution policy is initialzed.
    I am quite surprised when I see that powershell.exe has a commandline switch
    of "-NoProfile" instead of one lets say "-UseProfile".
    Having four additional places from where software automatically starts is a
    not a good decision (sysinternals autoruns now lists more than 20).
    This is not my interpretation of "secure by default".

    My favorite would be:
    - no profiles processing by default
    - two group policy switches to enable profile processing (one for global,
    one for private)
    - additional group policy settings to define the paths

    In a domain environment, this gives me the chance to use differnet
    configuration for administrators and users.

    On a server I need the garantee, that any program runs always with the same
    configuration - any profile processing is problematic here.
    On my private workstation I really do not need any global profiles

    The "All Users\Documents\PsConfiguration" is a bad place to put any security
    relevant configuration to, since the ACLs get to easily clobbered there. For
    me this is a place for public documents (the name in Vista is btw
    c:\users\public\documents).
    Now consider this szenario:
    - Me as Administrator MOVE files from my Documents folder to the All Users
    Documents Folder (happens all the time since I use two accounts on my
    machine)
    - Since I MOVED the files, they are not readable by any other user on that
    machine, so I have to reset the ACLs for that files
    - Now I have to find any file and directory that has wrong ACLs since I
    cannot propagate the ACLs form the top Level without clobbering
    PSConfiguration.

    Maybe the default location should go one level higher (same level as "All
    Users\Desktop" and "All Users\Start Menu") so there is only one level where
    we have to look for different and restricted ACLs.
    But for me the place that "feels" OK is AllUsers\ApplicationData for global
    configuration settings.

    BTW: Vista moved even the All Users\StartMenu,Templates... to
    ApplicationData. They only left All Users\Desktop, which should be moved as
    well. Then everything under "All users" has about the same security
    relevance.

    I do not have any particular preference for the private profiles.

     
    Harald Ums, May 21, 2006
    #8
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.