When a profile becomes .MAN-datory
Yes. Sometimes a mandatory profile is needed to handle certain situations, especially when a bunch of newly hired contractors are threatening your systems. In those situations, a good Group Policy Object (GPO) and a mandatory profile go a long way toward restricting Windows capabilities and limiting shortcuts to a couple of non-dangerous applications. Today I will write a few lines about the latter: mandatory profiles.
To cook a mandatory profile you will need:
- A network share to store all profile files.
- A preconfigured user to obtain the profile files.
The Network Share
On a Windows 2003 Server…
- Log on to the computer as Administrator or as a member of the Administrators group.
- Click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
- Expand My Computer, and then click the drive or folder in which you want to create a new folder.
- On the File menu, point to New, and then click Folder.
- Type a name for the new folder, and then press ENTER.
- Right-click the folder, and then click Sharing and Security.
- Click Share this folder and type Profile$ in the share name field (don’t forget the $ sign to hide the share; we don’t want to publicize it).
- Click the Permissions button and give Full Control to the Everyone group.
- Click OK.
On a Windows 2008 Server…
- Log on to the computer as Administrator or as a member of the Administrators group.
- Click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
- Expand My Computer, and then click the drive or folder in which you want to create a new folder.
- On the File menu, point to New, and then click Folder.
- Type a name for the new folder, and then press ENTER.
- Right-click the folder, and then click Properties.
- Click on Sharing tab and then on Advanced Sharing.
- Check Share this folder and type Profile$ in the share name field (don’t forget the $ sign to hide the share; we don’t want to publicize it).
- Click the Permissions button and give Full Control to the Everyone group.
- Click OK and Close.
Note that the permissions will be modified later by the copy process, so you may notice that some of them have changed.
The Preconfigured User
To assign a mandatory user profile, you must also copy a preconfigured user profile to the location you created in the previous section, using the User Profiles dialog.
1. Log on to a computer running Windows XP or Vista with any domain user account. (Do not use a domain administrator account).
2. Configure user settings such as background colors and screen savers to meet your company standard. Log off the computer.
3. Log on to the computer previously used in step 1 with a domain administrator account.
4. Click Start, right-click Computer, and then click Properties.
5. Click Advanced System Settings. Under User Profiles, click Settings.
6. The User Profiles dialog box shows a list of profiles stored on the computer. Click the name of the user you used in step 1. Click Copy To.
7. In the Copy To dialog box, type the network path you created previously.
8. Under Permitted to use, click Change. Type the name Everyone, and then click OK.
9. Click OK to start copying the profile. Close all remaining windows and log off the computer when the copying process is complete.
To convert this copied profile (at this point a roaming profile) into a mandatory one, rename the file NTUSER.DAT to NTUSER**.MAN**. This instructs Windows to treat the profile as mandatory and prevents profile changes from being saved at logoff. That’s it: a fresh and clean profile, always ready for your users.
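The rename step as a PowerShell script, followed by a check of which accounts the copy process left with write access to the hive. This is an added example, not part of the original post; the share path and both function names are placeholders chosen here.

```powershell
param(
    # Placeholder: UNC path of the copied profile folder on the Profile$ share.
    [string]$ProfilePath = '\\SERVER\Profile$\Mandatory'
)

# Hypothetical helper: rename NTUSER.DAT to NTUSER.MAN unless already done.
function Convert-ToMandatoryProfile {
    param([Parameter(Mandatory = $true)][string]$Path)
    $dat = Join-Path $Path 'NTUSER.DAT'
    $man = Join-Path $Path 'NTUSER.MAN'
    if (Test-Path -LiteralPath $man) { return $man }
    if (-not (Test-Path -LiteralPath $dat)) {
        throw "No NTUSER.DAT or NTUSER.MAN in $Path"
    }
    # The hive is a hidden file, so -Force is needed to rename it.
    Rename-Item -LiteralPath $dat -NewName 'NTUSER.MAN' -Force
    return $man
}

# Hypothetical helper: list Allow entries that include the right to write
# file data, so you can see what the copy process left on the hive.
function Get-HiveWriteAccess {
    param([Parameter(Mandatory = $true)][string]$HivePath)
    $write = [System.Security.AccessControl.FileSystemRights]::WriteData
    (Get-Acl -LiteralPath $HivePath).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $write) -eq $write
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

$hive = Convert-ToMandatoryProfile -Path $ProfilePath
Write-Output "Mandatory hive: $hive"
Get-HiveWriteAccess -HivePath $hive | Format-Table -AutoSize
```

Run it with an account that can modify files on the share, after the profile copy has finished and the preconfigured user is logged off.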
More info in the TechNet article Managing Roaming User Data Deployment Guide.