Mandatory Profiles: My personal belief is that until you are hiring under-grads in your company, you should not apply unnecessary restrictions on your employees... Trust them... But then you know that there are "Corporate Policies"....
As discussed earlier, there are different kinds of User Profiles, and the Mandatory Profile is one of them. As the name suggests, Mandatory Profiles give users settings which are "Mandatory".
Users can change the settings, but the changes are not permanent: they are lost once the user logs off and logs back in.
Configuring Mandatory Profiles in Windows 2003 was simple. It mainly involved creating a roaming profile and then renaming NTUSER.DAT to NTUSER.MAN. But from Windows Vista onwards, the behaviour has changed...
Let's configure a Mandatory Profile on Windows 2008/Windows 7
You need a Windows 2008 Server (Member Server/Standalone Machine) to do the configuration.
NOTE: Make sure this machine is not a server running a role such as File Server/Print Server/Exchange/SQL/SharePoint/etc., because later on we need to run SYSPREP on this machine, which will disjoin it from the domain and might even require us to reactivate it.
Log on locally to that server as the built-in administrator
Make sure you do not have any other profile on that server
Configure the desktop as per your requirement
Use the following XML file to run SYSPREP. This file will copy the data of the administrator profile into the Default Profile
The content of the XML file is added at the end of this post
Run the following command to execute SYSPREP
Sysprep will disjoin the machine from the domain and may even ask you to reactivate Windows
This is the administrator profile
The same data is copied over to the default profile
Create a Shared Folder on the Network where the default profile folder from that machine will be copied
Below is the domain controller that I have used to create the “Profiles” folder
Join the machine back to the domain
Make sure you are able to access the Profile folder from this machine
Log on to this machine as a domain administrator
In system properties, you will be able to view the Default Profile
Highlight Default Profile and use Copy To
Provide the path of the “Profiles” folder that we created above and specify the folder name with a .v2 suffix (folder.v2) inside it
Click “Change” under “Permitted to use” and add the “Everyone” group
Once done, go back to the server on which you created the profiles share and you will see that the contents of the default profile have been copied
In the same location, rename NTUSER.DAT to NTUSER.MAN
Please remember that this is the network location where the profile was copied
In the user's properties, enter the path of the profile folder
Do not add “.V2” after the profile name in this path
Now log on as the user on the member server
You should be able to get the same data that you configured in the administrator profile
Now try to delete some data and add some data, then log off and log back in
Once you log back on as the user, you will see that the data you deleted has come back and the data you created is gone (Mandatory Profile)
Go into the User Profile setting on that machine and you will see that the type of profile is “Mandatory”
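A post-configuration check for the steps above, as an added example that is not part of the original post: it confirms that the copied folder carries the .v2 suffix, that NTUSER.DAT was renamed to NTUSER.MAN, and it lists ACEs that let broad groups modify the shared profile that every assigned user loads. The UNC path, the function name Test-MandatoryProfile and the English group names are assumptions.

```powershell
# Added example: verify a mandatory profile folder after the steps above.
# The default path is a placeholder, not a value from the post.
function Test-MandatoryProfile {
    param([string]$Path = '\\SERVER\Profiles\Mandatory.v2')

    $findings = @()

    # The folder on the share carries the .v2 suffix; the path on the user object does not.
    if ($Path -notmatch '\.v2$') {
        $findings += "Folder name does not end in .v2: $Path"
    }

    # The hive must be NTUSER.MAN; a remaining NTUSER.DAT means the rename was skipped.
    $man = Join-Path $Path 'NTUSER.MAN'
    $dat = Join-Path $Path 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $man)) { $findings += 'NTUSER.MAN not found' }
    if (Test-Path -LiteralPath $dat)        { $findings += 'NTUSER.DAT still present' }

    # Rights that allow changing the shared profile, plus the raw
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $mask   = [int]$rights -bor 0x40000000 -bor 0x10000000
    # English names of broad groups (assumption; localized systems differ).
    $broad  = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|.+\\Domain Users)$'

    foreach ($target in @($Path, $man)) {
        if (-not (Test-Path -LiteralPath $target)) { continue }
        foreach ($ace in (Get-Acl -Path $target).Access) {
            $isAllow = $ace.AccessControlType -eq 'Allow'
            $isBroad = $ace.IdentityReference.Value -match $broad
            $canEdit = ([int]$ace.FileSystemRights -band $mask) -ne 0
            if ($isAllow -and $isBroad -and $canEdit) {
                $findings += "$target : $($ace.IdentityReference) has $($ace.FileSystemRights)"
            }
        }
    }

    if ($findings.Count -eq 0) { 'OK: no findings' } else { $findings }
}

# Example call with the placeholder path; replace it with your own share.
Test-MandatoryProfile -Path '\\SERVER\Profiles\Mandatory.v2'
```

Run it as an administrator who can read the share; any line it prints for a broad group is an NTFS permission to review on the profile folder or the hive.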
XML File
<?xml version="1.0" encoding="utf-8" ?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <CopyProfile>true</CopyProfile>
        </component>
    </settings>
    <cpi:offlineImage cpi:source="catalog://win-hk9vmr49pqs/cusers/administrator/desktop/install_windows server 2008 r2 serverenterprise.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>