04 February, 2012

Configuring Mandatory Profiles for Windows 7

Mandatory Profiles: My personal belief is that unless you are hiring undergrads in your company, you should not apply unnecessary restrictions on your employees... Trust them... But then, you know, there are "Corporate Policies"....

As discussed earlier, there are different kinds of User Profiles, and the Mandatory Profile is one of them. As the name suggests, a Mandatory Profile gives users settings that are "mandatory": the profile is loaded from a read-only hive (NTUSER.MAN) and is never written back.

Users can still change settings during a session, BUT the changes are not saved: they are lost as soon as the user logs off and logs back on.

Configuring Mandatory Profiles on Windows Server 2003 was simple. It mostly involved creating a roaming profile and then renaming NTUSER.DAT to NTUSER.MAN. From Windows Vista onwards the behaviour has changed: Vista, Windows 7 and Windows Server 2008 use a new profile format (the profile folder carries a .V2 suffix), so a profile built on an older OS cannot be reused, and the Default profile has to be prepared with Sysprep's CopyProfile setting first.

Let's configure a Mandatory Profile on Windows Server 2008 R2 / Windows 7.

You need a Windows Server 2008 R2 machine (member server or standalone) to do the configuration; the unattend file at the end of this post targets the amd64 Server 2008 R2 image.

NOTE: Make sure this machine is not running any role such as File Server, Print Server, Exchange, SQL, SharePoint, etc. Later on we need to run Sysprep (/generalize) on it, which removes it from the domain, resets machine-specific state and may require Windows to be reactivated. Use a throwaway reference machine or VM.

Log on locally to that server as the built-in Administrator account.

Make sure there is no other user profile on that server (check C:\Users and System Properties > Advanced > User Profiles). Sysprep's CopyProfile expects the Administrator profile to be the only customised profile present.

Configure the desktop (wallpaper, shortcuts, Start menu, application settings) as required. This is exactly what every user of the mandatory profile will get.

Use the XML (unattend) file below when running Sysprep. It sets CopyProfile, which makes Sysprep copy the customised Administrator profile into the Default profile (C:\Users\Default).

The content of the XML file is given at the end of this post.

Run Sysprep with /generalize and the /unattend option pointing at that XML file to perform the copy.

Sysprep /generalize removes the machine from the domain and resets activation state, so Windows may ask you to reactivate afterwards.

This is the Administrator profile (before Sysprep).

After Sysprep, the same data has been copied over to the Default profile (C:\Users\Default).

Create a shared folder on the network into which the Default profile folder from that machine will be copied.

Below is the domain controller that I used to create the "Profiles" folder.

Join the machine back to the domain.

Make sure the Profiles share is accessible from this machine.

Log on to this machine as a domain administrator.

In System Properties > Advanced > User Profiles > Settings you will see the Default Profile.

Highlight Default Profile and click Copy To.

Provide the UNC path of the "Profiles" share created above and append the name of the profile folder with a .V2 suffix (for example \\<server>\Profiles\<name>.V2). The Vista/Windows 7 profile format requires the .V2 suffix on the folder on disk.

Click "Change" under "Permitted to use" and add the "Everyone" group. This is what allows any user to load the hive: Copy To sets the permissions on both the copied folder and the registry hive inside NTUSER.DAT, which is why the profile must be copied with this dialog rather than with a plain file copy (xcopy/robocopy).

Once done, go back to the server hosting the Profiles share and you will see that the contents of the Default profile have been copied.

In that same location, rename NTUSER.DAT to NTUSER.MAN. NTUSER.DAT is a hidden file, so enable "Show hidden files" (or use dir /a) to see it. Then make sure users have only Read access to the profile folder on both the share and NTFS: if users can write to NTUSER.MAN, any one of them can alter the profile that every mandatory-profile user loads, and the profile is no longer mandatory in any meaningful sense.

Remember that this is the network location (the share) where the profile was copied, not C:\Users\Default on the reference machine.

In the user's properties (Active Directory Users and Computers > Profile tab), enter the path of the profile folder.

Do not append ".V2" to the profile path here: Windows Vista/7/2008 add the .V2 suffix automatically when resolving the folder, so \\<server>\Profiles\<name> in the user's properties maps to \\<server>\Profiles\<name>.V2 on disk.

Now log on as the user on the member server.

You should see the same desktop and data that you configured in the Administrator profile.

Now delete some data, create some data, then log off and log back on.

After logging back on, the data you deleted is back and the data you created is gone: the profile is mandatory.

Open the User Profiles settings on that machine and you will see the profile type listed as "Mandatory".
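The whole procedure above as a PowerShell script, added here as an example and not part of the original post. It is split by the machine on which each part runs (reference machine, file server, domain controller, test client). Every server, share, folder and account name in it (C:\Profiles, the "Profiles" share, the "Mandatory" profile name, the "fileserver" host, the "testuser" account, C:\unattend.xml) is an assumed placeholder; change them to match your environment. The Copy To step itself is deliberately left to the GUI, because that dialog also fixes up the permissions inside the copied registry hive.

```powershell
# Added example (not from the original post). All names below are assumptions.

# ---------- 1. Reference machine (Server 2008 R2, logged on as built-in Administrator) ----------

# Pre-checks before Sysprep: only the Administrator profile (plus Default) should exist,
# and no server role should be installed, because /generalize will reset the box.
Get-WmiObject Win32_UserProfile |
    Where-Object { -not $_.Special } |              # skip SYSTEM/LocalService/NetworkService
    Select-Object LocalPath, LastUseTime |
    Format-Table -AutoSize                           # expect only C:\Users\Administrator
Import-Module ServerManager
Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }   # expect nothing

# Sysprep with the unattend file from the end of the post (assumed saved as C:\unattend.xml).
# /generalize is what triggers CopyProfile (Administrator -> C:\Users\Default); it also
# drops the domain membership and resets activation, exactly as the post warns.
& "$env:SystemRoot\System32\sysprep\sysprep.exe" /generalize /oobe /reboot /unattend:C:\unattend.xml

# ---------- 2. File server (the post used a domain controller) ----------
$ProfileRoot = 'C:\Profiles'                        # assumed local path of the share
$ShareName   = 'Profiles'
$ProfileName = 'Mandatory'                          # assumed profile folder name, without .V2
$ProfileDir  = Join-Path $ProfileRoot "$ProfileName.V2"

New-Item -ItemType Directory -Path $ProfileRoot -Force | Out-Null
# Share permissions: a mandatory profile is only ever read, so users get READ, not CHANGE/FULL.
# (Arguments are quoted so PowerShell does not split them on the comma.)
net share "$ShareName=$ProfileRoot" '/GRANT:Administrators,FULL' '/GRANT:Everyone,READ'

# >>> Now rejoin the reference machine to the domain, log on as a domain admin and use
# >>> System Properties > User Profiles > Default Profile > Copy To, target
# >>> \\fileserver\Profiles\Mandatory.V2 with "Permitted to use" = Everyone. <<<

# After Copy To: rename the hive so the profile becomes mandatory (NTUSER.DAT is hidden, hence -Force).
Rename-Item -Path (Join-Path $ProfileDir 'NTUSER.DAT') -NewName 'NTUSER.MAN' -Force

# Tighten NTFS permissions. Copy To leaves the folder writable by the principal you picked
# (Everyone). A writable NTUSER.MAN lets any user change the profile every mandatory user
# loads, so replace the ACL with read-only access for users; /T applies it to the contents.
icacls $ProfileDir /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'Authenticated Users:(OI)(CI)RX' /T

# ---------- 3. Any machine with the Active Directory PowerShell module ----------
Import-Module ActiveDirectory
$FileServer  = 'fileserver'                         # assumed host name of the share
$ProfilePath = "\\$FileServer\$ShareName\$ProfileName"   # NO .V2 here: Windows 7/2008 append it
Set-ADUser -Identity 'testuser' -ProfilePath $ProfilePath # 'testuser' is an assumed account

# ---------- 4. Verify on the machine where testuser logged on ----------
# Win32_UserProfile.Status is a bit mask: 1 = temporary, 2 = roaming, 4 = mandatory, 8 = corrupted.
Get-WmiObject Win32_UserProfile |
    Where-Object { $_.LocalPath -like '*\testuser' } |
    ForEach-Object { '{0}: mandatory={1}' -f $_.LocalPath, (($_.Status -band 4) -ne 0) }
```

If step 4 reports mandatory=False, the usual causes are a profile path in AD that already ends in .V2 (so the client looks for Mandatory.V2.V2), the hive still being named NTUSER.DAT, or the user not being able to read the share; if it reports a temporary profile (bit 1), check the share and NTFS read permissions first.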

XML (unattend) File used with Sysprep

<?xml version="1.0" encoding="utf-8" ?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <!-- CopyProfile is the setting that makes Sysprep copy the customised Administrator
           profile into C:\Users\Default. The post's copy of the file breaks off after the
           offlineImage line; the CopyProfile element and the closing tags below follow the
           standard layout of a CopyProfile unattend file. -->
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
  <cpi:offlineImage cpi:source="catalog://win-hk9vmr49pqs/cusers/administrator/desktop/install_windows server 2008 r2 serverenterprise.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>