Forced Mandatory Profiles (a.k.a. Super-Mandatory)
Mandatory Profiles are not always enforced: if the server is down or a user unplugs their network cable, the Mandatory Profile does not load. Instead, the user gets the Local Default User Profile. This is a potential security problem and possibly a violation of your corporate policy.
In instances like this, you need to decide which is more important: that a user can always log on (and gets the Default Local User Profile), or that a user who cannot get the Mandatory Profile does not get to log on at all. Microsoft calls this type of profile “Super-Mandatory.” In Figure 9.30 earlier, we used a folder named allnurses as our Mandatory Profile folder. We can take this a step further and ensure that no user assigned the allnurses folder can log on unless they can connect to the share on the server.
Don’t forget: profiles are different for Type 1 (pre–Windows Vista) and Type 2 (Windows Vista and later). To that end, you’ll need to set up Mandatory Profiles that fit for each type.
To force users who log onto Windows Vista and later to use a Mandatory Profile or lose the ability to log on, you first rename the allnurses.v2 folder so that its suffix is .man.v2 instead. So, the final folder name will be allnurses.man.v2.
To force users to use the Mandatory Profile, or lose logon capability, simply follow these steps:
- Create a Mandatory Profile as described earlier, including renaming the NTUSER.DAT to NTUSER.MAN.
- For Windows XP machines, rename the entire folder from allnurses to allnurses.man. For Windows Vista and later machines, rename the entire folder from allnurses.v2 to allnurses.man.v2.
- Change the affected users’ Profile tabs to point to the new location, such as \\Dc01\profiles\allnurses.man, as shown in Figure 9.34.
Once the forced Mandatory Profile is introduced onto a system, the system always checks to see if the profile is available.
If the forced Mandatory Profile is unavailable, the user is not permitted to log on.
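The three steps above, scripted for the profile server and Active Directory. This is an added example, not code from the book: it assumes the profiles live on \\Dc01\profiles, that the ActiveDirectory PowerShell module is installed where it runs, and that the user accounts in $Users (nurse01, nurse02) are constructed sample names.

```powershell
# Added example: turn an existing Mandatory Profile folder into a forced (super-mandatory)
# one and repoint the affected users' Profile tab at it.
# Assumptions: share \\Dc01\profiles, ActiveDirectory module available, sample accounts below.
param(
    [string]$ProfileRoot   = '\\Dc01\profiles',
    [string]$ProfileName   = 'allnurses',
    [string]$VersionSuffix = 'v2',   # Type 2 (Vista and later) per the text; use '' for Type 1 (XP)
    [string[]]$Users       = @('nurse01', 'nurse02')   # constructed sample accounts
)

Import-Module ActiveDirectory

# Source folder is allnurses (Type 1) or allnurses.v2 (Type 2);
# target folder is allnurses.man or allnurses.man.v2.
$srcName = if ($VersionSuffix) { "$ProfileName.$VersionSuffix" }     else { $ProfileName }
$dstName = if ($VersionSuffix) { "$ProfileName.man.$VersionSuffix" } else { "$ProfileName.man" }
$srcPath = Join-Path $ProfileRoot $srcName
$dstPath = Join-Path $ProfileRoot $dstName

if (-not (Test-Path $srcPath)) { throw "Profile folder not found: $srcPath" }
if (Test-Path $dstPath)        { throw "Target folder already exists: $dstPath" }

# Step 1: the hive must be NTUSER.MAN so the profile is read-only (mandatory).
# NTUSER.DAT is a hidden file; Test-Path and Rename-Item handle hidden files by explicit path.
$dat = Join-Path $srcPath 'NTUSER.DAT'
$man = Join-Path $srcPath 'NTUSER.MAN'
if (Test-Path $dat) {
    Rename-Item -Path $dat -NewName 'NTUSER.MAN'
} elseif (-not (Test-Path $man)) {
    throw "Neither NTUSER.DAT nor NTUSER.MAN found in $srcPath"
}

# Step 2: the .man folder suffix is what makes the profile super-mandatory:
# if this folder cannot be reached at logon, the user is refused instead of
# falling back to the Local Default User Profile.
Rename-Item -Path $srcPath -NewName $dstName

# Step 3: point each user's Profile tab at the new location. The path on the Profile
# tab carries only the .man suffix (\\Dc01\profiles\allnurses.man); Windows appends
# the .v2 suffix itself when it looks the folder up.
$profileTabPath = Join-Path $ProfileRoot "$ProfileName.man"
foreach ($u in $Users) {
    Set-ADUser -Identity $u -ProfilePath $profileTabPath
}

# Verification: show what each account now points at.
$Users | Get-ADUser -Properties ProfilePath | Select-Object SamAccountName, ProfilePath
```

Run it once per profile folder from a session that has write access to the share and rights to modify the user objects; the two throw checks stop it before anything is renamed if the folder layout is not what the text describes.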
Note: Technically, you can couple a Mandatory Profile with the "Log users off when roaming profile fails" policy setting to create the same effect. However, the method detailed here is preferred. (Source, p611)