Windows Server 2008 R2 Thread, Mandatory profile vs. Fully loaded GPO/GPP... FIGHT! in Technical
  1. #1
    Koldov

    Mandatory profile vs. Fully loaded GPO/GPP... FIGHT!

    Hi All,

    As I can't seem to get a working Windows 7 mandatory profile working, I'm looking for alternatives and it got me thinking...

    What are the benefits of a mandatory profile (with folder redirection) versus a heavily locked down OU?

    Scenario is we only have 13 classes, all children log-on as their class = 13 log-ins and 13 profiles, so storage for each profile on the local PC is a non-issue. All work is stored in their home folder on the server and their PC access is really only on the ICT suite computers. All pupils sit in one OU with one GPO attached.

    I'm aware that going through all the GPOs and GPPs is a massive job to lock it down hard enough for them not to do any damage and close all the little loopholes, but really every turn in making a mandatory profile and folder redirection has hit an error which requires masses more research and trial and error. Obviously there is no black and white way to do anything and everyone has a different opinion on how to achieve it. From white icons, or no Start menu icons, to no wallpaper or not picking up desktop shortcuts! It seems that everything is a problem and I'm not getting any clear, simple, comprehensive answers...

    Time is running out for me to accomplish getting rid of all the XP and I've been driving myself mad trying to work it out, pulling my hair out and losing sleep!

    Can I just put 7 on these PCs and lock down an OU hard enough through GPO to ensure they can't do anything they aren't supposed to?

    Kol.
    Last edited by Koldov; 28th February 2014 at 10:36 AM.

  2. #2
    simpsonj

    I've used this guide to get a machine ready to create a mandatory profile:

    http://idsuwarno.files.wordpress.com...-7-machine.pdf

    Then this to copy the profile and make it mandatory:

    Customize the default local user profile when preparing an image of Windows

    But, in fairness, I tend to have both a mandatory profile and a load of GPOs to lock down students...

  3. #3

    synaesthesia

    Both here too. One of my favourite things about mandatory is no ruddy profile resets when things *will* go tits up for no apparent reason! That and a little extra security due to malware not hiding itself in profile locations. (in conjunction with delprof)

  4. #4
    Koldov

    Quote Originally Posted by simpsonj View Post
    I've used this guide to get a machine ready to create a mandatory profile:

    http://idsuwarno.files.wordpress.com...-7-machine.pdf

    Then this to copy the profile and make it mandatory:

    Customize the default local user profile when preparing an image of Windows

    But, in fairness, I tend to have both a mandatory profile and a load of GPOs to lock down students...
    That is no small undertaking! Ah, bless XP with its 'copy to' button out in the open 'letting it all hang out'!

    So kind of like an nLite thing?

    Quote Originally Posted by synaesthesia View Post
    Both here too. One of my favourite things about mandatory is no ruddy profile resets when things *will* go tits up for no apparent reason! That and a little extra security due to malware not hiding itself in profile locations. (in conjunction with delprof)
    Yeah, the way it was set up here was with XP mandatory profiles and GPOs which I've locked down further since I started.

    I even made a new mandatory profile for XP, just created a user and hit the 'copy to' button. That was after a couple of minutes reading... The profile was small and worked first time!

    It appears 7 is a bit more of a complicated beast. I tried to make a new user, but there is no copy to button... Then I tried another suggestion about just copying the user's folders, then deleting some of it and a bit of registry-fu (it was 70MB, but I can't find out what to lose as it's not well documented because it's unsupported). Anyway this just plain gave me issues, as I guess I deleted some important stuff (trying to get it to 1 or 2MB). So then I got told about folder redirection (especially APPDATA), but sometimes it works, sometimes it doesn't... I've got no Start Menu, no Desktop, white Taskbar icons....

    Kol.

  5. #5
    mrbios

    Quote Originally Posted by Koldov View Post
    Then I tried another suggestion about just copying the user's folders, then deleting some of it and a bit of registry-fu (it was 70MB, but I can't find out what to lose as it's not well documented because it's unsupported). Anyway this just plain gave me issues, as I guess I deleted some important stuff (trying to get it to 1 or 2MB). So then I got told about folder redirection (especially APPDATA), but sometimes it works, sometimes it doesn't... I've got no Start Menu, no Desktop, white Taskbar icons....

    Kol.
    Definitely do it the supported way; don't try the alternative methods as you'll eventually run into headaches later down the line. It takes a little while to get the setup done for the Windows 7 way, but if you use VMware Workstation rather than faffing about with a physical machine (or other VM system like VirtualBox etc.) then it's nice and quick.

    I had an "alternative" method mandatory profile for the first 2 years of Windows 7 here; there was always an issue I could never resolve that drove me mad (it mainly affected wireless devices like laptops). Then I built it the supported way on a whim one day and, lo and behold, not only is the profile tiny, I have absolutely no issues with it. An 816kb mandatory profile that nothing ever gets added to is soooooo much nicer than roaming ones.
    Last edited by mrbios; 28th February 2014 at 02:29 PM.

  6. #6

    As I have understood it, one of the main motivations for using mandatory profiles as opposed to local profiles (e.g. leaving the profile field blank in AD) is to prevent all of the extra bits and pieces running the first time a user logs onto a machine. These can significantly increase the login time, and of course the user might get nagged about setting things up (or invited to take the Windows XP tour, etc).

    Since it appears that your students will be logging in to all of the computers with shared logins, this likely isn't an issue as all of the computers should have a cached profile for each login anyway (assuming you don't clear out profiles on a regular basis). Even with well baked GPOs and everything set up with preferences however, there is still a chance that something could creep into the local profiles; the benefit of mandatory profiles here would be that the registry hive would be restored on each login - you could also zap the cached profiles once a day to try to keep things clean (do mandatory profiles delete files that shouldn't belong at login, or do they just copy down the profile and overwrite as needed?)
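
An added example, not part of any post in this thread: a PowerShell audit of the cached profiles on one workstation, showing which are mandatory or corrupted and which hold script or executable files under AppData, followed by a dry-run cleanup of profiles not in use. The review file-type list and the `Keep` account names are assumptions; `Get-WmiObject` is used so it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the thread). Run elevated on the workstation.

# Win32_UserProfile.Status is a bit field:
#   1 = Temporary, 2 = Roaming, 4 = Mandatory, 8 = Corrupted
function Get-ProfileReport {
    param(
        # Assumed list of file types worth reviewing under AppData; adjust to local policy.
        [string[]]$Review = @('*.exe', '*.scr', '*.bat', '*.cmd', '*.vbs', '*.js', '*.ps1')
    )
    Get-WmiObject -Class Win32_UserProfile | Where-Object { -not $_.Special } | ForEach-Object {
        $appData = Join-Path $_.LocalPath 'AppData'
        $hits = @()
        if (Test-Path $appData) {
            $hits = @(Get-ChildItem -Path $appData -Recurse -Force -Include $Review -ErrorAction SilentlyContinue |
                      Where-Object { -not $_.PSIsContainer })
        }
        New-Object PSObject -Property @{
            Path        = $_.LocalPath
            Loaded      = $_.Loaded
            Mandatory   = [bool]($_.Status -band 4)
            Corrupted   = [bool]($_.Status -band 8)
            ReviewFiles = @($hits | ForEach-Object { $_.FullName })
        }
    }
}

# Remove cached profiles that are not currently loaded (delprof-style cleanup).
# $Keep holds assumed profile folder names that must survive, e.g. the local admin.
function Remove-CachedProfile {
    param([string[]]$Keep = @('Administrator'), [switch]$Apply)
    Get-WmiObject -Class Win32_UserProfile |
        Where-Object {
            -not $_.Special -and -not $_.Loaded -and
            ($Keep -notcontains (Split-Path $_.LocalPath -Leaf))
        } |
        ForEach-Object {
            if ($Apply) { $_.Delete() } else { "Would delete $($_.LocalPath)" }
        }
}

Get-ProfileReport | Sort-Object Path | Format-List Path, Loaded, Mandatory, Corrupted, ReviewFiles
Remove-CachedProfile    # dry run; add -Apply to actually delete
```

Files listed under `ReviewFiles` are candidates for review, not verdicts: some legitimate software installs per-user binaries under AppData.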

  7. #7

    synaesthesia

    For reference, it's been a long time since we created our profiles (and the last new one was a modified copy of the original); we used a tool that ungreyed out the option that allowed you to copy a profile (doable in Windows XP by default but wasn't in 7). Unfortunately I can't remember what that tool was! Fairly sure I'd have found it on here though.

  8. #8
    Koldov

    Thanks, but I'm even having trouble with the 'supported' way!

    Take for example typing 'create a Windows 7 Mandatory Profile' into Google...

    Great! The first hit is a technet.microsoft page, this will tell me all I need!

    Creating a Mandatory User Profile

    Oh wait! First line in and it tells me I should have done this (another link).

    Configuring Standard User Accounts

    Ok I think that will be it... No! Half way down I need to do this...

    Customize the Default User Profile by Using CopyProfile - Which looks like a Windows 8 thing!

    And get this...

    Windows Automated Installation Kit for Windows 7

    Anyway, by this time I'm a bit lost... Unfortunately I'm a 'doing' learner (kinesthetic) and after reading all of that and flicking between pages, it just doesn't sink in. Why can't they put the whole procedure on one page? I'm sure someone has but none of them are 'official' and it always says, 'oh we changed this' or 'you don't need to do this bit' or 'use this bit of 3rd party software to do that bit' AAAAAAAAAGH!

    I don't have any 'clean' installs of 7 and the last one I did took a day due to 168 updates, (and all the other stuff I have to do) let alone installing software, office (more updates) and AV etc... I don't think I have any machines capable of running a VM either...

    MS should know that probably 90% of their Business/Corporate/Education customer base are going to need to do this, why would they make it even half this stupidly long winded? Apparently they took the 'copy to' button out because it took extraneous information with it! Errrr... OK stop it doing that then! XP was not this convoluted...

    Kol.
    Last edited by Koldov; 28th February 2014 at 03:30 PM.

  9. #9
    free780

    Provided you have instructions for the mandatory profile you could just go through them and create the GPO and GPPs.

  10. #10

    MS should know that probably 90% of their Business/Corporate/Education customer base are going to need to do this, why would they make it even half this stupidly long winded?
    You'll have fun trying to get the libraries feature to function as you want it as well... not much in the way of group policy for those. Oh well, at least you don't have to configure the Start Screen or anything like that (yet).

    I think you are going to struggle to get everything tweaked nicely though, without having virtual machines or at least some spare boxes you can rebuild as needed. The whole CopyProfile/sysprep thing being a great example of such a time.

  11. #11
    mrbios

    Quote Originally Posted by Koldov View Post
    Oh wait! First line in and it tells me I should have done this (another link).

    Configuring Standard User Accounts

    Ok I think that will be it... No! Half way down I need to do this...

    Customize the Default User Profile by Using CopyProfile - Which looks like a Windows 8 thing!
    Welcome to Technet, where a step by step guide leads to an unlimited set of pre-requisite guides leaving stressed users lost in a never ending labyrinth of text.

    If you think this one is bad, then go take a look at their step by step systems for setting up AD FS and Office 365 hybrid deployments with an on premise exchange.

  12. #12
    Koldov

    OK, well I've snagged an extra 1GB of RAM from home and am clearing out some HDD space to enable a VM...

    Any recommendations for a free easy to use VM solution? Oracle VirtualBox?

    Kol.

  13. #13

    You won't go too far wrong with Oracle VM VirtualBox, yes. There is also VMware Player, but technically this is for personal/non-commercial use only.

  14. #14
    Koldov

    Cool, so I've got my VM in VirtualBox up and running Windows 7...

    How much configuring do I have to do before I pull the profile from it? I mean should I do all 168 Windows updates? Install AV? Office?

    What is actually going to be copied over in this profile anyway?

    The last time I needed to change something on our old XP profile, I just browsed to it on the server and dropped the 'web shortcut' and a 'favourite' into the required folders and they appeared... How do you get a shortcut to appear when you tell it you want it to go to c:\Program Files\Office while you are on the server and it tells you that shortcut is invalid because you don't have Office installed on the server...?

    Do I put stuff on the Start Menu now? Favourites? Desktop Icons? Or control all of that later via GPO/GPP?

    Kol.

  15. #15
    zag

    Locking down the GPO is the way to go in schools. We completely remove the profile on all users in the school.

    Students don't need profiles. I have no idea why anyone would do that by design in a high user educational environment.


