Windows Server 2008 R2 Thread, Mandatory profile vs. Fully loaded GPO/GPP... FIGHT! in Technical; Hi All,
28th February 2014, 10:34 AM #1
Mandatory profile vs. Fully loaded GPO/GPP... FIGHT!
As I can't seem to get a working Windows 7 mandatory profile working, I'm looking for alternatives and it got me thinking...
What are the benefits of a mandatory profile (with folder redirection) versus a heavily locked down OU?
Scenario is we only have 13 classes, all children log-on as their class = 13 log-ins and 13 profiles, so storage for each profile on the local PC is a non-issue. All work is stored in their home folder on the server and their PC access is really only on the ICT suite computers. All pupils sit in one OU with one GPO attached.
I'm aware that going through all the GPOs and GPPs is a massive job to lock it down hard enough for them not to do any damage and close all the little loopholes, but really every turn in making a mandatory profile and folder redirection has hit an error which requires masses more research and trial and error. Obviously there is no black and white way to do anything and everyone has a different opinion on how to achieve it. From white icons, or no Start menu icons, to no wallpaper or not picking up desktop shortcuts! It seems that everything is a problem and I'm not getting any clear, simple, comprehensive answers...
Time is running out for me to accomplish getting rid of all the XP and I've been driving myself mad trying to work it out, pulling my hair out and losing sleep!
Can I just put 7 on these PCs and lock down an OU hard enough through GPO to ensure they can't do anything they aren't supposed to?
Last edited by Koldov; 28th February 2014 at 10:36 AM.
28th February 2014, 11:39 AM #2
I've used this guide to get a machine ready to create a mandatory profile:
Then this to copy the profile and make it mandatory:
Customize the default local user profile when preparing an image of Windows
But, in fairness, I tend to have both a mandatory profile and a load of GPOs to lock down students...
28th February 2014, 11:41 AM #3
Both here too. One of my favourite things about mandatory is no ruddy profile resets when things *will* go tits up for no apparent reason! That and a little extra security due to malware not hiding itself in profile locations. (in conjunction with delprof)
28th February 2014, 02:09 PM #4
That is no small undertaking! Ah, bless XP with its 'copy to' button out in the open 'letting it all hang out'!
Originally Posted by simpsonj
So kind of like an nLite thing?
Yeah, the way it was set up here was with XP mandatory profiles and GPOs which I've locked down further since I started.
Originally Posted by synaesthesia
I even made a new mandatory profile for XP, just created a user and hit the 'copy to' button. That was after a couple of minutes reading... The profile was small and worked first time!
It appears 7 is a bit more of a complicated beast. I tried to make a new user, but there is no copy to button... Then I tried another suggestion about just copying the user's folders, then deleting some of it and a bit of registry-fu (it was 70MB, but I can't find out what to lose as it's not well documented because it's unsupported). Anyway this just plain gave me issues, as I guess I deleted some important stuff (trying to get it to 1 or 2MB). So then I got told about folder redirection (especially APPDATA), but sometimes it works, sometimes it doesn't... I've got no Start Menu, no Desktop, white Taskbar icons....
28th February 2014, 02:28 PM #5
Definitely do it the supported way; don't try the alternative methods as you'll eventually run into headaches later down the line. It takes a little while to get the setup done for the Windows 7 way, but if you use VMware Workstation rather than faffing about with a physical machine (or other VM system like VirtualBox etc.) then it's nice and quick.
Originally Posted by Koldov
I had an "alternative" method mandatory profile for the first 2 years of Windows 7 here; there was always an issue I could never resolve that drove me mad (it mainly affected wireless devices like laptops). Then I built it the supported way on a whim one day, and lo and behold, not only is the profile tiny, I have absolutely no issues with it. 816kb mandatory profile that nothing ever gets added to is soooooo much nicer than roaming ones.
Last edited by mrbios; 28th February 2014 at 02:29 PM.
28th February 2014, 03:05 PM #6
As I have understood it, one of the main motivations for using mandatory profiles as opposed to local profiles (e.g. leaving the profile field blank in AD) is to prevent all of the extra bits and pieces running the first time a user logs onto a machine. These can significantly increase the login time, and of course the user might get nagged about setting things up (or invited to take the Windows XP tour, etc).
Since it appears that your students will be logging in to all of the computers with shared logins, this likely isn't an issue as all of the computers should have a cached profile for each login anyway (assuming you don't clear out profiles on a regular basis). Even with well baked GPOs and everything set up with preferences however, there is still a chance that something could creep into the local profiles; the benefit of mandatory profiles here would be that the registry hive would be restored on each login - you could also zap the cached profiles once a day to try to keep things clean (do mandatory profiles delete files that shouldn't belong at login, or do they just copy down the profile and overwrite as needed?)
28th February 2014, 03:11 PM #7
For reference, it's been a long time since we created our profiles (and the last new one was a modified copy of the original) we used a tool that ungreyed out the option that allowed you to copy a profile (doable in windows XP by default but wasn't in 7). Unfortunately I can't remember what that tool was! Fairly sure I'd have found it on here though.
28th February 2014, 03:26 PM #8
Thanks, but I'm even having trouble with the 'supported' way!
Take for example typing 'create a Windows 7 Mandatory Profile' into Google...
Great! The first hit is a technet.microsoft page, this will tell me all I need!
Creating a Mandatory User Profile
Oh wait! First line in and it tells me I should have done this (another link).
Configuring Standard User Accounts
Ok I think that will be it... No! Half way down I need to do this...
Customize the Default User Profile by Using CopyProfile - Which looks like a Windows 8 thing!
And get this...
Windows Automated Installation Kit for Windows 7
Anyway, by this time I'm a bit lost... Unfortunately I'm a 'doing' learner (kinesthetic) and after reading all of that and flicking between pages, it just doesn't sink in. Why can't they put the whole procedure on one page. I'm sure someone has but none of them are 'official' and it always says, 'oh we changed this' or 'you don't need to do this bit' or 'use this bit of 3rd party software to do that bit' AAAAAAAAAGH!
I don't have any 'clean' installs of 7 and the last one I did took a day due to 168 updates, (and all the other stuff I have to do) let alone installing software, office (more updates) and AV etc... I don't think I have any machines capable of running a VM either...
MS should know that probably 90% of their Business/Corporate/Education customer base are going to need to do this, why would they make it even half this stupidly long winded. Apparently they took the 'copy to' button out because it took extraneous information with it! Errrr... OK stop it doing that then! XP was not this convoluted...
Last edited by Koldov; 28th February 2014 at 03:30 PM.
28th February 2014, 03:51 PM #9
Provided you have instructions for the mandatory profile you could just go through them and create the gpo and gpps.
28th February 2014, 03:54 PM #10
You'll have fun trying to get the libraries feature to function as you want it as well... not much in the way of group policy for those. Oh well, at least you don't have to configure the Start Screen or anything like that (yet).
MS should know that probably 90% of their Business/Corporate/Education customer base are going to need to do this, why would they make it even half this stupidly long winded.
I think you are going to struggle to get everything tweaked nicely though, without having virtual machines or at least some spare boxes you can rebuild as needed. The whole CopyProfile/sysprep thing being a great example of such a time.
28th February 2014, 04:26 PM #11
3rd March 2014, 12:31 PM #12
OK, well I've snagged an extra 1GB of ram from home and am clearing out some HDD space to enable a VM...
Any recommendations for a free easy to use VM solution? Oracle Virtual Box?
3rd March 2014, 12:36 PM #13
You won't go too far wrong with Oracle VM VirtualBox, yes. There is also VMware Player, but technically this is for personal/non-commercial use only.
4th March 2014, 02:40 PM #14
Cool, so I've got my VM in Virtual Box up and running Windows 7...
How much configuring do I have to do before I pull the profile from it? I mean should I do all 168 Windows updates? Install AV? Office?
What is actually going to be copied over in this profile anyway?
The last time I needed to change something on our old XP profile, I just browsed to it on the server and dropped the 'web shortcut' and a 'favourite' into the required folders and they appeared... How do you get a shortcut to appear when you tell it you want it to go to c:\Program Files\Office while you are on the server and it tells you that shortcut is invalid because you don't have Office installed on the server...?
Do I put stuff on the Start Menu now? Favourites? Desktop Icons? Or control all of that later via GPO/GPP?
4th March 2014, 02:47 PM #15
Locking down the GPO is the way to go in schools. We completely remove the profile on all users in the school.
Students don't need profiles. I have no idea why anyone would do that by design in a high user educational environment.