Seems like a really n00b question, but having followed the MS guide on how to create a mandatory profile and putting it on a test server, I can't figure out if it has worked or not...
I didn't really customise it as such (desktop, shortcuts etc.) as I was advised to redirect this and GPO that, I did the Office, IE and media player first runs. So although I do know it is a working mandatory profile due to me renaming .dat to .man and it not being able to save changes, when I log on as the test user it goes through some settings...
Setting up personalized settings for:
Web Platform Customizations
Microsoft Windows Media Player
Browser Customizations... and a few others that flash past too quickly!
It also does a Media Player set up and tries to take me to a 'go.microsoft' webpage on opening IE... All things I thought I'd done on the PC I took the default profile from.
I take it this means it didn't copy my test profile correctly to the 'default' profile?
Have you redirected any other folders? If not, then add something to the Start Menu or Favorites folder of your Mandatory profile. If they appear when you login with an account using that Mandatory profile then it's probably safe to assume it's worked!
Which I liked, had a couple of issues but 'think' I worked them out...
Copied out the 'new' default profile up to my test server and logged on to a workstation.
It seems to have worked fine and due to the fact .dat was changed to .man and the profile folder is read-only it disregards changes as it should (you know, could this work with a .dat and just a read-only folder?). There was a test document on the desktop which also replicated to the new profile desktop.
Thing is, as stated above in a previous post, there are some first run things happening on Media Player and IE... Does this happen with your mandatory profiles? Because I'm sure I ran them in the profile before I saved it...
Anyway, I've seen on a previous post that someone had created a profile by leaving .dat and the ability to write back to the profile on the server, make the changes actually in the profile whilst logged on, log off and change it back to read-only and .man...
So I did this, went through the first-runs and made it mandatory again. Well it worked, no more first-run screens but the question is if I'm going to see any issues from this procedure?
You'll most likely see issues when you try to login with a different user account using the same mandatory profile. I almost guarantee it won't work (that was the way it used to work with XP, much simpler days).
The first run issues I think do occur with mandatory profiles because they aren't saved anywhere useful in the profile (at least, not as far as I'm aware of) and are more likely to be registry changes. There is a group policy that prevents the IE welcome screen, not sure about Media player as I never use it, preferring VLC across the school.
OK so I tested it and it didn't work for the 2nd user I assigned this mandatory profile to and then also wouldn't let the 1st user log in either... Whoops!
However, I deleted the locally cached copy of the profile (which it must have corrupted as you say) and then logged on as both users and it seems to work fine (with no first-run screens). Will test it further, but seems to work.
Interesting, hope it works for you. I remember rebuilding to Windows 7 over the summer holidays, creating a mandatory profile the XP way, and watching in horror on the first day of term as no students could logon. That was a bit of a pressure situation to get a working profile!
Erm, yeah, about that... I'm a bit of a dummy with permissions
Especially when it gets past the basics into 'inheritable, descendants, special, effective'.
If I read you right, loading the ntuser.man hive and right-clicking on it and selecting permissions (the only tab is security) it seems 'everyone' has full control, the 'effective permissions' seem to show 'everyone' has every permission going.
Not sure how to check if this is propagated down.
Need a quick permissions 101 or a step-by-step if anyone has a little time...
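
One way to check the propagation asked about above, as an added example that is not part of the original thread: it loads the ntuser.man hive and reports every subkey that has inheritance disabled or lacks the full-control entry for 'everyone' seen on the top key. The hive path and the temporary mount name are placeholders.

```powershell
# Added example. $HivePath and $MountName are placeholders, not values from the thread.
$HivePath    = 'D:\Profiles\Mandatory\ntuser.man'   # placeholder: path to the mandatory profile hive
$MountName   = 'MandatoryCheck'                      # placeholder: temporary key name under HKEY_USERS
$EveryoneSid = 'S-1-1-0'                             # well-known SID of the Everyone group
$Full        = [System.Security.AccessControl.RegistryRights]::FullControl
$SidType     = [System.Security.Principal.SecurityIdentifier]

# Load the hive under HKEY_USERS (run from an elevated prompt).
& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

try {
    $root    = "Registry::HKEY_USERS\$MountName"
    $subkeys = Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue
    $checked = 0
    $findings = foreach ($key in $subkeys) {
        $checked++
        try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
        catch {
            [pscustomobject]@{ Key = $key.Name; Problem = "ACL unreadable: $($_.Exception.Message)" }
            continue
        }
        # Allow entries for Everyone, explicit and inherited, matched by SID
        # so the check also works on non-English systems.
        $allow = $acl.GetAccessRules($true, $true, $SidType) | Where-Object {
            $_.IdentityReference.Value -eq $EveryoneSid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band $Full) -eq $Full
        }
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Key = $key.Name; Problem = 'Inheritance disabled on this key' }
        }
        if (-not $allow) {
            [pscustomobject]@{ Key = $key.Name; Problem = 'No full-control entry for Everyone' }
        }
    }
    $findings | Format-Table -AutoSize -Wrap
    "{0} subkeys checked, {1} findings" -f $checked, @($findings).Count
}
finally {
    # Release open key handles, otherwise reg unload fails with access denied.
    $subkeys = $null; $key = $null
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
}
```

An empty findings table means every subkey that could be read carries the same full-control entry and inherits from its parent.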