Creating a small mandatory profile

[zag]

I am testing out mandatory profiles for the first time, does anyone have a walk through for creating the actual profile.

Basically I am trying to make it as small as possible to reduce network traffic. Our current roaming profiles are about 30mb big and that is too much.

What applications should I load and configure, Is there any software that I need to look out for like adobe stuff?

[elsiegee40]

Before you start - log on as administrator and go into RealPlayer, Quicktime, Acrobat Reader, JRE and check they're updated to where you want/need and test out flash and shockwave (BBC schools stuff is a good bet for making them fall over - I use Little Animals and Science Clips)

I move a mandatory profile user into Users in AD and make them a member of Administrators temporarily.
Go to the profile and rename ntuser.man to ntuser.dat (it's now a normal profile)

Then I logon as the mandatory profile user:
Go into Word, Excel, and set any defaults you use as standard :
e.g. default page size, default font, lose the "automatically create drawing canvas", add the picture toolbar, make default number of worksheets 1...

Go into BBC schools and try out the same flash/shockwave breakers as before - Try out RealPlayer using BBC Radio 2 or something.

Start RealPlayer, Acrobat Reader & QuickTime to make sure any Accept licence agreement stuff has been accepted.

After that, it's your own software

Before I finish, I delete cookies and temporary files to keep everything as small as poss

I go into google and turn Safe Search to its maximum (do this after deleting cookies as its in a cookie!)

After that log off - make the profile mandatory (rename ntuser.dat to ntuser.man) and put your user back where they should be in AD and remove them from Administrators.

[powdarrmonkey]

Walk through the registry and strip out everything that isn't neccessary (there's a whole load of junk in there) and then do the same for the profile's files (there's even more). Redirect *everything* you can - desktop, favourites, cookies, application data, temporary internet files - to a network location accessible to the user, so they don't have to carry the baggage around with them.

[Ryan]

I want to switch to mandatory profiles over summer, so this is very useful.

[elsiegee40]

I have just amended my earlier post to say that you must put Google Safe Search on Maxiximum AFTER you delete cookies - Safe search level is stored in a cookie!

[zag]

Walk through the registry and strip out everything that isn't neccessary (there's a whole load of junk in there) and then do the same for the profile's files (there's even more). Redirect *everything* you can - desktop, favourites, cookies, application data, temporary internet files - to a network location accessible to the user, so they don't have to carry the baggage around with them.

Can you go into a bit more detail on the registry stuff?

I'm trying to get this as small as possible and dont really know what I'm looking at.

[Ryan]

Redirection help would be useful. I have tried to implement this before and was forced to do a monster u-turn as offline files decided to rear its ugly head and screw things up

[Michael]

elsiegee40 is spot on, however one common problem with mandatory profiles is that the home drive is remembered, and of course (most of the time) each user has their own home drive.

The way I get around this, is create a copy of the domain administrator account (called admin2) and within Active Directory, remove the Home Folder directory for admin2. Leave it on Local Path and leave it blank.

When a user (configured to use the mandatory profile) logs on, the logon script will/should create the home directory dynamically without conflicting with any settings saved in the profile, because there's no home directory information saved

[elsiegee40]

elsiegee40 is spot on, however one common problem with mandatory profiles is that the home drive is remembered, and of course (most of the time) each user has their own home drive.

The way I get around this, is create a copy of the domain administrator account (called admin2) and within Active Directory, remove the Home Folder directory for admin2. Leave it on Local Path and leave it blank.

When a user (configured to use the mandatory profile) logs on, the logon script will/should create the home directory dynamically without conflicting with any settings saved in the profile, because there's no home directory information saved

I have absolutely no problem with home drives... the Home drive for each pupil is redirected - using the Profile tab for the pupil in AD

Connect U: to \\servername\intake-nn\%username%

[Michael]

Yes I agree, home drive information in AD and a logon script should usually do the trick, but I've seen it happen many times whereby home drive information stored in the profile (when the profile's being created) create conflicting results, such as home drives not being mapped correctly.

If the administrator account you're creating the profile with has no home drive, then there's nothing to conflict with

[powdarrmonkey]

You can only redirect so much with group policy; for other things, like 'Application Data', 'Desktop' etc you will find a set of registry keys in HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\UserShellFolders.

[Slartibartfast]

You can redirect Application Data and Desktop with Group Policy.

[powdarrmonkey]

you can?

[blacksheep]

The main prob I had was the My Documents redirection (the only redirect I do) it wouldnt work as like previously said it gets stuck on the one it was done on. So the trick is to create the original without and AD policys in effect.
I do shared mandatorys here, saves loads of hassle ( I have 1 for pupils, or 2 as one on each DC so its load balanced)
Also (at least with shared) its important to use the Advanced tabs on My Computer-> propertys to copy the final profile with the right ACLs. You would of though it was a simple matter of setting the ACLs on the resulting files but you are supposed to use this tab to do that (must alter other non file stuff also, maybe the reg hive?)
Also have found redirection occasionally not working (strange message in event log) and if a pupil then saves to my documents and it hasnt redirected its not pretty when they log off! I then use VB to create icons and printers after.

[gshaw]

Just started using mandatory profiles on our workstation PCs (auto logon for adult education) rather than the HDGuard (think Deepfreeze) system we have at the moment. Makes life a lot easier with consistent settings.

I've redirected My Documents, Start Menu and Desktop, stored in Sysvol so it's replicated and won't go down (well if it does then it means AD is broke anyway lol)

If I remember rightly to redirect Favorites in XP \ 2003 you have to use a reg patch, just need to find out what happens if a user adds their own in with mandatory profile - hopefully it'll wipe it on next logon...

There's a step by step guide here, very useful

Mandatory Profiles - EduGeek.net Wiki