+ Post New Thread
Page 2 of 5 FirstFirst 12345 LastLast
Results 16 to 30 of 62
Windows Thread, Locking down desktops and mandatory profiles in Technical; Thanks all for the latest replies. That clarifies things regarding NTUser.MAN. I'd still be interested in a specific GPO setting ...
  1. #16

    Join Date
    Sep 2005
    Location
    Gloucestershire
    Posts
    8
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Locking down desktops and mandatory profiles

    Thanks all for the latest replies. That clarifies things regarding NTUser.MAN. I'd still be interested in a specific GPO setting that stops icons being added to or moved on the desktop. I can't spot it and I've tried a fair few as well.

    Andy

  2. #17

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,803
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Locking down desktops and mandatory profiles

    The following setting stops things like moving the taskbar and quick bars around.

    http://msdn.microsoft.com/library/de...-us/gp/126.asp

    For the actual desktop and shortcuts I use folder redirection and set the folder permissions to read only. This also works for the start menu.

  3. #18
    OverWorked's Avatar
    Join Date
    Jul 2005
    Location
    N. Yorks
    Posts
    1,014
    Thank Post
    198
    Thanked 42 Times in 34 Posts
    Rep Power
    30

    Re: Locking down desktops and mandatory profiles

    I agree with ICTNUT, except I don't know what he means when he says there's no profiles. I don't see how it's possible to do without profiles.

    I used to use a mandatory profile (ntuser.man) but it caused a lot of problems. I now have a desktop heavily locked down with GP, and roaming profiles. It works for me.

    As for the desktop: Just use folder redirection to redirect the all the pupils' desktops to a single shared folder. Make it 'read only' to them with NTFS permissions. Do the same with the start menu folder. This is what I do.

    Andrew - I'll send you a dump of my pupils group policy object giving a thoroughly locked down desktop.

    To summarise, use roaming profiles and GPO's to lock down the desktop. That's my advice anyway - it works for me.

  4. #19

    Join Date
    Sep 2005
    Location
    Gloucestershire
    Posts
    8
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Locking down desktops and mandatory profiles

    Quote Originally Posted by OverWorked
    Andrew - I'll send you a dump of my pupils group policy object giving a thoroughly locked down desktop.
    Thanks for all the extra feedback. I've sent you an email with my address details.

    Regards

    Andy

  5. #20
    OverWorked's Avatar
    Join Date
    Jul 2005
    Location
    N. Yorks
    Posts
    1,014
    Thank Post
    198
    Thanked 42 Times in 34 Posts
    Rep Power
    30

    Re: Locking down desktops and mandatory profiles

    It's on its way.

  6. #21

    Join Date
    Jun 2005
    Location
    Leeds
    Posts
    113
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: Locking down desktops and mandatory profiles

    it's certainly possible

    ran a place with 2500 kids and 800 workstations in this manner

  7. #22
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: Locking down desktops and mandatory profiles

    @ICTNUT:

    If you don't configure roaming profiles, what happens to any information stored in the user registry when users log off? Do you use the same strategy form staff and students?

  8. #23

    Dos_Box's Avatar
    Join Date
    Jun 2005
    Location
    Preston, Lancashire
    Posts
    9,011
    Thank Post
    613
    Thanked 2,194 Times in 1,006 Posts
    Blog Entries
    23
    Rep Power
    632

    Re: Locking down desktops and mandatory profiles

    The way it works with AD is that a local profile is created using the default user profile as a template. This profile will be created on every PC they logon to from the local defualt user profile, or the network one if specified. As for the registry, that is what GPOs are. A customised registry for every user. The AD user logs on, takes whatever settings are set for the default user, including printers etc and creates a ntuser.dat file in the local profile. The rest of the profile information is provided via GPOs from active directory, and these will change as and when the GPO does. When the next user logs on they will have a different registary loaded for them depending on their group policy membership. Think of it as a new registery being loaded for every user.

  9. #24
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: Locking down desktops and mandatory profiles

    Yes, but what I'm getting at is that when a user has a roaming profile, any changes he makes to his environment are saved in his personal registry. These settings are then available at any PC he logs on to. It would seem that unless you use roaming profiles (even if you redirect every possible folder; MyDocs,Desktop,StartMenu,AppData), anything saved in the user registry will be lost when the user logs off.

    I wonder what the effect of this will be on applications like Microsoft Office, which install a significant number of user registry entries (courtesy of Windows Installer). Will these entries be recreated each time the user logs onto a new PC?

  10. #25

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,592
    Thank Post
    109
    Thanked 769 Times in 598 Posts
    Rep Power
    181

    Re: Locking down desktops and mandatory profiles

    @ajbritton: You are correct, these changes are lost. This is precisely why you configure the 'Default User' profile by simply running and configuring all the apps first.

    When a user logs on, the Default User profile is loaded (loading your standard settings) and you then delete the local user profile on logoff.

  11. #26

    Dos_Box's Avatar
    Join Date
    Jun 2005
    Location
    Preston, Lancashire
    Posts
    9,011
    Thank Post
    613
    Thanked 2,194 Times in 1,006 Posts
    Blog Entries
    23
    Rep Power
    632

    Re: Locking down desktops and mandatory profiles

    All together now...roaming profiles are evil, roaming profiles are evil, roaming profiles are evil.
    Repeat ad nausiem

  12. #27
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: Locking down desktops and mandatory profiles

    OK, I'm getting there...

    When I have used roaming/mandatory profiles, I have enabled to policy which automatically deletes local copies of roaming profiles. This presumably would have no effect on 'local' profiles. Each PC therefore will accumulate a set of profiles unless they are deleted in some way. What's the best course here? Leave them or delete them? If delete, what's the best way to automate it?

  13. #28

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,803
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Locking down desktops and mandatory profiles

    I use Remote Profile Cleaner.

    http://www.no-nonsens.nl/

  14. #29
    mark's Avatar
    Join Date
    Jun 2005
    Posts
    3,966
    Thank Post
    248
    Thanked 49 Times in 45 Posts
    Blog Entries
    2
    Rep Power
    46

    Re: Locking down desktops and mandatory profiles

    Thanks for that link Geoff. Blimey this is such a complicated subject! I have roaming profiles still. Are the policies left in place on each PC then local profiles - or am I confusing things here? I have the GPO setting on to delete cached copies of roaming profiles. I don't have instaled tho' the UPHClean utility, but still, it seems all users in some new machines i've added are filling up with everyone that's logged in's profiles.

  15. #30
    tarquel's Avatar
    Join Date
    Jun 2005
    Location
    Powys, Mid-Wales, UK
    Posts
    1,740
    Thank Post
    13
    Thanked 45 Times in 35 Posts
    Rep Power
    29

    Re: Locking down desktops and mandatory profiles

    *big eye rolling*

    Havent we already talked about this?

    @the people (DB :P) not using roaming profiles:

    so what about when people open office for the first time? I take it that by opening it in the locally created default user (or network one) you achive this but imagine if you forget when creating a new image (or images)? the complaints soon would flood in.

    Same goes with other apps that have to be run and go through a "mini-config" setup on first run (like office does).

    Much easier to use roaming profiles I think (for those forgetful and time-limited ppl like myself hehe) - the users dont mind waiting a minute to log on - and they get to customise office a bit too [by way of name etc - pointless but hey, some of them might like it hehe]

    If a users profile gets corrupted then no problem - wipe it and it'll get recreated on first logon

    [better than that have to reimage a pc or recreate the network one - imagine the network default user profile not working properly. No one could logon properly lmao]

    Another thought is that if u have a network one - manditory or whatever - then it would still need to transfer to a pc when a user logs on [just like a roaming profile ] unless it doesnt quite work the same.

    Just a few pence there

    Regards
    N.

SHARE:
+ Post New Thread
Page 2 of 5 FirstFirst 12345 LastLast

Similar Threads

  1. Mandatory Profiles
    By jcollings in forum Wireless Networks
    Replies: 7
    Last Post: 9th September 2009, 03:36 PM
  2. Mandatory Profiles and Desktops
    By faza in forum Wireless Networks
    Replies: 14
    Last Post: 19th December 2007, 11:05 AM
  3. Outlook with Mandatory Profiles
    By Zoom7000 in forum Windows
    Replies: 10
    Last Post: 30th May 2007, 12:59 PM
  4. Mandatory Profiles
    By HodgeHi in forum Windows
    Replies: 2
    Last Post: 6th December 2006, 11:56 AM
  5. Cant create Mandatory profiles
    By spike in forum Windows
    Replies: 10
    Last Post: 4th April 2006, 10:42 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •