  1. #1

    Join Date
    Apr 2007
    Location
    Bournemouth
    Posts
    72
    Thank Post
    13
    Thanked 4 Times in 2 Posts
    Rep Power
    16

    Local admins and Mandatory Profiles

    (At first posted in networks folder then realized it is more of a windows problem)

    Hello there, first post on the forum so I thought I'd say hello at least. Only just found out about this forum, was posting a little on icttechnician but that site seems to have sadly passed away. Was looking for a bit of advice on a few recent problems.

    I mainly work in primary schools so sometimes I can be a little less strict than maybe I should as it is rare that kids try much. Out of "convenience" (mainly for myself) I have in the last year made mandatory profiles for everyone but also made everyone a local administrator, meaning a lot of the older software does not have a hissy fit. Problem is, some of my schools are more rough than others so the kids will push their luck a lot more. Certain IMs will be installed and be usable and the such with local administrator rights and I feel it is now time to lock down all of my schools.

    Problem is, I have one mandatory profile for all the kids and it works fine when the users are local admins. As soon as I take the privileges away the profile just isn't right. The desktop and start menu icons are not the locked down ones from AD. The profile isn't being picked up or implemented properly. It has to be something security related I'm sure? And I know there are people here who would know how to answer the question.

    So what do I need to do to make mandatory profiles work without users needing to be local admins?

    On a separate note, do you all create images for each new type of desktop or laptop? I have always used a combination of sysprep and Windows repair to make one good image work on all the PCs in my schools. Do you all make a new image or share them where possible? As the one I have not yet managed to make work or found an answer to sorting yet is the HP Nx6325, no matter what I do it will always either blue screen or die in some way, shape or form, even if I remove all hardware, get into safe mode or any tricks that have always worked before. Anyone know any sneaky tricks, or do you all just recreate images?

    Thanks for all your help anything would be hugely appreciated.

  2. #2

    Join Date
    Feb 2006
    Posts
    1,187
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: Local admins and Mandatory Profiles

    Quote Originally Posted by Bobo
    Problem is, I have one mandatory profile for all the kids and it works fine when the users are local admins. As soon as I take the privileges away the profile just isn't right. The desktop and start menu icons are not the locked down ones from AD. The profile isn't being picked up or implemented properly. It has to be something security related I'm sure? And I know there are people here who would know how to answer the question.

    So what do I need to do to make mandatory profiles work without users needing to be local admins?

    It sounds like the registry permissions on the NTUSER.MAN hive file weren't changed to allow other users to use the profile. This is why it only works for local admin. Redo the profile but when you copy it make sure you change the permissions.

  3. #3

    Join Date
    Dec 2005
    Location
    Bradford
    Posts
    10
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Local admins and Mandatory Profiles

    We use one image for single processor PCs and one for dual processor PCs (different HAL). It's easy, you just collect together all the drivers that you need for the different machines in a folder on the hard drive and download and run the Sysprep Driver Scanner from Vernalex.com (it's free). Then you run Sysprep as normal. Once you have ghosted the machine you will be able to use the image on any of your machines.

  4. #4

    Join Date
    Apr 2007
    Location
    Bournemouth
    Posts
    72
    Thank Post
    13
    Thanked 4 Times in 2 Posts
    Rep Power
    16

    Re: Local admins and Mandatory Profiles

    Thanks for the help. One good thing I like about forums like this is the friendliness.

    I do not actually copy the profile into each of the users' directories so only have one profile for all the kids, or a group of kids pointing to the main man profile. Can I still change the permissions without profile recreation and how would I go about doing it? It seems this is something I have completely overlooked so have little knowledge on it so any help would be great.

  5. #5

    Join Date
    Apr 2007
    Location
    Bournemouth
    Posts
    72
    Thank Post
    13
    Thanked 4 Times in 2 Posts
    Rep Power
    16

    Re: Local admins and Mandatory Profiles

    Quote Originally Posted by dodgydave
    We use one image for single processor PCs and one for dual processor PCs (different HAL). It's easy, you just collect together all the drivers that you need for the different machines in a folder on the hard drive and download and run the Sysprep Driver Scanner from Vernalex.com (it's free). Then you run Sysprep as normal. Once you have ghosted the machine you will be able to use the image on any of your machines.
    I think that is the problem with the Nx6325. It is a 64 bit AMD as opposed to a 32 bit Intel, not different HALs in the Windows sense but a different processor, so would that matter? The Nx6325 has a lot of hardware with 3rd party drivers, it could always be any of that causing the problem.

    Is there any way around the different HAL problem though? Could you not make the computer a simple PC before sysprep then clone, then repair it making it back to a better HAL then image again?

  6. #6

    Join Date
    Dec 2005
    Location
    Bradford
    Posts
    10
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Local admins and Mandatory Profiles

    We only have a couple of 64 bit AMD machines on campus and have ended up just creating custom images for them to make our life easier. For everything else we just use the standard images.

  7. #7

    Join Date
    Apr 2007
    Location
    Bournemouth
    Posts
    72
    Thank Post
    13
    Thanked 4 Times in 2 Posts
    Rep Power
    16

    Re: Local admins and Mandatory Profiles

    Ah yeah, that is the direction we have had to take at a few schools, just don't want to work those 64 AMDs, so am recreating them as we speak. Was just hoping and wishing someone would say "no, don't recreate the images, I have a foolproof solution" but no such luck.

    Still though, anyone know how to change hive permissions on a profile after it has been created and used as a mandatory profile?

  8. #8

    Join Date
    Apr 2007
    Location
    Bournemouth
    Posts
    72
    Thank Post
    13
    Thanked 4 Times in 2 Posts
    Rep Power
    16

    Re: Local admins and Mandatory Profiles

    Did some research and worked out the hive permission problem, thanks everyone. Still though, if anyone has any more light on AMD 64s with Intel 32s I would be much appreciated knowing.

  9. #9

    Join Date
    Feb 2006
    Posts
    1,187
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: Local admins and Mandatory Profiles

    Quote Originally Posted by Bobo
    I do not actually copy the profile into each of the users' directories so only have one profile for all the kids, or a group of kids pointing to the main man profile. Can I still change the permissions without profile recreation and how would I go about doing it? It seems this is something I have completely overlooked so have little knowledge on it so any help would be great.
    A copy of the mandatory profile is cached/copied to the PC the student is on when they log in. That's how changes are obliterated from session to session.

    You could use either the programs regedit or SubInAcl.exe or SetACL to change registry permissions. SubInAcl is a Microsoft download and I think SetACL is open source, available at sourceforge.net

    It will probably be a bit fiddly to retrospectively change user hive registry permissions. You have to load NTUSER.MAN into HKUSERS then make the required changes and (never forget to) unload it again.

    It is much easier to create a test account on a clean machine and configure the profile to how it would appear to the users. After this is done just copy the profile to a central location using the profiles screen from the Advanced tab of the System Properties dialog (Control Panel or press Win+Pause). Make sure the Permitted to Use field is set to Authenticated Users.

  10. #10

    Join Date
    Apr 2007
    Location
    Bournemouth
    Posts
    72
    Thank Post
    13
    Thanked 4 Times in 2 Posts
    Rep Power
    16

    Re: Local admins and Mandatory Profiles

    After some research I loaded the ntuser.man into hkusers in the registry. I then right clicked the whole profile while loaded and allowed "everyone" to be read only. I then unloaded the hive again. It wasn't that fiddly as I was only changing one user profile.

    But still when I log in everything isn't right still.

  11. #11

    Join Date
    Feb 2006
    Posts
    1,187
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: Local admins and Mandatory Profiles

    Quote Originally Posted by Bobo
    After some research I loaded the ntuser.man into hkusers in the registry. I then right clicked the whole profile while loaded and allowed "everyone" to be read only. I then unloaded the hive again. It wasn't that fiddly as I was only changing one user profile.

    But still when I log in everything isn't right still.
    You should give Everyone full permission. If you only give students read-only access to the mand hive then GPOs can't be applied because the student can't make changes to their downloaded copy of the NTUSER.MAN.

    Mandatory profiles ignore user-made changes because unlike a roaming profile those changes aren't copied back to the server.

    You did also remember to unload the hive? Regedit doesn't do this automatically. If a hive is still loaded then it is effectively locked and can't be used by a user. That's a nice little gotcha courtesy of our friends in Redmond, WA.
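
The load, change, unload sequence from posts #9 and #11, as an added PowerShell example that is not part of any post in this thread. The hive path and the mount name are hypothetical placeholders, the principal defaults to the group post #9 names, and the script assumes an elevated prompt because `reg load` needs administrative rights.

```powershell
# Added example: the path, mount name and defaults below are assumptions.
param(
    [string]$HivePath  = '\\SERVER\profiles$\pupils.man\NTUSER.MAN',  # hypothetical location
    [string]$MountName = 'MandTemp',               # temporary key name under HKEY_USERS
    [string]$Principal = 'Authenticated Users',    # post #11 suggests Everyone instead
    [ValidateSet('ReadKey', 'FullControl')]
    [string]$Rights    = 'FullControl'             # post #11: read-only access was not enough
)

# Mount the offline hive under HKEY_USERS.
& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

try {
    $keyPath = "Registry::HKEY_USERS\$MountName"
    $acl = Get-Acl -Path $keyPath

    # Record the ACL as it was before touching it.
    $acl.Access | Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited

    # Allow ACE on the hive root. ContainerInherit lets subkeys that inherit
    # pick it up; subkeys with protected ACLs keep their own permissions.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Principal,
        [System.Security.AccessControl.RegistryRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AccessControlType]'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl

    # Read the ACL back to confirm the entry was written.
    (Get-Acl -Path $keyPath).Access |
        Where-Object { $_.IdentityReference -like "*$Principal" } |
        Format-Table IdentityReference, RegistryRights, AccessControlType
}
finally {
    # Always unload: a hive left mounted stays locked and the profile cannot load.
    # Drop references to the key first, or the unload fails with access denied.
    $acl = $null
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Hive still loaded at HKU\$MountName; unload it manually." }
}
```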

  12. #12

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,067
    Thank Post
    209
    Thanked 430 Times in 310 Posts
    Rep Power
    144

    Re: Local admins and Mandatory Profiles

    Make sure the directory or share you're actually hosting the mandatory profile in has the correct read permissions as well, and also the actual user.man file. Silly point, which I expect you've realised already, but thought I'd suggest it all the same.

    Mike.

    edit: thinking about this, you'd get a glaring big error if this was wrong, so ignore the above.

  13. #13

    Join Date
    Apr 2007
    Location
    Bournemouth
    Posts
    72
    Thank Post
    13
    Thanked 4 Times in 2 Posts
    Rep Power
    16

    Re: Local admins and Mandatory Profiles

    I gave them full control but still the profile isn't the same... very odd. Doesn't seem to be working

  14. #14

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,067
    Thank Post
    209
    Thanked 430 Times in 310 Posts
    Rep Power
    144

    Re: Local admins and Mandatory Profiles

    Have you made sure you've removed all traces of old profiles from the machine you're testing it on, to make sure it can't be using an old copy of the profile that might be remaining on the workstation? There's a little utility called DELPROF in the Windows resource kit (I think) that removes all profiles from a workstation.

    Mike.

  15. #15

    Join Date
    Apr 2007
    Location
    Bournemouth
    Posts
    72
    Thank Post
    13
    Thanked 4 Times in 2 Posts
    Rep Power
    16

    Re: Local admins and Mandatory Profiles

    Right, I thought, scrap it and start from the start:

    So I created a new account, let's call it X. Gave it admin rights to start with and created the profile and changed all the settings. Then logged out and gave X normal rights, logged in and it was super duper working with all the normal shortcuts as the account should be.

    Made X profile sharable to Y account. Went into the registry and changed the hive privileges to everyone with full control. Logged in with Y and the desktop and start menu have twice the shortcuts they should.

    Any ideas? FYI I use ranger as a lockdown with GPOs.
