+ Post New Thread
Page 2 of 2 FirstFirst 12
Results 16 to 20 of 20
Windows Thread, Mandatory profile and Group Policy Preferences in Technical; Hi Stefano, i am also planning to use local mandatory Profiles. The Goal is to assign a mandatory Profile to ...
  1. #16

    Join Date
    Jun 2012
    Thank Post
    Thanked 5 Times in 5 Posts
    Rep Power
    Hi Stefano,

    i am also planning to use local mandatory Profiles.

    The Goal is to assign a mandatory Profile to a shared account as described here:

    I found that under some circumstances the history for IE9 would not revert back to the Mandory Profile after logon/logoff.
    Instead before typed URLs for the same User do reappear. This typed URLs remain sticky even after i manually delete the cached Profile(!)

    did you come across a problem like this?

    many thanks


  2. #17

    Join Date
    Jun 2012
    Thank Post
    Thanked 0 Times in 0 Posts
    Rep Power
    Quote Originally Posted by 3s-gtech View Post
    As an admin on the local machine, load ntuser.dat from your customised profile into regedit (File / load hive). Now right click on the root of the hive, and change the permissions so your users have full control. You can make some tweaks in regedit to the entries too if you want, but not necessary really.

    Then File / unload hive. Now that ntuser.dat can be read by anyone, it can be used for mandatory profiles, so place the entire profile on a network share with the correct ntfs permissions, and it should work. May take some trial and error, but this is how my seperate XP and 7 profiles were built twelve months ago and they work nicely.
    One more note on this, the windows 7 profiles have the username hard coded in various places; if you are planning on using the same mandatory profile for multiple users when you load the ntuser.dat registry hive, export it to your desktop as "tempfile.reg" then open this tempfile.reg in notepad and do a search and replace. If the original user that setup the profile was "student123" then search for all instances if "student123" and replace it with %username%. Save the text file before closing it and then double click on the tempfile.reg that you just modified. It should load the changes you made back into the registry hive. unload the registry hive and then you can rename your ntuser.dat back to ntuser.man

  3. #18

    3s-gtech's Avatar
    Join Date
    Mar 2009
    Thank Post
    Thanked 564 Times in 508 Posts
    Rep Power
    This can also be done in regedit itself with Find, by loading the hive. It is a good point though - however some programs may not read %username% correctly. Works for the most part though, i haven't found a fault yet on a broad suite of common educational software.

  4. #19
    gshaw's Avatar
    Join Date
    Sep 2007
    Thank Post
    Thanked 220 Times in 203 Posts
    Rep Power
    Quote Originally Posted by morganw View Post
    The only supported method is to export the default profile from a Windows 7 install, the only supported way to modify this profile is using the sysprep process. I just exported the default profile, then loaded the hive into regedit to modify the keys I needed to set, then unloaded it.

    Windows 7 is buggy with mandatory profile, you'll encounter bizarrely long logon times if you are using folder redirection and group policy preferences. Caching the profile should speed things up but you then loose some of the benefit of using the mandatory profile and it doesn't improve the lack of management options.

    You can export a normal users profile using something like 'Windows Enabler' or 'Hack UI' to ungrey the copy button but the resultant profile will have incorrect AppData references in it. Depending on what software you are using this may be acceptable to you or you may be able to fix these issues by deleting or correcting the keys.
    Interesting, I'm testing Win7 at the moment and have a mandatory profile with folder redirection and various Preferences (printers etc)... from powered off I get to the desktop in just under a minute (so that's BIOS, boot, profile, GPO, GPP etc). Only thing that might be different is that my redirected folder already exists as opposed to being auto-created on logon... not sure how much difference that makes.

    Made our mandatory profile on a VM via the MS-supported method then when I want to make changes I just revert to the snapshot I make before running sysprep, rinse and repeat as many times as you want

    The only thing I do differently to the MS method is I keep the profile machine off the domain (stops accidental contamination with GPOs) and copy the resultant mandatory profile in two stages... first locally to the VM's C: drive then grab it via the admin C$ share. Reason being I found it doesn't like copying up in one stage when not on the domain.

  5. #20

    Join Date
    Mar 2013
    Thank Post
    Thanked 4 Times in 3 Posts
    Rep Power


    Quote Originally Posted by stefpronti View Post
    i had the same problem. I have to set up a P.C. classroom for students with mandatory profiles without the use of an active directory domain server.
    I needed to setup and customize a LOCAL mandatory profile on a sample machine for replication.
    I wrote some notes to describe the working solution, in italian, below an attempt to translate it (i apologize for my poor english)

    1) login as an user of group 'Administrators'

    2) From the "User Management" create user 'student' with password 'student' and set:
    -Password never expires
    -User can not change password

    3) Start Menu> Change User> log in as user 'student'

    4) "Disconnect"

    5) Create a new folder in C:\Users\ and call it with a name like 'bloccato.v2'.

    6) Login as Administrator and copy the profile "DEFAULT" (the default system profile) to the newly created folder using the System Settings menu Advanced> User Profiles Settings> BUTTON "Copy to ...".
    IMPORTANT! Before you copy use the "Change" to allow the group 'Authenticated Users' use of the new profile.

    This operation overwrites the entire contents of the folder 'bloccato.v2' with the content of the default profile, but allows 'Authenticated Users' to use it.

    7) Menu "User Management"> user "student"> "Profile" - enter in the "Profile Path" box the path of the folder 'bloccato.v2' remembering that the folder must be specified omitting the extension. v2 - so the path becomes C:\Users\bloccato

    8) "Switch User"

    9) login again as "student"

    10) customize the desktop settings, the home page of the browsers, the proxy, and anything else you need blocked.

    11) "Disconnect"

    12) go back in as user 'student' and verify that the settings are all stored.

    13) Before you continue you should Log off and back several times, opening several applications to make sure they are all properly configured.

    14) At this point it is time to change, within the profile folder "bloccato.v2" filename "ntuser.dat" in "Ntuser.man"

    15) "Switch User"

    16) DONE! login as "student" and try to change some settings - disconnect and go back. The profile "student" is locked!

    Further customizations of the mandatory profile can be done ulocking it by renaming back ntuser.man to ntuser.dat.

    I hope this is useful to someone. By,
    Sorry to revive this one, but....

    Thanks, this was the only working way i found to get a local mandatory profile on Windows 7, without using AD.

    In the above guide, the only edit i would make is to substitute "Disconnect" for "Log Off" in the early stpes where it is mentioned, the author correctly uses "Log Off" later in the guide.

    Basically my need was to lock down one "guest" account and revert/discard and changes at logoff..i.e.e steadystate style...thanks MS for taking out the guest mode option in the final version of Windows 7!

    So my shared PC setup is for:

    * A static guest account that reverts/discards user changes at logoff - sorted due to above post. I'd tried a few different ways, the above was the winner!

    * A custom "default user" profile for normal user accounts - ability to save etc, usual GPO lockdown - sorted out using the info ive posted below in case it helps others.

    Copy user to default user profile issue on Vista/Windows 7...and solution

    I also found the other issue with Windows 7, not being able to copy over a "templated" user profile over the default user one. In this instance, i used DelProf (Free), from ForensiT Free Downloads

    It allows you to specify the customised profile at the command line, and it copies this over the default user profile, generalising it on the way...

    As has been mentioned here and elsewhere where IT people gather, the only supported MS way is to do it via xml and sysprep as MS says that there are sections fo the profile that arent generalised/cleaned during this copy....stupid MS, rather than fix this, make it harder...

    So ForensiT went and fixed this generalisation/chleaning during copy issue....so far in testing i havent found an issue....and it avoids the sysprep bs...

    Hope the tip about the special ForensiT DelProf helps
    Last edited by stylemessiah; 1st March 2013 at 10:21 AM.

+ Post New Thread
Page 2 of 2 FirstFirst 12

Similar Threads

  1. Group Policy Preferences and IE8
    By Stuart_C in forum Windows Server 2000/2003
    Replies: 2
    Last Post: 12th October 2009, 12:07 PM
  2. Group Policy Preferences
    By cookie_monster in forum Windows Server 2008
    Replies: 9
    Last Post: 4th April 2008, 02:50 PM
  3. Replies: 16
    Last Post: 9th March 2007, 03:03 PM
  4. SIS 900 LAN and Group Policy = BAD COMBO! Help!
    By CM786 in forum Wireless Networks
    Replies: 19
    Last Post: 6th August 2006, 07:20 AM
  5. Mandatory profile and GPO settings
    By windy in forum Wireless Networks
    Replies: 14
    Last Post: 7th April 2006, 11:17 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts