23rd August 2011, 08:08 PM #1
Mandatory profile and Group Policy Preferences
Hello,
We don't want our Windows7 student lab users to change the desktop
icons, screensaver, or anything else. And if they change it, we want it
reset at next login. They should be able to permanently store files
locally but just in one predefined folder in the root of the hd.
We are going to set up a basic server2008r2 domain.
We may create a single, mandatory "student" profile that would be used
simultaneously by all students. But unfortunately it seems that the
official MS procedure (sysprep) is time consuming and impractical in case
we'd need to modify this default profile later.
Would the best solution be to create a "basic" and un-restricted
mandatory profile and apply a set of group policy preferences to it?
Thanks, Regards
23rd August 2011, 08:10 PM #2
Not quite sure what you mean by reference to sysprep, as that's deploying operating systems, not profiles as such.
Do you really need students to save files "locally", or can they write back to server?
Under what you said, best idea (imo) would be configuring a restricted mandatory profile, and use that for all users. Even with that you can apply GPOs to it, doesn't need to be unconfigured for that.
Steve
23rd August 2011, 08:21 PM #3
I think what you're after is what we've just done - super mandatory profiles.
These delete themselves after logoff so any changes a student makes are not shown at next login.
The super mandatory profile can be kept on a share, then when each user logs in they take a copy to form their local profile. Any changes made to this shared profile then come into effect at the user's next login.
You could implement the shared local store via a shortcut on the start menu.
One thing to note about super mandatory profiles is they can't be cached - so if the share isn't there, you can't login.
23rd August 2011, 09:18 PM #4
I heard Microsoft's recommendation nowadays was to move away from Mandatory profiles and to use roaming profiles with a ton of GPO settings applied, which you may as well follow if it's a brand new domain, IMO.
23rd August 2011, 09:22 PM #5
Originally Posted by
Steve21
Not quite sure what you mean by reference to sysprep, as that's deploying operating systems, not profiles as such.
Do you really need students to save files "locally", or can they write back to server?
Under what you said, best idea (imo) would be configuring a restricted mandatory profile, and use that for all users. Even with that you can apply GPOs to it, doesn't need to be unconfigured for that.
Steve
@Steve21 In fact you're right about sysprep, let's forget it.
They already read/write to our SMB server but they have to be able to save certain huge (yyy MB), non private files to a local folder
("C:\LocalStore").
@steve The network is not that reliable so unfortunately we have to avoid super-mandatory
profiles, a cached copy is important. The shortcut seems a good idea.
23rd August 2011, 09:48 PM #6
Originally Posted by
Blue_Cookeh
I heard Microsoft's recommendation nowadays was to move away from Mandatory profiles and to use roaming profiles with a ton of GPO settings applied, which you may as well follow if it's a brand new domain, IMO.
Yes it's a brand new domain... It would be interesting to know why MS may recommend to move away from mandatory profiles.
It seems that a single mandatory profile would be easier to maintain and have much faster login/logout times than multiple, nominative roaming profiles for a situation like this one.
Last edited by mp12; 23rd August 2011 at 09:51 PM.
23rd August 2011, 10:08 PM #7
The only supported method is to export the default profile from a Windows 7 install, the only supported way to modify this profile is using the sysprep process. I just exported the default profile, then loaded the hive into regedit to modify the keys I needed to set, then unloaded it.
Windows 7 is buggy with mandatory profile, you'll encounter bizarrely long logon times if you are using folder redirection and group policy preferences. Caching the profile should speed things up but you then lose some of the benefit of using the mandatory profile and it doesn't improve the lack of management options.
You can export a normal users profile using something like 'Windows Enabler' or 'Hack UI' to ungrey the copy button but the resultant profile will have incorrect AppData references in it. Depending on what software you are using this may be acceptable to you or you may be able to fix these issues by deleting or correcting the keys.
23rd August 2011, 11:00 PM #8
Originally Posted by
morganw
The only supported method is to export the default profile from a Windows 7 install, the only supported way to modify this profile is using the sysprep process. I just exported the default profile, then loaded the hive into regedit to modify the keys I needed to set, then unloaded it.
Are you referring to this procedure? How to customize the default local user profile when you prepare an image of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2

Originally Posted by
morganw
Windows 7 is buggy with mandatory profile, you'll encounter bizarrely long logon times if you are using folder redirection and group policy preferences. Caching the profile should speed things up but you then lose some of the benefit of using the mandatory profile and it doesn't improve the lack of management options.
Buggy...damn it..
....better use GPO than GPP to speed up logon times then?

Originally Posted by
morganw
You can export a normal users profile using something like 'Windows Enabler' or 'Hack UI' to ungrey the copy button but the resultant profile will have incorrect AppData references in it. Depending on what software you are using this may be acceptable to you or you may be able to fix these issues by deleting or correcting the keys.
We use software such as Autocad, Adobe, probably some keys would need to be fixed....
What about the procedure in this video? Mandatory Profile on Windows Server 2008 R2 - YouTube
24th August 2011, 10:05 AM #9
'Best' practice recommended by MS, and what works well, aren't necessarily the same. We use super MPs, but they weren't built using the Default profile and sysprep, they were made using a modified user profile that was then edited in regedit (ntuser.dat) to allow full access. With this method (and we use folder redirection and GPP) logons on quick machines are around 10 seconds.
24th August 2011, 07:09 PM #10
Originally Posted by
3s-gtech
'Best' practice recommended by MS, and what works well, aren't necessarily the same. We use super MPs, but they weren't built using the Default profile and sysprep, they were made using a modified user profile that was then edited in regedit (ntuser.dat) to allow full access. With this method (and we use folder redirection and GPP) logons on quick machines are around 10 seconds.
Could you give more details on what you are actually changing permissions on? It would be great to have a 10 second logon time!
24th August 2011, 07:12 PM #11 
Originally Posted by
mp12
Yes, this is the only Microsoft supported method.
24th August 2011, 07:16 PM #12 
Originally Posted by
morganw
Could you give more details on what you are actually changing permissions on? It would be great to have a 10 second logon time!
As an admin on the local machine, load ntuser.dat from your customised profile into regedit (File / load hive). Now right click on the root of the hive, and change the permissions so your users have full control. You can make some tweaks in regedit to the entries too if you want, but not necessary really.
Then File / unload hive. Now that ntuser.dat can be read by anyone, it can be used for mandatory profiles, so place the entire profile on a network share with the correct ntfs permissions, and it should work. May take some trial and error, but this is how my separate XP and 7 profiles were built twelve months ago and they work nicely.
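The load-hive / change-permissions / unload-hive sequence described in post #12 can be scripted so it is repeatable every time the profile is rebuilt. The following is an added example and is not code from the thread: it uses reg.exe and the PowerShell Registry provider to do what the post does by hand in regedit. The profile folder C:\Profiles\student.v2 and the mount point HKLM\StudentHive are assumptions of the example, not values from the post. It has to run from an elevated prompt, with no user logged on with that profile and regedit not holding the hive.

```powershell
# Added example (not from the thread): scripted version of the hive-permission
# step in post #12. Assumed paths: C:\Profiles\student.v2 (profile folder) and
# HKLM\StudentHive (temporary mount point). Run elevated.
$ProfileDir = 'C:\Profiles\student.v2'
$HivePath   = Join-Path $ProfileDir 'ntuser.dat'
$MountKey   = 'HKLM\StudentHive'
$KeyPath    = 'Registry::HKEY_LOCAL_MACHINE\StudentHive'

if (-not (Test-Path -LiteralPath $HivePath)) {
    throw "Hive not found: $HivePath"
}

# Keep an untouched copy so a bad ACL change can be rolled back.
Copy-Item -LiteralPath $HivePath -Destination "$HivePath.bak" -Force

# Mount the user hive under HKLM (same as File / Load Hive in regedit).
& reg.exe load $MountKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $acl = Get-Acl -Path $KeyPath

    # Full Control for Authenticated Users on the hive root, inherited by all
    # subkeys. This is the permission the post grants; what stops the changes
    # persisting is the later .man rename / read-only share ACL, not this ACL.
    $ruleArgs = @(
        'Authenticated Users',
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
    $acl.SetAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl

    # Show the resulting rules on the root before unloading, so the change can be checked.
    (Get-Acl -Path $KeyPath).Access |
        Where-Object { $_.IdentityReference.Value -like '*Authenticated Users*' } |
        Format-Table IdentityReference, RegistryRights, InheritanceFlags, IsInherited -AutoSize
}
finally {
    # Always unload, even after an error; otherwise ntuser.dat stays locked and
    # cannot be copied to the share.
    [GC]::Collect()   # release RegistryKey handles PowerShell may still hold on the mounted hive
    & reg.exe unload $MountKey | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; close open handles (or reboot) and retry" }
}
```

The `finally` block matters in practice: if `Set-Acl` throws and the hive is left loaded, the .dat file stays locked until the machine is rebooted, which is the usual cause of "trial and error" when building these profiles.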
25th August 2011, 09:55 AM #13 
Originally Posted by
Blue_Cookeh
I heard Microsoft's recommendation nowadays was to move away from Mandatory profiles and to use roaming profiles with a ton of GPO settings applied, which you may as well follow if it's a brand new domain, IMO.
All very well until you need to have settings that can't be done by GPO... or what about 3rd party software?
Thanks Microsoft for making life awkward... again...
31st August 2011, 09:27 AM #14
Using the sysprep method looks clunky but I guess if you do it with a VM and snapshots you could get sysprepping and reverting back to the image to make changes? Bit clunky but I guess at least it means there's no possibly broken parts in the profile?
23rd February 2012, 09:07 PM #15
Hi,
I had the same problem. I have to set up a PC classroom for students with mandatory profiles without the use of an Active Directory domain server.
I needed to set up and customize a LOCAL mandatory profile on a sample machine for replication.
I wrote some notes to describe the working solution, in Italian; below is an attempt to translate them (I apologize for my poor English).
1) login as a user of group 'Administrators'
2) From the "User Management" create user 'student' with password 'student' and set:
-Password never expires
-User can not change password
3) Start Menu> Change User> log in as user 'student'
4) "Disconnect"
5) Create a new folder in C:\Users\ and call it with a name like 'bloccato.v2'.
6) Login as Administrator and copy the profile "DEFAULT" (the default system profile) to the newly created folder using the System Settings menu Advanced> User Profiles Settings> BUTTON "Copy to ...".
IMPORTANT! Before you copy use the "Change" to allow the group 'Authenticated Users' use of the new profile.
This operation overwrites the entire contents of the folder 'bloccato.v2' with the content of the default profile, but allows 'Authenticated Users' to use it.
7) Menu "User Management"> user "student"> "Profile" - enter in the "Profile Path" box the path of the folder 'bloccato.v2', remembering that the folder must be specified omitting the extension .v2 - so the path becomes C:\Users\bloccato
8) "Switch User"
9) login again as "student"
10) customize the desktop settings, the home page of the browsers, the proxy, and anything else you need blocked.
11) "Disconnect"
12) go back in as user 'student' and verify that the settings are all stored.
13) Before you continue you should Log off and back several times, opening several applications to make sure they are all properly configured.
14) At this point it is time to rename, within the profile folder "bloccato.v2", the file "ntuser.dat" to "Ntuser.man"
15) "Switch User"
16) DONE! login as "student" and try to change some settings - disconnect and go back. The profile "student" is locked!
Further customizations of the mandatory profile can be done by unlocking it, renaming ntuser.man back to ntuser.dat.
I hope this is useful to someone. Bye,
Stefano
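For a lab built the way Stefano describes, the account steps (2 and 7) and the lock/unlock step (14 and the closing note) are the ones that get repeated on every sample machine and every time the profile is reworked, so they are worth scripting. The block below is an added example, not code from the post; it automates only those steps and leaves the GUI-only parts (the "Copy to..." of the Default profile with Authenticated Users granted, and the interactive customisation while logged on as student) as manual work. It uses the post's values ('student' / 'student', C:\Users\bloccato.v2); the function names and the ADSI WinNT approach are the example's own choices. Run it from an elevated prompt while 'student' is logged off.

```powershell
# Added example (not from the thread): scripted account setup and profile
# lock/unlock for the stand-alone mandatory profile described in the post.
# Values from the post: user 'student' / password 'student', folder
# C:\Users\bloccato.v2. Function names and the ADSI approach are assumptions.
$UserName    = 'student'
$Password    = 'student'
$ProfileDir  = 'C:\Users\bloccato.v2'             # folder created in step 5
$ProfilePath = $ProfileDir -replace '\.v2$', ''    # step 7: the .v2 suffix is omitted

# Documented ADS_USER_FLAG bits used by the WinNT provider.
$ADS_UF_PASSWD_CANT_CHANGE = 0x40
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function New-LabUser {
    # Steps 1-2 and 7: local account with "User cannot change password" and
    # "Password never expires", pointed at the profile folder (without .v2).
    $adsPath = "WinNT://$env:COMPUTERNAME/$UserName,user"
    if ([ADSI]::Exists($adsPath)) {
        $user = [ADSI]$adsPath
    } else {
        $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
        $user = $computer.Create('User', $UserName)
        $user.SetPassword($Password)
        $user.SetInfo()
    }
    $flags = [int]$user.InvokeGet('UserFlags')
    $user.InvokeSet('UserFlags', ($flags -bor $ADS_UF_PASSWD_CANT_CHANGE -bor $ADS_UF_DONT_EXPIRE_PASSWD))
    $user.InvokeSet('Profile', $ProfilePath)
    $user.CommitChanges()
    return $user
}

function Test-ProfileReadable {
    # Check for step 6: the "Copy to..." dialog must have granted Authenticated
    # Users at least read/execute on the folder, or the profile cannot be loaded.
    $needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $acl = Get-Acl -LiteralPath $ProfileDir
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like '*Authenticated Users*' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $needed) -eq $needed)
    }
    return [bool]$match
}

function Set-ProfileLock {
    # Step 14 and the closing note: ntuser.man makes the hive mandatory,
    # renaming it back to ntuser.dat unlocks it for further customisation.
    param([Parameter(Mandatory=$true)][bool]$Locked)
    if ($Locked) { $from = 'ntuser.dat'; $to = 'ntuser.man' }
    else         { $from = 'ntuser.man'; $to = 'ntuser.dat' }
    $src = Join-Path $ProfileDir $from
    if (-not (Test-Path -LiteralPath $src)) {
        Write-Warning "$src not found; profile is probably already in the requested state"
        return
    }
    # The hive is hidden+system, hence -Force. A "file in use" error here means
    # someone is still logged on with the profile.
    Rename-Item -LiteralPath $src -NewName $to -Force
    Write-Host "Profile is now $(if ($Locked) { 'LOCKED (mandatory)' } else { 'UNLOCKED (editable)' })"
}

# Typical use on a sample machine, following the numbered steps:
New-LabUser | Out-Null
if (-not (Test-ProfileReadable)) {
    Write-Warning "Authenticated Users cannot read $ProfileDir; redo the 'Copy to...' step with 'Change' set to Authenticated Users"
}
# After customising as 'student' and logging off (steps 8-13):
Set-ProfileLock -Locked $true
# To make further changes later, per the closing note:
# Set-ProfileLock -Locked $false
```

`Test-ProfileReadable` is the check most often skipped: if the folder ACL is wrong, Windows falls back to a temporary profile at logon and the mandatory settings silently never apply, which looks like a "broken profile" rather than a permissions problem.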