  1. #1


    Mandatory profile and Group Policy Preferences

    Hello,
    We don't want our Windows 7 student lab users to change the desktop
    icons, screensaver, or anything else. And if they change it, we want it
    reset at next login. They should be able to permanently store files
    locally, but just in one predefined folder in the root of the hard disk.

    We are going to set up a basic Server 2008 R2 domain.

    We may create a single, mandatory "student" profile that would be used
    simultaneously by all students. But unfortunately it seems that the
    official MS procedure (sysprep) is time consuming and impractical in case
    we'd need to modify this default profile later.

    Would the best solution be to create a "basic" and unrestricted
    mandatory profile and apply a set of group policy preferences to it?

    Thanks, Regards

  2. #2

    Steve21
    Not quite sure what you mean by reference to sysprep, as that's deploying operating systems, not profiles as such.

    Do you really need students to save files "locally", or can they write back to server?

    Under what you said, best idea (imo) would be configuring a restricted mandatory profile, and using that for all users. Even with that you can apply GPOs to it, doesn't need to be unconfigured for that.

    Steve

  3. #3
    steve
    I think what you're after is what we've just done - super mandatory profiles.

    These delete themselves after logoff so any changes a student makes are not shown at next login.

    The super mandatory profile can be kept on a share, then when each user logs in they take a copy to form their local profile. Any changes made to this shared profile then come into effect at the user's next login.

    You could implement the shared local store via a shortcut on the start menu.

    One thing to note about super mandatory profiles is they can't be cached - so if the share isn't there, you can't login.

  4. #4

    I heard Microsoft's recommendation nowadays was to move away from Mandatory profiles and to use roaming profiles with a ton of GPO settings applied, which you may as well follow if it's a brand new domain, IMO.

  5. #5

    Quote Originally Posted by Steve21:
        Not quite sure what you mean by reference to sysprep, as that's deploying operating systems, not profiles as such.

        Do you really need students to save files "locally", or can they write back to server?

        Under what you said, best idea (imo) would be configuring a restricted mandatory profile, and using that for all users. Even with that you can apply GPOs to it, doesn't need to be unconfigured for that.

        Steve
    @Steve21 In fact you're right about sysprep, let's forget it. They already read/write to our SMB server, but they have to be able to save certain huge (yyy MB), non-private files to a local folder ("C:\LocalStore").

    @steve The network is not that reliable, so unfortunately we have to avoid super-mandatory profiles; a cached copy is important. The shortcut seems a good idea.

  6. #6

    Quote Originally Posted by Blue_Cookeh:
        I heard Microsoft's recommendation nowadays was to move away from Mandatory profiles and to use roaming profiles with a ton of GPO settings applied, which you may as well follow if it's a brand new domain, IMO.
    Yes, it's a brand new domain... It would be interesting to know why MS may recommend moving away from mandatory profiles.
    It seems that a single mandatory profile would be easier to maintain and have much faster login/logout times than multiple, nominative
    roaming profiles for a situation like this one.
    Last edited by mp12; 23rd August 2011 at 09:51 PM.

  7. #7
    morganw
    The only supported method is to export the default profile from a Windows 7 install; the only supported way to modify this profile is using the sysprep process. I just exported the default profile, then loaded the hive into regedit to modify the keys I needed to set, then unloaded it.

    Windows 7 is buggy with mandatory profiles; you'll encounter bizarrely long logon times if you are using folder redirection and group policy preferences. Caching the profile should speed things up, but you then lose some of the benefit of using the mandatory profile, and it doesn't improve the lack of management options.

    You can export a normal user's profile using something like 'Windows Enabler' or 'Hack UI' to ungrey the copy button, but the resultant profile will have incorrect AppData references in it. Depending on what software you are using this may be acceptable to you, or you may be able to fix these issues by deleting or correcting the keys.

  8. #8

    Quote Originally Posted by morganw:
        The only supported method is to export the default profile from a Windows 7 install; the only supported way to modify this profile is using the sysprep process. I just exported the default profile, then loaded the hive into regedit to modify the keys I needed to set, then unloaded it.
    Are you referring to this procedure? "How to customize the default local user profile when you prepare an image of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2"

    Quote Originally Posted by morganw:
        Windows 7 is buggy with mandatory profiles; you'll encounter bizarrely long logon times if you are using folder redirection and group policy preferences. Caching the profile should speed things up, but you then lose some of the benefit of using the mandatory profile, and it doesn't improve the lack of management options.
    Buggy... damn it...
    ...better use GPO than GPP to speed up logon times then?

    Quote Originally Posted by morganw:
        You can export a normal user's profile using something like 'Windows Enabler' or 'Hack UI' to ungrey the copy button, but the resultant profile will have incorrect AppData references in it. Depending on what software you are using this may be acceptable to you, or you may be able to fix these issues by deleting or correcting the keys.
    We use software such as AutoCAD and Adobe, so probably some keys would need to be fixed...

    What about the procedure in this video? "Mandatory Profile on Windows Server 2008 R2" (YouTube)

  9. #9

    3s-gtech
    'Best' practice recommended by MS, and what works well, aren't necessarily the same. We use super MPs, but they weren't built using the Default profile and sysprep, they were made using a modified user profile that was then edited in regedit (ntuser.dat) to allow full access. With this method (and we use folder redirection and GPP) logons on quick machines are around 10 seconds.

  10. #10
    morganw
    Quote Originally Posted by 3s-gtech:
        'Best' practice recommended by MS, and what works well, aren't necessarily the same. We use super MPs, but they weren't built using the Default profile and sysprep, they were made using a modified user profile that was then edited in regedit (ntuser.dat) to allow full access. With this method (and we use folder redirection and GPP) logons on quick machines are around 10 seconds.
    Could you give more details on what you are actually changing permissions on? It would be great to have a 10 second logon time!

  11. #11
    morganw
    Yes, this is the only Microsoft supported method.

  12. #12

    3s-gtech
    Quote Originally Posted by morganw:
        Could you give more details on what you are actually changing permissions on? It would be great to have a 10 second logon time!
    As an admin on the local machine, load ntuser.dat from your customised profile into regedit (File / load hive). Now right click on the root of the hive, and change the permissions so your users have full control. You can make some tweaks in regedit to the entries too if you want, but not necessary really.

    Then File / unload hive. Now that ntuser.dat can be read by anyone, it can be used for mandatory profiles, so place the entire profile on a network share with the correct NTFS permissions, and it should work. May take some trial and error, but this is how my separate XP and 7 profiles were built twelve months ago and they work nicely.
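    The hive edit 3s-gtech describes, as an added PowerShell example that is not code from the thread. It loads ntuser.dat the way regedit's "load hive" does, first reports any User Shell Folders values still pointing at the account the profile was copied from (the "incorrect AppData references" morganw warns about; checking that key is my assumption), then grants Authenticated Users full control on the hive root and unloads it. The hive path C:\Profiles\student.v2\ntuser.dat and the template account name 'template' are constructed; run it in an elevated session.

```powershell
# Added example, not code from the thread. Run in an elevated session; the
# profile must not be in use by a logged-on user or 'reg load' fails.
$HiveFile   = 'C:\Profiles\student.v2\ntuser.dat'   # constructed path
$SourceUser = 'template'                             # assumed name of the account the profile was copied from
$Mount      = 'HKU\StudentHive'
$MountPS    = 'Registry::HKEY_USERS\StudentHive'

reg load $Mount $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HiveFile" }

try {
    # 1. Audit. A hive exported from a normal user's profile can carry absolute
    #    paths such as C:\Users\template\AppData\Roaming under User Shell Folders;
    #    every student would then resolve AppData to the template's folder.
    #    Read the raw REG_EXPAND_SZ data so %USERPROFILE% entries are not expanded.
    $key = Get-Item -Path "$MountPS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
    foreach ($name in $key.GetValueNames()) {
        $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ("$raw" -like "*\Users\$SourceUser\*") {
            Write-Warning "Hard-coded profile path in '$name': $raw"
        }
    }
    $key.Close()

    # 2. Permissions. Grant Authenticated Users (well-known SID S-1-5-11) full
    #    control on the hive root, inherited by all subkeys. This is what lets a
    #    student's session write to its own in-memory HKCU; nothing persists
    #    because the file is renamed to ntuser.man and the share stays read-only.
    $sid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $sid, 'FullControl', 'ContainerInherit', 'None', 'Allow'
    $acl  = Get-Acl -Path $MountPS
    $acl.SetAccessRule($rule)
    Set-Acl -Path $MountPS -AclObject $acl
}
finally {
    # Drop PowerShell's handles on the hive first; otherwise 'reg unload'
    # reports "Access is denied" and ntuser.dat stays locked on disk.
    $key = $null; $acl = $null
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg unload $Mount | Out-Null
}
```

    Any warning printed in step 1 is a value to correct (or delete) before the profile is renamed and published, as morganw suggests.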

  13. #13
    gshaw
    Quote Originally Posted by Blue_Cookeh:
        I heard Microsoft's recommendation nowadays was to move away from Mandatory profiles and to use roaming profiles with a ton of GPO settings applied, which you may as well follow if it's a brand new domain, IMO.
    All very well until you need to have settings that can't be done by GPO... or what about 3rd party software?

    Thanks Microsoft for making life awkward... again...

  14. #14
    gshaw
    Using the sysprep method looks clunky but I guess if you do it with a VM and snapshots you could get sysprepping and reverting back to the image to make changes? Bit clunky but I guess at least it means there's no possibly broken parts in the profile?

  15. #15

    Hi,
    I had the same problem. I have to set up a PC classroom for students with mandatory profiles without the use of an Active Directory domain server.
    I needed to set up and customize a LOCAL mandatory profile on a sample machine for replication.
    I wrote some notes to describe the working solution, in Italian; below is an attempt to translate them (I apologize for my poor English).

    1) Log in as a user of the group 'Administrators'

    2) From "User Management" create the user 'student' with password 'student' and set:
    - Password never expires
    - User cannot change password

    3) Start Menu > Change User > log in as user 'student'

    4) "Disconnect"

    5) Create a new folder in C:\Users\ and give it a name like 'bloccato.v2'.

    6) Log in as Administrator and copy the profile "DEFAULT" (the default system profile) to the newly created folder using the System Settings menu Advanced > User Profiles Settings > button "Copy to...".
    IMPORTANT! Before you copy, use the "Change" button to allow the group 'Authenticated Users' use of the new profile.

    This operation overwrites the entire contents of the folder 'bloccato.v2' with the content of the default profile, but allows 'Authenticated Users' to use it.

    7) Menu "User Management" > user "student" > "Profile": enter in the "Profile Path" box the path of the folder 'bloccato.v2', remembering that the folder must be specified omitting the .v2 extension, so the path becomes C:\Users\bloccato

    8) "Switch User"

    9) Log in again as "student"

    10) customize the desktop settings, the home page of the browsers, the proxy, and anything else you need blocked.

    11) "Disconnect"

    12) Go back in as user 'student' and verify that the settings are all stored.

    13) Before you continue you should log off and back on several times, opening several applications to make sure they are all properly configured.

    14) At this point it is time to rename, within the profile folder "bloccato.v2", the file "ntuser.dat" to "ntuser.man"

    15) "Switch User"

    16) DONE! Log in as "student" and try to change some settings, disconnect and go back. The profile "student" is locked!

    Further customizations of the mandatory profile can be done by unlocking it, renaming ntuser.man back to ntuser.dat.

    I hope this is useful to someone. Bye,
    Stefano
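    A check for the result of Stefano's procedure, as an added PowerShell example that is not code from the thread. It confirms that the local mandatory profile is actually in its locked state: the hive is ntuser.man with no ntuser.dat left behind (step 14), the 'student' account's profile path is the folder without the .v2 suffix (step 7), and Authenticated Users have an Allow entry on the folder (step 6). Folder and account names are the ones from the post; the function name Test-MandatoryProfile is mine.

```powershell
# Added example, not code from the thread. Verifies that a local mandatory
# profile built with the steps above is in its locked state. Folder and
# account names are the ones used in the post; step numbers refer to it.
$ProfileDir = 'C:\Users\bloccato.v2'
$Account    = 'student'

function Test-MandatoryProfile {
    param([string]$Dir, [string]$User)
    $problems = @()

    # Step 14: the hive must be ntuser.man. A leftover ntuser.dat usually means
    # the file was copied instead of renamed.
    if (-not (Test-Path (Join-Path $Dir 'ntuser.man'))) { $problems += 'ntuser.man is missing' }
    if (Test-Path (Join-Path $Dir 'ntuser.dat')) { $problems += 'ntuser.dat is still present' }

    # Step 7: the account's profile path is the folder name without the .v2 suffix.
    # The WinNT provider exposes the local account's "User profile" setting as Profile.
    $expected = $Dir -replace '\.v2$', ''
    $adsiUser = [ADSI]"WinNT://./$User,user"
    $actual   = "$($adsiUser.Profile)"
    if ($actual -ne $expected) { $problems += "profile path is '$actual', expected '$expected'" }

    # Step 6: Authenticated Users must be permitted to use the folder. Resolve the
    # well-known SID S-1-5-11 so the check does not depend on the display language.
    $authUsers = (New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')).Translate([System.Security.Principal.NTAccount]).Value
    $allowed = (Get-Acl -Path $Dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $authUsers
    }
    if (-not $allowed) { $problems += "$authUsers has no Allow entry on $Dir (step 6, 'Change' button)" }

    return ,$problems
}

$result = Test-MandatoryProfile -Dir $ProfileDir -User $Account
if ($result.Count -eq 0) { 'Profile is locked and usable by Authenticated Users' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

    Run it as a local administrator on the sample machine before cloning it to the rest of the classroom.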
