We are in the process of moving away from winsuite to a mandatory desktop. We are using folder redirection on user My Documents and App Data. These both work.
The issue is adding the mandatory desktop to the user's account. I have followed Microsoft documentation on how to create it and on renaming the ntuser.dat to ntuser.man. I have added it into the user properties, but this doesn't work.
I have also tried to add it into the desktop part of the folder redirection in GPO. This still doesn't work. I have looked through countless forums on the net and they all say it should work, but it doesn't.
When you say mandatory desktop do you mean profile as in users can't change settings etc or a desktop that has set shortcuts etc on and can't be modified by the user?
It is a desktop with set shortcuts so that the user can't change it.
You need to save the profile that you have made mandatory on a network share that the users have read access to, then set the path to this share as their profile path in AD, as you would with a roaming profile.
You can redirect the Start Menu and Desktop folders separately in Group Policy in the same way as My Documents and App Data, and customise them as you need.
Easiest way is to set up a test user with the profile path you want to use for the mandatory profile. Give the user admin rights and log on with it. It will create a profile in the specified location. Log off, and change the user's permissions back. Meanwhile, browse to the newly created .DAT file and rename it .MAN.
Combined with your redirection settings you should now have a mandatory profile ready to use.
I have put the mandatory on a network share with read access. I have changed it from .dat to .man.
Am I right in thinking that if I redirect the desktop to the mandatory profile folder\desktop this will put all the folders / shortcuts on the desktop?
Also, when I add the path to the profile for a test user, it defaults the My Documents to the local machine\documents and settings folder. Am I missing something else?
If you have not moved the desktop folder from its default location within the mandatory profile folders then you do not need to specify any folder redirection.
You can redirect the desktop to any location you wish. The desktop folder only contains shortcuts that you would want to appear on the users' desktops. If you don't want them to make changes, only give them read permissions on the folder and turn off active desktop and so on. To achieve this you do not necessarily need to worry about a mandatory profile.
You only put the path to the .MAN into the Profile Path of the user details in Active Directory. It does not need to affect the desktop redirection. If the entire profile is stored in this location just as it was created (all folders are in the default locations) then you can specify the path in the user details in AD, and you do not need to redirect the desktop folder.
The advantage to using a redirected folder is that you can modify it on the fly, and the changes are instant, rather than requiring the users to log off and back on.
Hope that helps.
Originally Posted by alexsanger
The disadvantage to using a redirected folder is that you can modify it on the fly, and the changes are instant, rather than requiring the users to log off and back on.
Scenario: using a DFS based shared desktop, somebody forgot to tie down the security permissions to read only on a new replica added into the DFS. It didn't take long for students to discover that, sometimes after logging in (i.e. when they were directed to that particular DFS replica), they had write access to the desktop. On saving an MP3 there, suddenly it appeared on an awful lot of desktops! Other files then followed with, let's say, some "creative" filenames which soon led to complaints.
Luckily we were using push replication from the master share so they didn't do any permanent damage, and the "file owner" tab proved very useful ;)
Thanks for the chuckle - it would be nice if DFS could be set to propagate NTFS permissions based on the namespace or replication settings though. (Unless it can and I don't know...).
I think 2008R2 provides more features (such as ABE enabled DFS) but I was unable to pursue such a setup as our forest functional level is too low at the moment. Hopefully setting the NTFS/share settings can be set centrally too and will propagate through to all replicas - definitely something I'd like to see, but I don't know if that's there either at the moment.
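The permission drift in the DFS scenario above (one replica of a shared desktop left writable) can be caught by auditing the NTFS ACL on every replica. The script below is an added example, not code from any poster in the thread; the server names, share names and the allowed-writer list are hypothetical placeholders.

```powershell
# Added example: replica paths and the allowed-writer list are hypothetical placeholders.
$Replicas       = @('\\FS01\SharedDesktop$', '\\FS02\SharedDesktop$')  # first entry = master share
$AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# Rights that let a user add, change or delete desktop items, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits some ACEs carry.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

function Get-UnexpectedWriter {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    # Keep only Allow ACEs that grant a write-capable right to a principal
    # outside the allowed-writer list.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $AllowedWriters -notcontains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $WriteMask) -ne 0
    } | Select-Object @{n='Replica';e={$Path}}, IdentityReference, FileSystemRights, IsInherited
}

$findings   = @()
$masterSddl = $null
foreach ($replica in $Replicas) {
    try {
        $findings += @(Get-UnexpectedWriter -Path $replica)
        # Compare each replica's DACL with the first readable one to spot drift.
        $sddl = (Get-Acl -Path $replica -ErrorAction Stop).GetSecurityDescriptorSddlForm('Access')
        if ($null -eq $masterSddl) { $masterSddl = $sddl }
        elseif ($sddl -ne $masterSddl) { Write-Warning "ACL on $replica differs from the master share" }
    } catch {
        Write-Warning "Could not read ACL on ${replica}: $($_.Exception.Message)"
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    exit 1    # non-zero exit so a scheduled task or monitor can alert
}
Write-Output 'No unexpected write access found on any replica.'
```

This checks NTFS ACEs on the share root only; share-level permissions are a separate layer and need their own check.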