Mandatory profile and GPO settings

[windy]

I'm trying to test mandatory profiles at present we run roaming profiles. I've created a test ou with a test user in it. Created a mandatory profile by copying a local account from a machine etc etc. Point the users profile to the mandatory profile works fine. Add our standard gpo's to the ou and it all goes wrong. None of the GPO settings are applied you get a machine with no restrictions. Remove the mandatory profile from the user and the GPO settings are applied. It's only when you put the two together it all goes wrong. HELP!

[Quackers]

You cannot have mandatory profiles and GPO's. Windows DOES NOT apply them when its a user.man and not a user.dat. A pain i know, as i had this problem. What is it your trying to achieve with the mandatory profiles?

[ChrisH]

I have a mandatory profile running for one year as it was a quick solution to get their DreamWeaver site setup and stay there and that is locked down by GPOs no problem. Are you talking about a Man profile thats been locked down through the registry?

[eejit]

You can definitely run mandatory profiles and GPOs together. Policies are applied in this order I believe
Local Policies >> Mandatory profiles >> Group policies

i.e If there is a setting that is in a mandatory profile AND a GPO, then the Group Policy would "win"

[NetworkGeezer]

Add our standard gpo's to the ou and it all goes wrong. None of the GPO settings are applied you get a machine with no restrictions. Remove the mandatory profile from the user and the GPO settings are applied. It's only when you put the two together it all goes wrong. HELP!

I hope chaneg the registry permissions on the user hive before copying the profile to the server.

[windy]

Add our standard gpo's to the ou and it all goes wrong. None of the GPO settings are applied you get a machine with no restrictions. Remove the mandatory profile from the user and the GPO settings are applied. It's only when you put the two together it all goes wrong. HELP! evil

I hope chaneg the registry permissions on the user hive before copying the profile to the server.

I copy the profile from the local machine using the copy profile from the advanced functions on the local machine. Can you just enlighten me on the user hive bit please.

[eejit]

That sounds right Windy. Something else must be wrong. Are there event log errors on the local machine? Also, have you ran the "group policy results wizard", that can throw up some interesting pointers.

[NetworkGeezer]

I copy the profile from the local machine using the copy profile from the advanced functions on the local machine. Can you just enlighten me on the user hive bit please.

The user hive is the section of the registry that settings of the currently logged on user (HKCu) is stored. This normally saved as ntuser.dat in the profile.

The above was just me asking in a round about way if you had changed the permitted use to Everyone or Authenticated Users.

If you are using someone elses's profile and only they have permissions to use it then you can't make any changes to HKCU and so per user GPOs won't take effect.

[eejit]

Windy, as NetworkGeezer is saying, when you copy the profile from the advanced tab do you alter the "permitted to use" box to "Everyone"?

[DMcCoy]

you can use groups other than everyone. I just use 'students' for mine, as all students are in this group. I dislike using the everyone setting for permissions.

[windy]

OK I've made a test bed server 2003 and a xp prof client. But I get the same outcome GPO fine, mandatory profile fine put the two together and it all goes wrong! I've cleared down the event viewer on the local machine and I get two errors after trying to log on.

The group policy client-side extension folder redirection failed to execute.Please look for any errors reported earlier

and

Unable to apply folder redirect policy, initiaization failed.

[eejit]

It could be the permissions of the policy itself (who is allowed to run it?) or the permission of the redirected folder. (Pupil doesn't have access to it.)

[Geoff]

Your not setting Application folder redirection and IE settings at the same time are you?

[windy]

Your not setting Application folder redirection and IE settings at the same time are you? )

No I'm trying to redirect the start menu and my docs.

[ajbritton]

Have you created the folders on the server ahead of time or are you letting Windows create them as and when the user logs on. Microsoft reccomend the latter, but the permissions on the parent folders must be correct.

E.g. If you are redirecting to \\server\userfolders\%username%\My Documents

The permissions on the folder that hosts the userfolders share must be as follows;

Administrators: Full Control (This folder, subfolders & files)
System: Full Control (This folder, subfolders & files)
CREATOR OWNER: Full Control (subfolders & files only)
Authenticated Users: Special (Traverse Folder, List Folder, Read Attributes, Read Extended Attributes, Create Folders, Read Permissions) (This folder only)

These permissions will allow windows to create folders for your users which they then become the owners of. You may like to read the Wiki How To section on roaming profiles...