Mandatory Profiles


Revision as of 02:53, 23 June 2008 by SYNACK (Talk | contribs)


Mandatory Profiles Infrastructure

Mandatory Profile Manager Account

  • Log on to the server as Administrator and create a user account in Active Directory called MPM (Mandatory Profile Manager) with no entry for Profile Path.

Server Infrastructure

  • Log on to the server as Administrator
  • Create folder D:\MandatoryProfiles
  • Share the folder as MandatoryProfiles$ and set share permissions to Everyone: Full Control
  • Set NTFS folder permissions on D:\MandatoryProfiles as follows:
    • Administrators: Full Control
    • SYSTEM: Full Control
    • MPM: Full Control
    • Everyone: Read & List
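The share and permission steps above, scripted in PowerShell as an added example (not from the original page). It assumes it runs elevated on the file server, that net share and icacls are available, and that the MPM account lives in a domain called DOMAIN (a placeholder).

```powershell
$Root  = 'D:\MandatoryProfiles'
$Share = 'MandatoryProfiles$'
$MPM   = 'DOMAIN\MPM'    # placeholder domain name

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Share permission: Everyone Full Control. The NTFS ACL below is the real access control.
net share "$Share=$Root" /GRANT:Everyone,FULL /REMARK:"Mandatory profiles" | Out-Null

# NTFS: drop the entries inherited from D:\ so nothing broader leaks in, then grant exactly
# the four entries from the list. (OI)(CI) applies each entry to files and subfolders; RX is
# icacls' "Read & Execute", which includes listing folder contents.
icacls $Root /inheritance:r `
    /grant "Administrators:(OI)(CI)F" `
           "SYSTEM:(OI)(CI)F" `
           "${MPM}:(OI)(CI)F" `
           "Everyone:(OI)(CI)RX" | Out-Null

# Check: only Administrators, SYSTEM and MPM should hold any write right. If Everyone (or a
# user group) could write here, users could edit their own "mandatory" hive before logon.
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write
$writers = (Get-Acl -LiteralPath $Root).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $writeBits) } |
    ForEach-Object { $_.IdentityReference.Value }
"Identities with write access to ${Root}: $($writers -join ', ')"
```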


Creating Mandatory Profiles

  • Log on to the server as Administrator
  • Check that the MPM user account has no entry in Profile Path
  • Select a PC where MPM has no local profile
  • Log on to the PC as MPM and make any initial settings required
  • Log off the PC
  • Log on to the PC with an account with local and network admin status (eg domain Administrator)
  • Use the Windows interface to copy the local MPM profile to \\(servername)\MandatoryProfiles$\(new profile name) (eg \\MyServer\MandatoryProfiles$\Profile1), remembering to assign access to Everyone. (You need to use the copy profile function from My computer, Properties, Advanced, User Profiles Settings, (select the profile), Copy To.)
  • Log on to the server as Administrator
  • Navigate to D:\MandatoryProfiles\(new profile name) (eg D:\MandatoryProfiles\Profile1) and rename NTUSER.DAT to NTUSER.MAN (make sure you rename NTUSER.DAT and not NTUSER.DAT.LOG - this is an easy mistake to make if Explorer is set to hide file extensions of known file types)


Assigning Mandatory Profiles to Users

  • Log on to the server as Administrator
  • Go to Active Directory Users & Computers and locate the user to whom you wish to assign the mandatory profile
  • Modify the user's Profile Path to \\(servername)\MandatoryProfiles$\(profile name) (eg \\MyServer\MandatoryProfiles$\profile1)
  • Close the properties dialog box
  • To test the assignment, log on to a PC as the user with the mandatory profile, make some environment changes (eg Wallpaper) then log off. Log back on again as the user and the changes should disappear.

Managing an existing Mandatory Profile

Simple Changes

  • If all you need to do is add shortcuts to the Desktop or Start Menu, then this is possible by simply dragging and dropping shortcuts into the appropriate folders in D:\MandatoryProfiles\(profile name)\Desktop or \Start Menu

Complex Changes

  • Navigate to D:\MandatoryProfiles
  • Make a copy of the folder containing the profile you wish to edit (e.g. 'AllStudents' to 'Copy of AllStudents')
  • In the copy folder, rename NTUSER.MAN to NTUSER.DAT
  • Modify the MPM user account properties and set Profile Path to \\(servername)\MandatoryProfiles$\(name of copy) e.g. '\\(servername)\MandatoryProfiles$\Copy of AllStudents'
  • Log on to a PC as MPM
  • Make changes to the profile
  • Log off the PC
  • Make a backup copy of the original profile (e.g. AllStudents to 'Backup of AllStudents')
  • Delete the original profile folder
  • Rename the edited profile folder to be the original (e.g. 'Copy of AllStudents' to 'AllStudents')
  • **IMPORTANT** In the profile folder, rename NTUSER.DAT to NTUSER.MAN
  • Test the profile changes by logging on as a user with the mandatory profile assigned.
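The file-system and Profile Path steps of Creating, Assigning and Complex Changes, scripted in PowerShell as an added example (not from the original page); the logons as MPM stay manual. It assumes the ActiveDirectory module (RSAT) is available and uses MyServer as a placeholder server name.

```powershell
Import-Module ActiveDirectory
$Root  = 'D:\MandatoryProfiles'
$Share = '\\MyServer\MandatoryProfiles$'   # MyServer is a placeholder

# Rename the hive by exact name, so NTUSER.DAT.LOG can never be picked up by mistake.
function Rename-ProfileHive {
    param([string]$Folder, [ValidateSet('DAT','MAN')][string]$To)
    $from = if ($To -eq 'MAN') { 'NTUSER.DAT' } else { 'NTUSER.MAN' }
    $hive = Get-ChildItem -LiteralPath $Folder -Force | Where-Object { $_.Name -ieq $from }
    if (-not $hive) { throw "$from not found in $Folder (already renamed?)" }
    Rename-Item -LiteralPath $hive.FullName -NewName "NTUSER.$To"
}

# "Assigning Mandatory Profiles to Users": refuse to assign a profile that is still editable.
function Set-MandatoryProfile {
    param([string]$User, [string]$Name)
    if (-not (Test-Path -LiteralPath (Join-Path $Root "$Name\NTUSER.MAN"))) {
        throw "$Name has no NTUSER.MAN, so it is not a mandatory profile yet"
    }
    Set-ADUser -Identity $User -ProfilePath "$Share\$Name"
}

# "Complex Changes", part 1: make an editable copy and point MPM's Profile Path at it.
function Start-ProfileEdit {
    param([string]$Name)
    $copy = "Copy of $Name"
    Copy-Item -LiteralPath (Join-Path $Root $Name) -Destination (Join-Path $Root $copy) -Recurse
    Rename-ProfileHive -Folder (Join-Path $Root $copy) -To DAT
    Set-ADUser -Identity MPM -ProfilePath "$Share\$copy"
    "Now log on to a PC as MPM, make the changes, log off, then run Complete-ProfileEdit '$Name'."
}

# "Complex Changes", part 2: back up the original, swap the edited copy in, re-lock it, and
# clear MPM's Profile Path again (the check at the start of "Creating Mandatory Profiles").
function Complete-ProfileEdit {
    param([string]$Name)
    $orig = Join-Path $Root $Name
    Copy-Item -LiteralPath $orig -Destination (Join-Path $Root "Backup of $Name") -Recurse
    Remove-Item -LiteralPath $orig -Recurse -Force
    Rename-Item -LiteralPath (Join-Path $Root "Copy of $Name") -NewName $Name
    Rename-ProfileHive -Folder $orig -To MAN          # the **IMPORTANT** step
    Set-ADUser -Identity MPM -Clear profilePath
    if (-not (Test-Path -LiteralPath (Join-Path $orig 'NTUSER.MAN'))) { throw 'Profile was not locked' }
}
```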

Super mandatory Profiles

Mandatory profiles can be made into 'super mandatory profiles' by naming the profile with a .man extension (e.g. 'AllStudents.man') and modifying the profile path on user accounts accordingly. When a user account is configured to use a super mandatory profile and the profile is unavailable, then the user will not be able to log on. This may help when users attempt to bypass restrictions in their mandatory profile by disconnecting the network cable during logon.

Questions

  • How do you deal with redirected Start Menus for several configurations?
  • If I set mandatory profile and checked NOT to delete cached roaming profiles on the client PC and disable slow link detection [see this thread: [Link] ] - it should log in very fast - correct? :)
  • In step 1, what sort of user should this be? - needs to have local admin rights to make some programs run, I copy a local profile across to default to achieve this - is that a problem?
  • Does the local profile take precedence over any central profile? - If I set a local proxy for example, it overrides server Group Policy settings.

Answers

  • You could have a different OU for each configuration, then (using loopback processing), set a different redirection policy for each OU. Personally, I don't redirect Start Menus. My locked down users have mandatory profiles with basically empty Start Menus. Then when they log on, a logon script determines which OU the computer account is in and copies down the appropriate shortcuts for their PC. It's complicated but quite flexible.
  • No - the profile is always copied down from the server to the client, whether it's mandatory or roaming, and removed at log off. There is no speed benefit. Profiles are only copied down from the server if they are deemed to be more up to date than a local cached copy. If the policy option to delete cached copies of roaming profiles is NOT set, then PCs WILL retain cached copies of roaming/mandatory profiles and will NOT download from the network copy.
  • My MPM account does not have any special access rights on the PC. I only use it to update the profile, and the necessary access for this is set on the server.
  • Mandatory profiles cannot be updated, so even if a copy is cached locally, nothing can change it. However, if there are machine policies that override user settings, then these would apply.