ravenadsl Posted May 11, 2010

Hi everyone,

I'm currently setting up our shiny new Windows 7 domain. We are almost there, but I have hit a bump in the road. Please help.

I went to create a mandatory profile for our students and copy it to a share like I have always done in Windows XP, and found the button grayed out. After talking to Google I have found Microsoft have disabled this button. I have also found loads of old men moaning about it. Everyone was so busy slating Microsoft I can't find any guides on how I should go about making a mandatory profile.

Please help!

Thanks,

featured_spectre Posted May 11, 2010

We had this, we had to create a new user, and do everything on that user. We copied the profile and overwrote the "default" profile and then copied the default profile to our server and renamed it to Mandatory.V2

Not very in-depth explanation but it is how we did it.

sted Posted May 11, 2010

Download Windows Enabler, then you can make the copy button work like it does in previous versions of Windows.

Windows Enabler 1.1 Download - Freeware Files.com - Utilities Category

ajbritton Posted May 11, 2010 (edited)

This sounds to me like an account security elevation issue. As I'm sure you know, when you run apps in Win7, it runs as a limited user, even if you have local admin rights. The Copy To button is presumably part of the Explorer shell process or is launched by it and therefore runs in the same security context. I've not looked at Windows Enabler, but my guess is that it allows you to use shell features in an elevated context.

EDIT - Ignore all the above. There is more to this than security levels and Windows Enabler does not affect privilege levels.

Also turned up this... The Deployment Guys : Configuring Default User Settings

Edited May 12, 2010 by ajbritton

ravenadsl Posted May 12, 2010 (Author)

> We had this, we had to create a new user, and do everything on that user. We copied the profile and overwrote the "default" profile and then copied the default profile to our server and renamed it to Mandatory.V2 Not very in-depth explanation but it is how we did it.

Thanks nephilim, your "Not very in-depth explanation" worked fine. Thanks!

> Download Windows Enabler, then you can make the copy button work like it does in previous versions of Windows. Windows Enabler 1.1 Download - Freeware Files.com - Utilities Category

That's a nice little tool. This also worked well. It's a bit strange Microsoft just grayed out the button but left behind the code so it still works :S

Thanks for your help guys!

mjs_mjs Posted May 12, 2010

> It's a bit strange Microsoft just grayed out the button but left behind the code so it still works :S

Apple Macs have a right click but they don't come with a mouse that can right click.

ajbritton Posted May 12, 2010

> We had this, we had to create a new user, and do everything on that user. We copied the profile and overwrote the "default" profile and then copied the default profile to our server and renamed it to Mandatory.V2 Not very in-depth explanation but it is how we did it.

Nephilim, how did you copy the profile if the 'CopyTo' button was greyed out? Do you mean you just copied the files? I don't consider myself an expert on profiles on Win 7, but in the XP days, this would not have worked as it would not reset the permissions inside the user registry file NTUSER.DAT. This would mean the group policies would not be applied.

Interestingly, I note that on my home PC (Windows 7 Home Premium), the CopyTo button does become enabled if I select the 'Default Profile' entry. Not sure what this means.

sted Posted May 12, 2010

> Nephilim, how did you copy the profile if the 'CopyTo' button was greyed out? Do you mean you just copied the files? I don't consider myself an expert on profiles on Win 7, but in the XP days, this would not have worked as it would not reset the permissions inside the user registry file NTUSER.DAT. This would mean the group policies would not be applied. Interestingly, I note that on my home PC (Windows 7 Home Premium), the CopyTo button does become enabled if I select the 'Default Profile' entry. Not sure what this means.

Windows Enabler allows you to ungrey the button so it works as in previous versions of Windows.

ajbritton Posted May 12, 2010 (edited)

> Windows Enabler allows you to ungrey the button so it works as in previous versions of Windows.

Indeed, but in Nephilim's first post, he simply said that he copied the profile. He did not say how. I'm concerned that if he simply copied the files, there will be problems further down the line.

I would also sound a note of caution about what Windows Enabler appears to do. There is presumably a reason why the Copy To button is greyed out in some instances. It would seem to me unlikely that the programmers disabled the CopyTo button just to inconvenience everyone. More likely there is a reason for this.

Edited May 12, 2010 by ajbritton

sted Posted May 13, 2010

> Indeed, but in Nephilim's first post, he simply said that he copied the profile. He did not say how. I'm concerned that if he simply copied the files, there will be problems further down the line. I would also sound a note of caution about what Windows Enabler appears to do. There is presumably a reason why the Copy To button is greyed out in some instances. It would seem to me unlikely that the programmers disabled the CopyTo button just to inconvenience everyone. More likely there is a reason for this.

Possibly, but it could just be an oversight, and I have yet to find a better way of doing it reliably.

marekbrad Posted May 13, 2010

How to make mandatory profiles the Microsoft way:

How to customize default user profiles in Windows 7 and in Windows Server 2008 R2

ajbritton Posted May 13, 2010 (edited)

> How to make mandatory profiles the Microsoft way: How to customize default user profiles in Windows 7 and in Windows Server 2008 R2

Props to Marekbrad for sorting this out. I also came across that MS KB article, but did not read closely enough until now. It mentions that the CopyTo button has been deliberately disabled (as I suspected) to avoid problems. As I noted in a previous post though, CopyTo is enabled for the Default User profile, and the MS KB article tells us all we need to know.

In essence then, the 'supported' way of doing things is as follows:

To customize the Default User profile on a Win 7 PC:
1 - Create a local account with admin rights (cannot be a domain account)
2 - Log on to that account and set it up the way you want it
3 - Whilst still logged on, use Sysprep (as detailed in MS KB 973289) to copy the profile to the Default User profile

To make a custom Default User profile for the network:
1 - Make a custom Default User profile on a Win 7 PC (as above)
2 - Log on as a network user with the necessary rights to write to the NETLOGON share
3 - Use the 'Copy To' button to copy the Default User profile to the appropriate folder under NETLOGON (again, as detailed in MS KB 973289)

EDIT - I also note several other threads on EG relating to this, at least one of which mentions reasons why the use of Windows Enabler to force the Copy To button live is not recommended.
http://www.edugeek.net/forums/windows-7/45004-creating-user-profile-use-windows-7-0-a.html#post446895

Edited May 13, 2010 by ajbritton

marekbrad Posted May 14, 2010

@ajbritton .. cheers fella! .. Tested the MS way this am and it works a treat ... don't forget the tricks mentioned in the gotcha post to get folder redirection working properly

CtrlAltDel Posted May 14, 2010 (edited)

Good afternoon,

I also have been messing about with profiles on Windows 7. The problem I'm having is that after a period of time, any Windows 7 machine can randomly deny logon attempts. We'll often end up with certain machines only granting access to certain users. All the users use the same mandatory profile on the server with the .v2 extension on the folder, and when a logon attempt is successful everything appears to work correctly. I've struggled to recreate the problem in testing, and it only appears to occur during the average daily use of the computer.

The server profile was created from a clean domain profile and copied using the Windows Enabler method. I'm running Server 2003 and use the Windows 7 RSAT to administer group policy on the Win 7 machines. I've populated the central store with .admx files and group policy works OK.

If anyone has got any input it'd be much appreciated. I'm guessing it's the profile at fault, possibly not unloading the registry settings properly. My next task would be to try the sysprep profile method, but I'm a little unsure about the unattend.xml file.

Cheers,
Mike

Edited May 14, 2010 by CtrlAltDel (typo)

sted Posted May 14, 2010

I've had that with XP, I think. In that case it just wasn't deleting the local cached copy of the profile. I just wrote a script that at boot up deletes all profiles except mine, default user, all user and any others I need.

chriscubed Posted May 26, 2010

I'm looking into setting up mandatory profiles here, and I'm trying to follow the MS way but I'm having trouble with the unattend.xml file and adding the CopyProfile parameter to it. I have no experience of WAIK before now, could anyone provide detailed instructions on how to generate the Unattend.xml file with the CopyProfile parameter please?

featured_spectre Posted May 26, 2010

Sorry, I haven't reviewed this thread further. I used Windows Enabler to be able to copy the profile.

Dave84 Posted May 26, 2010

> I'm looking into setting up mandatory profiles here, and I'm trying to follow the MS way but I'm having trouble with the unattend.xml file and adding the CopyProfile parameter to it. I have no experience of WAIK before now, could anyone provide detailed instructions on how to generate the Unattend.xml file with the CopyProfile parameter please?

I used this to help me build the unattend.xml to create the default profile.

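Added example, not part of any post in this thread: a minimal answer file carrying the CopyProfile setting asked about above, placed in the specialize pass of the Microsoft-Windows-Shell-Setup component. The amd64 architecture value is an assumption (use x86 on 32-bit Windows 7), and the answer-file path is a placeholder you choose.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the thread. Save as unattend.xml on the reference PC. -->
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <!-- CopyProfile is read during the specialize pass, which runs on the
       first boot after the machine has been generalized by Sysprep. -->
  <settings pass="specialize">
    <!-- processorArchitecture="amd64" is an assumption; it must match the
         installed Windows edition (x86 for 32-bit builds). -->
    <component name="Microsoft-Windows-Shell-Setup"
               processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35"
               language="neutral"
               versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <!-- Copies the profile of the local administrator account that ran
           Sysprep over the Default User profile. Everything left in that
           profile is inherited by every new user, so clear saved
           credentials, browser history and mapped-drive passwords from
           the customizing account before running Sysprep. -->
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
</unattend>
```

Run Sysprep from the customized local administrator account with `/generalize` and `/unattend:<path-to-this-file>`; the setting takes effect only when the machine is generalized.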
stefpronti Posted February 23, 2012

Hi, I had the same problem. I have to set up a PC classroom for students with mandatory profiles without the use of an Active Directory domain server. I needed to set up and customize a LOCAL mandatory profile on a sample machine for replication. I wrote some notes to describe the working solution, in Italian; below is an attempt to translate it (I apologize for my poor English).

1) Log in as a user of group 'Administrators'.
2) From "User Management" create user 'student' with password 'student' and set:
   - Password never expires
   - User cannot change password
3) Start Menu > Change User > log in as user 'student'.
4) "Disconnect".
5) Create a new folder in C:\Users\ and call it with a name like 'bloccato.v2'.
6) Log in as Administrator and copy the profile "DEFAULT" (the default system profile) to the newly created folder using the System Settings menu Advanced > User Profiles Settings > BUTTON "Copy to ...". IMPORTANT! Before you copy, use "Change" to allow the group 'Authenticated Users' use of the new profile. This operation overwrites the entire contents of the folder 'bloccato.v2' with the content of the default profile, but allows 'Authenticated Users' to use it.
7) Menu "User Management" > user "student" > "Profile" - enter in the "Profile Path" box the path of the folder 'bloccato.v2', remembering that the folder must be specified omitting the extension .v2 - so the path becomes C:\Users\bloccato
8) "Switch User".
9) Log in again as "student".
10) Customize the desktop settings, the home page of the browsers, the proxy, and anything else you need blocked.
11) "Disconnect".
12) Go back in as user 'student' and verify that the settings are all stored.
13) Before you continue you should log off and back on several times, opening several applications to make sure they are all properly configured.
14) At this point it is time to change, within the profile folder "bloccato.v2", the filename "ntuser.dat" to "Ntuser.man".
15) "Switch User".
16) DONE! Log in as "student" and try to change some settings - disconnect and go back. The profile "student" is locked!

Further customizations of the mandatory profile can be done by unlocking it, renaming ntuser.man back to ntuser.dat.

I hope this is useful to someone.

Bye,
Stefano

Michael Posted February 26, 2012

Interesting how a lot of us have different methods. This is how I do it:

Create a template account in Active Directory, but with no home directory specified.
Log on as an administrator on a workstation.
Navigate to Control Panel > User Accounts > Configure advanced user profile properties.
Highlight the Default profile and the 'Copy to' button becomes active.
Copy this to your \\SERVERNAME\Profiles$ share, name the profile (randomname) and give Everyone access.
Log off the workstation as an administrator.
Update the template account profile directory in Active Directory so it reads the same (as above) - \\SERVERNAME\Profiles$\randomname
Log on using the template account on a workstation and make the required changes.
Log off the workstation, then return to the server.
On the server navigate to Control Panel > Folder Options > View and untick Hide protected operating system files (Recommended).
Rename the profile ntuser.dat to ntuser.man, then re-tick Hide protected operating system files (Recommended) when finished.
Update other accounts to use the mandatory profile, job complete.

gshaw Posted February 27, 2012 (edited)

I remember reading that unless you do it the MS supported way certain symbolic links and other background pieces stop working properly?

When we do our Windows 7 build I'm thinking of doing this...

- build "Gold" image in VMWare so it's truly hardware-agnostic
- capture to SCCM
- deploy via SCCM with driver packages
- take a snapshot of the VM before making changes
- do all the settings required for mandatory profile
- sysprep etc as per MS documentation
- revert snapshot to "clean" state

Rinse and repeat for as many times as we need to make changes to the profile

Edited February 27, 2012 by gshaw