Implementing Mandatory Profiles
User profile management can be a complete nightmare for a network administrator. There are literally dozens of ways to manage profiles based on the needs of your particular organization or department. One of the most complicated scenarios to properly administer is a typical lab environment in which you do not want user profiles to be modified at all. Through the use of mandatory profiles this type of profile administration becomes much easier.
For this example we will examine a typical University Campus. This small campus has one hundred computers spread across various labs. These are all Windows XP machines connected to a Windows 2003 domain. These computers are used by students to do research, type papers, and perform various other coursework. Along with these computers there are a total of 2000 students who each have their own unique user account. Our goal is to present each and every student user with the same profile settings, and disregard all profile changes when a user logs out so that they are presented with the same profile as everyone else when they log back in.
Step 1: Setting up the Base Profile
The first thing you will want to do is set up a model profile on a workstation (preferably one identical to the workstations in the lab) that will serve as the profile everyone sees when they log into a computer. Here you will want to make sure you have configured all desktop settings, shortcut icons, and installed printers exactly as they should appear on all other workstations.
Step 2: Copying the Profile to a Server
Once you have your profile set up how you want it, the next step is to copy the profile to a server. It is important that you set the permissions on the folder holding the profile so that all users accessing it will have complete read and write access to it. Once set up, the workstations will pull each user profile from this location. To properly copy this profile to a server, complete the following steps:
- Log in as a user other than the one you used to make your model profile
- Right click My Computer and click Properties
- Click the Advanced tab
- Click Profiles
- Select your model profile and click the Copy to button
- Browse to the location you want to store the profile at
- Click Change under Permitted to Use near the bottom of the window and add the Authenticated Users group
- Click OK
- Exit out of any dialog boxes that may remain open.
Step 3: Making the Profile Mandatory
The next step in creating your profile is the actual process of making it mandatory and therefore unchangeable.
- Browse to the location of your saved profile on the server and locate the NTUSER.dat file (make sure hidden files are set to be visible)
- Rename this file to NTUSER.man
Step 4: Configuring the User Accounts
- Open Active Directory Users and Computers and browse to the location of the user or group of users you wish to assign a mandatory profile to
- Right click the user or group of users and click Properties
- Click on the Profile tab
- In the Profile Path box type the UNC path to the folder where the mandatory profile is located
- Click OK
- Exit Active Directory Users and Computers
With those steps completed you have successfully set up mandatory profiles for your student population. You may now reap the benefits of having a central location to store all of your user profiles so that they can be modified with ease. This also provides a great layer of additional security for your network. Mandatory profiles can also be extended greatly with the use of Group Policy, which is something that I would highly recommend looking into.
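To check the result of Steps 2 through 4 from an administrative workstation, the following PowerShell script is an added example (not part of the original article). It confirms the hive was renamed, lists which identities hold write or delete rights on it so you can compare them with what you granted in Step 2, and reports accounts whose Profile Path does not point at the mandatory profile. The UNC path and OU are placeholders, and the script assumes the RSAT Active Directory module is installed.

```powershell
# Added example: read-only audit of the mandatory profile set up in Steps 2-4.
# $ProfileRoot and $SearchBase are placeholders (assumptions), not values from the article.
param(
    [string]$ProfileRoot = '\\SERVER\Profiles\LabMandatory',
    [string]$SearchBase  = 'OU=Students,DC=example,DC=edu'
)

Import-Module ActiveDirectory   # RSAT Active Directory module must be installed

$man = Join-Path $ProfileRoot 'NTUSER.man'
$dat = Join-Path $ProfileRoot 'NTUSER.dat'

# Step 3: the hive should exist as NTUSER.man and no NTUSER.dat should be left behind.
$hiveOk = (Test-Path -LiteralPath $man) -and -not (Test-Path -LiteralPath $dat)
"Hive renamed to NTUSER.man: $hiveOk"

# Step 2: list every identity allowed to change, delete, or re-permission the hive.
$R = [System.Security.AccessControl.FileSystemRights]
$writeMask = $R::WriteData -bor $R::AppendData -bor $R::Delete -bor
             $R::ChangePermissions -bor $R::TakeOwnership

if (Test-Path -LiteralPath $man) {
    (Get-Acl -LiteralPath $man).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0)
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}

# Step 4: accounts in the OU whose Profile Path does not point at the mandatory profile.
# Trailing backslashes are ignored; an empty Profile Path is reported as a mismatch.
$expected = $ProfileRoot.TrimEnd('\')
Get-ADUser -Filter * -SearchBase $SearchBase -Properties ProfilePath |
    Where-Object { "$($_.ProfilePath)".TrimEnd('\') -ne $expected } |
    Select-Object SamAccountName, ProfilePath
```

The script only reads the file system and the directory; it changes nothing.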





This is great. I previously have wasted hours trying to find this sort of help at the Microsoft website with no luck. I had tried manually copying profiles and then changing the ntuser.dat to .man but the startup menu wasn’t copied. Your help is simple, clear and straightforward. Thanks.
Chris,
I also work for a school district (Ohio) and I found your mandatory profile idea perfect for my school. I will have to wait and implement it next year.
Thanks,
Robert
Hey Chris, that is a great tip there. I will use it once I become admin at my new location.
Is there any way to enforce a mandatory profile on some computers, and allow a standard local or roaming profile on other computers?
This would be useful in a mixed environment where some computers are a standard image for all users (including Staff) while staff are also able to log on to their own machine.
-Matt
Glad I found this; you explained it better than the book.
I just started at a school where I’m the admin and I had never used the profiles before.
Your site is great.
Jonno
Chris, as others have said… super explanation. I have been struggling for several days to implement this. I will use this tomorrow. Does it matter which “group” users are in, DL or GG? Can it be applied easily to a “computer group”? Thanks for taking the time to post.
-Jim
Found that pretty straightforward and it worked for what I needed. Pretty much needed the printers to show up for each AD user. I’ve noticed though that it takes a while to log in, but that might be because of the systems/network I’m testing with. I work for a university which was primarily using Novell and somewhat new to the AD environment.
Thanks again
Setting up, not a problem; I’m here to actually find information. My mandatory profile works perfectly for 700 students, but it has a habit of deleting itself for no reason.
Anyone else finding their mandatory profile vanishing??
Let me know, support@mail.greenfieldschool.net
Thanks
Thanks for this tutorial. It really helped me with an assessment for school.
This was great
The tutorial is very good. Once you make a profile mandatory, then it appears you cannot amend it. I have mandatory profiles that I need to add a printer to and make it the default, do I have to restart from scratch and set up a new profile?