Creating mandatory profiles Windows 2003

Roaming Profiles are useful when users often change their computer. Using Roaming Profiles, the customized user settings the users created on one machine are automatically placed on and displayed at any network computer they log on to.

A roaming profile can be created if you have an Active Directory network. To keep the user profile folders and files centrally, we need a shared folder.

It can be on your Domain Controller or on your File Server. Here I am going to create it on the Domain Controller itself. To share the folder, right click the folder and select properties from the context menu. Click the "Sharing" tab.

Now the official way to get a mandatory profile is this. There are shortcuts like using Windows Enabler or a manual copy with reg permission changes, but no matter what people say on here they don't always work properly.

Create an unattend. Use Windows System Image Manager for this by downloading the Win 7 AIK - for this I am assuming you will find out how it works elsewhere. On restart, log in as domain admin and then go to advanced system properties, user profiles, and click on default profile.

Then press copy to and choose location as before. Rename folder if on a share to folder name. If you don't do this your user experience will fail. Change ntuser.

It is important to note that if you expect a user to have a mandatory profile for XP and Win 7 simultaneously you must make the profile share location the same folder name as each other but the Win7 folder should have the. Mandatoryprofile for XP profile and mandatoryprofile. This applies to network share using AD only. Modify users' AD properties using ADModify for bulk edits to UNC location and delprof the same as before.

If wanting user to have both XP and Win7 mandatory profile, enter the location of the XP profile in the AD profile properties tab. By the way, mandatory profiles will not allow a user to save any settings on log off. So every time they log in it will be as it was the very first time, thus achieving your goal.

Dear All, I have a group of users on my domain that I would like to set up to have temporary profiles when they log onto the computer.

For XP you need to do the following: Create a local user account on the workstation and give it local admin rights. Then once done, log off the user and then log back in just to test everything is OK. Once happy, log back off and log on as domain admin. Go to system properties and click the advanced tab.

In order to do this, there are two steps. We need to adjust the Registry permissions so that users can write to these values, and we need to overwrite the State value at logoff.

Therefore for the duration of the session we leave the profile type as local and only adjust this once the user has finished their session. With regards to setting the Registry values, people worry that opening them up is a security risk. You may want to run it by your security teams, but I think the settings I have configured below are pretty low risk, in all honesty. Once this GPO is applied to your machines, domain-authenticated users will now have access to be able to write the State value in this key.

This is simple enough, even for a PowerShell failure like myself. A mandatory profile is treated as a roaming profile, so this setting ensures that it is purged correctly. The only other consideration to take into account is whether unsigned scripts are being allowed to run on the system or even if your users are allowed to run PowerShell at all! This works really reliably, is able to be targeted to specific users and groups, and is pretty simple to set up.

However, it does mean your users will need to be able to run PowerShell scripts. Simply save this as a. The other option is not to try and fool the OS into removing the profile and just remove it somehow after the user has finished their session. There is a great tool called delprof2. Obviously, if you just have specific devices where you want to enforce this behaviour, then you could simply configure this for all users and have done with it, but given that mandatory profiles are generally applied on the user object, we have approached this from a user-driven scope.

The problem is if you want to delete the profile rather than urging the OS to do it for you, you need to tell it which user profile(s) to delete. We need to call delprof2 from a command script. We are going to use net group to query the membership of the AD security group you want this to operate on. As net group has such a hideous output, we will have to do some serious parsing to tidy this up. Save this script as a Windows command script and store it somewhere on the target devices.

Next, we need to set up a Scheduled Task to execute at user logoff time. We also need to set the task to run with administrative privileges and run whether a user is logged on or not. With this in place, at every logoff, the script will iterate through the members of the AD group and delete the profiles of any of those users if they are found on the device.

Essentially, replicating your mandatory profile behaviour. This is also nice and simple to set up and works really well, but the drawback is you have to get delprof2 out to all your machines somehow. Mandatory profiles relied on AD user object settings (annoying to maintain), or GPOs applied to devices (annoying because they applied to all users on the device, including administrators). As to which method is best, the choice is yours.

Sooo glad I came across this.

This is for an education environment. Hope this works OK for you! Thanks for the write-up! Any reason not to use 80 instead of 5?


