
In a Windows AD environment with Windows 7 clients I am looking for ways of providing departmental admins with means to maintain mandatory profiles for their respective users. As settings required within the mandatory profile are going to change with every new client application installation, I need to find a mode where mandatory profiles could be changed effortlessly on demand.

From Windows Vista on, the procedure for creating a mandatory profile has changed substantially. The official documentation mandates the creation of a default user profile, which in turn requires a run of

sysprep /oobe /reboot /generalize /unattend:unattend.xml

to create the default user profile. It also states

Other methods of creating default user profiles exist. [...] However, the steps that this section describes are the only steps that Microsoft supports for customizing a default user profile. These steps clean the source user profile so that it supports multiple users.

As I cannot burden the mentioned admins with running sysprep on every profile change, I would need the details about the "cleaning" of the source user profile done by the WAIK's CopyProfile so I could mimic this procedure through scripting.

Another approach might be to create the profile with the sysprep method once and export settings changes from another template profile on demand by scripting. For this to work reliably, I would need to know which keys in the mandatory profile must not be overwritten.

In the past, I have done something similar with Windows XP workstations by simply exporting the registry of a (special) user logged on with the mandatory profile using a reg export call directly to the respective .MAN file. With the latest changes in profile handling, I am all but sure that this still would be a sane way to handle it.

Insight and references much appreciated.

the-wabbit
  • I've posted an answer to my own question reflecting my current state of research. It is however extremely vague as I do not have a detailed listing nor a reference for the reg keys changed by CopyProfile. Thus, the bounty would go to the answer providing this listing / reference. – the-wabbit Apr 22 '13 at 14:04
  • Can you explain why a standard first use account with first run scripts and policies won't work for you? I recently did a large project (40 desks * 2 PC's running multiple screens & custom software) to deploy machines with very specific user experience requirements and I rejected the majority of cooked in customisation during the first build, and went with first use scripts and group policy to configure new users as I needed. – Patrick Apr 22 '13 at 15:30
  • @Patrick the idea is to have pre-set profiles for different groups of users. The groups are homogeneous in their requirements and supported by local admins. The local admins are free to do deployment and software installation as they see fit, and they need a standardized way to provide users with profiles which can't be messed up beyond all repair to reduce support expenses. On the other hand, the profiles need to be customizable *by the admins only* to be able to provide sane configurations for installed applications as not everything can be done conveniently by group policies. – the-wabbit Apr 22 '13 at 17:48

2 Answers


According to a TechNet blog entry about the default user profile, these seem to be the points CopyProfile addresses in a user's profile when sysprep is run:

  • Their list of most frequently run programs is not cleared
  • Whether the user has been introduced to the Start menu (will be set to TRUE for the source account, but should be FALSE for new users). Windows Explorer does some special things the first time you log on to introduce you to the Start menu and other new features.
  • Whether the user is an administrator (and should therefore see the Administrative Tools, etc).
  • The personalized name for “My Documents” will be incorrect. All users documents folders will be called “Administrator's Documents”. This is documented in the Knowledge Base article “The Desktop.ini File Does Not Work Correctly When You Create a Custom Default Profile” (http://support.microsoft.com/?id=321281).
  • The default download directory for IE will be set to the Administrator's Desktop folder.
  • The default Save and Open locations for some applications will point to the Administrator's documents folder.
  • Windows 7 Libraries are broken.

Also, a scripted method of changing the profile is proposed:

Identify the needed Registry changes. Then use a tool like Reg.exe or KiXtart to load the Default User hive into a temporary location into the Registry, write only the needed settings, and then unload the hive.

[...]

You should exercise caution using this method. Try to keep all changes limited to only the individual Registry or file system changes needed for a particular desired result (e.g., a Windows or application setting). Do not do wholesale export and import of Registry keys or folder trees. This can potentially lead to the same problems as a manual profile copy.

The challenge for a generic approach, if the changes done to the registry are unknown, would be identifying the problematic locations which must not be copied over and excluding them from a settings copy. Creating a profile, copying it, going through the CopyProfile operation and comparing both (e.g. by using RegShot) should help find the settings changed by CopyProfile.

the-wabbit
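As an added example (not code from the original answer, the TechNet post, or Microsoft), here is the load/write/unload method the blog proposes for the Default User hive, applied to a mandatory profile's NTUSER.MAN instead. The share path, the Contoso application key and the list of values are assumptions chosen to illustrate the shape; only the listed values are written, so the per-account items in the list above (MRU list, Start menu introduction flag, shell folder paths) are never touched.

```powershell
# Added example (not from the original answer or from Microsoft): edit a
# mandatory profile hive offline by loading it under HKEY_USERS, writing only
# the individual values required, and unloading it again.
# Requirements: run elevated (REG LOAD/UNLOAD need the backup/restore
# privileges), and the .MAN file must not be open by the profile service.
# The share path and the settings below are assumptions for illustration.

param(
    [string]$HivePath  = '\\fileserver\Profiles\Sales.V2\NTUSER.MAN',  # assumed location
    [string]$MountName = 'MandProfile'                                  # temporary key under HKU
)

# Per-value settings list. Each entry is relative to the hive root and carries
# an explicit registry type so nothing depends on type inference.
# 'Software\Contoso\Inventory' is a hypothetical application key;
# Explorer\Advanced\HideFileExt is a real Explorer setting.
$Settings = @(
    @{ Key = 'Software\Contoso\Inventory'; Name = 'ServerUrl'; Type = 'String'; Value = 'https://inv.contoso.local' },
    @{ Key = 'Software\Contoso\Inventory'; Name = 'Theme';     Type = 'String'; Value = 'Light' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt'; Type = 'DWord'; Value = 0 }
)

$mount   = "HKU\$MountName"                      # reg.exe form of the mount point
$psMount = "Registry::HKEY_USERS\$MountName"     # PowerShell provider form

if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive not found: $HivePath" }

# A damaged NTUSER.MAN locks every user of that profile out, so keep a copy.
Copy-Item -LiteralPath $HivePath -Destination "$HivePath.bak" -Force

& reg.exe load $mount $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)" }

try {
    foreach ($s in $Settings) {
        $fullKey = "$psMount\$($s.Key)"
        if (-not (Test-Path -LiteralPath $fullKey)) {
            New-Item -Path $fullKey -Force | Out-Null     # -Force creates intermediate keys
        }
        # -Force overwrites an existing value of the same name; nothing else is touched
        New-ItemProperty -LiteralPath $fullKey -Name $s.Name -PropertyType $s.Type `
            -Value $s.Value -Force | Out-Null
    }

    # Audit trail: export the edited hive so the change can be reviewed or
    # diffed against the previous export (e.g. with RegShot or a text diff).
    & reg.exe export $mount "$HivePath.after.reg" /y | Out-Null
}
finally {
    # Open provider handles make REG UNLOAD fail with "Access is denied";
    # release them before unloading, otherwise the hive stays mounted.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload $mount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; hive may still be mounted at $mount" }
}
```

Save it as a script and run it from an elevated prompt on a machine that has write access to the profile share. The contrast with the `reg export` approach from the question is that an export of a live user's hive carries the account-specific values listed above into the .MAN file wholesale, which is exactly the "manual profile copy" problem the blog post warns about; writing named values into the mounted hive keeps the change to what the admin actually intended.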

If I am not mistaken, you can just log in to a normal roaming profile in the AD environment. In the user home folder it stores a hidden file, ntuser.dat. Simply change that to ntuser.man and that then converts the roaming profile (ntuser.dat) into a mandatory access profile (ntuser.man).

PsychoData
  • Thank you for taking the time for your answer. This indeed has been the procedure up to Windows XP. With Vista, the documentation to create mandatory user profiles has been significantly changed. What I have linked in my answer describes running `sysprep /oobe /generalize` with a modified unattend.xml as a required step in the solution. As this clearly is too laborious if you have frequent changes to make to the mandatory profile, I am seeking for internals and the rationale behind this procedure so I could tailor a solution which is easier to handle. – the-wabbit Apr 22 '13 at 08:43
  • The process I described is the process covered in my text on administering Windows 7 computers. Vista may be different. But I have personally done the process I have outlined with Server 2008 R2 and Windows 7 client. In my class we deployed settings through group policy to make the ntuser.dat and converted it to the .man to make it a mandatory profile. – PsychoData Apr 22 '13 at 13:19
  • Take a look at http://blogs.technet.com/b/deploymentguys/archive/2009/10/29/configuring-default-user-settings-full-update-for-windows-7-and-windows-server-2008-r2.aspx for things which might go wrong with simply copying a profile. Also, I found several references within the documentation stating that it is explicitly unsupported. This being said, I have taken a similar approach for Windows XP clients in a project once - it worked out well. – the-wabbit Apr 22 '13 at 14:08
  • Copying profiles on Windows 7 was a messy experience that i backed out of again very quickly. – Patrick Apr 22 '13 at 15:19