Is there a simpler method for "creating mandatory profiles for Windows 7 users in an Active Directory environment" than the officially Microsoft supported method of using sysprep and AIK? If so, how?
4 Answers
Here is a workaround:
http://oakdome.com/k5/tutorials/windows-7-mandatory-roaming-profile.php
Mandatory Profiles can be created by renaming the ntuser.dat file into ntuser.man. You need to change "extension" from .DAT to .MAN.
You can also write a script to rename all the files or if all your users need to have the same desktop, create a "super-mandatory" profile by copying a predefined profile to a share, change the ntuser.dat name to ntuser.man and provide the profile path to the profile in all users' "profile" tab in Active Directory Users and Computers. In case you have Roaming Profile on the server for users, there is a group policy setting that makes profiles mandatory.
Here are the steps:
Computer Configuration Policies Administrative Templates System User Profile Prevent Roaming Profile changes from being propagated to the server
This makes profile mandatory by stopping system from updating the change to the server. This setting have the same effect with renaming NTUSER.DAT to NTUSER.MAN for a roaming profile.
- 351
- 1
- 5
There is, in fact, a number of methods to create mandatory profiles. The problem is just that there only is a single supported method. This is what the docs have to say about it:
Other methods of creating default user profiles exist. [...] However, the steps that this section describes are the only steps that Microsoft supports for customizing a default user profile. These steps clean the source user profile so that it supports multiple users.
I have found that creating a mandatory profile through sysprep's CopyProfile
is not much of a problem. The problem usually starts where you need to administratively modify the mandatory profile on a frequent basis. If this is your problem too, you might want to consider the following options:
- do not modify the profile itself, use group policies to override the profile settings
- use a scripted approach where you load the previously prepared mandatory profile, make the changes and export the relevant registry settings back out into the ntuser.man file - see my question on modifying mandatory user profiles for some ideas on how to do that.
- 40,319
- 13
- 105
- 169
There is a way to avoid manipulating the profile in the first place. If what you want is to manage specific items in the profile then you can Use the "User section" of Active Directory Group Policy to change those items which you want changed. You can put in files/folders or registry keys for the first time or every time.
It's easy, configurable, and centrally managed.
If you are configuring the policy for a particular computer then the main setting to add in the GPO is Computer Configuration\Policies\Administrative Templates\System\Group Policy Loopback processing in replace or merge mode. Here is an article about which setting you could use. This setting will turn on the User section.
- 160
- 1
- 7
We don't work with roaming profiles here, but I've also found Microsoft's requirement to use Sysprep for default user profiles onerous.
Instead I simply log in with a dummy AD user (one with no additional group policy), make my desired changes, and log out. Then I log in as an admin, open the profile manager (System Properties > Advanced > User Profiles), select my dummy user, run a utility called Enabler and "Copy To" C:\Users\Default.
I've never had any problems with this method.
- 718
- 5
- 15