Windows 10: create local mandatory (unchangeable) user profile

1

We have a stand alone (not in a domain) desktop computer running Windows 10 x64 Pro that is connected to a projector.

This computer is used by various teachers for teaching purposes using programs like Autocad, Archicad, Office 2013, Visual Studio and so on.

It often happens that teachers customize the environment moving bars, palettes, changing colors, and other stuff and this annoys the other teachers that have to restore the normal configuration of the environment manually.

So we'd like to create a local mandatory user profile so that every change people make to the environment, every file copied to the Desktop or Documents folder, etc., every customization will be lost at next logon. All the information we found on the web doesn't work or only works for a domain environment. So, the question is:

Is it possible to create a local mandatory (i.e. unchangeable) profile for a standalone computer running Windows 10 Pro just using the features offered by the operating system, without using third-party programs?

We found that forcing the account to act as a temporary account works for our needs, but we are not able to remove the warning telling that all data will be lost at logoff: for us this approach can be useful if there is the possibility to eliminate these warnings and notices. Thanks.

filograndipad2

Posted 2017-03-21T12:19:38.443

Reputation: 31

Answers

1

I was stuck in a similar situation to yours. Here is my current solution: overwrite the profile at every shutdown using robocopy.

  1. create an account with all default settings you want to use.
  2. make a copy of that profile folder by robocopy. eg, robocopy c:\users\xxx c:\users\xxx_bak /mir /xj
  3. create a bat. "echo d | robocopy c:\users\xxx_bak c:\users\xxx /mir /xj"
  4. set shutdown script to run the bat

For my 10-year-old PC (Core2Duo + new SSD), it takes maybe 10-20 seconds to shut down for a profile of around 300MB.

It can't restore (until next shutdown) if the power goes off suddenly or the user just logs out. I thought about using robocopy in a startup script, just not sure if Windows will wait for the bat to finish before login. You could try.

Raymond Leung

Posted 2017-03-21T12:19:38.443

Reputation: 11
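
The restore step from the answer above, written as a PowerShell shutdown/startup script. This is an added example, not part of the original answer; the account name `teacher`, both folder paths and the log path are assumed placeholders. It adds the checks the one-line bat lacks: a missing baseline, a profile that is still in use, and robocopy's exit code.

```powershell
# Added example: restore a local profile from a baseline copy (shutdown or startup script).
# Assumed placeholders: account 'teacher', the two profile paths and the log path.
param(
    [string]$UserName    = 'teacher',
    [string]$ProfileDir  = 'C:\Users\teacher',
    [string]$BaselineDir = 'C:\Users\teacher_bak',
    [string]$LogFile     = 'C:\ProgramData\profile-restore.log'
)

# /MIR from a missing or empty source would delete the whole profile, so require a
# baseline that at least contains the user registry hive.
if (-not (Test-Path -LiteralPath (Join-Path $BaselineDir 'NTUSER.DAT'))) {
    Write-Error "Baseline '$BaselineDir' has no NTUSER.DAT; nothing restored."
    exit 1
}

# While the account is logged on, its hive is loaded under HKEY_USERS\<SID> and
# NTUSER.DAT is locked, so a restore would be partial. Skip instead.
$account = New-Object System.Security.Principal.NTAccount($UserName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
if (Test-Path -LiteralPath "Registry::HKEY_USERS\$sid") {
    Write-Error "'$UserName' still has a loaded hive; nothing restored."
    exit 2
}

# /MIR and /XJ are the switches from the answer. /R:1 /W:1 replaces robocopy's
# default of one million retries at 30 seconds each, which would stall shutdown
# on a single locked file. /NP and /LOG+ keep a readable, appended log.
robocopy $BaselineDir $ProfileDir /MIR /XJ /R:1 /W:1 /NP "/LOG+:$LogFile"
$rc = $LASTEXITCODE

# Robocopy exit codes are a bit mask: below 8 is success (files copied, extras
# removed, and so on); 8 or above means at least one copy failed.
if ($rc -ge 8) {
    Write-Error "robocopy failed with exit code $rc; see $LogFile"
    exit $rc
}
exit 0
```

Computer startup and shutdown scripts run as Local System, so keep the baseline folder and the script itself writable by administrators only; anyone who can change either one controls what is copied into the profile.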

0

Yes it can be done easily:

Log in with your local administrator account (if not present, enable it and set a password from Local Users and Groups by navigating to: right click on This PC > Manage > Local Users and Groups > Users).

Navigate to C:\Users\YourUsername. Then show hidden files and folders from Folder Options, locate the file named NTUSER.dat and change its extension to .man > NTUSER.man.

Make sure you edit your settings before changing the file name extension.

Elie

Posted 2017-03-21T12:19:38.443

Reputation: 479

An alternative to this solution is to make separate accounts for each user, that way each user can configure it the way they want. You can also use the program of your choice that rolls back any changes to the machine each time it's restarted. – Ramhound – 2017-03-21T17:33:52.230

Doesn't work! As I said in my question, I found a lot of information about my problem and the solutions offered (like renaming ntuser.dat to ntuser.man) are useless. – filograndipad2 – 2017-03-21T21:46:13.050

Then be more specific what was the error cause there is no other solution to create a mandatory profile – Elie – 2017-03-21T21:49:19.057

Even after renaming the ntuser.dat file to ntuser.man, the profile is not mandatory: all the changes are still there after logoff or reboot. I remind you that the computer is a standalone PC, i.e. it is not in a domain environment. A temporary user account seems to work perfectly for the purpose, but the warning notices are very annoying. Bye – filograndipad2 – 2017-03-21T21:55:21.233

Again you are not moving in the right direction you are still not providing enough information about the error, I don't know any other way maybe perhaps because you still have the temporary profile still active ? PS: try not to be rude to people who waste their time trying to help you. – Elie – 2017-03-21T21:59:51.317

Forgive me if I have been rude, it was not my intention. I'll try to be more clear, but English is not my language: the user account on which I made the test renaming dat to man is not a temporary account but a normal user account. Renaming ntuser.dat to .man doesn't produce any error, simply on the next logon all changes made are still there: files created on desktop, bars moved and so on. – filograndipad2 – 2017-03-21T22:06:56.143

I want you to create a new user and modify it the way you want, then log out and log in again, then log out. Next, log in with the local administrator account, navigate to the user folder and rename NTUSER.dat to NTUSER.man, reboot the computer and try logging in. If the changes don't occur, there must be an error popping up, such as that you have been signed in with a temporary profile or so; provide the error. – Elie – 2017-03-21T22:09:42.387

I can guarantee you that I made exactly what you tell. As soon as I can I'll make a video screen recorder about all the steps followed. Anyway thanks for the attention you're giving me. – filograndipad2 – 2017-03-21T22:17:26.390

Do you have any local policies on the computer ? – Elie – 2017-03-21T22:18:42.080

No policies set, just a fresh Win 10 Pro x64 installation with updates and some programs like Office, Acad 2016, Visual Studio 2015 Community. – filograndipad2 – 2017-03-21T22:26:07.313

Version of windows is 1607 or 1511? – Elie – 2017-03-21T22:26:41.940

Windows version used is 1607. – filograndipad2 – 2017-03-21T22:33:33.343

0

I managed to do it with this method. After creating the default profile:

    1. Go to control panel 》 system 》 advanced system properties 》 user profiles settings 》
    2. Select Default Profile and press copy to, desktop address name it Mandatory.v6
    3. Below permitted to use, press change and type "authenticated users", press check names. Also DO NOT tick mandatory profile
    4. Right click on the Mandatory folder we just created, Security > Edit > Add > change location to your PC's name > type ALL APPLICATION PACKAGES and check names, give it full control
    5. On the Security tab press advanced, tick "replace all object permission entries with inheritable permission entries from this object"
    6. Open regedit with administrator privilege, highlight HKEY_USERS, file > load hive > select ntuser.dat in the mandatory.v6 folder we created earlier, name it mandatory
    7. Right click on that folder > permission > add user > Authenticated Users, check name and give it full control
    8. Right click on that folder > permission > add user > type ALL APPLICATION PACKAGES > check name and give it full control
    9. Still on regedit Create new key #Mandatory, and new text file mandatoryv6 on mandatory.v6 folder earlier
    10. Delete all occurrences of Administrator using right click > find, keep pressing del and f3 (next result); careful, only delete occurrences under the mandatory folder.
    11. Right click the Mandatory folder and export keys, name it mandatory.v6
    12. Highlight mandatory folder, file > unload hive
    13. Rename ntuser.dat to ntuser.man in the mandatory.v6 folder
    14. Open regedit with administrator privilege, highlight HKEY_USERS, file > load hive > select ntuser.man in the mandatory.v6 folder we created earlier, name it mandatory
    15. Run mandatory.reg that we exported in step#22
    16. Unload mandatory hive!
    17. Repeat from step #1 according to how many profiles you plan to make
    18. Win+ Run > lusrmgr.msc, then on the profile tab give each user the address of the mandatory profile folder (without v6!)
    19. Your Mandatory profile is now ready, test it by adding something on the desktop, logoff and logon, the changes should not persist anymore

Modifying mandatory profile :

    1. Login as admin
    2. Rename ntuser.man in mandatory folder with ntuser.dat
    3. login as any of the mandatory profile
    4. Make changes, enter admin pass when required
    5. Logout mandatory profile, login admin, rename ntuser.dat to ntuser.man again

But after a couple of reboots or so I noticed sometimes it fails to log in. I haven't tested it on newer Windows versions though.

denywinarto

Posted 2017-03-21T12:19:38.443

Reputation: 1

0

Please back up first and try this: go to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

and create these 4 DWORDS there and set value 0 for all

ShowInfoTip
FolderContentsInfoTip
StartButtonBalloonTip
EnableBalloonTips

RAJA

Posted 2017-03-21T12:19:38.443

Reputation: 11

Doesn't work: every change made still remains after logoff or reboot – filograndipad2 – 2018-11-07T13:58:00.623

I updated the answer, please check; hope this will help – RAJA – 2018-11-11T13:57:31.920