Mandatory profiles are increasingly being used. This is partly due to the rise of user virtualization software such as AppSense, RES Software and Microsoft UE-V, which uses a mandatory profile as its basis. That is not surprising: a mandatory profile combined with user virtualization software cuts user logon times considerably and reduces the risk of profile corruption.
There are quite a few ways to create a mandatory profile. In this post I want to explain my way of creating one, which I think is the most efficient.
Before you begin, go to Folder Options and make sure “Show hidden files, folders, and drives” is selected and that “Hide extensions for known file types” and “Hide protected operating system files (Recommended)” are deselected.
Step 1 – Create a share for the Mandatory profile
On a central file server, create and share a folder that you want to use for the Mandatory profile. Apply the following share permissions:
Authenticated Users – Read
Administrators – Full Control
To provide better security, always create the share on an NTFS volume. Make sure you set the following NTFS access permissions (including child objects):
SYSTEM – Full Control
Administrators – Full Control
Authenticated Users – Read & Execute
Step 2 – Create a Share for the Folder Redirections
On a central file server, create and share a folder that you want to use for the folder redirections and apply the following share and NTFS permissions:
Share Permissions
Everyone – Change
Administrators – Full Control
NTFS Permissions
CREATOR OWNER (Subfolders and files only)
– Full control
Authenticated Users (This folder only)
– Traverse folder / execute files
– List folder / read data
– Read attributes
– Read extended attributes
– Create folders / append data
– Read permissions
SYSTEM (This folder, subfolders and files)
– Full control
Administrators (This folder, subfolders and files)
– Full control
To ensure users can only see the files and folders they have access rights to, enable Access Based Enumeration on the share.
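Steps 1 and 2 as a script, added here as an example and not taken from the original post. The local paths and the share names (Mandatory$, Redirect$) are assumed placeholders; run it elevated on the file server, and switch on Access Based Enumeration by hand afterwards as there is no cmdlet for it on 2008 R2.

```powershell
# Added example, not part of the original post: creates the two shares from
# steps 1 and 2 and applies the NTFS permissions listed above. The local paths
# and the share names (Mandatory$, Redirect$) are assumed placeholders; run it
# elevated on the file server. Access Based Enumeration is still switched on
# by hand in Share and Storage Management.
function New-FsRule($Identity, $Rights, $Inherit, $Propagate) {
    # $Inherit 'ContainerInherit, ObjectInherit' = this folder, subfolders and files;
    # $Propagate 'InheritOnly' = "Subfolders and files only" in the GUI.
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

function Set-FolderAcl($Path, $Rules) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)     # stop inheriting from the parent
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($old)           # start from an empty DACL
    }
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

$both = 'ContainerInherit, ObjectInherit'

# Step 1: mandatory profile share. Read-only for users, so nobody but an
# administrator can change the NTUSER.MAN that every session loads.
New-Item -ItemType Directory -Path 'D:\Shares\Mandatory' -Force | Out-Null
net share 'Mandatory$=D:\Shares\Mandatory' '/GRANT:Authenticated Users,READ' '/GRANT:Administrators,FULL'
Set-FolderAcl 'D:\Shares\Mandatory' @(
    (New-FsRule 'SYSTEM'              'FullControl'    $both 'None'),
    (New-FsRule 'Administrators'      'FullControl'    $both 'None'),
    (New-FsRule 'Authenticated Users' 'ReadAndExecute' $both 'None')
)

# Step 2: folder redirection root. Users can only traverse, list and create
# their own top-level folder; CREATOR OWNER then gets everything below it.
New-Item -ItemType Directory -Path 'D:\Shares\Redirect' -Force | Out-Null
net share 'Redirect$=D:\Shares\Redirect' '/GRANT:Everyone,CHANGE' '/GRANT:Administrators,FULL'
Set-FolderAcl 'D:\Shares\Redirect' @(
    (New-FsRule 'CREATOR OWNER'       'FullControl' $both 'InheritOnly'),
    (New-FsRule 'Authenticated Users' 'ReadAndExecute, CreateDirectories' 'None' 'None'),
    (New-FsRule 'SYSTEM'              'FullControl' $both 'None'),
    (New-FsRule 'Administrators'      'FullControl' $both 'None')
)
```

ReadAndExecute covers traverse, list, read attributes, read extended attributes and read permissions; CreateDirectories is the "Create folders / append data" right, applied to this folder only.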
Step 3 – Create a Local Template user
On Windows Server 2008 R2 (or a Windows 7 client), create a local non-administrative user account.
If you create a local administrator account instead, you get the following unnecessary settings within the profile:
Software\Microsoft\Microsoft Management Console
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 (through 4)
The last one contains a lot of settings… and why would you create an administrator account anyway?
For this guide I will create a Template user with the name “robinhobo-com”.
Step 4 – Log in with the Template account you just created
Log in with the local user account created in step 3 and make the necessary customizations. To keep the profile as clean as possible, customize only what is necessary. I mostly customize the Pinned Items, the behaviour of the System Tray icons and some Start Menu properties.
I also remove all the Public folders from the user's Libraries. You can do this while customizing the template user, or afterwards by editing the library XML files (see step 5).
To clear the recently opened programs in the Start menu (as shown in the right image below), open the Taskbar and Start Menu Properties, open the Start Menu tab, deselect “Store and display recently opened programs in the Start menu” and “Store and display recently opened items in the Start menu and the taskbar” (as shown in the left image below) and hit Apply. Then select both options again and click Apply.
When you’re done with the customization of the profile, log out.
Step 5 – Clean up the Template user
First of all, I make a local backup copy of the profile (under an administrator account). As you can see in the picture below, all unnecessary shortcuts are automatically removed from the profile by this copy action.
I will use the backup copy to finish the Mandatory profile. The next step is to load the NTUSER.DAT in the Registry Editor.
Open the Registry Editor, select HKEY_LOCAL_MACHINE, open the File menu and select Load Hive...
Enter a key name, in this case I will give the key the name “robinhobo-com”.
Right-click the loaded hive and select Permissions. Remove the template user and the Administrators group. Add Authenticated Users and give this group Full Control. Click OK.
Consider whether you can empty or delete the following registry keys in your environment:
– <loaded hive>\Software\Microsoft\SoftGrid\4.5\Client\UserInfo\DataDirectory
– <loaded hive>\Software\Microsoft\WAB\(Default)
– <loaded hive>\Software\Policies
– <loaded hive>\Software\Microsoft\CurrentVersion\Policies
– <loaded hive>\Software\Microsoft\Windows\CurrentVersion\Run
– <loaded hive>\Software\Microsoft\Windows\CurrentVersion\RunOnce
Within the <loaded hive>, search for the template user name and replace it with %username%, except in Shell Folders.
Shell Folders
Shell Folders is a different story. Some people leave it as it is, some replace the template username with %username% and some delete all the Shell Folders values.
The problem is that some applications need these values to work properly and cannot handle variables.
I delete the values except “(default)”, “!Do not use this registry key” and “Fonts”, and let Windows recreate them through Active Setup at user logon.
To make that happen, delete the following registry key:
– <loaded hive>\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
Now when the user logs on, Active Setup recreates the Shell Folders values correctly, so programs that need them work as expected.
Select the <loaded hive>, go to the File menu and click Unload Hive. Close the Registry Editor.
Delete the following files and folders within the profile folder:
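The registry part of step 5 (hive permissions, the %username% replacement, Shell Folders and the Active Setup key) as a script, added here as an example and not taken from the original post. It assumes the backup copy of the template profile is in C:\ProfileBackup\robinhobo-com and loads the hive under the key name robinhobo-com, as in the text.

```powershell
# Added example, not part of the original post: the registry part of step 5 as
# a script. Assumptions: the backup copy of the template profile is in
# C:\ProfileBackup\robinhobo-com and the hive is loaded under the key name
# robinhobo-com, as in the text. Run elevated; keep the prompt outside the hive.
$template = 'robinhobo-com'
$hivePs   = "HKLM:\$template"
reg load "HKLM\$template" "C:\ProfileBackup\$template\NTUSER.DAT" | Out-Null

# Hive permissions: remove the template user and Administrators, add
# Authenticated Users with Full Control (SYSTEM and RESTRICTED stay as they are).
$acl = Get-Acl -Path $hivePs
foreach ($ace in @($acl.Access | Where-Object { "$($_.IdentityReference)" -match "\\${template}$|\\Administrators$" })) {
    [void]$acl.RemoveAccessRule($ace)
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList 'Authenticated Users', 'FullControl', 'ContainerInherit', 'None', 'Allow'))
Set-Acl -Path $hivePs -AclObject $acl

# Replace the template user name with %username% in every REG_SZ / REG_EXPAND_SZ
# value, skipping Shell Folders (handled below). Values are read unexpanded so
# that existing %USERPROFILE% style entries are not turned into literal paths.
$keys = @(Get-Item $hivePs) + @(Get-ChildItem $hivePs -Recurse -ErrorAction SilentlyContinue)
foreach ($key in $keys) {
    if ($key.PSChildName -eq 'Shell Folders') { continue }
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        if ('String', 'ExpandString' -notcontains "$kind") { continue }
        $old = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($old -notmatch [regex]::Escape($template)) { continue }
        $new = $old -replace [regex]::Escape($template), '%username%'
        $propName = if ($name -eq '') { '(default)' } else { $name }   # '' is the default value
        Set-ItemProperty -Path $key.PSPath -Name $propName -Value $new -Type $kind
    }
}

# Shell Folders: keep only (default), "!Do not use this registry key" and Fonts,
# then remove the Active Setup marker so Windows recreates the rest at logon.
$sf = "$hivePs\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
foreach ($name in (Get-Item $sf).GetValueNames()) {
    if ('', '!Do not use this registry key', 'Fonts' -notcontains $name) {
        Remove-ItemProperty -Path $sf -Name $name
    }
}
Remove-Item -Path "$hivePs\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}" -Recurse
# Drop every handle the provider still holds, otherwise the unload fails.
$acl = $null; $keys = $null; $key = $null
[gc]::Collect(); [gc]::WaitForPendingFinalizers()
reg unload "HKLM\$template" | Out-Null
```

The keys listed under "consider whether you can empty or delete" are environment-specific and are left alone here; remove them with Remove-Item or Remove-ItemProperty in the same way before the unload if you decide to.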
– AppData\Local
– AppData\LocalLow
– Contacts\<username>.contact
– The .LOG1, .LOG2, .blf and the .regtrans-ms files
Public Folders
As I mentioned in step 4, you can remove the Public folders from the libraries afterwards.
To do so, edit the following (hidden) files:
– Documents.library-ms
– Music.library-ms
– Pictures.library-ms
– Videos.library-ms
These files are located in the following location and are only visible from the command prompt:
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Libraries\
Remove the last “searchConnectorDescription” element from the files to remove the Public folder as shown in the picture below.
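The file-level part of step 5 (the deletions listed above plus the library edit) as a script, added here as an example and not taken from the original post. It assumes the backup copy of the template profile is in C:\ProfileBackup\robinhobo-com.

```powershell
# Added example, not part of the original post: the file-level part of step 5
# (the deletions listed above and the library edit). Assumption: the backup copy
# of the template profile is in C:\ProfileBackup\robinhobo-com.
$tpl = 'C:\ProfileBackup\robinhobo-com'

# Delete the folders, the contact file and the registry transaction-log files.
Remove-Item "$tpl\AppData\Local", "$tpl\AppData\LocalLow" -Recurse -Force -ErrorAction SilentlyContinue
Get-ChildItem "$tpl\Contacts" -Filter *.contact -Force -ErrorAction SilentlyContinue | Remove-Item -Force
Get-ChildItem $tpl -Recurse -Force -Include *.LOG1, *.LOG2, *.blf, *.regtrans-ms | Remove-Item -Force

# Remove the Public folder from each library: it is the last
# searchConnectorDescription element in the library-ms XML.
$libDir = "$tpl\AppData\Roaming\Microsoft\Windows\Libraries"
foreach ($lib in 'Documents', 'Music', 'Pictures', 'Videos') {
    $file = Get-Item "$libDir\$lib.library-ms" -Force     # -Force: the file is hidden
    [xml]$xml = Get-Content -Path $file.FullName
    $list = $xml.libraryDescription.searchConnectorDescriptionList
    $locations = @($list.searchConnectorDescription)
    if ($locations.Count -lt 2) { continue }              # only one location left, nothing to strip
    [void]$list.RemoveChild($locations[-1])
    # XmlDocument.Save() opens the file with FileMode.Create, which fails on a
    # hidden file, so clear the attributes for the write and restore them after.
    $attrs = $file.Attributes
    $file.Attributes = 'Normal'
    $xml.Save($file.FullName)
    $file.Attributes = $attrs
}
```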
Step 6 – Copy the profile to the network share
Copy the profile to the network share created in step 1. Rename the folder so that it is recognizable as a mandatory profile and append the .V2 extension to it (for example “manprofw2k8.V2”).
Rename the NTUSER.DAT to NTUSER.MAN.
Step 7 – Configure the Group Policies
Enable the Mandatory profile for Remote Desktop Services / Citrix XenApp
To enable a mandatory profile for Remote Desktop Services or Citrix XenApp, apply the following GPO settings to the RDS/XenApp OU (the mandatory profile is only applied when connecting through RDP or ICA):
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles
– Use mandatory profiles on the RD Session Host server – Enabled
– Set path for Remote Desktop Services Roaming User Profile – Enabled
In the last setting, specify the profile path in this form: “\\Computername or DFS namespace\Sharename\profile folder”. DO NOT INCLUDE THE .V2 OF THE PROFILE FOLDER. For example “\\hobo.lan\dfs\Mandatory\manprofw2k8”.
Enable the Mandatory profile for Windows 7
To enable a mandatory profile for Windows 7, apply the following GPO settings to the Windows 7 OU:
Computer Configuration > Policies > Administrative Templates > System > User Profiles
– Delete cached copies of roaming profiles – Enabled
– Set roaming profile path for all users logging onto this computer – Enabled
In the last setting, specify the profile path in this form: “\\Computername or DFS namespace\Sharename\profile folder”. DO NOT INCLUDE THE .V2 OF THE PROFILE FOLDER. For example “\\hobo.lan\dfs\Mandatory\manprofw7”.
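A check to run after steps 6 and 7, added here as an example and not taken from the original post: it takes the path exactly as typed into the GPO (without .V2), confirms the .V2 folder and NTUSER.MAN exist, and flags any non-admin principal that holds more than read on the profile folder, since a writable mandatory profile lets one user change the hive every user loads. The function name and the example path are assumptions.

```powershell
# Added example, not part of the original post: a check to run after steps 6
# and 7. $policyPath is the path exactly as typed into the GPO (no .V2), e.g.
# \\hobo.lan\dfs\Mandatory\manprofw2k8 from the text. Returns a list of findings;
# an empty list means the profile folder and its permissions look as intended.
function Test-MandatoryProfile([string]$policyPath) {
    $findings = @()
    if ($policyPath -like '*.V2') { $findings += 'The GPO path must not end in .V2' }
    $folder = "$policyPath.V2"
    if (-not (Test-Path -Path "$folder\NTUSER.MAN")) { $findings += "NTUSER.MAN is missing in $folder" }
    if (Test-Path -Path "$folder\NTUSER.DAT") { $findings += 'NTUSER.DAT is still present; rename it to NTUSER.MAN' }
    if ($findings.Count -gt 0) { return $findings }

    # Anything beyond read for a non-admin principal means one user could alter
    # the hive that every user loads, so flag every write-class right.
    $writeClass = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    foreach ($ace in (Get-Acl -Path $folder).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ("$($ace.IdentityReference)" -match '\\(SYSTEM|Administrators)$') { continue }
        if (($ace.FileSystemRights -band $writeClass) -ne 0) {
            $findings += "$($ace.IdentityReference) has $($ace.FileSystemRights) on $folder"
        }
    }
    return $findings
}

Test-MandatoryProfile '\\hobo.lan\dfs\Mandatory\manprofw2k8'
```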
Enable Folder Redirection
To enable user folder redirection, apply the following GPO settings for (domain) users:
User Configuration > Policies > Windows Settings > Folder Redirection
You can redirect the following folders:
– AppData (Roaming) (Not recommended with a mandatory profile)
– Desktop
– Start Menu
– Documents
– Pictures
– Music
– Videos
– Favorites
– Contacts
– Downloads
– Links
– Searches
– Saved Games
On the Target tab, select “Basic – Redirect everyone’s folder to the same location”. For Target folder location, select “Create a folder for each user under the root path”. For Root Path, fill in the share created in step 2. Make sure that “Grant the user exclusive rights to Documents” is deselected on the Settings tab.
To stop the message “Some library features are unavailable due to unsupported library locations” from appearing, apply the following policy:
User Configuration > Policies > Administrative Templates > Windows Components > File Explorer
– Turn off Windows Libraries features that rely on indexed file data – Enabled