fierobuff (Member), Aug 11, 2014 at 8:41 am, #164102
I am volunteering for a school to replace their existing computer lab which is Windows XP to the new computer lab running Windows Server 2008 R2. Their current solution does not allow the user to make changes to their Desktop or computer settings and they would like to keep it this way. Their old AD structure is messed up and we are going to be starting from scratch. They have a new AD domain set up on Windows Server 2012 R2.
I did some research on how to do this but can’t seem to get it to work correctly. It appears I need to create a mandatory profile to be used for the students. To do this I followed the following guide: markswinkels.nl/2009/12/how-to-create-a-mandatory-profile-in-windows-server-2008-r2/
How to: Create a Mandatory profile in Windows Server 2008 R2
1.) Make a local user on the server (Windows Server 2008 R2 in my environment)
2.) Make the user member of the local administrators group on your server
3.) Login in with this user and customize for example the start menu
4.) Logoff and login again with an administrator account
5.) Create a share on your file server. For example \\SRV-RDSDC-01\TSmandatory
6.) For share permissions choose Everyone Full Control, NTFS permissions choose Authenticated Users Read
7.) Turn off Caching on this share
8.) Copy the complete template folder from the C:\Users directory to the new TSmandatory share
9.) Rename the template folder to TSmandatory.V2
You have to add the .V2 in the name of your folder, because it’s the new profile type in Windows Server 2008 and 2008 R2!
10.) Delete the Local and LocalLow folders from the AppData folder
11.) The next step is to add the right permissions on the mandatory profile
12.) Open REGEDIT and load the NTUSER.DAT hive
13.) Right-click on the TS Mandatory profile and choose permissions
14.) Delete the template user and add the Authenticated Users (Full Control)
15.) Unload the NTUSER.DAT from your registry
16.) Rename the NTUSER.DAT to NTUSER.MAN
17.) When you configure a GPO to specify the location of the Mandatory profile, you have to choose the following location:
\\SRV-RDSDC-01\TSmandatory\TSmandatory without the .V2!
The only difference is on step 14 I substituted “Authenticated Users” with a custom group I created called “Folder Redirect Students”.
Step 17 wasn’t clear on how to configure the GPO so I followed this guide: jasonsamuel.com/2012/12/10/how-to-create-a-windows-7-or-server-2008-r2-mandatory-profile-for-appsense/
I skipped a couple of steps that were repeats from the first guide. I also did the GPO stuff in a custom policy I created on my Domain Controller. Again, here I replaced “Authenticated Users” with my custom group called “Folder Redirect Students”. I also verified that the user I am testing is a member of this group.
Go to Start > Run > and type gpedit.msc.
Then navigate to:
Local Computer Policy > Computer Configuration > Administrative Templates > System > User Profiles
There will be 3 items we need to change to “Enabled”:
-Delete cached copies of roaming profiles
-Set roaming profile path for all users logging on this computer
-Prevent Roaming Profile changes from propagating to the server
11. For “Set roaming profile path for all users logging on this computer”, you need to put a UNC path to the share that holds your mandatory profile. So since it’s on the local server in this example, I will do: \\servername\mandatoryprofile
Notice I did not add “.v2” at the end. Windows will automatically look for it as the users log in.
13. Now navigate to:
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles
There will be 2 items we need to change to “Enabled”:
-Use mandatory profiles on the RD Session Host server
-Set path for Remote Desktop Services Roaming User Profile
14. For “Set path for Remote Desktop Services Roaming User Profile”, you need to put a UNC path to the share that holds your mandatory profile just like the previous setting. \\servername\mandatoryprofile
Notice again I did not add “.v2” at the end. Windows will automatically look for it as the users log in.
16. Now navigate to the mandatory profile’s desktop and add a text file. So in this example “c:\mandatoryprofile.v2\Desktop”. I’ve created a file called “This is a mandatory profile in action.txt”.
17. Now right click on the mandatoryprofile.v2 folder and share it out. Make sure “Everyone” has access:
18. Now RDP into the server using any account you like. You will get the mandatory profile and you will see the text file we had created earlier on the desktop.
For both guides I followed, I made sure to use the same naming scheme but it didn’t work. When I RDP into a PC on the Domain, the profile gets created for my user but it doesn’t appear to be the mandatory profile I created. It isn’t customized and when I make a change like add a text file to the desktop, log off and log back in, the changes are still there. If anyone can help identify what I am doing wrong, I would appreciate the help.
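
A check of the on-disk state that the two quoted guides are meant to produce, as an added PowerShell example that is not part of the original post or of either guide. The default share path and the two reader names are taken from the post; the `$ProfileRoot`, `$Readers` and `$Trusted` parameters are assumptions to replace with your own values.

```powershell
# Added example: audits the mandatory-profile template folder described in the steps above.
# $ProfileRoot, $Readers and $Trusted are assumptions; substitute your own share and groups.
param(
    [string]$ProfileRoot = '\\servername\mandatoryprofile',   # path as set in the GPO, WITHOUT .V2
    [string[]]$Readers   = @('Authenticated Users', 'Folder Redirect Students'),
    [string[]]$Trusted   = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
)

$folder   = "$ProfileRoot.V2"    # the GPO path plus the .V2 suffix is the folder that must exist
$findings = New-Object 'System.Collections.Generic.List[string]'

if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
    $findings.Add("Folder not found: $folder")
} else {
    # The renamed hive is what makes the profile mandatory (step 16 of the first guide).
    if (-not (Test-Path -LiteralPath (Join-Path $folder 'NTUSER.MAN'))) {
        $findings.Add('NTUSER.MAN not found in the template folder')
    }
    if (Test-Path -LiteralPath (Join-Path $folder 'NTUSER.DAT')) {
        $findings.Add('NTUSER.DAT is still present (hive was not renamed)')
    }
    # Step 10: Local and LocalLow should have been deleted from AppData.
    foreach ($sub in 'AppData\Local', 'AppData\LocalLow') {
        if (Test-Path -LiteralPath (Join-Path $folder $sub)) {
            $findings.Add("$sub is still present in the template")
        }
    }

    # NTFS ACL: students need read access, and nobody outside $Trusted should be able to
    # change the shared template. Generic-rights (inherit-only) ACEs are not decoded here.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $allow = @((Get-Acl -LiteralPath $folder).Access |
               Where-Object { $_.AccessControlType -eq 'Allow' })

    $hasReader = $allow | Where-Object {
        $Readers -contains ($_.IdentityReference.Value -split '\\')[-1]
    }
    if (-not $hasReader) {
        $findings.Add("No Allow entry for any of: $($Readers -join ', ')")
    }
    foreach ($ace in $allow) {
        $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($canWrite -and ($Trusted -notcontains $ace.IdentityReference.Value)) {
            $findings.Add("Review: $($ace.IdentityReference) can modify the template ($($ace.FileSystemRights))")
        }
    }
}

if ($findings.Count -eq 0) { 'No problems found in the template folder.' } else { $findings }
```

Run it from an account that can read the share. It inspects only the template folder and its NTFS ACL; whether the GPO settings actually reach the machine being logged on to has to be checked separately.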