Can you use a local path for mandatory profiles?

i had the same problem. I have to set up a P.C. classroom for students with mandatory profiles without the use of an active directory domain server. I needed to setup and customize a LOCAL mandatory profile on a sample machine for replication. I wrote some notes to describe the working solution, in italian, below an attempt to translate it (i apologize for my poor english)

  1. login as a user in the Administrators group
  2. From "User Management" create user student with password student and set:
    -Password never expires
    -User can not change password
  3. Start Menu > Change User > log in as user student
  4. Log Off
  5. Create a new folder in C:\Users\ and give it a name like defstudprofile.v2.

  6. Login as Administrator and copy the profile "DEFAULT" (the default system profile) to the newly created folder using the System Settings menu > Advanced > User Profiles Settings > BUTTON "Copy to ...".

    IMPORTANT! Before you copy use the "Change" to allow the group "Authenticated Users" use of the new profile.

    This operation overwrites the entire contents of the folder 'defstudprofile.v2' with the contents of the default profile, but allows 'Authenticated Users' to use it.

  7. Menu "Edit Local Users and Groups" > user "student" > "Profile" - enter in the "Profile Path" box the path of the folder defstudprofile.v2 ... remembering that the folder must be specified without the .v2 extension. so the path becomes C:\Users\defstudprofile
  8. Log Off
  9. login again as user student
  10. Customize the desktop settings, the home page of the browsers, the proxy, and anything else you need blocked or changed
  11. Log Off
  12. Log back in as user student and verify that the settings are all stored.
  13. Before you continue you should Log off and back several times, opening several applications to make sure they are all properly configured.
  14. Log in as an administrator. Go to the the C:\Users\defstudprofile.v2 profile folder and rename the ntuser.dat file to ntuser.man
  15. Log Off
  16. DONE! login as student and try to change some settings - disconnect and go back. The profile student is locked!

Further customizations of the mandatory profile can be done by renaming ntuser.man back to ntuser.dat to unlock the profile, and setting the file back to ntuser.man again to re-lock it.


You can use any path that is reachable from the system when logging on. In case of a roaming profile, the user needs change permissions on the profile directory. In case of a mandatory profile read permissions are sufficient.

Advice: The creation of a new user profile involves a lot of disk activity. It might be faster if the profile template (in your case the mandatory profile stored locally) is read from the network since that reduces the IOPS the local disk has to deal with.

More information from my blog:

Articles about mandatory profiles

User Profile Design: A Primer

Tags:

Windows

Active Directory

User Profile

Recent Posts