
I want to configure my Windows Server 2008 servers like this. A user logs on, they load a profile that has been configured for that server and no changes can be made to the profile.

I want to do this is with a mandatory profile, and 2 policies: "Use mandatory profiles on the RD Session Host server" and "Set path for Remote Desktop Services User Profile"

So for each server, I log on, create a profile, save it as a mandatory profile, enable both policies, and in "Set path for Remote Desktop Services User Profile" I set the path to the previously saved mandatory profile.

I've tested this, and it doesn't work. When I log on to the server using RDP, it loads the local default profile. When I log off it saves the profile in the usual location, C:\Users, and I can make changes which are then saved to the profile. It's as if the policy setting hasn't been applied, but when I view rsop I can see that the policy IS applied. There are no errors when logging on or in event viewer.

Can anyone offer any ideas why it's not working?

Nick C

1 Answer

Possible errors you made or missed

  1. The profile must be readable by Authenticated Users (apply file security recursively to the profile folder).
  2. The profile folder must be named C:\Users\MandatoryUser.V2 (and the "Set path for Remote Desktop Services User Profile" must be C:\Users\MandatoryUser, without .V2, for Windows Server 2008 and higher).
  3. MandatoryUser is just an example username.
  4. You must open RegEdit and load the mandatory user's ntuser.dat file (click HKEY_USERS, then File > Load Hive), then set security on the loaded hive to Authenticated Users: Full Control.
  5. You must rename the mandatory user's ntuser.dat to ntuser.man.
  6. (!) You need to delete users who previously logged on to the server before letting them use the mandatory profile: delete c:\users\username, and delete them from the registry (delete the hive HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<user's SID>. Here you can look through all hives to find the ProfileImagePath that corresponds to your user).
  7. The mandatory profile is recreated when the user logs on! While the user is logged on, and after the user logs off, it acts like a normal profile.
  8. In System Properties\Advanced\User Profiles, mandatory profiles are marked as Mandatory.

Here is one of the best guides about mandatory profiles. It has some security issues, but as a starting point it is very good.

Per von Zweigbergk
filimonic
  • Thanks for the tips. I went through the process again just to check I haven't missed anything, it's basically what I did to start with. Unfortunately it still doesn't load my mandatory profile - it logs me on with the default local profile again. Just a couple of things to clarify... 1. I loaded the file NTUSER.dat to the hive, and gave permissions Authenticated Users - Full Control. Is that right - or should I rename to NTUSER.man, then load that into the registry hive and assign it permissions? 2. I unloaded the hive after I assigned permissions - is that right? – Nick C Feb 17 '15 at 16:51
  • 3. "Set path for Remote Desktop Services User Profile" contains a link to a share - \\MyComputerName\UsersFolder\TSProfile (actual folder is D:\UsersFolder\TSProfile.V2) - does it make a difference whether I enter \\MyComputerName\UsersFolder\TSProfile or D:\UsersFolder\TSProfile? – Nick C Feb 17 '15 at 16:51
  • After going through the process again System Properties\Advanced\User Profiles shows my profile as local – Nick C Feb 17 '15 at 16:52
  • Did you delete your profile before trying again? From the registry? – filimonic Feb 17 '15 at 17:16
  • Yes, and I know it isn't re-loading the same profile again because I made some changes, and those changes are gone - I just get the default local profile – Nick C Feb 18 '15 at 08:52
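The answer's steps 1, 4, 5 and 6, and the step 8 check, as a PowerShell script. This is an added example, not code from the original question, the answer or its author, and it is written for the PowerShell 2.0 that ships with Server 2008/2008 R2. Everything it assumes is marked: the profile folder C:\Users\MandatoryUser.V2 is the answer's own example name, the temporary hive name HKU\MandatoryTemp is an arbitrary free subkey, and the Win32_UserProfile Status bit used in the final check is the documented "Mandatory" flag of that WMI class, which the thread itself does not mention. The policy settings themselves are not touched; they stay in Group Policy as in the question.

```powershell
# Added example (not from the original post or its author). Run in an elevated
# PowerShell with nobody logged on with the profile being prepared.
# Assumptions: profile saved as C:\Users\MandatoryUser.V2 (the answer's example),
# HKU\MandatoryTemp is an unused subkey name.

$AuthenticatedUsers = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')  # well-known SID

function Grant-ProfileFolderRead {
    # Step 1: Authenticated Users get Read & Execute on the whole profile tree.
    param([Parameter(Mandatory=$true)][string]$ProfileRoot)
    # icacls: *SID grants by SID, (OI)(CI) inherit to files and subfolders, /T applies recursively
    icacls $ProfileRoot /grant '*S-1-5-11:(OI)(CI)RX' /T | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $ProfileRoot (exit $LASTEXITCODE)" }
}

function Set-HiveSecurity {
    # Step 4: load ntuser.dat under HKEY_USERS, give Authenticated Users Full Control, unload.
    param(
        [Parameter(Mandatory=$true)][string]$ProfileRoot,
        [string]$HiveName = 'MandatoryTemp'   # assumption: free HKU subkey name
    )
    $hiveFile = Join-Path $ProfileRoot 'ntuser.dat'
    reg.exe load "HKU\$HiveName" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hiveFile" }
    try {
        $regPath = "Registry::HKEY_USERS\$HiveName"
        $acl  = Get-Acl -Path $regPath
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $AuthenticatedUsers,
            [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path $regPath -AclObject $acl   # subkeys with inheritance enabled pick the ACE up
    }
    finally {
        # PowerShell keeps handles on the loaded hive; drop them or 'reg unload' reports it as in use.
        $acl = $null
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        reg.exe unload "HKU\$HiveName" | Out-Null
    }
}

function Rename-HiveToMandatory {
    # Step 5: ntuser.dat -> ntuser.man makes the profile mandatory (the file is hidden, hence -Force).
    param([Parameter(Mandatory=$true)][string]$ProfileRoot)
    Rename-Item -Path (Join-Path $ProfileRoot 'ntuser.dat') -NewName 'ntuser.man' -Force
}

function Get-StaleProfileEntry {
    # Step 6 (inspection): ProfileList keys whose ProfileImagePath ends with the given user name.
    param([Parameter(Mandatory=$true)][string]$UserName)
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem -Path $list) {
        $img = (Get-ItemProperty -Path $key.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
        if ($img -and ($img -like "*\$UserName")) {
            New-Object PSObject -Property @{ SID = $key.PSChildName; ProfileImagePath = $img; KeyPath = $key.PSPath }
        }
    }
}

function Remove-StaleProfile {
    # Step 6 (removal): delete the ProfileList key and the folder of a logged-off user, with confirmation.
    param([Parameter(Mandatory=$true)][string]$UserName)
    foreach ($e in Get-StaleProfileEntry -UserName $UserName) {
        Remove-Item -Path $e.KeyPath -Recurse -Confirm
        if (Test-Path -LiteralPath $e.ProfileImagePath) {
            Remove-Item -LiteralPath $e.ProfileImagePath -Recurse -Force -Confirm
        }
    }
}

function Test-MandatoryProfileLoaded {
    # Step 8 check after a test logon: Win32_UserProfile.Status bit 4 is the Mandatory flag.
    param([Parameter(Mandatory=$true)][string]$Sid)
    $p = Get-WmiObject -Class Win32_UserProfile -Filter "SID='$Sid'"
    return (($p -ne $null) -and (($p.Status -band 4) -ne 0))
}

# Usage: prepare the profile folder from the answer's step 2 (assumption: adapt the path).
$root = 'C:\Users\MandatoryUser.V2'
Grant-ProfileFolderRead -ProfileRoot $root
Set-HiveSecurity        -ProfileRoot $root
Rename-HiveToMandatory  -ProfileRoot $root
# Remove-StaleProfile -UserName 'someuser'        # step 6, once per user who logged on before
# Test-MandatoryProfileLoaded -Sid 'S-1-5-21-...' # step 8, after that user's test logon
```

Two points worth checking against the thread. Step 6 must be done for every user who has already logged on, which is why the script inspects ProfileList by ProfileImagePath before deleting anything and asks for confirmation on each removal; a leftover key for the user's SID is exactly what would make the server keep loading a local profile from C:\Users. And the final check reads the same Mandatory flag that System Properties\Advanced\User Profiles shows in step 8, so it tells you whether the logon used the mandatory profile without having to make and lose a test change.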