Mandatory Profiles
A mandatory profile is a roaming profile that is configured as read-only. Users will use this profile as a roaming profile, but any changes made by the user will not be saved. The primary reason to create mandatory profiles is so that users have a consistent profile.
It is possible for enthusiastic users to modify the standard profile in such a way that it adversely affects the system. This results in a call to the help desk and troubleshooting by a technician. Some companies have had one too many of these calls and have decided to use mandatory profiles to prevent these problems.
As a reminder, here's how the roaming profile works. The user logs on, the profile is retrieved from the server where it's stored, and then the profile is copied down to the local computer. When the user logs off, any changes to the profile are copied back up to the server where the roaming profile is stored.
The only difference between a roaming profile and a mandatory profile is that the changes are never copied back up to the server when the user logs off. The user can still make changes to the local profile. However, because these changes aren't saved to the server, the next time the user logs on, the mandatory profile will be copied from the server down to the client, overwriting any changes the user may have made.
There are three primary steps involved in creating a mandatory user profile:
- Create a profile with the desired settings on a Windows 7 system. Copy it to a network share.
- Rename ntuser.dat to ntuser.man. This is a hidden system file, so you'll need to modify the Windows Explorer view to show hidden files and show system files. The steps to do this are listed in the "Understanding User Profiles" section in this tutorial.
- Configure accounts to use the mandatory roaming user profile. This is similar to "Implementing Roaming Profiles", which showed how to create a roaming user profile, except the %username% variable isn't used. Instead, all users will use the UNC path of \\ServerName\ShareName.
Note: You can set the profile path for multiple users at the same time in Active Directory Users and Computers. Use either the Shift key or the Ctrl key to select multiple user accounts. After you've selected all of the accounts, right-click one of them, select Properties, and then select the Profile tab.
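Steps 2 and 3 can also be scripted. The following PowerShell is an added example, not part of the original tutorial. It assumes the ActiveDirectory module (from the Remote Server Administration Tools) is available, and `OU=Sales,DC=example,DC=com` is a hypothetical OU; `\\ServerName\ShareName` is the placeholder path used above.

```powershell
# Added example, not from the tutorial. Run from an administrative PowerShell session.
Import-Module ActiveDirectory

$ProfileShare = '\\ServerName\ShareName'        # placeholder UNC path from step 3
$TargetOU     = 'OU=Sales,DC=example,DC=com'    # hypothetical OU holding the accounts

# Step 2: rename ntuser.dat to ntuser.man.
# -Force is required because ntuser.dat is a hidden system file.
$dat = Join-Path $ProfileShare 'ntuser.dat'
$man = Join-Path $ProfileShare 'ntuser.man'
if (Test-Path -Path $dat) {
    Rename-Item -Path $dat -NewName 'ntuser.man' -Force
}
if (-not (Test-Path -Path $man)) {
    throw "ntuser.man not found in $ProfileShare; the profile is not mandatory yet."
}

# Check: list NTFS entries that allow writing to the profile folder.
# Anyone listed here can alter the profile every user receives, so the
# output should contain administrators only. Share-level permissions are
# separate and are not covered by this check.
$write = [System.Security.AccessControl.FileSystemRights]::Write
(Get-Acl -Path $ProfileShare).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $write) -ne 0)
    } |
    Select-Object IdentityReference, FileSystemRights

# Step 3: point every account in the OU at the same profile path.
# No %username% here: all users share one mandatory profile.
# -WhatIf only previews the change; remove it to apply.
Get-ADUser -Filter * -SearchBase $TargetOU |
    Set-ADUser -ProfilePath $ProfileShare -WhatIf

# Confirm the result after applying.
Get-ADUser -Filter * -SearchBase $TargetOU -Properties ProfilePath |
    Select-Object SamAccountName, ProfilePath
```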