
Mandatory Profiles in Win7 / S2008 R2 College Environment


  • Mandatory Profiles in Win7 / S2008 R2 College Environment

    Greetings, all.

    I'm a computer technician at a local college in California, US. For 8 years now, I have been using network-based Mandatory Profiles in Windows XP and Windows Vista to create multiple homogeneous environments for my computer labs (specific printer configs, backgrounds, shortcuts, screen savers, etc.). This semester we're making a large transition to Windows 7, and the 'quick way' of making a local profile into a network-based mandatory profile has changed.

    Allegedly, MS is saying you need to create a local administrator, configure the settings the way you want the profile to look, run sysprep.exe as that administrator, throw in an XML file to add a <CopyProfile> command which ONLY runs in sysprep, causing the configured administrative profile to become the new Default User profile, which then can be copied to a network share. See Microsoft KB 973289. (link disabled cause I am a newb)

    This sounds like, and verified by my experience so far, a great deal more complicated than it should be. I'm looking for a way to accomplish what I've been doing for 8 years in previous operating systems as efficiently as possible in Windows 7. Here's some more information:

    * WDS - Windows Server 2008 R2 with latest Windows AIK installed
    * File Server - Windows Server 2003 R2
    * AD - Native Windows Server 2003 R2
    * I have VERY limited experience in creating scripts
    * I am NOT a Domain Admin, and don't have full access to upper level domain functions
    * I have tried a workaround posted in another forum using Windows Enabler v1.1 to unsuccessfully copy a profile to a network share and see if I can access it.
    * I have not yet checked other threads related to answers, and will do that next. If another thread has an answer, kindly link me to it.

    Any help or guidance on this issue is GREATLY appreciated.

    Thanks, in advance.

  • #2
    Re: Mandatory Profiles in Win7 / S2008 R2 College Environment

    I think that MS article is pretty much the same as it was in 2003.
    The only difference in there is the .V2 extension, which is obligatory as user profiles post-Vista have that.
    The other additional info in that is the sysprep section but you had to do that in 2003 as well just a bit different.
    I don't think you need Domain admin credential if your rights and permissions have been delegated properly.
    I can't see any additional steps. What exactly is bothering you?
    Caesar's cipher - 3




    • #3
      Re: Mandatory Profiles in Win7 / S2008 R2 College Environment

      Thanks for the prompt response, L4ndy.

      I suppose that I could add some clarity to my previous post. I used Mandatory profiles as a quick and efficient way of controlling the desktop environments in multiple computer labs configured with Windows XP and Windows Vista. In those OS's, I was able to Right Click on Computer > Properties > Advanced > User Profiles > Settings. Logged in as myself (NTFS permissions to add / modify from file server) I was able to click "Copy To" and specify the Share name and permission to use the folder for whichever user needed it (I based those off of which lab login it was for).

      A quick change on the extension from ntuser.dat to and my profiles were ready to go. If I needed additional help in changing the Profile tab on the AD account for the User, I had access to a Domain Admin to do that for me, but for the most part, anything in my OU was delegated to my abilities.

      The problem then is that the above method doesn't work the same in Windows 7. The KB article referenced takes me through a great many more steps - using Windows SIM to make an XML file (adding the Windows-Setup-Shell to "pass 4 specialize" to make <CopyProfile> appear, for example), creating a local admin that has network based shares and configurations, then zeroing out all personal information via Sysprep.exe /oobe /generalize /reboot /unattend:c:\image\Profile.xml (see below)

      <?xml version="1.0" encoding="utf-8" ?>
      <unattend xmlns="urn:schemas-microsoft-com:unattend">
        <settings pass="specialize">
          <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="website I can't put in because I'm a newb" xmlns:xsi="website I can't put in because I'm a newb">
            <RegisteredOrganization>State Center Community College District</RegisteredOrganization>
          </component>
        </settings>
        <cpi:offlineImage cpi:source="wim:d:/wds/ac1-120-su10.wim#AC1-120 - SU10 Configuration - 060410" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
      </unattend>
      ... it all seems very tedious. Not to mention when I mix the above XML file into the mix, it causes Sysprep to kill my install and configuration. I'm used to profiles not uploading correctly, or having to restart to make sure that an ntuser.dat file isn't in memory from being recently logged in, but this is an entirely different animal.

      I'm not familiar with XML at all. Windows SIM only gave me 11 notifications that specific areas of the Windows-Setup-Shell component were not going to be added to the file because they weren't edited - but said nothing about it being written incorrectly. It was frustrating to keep losing my configurations every time I needed to tweak a stupid XML file.

      Has anybody had experience getting this procedure to work? Perhaps had similar difficulties in this process that got worked out? I'll even go for alternative ideas to mandatory profiles at this point (which is why I mentioned not being a Domain Admin or knowing about writing login-specific VBScripts and so on).

      Thanks again for the assistance.

      P.S. - I have an added bonus later on of making the same user login have BOTH a Windows Vista *and* Windows 7 Profile. Will tackle that particular problem once I get a Windows 7 mandatory working and online.


      • #4
        Re: Mandatory Profiles in Win7 / S2008 R2 College Environment


        Did you figure this out? I'm having the same issue trying to get it to work on a Win 2008 R2 server.


        • #5
          Re: Mandatory Profiles in Win7 / S2008 R2 College Environment

          Hey there NetMGR1006. No solutions, no responses.

          I'd decided to try to investigate around and see if I could try a few other paths. I've had limited success with this method, but am still open to help myself. See if this will work for you; in lieu of using mandatory profiles, I think I can get my environment to work "right" with a default user profile that is identical across all logins on a per image basis. I called up some coworkers on a different campus and they told me that this is a 'known issue' and an 'unpublished Microsoft bug' and this workaround helps them out.

          1. Log in as a local administrator account (don't use a network account that has local rights, I hear this messes with the ntuser.dat file). From here on we'll call this the Profile Account.
          2. Configure this profile the way you want it to look / behave, including (but not limited to) default printer, wallpaper, screensaver, desktop icons, etc.
          3. Log out, log in as other local administrator (this could be your network account, for example)
          4. Open a folder and make sure you can view hidden / system files, extensions, etc. As an admin I always like to do that anyhow, even if the profile I'm configuring can't see all the goodies.
          5. Browse to C:\Users\
          6. Change the ownership on your Profile Account folder to the Administrators group. Change the permissions on the Profile Account folder to "Everyone/Full Control" (Note: as you can probably tell, this is going to reset all the NTFS permissions on the Profile Account locally, but this shouldn't be a security concern.)
          7. Rename the hidden system folder "Default" to something like "Default.old". This should make it so that your current default user profile does not exist.
          8. Rename your Profile Account folder to "Default" and hide it, applying similar attributes to it. This should make it so that you have manually replaced the Default User Profile with your new 'Configured' profile. You can check on this boot by logging in as the network user you wanted to assign the profile to. Make sure that their AD account has a blank profile path, of course.
          9. Create a new image using the sysprep command listed earlier in this thread, minus the /unattend switch. Deploy as normal and HOPEFULLY, it will work.

          I've had a few aberrations when I do these steps with each build, once I forgot to change the screensaver and the wallpaper didn't stick, the other time the desktop icons were all missing... and I perform the steps the same each time. If you're in a situation where you have the ability to try out the above steps and get back to me about what you find, please, please do. I'm not getting a whole bunch of support here otherwise.

          Thanks in advance, and best wishes.


          • #6
            Re: Mandatory Profiles in Win7 / S2008 R2 College Environment

            I've been working on this for some time now and I think I've got it pretty well nailed down. I'll post my steps and if you have questions, feel free to ask. To clarify: I'm using 2008 R2 with HP Thin Clients running RDP 7.0. Remote Desktop Services has been installed on Server 2008 R2 - as well as the Print Management. Desktop Experience is enabled through Remote Desktop and all Hidden Files and Folders are on.
            1. Create a standard user (i.e. User1) - I was creating this user and changing them to an administrator account - making changes to the profile - logging off and changing back to a regular user and I noticed I was getting some strange irregularities. I chose to NOT change the user to an admin account and it took care of a lot of the problems I was having.
            2. Add user to Remote Desktop Users
            3. Install all the programs you want to run (MS Office, Mozilla, Adobe) on the Server 2008 R2 going to Control Panel - Programs - Install Applications on Remote Desktop Server
            4. Log on as the User1
            5. Make all the changes you want. Background color, run through all the programs - Internet Explorer - Mozilla - Office - and get the profile set up the way you want. I go through and turn off all the automatic updates - just so they won't pester people.
            6. Make any changes to the Start Menu.
            7. Remove any unnecessary icons or programs
              • All Desktop Shortcuts should be located in the Public Desktop in the c:\users folder
              • This does not include the Computer icon
            8. Log off the user and log on as the Administrator
            Ok this is where it gets fun (tricky). If you want a reference point for this information, I got this directly from Minasi's book on Mastering Server 2008 R2. It's a really good fix for the lack of copyprofile and the geriatric sysprep that MS wants you to do.
            1. Check the Default user has no icons on the Default Profile Desktop
            2. Manually copy the User1 folder to the 2008 R2 Desktop
            3. Rename to Mandatory.V2 (the V2 makes it mandatory)
            4. Go into Mandatory.V2 and delete from AppData Folder
              • Local
              • LocalLow
            5. Copy back into the Users folder
            6. Run - regedit - HKEY_USERS
            7. File - load hive
            8. Navigate to the Mandatory.V2 folder and select the ntuser.DAT file
            9. Name it whatever you want - I usually just say MAN or something
            10. Right-click on the profile you loaded and select Permissions
              • Drop permissions and remove completely the original user/creator which should be User1
              • Give permissions to User group - Full permissions
              • Full permissions for Administrators
            11. Unload hive and all keys
            12. Go to the mandatory profile in the Users folder
            13. Confirm additional Folder permissions
              • Administrators: Full
              • System: Full
              • Users: Read & Execute
            14. Change ntuser.DAT to ntuser.MAN by renaming
            Ok - that's the initial creation!
            Create as many users as you want and log them on once to create the .DAT file in their folder. Then - you can go through the Remote Desktop Server Manager and right click on each user - Properties - and enter the profile path under the Remote Desktop Services Profile.
            If you don't log them in at least once, no .DAT file will be created and you won't be able to update their profile.

            When you want to update the profile - change out one user - log on as that user and make the changes - and then repeat the steps above. It's definitely a long process - makes me miss the copyprofile feature that basically did all that above.

            Hope this helps!
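
The second half of the procedure in the post above (copy, hive permissions, folder permissions, rename), scripted in PowerShell as an added example; it is not the poster's code or taken from the book the poster cites. User1, Mandatory.V2 and the hive name MAN come from the post; treating User1 as a local account and the exact paths under C:\Users are assumptions.

```powershell
# Added example (not the poster's code). Run elevated on the server while User1 is logged off.
# Assumed: User1 is a local account; profile folders live directly under C:\Users.
$Source = 'C:\Users\User1'
$Target = 'C:\Users\Mandatory.V2'
$Hive   = 'MAN'
$Owner  = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\User1")

# Steps 2-5: copy the profile without AppData\Local and AppData\LocalLow.
# /XJ skips the legacy junctions inside a profile so the copy cannot loop.
robocopy $Source $Target /E /XJ /R:1 /W:1 /XD "$Source\AppData\Local" "$Source\AppData\LocalLow" | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Steps 6-9: load the copied hive under HKEY_USERS.
reg.exe load "HKU\$Hive" "$Target\NTUSER.DAT" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (is the source user still logged on?)' }

try {
    # Step 10: drop the creator's entries, then grant Users and Administrators Full Control.
    $keyPath = "Registry::HKEY_USERS\$Hive"
    $acl = Get-Acl -Path $keyPath
    $acl.PurgeAccessRules($Owner)
    foreach ($group in 'BUILTIN\Users', 'BUILTIN\Administrators') {
        $ruleArgs = $group, 'FullControl', 'ContainerInherit', 'None', 'Allow'
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
        $acl.SetAccessRule($rule)
    }
    Set-Acl -Path $keyPath -AclObject $acl
}
finally {
    # Step 11: release PowerShell's handles on the key, otherwise the unload is refused.
    $acl = $null
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    reg.exe unload "HKU\$Hive" | Out-Null
}
if ($LASTEXITCODE -ne 0) { throw 'reg unload failed; the hive is still loaded' }

# Steps 12-13: folder ACL of Administrators Full, SYSTEM Full, Users Read & Execute.
icacls $Target /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'Users:(OI)(CI)RX' | Out-Null
icacls "$Target\*" /reset /T /C /Q | Out-Null   # children inherit only the three entries above

# Step 14: NTUSER.DAT is hidden+system, so rename it through .NET rather than the shell.
[System.IO.File]::Move("$Target\NTUSER.DAT", "$Target\NTUSER.MAN")
```

The registry ACL change is made on the hive's root key only, which matches what the Permissions dialog in regedit does unless child permissions are explicitly replaced.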


            • #7
              Re: Mandatory Profiles in Win7 / S2008 R2 College Environment

              Thanks for the information, clarice451.

              While the scenario I'm after is slightly different from yours, I think that there is a lot of information that I can glean from your efforts.

              Somewhat coincidentally, I did find out about keeping all my icons in the C:\Users\Public\Public Desktop folder. Works great for my situation, as the computers I am deploying require a set of icons and programs. I think what you were describing applies more to thin clients getting a set list of items from a server when a client logs in.

              Interestingly, this was the first time that it occurred to me to try and put the User.V2 mandatory profile on a W2K8 server instead of a W2K3 server (my file server is running an older version of Windows than my deployment server, so moving the V2 Profile may help).

              This is probably a bit of a tangent, but I've tried a couple methods and think that there must be something related to the date and time stamping of the Default User Profile in relation to the login attempt of the account you're associating it with. Whenever I change the local C:\Users\Default folder to a newer version, the SID information associated with that account is gone as well. Any previously logged in accounts may have difficulties with your new Default User profile, unable to access the older information that was renamed, and give you a temporary network profile instead.

              I'm not totally sure I have it right, but with my clock almost out of time, I have to focus on getting my 433 computers all ready to go by August 16th. Hooray for 55+ hour weeks, huh?


              • #8
                Re: Mandatory Profiles in Win7 / S2008 R2 College Environment

                You're welcome. I'm glad the info I passed your way was maybe able to help.

                In response to the tangent: I've read numerous times that you shouldn't mess around with the default profile. :\ It can cause weird things to happen. My users log in to the default profile the first time only, to create the .DAT file - a generic .DAT file, and then they never see it again. Everything is controlled through the Remote Desktop Service Profile.
                Otherwise, if you make changes to the default profile after a user has already logged in and created their profile - and then made changes to their profile - anything you do to the default might cause... errors... that's not the word I'm looking for, inconsistencies. Maybe. Like, if some user (and you're using local or roaming profiles, not mandatory) sets the default templates on Word or adds a favorite in IE or changes the desktop color - and then you change the template for the default - that change might try to impose itself on the user profile.
                If you are using the default profile to control users - I would recommend not. You can really only use the default for that initial, one time user creation.

                At least, as far as I am aware. If you, or someone else knows differently, please correct me.
                The default creates the initial .DAT. A secondary profile that you create, and change, update, modify, controls everything else.

                -Oh, and about the .V2 on 2003, I dunno. Only 2008 R2. I think the change to .V2 only occurred with the 2008 and 2008 R2 releases.