Windows Server 2012 R2 Mandatory Profile Help

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Windows Server 2012 R2 Mandatory Profile Help

    I am volunteering for a school to replace their existing computer lab, which is Windows XP, with the new computer lab running Windows Server 2008 R2. Their current solution does not allow the user to make changes to their Desktop or computer settings and they would like to keep it this way. Their old AD structure is messed up and we are going to be starting from scratch. They have a new AD domain set up on Windows Server 2012 R2.

    I did some research on how to do this but can't seem to get it to work correctly. It appears I need to create a mandatory profile to be used for the students. To do this I followed the following guide: markswinkels.nl/2009/12/how-to-create-a-mandatory-profile-in-windows-server-2008-r2/
    Guide steps:
    How to: Create a Mandatory profile in Windows Server 2008 R2
    1.) Make a local user on the server (Windows Server 2008 R2 in my environment)
    2.) Make the user member of the local administrators group on your server
    3.) Log in with this user and customize for example the start menu
    4.) Log off and log in again with an administrator account
    5.) Create a share on your file server. For example \\SRV-RDSDC-01\TSmandatory
    6.) For share permissions choose Everyone Full Control, NTFS permissions choose Authenticated Users Read
    7.) Turn off Caching on this share
    8.) Copy the complete template folder from the C:\Users directory to the new TSmandatory share
    9.) Rename the template folder to TSmandatory.V2
    You have to add the .V2 in the name of your folder, because it’s the new profile type in Windows Server 2008 and 2008 R2!
    10.) Delete the Local and LocalLow folders from the AppData folder
    11.) The next step is to add the right permissions on the mandatory profile
    12.) Open REGEDIT and load the NTUSER.DAT hive
    13.) Right-click on the TS Mandatory profile and choose permissions
    14.) Delete the template user and add the Authenticated Users (Full Control)
    15.) Unload the NTUSER.DAT from your registry
    16.) Rename the NTUSER.DAT to NTUSER.MAN
    17.) When you configure a GPO to specify the location of the Mandatory profile, you’ve to choose the following location:
    \\SRV-RDSDC-01\TSmandatory\TSmandatory without the .V2!
    Notes:
    The only difference is on step 14 I substituted "Authenticated Users" with a custom group I created called "Folder Redirect Students".
    Step 17 wasn't clear on how to configure the GPO so I followed this guide: jasonsamuel.com/2012/12/10/how-to-create-a-windows-7-or-server-2008-r2-mandatory-profile-for-appsense/

    I skipped a couple of steps that were repeats from the first guide. I also did the GPO stuff in a custom policy I created on my Domain Controller. Again, here I replaced "Authenticated Users" with my custom group called "Folder Redirect Students". I also verified that the user I am testing is a member of this group.
    Guide steps:
    Go to Start > Run > and type gpedit.msc.
    Then navigate to:
    Local Computer Policy > Computer Configuration > Administrative Templates > System > User Profiles
    There will be 3 items we need to change to “Enabled”:
    -Delete cached copies of roaming profiles
    -Set roaming profile path for all users logging on this computer
    -Prevent Roaming Profile changes from propagating to the server
    11. For “Set roaming profile path for all users logging on this computer”, you need to put a UNC path to the share that holds your mandatory profile. So since it’s on the local server in this example, I will do: \\servername\mandatoryprofile
    Notice I did not add “.v2” at the end. Windows will automatically look for it as the users login.
    13. Now navigate to:
    Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles
    There will be 2 items we need to change to “Enabled”:
    -Use mandatory profiles on the RD Session Host server
    -Set path for Remote Desktop Services Roaming User Profile
    14. For “Set path for Remote Desktop Services Roaming User Profile”, you need to put a UNC path to the share that holds your mandatory profile just like the previous setting. \\servername\mandatoryprofile
    Notice again I did not add “.v2” at the end. Windows will automatically look for it as the users login.
    16. Now navigate to the mandatory profiles desktop and add a text file. So in this example “c:\mandatoryprofile.v2\Desktop”. I’ve created a file called “This is a mandatory profile in action.txt”.
    17. Now right click on the mandatoryprofile.v2 folder and share it out. Make sure “Everyone” has access:
    18. Now RDP into the server using any account you like. You will get the mandatory profile and you will see the text file we had created earlier on the desktop.

    Results:
    For both guides I followed, I made sure to use the same naming scheme but it didn't work. When I RDP into a PC on the Domain, the profile gets created for my user but it doesn't appear to be the mandatory profile I created. It isn't customized, and when I make a change like adding a text file to the desktop, then log off and log back in, the changes are still there. If anyone can help identify what I am doing wrong, I would appreciate the help.
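
The folder layout and permissions that the first guide's steps 6 to 17 describe can be checked in one pass with a script like the following. This is an added example, not part of the original post or of either guide; the default path is the first guide's sample value, and the parameter names and the `MandatoryAudit` hive mount name are hypothetical.

```powershell
# Added example: audit a mandatory profile folder against the guide's steps.
# Defaults are the guide's sample path; 'MandatoryAudit' is a hypothetical mount name.
param(
    [string]$GpoPath = '\\SRV-RDSDC-01\TSmandatory\TSmandatory',  # value set in the GPO (no suffix)
    [string]$Suffix  = '.V2'
)
$folder = "$GpoPath$Suffix"
$man    = Join-Path $folder 'NTUSER.MAN'
$checks = [ordered]@{}

# Steps 9 and 17: the folder carries the suffix, the GPO path does not.
$checks['Folder with suffix exists'] = Test-Path -LiteralPath $folder -PathType Container
# Step 16: NTUSER.DAT has been renamed to NTUSER.MAN.
$checks['NTUSER.MAN present'] = Test-Path -LiteralPath $man -PathType Leaf
$checks['NTUSER.DAT absent']  = -not (Test-Path -LiteralPath (Join-Path $folder 'NTUSER.DAT'))
# Step 10: AppData\Local and AppData\LocalLow were deleted.
foreach ($d in 'Local', 'LocalLow') {
    $checks["AppData\$d removed"] = -not (Test-Path -LiteralPath (Join-Path $folder "AppData\$d"))
}
$checks.GetEnumerator() | Format-Table Name, Value -AutoSize

# Step 6: NTFS permissions on the profile folder.
if ($checks['Folder with suffix exists']) {
    (Get-Acl -LiteralPath $folder).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}

# Steps 12-15: permissions on the root key of the hive.
# reg load needs an elevated session and fails while the hive is in use.
if ($checks['NTUSER.MAN present']) {
    & reg.exe load 'HKU\MandatoryAudit' $man | Out-Null
    if ($LASTEXITCODE -eq 0) {
        try {
            (Get-Acl -Path 'Registry::HKEY_USERS\MandatoryAudit').Access |
                Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
        }
        finally {
            [gc]::Collect()   # release the registry handle so the unload succeeds
            & reg.exe unload 'HKU\MandatoryAudit' | Out-Null
        }
    }
    else { Write-Warning "Could not load $man (not elevated, or hive in use)." }
}
```

The two ACL tables show which principals hold which rights on the folder and on the hive, so a substituted group can be compared against the accounts that actually log on.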