Deployment of mandatory user profiles

Guest

I've been deploying a mandatory user profile successfully for years, but due
to some management problems of the machines and profile, I'm revisiting the
entire issue.

WHAT WORKED FOR YEARS:
Create and configure a profile on a local machine, then copy all of it to
the corresponding folder within a "profiles" share. Change ntuser.dat to
ntuser.man on the server copy. (The share has read only permissions by the
user.) When a user logs on, the profile is downloaded. He can make changes to
his local profile, but the next time someone logs in with that profile, it is
refreshed from the server copy. When admins want to make a change to the
profile, they log in as the user, make the changes, log out, log in as an
admin, and push the entire profile (the local cached copy) up to the server.

WHAT WENT WRONG:
At some point a couple months ago, purportedly after some MS patches (but
that may have nothing to do with it), the ntuser.man file could not be copied
by a logged-in admin from the local copy to the server ('file busy').

CURRENT INVESTIGATIONS:
I've created a throwaway account to get a better understanding of all the
processes involved. Although I don't ultimately want a roaming profile (I
want a mandatory one), my thought was to set up a roaming profile initially,
then eventually change it to mandatory. According to the MS docs I've read, I am
to allow Read only access to Authenticated Users. After logging in for the
first time as the user, a local profile was created, but on logout, it was not
uploaded to the server, most certainly due to a lack of permissions. After
manually moving the profile up to the server (as an admin), and creating a
desktop folder on the server copy, then logging on as the user, the new
folder does appear on the local machine. Another desktop folder I'd created
locally as the user also remained. So it appears that the profile is a
combination of what is on the server with the local cached copy.

I could of course give the user write access to the server profile; that
should make it roaming as expected (although I've never seen any documents
saying to give the user write access to the server copy).

I realize I can, at this point, change ntuser.dat to .man on the server, and
upon the next login, the server profile will be forced to download to the
client (barring network failure), and presumably any changes made to the
local cached copy will be neutralized (as they have successfully for years
here). I would also have to remove write access by the user to the server
copy, otherwise, even though the profile may be properly managed by Windows
(pushed down, overwriting the local copy), a user could make changes (adding
or removing folders, etc.) to the server copy by mounting that share.

So, that's a lot of preface. The most important question I have is: is the
way of manually moving a local copy of the user's profile up to the server by
an admin, when periodic changes to the profile are desired, a reasonable
approach, and does the local copy of ntuser.man need to be uploaded as well
(I think it does)? What if I get a 'file busy' message?

I realize that MS recommends using Group Policy to manage roaming profiles
over using mandatory profiles, and when I am able to document every relevant
registry setting, I hope to go that route, but for now, I want to know
anything additional useful about mandatory profile updating.
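The hand procedure described in this post (copy the staged profile to the share, rename ntuser.dat to ntuser.man, leave users with Read only) as an added PowerShell example; this is not code from the thread. The staging folder C:\ProfileStaging\template, the share \\FS01\profiles$\mandatory and the group CONTOSO\Domain Admins are placeholders, and the script assumes the template account has already been logged off and that robocopy and icacls are available (Vista/2008 and later, or the resource kit on older systems).

```powershell
# Added example: publish a locally prepared profile as a mandatory profile.
# Run as a member of $AdminGroup on the machine holding the staged copy.
param(
    [string]$Source      = 'C:\ProfileStaging\template',   # assumed path
    [string]$Destination = '\\FS01\profiles$\mandatory',    # assumed path
    [string]$AdminGroup  = 'CONTOSO\Domain Admins'          # assumed group
)

function Test-HiveLocked {
    # Open the hive for exclusive access. A hive that is still loaded, or still
    # held by an unclosed handle on the file server, fails this open with the
    # same sharing violation that shows up as 'file busy' when copying.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    }
}

$srcHive = Join-Path $Source 'ntuser.dat'
if (-not (Test-Path -LiteralPath $srcHive)) {
    throw "No ntuser.dat under $Source; is that the cached profile folder?"
}
if (Test-HiveLocked $srcHive) {
    throw "$srcHive is still open: log the template account off and unload any copy mounted with regedit/reg.exe."
}
$dstHive = Join-Path $Destination 'ntuser.man'
if (Test-HiveLocked $dstHive) {
    throw "$dstHive is open on the file server; run 'net file' there and close the handle before pushing."
}

# Mirror the staged folder to the share. /MIR removes files left over from the
# previous version; /XJ skips junctions so a profile is not walked twice.
# Robocopy exit codes below 8 all mean success.
robocopy $Source $Destination /MIR /COPY:DAT /XJ /R:2 /W:2 /NFL /NDL /NJH /NJS | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# The rename is what makes the profile mandatory: at logon Windows looks for
# ntuser.man and, when it finds one, discards the user's local changes at
# logoff instead of writing them back to the share.
Rename-Item -LiteralPath (Join-Path $Destination 'ntuser.dat') -NewName 'ntuser.man' -Force
Get-ChildItem -LiteralPath $Destination -Filter 'ntuser.dat.LOG*' -Force | Remove-Item -Force

# Users get Read only, as the post requires, so nobody can alter the server
# copy by mounting the share; the admin group keeps Full Control so it can
# push the next update. Inheritance is removed so the parent share's ACL
# cannot add write access by accident.
icacls $Destination /inheritance:r /grant:r "Authenticated Users:(OI)(CI)RX" "${AdminGroup}:(OI)(CI)F" "SYSTEM:(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

Write-Host "Mandatory profile published to $Destination"
```

The two lock checks are the practical answer to the 'file busy' question: if the staged ntuser.dat cannot be opened exclusively, the template session has not fully unloaded the hive; if the server's ntuser.man cannot, something on the file server still holds it and the push should wait until that handle is closed.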
 
Guest

It sounds like the .dat file isn't being closed properly. I meet this
frequently when creating default profiles on local disks, so it's not an
isolated issue.

Typing NET FILES at the server console should tell you if this is the case.
If so, forcing a disconnect of the user may clear the lock on the file.
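The 'NET FILES' check this reply suggests, scripted as an added example (not code from the thread) that lists and optionally closes server-side handles on the profile hive. It is meant to run on the file server; Get-SmbOpenFile and Close-SmbOpenFile exist on Windows Server 2012 and later, and the parser for net file output is the fallback for older servers. The path pattern is an assumption.

```powershell
# Added example: find (and with -Close, release) open handles on a profile hive.
param(
    [string]$Pattern = '*\ntuser.man',   # assumed; use '*\ntuser.dat' for roaming profiles
    [switch]$Close
)

function Get-OpenProfileHandle {
    param([string]$Pattern)
    if (Get-Command Get-SmbOpenFile -ErrorAction SilentlyContinue) {
        Get-SmbOpenFile | Where-Object { $_.Path -like $Pattern } | ForEach-Object {
            [pscustomobject]@{ Id = $_.FileId; Path = $_.Path; User = $_.ClientUserName; Locks = $null; Source = 'smb' }
        }
    } else {
        # 'net file' prints: ID, Path, User name, # Locks. The path is matched
        # lazily so paths with spaces still parse; user names are assumed to
        # contain no spaces. Header and separator lines do not match.
        net file | ForEach-Object {
            if ($_ -match '^\s*(\d+)\s+(.+?)\s+(\S+)\s+(\d+)\s*$') {
                [pscustomobject]@{ Id = [int]$Matches[1]; Path = $Matches[2]; User = $Matches[3]; Locks = [int]$Matches[4]; Source = 'netfile' }
            }
        } | Where-Object { $_.Path -like $Pattern }
    }
}

$handles = @(Get-OpenProfileHandle -Pattern $Pattern)
if ($handles.Count -eq 0) {
    Write-Host "No open handles match $Pattern; the 'file busy' error is not a server-side lock."
    return
}
$handles | Format-Table Id, User, Path, Locks -AutoSize

if ($Close) {
    foreach ($h in $handles) {
        # Closing a handle while the owning session is still writing can leave
        # the hive inconsistent, so make sure that user is logged off first.
        if ($h.Source -eq 'smb') { Close-SmbOpenFile -FileId $h.Id -Force }
        else { net file $h.Id /close | Out-Null }
        Write-Host "Closed handle $($h.Id) held by $($h.User) on $($h.Path)"
    }
}
```

Run it without -Close first: an empty result means the copy is failing for some other reason (for instance a hive still loaded on the client), not because the server is holding the file.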
 
Guest

I'll try the command you mention, but the problem we encountered was with the
ntuser.man file -- i.e., it had long been renamed from ntuser.dat. Thanks.
 
SchoolTech

Bob said:
I've been deploying a mandatory user profile successfully for years, but due
to some management problems of the machines and profile, I'm revisiting the
entire issue.

WHAT WORKED FOR YEARS:
Create and configure a profile on a local machine, then copy all of it to
the corresponding folder within a "profiles" share. Change ntuser.dat to
ntuser.man on the server copy. (The share has read only permissions by the
user.) When a user logs on, the profile is downloaded. He can make changes to
his local profile, but the next time someone logs in with that profile, it is
refreshed from the server copy. When admins want to make a change to the
profile, they log in as the user, make the changes, log out, log in as an
admin, and push the entire profile (the local cached copy) up to the server.

The permissions minimum on the profile folder must be Read for the
Everyone group. If these are not correctly set you will find GPOs will
not work when a user logs in for the mandatory profile.

I realize that MS recommends using Group Policy to manage roaming profiles
over using mandatory profiles, and when I am able to document every relevant
registry setting, I hope to go that route, but for now, I want to know
anything additional useful about mandatory profile updating.

What MS haven't addressed at all is that a mandatory profile is a single
shared profile. We have about 300 users all sharing the single mandatory
profile. It saves a lot of upload time and server disk space if we don't
have to support roaming profiles for every user.

For this reason you will find mandatory profiles are still supported
even in Windows Vista.
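The single-shared-profile setup SchoolTech describes, as an added example (not code from the thread): every member of one group gets the same profile path in Active Directory, and the folder's ACL is printed so the Read-for-Everyone minimum can be confirmed. It assumes the ActiveDirectory module from RSAT, a group named Lab-Users and the folder \\FS01\profiles$\mandatory; all of these are placeholders.

```powershell
# Added example: point a whole group at one mandatory profile folder.
Import-Module ActiveDirectory

$ProfilePath = '\\FS01\profiles$\mandatory'   # assumed share path
$Group       = 'Lab-Users'                    # assumed group

# The bare folder is what XP uses. Vista and later look for a versioned
# sibling (for example \\FS01\profiles$\mandatory.V2), so keep that folder
# next to this one when both client generations share the profile.
$members = Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.SamAccountName -Properties ProfilePath
    if ($u.ProfilePath -ne $ProfilePath) {
        Set-ADUser -Identity $u -ProfilePath $ProfilePath
        Write-Host "$($u.SamAccountName): '$($u.ProfilePath)' -> '$ProfilePath'"
    }
}

# Show the effective ACL on the folder. Ordinary users should appear with
# Read/ReadAndExecute only; any Modify or FullControl entry for a user
# group means they could edit the server copy by mounting the share.
(Get-Acl -LiteralPath $ProfilePath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Because all 300 users read the same folder, one wrong ACE on it is a shared risk: an inherited Modify entry from the parent share would let any of them change the profile everyone else loads at next logon.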
 
Guest

I'm continuing to look into the ins and outs of mandatory profiles. On another domain
(W2K3 server), I created an account initially with no profile path. On an XP
box joined to the domain, I logged in and then off. With an account with
local admin rights and full control rights to the profile share, I logged in
and under Profiles (in the XP interface), I used the Copy To feature to move
the profile to a folder on a share I created for it. The account has full
control over it. Then I add this profile path to the account (in Active
Directory). Now I have a Roaming profile. I make changes, log off and in, and
it seems to be OK. I log off, and in the server profile, change ntuser.dat to
ntuser.man.

I logged on, deleted a folder, created a new one, and changed the desktop
background. Logged off and on, neither the folder deletion nor creation held,
as expected, however I got a generic blue background (a Desktop Background of
"(None)"). Logged off. Renamed Ntuser.man to Ntuser.dat on the server. Logged
in. Tried to change the Desktop Background to a pattern, but the changes
won't apply. Odd. I then discovered that under (XP) User Profiles, the
account was still Mandatory/Mandatory, even despite the Ntuser.dat filename
rename on the share profile. I then logged onto XP as an admin, and could not
change the profile type, so I deleted it. Logged off and then on as the user
account. Still have a blue bg. The profile is now Roaming/Roaming, and the
earlier Desktop Pattern is now selected, but it is not showing (just a blue
background). I click OK, and it appears. Log off. Rename to ntuser.man. Log
in. Make changes. Changes don't stick; bg remains the same (good). Make
changes. Log off. Log in as an admin. Copy profile to the server. Log off and
on as the account. I get a blue bg. The last Desktop background is remembered
(selected), but not in effect. I click OK and it shows up. I make a couple of
changes (rename a folder and change the desktop bg), log off, and in again.
The folder name does not stick (good), but the background is not set. I
cannot figure out why the background is not sticking. On another system, I
created a custom graphic to serve as the background, and that worked for
many years with a mandatory profile. I cannot figure out why the XP
backgrounds are not being applied, even though the pattern is remembered
(selected).
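The 'still Mandatory after renaming ntuser.man back to ntuser.dat' observation above can be inspected on the client: the profile type is recorded in the machine's ProfileList registry key when the profile is cached, which is what the User Profiles dialog displays. This added example (not code from the thread) lists each cached profile with its State flags decoded. The flag meanings are taken from Microsoft's documented ProfileList State values as I recall them (0x1 mandatory, 0x2 use cached copy, 0x800 temporary profile, and so on); treat that table as an assumption to check against the reference, not as something the thread establishes.

```powershell
# Added example: decode the cached-profile state on the local machine.
# Flag values are assumed from the documented ProfileList State bits.
$flags = @{
    0x0001 = 'Mandatory'; 0x0002 = 'UseCache';   0x0004 = 'NewLocal'
    0x0008 = 'NewCentral'; 0x0010 = 'UpdateCentral'; 0x0020 = 'DeleteCache'
    0x0040 = 'Upgrade';   0x0080 = 'Guest';      0x0100 = 'Admin'
    0x0400 = 'SlowLink';  0x0800 = 'Temporary'
}

function Get-CachedProfile {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $root | ForEach-Object {
        $p     = Get-ItemProperty -Path $_.PSPath
        $state = [int]$p.State
        $names = $flags.Keys | Sort-Object |
            Where-Object { $state -band $_ } | ForEach-Object { $flags[$_] }
        [pscustomobject]@{
            Sid     = $_.PSChildName
            Local   = $p.ProfileImagePath
            Central = $p.CentralProfile      # the share path, when roaming/mandatory
            State   = ('0x{0:X4}' -f $state)
            Flags   = ($names -join ',')
        }
    }
}

# A profile that still carries 'Mandatory' here after the server-side rename
# is the condition the post describes; deleting the cached profile (as the
# post ended up doing) removes this entry so the next logon re-evaluates the share.
Get-CachedProfile | Format-Table -AutoSize
```

Read the State column together with Central: if Central points at the share and Flags still contains Mandatory after the server copy was renamed to ntuser.dat, the client is acting on its cached record rather than on the current file name, which matches what the post saw until the local profile was deleted.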
 
