Guest
I've been deploying a mandatory user profile successfully for years, but due
to some management problems of the machines and profile, I'm revisiting the
entire issue.
WHAT WORKED FOR YEARS:
Create and configure a profile on a local machine, then copy all of it to
the corresponding folder within a "profiles" share. Change ntuser.dat to
ntuser.man on the server copy. (The share has read only permissions by the
user.) When a user logs on, the profile is downloaded. He can make changes to
his local profile, but the next time someone logs in with that profile, it is
refreshed from the server copy. When admins want to make a change to the
profile, they log in as the user, make the changes, log out, log in as an
admin, and push the entire profile (the local cached copy) up to the server.
WHAT WENT WRONG:
At some point a couple months ago, purportedly after some MS patches (but
that may have nothing to do with it), the ntuser.man file could not be copied
by a logged in admin from the local copy to the server ('file busy').
CURRENT INVESTIGATIONS:
I've created a throwaway account to get a better understanding of all the
processes involved. Although I don't ultimately want a roaming profile (I
want a mandatory one), my thought was to set up a roaming profile initially,
then eventually change it to mandatory. Acc. to the MS docs I've read, I am
to allow Read only access to Authenticated Users. After logging in for the
first time as the user, a local profile was created, but on logout, it was not
uploaded to the server, most certainly due to a lack of permissions. After
manually moving the profile up to the server (as an admin), and creating a
desktop folder on the server copy, then logging on as the user, the new
folder does appear on the local machine. Another desktop folder I'd created
locally as the user also remained. So it appears that the profile is a
combination of what is on the server with the local cached copy.
I could of course give the user write access to the server profile; that
should make it roaming as expected (although I've never seen any documents
saying to give the user write access to the server copy).
I realize I can, at this point, change ntuser.dat to .man on the server, and
upon the next login, the server profile will be forced to download to the
client (barring network failure), and presumably any changes made to the
local cached copy will be neutralized (as they have successfully for years
here). I would also have to remove write access by the user to the server
copy, otherwise, even though the profile may be properly managed by Windows
(pushed down, overwriting the local copy), a user could make changes (adding
or removing folders, etc.) to the server copy by mounting that share.
So, that's a lot of preface. The most important question I have is: is the
way of manually moving a local copy of the user's profile up to the server by
an admin, when periodic changes to the profile are desired, a reasonable
approach, and does the local copy of ntuser.man need to be uploaded as well
(I think it does)? What if I get a 'file busy' message?
I realize that MS recommends using Group Policy to manage roaming profiles
over using mandatory profiles, and when I am able to document every relevant
registry setting, I hope to go that route, but for now, I want to know
anything additional useful about mandatory profile updating.
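
An audit of the server copy described in the post, as an added example that is not part of the original post: it checks that the profile folder holds ntuser.man rather than ntuser.dat and that no principal outside an allow-list can modify it. The default path and the allowed-writer list are assumptions to adjust.

```powershell
# Added example: audit one mandatory-profile folder on the server.
# The default path and the allowed-writer list are assumptions; adjust both.
param(
    [string]$ProfilePath = '\\server\profiles\example.user',   # hypothetical path
    [string[]]$AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

function Test-MandatoryProfile {
    param([string]$Path, [string[]]$AllowedWriters)

    $findings = @()

    # The server copy must carry ntuser.man; a leftover ntuser.dat means
    # the rename was skipped.
    if (-not (Test-Path -LiteralPath (Join-Path $Path 'ntuser.man'))) {
        $findings += 'ntuser.man is missing'
    }
    if (Test-Path -LiteralPath (Join-Path $Path 'ntuser.dat')) {
        $findings += 'ntuser.dat is present on the server copy'
    }

    # Rights that let a principal alter the server copy, plus the raw
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that
    # inherit-only ACEs can carry instead of named FileSystemRights.
    $named = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask  = [int]$named -bor 0x50000000

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($AllowedWriters -contains $who) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -ne 0) {
            $findings += "write-capable ACE for $who ($($ace.FileSystemRights))"
        }
    }
    return $findings
}

# @() keeps the result an array even when there are zero or one findings.
$result = @(Test-MandatoryProfile -Path $ProfilePath -AllowedWriters $AllowedWriters)
if ($result.Count -eq 0) { 'OK: ntuser.man present, no unexpected write access' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Get-Acl reads only the NTFS ACL; share-level permissions are a separate layer and are checked on the file server itself, for example with Get-SmbShareAccess.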