Mandatory profile-XP problem

Pat Wisch

Hello,

I really would like to find an answer to this question. I've
exhausted all the resources I have access to- Microsoft Knowledge
Base, Windows XP Resource Kit documentation, newsgroups...etc.
Microsoft wants $35 to talk to me about this, and I don't think I
should have to pay for an answer to this question.
My question is this:

I use mandatory profiles as part of how I lock down workstations in a
university computer lab. The mandatory profiles work differently with
Windows XP than they did with Windows 2000. The difference is that in
Windows XP the locally cached profile on the workstation is deleted
every time the computer is rebooted. This did not happen in Windows
2000. In Windows 2000, the locally cached profile would stay on the
workstation.
This new behavior in Windows XP is NOT desirable. If someone removes
the network cable from the workstation after a reboot, when they log
in they will get a profile based on the Default User which will not
have necessary group policy settings applied. This gives the user
access to parts of the file system we do not want them to access.

I would really like to find a way to make Windows XP NOT delete the
locally cached mandatory profile, in other words, the same behavior as
in Windows 2000. I know about the group policy setting available in
Computer Configuration\Administrative Templates\System\User Profiles
"Delete cached copies of roaming profiles". I have set that to
disabled, but apparently it doesn't work with mandatory profiles.

I know Microsoft people monitor this newsgroup, and I would really
appreciate if someone could let me know how to make the locally cached
profile not be removed at reboot.

Thanks.
Pat
 
Jetro

Pat,

You've been fighting this problem since May, right? I believe you've lost more
than $35 already.

Anyway, run 'gpresult.exe' from any XP station. Upload XP group policy
templates onto W2k servers. Ensure both local and network NTFS and share
permissions are set properly.
 
Pat Wisch

> Pat,
>
> You've been fighting this problem since May, right? I believe you've lost more
> than $35 already.
>
> Anyway, run 'gpresult.exe' from any XP station. Upload XP group policy
> templates onto W2k servers. Ensure both local and network NTFS and share
> permissions are set properly.

You're probably right about the $35, but I don't see what gpresult.exe
will do for me in relation to mandatory profiles....
My group policies are working fine, the mandatory profile is
downloading correctly from the server, everything is good except that
the locally cached profile gets deleted every time the PC is rebooted.
If I log off, the locally cached profile is still there, it only gets
removed on a reboot. This happens in XP, it didn't happen in Win2000.
In an open computer lab environment, for several reasons, it is
desirable to have the locally cached profile not be deleted at reboot.
 
Jetro

Pat,

Only you have access to the systems, you are everyone's eyes and hands in
this community. You wouldn't ask if everything worked fine. Moreover,
everyone would lose his job if setup and network worked fine, G-d forbid :)
I would emphasize gpresult in super-verbose mode using the /z key.
 
Pat Wisch

> Pat,
>
> Only you have access to the systems, you are everyone's eyes and hands in
> this community. You wouldn't ask if everything worked fine. Moreover,
> everyone would lose his job if setup and network worked fine, G-d forbid :)
> I would emphasize gpresult in super-verbose mode using the /z key.

Perhaps I'm not being clear-
I can take a freshly installed Windows XP computer, log in with a
domain user account, set the desktop to look how I want. Then I can
log in as an administrator, copy the profile of the domain user to a
server share. I then set the domain user's account in Active
Directory Users and Computers so that it will get its profile from
the server share. If I set it up to be a mandatory profile
(ntuser.man on both the server share and in the locally cached
profile) when the domain user logs in, he gets the mandatory profile.
When the computer is *rebooted* the locally cached profile is
*removed*. If the user logs in again, the mandatory profile is
downloaded just like it is supposed to. If the domain user logs off,
the locally cached profile remains. It is only removed upon reboot.
This did not happen in Windows 2000. This has nothing to do with
group policy.

There is a group policy setting- Computer Configuration\Administrative
Templates\System\User Profiles "Delete cached copies of roaming
profiles". This works fine if I set up a *roaming* profile (ntuser.dat
on the server share and in the locally cached profile). This group
policy setting has *no* effect on the mandatory profile.

I would simply like to know how to stop the locally cached mandatory
profile from being deleted upon reboot- the same behavior as in
Windows 2000. There's got to be an undocumented registry setting that
would accomplish this.

So, I really don't understand what gpresult is going to do for
me........

Cheers,
Pat
 
Jetro

Pat,
This was the real challenge!
The error is reproduced easily - just change the extension from .dat to .man
and voila! - the locally cached profile is deleted during the system boot.
Believe me or not, the solution is as easy as reproducing the error: leave
the .dat extension and implement Computer Configuration/Administrative
Templates/System/User Profiles policy "Prevent Roaming profile changes from
propagating to the server". If computer is disconnected from network, a user
can bend and rig her cached profile as she wants indeed, but everything
returns to normal after the real network logon.

Certainly it took some time parsing the userenv.log and digging the
Internet, and finally I found out a funny feature named Super-mandatory
profiles
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/mandatory_user_profiles.asp).
The article states that "Super-mandatory
user profiles are similar to normal mandatory profiles, with the exception
that users who have super-mandatory profiles cannot log on when the server
that stores the mandatory profile is unavailable." User profiles become
super-mandatory when the folder name of the profile path ends in .man. Neat,
huh? Unfortunately the feature didn't work for me when I immediately tried
it (the system just hung up after logon to the super-duper profile). I am
only guessing now that XP treats the ntuser.man file as something relevant
and marks the locally cached mandatory profile for deleting exactly as we
observe.

P.S. I hope Microsoft will forgive me for $35 :)
 
Pat Wisch

> Pat,
> This was the real challenge!
> The error is reproduced easily - just change the extension from .dat to .man
> and voila! - the locally cached profile is deleted during the system boot.
> Believe me or not, the solution is as easy as reproducing the error: leave
> the .dat extension and implement Computer Configuration/Administrative
> Templates/System/User Profiles policy "Prevent Roaming profile changes from
> propagating to the server". If computer is disconnected from network, a user
> can bend and rig her cached profile as she wants indeed, but everything
> returns to normal after the real network logon.
>
> Certainly it took some time parsing the userenv.log and digging the
> Internet, and finally I found out a funny feature named Super-mandatory
> profiles
> (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/mandatory_user_profiles.asp).
> The article states that "Super-mandatory
> user profiles are similar to normal mandatory profiles, with the exception
> that users who have super-mandatory profiles cannot log on when the server
> that stores the mandatory profile is unavailable." User profiles become
> super-mandatory when the folder name of the profile path ends in .man. Neat,
> huh? Unfortunately the feature didn't work for me when I immediately tried
> it (the system just hung up after logon to the super-duper profile). I am
> only guessing now that XP treats the ntuser.man file as something relevant
> and marks the locally cached mandatory profile for deleting exactly as we
> observe.
>
> P.S. I hope Microsoft will forgive me for $35 :)

Well, I know about the super-mandatory profiles, they worked for NT4.
Knowledge base article 307800 states that the folder name should not
contain .usr or .man extensions. There is a group policy setting that
would appear to provide the super-mandatory profile functionality
(Computer Configuration\Administrative Templates\System\User Profiles
"Log users off when roaming profile fails.")

In any case I need to use mandatory profiles, not roaming profiles.
There has got to be an undocumented registry setting that will prevent
XP from deleting the local cached mandatory profile at reboot.....
Just gotta find the person who knows what it is....
 
Jetro

Whatever. BTW, the article 307800 talks about local user accounts and
produces the same effect. Super-mandatory profile information is fresh and
updated in May 2004.
 
Pat Wisch

Thanks to Craig from one of the Microsoft XP newsgroups, I have a
partial answer....
There is a registry value called RefCount in
HKLM\software\microsoft\windows NT\currentversion\ProfileList\some-long-assed-user-SID

When the RefCount DWORD value is set to 1, the locally cached
mandatory profile remains after a reboot. The problem is that whenever
the mandatory profile user logs off, the RefCount value is set to 0.
If RefCount is 0, the locally cached mandatory profile is deleted.

I also determined that the locally cached mandatory profile is removed
at system startup, not when the system shuts down. (I logged in using
the recovery console, and the locally cached mandatory profile was
still there; after I let the system boot up, it was gone).

I have no idea what the RefCount value is supposed to do....it appears
that normally it is a value of 1 when a user is logged in, and a value
of 0 when the user logs out. It doesn't look like it matters what
type of profile it is, when a user is logged in, the value is 1; when
the user is logged out, the value is 0.

In any case, it may be a possible workaround. I've been messing around
with a group policy shutdown script that will set the RefCount value
to 1 at system shutdown. I use a utility called regini.exe to do this.
It worked, but I'll need to set that value for three different user
accounts with mandatory profiles that all share the same group policy.


It still would be better to have some nice clean registry setting that
would stick and prevent the mandatory profile from being deleted!
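
The shutdown-script workaround described in the post above, as an added example that is not part of the original thread (Pat used regini.exe; this version uses PowerShell). It assumes PowerShell is installed on the workstation, that the script runs with rights to write HKLM, and that a cached mandatory profile can be recognised by an ntuser.man file in its local folder; the `-ReportOnly` switch is a name introduced here.

```powershell
# Added example (not from the thread). Run at machine shutdown so RefCount is 1
# at the next startup, which is when the cached copy was observed to be deleted.
param([switch]$ReportOnly)   # hypothetical switch: list profiles, change nothing

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

foreach ($key in Get-ChildItem -Path $profileList) {
    $props = Get-ItemProperty -Path $key.PSPath
    if (-not $props.ProfileImagePath) { continue }   # subkey has no profile folder

    # ProfileImagePath may hold %SystemDrive%-style variables; expand them.
    $folder = [Environment]::ExpandEnvironmentVariables($props.ProfileImagePath)

    # Assumption: ntuser.man in the cached folder marks a mandatory profile.
    if (-not (Test-Path -LiteralPath (Join-Path $folder 'ntuser.man'))) { continue }

    $before  = $props.RefCount
    $changed = $false
    if ((-not $ReportOnly) -and ($before -ne 1)) {
        # -Force overwrites the existing DWORD or creates it if missing.
        New-ItemProperty -Path $key.PSPath -Name 'RefCount' -PropertyType DWord `
            -Value 1 -Force | Out-Null
        $changed = $true
    }

    # One record per mandatory profile, for the script log or console.
    New-Object PSObject -Property @{
        Sid            = $key.PSChildName
        Folder         = $folder
        RefCountBefore = $before
        Changed        = $changed
    }
}
```

Because the script finds the mandatory profiles itself rather than taking a list of SIDs, one copy covers several accounts that share the same group policy. Running it with `-ReportOnly` first shows which SIDs it would touch.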
 
Jetro

You could find everything yourself and faster if you'd look into
userenv.log.

As M.Russinovich explains in his article
http://www.winntmag.com/Articles/Index.cfm?IssueID=24&ArticleID=299 Inside
NT's Object Manager,
"Regardless of whether resources are physical resources (such as disk drives
and keyboards) or logical resources (such as files and shared virtual
memory), NT represents them as object data structures, which the Object
Manager defines... Reference Count records the number of handles for an
object plus the number of active references that operating system components
make to the object. The Object Manager uses this count to determine when the
system no longer needs an object. When Reference Count drops to zero,
nothing in the system is using the object, so the system can remove the
object's state and storage. The Object Manager will call an object type's
Delete Procedure (which eliminates the object, not the resource the object
represents) with the object as a parameter."

Put simply, everything in NT is an object and every object has its RefCount.
 
Joined
Feb 24, 2006
Messages
1
Reaction score
0
Hi Pat,

I have a similar problem to this. If you could email me I would be grateful, as I am keen to see how you got round this issue.

Hope you can help.

Matt
 
Joined
Feb 8, 2007
Messages
1
Reaction score
0
I found this on the MS site

"You may receive an unrestricted temporary profile when you log on to a Windows XP-based client computer without a network connection to the domain"

"CAUSE
This problem occurs because the mandatory profiles are deleted on a Windows XP-based client computer when the computer is restarted."

Sounds familiar... Here is the link:

http://support.microsoft.com/kb/893243/en-us

Unfortunately you have to call MS to download the hotfix that addresses this issue. When I called this morning I waited for a good 20 minutes only to find that their systems were all down and I should call back later.

best,
gabe

 
Joined
Jan 28, 2008
Messages
1
Reaction score
0
Hi there, we are having the opposite problem. We use mandatory profiles and have the correct setting ticked in Group Policy, but the students' profiles are not being deleted after they log off and don't always delete after a reboot?? Any ideas?
 
