Windows 2008 R2 Mandatory Profile GPO

    Question

  • Hi All,

    I am trying to configure Mandatory profiles for any user who logs onto any of our Windows 2008 R2 servers. I have a test environment consisting of a 2008 R2 DC and a few 2008 R2 Application servers. The process I followed was this:

    On the DC I created a folder on the c: drive and called it profile, then shared it as profiles$ with authenticated users and domain admins with full control. Set the NTFS permissions to Authenticated users read and Domain Admins full.

    Then I logged onto one of the 2008 servers, created a local user called Mandatory, logged on with that user, modified the desktop and added some files to the desktop, logged off, then logged back on with a Domain admin account. Copied the local user folder for Mandatory, including hidden files, to the share \\Server\profile$\mandatory.

    Then I imported the NTUSER.DAT into regedit, removed the permissions and added Authenticated users (READ) and Domain Admins (Full), and unloaded the hive. Renamed NTUSER.DAT to NTUSER.MAN and renamed the Mandatory folder to Mandatory.V2.

    Now I created a new GPO and enabled "Use Mandatory profiles on the RD Session Host Server" and enabled "Set path for Remote Desktop Services Roaming User Profile" with the path of \\Server\Profile$\Mandatory.

    I then linked the GPO to the OU containing the Windows 2008 R2 servers, did a quick GPUpdate on the server, then logged in. The profile is not the mandatory one. I have tried enabling loopback for the group policy, applying filtering to all users and the computer account, but still no mandatory profile is applied for any user logging on. An RSOP shows that the GPO is processed and applied, as I have made some other changes to the GPO and the settings do apply. Yet the Mandatory profile doesn't apply. When logged on, if you go to %userprofile% it points to the local cache, i.e. C:\users\username, and I can make changes that are still there when logging off and back on again.

    Am I missing something obvious?

    Thanks

    Tuesday, March 15, 2011 4:16 PM

All replies

  • Hi,

    Use mandatory profiles on the RD Session Host server

    This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting remotely to the RD Session Host server.

    If you enable this policy setting, Remote Desktop Services uses the path specified in the Set path for Remote Desktop Services Roaming User Profile policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile.

    Note:

    For this policy setting to take effect, you must also enable and configure the Set path for Remote Desktop Services Roaming User Profile policy setting.

    You can also open Start, click RUN, type CMD, press Enter, type GPRESULT /H GPReport.html in the Terminal server Command prompt, then you can check in the report whether the Group Policy has been successfully applied.

    More information:

    Profiles

    http://technet.microsoft.com/en-us/library/ee791865(WS.10).aspx

    Manage User Profiles for Remote Desktop Services

    http://technet.microsoft.com/en-us/library/cc742820.aspx

    Technology changes life……
    Sunday, April 10, 2011 12:26 PM
  • Hi, thanks for the feedback, but as I mentioned in my post I have already set up the GPO with those options enabled:

    "Now I created a new GPO and enabled "Use Mandatory profiles on the RD Session Host Server" and enabled "Set path for Remote Desktop Services Roaming User Profile" with the path of \\Server\Profile$\Mandatory"

    Thanks

    Marsh

    Friday, April 15, 2011 2:51 PM
  • Hi, did you get this figured out?

    I read through what you've done a couple of times and it seems like possibly a permissions error with the mandatory folder. What are the permissions on that folder?

    My folder is set with Users permissions at: Read & Execute; List Folder Contents; Read.

    Oh - Also! Before you can import/export the Mandatory profile into the registry, you need to delete Local and LocalLow from the \AppData folder. That, combined with renaming the .DAT to .MAN, makes it mandatory.

    Hope that information helps, unless you've already figured it out, in which case, Well Done! :)

    Lindsay

    Thursday, May 26, 2011 6:57 PM
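The checks raised across this thread (the .V2 suffix on the folder, NTUSER.MAN in place of NTUSER.DAT, Local/LocalLow removed, and read-only NTFS rights for users) can be run against the share in one pass. This is an added example, not code from any poster; the server name and share path are placeholders taken from the thread, and the script only reads metadata, so it is safe to run from any domain-joined machine.

```powershell
# Constructed example: sanity-check a mandatory profile folder as set up in this thread.
# The GPO path is given WITHOUT the .V2 suffix; 2008 R2 / Windows 7 look for <Path>.V2 on disk.
param(
    [string]$ProfilePath = '\\Server\Profile$\Mandatory'   # GPO value; server name is a placeholder
)

$findings = @()
$folder   = "${ProfilePath}.V2"

if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
    $findings += "Folder '$folder' not found (the .V2 suffix belongs on the folder, not in the GPO path)."
}
else {
    # The hive must be NTUSER.MAN; a leftover NTUSER.DAT means the profile is still writable.
    if (-not (Test-Path -LiteralPath (Join-Path $folder 'NTUSER.MAN'))) {
        $findings += "NTUSER.MAN is missing; the profile will not be treated as mandatory."
    }
    if (Test-Path -LiteralPath (Join-Path $folder 'NTUSER.DAT')) {
        $findings += "NTUSER.DAT is still present; rename it to NTUSER.MAN."
    }

    # Local and LocalLow should have been deleted before the hive was edited and captured.
    foreach ($sub in 'AppData\Local', 'AppData\LocalLow') {
        if (Test-Path -LiteralPath (Join-Path $folder $sub)) {
            $findings += "$sub still exists in the mandatory profile; remove it and re-capture."
        }
    }

    # NTFS ACL: users need Read & Execute only; write access defeats the point of a mandatory profile.
    $acl = Get-Acl -Path $folder
    $userRules = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Authenticated Users|\\Users$'
    })
    if ($userRules.Count -eq 0) {
        $findings += "No Allow ACE for Authenticated Users/Users on '$folder'; logon cannot read the profile."
    }
    elseif (@($userRules | Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' }).Count -gt 0) {
        $findings += "Users have write rights on '$folder'; a mandatory profile should be read-only for them."
    }
}

if ($findings.Count -eq 0) { 'No obvious problems found with the mandatory profile folder.' }
else { $findings | ForEach-Object { "WARN: $_" } }
```

If the folder passes every check but the profile still does not apply, the remaining places to look are the GPRESULT /H report mentioned above and the share-level permissions, which sit on top of the NTFS ACL.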