Mandatory profiles

  • Question

  • Hi,

    I am trying to configure mandatory profiles in my environment, with no success. I configure everything following all the steps as Microsoft recommends. I rename the ntuser.dat to ntuser.man, and from then on, only users with administrator privileges can log into the server. The normal users get a client profile service error, and they cannot log into the server.

    The permissions on the share folder and in NTFS are as recommended by Microsoft. If I rename ntuser.man to ntuser.dat, the users log in with a temporary profile.

    How can I get this to work?

    Monday, August 19, 2013 1:12 PM

Answers

  • Hi,

    Thanks for the answers, I have finally found the cause of the malfunction. Under HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList, I searched for the hive of the users who got the error, and deleted it.

    Now, the user logs in with mandatory profile correctly.

    • Marked as answer by Paco Gaspar Tuesday, August 20, 2013 8:17 AM
    Tuesday, August 20, 2013 8:17 AM

All replies

  • After you created the profile on a test machine, and before you saved the profile to the shared location, did you permit Everyone or Authenticated Users to use that profile? You would do that in the same spot where you saved it, in the machine's Computer Properties, Advanced, Profiles.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Proposed as answer by Meinolf Weber Monday, August 19, 2013 6:35 PM
    Monday, August 19, 2013 3:27 PM
  • I forgot to ask, what exactly did you follow that you said you followed all the steps Microsoft recommends? Got a link?

    Watch this video. He shows how to set permissions on the Share for the profile share and other info:

    Mandatory Profile on Windows Server 2008 R2
    http://www.youtube.com/watch?v=bDWEsJ0bJe8

    Create a mandatory user profile
    http://technet.microsoft.com/en-us/library/cc786301(v=ws.10).aspx


    Ace Fekay

    • Proposed as answer by Meinolf Weber Monday, August 19, 2013 6:35 PM
    Monday, August 19, 2013 3:40 PM
  • My question is the same as Ace's: how did you configure the mandatory profile? A mandatory profile is nothing but a roaming profile where you make changes to the desktop items, but the changes are not saved after logoff. You can also review the links below. You can also use group policy to make the profile mandatory.

    http://appsense.wordpress.com/2009/08/07/some-mandatory-profile-best-practices/

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/c2a52267-0af2-4bdf-a93e-25821dcd5435/how-to-create-mandatory-profile-in-windows-server-2008


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, August 20, 2013 1:26 AM
  • Hi,

    I would agree with others.

    When you are creating mandatory profiles, the first step is creating a shared directory and making sure that the group Everyone has access to it.

    For more detailed information, please refer to:

    Managing User Profiles

    http://technet.microsoft.com/en-us/library/bb726990.aspx

    Regards.



    Vivian Wang
    TechNet Community Support

    Tuesday, August 20, 2013 5:49 AM
  • Hi,

    Thanks for your answers and sorry for my short description of the problem.

    My scenario is somewhat different from normal. We have four servers. We are using one of them to run tests. The target is to have one mandatory profile on each server, all of them exactly equal to each other, and to use the 'local' mandatory profile when a user logs in.

    First, I have created a folder in C named profile. Then, I have given that folder the following NTFS permissions:

    SYSTEM: Full Control

    Administrators: Full Control

    Authenticated Users: Read & Execute

    Then, I have created another folder inside, named mandatory.v2

    Here I have tried to log in with a local non-administrator user and configure the profile, but when doing so and after logging in with the administrator user, the 'Copy to' button in the profiles dialog is grayed out. The only profile that is not grayed out for copying is 'default profile'. So I have selected the 'default profile', Copy to, c:\profile\mandatory.v2, and given the right to use it to the Everyone group.

    When the copy finishes, I rename ntuser.dat to ntuser.man. I open the registry, load the hive from that ntuser.man, and check that the Everyone group has Full Control permission on that hive. Then I unload the hive.

    Last, I create a GPO and configure it to use mandatory profile, and the path to the profile 'C:\profile\mandatory'

    With this configuration, if I log in to the server with a domain account that is a member of the Administrators group of the machine, a c:\users\username folder is created, username being the name of the user who logs in. I make some changes while logged in with that user, and log off. The folder c:\users\username disappears. Then I log in again with that user, and all the changes I made are not there, which is what is supposed to happen, so the mandatory profile works for that administrator user. But if I log on with a normal user, a message appears with the error 'Error in Service user profile service while logging on. Contact with system administrator'. The session then closes. And the event viewer logs an error with event 1500 saying 'Windows cannot start session because the profile cannot be loaded. Check that you are connected to the network and the network is working properly. Non specified error'.

    I forgot to mention that all those logs into the server are done via remote desktop.

    I know that using a 'local' path is not the way to do this, but I have tried the same with a \\servername\share$ located on a central server, with the same results.

    Now I will check all those links you have told me. Thanks

    Tuesday, August 20, 2013 6:42 AM
  • Hi,

    Thanks for the answers, I have finally found the cause of the malfunction. Under HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList, I searched for the hive of the users who got the error, and deleted it.

    Now, the user logs in with mandatory profile correctly.

    • Marked as answer by Paco Gaspar Tuesday, August 20, 2013 8:17 AM
    Tuesday, August 20, 2013 8:17 AM
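
The fix in the post above depends on finding the right subkey under ProfileList, where each subkey is named after a user's SID. The following read-only audit is an added example, not part of the original thread; the function name `Get-ProfileListEntry` and the account `CONTOSO\testuser` are constructed for illustration. It lists every entry with the resolved account name and flags keys that end in `.bak` or point to a missing profile folder, so the key for an affected user can be identified and exported before it is deleted.

```powershell
# Added example: read-only audit of ProfileList entries (nothing is modified).
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListEntry {
    param([string]$Path = $profileList)

    Get-ChildItem -Path $Path | ForEach-Object {
        $keyName = $_.PSChildName                  # SID, possibly with a ".bak" suffix
        $sidText = $keyName -replace '\.bak$', ''
        $props   = Get-ItemProperty -Path $_.PSPath

        # Resolve the SID to an account name; orphaned SIDs fail to translate.
        $account = '<unresolved>'
        try {
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        $imagePath = $props.ProfileImagePath
        [pscustomobject]@{
            Account    = $account
            KeyName    = $keyName
            ImagePath  = $imagePath
            PathExists = [bool]($imagePath -and (Test-Path -LiteralPath $imagePath))
            IsBackup   = $keyName -like '*.bak'
            State      = $props.State
        }
    }
}

# Constructed account name; replace it with a user who gets the profile service error.
Get-ProfileListEntry |
    Where-Object { $_.Account -eq 'CONTOSO\testuser' -or $_.IsBackup -or -not $_.PathExists } |
    Format-Table -AutoSize

# Before deleting a key as the answer describes, export it so it can be restored:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>" profile-backup.reg
```

Run it from an elevated PowerShell session on the server where the logon fails; `<SID>` in the export command is a placeholder for the key name reported in the `KeyName` column.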
  • Hi,

    Thanks for the answers, I have finally found the cause of the malfunction. Under HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList, I searched for the hive of the users who got the error, and deleted it.

    Now, the user logs in with mandatory profile correctly.


    Good to hear you've figured it out. :-)

    Ace Fekay

    Tuesday, August 20, 2013 1:52 PM