Mandatory profiles in Vista




















No user data is lost because the data still remains in the user's local user profile on the computer, but data could be lost if profiles are set to be deleted after the user logs off, for example, in a Terminal Services scenario. In this case, any changes the user made during his current session would be gone, but the server copy of his profile is still intact.

Considerations for Mixed Environments

The following considerations apply when implementing RUP in mixed environments that consist of a combination of computers running Windows Vista and later versions and computers running Windows XP or Windows

Default network profiles created for computers running an earlier version of Windows are not compatible with default network profiles created for Windows Vista and later computers because the profile namespace of Windows Vista and later versions is incompatible with the profile namespace of Windows XP.

Because of this incompatibility, users who log on to a computer running an earlier version of Windows cannot roam their profiles to Windows Vista and later computers and vice versa. If users must use Windows Vista and later computers as well as computers running earlier versions of Windows, they will need separate roaming profiles for each computer and must manage the profiles separately. If Folder Redirection is implemented, however, part of the user profiles (the redirected folders) can be shared between the two desktop environments.

A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded. There are two types of mandatory profiles: normal mandatory profiles and super-mandatory profiles.

You will see this dialog. Click on Default Profile so it is highlighted. The Copy To button will now become available.

Click on it and another dialog box will open. Fill in the Copy profile to location with the folder you wish to store the mandatory profile in. Ensure the Mandatory checkbox is ticked. The dialog box should now look like this. Also, if the user account does not have access to the destination folder you will get an error like this. Once you have resolved any access issues, click OK and the profile will be copied. The folder should now contain your copied default profile.

Make sure that your destination folder contains the ntuser. The file copy will have added Authenticated Users with RX permissions, but we also need to make sure the All Application Packages user has access as well.

Make the permissions on the root folder of your mandatory profile store as below, and set them to propagate. Also, make sure that the Administrators group owns the folder, and all subfolders. The pertinent settings are highlighted below. Now we need to do the same for the Registry, but we need to be a little more careful here. Open the Registry file ntuser.

Browse to the folder where the mandatory profile is and select the ntuser. Once you do this it will ask you to give the hive a name, simply type anything in as this will not be saved anywhere. You can then right-click on the root of the hive and select Permissions.

Modify it again so that it looks like this; this time we have given Authenticated Users Full Control, because the Registry is essentially a filesystem within a file that has its own ACLs. When clicking OK, it is normal to see an error like this, as some of the subkeys cannot be accessed.

Now, one of the questions that always comes up here is, because Authenticated Users now have Full Control over the Registry in the mandatory profile, does that mean that a tech-savvy user could access the Registry of a user on the same system, or another? But just in case there was an instance where they could, there are a couple of things you can do to mitigate this. In a high-security environment this might be necessary, but for most normal operations the NTFS protection on the ntuser.

Remove all references to the Administrator username from the Registry hive (there is a Find command you can use for this in regedit). You can also go through, if you wish, and delete any Registry keys or values that you deem unnecessary.

You may find that some keys (like Google, naming no names) are locked via permissions, and you will need to take ownership of them and edit permissions to get rid of them. Just delete these. Now log in as a different test user and see if you get the mandatory profile loaded; you can check the profile type from the sysdm.

Check that the User Profile Service is running and that you can access the location where the profile is stored, be it local or networked. If you do get issues, especially if logon fails, then checking the event log is paramount. The User Profile Service logs any errors here and you should be able to figure them out from the details here. For those of us who still use mandatory profiles (and there are more of them than anyone would think), using this guide should help you avoid the pitfalls you may well encounter on Windows 10 version I will try and record a video to go along with this, as well as possibly keep it updated for newer Windows 10 versions.
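
A read-only check of the file-system permissions and troubleshooting points described in this post, as an added PowerShell example that is not the author's own script. The share path is a hypothetical placeholder, and treating any write-type right held by a principal other than Administrators or SYSTEM as a finding is an assumption based on the Read & Execute entry the post describes.

```powershell
# Added example: read-only audit of a mandatory profile folder.
param([string]$ProfilePath = '\\fileserver\profiles$\mandatory')  # hypothetical path

$sidType  = [System.Security.Principal.SecurityIdentifier]
$rights   = [System.Security.AccessControl.FileSystemRights]
# Well-known SIDs, so the checks do not depend on localized or unresolvable names
$Admins   = 'S-1-5-32-544'   # BUILTIN\Administrators
$System   = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$AuthUser = 'S-1-5-11'       # Authenticated Users
$AppPkgs  = 'S-1-15-2-1'     # ALL APPLICATION PACKAGES
# Assumption: any of these rights held by a non-admin principal is a finding
$writeMask = [int]($rights::Write -bor $rights::Delete -bor
    $rights::DeleteSubdirectoriesAndFiles -bor $rights::ChangePermissions -bor $rights::TakeOwnership)
$rx = [int]$rights::ReadAndExecute

function Test-MandatoryProfileAcl {
    param([string]$Path)
    $findings = @()
    # Owner check covers the root folder and every subfolder
    $dirs = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -Force)
    foreach ($d in $dirs) {
        $owner = (Get-Acl -LiteralPath $d.FullName).GetOwner($sidType).Value
        if ($owner -ne $Admins) { $findings += "Owner of $($d.FullName) is $owner" }
    }
    # Rules are requested as SIDs, so entries a server cannot resolve by name still match
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($sid in $AuthUser, $AppPkgs) {
        $hit = $rules | Where-Object { $_.IdentityReference.Value -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $rx) -eq $rx) }
        if (-not $hit) { $findings += "No Read & Execute allow entry for $sid" }
    }
    foreach ($r in $rules) {
        $id = $r.IdentityReference.Value
        if ($r.AccessControlType -eq 'Allow' -and $id -notin $Admins, $System -and
            ([int]$r.FileSystemRights -band $writeMask) -ne 0) {
            $findings += "$id holds write-type rights: $($r.FileSystemRights)"
        }
    }
    $findings
}

# The troubleshooting checks from the text: service state, reachability, logged errors
"User Profile Service: $((Get-Service -Name ProfSvc).Status)"
if (Test-Path -LiteralPath $ProfilePath) { Test-MandatoryProfileAcl -Path $ProfilePath }
else { "Cannot reach $ProfilePath" }
Get-WinEvent -FilterHashtable @{ LogName = 'Application'
    ProviderName = 'Microsoft-Windows-User Profiles Service'; Level = 2, 3 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

An empty findings list means the folder matches the owner and Read & Execute entries described above; the script changes nothing on disk.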

Hi, I am following your instructions and am stuck at the point of setting permissions on filesystem. I cannot work out how to add all application packages when editing permissions on the file share.

The file server is r2. That group is not found. I am unable to add all application packages to the permissions on the r2 file share where the profile is stored. Please help.

Apparently, since , mandatory profiles have not worked with Chrome.

Sounds like you have put.

Watching the video How to set up a mandatory profile on Windows 10 Creators Update I saw that we should not put the extension .V6 in the profile path in the DA. I need help.

Sorry my English is not good. I decided this problem.

Mandatory profiles no removed after logout user. I added key Delete Roaming Cache in registry. And rename profile mandatory. Now all OK. But I got new problem. In my test system, with mandatory profile, not work Windows 10 modern app. In your video, I see calculator is work.

Hello - followed your instructions - Thanks Very Much!! But, I must be missing something as when assigning mandatory profile to a user, everything seems to work, but Start Menu will not launch.

I am testing with ver … also you mentioned upgrading V2 profiles to V6 profiles… how is that done?

Great write-up. Helped out a lot.


