Mandatory Profiles

Posted by robd on December 23, 2014

Step 1 – Create a share for the Mandatory profile

On a central file server, create and share a folder that you want to use for the Mandatory profile. Apply the following share permissions:

Authenticated Users – Read
Administrators – Full Control

To provide better security, always create the share on an NTFS volume. Make sure you set the following NTFS access permissions (including child objects):

SYSTEM – Full Control
Administrators – Full Control
Authenticated Users – Read & Execute

Step 2 – Create a Share for the Folder Redirections

On a central file server, create and share a folder that you want to use for the folder redirections and apply the following share and NTFS permissions:

Share Permissions

Everyone – Change
Administrators – Full Control

NTFS Permissions

CREATOR OWNER (Subfolders and files only)
–        Full control
Authenticated Users (This folder only)
–        Traverse folder / execute files
–        List folder / read data
–        Read attributes
–        Read extended attributes
–        Create folders / append data
–        Read permissions
SYSTEM (This folder, subfolders and files)
–        Full control
Administrators (This folder, subfolders and files)
–        Full control

To ensure that users can only see the files and folders they have access rights to, enable Access Based Enumeration on the share.
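The two shares from steps 1 and 2 scripted as an added example (not the post's own code), including the NTFS ACLs listed above and Access Based Enumeration. The local paths and share names are assumptions; run it elevated on the file server with the SmbShare module (Windows Server 2012 or later).

```powershell
$ProfileRoot  = 'D:\Shares\MandatoryProfile'   # assumed local path for step 1
$RedirectRoot = 'D:\Shares\FolderRedirection'  # assumed local path for step 2
New-Item -ItemType Directory -Path $ProfileRoot, $RedirectRoot -Force | Out-Null

# Replace the inherited NTFS ACL of $Path with exactly the Allow rules in $Rules.
# Each rule: identity, FileSystemRights, InheritanceFlags, PropagationFlags.
function Set-FolderAcl([string]$Path, [object[]]$Rules) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, discard inherited ACEs
    foreach ($r in $Rules) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r[0], [System.Security.AccessControl.FileSystemRights]$r[1],
            [System.Security.AccessControl.InheritanceFlags]$r[2],
            [System.Security.AccessControl.PropagationFlags]$r[3], 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Step 1: users only ever read the mandatory profile; nothing is written back to NTUSER.MAN.
New-SmbShare -Name 'MandatoryProfile$' -Path $ProfileRoot `
    -ReadAccess 'Authenticated Users' -FullAccess 'Administrators' | Out-Null
Set-FolderAcl $ProfileRoot @(
    @('SYSTEM',              'FullControl',    'ContainerInherit,ObjectInherit', 'None'),
    @('Administrators',      'FullControl',    'ContainerInherit,ObjectInherit', 'None'),
    @('Authenticated Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None'))

# Step 2: Access Based Enumeration hides other users' folders. Authenticated Users may
# only traverse, list and create a subfolder in the root; CREATOR OWNER then gets full
# control of what they created, so one user cannot read another user's redirected folders.
New-SmbShare -Name 'Redirect$' -Path $RedirectRoot -ChangeAccess 'Everyone' `
    -FullAccess 'Administrators' -FolderEnumerationMode AccessBased | Out-Null
Set-FolderAcl $RedirectRoot @(
    @('CREATOR OWNER', 'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly'),
    @('Authenticated Users',
      'Traverse,ListDirectory,ReadAttributes,ReadExtendedAttributes,CreateDirectories,ReadPermissions',
      'None', 'None'),
    @('SYSTEM',         'FullControl', 'ContainerInherit,ObjectInherit', 'None'),
    @('Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None'))
```

Afterwards, `(Get-Acl $RedirectRoot).Access` should show exactly the four entries from the list above and nothing inherited from the parent volume.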


Step 3 – Create a Local Template user

On a Windows 7 client, create a local non-administrative user account.

If you do create a local administrator account, you get the following unnecessary settings within the profile:

Software\Microsoft\Microsoft Management Console
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 (through 4)

The last of these contains a lot of settings, and why would you be creating an administrator account anyway?

For this guide I will create a Template user with the name “robinhobo-com”.

Step 4 – Login with the Template account you just created

Log in with the local user account created in step 3 and do the necessary customizations. To keep the profile as clean as possible, customize only what is necessary. Mostly I customize the Pinned Items, the System Tray icon behaviour and some Start Menu properties.


I also remove all the public folders from the user's Libraries. You can do this while customizing the template user or afterwards by editing the library XML files (see step 5).

To clear the recently opened programs in the Start menu (as shown in the right image below), open the Taskbar and Start Menu Properties, open the Start Menu tab, unselect “Store and display recently opened programs in the Start menu” and “Store and display recently opened items in the Start menu and the taskbar” (as shown in the left image below), hit the Apply button. Now select both options again and click Apply.


When you’re done with the customization of the profile, log out.

Step 5 – Clean up the Template user

First of all, I will make a local backup copy of the profile. As you can see in the picture below, all unnecessary shortcuts from the profile are automatically removed by this copy action.


I will use the backup copy to finish the Mandatory profile. The next step is to load the NTUSER.DAT in the Registry Editor.


Open the Registry Editor, select HKEY_LOCAL_MACHINE, open the File menu and select Load Hive...

Enter a key name, in this case I will give the key the name “PROFILEMAN”.


Right click the Loaded Hive and select Permissions. Remove the template user and the administrators group. Add Authenticated Users and give this group Full Control permissions. Click OK.

Consider whether you can empty or delete the following registry keys in your environment:

–        <loaded hive>\Software\Microsoft\SoftGrid\4.5\Client\UserInfo\DataDirectory
–        <loaded hive>\Software\Microsoft\WAB\(Default)
–        <loaded hive>\Software\Policies
–        <loaded hive>\Software\Microsoft\CurrentVersion\Policies
–        <loaded hive>\Software\Microsoft\Windows\CurrentVersion\Run
–        <loaded hive>\Software\Microsoft\Windows\CurrentVersion\RunOnce

Within the <loaded hive> search for the template user name and replace it with %username%, except for Shell Folders.

Shell Folders

Shell Folders is a different story. Some people leave it as it is, some replace the template user name with %username%, and some delete all the Shell Folders keys. The problem is that some applications need these keys to work properly and cannot handle variables in them.

I will delete the keys except “(default)”, “!Do not use this registry key” and “Fonts”, and let Windows recreate them through Active Setup at user logon.


To do that, delete the following registry key:

–        <loaded hive>\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}

Now, when the user logs on, Active Setup will recreate the Shell Folders correctly, so programs that need the Shell Folders keys will work properly.


Select the <loaded hive>, go to the File menu and click on Unload Hive. Close the registry editor.
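The registry part of step 5 (load the hive, fix its ACL, delete the candidate keys and the Active Setup component, trim Shell Folders, replace the template user name with %username%, unload) as an added PowerShell example; it is not the post's own script. The backup path is an assumption, the template name “robinhobo-com” and key name PROFILEMAN are the post's; run it elevated with PowerShell 3 or later, and review the deletion list for your own environment as the post advises.

```powershell
$ProfileCopy  = 'C:\ProfileBackup\robinhobo-com'   # assumed: local backup copy from step 5
$TemplateUser = 'robinhobo-com'                     # template account name from step 3
$HiveKey      = 'PROFILEMAN'
$Hive         = "Registry::HKEY_LOCAL_MACHINE\$HiveKey"
reg.exe load "HKLM\$HiveKey" (Join-Path $ProfileCopy 'NTUSER.DAT') | Out-Null

# Hive ACL: drop the template user and Administrators, add Authenticated Users: Full Control.
$acl = Get-Acl -Path $Hive
foreach ($ace in @($acl.Access)) {
    if ($ace.IdentityReference.Value -match "\\($([regex]::Escape($TemplateUser))|Administrators)$") {
        [void]$acl.RemoveAccessRule($ace)
    }
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
    'Authenticated Users', 'FullControl', 'ContainerInherit', 'None', 'Allow')))
Set-Acl -Path $Hive -AclObject $acl

# Four of the post's candidate keys (check each for your environment), plus the Active
# Setup component whose absence makes Windows rebuild Shell Folders at first logon.
@('Software\Microsoft\SoftGrid\4.5\Client\UserInfo\DataDirectory',
  'Software\Policies',
  'Software\Microsoft\Windows\CurrentVersion\Run',
  'Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}'
) | ForEach-Object { Remove-Item -Path "$Hive\$_" -Recurse -Force -ErrorAction SilentlyContinue }

# Shell Folders: keep only (default), "!Do not use this registry key" and Fonts.
$sf = "$Hive\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
foreach ($n in (Get-Item -Path $sf).GetValueNames()) {
    if ($n -and $n -notin @('!Do not use this registry key', 'Fonts')) { Remove-ItemProperty -Path $sf -Name $n }
}

# Everywhere else swap the template user name for %username% in REG_SZ / REG_EXPAND_SZ
# values, passing -Type so an expandable string does not silently become a plain one.
Get-ChildItem -Path $Hive -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $_.Name -notlike '*\Explorer\Shell Folders' } |
  ForEach-Object {
    $key = $_
    foreach ($name in $key.GetValueNames()) {
        $kind = "$($key.GetValueKind($name))"
        if ($kind -notin @('String', 'ExpandString')) { continue }
        $val = $key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        if ($val -like "*$TemplateUser*") {
            Set-ItemProperty -Path $key.PSPath -Name $(if ($name) { $name } else { '(default)' }) `
                -Type $kind -Value ($val -replace [regex]::Escape($TemplateUser), '%username%')
        }
    }
  }
[gc]::Collect()                     # release provider handles, or reg unload reports "Access is denied"
reg.exe unload "HKLM\$HiveKey" | Out-Null
```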

Delete the following files and folders within the profile folder:

–        AppData\Local
–        AppData\LocalLow
–        Contacts\<username>.contact
–        The .LOG1, .LOG2, .blf and the .regtrans-ms files


Public Folders

As I mentioned in step 4, you can remove the public folders from the libraries afterwards. To do so, edit the following (hidden) files:

–        Documents.library-ms
–        Music.library-ms
–        Pictures.library-ms
–        Videos.library-ms

These files are located in the following location and are only visible through the command prompt:

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Libraries\

Remove the last “searchConnectorDescription” element from the files to remove the Public folder as shown in the picture below.
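The library-ms edit above done in code, as an added example that is not part of the post: it parses each library file as XML, removes the last searchConnectorDescription element and writes the file back. The profile path is an assumption; the Hidden attribute is cleared around the save because XmlDocument.Save cannot overwrite a hidden file, and Get-Item needs -Force to see one.

```powershell
$ProfileCopy = 'C:\ProfileBackup\robinhobo-com'   # assumed: local backup copy from step 5
$LibDir      = Join-Path $ProfileCopy 'AppData\Roaming\Microsoft\Windows\Libraries'

# Remove the last searchConnectorDescription (the Public folder) from one .library-ms file.
# Returns $true if an element was removed, $false if only one location was left.
function Remove-PublicFolderFromLibrary([string]$Path) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true               # keep the file's original layout
    $xml.Load($Path)
    # library-ms files use a default XML namespace, so XPath needs a prefix bound to it.
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('l', $xml.DocumentElement.NamespaceURI)
    $nodes = $xml.SelectNodes(
        '/l:libraryDescription/l:searchConnectorDescriptionList/l:searchConnectorDescription', $ns)
    if ($nodes.Count -lt 2) { return $false }     # never strip the user's own folder
    $last = $nodes[$nodes.Count - 1]
    [void]$last.ParentNode.RemoveChild($last)

    $item = Get-Item -Path $Path -Force            # -Force: the file is hidden
    $attr = $item.Attributes
    $item.Attributes = $attr -band (-bnot [System.IO.FileAttributes]::Hidden)
    try     { $xml.Save($Path) }
    finally { (Get-Item -Path $Path -Force).Attributes = $attr }   # hide it again
    return $true
}

foreach ($lib in 'Documents', 'Music', 'Pictures', 'Videos') {
    $p = Join-Path $LibDir "$lib.library-ms"
    if (Test-Path -Path $p) { "{0}: removed={1}" -f $lib, (Remove-PublicFolderFromLibrary $p) }
}
```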


Step 6 – Copy the profile to the network share

Copy the profile to the network share created in step 1. Rename the folder to a name so that it is recognizable as a mandatory profile and append the .V2 extension to it.

Rename the NTUSER.DAT to NTUSER.MAN.

Step 7 – Add the profile to the user in AD:

Find a user in AD, go to Profile and change the path to the profile:

DO NOT INCLUDE THE .V2 OF THE PROFILE FOLDER.
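Steps 6 and 7 scripted as an added example (not from the post), ending with a check that the AD profile path has no .V2 while the folder on the share does. Server, share, folder and user names are assumptions; it needs the ActiveDirectory module from RSAT.

```powershell
Import-Module ActiveDirectory
$ProfileCopy = 'C:\ProfileBackup\robinhobo-com'       # assumed: cleaned copy from step 5
$ShareRoot   = '\\fileserver\MandatoryProfile$'       # assumed name of the step 1 share
$ProfileName = 'Win7-Mandatory'                       # assumed name, recognizable as mandatory
$Target      = Join-Path $ShareRoot "$ProfileName.V2" # the folder on the share carries .V2

# Step 6: copy the cleaned profile (/E keeps empty folders, /XJ skips legacy junction points),
# then turn NTUSER.DAT into NTUSER.MAN, which is what makes the profile mandatory.
robocopy.exe $ProfileCopy $Target /E /XJ /R:1 /W:1 /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
Rename-Item -Path (Join-Path $Target 'NTUSER.DAT') -NewName 'NTUSER.MAN' -Force

# Step 7: the AD profile path is the folder name WITHOUT .V2; the Windows 7 client appends it.
Set-ADUser -Identity 'jdoe' -ProfilePath (Join-Path $ShareRoot $ProfileName)

# Verify the three things that most often go wrong with a mandatory profile path.
function Test-MandatoryProfile([string]$User) {
    $p = (Get-ADUser -Identity $User -Properties ProfilePath).ProfilePath
    [pscustomobject]@{
        User            = $User
        PathWithoutV2   = [bool]$p -and ($p -notmatch '\.V2$')
        V2FolderExists  = Test-Path -Path "$p.V2" -PathType Container
        NtuserManOnly   = (Test-Path -Path "$p.V2\NTUSER.MAN") -and -not (Test-Path -Path "$p.V2\NTUSER.DAT")
    }
}
Test-MandatoryProfile -User 'jdoe'
```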


Enable Folder Redirection

To enable user folder redirection, apply the following GPO settings for (domain) users:

User Configuration > Policies > Windows Settings > Folder Redirection

You can redirect the following folders:

–        AppData (Roaming) (Not recommended with a mandatory profile)
–        Desktop
–        Start Menu
–        Documents
–        Pictures
–        Music
–        Videos
–        Favorites
–        Contacts
–        Downloads
–        Links
–        Searches
–        Saved Games

On the Target tab, select “Basic – Redirect everyone’s folder to the same location”. For Target folder location, select “Create a folder for each user under the root path”. For Root Path, fill in the share created in step 2. Make sure that “Grant the user exclusive rights to Documents” is deselected on the Settings tab.

To stop the message “Some library features are unavailable due to unsupported library locations” from appearing, apply the following policy:

User Configuration > Policies > Administrative Templates > Windows Components > File Explorer

–        Turn off Windows Libraries features that rely on indexed file data – Enabled
