Mandatory Profiles

Posted by robd on December 23, 2014
Server / 1 Comment

Step 1 – Create a share for the Mandatory profile

On a central file server, create and share a folder that you want to use for the Mandatory profile. Apply the following share permissions;

Authenticated Users – Read
Administrators – Full Control

To provide better security, always create the share on an NTFS volume. Make sure you set the following NTFS access permissions (including child objects);

SYSTEM – Full Control
Administrators – Full Control
Authenticated Users – Read & Execute

Step 2 – Create a Share for the Folder Redirections

On a central file server, create and share a folder that you want to use for the folder redirections and apply the following share and NTFS permissions.

Share Permissions

Everyone – Change
Administrators – Full Control

NTFS Permissions

CREATOR OWNER (Subfolders and files only)
–        Full control
Authenticated Users (This folder only)
–        Traverse folder / execute files
–        List folder / read data
–        Read attributes
–        Read extended attributes
–        Create folders / append data
–        Read permissions
SYSTEM (This folder, subfolders and files)
–        Full control
Administrators (This folder, subfolders and files)
–        Full control

So that users only see the files and folders they have access rights to, enable Access-Based Enumeration on the share.
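As an added example (not the post's own code), the two shares from Steps 1 and 2 with exactly the share and NTFS permissions listed above, built in PowerShell; the folder paths and share names are assumptions.

```powershell
# Added example, not from the original post. Paths and share names are assumptions: adjust to suit.
# Run from an elevated PowerShell on the file server (New-SmbShare needs Windows Server 2012 or later).
Import-Module SmbShare
$Mandatory = 'E:\Shares\MandatoryProfile'   # Step 1 folder
$Redirect  = 'E:\Shares\Redirect'           # Step 2 folder
New-Item -ItemType Directory -Path $Mandatory, $Redirect -Force | Out-Null

# Share permissions. Step 1: Authenticated Users read, Administrators full control.
New-SmbShare -Name 'MandatoryProfile$' -Path $Mandatory -ReadAccess 'NT AUTHORITY\Authenticated Users' `
    -FullAccess 'BUILTIN\Administrators' | Out-Null
# Step 2: Everyone change, Administrators full control; access-based enumeration hides other users' folders.
New-SmbShare -Name 'Redirect$' -Path $Redirect -ChangeAccess 'Everyone' -FullAccess 'BUILTIN\Administrators' `
    -FolderEnumerationMode AccessBased | Out-Null

# One NTFS ACE; $Scope mirrors the "Applies to" column of the advanced security dialog.
function New-Ace([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights, [string]$Scope) {
    $inherit = 'ContainerInherit, ObjectInherit'; $prop = 'None'   # "This folder, subfolders and files"
    if ($Scope -eq 'ThisFolderOnly')      { $inherit = 'None' }
    if ($Scope -eq 'SubfoldersFilesOnly') { $prop = 'InheritOnly' }
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights,
        ([System.Security.AccessControl.InheritanceFlags]$inherit),
        ([System.Security.AccessControl.PropagationFlags]$prop), 'Allow'
}

# Replaces the folder's ACL with exactly the given ACEs; inheritance from the volume root is cut.
function Set-FolderAcl([string]$Path, $Aces) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) { $acl.RemoveAccessRuleAll($old) }
    foreach ($ace in $Aces) { $acl.AddAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}

# Step 1 NTFS permissions
Set-FolderAcl $Mandatory @(
    (New-Ace 'NT AUTHORITY\SYSTEM'              'FullControl'    'All'),
    (New-Ace 'BUILTIN\Administrators'           'FullControl'    'All'),
    (New-Ace 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' 'All'))

# Step 2 NTFS permissions: a user may create a folder under the root and then owns it outright,
# but gets no rights to anything else in the root.
$UserRights = 'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateDirectories, ReadPermissions'
Set-FolderAcl $Redirect @(
    (New-Ace 'CREATOR OWNER'                    'FullControl' 'SubfoldersFilesOnly'),
    (New-Ace 'NT AUTHORITY\Authenticated Users' $UserRights   'ThisFolderOnly'),
    (New-Ace 'NT AUTHORITY\SYSTEM'              'FullControl' 'All'),
    (New-Ace 'BUILTIN\Administrators'           'FullControl' 'All'))
```

Afterwards, `Get-Acl E:\Shares\Redirect | Format-List` and `Get-SmbShareAccess Redirect$` let you compare the result against the tables above before any user logs on.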


Step 3 – Create a Local Template user

On a Windows 7 client, create a local non-administrative user account.

If you create a local administrator account instead, the profile picks up the following unnecessary settings;

Software\Microsoft\Microsoft Management Console
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 (through 4)

The last registry key contains a lot of settings, and why would you create an administrator account anyway?

For this guide I will create a Template user with the name “robinhobo-com”.

Step 4 – Log in with the Template account you just created

Log in with the local user account created in step 3 and make the necessary customizations. To keep the profile as clean as possible, customize only what is necessary. Mostly I customize the Pinned Items, the System Tray icon behaviour and some Start Menu properties.


I also remove all the public folders from the user's Libraries. You can do this while customizing the template user or afterwards by editing the library XML files (see step 5).

To clear the recently opened programs in the Start menu (as shown in the right image below), open the Taskbar and Start Menu Properties, open the Start Menu tab, unselect “Store and display recently opened programs in the Start menu” and “Store and display recently opened items in the Start menu and the taskbar” (as shown in the left image below), hit the Apply button. Now select both options again and click Apply.


When you’re done with the customization of the profile, log out.

Step 5 – Clean up the Template user

First of all, I will make a local backup copy of the profile. As you can see in the picture below, all unnecessary shortcuts from the profile are automatically removed by this copy action.


I will use the backup copy to finish the Mandatory profile. The next step is to load the NTUSER.DAT in the Registry Editor.


Open the Registry Editor, select HKEY_LOCAL_MACHINE, open the File menu and select Load Hive...

Enter a key name, in this case I will give the key the name “PROFILEMAN”.


Right click the Loaded Hive and select Permissions. Remove the template user and the administrators group. Add Authenticated Users and give this group Full Control permissions. Click OK.

Consider whether you can empty / delete the following registry keys in your environment;

–        <loaded hive>\Software\Microsoft\SoftGrid\4.5\Client\UserInfo\DataDirectory
–        <loaded hive>\Software\Microsoft\WAB\(Default)
–        <loaded hive>\Software\Policies
–        <loaded hive>\Software\Microsoft\CurrentVersion\Policies
–        <loaded hive>\Software\Microsoft\Windows\CurrentVersion\Run
–        <loaded hive>\Software\Microsoft\Windows\CurrentVersion\RunOnce

Within the <loaded hive> search for the template user name and replace it with %username%, except for Shell Folders.

Shell Folders

Shell Folders is a different story. Some people leave it as it is, some replace the template user name with %username%, and some delete all the Shell Folders keys.
The problem is that some applications need these keys to work properly and cannot handle variables in them.

I will delete the keys except "(default)", "!Do not use this registry key" and "Fonts", and let Windows recreate them with Active Setup at user logon.


To do that, delete the following registry key;

–        <loaded hive>\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}

Now, when the user logs on, Active Setup recreates the Shell Folders keys correctly, so programs that need them work as expected.


Select the <loaded hive>, go to the File menu and click Unload Hive. Close the Registry Editor.
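The registry part of Step 5 (load the hive, fix its permissions, delete the listed keys, swap the user name for %username% outside Shell Folders, unload) scripted in PowerShell, as an added example rather than the post's own procedure; the backup location and the template user name are assumptions.

```powershell
# Added example, not from the original post: the registry part of Step 5 in PowerShell. Assumed:
# profile backup in C:\ProfileBackup, template user "robinhobo-com"; run elevated.
$ProfilePath  = 'C:\ProfileBackup'
$TemplateUser = 'robinhobo-com'
$Root         = 'HKLM:\PROFILEMAN'                       # key name used in the post
& reg.exe load 'HKLM\PROFILEMAN' (Join-Path $ProfilePath 'NTUSER.DAT') | Out-Null

# Hive permissions: drop the template user (an unresolved S-1-5-21-... SID when the hive is loaded
# on another machine) and Administrators; add Authenticated Users with Full Control.
$acl = Get-Acl -Path $Root
foreach ($ace in @($acl.Access)) {
    if ($ace.IdentityReference.Value -match "\\$TemplateUser$|\\Administrators$|^S-1-5-21-") {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
    'NT AUTHORITY\Authenticated Users', 'FullControl', 'ContainerInherit', 'None', 'Allow'))
Set-Acl -Path $Root -AclObject $acl

# Run/RunOnce from the post's "consider" list (review the others for your environment) and the
# Active Setup component whose removal makes Windows rebuild Shell Folders at first logon.
$Delete = 'Software\Microsoft\Windows\CurrentVersion\Run',
          'Software\Microsoft\Windows\CurrentVersion\RunOnce',
          'Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}'
foreach ($k in $Delete) {
    $p = Join-Path $Root $k
    if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Recurse -Force }
}

# Replace the template user name with %username% in REG_SZ / REG_EXPAND_SZ values; skip Shell Folders.
$Pattern = [regex]::Escape($TemplateUser)
Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notmatch '\\Shell Folders$' } |
    ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            if ($kind -ne 'String' -and $kind -ne 'ExpandString') { continue }
            $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if ($value -notmatch $Pattern) { continue }
            $target = if ($name -eq '') { '(default)' } else { $name }   # '' is the default value
            Set-ItemProperty -LiteralPath $key.PSPath -Name $target -Type $kind `
                -Value ($value -replace $Pattern, '%username%')
        }
    }

# Release the provider's key handles, then unload (reg unload fails while handles are open).
$key = $null; $acl = $null; [GC]::Collect(); [GC]::WaitForPendingFinalizers()
& reg.exe unload 'HKLM\PROFILEMAN' | Out-Null
```

Run it against the backup copy only, so the original template profile stays intact if a replacement goes wrong.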

Delete the following files and folders within the profile folder;

–        AppData\Local
–        AppData\LocalLow
–        Contacts\<username>.contact
–        The .LOG1, .LOG2, .blf and the .regtrans-ms files


Public Folders

As I mentioned in step 4, you can remove the public folders from the libraries afterwards.
To do so, edit the following (hidden) files;

–        Documents.library-ms
–        Music.library-ms
–        Pictures.library-ms
–        Videos.library-ms

These files are located in the following location and are only visible through the command prompt;


Remove the last "searchConnectorDescription" element from each file to remove the Public folder, as shown in the picture below.


Step 6 – Copy the profile to the network share

Copy the profile to the network share created in step 1. Rename the folder so that it is recognizable as a mandatory profile and append the .V2 extension to it.


Step 7 – Add the profile to the user in AD:

Find a user in AD, go to Profile and change the path to the profile:



Enable Folder Redirection

To enable user folder redirection, apply the following GPO settings for (domain) users:

User Configuration > Policies > Windows Settings > Folder Redirection

You can redirect the following folders;

–        AppData (Roaming) (Not recommended with a mandatory profile)
–        Desktop
–        Start Menu
–        Documents
–        Pictures
–        Music
–        Videos
–        Favorites
–        Contacts
–        Downloads
–        Links
–        Searches
–        Saved Games

On the Target tab select "Basic – Redirect everyone's folder to the same location". For Target folder location, select "Create a folder for each user under the root path". For Root Path, fill in the share created in step 2. Make sure that "Grant the user exclusive rights to Documents" is deselected on the Settings tab.

To stop the message "Some library features are unavailable due to unsupported library locations" from appearing, apply the following policy;

User Configuration > Policies > Administrative Templates > Windows Components > File Explorer

–        Turn off Windows Libraries features that rely on indexed file data – Enabled



Server 2012 UAC – You don’t currently have permission to access this folder.

Posted by robd on May 13, 2014
Server 2012 / 1 Comment

Hi All,

Today I thought I'd set up roaming profiles on a Server 2012 file server. Easy, I thought; it'll take me 10 minutes, I thought... I was wrong.

So first things first, I created a share on my server with permissions:


Tested the share from another PC: great, I can get on.

Jumped back on the server and tried to open the folder from the root, i.e. E:\Share\staff, and I got the following:

You don’t currently have permission to access this folder. Click Continue to permanently get access to this folder


Well, if I click Continue then my share is ruined with ugly permissions I don't want, i.e. I only want the permissions I specified above, not my username dotted everywhere.

So I turned to UAC and disabled it:


No change, well that's mental... after a good hour of searching I found the answer was to set the registry to:


to 0


Reboot the server and all was fine in the world!

So why does UAC do this? UAC strips the admin credential from any un-elevated process. If you're attempting to use an un-elevated process such as Explorer to access a remote share using only admin credentials, UAC will strip the admin credentials from the process' security token and the process will receive an "access denied" error. Which is stupid if you're changing permissions.


DHCP, DNS and DCPROMO issues

Posted by robd on May 07, 2013
DCPROMO, DHCP, DNS / No Comments

Today was interesting; over the bank holiday I demoted an old 2003 domain controller, let's call it Server1.

All went to plan, changed the IP address of the DNS on the network card and ran DCPROMO, nexting through all the options.

Reboot, ran a few tests:

DCDIAG on all the remaining domain controllers,
REPADMIN /REPLSUMMARY to test replication,
Logged onto a few PCs to check they could authenticate ok.


Well that all seemed fine and all the results were great.

Tuesday comes round and I turn up to bedlam!!

Around 20 or 30 machines were referencing Server1 for DNS and, since the DCPROMO, the DNS server only had Active Directory integrated DNS running, meaning users couldn't get to a host of sites!!

The question was though, why on earth were they referencing Server1?

To try and resolve it, I did the normal client-side steps:

Rebooted the client,
IPCONFIG /Release,
Changed the settings in the registry:  HKLM/CCS/Services/TCP/Parameters

But no matter what I did the DNS server reverted back.

So after some thought I logged onto Server1 and checked DHCP because, as you know, DHCP assigns DNS and the default gateway etc. to clients.

The service was enabled, which worried me slightly, and the Scopes were disabled, but more importantly the Server options were all referencing the wrong server!! So I quickly changed the options then disabled the DHCP service.

Rebooted the clients and Bam, everything was back up and running as it should.

For some strange reason the clients were using the wrong DHCP server along with its incorrect settings.

So I urge you, if you have this problem, check all your DHCP servers first!!
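As an added example (not from the original post), a PowerShell check for exactly this situation: list the DNS servers (option 006) every DHCP server hands out at server and scope level, flag any still pointing at the demoted DC, and show on a client which DHCP server issued its lease. It assumes the DhcpServer RSAT module (Windows 8 / Server 2012 or later); "Server1" is the demoted DC's name as in the post.

```powershell
# Added example, not from the original post. Assumes the DhcpServer and DnsClient modules
# (Windows 8 / Server 2012 or later) and "Server1" as the name of the demoted DC.
Import-Module DhcpServer

# DNS option 006 from each DHCP server; defaults to the servers authorised in AD, but pass names
# explicitly to include a box that is running DHCP without being authorised.
function Get-DhcpDnsOptions([string[]]$Servers = (Get-DhcpServerInDC).DnsName) {
    foreach ($name in $Servers) {
        # Server-level option applies to every scope that does not override it
        $o = Get-DhcpServerv4OptionValue -ComputerName $name -OptionId 6 -ErrorAction SilentlyContinue
        [pscustomobject]@{ Server = $name; Scope = '<server level>'; DnsServers = ($o.Value -join ', ') }
        # Scope-level values, including inactive scopes (the post's culprit had its scopes disabled)
        foreach ($scope in Get-DhcpServerv4Scope -ComputerName $name -ErrorAction SilentlyContinue) {
            $o = Get-DhcpServerv4OptionValue -ComputerName $name -ScopeId $scope.ScopeId -OptionId 6 `
                 -ErrorAction SilentlyContinue
            if ($o) { [pscustomobject]@{ Server = $name; Scope = "$($scope.ScopeId) ($($scope.State))"
                                         DnsServers = ($o.Value -join ', ') } }
        }
    }
}

# Flag every entry that still names the demoted DC's address(es)
$BadDns = (Resolve-DnsName -Name 'Server1' -Type A -ErrorAction SilentlyContinue).IPAddress
Get-DhcpDnsOptions |
    Where-Object { $row = $_; @($BadDns | Where-Object { $row.DnsServers -like "*$_*" }).Count -gt 0 } |
    Format-Table -AutoSize

# On a client: which DHCP server issued the lease, and which DNS servers came with it
function Get-ClientDhcpInfo {
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE AND DHCPEnabled = TRUE' |
        Select-Object Description, DHCPServer, DNSServerSearchOrder
}
```

If `Get-ClientDhcpInfo` on an affected PC names a server you thought was retired, that server, not the client, is where the fix belongs.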


Lync 2010 Disabled Users – Enabled them on Lync 2010

Posted by robd on September 07, 2012
Lync 2010 / 5 Comments

Hi All,

We use linked mailboxes within the company I work in as we're too lazy to finish an AD/Exchange migration. Now, as you'll know, linked mailboxes need to have a disabled mailbox in AD to work...

Well, a while ago we needed to install Lync 2010 and, being proactive, we installed the Lync server on the new domain... then we realised that Lync 2010 can't natively work with disabled accounts.

So having a butcher's about on the Internet we found this script to enable disabled users in a certain OU to use Lync 2010. The script uses SIDMAP.WSF to synchronize the msExchMasterAccountSid attribute to the msRTCSIP-OriginatorSid attribute on the SIP-enabled disabled user account.

So just for clarity, SIP enable the account through the Lync 2010 control panel, then run this batch script:

rem Run on the server where the Lync Server 2010 Resource Kit (LcsSync) is installed
cd "c:\Program Files\Microsoft Lync Server 2010\ResKit\LcsSync"
rem Make cscript the default script host so the .wsf runs in the console instead of wscript dialogs
wscript //h:cscript
rem Copy msExchMasterAccountSid into msRTCSIP-OriginatorSid for the disabled SIP-enabled users in this OU
sidmap.wsf /OU:OU="SIDTEST,OU=Users,OU=Linked Mailboxes,OU=Exchange Users,OU=Users,OU=Newport,OU=Sites,DC=targetgroup,DC=corp,DC=local" /logfile:c:\sipmap.txt
