March 30th, 2006, 11:21 PM
mandatory group profile
I created a local profile and copied it to a shared folder on a file server. I then changed the ntuser extension to man. Well, everything is working fine, but I'm unable to get the custom picture I had centered on my desktop.
I later redid the template and put the picture on the same file server and browsed for it. I still was unable to see the picture in any of the practice users I created.
Does anyone know how I can create a mandatory profile that uses a custom picture? Do I drop it into my template folder?
March 31st, 2006, 12:31 AM
Never mind guys, I figured it out.
April 1st, 2006, 06:24 AM
For those of you that might come across this type of problem: just be patient, things will work. I ended up running "secedit /refreshpolicy user_policy /enforce" and then I ran "secedit /refreshpolicy machine_policy /enforce"
You could get the same with a reboot though, but I didn't have the luxury of doing that.
April 1st, 2006, 06:33 AM
It is always best to post your fix.....
especially when you posed the question in the first place.........
just a tip
How people treat you is their karma- how you react is yours-Wayne Dyer
April 1st, 2006, 08:14 AM
Thanks, mlf. That was actually all I did. Well, it could have been that or the reboot of the workstation. Now that I think of it, it was probably the reboot.
I ended up taking this practice scenario and applying it at work. I'm at home now, so I'll try and redo the steps from memory and then come back to edit if I messed something up.
My boss didn't like that some of the guys were changing their desktops at work after he gave them some specific instructions, that actually drove everyone nuts. Well he came to me to figure out a way to force a profile and have it not be changed.
This is what I did:
I created a user in Active Directory Users and Computers from one of my templates I created a few weeks earlier. For those of you that have never created a template, it's just a template user that has all the information filled in and has group policy membership that is standard for the users in your company. In my case, I have multiple template users I created. BTW, make sure to disable these template users when you create them.
Ok, now back to the user I created. I named the user "TempProfile" and then logged on to a network workstation. I then set up all the different variables that my boss wanted: desktop, etc... After I was done, I logged off.
I then went back to the server (actually logged in remotely to save time) and then created a shared folder named Profiles$. For those of you that are unfamiliar with the dollar sign at the end of a share name, it is used to make the folder invisible. Within that folder, I created another folder called "MandatoryLog". I applied the appropriate share and security measures that allowed members of my global security group access, but with proper restrictions. I guess you should toy around with this because I'm pretty sure we all have different ACLs that we deal with.
Next I went back to the workstation I logged into earlier. This time I logged into a domain account that had administrative privileges on the local machine as well as proper privileges on the server. To do this, you can log into the workstation with the local admin account or whatever account that you usually use that you have set as local administrator. Once you log in, go into "Users and Computers" and add your domain user with local administrative privileges.
After giving that user the privileges needed, log on to the workstation with that domain account. Now go into the Control Panel / System / Advanced tab and then into the User Profiles settings. I highlighted the tempProfile user's profile and selected Copy To. I then put the address to the shared folder and named the file "Mandatory". Selected OK and then the profile was copied.
I went back to the server and found the file labeled ntuser.dat and renamed the extension to .man. This made the profile uneditable. Just like how you would set up a roaming profile, do the same in this case to the users you want to have mandatory profiles. Do this by going into Active Directory Users and Computers or your MMC you created; go into the properties of each user and set the profile path to the mandatory profile that was created. Come to think of it, you could probably edit all the users you want to do this to at the same time since they'll all have the same file.
If you don't want to reboot, in the run command type:
secedit /refreshpolicy machine_policy /enforce
secedit /refreshpolicy user_policy /enforce
Keep in mind that each of the users will have the same profile and changes to their profile will not be saved. These guys had mapped network drives where they're supposed to save their files to anyway. If you want them to save into their mydocs, you could probably redirect the My Documents folder. You'll probably have to edit your group policy and set up redirect, but that's another issue.
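
An added example, not part of the posts above: a PowerShell check that a mandatory-profile folder really contains ntuser.man and that no untrusted identity holds write access to it through NTFS permissions. The server name, the function name Test-MandatoryProfile and the trusted-identity list are assumptions; share-level permissions are not inspected.

```powershell
# Added example: audits a mandatory-profile folder for the conditions
# described in the thread. Path and trusted identities are assumptions.
function Test-MandatoryProfile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Identities expected to hold write access (assumption, adjust per domain)
        [string[]] $TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $findings = @()
    $hive = Join-Path $Path 'ntuser.man'

    # The hive must carry the .man extension for the profile to be mandatory.
    if (-not (Test-Path -LiteralPath $hive)) {
        $findings += 'ntuser.man not found: profile is not mandatory'
    }
    if (Test-Path -LiteralPath (Join-Path $Path 'ntuser.dat')) {
        $findings += 'ntuser.dat still present next to the mandatory hive'
    }

    # Rights that let an identity alter or replace the shared profile, plus
    # the raw GENERIC_WRITE / GENERIC_ALL bits that some ACEs carry.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

    # Check the folder itself and the hive file, whichever exist.
    $targets = @($Path, $hive) | Where-Object { Test-Path -LiteralPath $_ }
    foreach ($target in $targets) {
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            $id = $ace.IdentityReference.Value
            $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
                $TrustedWriters -notcontains $id) {
                $findings += "$id can modify $target ($($ace.FileSystemRights))"
            }
        }
    }
    return $findings
}

# Hypothetical UNC path built from the share and folder names in the thread;
# 'fileserver' is a placeholder for the real server name.
Test-MandatoryProfile -Path '\\fileserver\Profiles$\MandatoryLog\Mandatory'
```

An empty result means both checks passed; any line returned names a missing hive or an identity that could change the profile every user loads.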