Windows 7 Mandatory Profile Setup
Configure Windows 7 Mandatory Profiles Without Sysprep
Configure a default mandatory user profile on the network without Sysprep. This default profile gives every computer lab user the same desktop configuration, start menu, and other custom settings. You typically would create a customized default user profile when preparing a disk image to be deployed to multiple identical or nearly identical machines in the lab. The customized default user profile can then be copied to a shared folder on the local area network. This default user profile is applied when users log on. This profile can be configured to be a mandatory "read only" profile so that all user changes are discarded when they log off. Students delete all the desktop icons or change the background? No problem: log off, log back in, and everything is back to normal.
The Microsoft Solution - Sysprep
Microsoft supports ONLY the use of Sysprep to copy a customized user profile to the local default profile. Once Sysprep copies the custom user profile to the local default profile, the new default profile can then be copied to an alternate location such as a shared folder on the network to be applied to your computer lab users.
Problems With Sysprep
Unfortunately the use of Sysprep strips (ruins) many painstakingly created customizations to a carefully crafted computer prepared for disk imaging. Additionally, Sysprep can be unnecessarily complicated to implement, wasting many hours (days?) to resolve cryptic and unexplained fatal errors during the initial sysprep and final imaging processes.
Third Party Sysprep Workarounds
For the reasons mentioned above, sysadmins have sought simpler, more effective methods to quickly create and deploy default user profiles for Vista and Windows 7 systems. Previously, on Windows XP systems it was possible to access a dialog box that displayed user profiles and then click a "Copy to" button to copy any of them to an alternate location. On current operating systems this button is disabled (greyed out) on all user profiles except the default profile. Third party software is available to force the enabling of the "Copy to" button to allow a non-default user profile to be copied to an alternate location.
Many sysadmins have discovered that Microsoft disabled the "Copy to" button for good reasons. The forcefully copied non-default user profile has many user-specific settings, such as hardcoded system paths to user profile folders (documents, images, music, recycle bin and many more), that will break the profile when used for other users. This wreaks havoc on the system and can cause corruption, stability issues, permissions problems and access problems for users.
A Mandatory Profile Solution That Works
This is a working solution to configure mandatory profiles without using Sysprep or third party tools.
1) Create your ideal default user profile using a local administrative account.
2) Rename original default profile "OLD-default". Rename newly created profile "default".
3) Use regedit to configure the new default user profile for use by any user.
4) Copy modified default user profile to a network share - Add .V2 extension to folder name.
5) Rename ntuser.dat to ntuser.man to create mandatory (read only) profile.
6) In ADUC - Set user's paths to network location of new default mandatory profile.
Create the Default Local User Profile
Ideally, start with a fresh installation. Create a new local administrator account called Student. Add all of your applications and updates. Configure your desktop icons, background, start menu, toolbars, browser homepage and preferences etc. Log off. Log on with the Student account and test everything you configured.
Reboot the computer.
Rename original default profile "OLD-default". Rename newly created profile "default"
- Logon with a different local Administrator account (Not the Student account).
- Go to: C:\Users.
- Go to: Organize > Folder and search options > View tab.
- On the View tab: Select: Show hidden folders, files and drives.
- Deselect: Hide protected Operating System Files.
- Click: OK
Rename the hidden Default folder (not the Default User folder) to OLD-Default.
We are simply moving the original default profile folder out of the way so we can put our fully configured Student profile in its place.
Rename Student to Default.
We are renaming the fully configured Student profile folder so it will take the Default profile's place.
The new fully configured Default profile is now in place.
This default profile needs to be edited for use by any user.
You can delete the OLD-Default profile folder.
Configure the Default Profile for Use by Any User
The newly created Default profile has many hardcoded references to our "Student" user. We will do a search and replace to remove those references and replace them with the Microsoft variable %username%.
Whenever a user logs on using this modified default profile, their name and user specific paths will automagically be substituted for the variable. This is the key to making our mandatory default user profile work properly for any user.
The user profile is really a database of user specific registry settings. We will use regedit to edit the default user profile.
Open the registry editor. Start > Run box > regedit.
Click on HKEY_USERS.
File > Load Hive...
Navigate to the location of the new default profile and open the ntuser.dat file.
When the .dat file is loaded, it will prompt for a name.
Name it TEMPORARY.
Right click on TEMPORARY and Export the file to the desktop.
We will edit this file in Notepad.
Right click on the exported registry file and click edit.
Do a search and replace in Notepad.
Replace all instances of "student" with the variable %username%.
Save the changes and close the file.
Double click the modified registry file on the desktop to re-enter the changed data into the registry.
Unload the Temporary Hive.
We are done editing the default student profile. File > Unload Hive...
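A check for the search-and-replace step above, as an added example that is not part of the original page: regedit exports expandable-string and multi-string values as hex(2) and hex(7) lists of UTF-16LE bytes, so a Notepad search for "student" never sees them. The script decodes those values and lists every value that still names the profile owner; the function names and the sample export are constructed for illustration.

```python
import re

def hex2(text):
    """Encode text the way regedit exports REG_EXPAND_SZ: hex(2) + UTF-16LE bytes."""
    return "hex(2):" + ",".join("%02x" % b for b in (text + "\0").encode("utf-16-le"))

# Constructed sample export of the loaded hive; keys and values are made up.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_USERS\TEMPORARY\Software\Example\Paths]",
    r'"Cache"="C:\\Users\\Student\\AppData\\Local\\Example"',
    r'"Theme"="blue"',
    "",
    r"[HKEY_USERS\TEMPORARY\Software\Example\Shell]",
    # Long hex values are wrapped with a trailing backslash, as regedit does.
    '"Music"=' + hex2(r"C:\Users\Student\Music")[:40] + "\\",
    "  " + hex2(r"C:\Users\Student\Music")[40:],
])

def find_owner_refs(reg_text, owner):
    """Return (key, value name, kind, text) for every value that still names owner."""
    # Join the backslash line continuations used for long hex values.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    hits, key = [], None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$', line)
        if not m:
            continue
        name, data = m.group(1).strip('"'), m.group(2)
        h = re.match(r"hex\((2|7)\):(.*)$", data)
        if h:  # REG_EXPAND_SZ / REG_MULTI_SZ: decode the UTF-16LE byte list
            kind = "hex-encoded"
            raw = bytes(int(b.strip(), 16) for b in h.group(2).split(",") if b.strip())
            text = raw.decode("utf-16-le", errors="replace").rstrip("\0")
        else:
            kind, text = "plain", data
        if owner.lower() in text.lower():
            hits.append((key, name, kind, text))
    return hits

if __name__ == "__main__":
    for hit in find_owner_refs(SAMPLE_REG, "Student"):
        print(hit)
```

A real regedit export is UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text to `find_owner_refs`.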
Copy the modified default profile to a network share.
Add a .V2 extension to the default profile folder name.
Go to My Computer on the desktop. Right click, Properties > Advanced system settings > Advanced tab > User Profiles > Settings button.
Select the Default Profile and click "Copy To".
Copy the default profile to your preferred network location.
Alternately, you could copy the default profile to a flash drive or other local location and copy and paste the default profile folder manually to your network share.
Set Permitted to use to Everyone.
Rename the default profile folder as necessary and add .V2 extension to the folder name.
Rename the folder to anything you like but add the extension .V2 to the end of it.
In this example I renamed the "Student" profile folder to "default.V2"
In the example below, the following profile folders are on the file server in a shared folder:
- default was created with an XP machine for XP users.
- default.V2 is the Win 7 profile for Win 7 users.
- Administrator has its own profile suitable for (XP) only.
- There are backup copies of both types of default profiles.
Set default user profile to be a mandatory profile (read only)
Open the default.V2 folder and rename ntuser.dat to ntuser.man.
This makes this modified default user profile a "Mandatory Profile" which is "read only".
Assign Your Users the Path to the Modified User Profile Location on Your Server
In this example, Windows Server 2003 R2 is being used. In Active Directory Users and Computers (ADUC), right click on a user or users and click "properties".
Enter the Profile path to the shared network location where you copied the modified default user profile folder. In this example it is \\fileserver\profiles$\default.
Do NOT add the .V2 extension in the profile path.
If a user is using a Windows 7 machine, it will automatically choose the default.V2 folder.
If a user is using an XP machine, it will use the standard default folder.