Create a Mandatory Computer Profile

How do I create a Mandatory "computer" profile on Windows 2000 Pro Clients connected to a Windows 2000 Server in Active Directory mode?
The best example I can give is a group of 'library' computers which I want with all the same looking icons, printers, appearance etc, and any modifications are lost when the user logs out - regardless of who the user is. (With an exception to Administrator if possible - to allow easy modification). I would like to implement roaming profiles on other machines if possible (per user).

I've got a profile I want to use, copied it to the server in a share directory, renamed user.dat to but where do I set those 'computers' that should use this profile?

I would have thought I'd do this in Active Directory Users and Computers under a separate 'GPO' for those computers, and enable loopback processing mode. And set it to 'override' user roaming profiles if it's set to mandatory.

500 points here as I've tried searching without any luck. Is it possible, and if so, what limitations do I add to the system? (i.e. mixed computer profiles, roaming user profiles, local profiles etc.)
tstaddon Commented:
The simplest way I can think of to do this, is to assign roaming profiles for the whole domain, THEN create a single user account in a child OU (which I'll call Library for the sake of simplicity).

Then, move the computer accounts for the library area into the Library OU.

Once this has been done, create a new group policy in the OU, and clamp it down tight.

Group policies assume the following inheritance:-

Local machine --> Site --> Domain --> Domain OU --> Child OU

The Library GPO is applied before login, THEN the GPO for either Library or its parent is applied (depending on the user), THEN the Library GPO is reapplied.

If you do explicitly deny anything in the Library's GPO, ideally lock the USER ACCOUNT down, not the machine, unless you really know your way around the Security Templates.

Here are a few settings I'd suggest you look at for the Library GPO:

Computer Configuration -> Administrative Templates :
System --> Logon (enable Delete cached copies of roaming profiles)
Network --> Offline Files (set the Enabled option to Disabled)

User Configuration -> Administrative Templates :
Windows Components --> Internet Explorer
(lock down ICW, Advanced page, changing home page settings etc)

Windows Components --> Desktop (Don't save settings at exit)

System --> Logon/Logoff
(exclude directories in roaming profile, add paths to Favorites, History, Recent etc)

What you can also do, is have a startup script for the user accounts in the Library container, which deletes the library user's profile directory in Documents and Settings subfolder if it exists.

I have to say I'm not completely fluent in group policies, but this would be how I'd start off.
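The startup script suggested in the answer above, as an added example that is not part of the original post: a batch file, assumed here to be assigned as a computer startup script in the Library OU's GPO, that removes the locally cached profile of one account before anyone logs on. The account name `libraryuser` and the log file path are assumptions; the guards keep a blank or mistyped name from deleting the Administrator profile, the shared profiles, or the whole profile root.

```batch
@echo off
rem Added example: remove the cached local profile of the library account.
rem LIBUSER is a hypothetical account name; set it to the real one.
setlocal
set LIBUSER=libraryuser
set PROFILEROOT=%SystemDrive%\Documents and Settings
set LOGFILE=%SystemRoot%\Temp\libprofile-cleanup.log

rem An empty name would make the target the whole profile root, so stop here.
if "%LIBUSER%"=="" (
    echo %DATE% %TIME% LIBUSER is empty, nothing deleted >> "%LOGFILE%"
    goto :end
)

rem Never delete built-in or shared profiles, even if LIBUSER is mis-set.
for %%P in (Administrator "All Users" "Default User") do (
    if /i "%LIBUSER%"=="%%~P" (
        echo %DATE% %TIME% refused to delete protected profile %%~P >> "%LOGFILE%"
        goto :end
    )
)

set TARGET=%PROFILEROOT%\%LIBUSER%

rem Nothing cached on this machine: exit quietly.
if not exist "%TARGET%" goto :end

rem /s removes the whole tree, /q suppresses the confirmation prompt.
rd /s /q "%TARGET%"

rem rd does not report failure reliably, so check the result directly.
if exist "%TARGET%" (
    echo %DATE% %TIME% could not fully remove %TARGET% >> "%LOGFILE%"
) else (
    echo %DATE% %TIME% removed %TARGET% >> "%LOGFILE%"
)

:end
endlocal
```

Computer startup scripts run under the Local System account before logon, so the profile's files are not in use when the script runs.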
juliancrawford Commented:
check this link out to see if you have followed the correct steps ..;en-us;323368
(Julian's answer is better!)
Zebis_nz (Author) Commented:
Hi all again,

I had a look at that website and I've been there before; it only gets me halfway, as that is for "user mandatory profiles", not "computer mandatory profiles".

It seems it's not easily done (well, from what I can see)...

Do I need to create a 'fake' user inside the OU that contains these computers, and apply the profile I've created to this user? Then somehow can I apply it to these groups of PCs (loopback processing)?

I've seen an example on another website some time ago and I can't seem to find it. I'll keep trying and checking here, or post when I have a solution.
Ideally, yes you do need a user profile in the OU.

The trouble with doing it solely using computer profiles, is that a legitimate network user who needs access to other facilities, won't get them.

The way around it is to use a user profile for SPECIFIC clampdowns, the computer profile for the OU should contain GENERIC lockdowns.
Zebis_nz (Author) Commented:
Thanks for your comments and input.

There isn't a total 'solution' to my question. It has to be done in parts. So far I've created a roaming profile for each user and redirected the desktop / start menu etc. for particular computer OUs. Not quite what I wanted, but it works.

Only problem I have now is the profile I've created overrides the redirected folders, even when they have been excluded. I'll sort that in a separate question.

I'll split the points 50/50.