Solved

Create a Mandatory Computer Profile

Posted on 2003-12-01
6
1,342 Views
Last Modified: 2008-02-01
How do I create a Mandatory "computer" profile on Windows 2000 Pro Clients connected to a Windows 2000 Server in Active Directory mode?
The best example I can give is a group of 'library' computers which I want with all the same looking icons, printers, appearance etc, and any modifications are lost when the user logs out - regardless of who the user is. (With an exception to Administrator if possible - to allow easy modification). I would like to implement roaming profiles on other machines if possible (per user).

Ive got a profile I want to use, copied it to the server in a share directory, renamed user.dat to user.man.... but where do I set those 'computers' that should use this profile?

I would have thought id do this in Active Directory Users and Computers under a separate 'GPO' for those computers, and enable loopback processing mode. And set it to 'override' user roaming profiles if its set to mandatory.

500 points here as ive tried searching without any luck. Is it possible and if so what limitations do I add to the system? (ie mixed computer profiles, roaming user profiles, local profiles etc)
0
Comment
Question by:Zebis_nz
  • 3
  • 2
6 Comments
 
LVL 5

Assisted Solution

by:juliancrawford
juliancrawford earned 250 total points
ID: 9856765
check this link out to see if you have followed the correct steps ..
http://support.microsoft.com/default.aspx?scid=kb;en-us;323368
0
 
LVL 5

Accepted Solution

by:
tstaddon earned 250 total points
ID: 9856953
The simplest way I can think of to do this, is to assign roaming profiles for the whole domain, THEN create a single user account in a child OU (which I'll call Library for the sake of simplicity).

Then, move the computer accounts for the library area into the Library OU.

Once this has been done, create a new group policy in the OU, and clamp it down tight.

Group policies assume the following inheritance:-

Local machine --> Site --> Domain --> Domain OU --> Child OU

The Library GPO is applied before login, THEN the GPO for either Library or its parent is applied (depending on the user), THEN the Library GPO is reapplied.

If you do explicitly deny anything in the Library's GPO, ideally lock the USER ACCOUNT down, not the machine, unless you really know your way around the Security Templates.

Here are a few settings I'd suggest you look at for the Library GPO:

Computer Configuration -> Administrative Templates :
---------------------------------------------------------------
System --> Logon (enable Delete cached copies of roaming profiles)
Network --> Offline Files (set the Enabled option to Disabled)

User Configuration -> Administrative Templates :
---------------------------------------------------------------
Windows Components --> Internet Explorer
(lock down ICW, Advanced page, changing home page settings etc)

Windows Components --> Desktop (Don't save settings at exit)

System --> Logon/Logoff
(exclude directories in roaming profile, add paths to Favorites, History, Recent etc)

What you can also do, is have a startup script for the user accounts in the Library container, which deletes the library user's profile directory in Documents and Settings subfolder if it exists.

I have to say I'm not completely fluent in group policies, but this would be how I'd start off.
0
 
LVL 5

Expert Comment

by:tstaddon
ID: 9856968
(Julian's answer is better!)
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 1

Author Comment

by:Zebis_nz
ID: 9863265
Hi all again,

I had a look at that website and ive been there before, it only gets me half way as that is for "user mandatory profiles" not "computer mandatory profiles"

It seems its not easily done (well from what I can see)...

Do I need to create a 'fake' user inside the OU that contains these computers, and apply the profile ive created to this user. Then somehow can I apply it to these groups of PC's (loopback processing).

Ive seen an example on another website some time ago and I cant seem to find it. Ill keep trying and checking here or post when I have a solution.
0
 
LVL 5

Expert Comment

by:tstaddon
ID: 9866079
Ideally, yes you do need a user profile in the OU.

The trouble with doing it solely using computer profiles, is that a legitimate network user who needs access to other facilities, won't get them.

The way around it is to use a user profile for SPECIFIC clampdowns, the computer profile for the OU should contain GENERIC lockdowns.
0
 
LVL 1

Author Comment

by:Zebis_nz
ID: 9954177
Thanks for your comments and input.

There isnt a total 'solution' to my question. It has to be done in parts. So far ive created a roaming profile for each user and redirected the desktop / start menu etc for particular computer OU's. Not quite what I wanted, but it works.

Only problem I have now is the profile ive created over-rides the redirected folders, even when they have been excluded. Ill sort that in a seperate question.

Ill split the points 50/50.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Learn how to PXE Boot both BIOS & UEFI machines with DHCP Policies and Custom Vendor Classes
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question