Solved

Create a Mandatory Computer Profile

Posted on 2003-12-01
Last Modified: 2008-02-01
How do I create a Mandatory "computer" profile on Windows 2000 Pro Clients connected to a Windows 2000 Server in Active Directory mode?
The best example I can give is a group of 'library' computers which I want with all the same looking icons, printers, appearance etc., and any modifications are lost when the user logs out, regardless of who the user is. (With an exception to Administrator if possible, to allow easy modification.) I would like to implement roaming profiles on other machines if possible (per user).

I've got a profile I want to use, copied it to the server in a share directory, renamed user.dat to user.man... but where do I set those 'computers' that should use this profile?

I would have thought I'd do this in Active Directory Users and Computers under a separate 'GPO' for those computers, and enable loopback processing mode. And set it to 'override' user roaming profiles if it's set to mandatory.

500 points here as I've tried searching without any luck. Is it possible, and if so what limitations do I add to the system? (i.e. mixed computer profiles, roaming user profiles, local profiles etc.)
Question by:Zebis_nz
 
LVL 5

Assisted Solution

by:juliancrawford
juliancrawford earned 250 total points
ID: 9856765
Check this link out to see if you have followed the correct steps:
http://support.microsoft.com/default.aspx?scid=kb;en-us;323368
0
 
LVL 5

Accepted Solution

by:
tstaddon earned 250 total points
ID: 9856953
The simplest way I can think of to do this, is to assign roaming profiles for the whole domain, THEN create a single user account in a child OU (which I'll call Library for the sake of simplicity).

Then, move the computer accounts for the library area into the Library OU.

Once this has been done, create a new group policy in the OU, and clamp it down tight.

Group policies assume the following inheritance:-

Local machine --> Site --> Domain --> Domain OU --> Child OU

The Library GPO is applied before login, THEN the GPO for either Library or its parent is applied (depending on the user), THEN the Library GPO is reapplied.

If you do explicitly deny anything in the Library's GPO, ideally lock the USER ACCOUNT down, not the machine, unless you really know your way around the Security Templates.

Here are a few settings I'd suggest you look at for the Library GPO:

Computer Configuration -> Administrative Templates :
---------------------------------------------------------------
System --> Logon (enable Delete cached copies of roaming profiles)
Network --> Offline Files (set the Enabled option to Disabled)

User Configuration -> Administrative Templates :
---------------------------------------------------------------
Windows Components --> Internet Explorer
(lock down ICW, Advanced page, changing home page settings etc)

Windows Components --> Desktop (Don't save settings at exit)

System --> Logon/Logoff
(exclude directories in roaming profile, add paths to Favorites, History, Recent etc)

What you can also do, is have a startup script for the user accounts in the Library container, which deletes the library user's profile directory in Documents and Settings subfolder if it exists.

I have to say I'm not completely fluent in group policies, but this would be how I'd start off.
0
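Added example, not part of the original answer: a sketch of the cleanup script suggested above, written as a computer startup script for the Library GPO so that it runs before anyone is logged on. The account name `libuser` and the log path are hypothetical; the guards stop an empty or built-in name from wiping the wrong folder.

```batch
@echo off
rem Added example: computer startup script for the Library OU's GPO.
rem LIBUSER is a hypothetical name; set it to the shared library account.
setlocal
set LIBUSER=libuser
set PROFILES=%SystemDrive%\Documents and Settings
set LOG=%SystemRoot%\Temp\libprofile-cleanup.log

rem Refuse to run with an empty name or a built-in profile folder name.
if "%LIBUSER%"=="" goto :eof
for %%N in (Administrator "All Users" "Default User") do if /i "%LIBUSER%"=="%%~N" goto :eof

rem Windows appends a suffix (.DOMAIN, .000, ...) when a profile folder
rem name collides, so check the exact folder and any suffixed variants.
for /d %%D in ("%PROFILES%\%LIBUSER%" "%PROFILES%\%LIBUSER%.*") do call :wipe "%%~fD"
goto :eof

:wipe
rem Only delete folders that actually hold a profile hive (ntuser.dat/.man).
if not exist "%~1\ntuser.*" goto :eof
echo %DATE% %TIME% removing %1 >> "%LOG%"
rd /s /q %1
if exist %1 echo %DATE% %TIME% FAILED to remove %1 >> "%LOG%"
goto :eof
```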
 
LVL 5

Expert Comment

by:tstaddon
ID: 9856968
(Julian's answer is better!)
0
 
LVL 1

Author Comment

by:Zebis_nz
ID: 9863265
Hi all again,

I had a look at that website and I've been there before; it only gets me halfway, as that is for "user mandatory profiles", not "computer mandatory profiles".

It seems it's not easily done (well, from what I can see)...

Do I need to create a 'fake' user inside the OU that contains these computers, and apply the profile I've created to this user? Then somehow can I apply it to these groups of PCs (loopback processing)?

I've seen an example on another website some time ago and I can't seem to find it. I'll keep trying and checking here, or post when I have a solution.
0
 
LVL 5

Expert Comment

by:tstaddon
ID: 9866079
Ideally, yes you do need a user profile in the OU.

The trouble with doing it solely using computer profiles, is that a legitimate network user who needs access to other facilities, won't get them.

The way around it is to use a user profile for SPECIFIC clampdowns, the computer profile for the OU should contain GENERIC lockdowns.
0
 
LVL 1

Author Comment

by:Zebis_nz
ID: 9954177
Thanks for your comments and input.

There isn't a total 'solution' to my question. It has to be done in parts. So far I've created a roaming profile for each user and redirected the desktop / start menu etc. for particular computer OUs. Not quite what I wanted, but it works.

Only problem I have now is the profile I've created overrides the redirected folders, even when they have been excluded. I'll sort that in a separate question.

I'll split the points 50/50.
0
