Solved

Create a Mandatory Computer Profile

Posted on 2003-12-01
Last Modified: 2008-02-01
How do I create a Mandatory "computer" profile on Windows 2000 Pro Clients connected to a Windows 2000 Server in Active Directory mode?
The best example I can give is a group of 'library' computers which I want with all the same looking icons, printers, appearance etc, and any modifications are lost when the user logs out - regardless of who the user is. (With an exception to Administrator if possible - to allow easy modification). I would like to implement roaming profiles on other machines if possible (per user).

I've got a profile I want to use, copied it to the server in a share directory, renamed user.dat to user.man.... but where do I set those 'computers' that should use this profile?

I would have thought I'd do this in Active Directory Users and Computers under a separate 'GPO' for those computers, and enable loopback processing mode. And set it to 'override' user roaming profiles if it's set to mandatory.

500 points here as I've tried searching without any luck. Is it possible and if so what limitations do I add to the system? (i.e. mixed computer profiles, roaming user profiles, local profiles etc)
Question by:Zebis_nz
6 Comments
 
LVL 5

Assisted Solution

by:juliancrawford
juliancrawford earned 250 total points
ID: 9856765
Check this link out to see if you have followed the correct steps:
http://support.microsoft.com/default.aspx?scid=kb;en-us;323368
0
 
LVL 5

Accepted Solution

by:tstaddon
tstaddon earned 250 total points
ID: 9856953
The simplest way I can think of to do this, is to assign roaming profiles for the whole domain, THEN create a single user account in a child OU (which I'll call Library for the sake of simplicity).

Then, move the computer accounts for the library area into the Library OU.

Once this has been done, create a new group policy in the OU, and clamp it down tight.

Group policies assume the following inheritance:-

Local machine --> Site --> Domain --> Domain OU --> Child OU

The Library GPO is applied before login, THEN the GPO for either Library or its parent is applied (depending on the user), THEN the Library GPO is reapplied.

If you do explicitly deny anything in the Library's GPO, ideally lock the USER ACCOUNT down, not the machine, unless you really know your way around the Security Templates.

Here are a few settings I'd suggest you look at for the Library GPO:

Computer Configuration -> Administrative Templates :
---------------------------------------------------------------
System --> Logon (enable Delete cached copies of roaming profiles)
Network --> Offline Files (set the Enabled option to Disabled)

User Configuration -> Administrative Templates :
---------------------------------------------------------------
Windows Components --> Internet Explorer
(lock down ICW, Advanced page, changing home page settings etc)

Windows Components --> Desktop (Don't save settings at exit)

System --> Logon/Logoff
(exclude directories in roaming profile, add paths to Favorites, History, Recent etc)

What you can also do, is have a startup script for the user accounts in the Library container, which deletes the library user's profile directory in Documents and Settings subfolder if it exists.

I have to say I'm not completely fluent in group policies, but this would be how I'd start off.
0
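
To confirm that the Library GPO settings listed in the answer above, and the loopback mode raised in the question, actually reached a library client, a read-only registry check along these lines can be run as the logged-on library user. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later is available on the client, and the registry paths and value names are the standard policy-backed locations for these settings, which the thread itself does not give.

```powershell
# Added example: read-only check that the Library GPO settings reached this machine.
# Run as the logged-on library user so the HKCU values reflect that user's policy.
# Registry value names are the policy-backed ones; they are not quoted in the thread.

$expected = @(
    @{ Setting = 'Delete cached copies of roaming profiles'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name    = 'DeleteRoamingCache'; Want = 1 },
    @{ Setting = 'Offline Files disabled'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'
       Name    = 'Enabled'; Want = 0 },
    @{ Setting = 'Loopback processing (1 = merge, 2 = replace)'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name    = 'UserPolicyMode'; Want = @(1, 2) },
    @{ Setting = "Don't save settings at exit"
       Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name    = 'NoSaveSettings'; Want = 1 },
    @{ Setting = 'Exclude directories in roaming profile'
       Path    = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name    = 'ExcludeProfileDirs'; Want = $null }   # any non-empty list passes
)

function Test-LibraryPolicy {
    param([hashtable]$Check)
    # A missing key or value means the policy never applied; treat it as a failure.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = $null
    if ($item) { $actual = $item.($Check.Name) }

    $ok = $false
    if ($null -ne $actual) {
        if ($null -eq $Check.Want) { $ok = ([string]$actual -ne '') } else { $ok = (@($Check.Want) -contains $actual) }
    }
    $shown = '(not set)'
    if ($null -ne $actual) { $shown = $actual }
    [pscustomobject]@{ Setting = $Check.Setting; Value = $shown; Applied = $ok }
}

$results = $expected | ForEach-Object { Test-LibraryPolicy -Check $_ }
$results | Format-Table -AutoSize

# Non-zero exit lets a logon script or scheduled check flag a machine that drifted.
if ($results.Applied -contains $false) { exit 1 }
```

A machine that reports `(not set)` for the HKLM values has usually not been moved into the Library OU or has not refreshed policy since the move.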
 
LVL 5

Expert Comment

by:tstaddon
ID: 9856968
(Julian's answer is better!)
0

 
LVL 1

Author Comment

by:Zebis_nz
ID: 9863265
Hi all again,

I had a look at that website and I've been there before, it only gets me half way as that is for "user mandatory profiles" not "computer mandatory profiles"

It seems it's not easily done (well from what I can see)...

Do I need to create a 'fake' user inside the OU that contains these computers, and apply the profile I've created to this user? Then somehow can I apply it to these groups of PCs (loopback processing)?

I've seen an example on another website some time ago and I can't seem to find it. I'll keep trying and checking here or post when I have a solution.
0
 
LVL 5

Expert Comment

by:tstaddon
ID: 9866079
Ideally, yes you do need a user profile in the OU.

The trouble with doing it solely using computer profiles, is that a legitimate network user who needs access to other facilities, won't get them.

The way around it is to use a user profile for SPECIFIC clampdowns, the computer profile for the OU should contain GENERIC lockdowns.
0
 
LVL 1

Author Comment

by:Zebis_nz
ID: 9954177
Thanks for your comments and input.

There isn't a total 'solution' to my question. It has to be done in parts. So far I've created a roaming profile for each user and redirected the desktop / start menu etc for particular computer OUs. Not quite what I wanted, but it works.

Only problem I have now is the profile I've created overrides the redirected folders, even when they have been excluded. I'll sort that in a separate question.

I'll split the points 50/50.
0
