
Create a Mandatory Computer Profile

Posted on 2003-12-01
Last Modified: 2008-02-01
How do I create a Mandatory "computer" profile on Windows 2000 Pro Clients connected to a Windows 2000 Server in Active Directory mode?
The best example I can give is a group of 'library' computers which I want with all the same looking icons, printers, appearance etc, and any modifications are lost when the user logs out - regardless of who the user is. (With an exception to Administrator if possible - to allow easy modification). I would like to implement roaming profiles on other machines if possible (per user).

I've got a profile I want to use, copied it to the server in a share directory, renamed user.dat to user.man... but where do I set those 'computers' that should use this profile?

I would have thought I'd do this in Active Directory Users and Computers under a separate 'GPO' for those computers, and enable loopback processing mode, and set it to 'override' user roaming profiles if it's set to mandatory.

500 points here as I've tried searching without any luck. Is it possible, and if so, what limitations do I add to the system? (i.e. mixed computer profiles, roaming user profiles, local profiles etc.)
Question by:Zebis_nz
Assisted Solution

by:juliancrawford
juliancrawford earned 250 total points
ID: 9856765
Check this link out to see if you have followed the correct steps:
http://support.microsoft.com/default.aspx?scid=kb;en-us;323368
Accepted Solution

by:tstaddon
tstaddon earned 250 total points
ID: 9856953
The simplest way I can think of to do this is to assign roaming profiles for the whole domain, THEN create a single user account in a child OU (which I'll call Library for the sake of simplicity).

Then, move the computer accounts for the library area into the Library OU.

Once this has been done, create a new group policy in the OU, and clamp it down tight.

Group policies assume the following inheritance:

Local machine --> Site --> Domain --> Domain OU --> Child OU

The Library GPO is applied before login, THEN the GPO for either Library or its parent is applied (depending on the user), THEN the Library GPO is reapplied.

If you do explicitly deny anything in the Library's GPO, ideally lock the USER ACCOUNT down, not the machine, unless you really know your way around the Security Templates.

Here are a few settings I'd suggest you look at for the Library GPO:

Computer Configuration -> Administrative Templates:
---------------------------------------------------------------
System --> Logon (enable Delete cached copies of roaming profiles)
Network --> Offline Files (set the Enabled option to Disabled)

User Configuration -> Administrative Templates:
---------------------------------------------------------------
Windows Components --> Internet Explorer
(lock down ICW, Advanced page, changing home page settings etc)

Windows Components --> Desktop (Don't save settings at exit)

System --> Logon/Logoff
(exclude directories in roaming profile, add paths to Favorites, History, Recent etc)

What you can also do is have a startup script for the user accounts in the Library container, which deletes the library user's profile directory in the Documents and Settings subfolder if it exists.

I have to say I'm not completely fluent in group policies, but this would be how I'd start off.
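The answer above recommends two policy settings and a startup script that purges the library user's cached profile. The following is an added example of such a script (not code from the thread or from Microsoft); it assumes a kiosk account named LIBDOMAIN\libuser and that the script is assigned as a Computer Configuration startup script in the Library OU GPO, so it runs as SYSTEM before anyone logs on. It first checks that loopback "Replace" mode and "Delete cached copies of roaming profiles" are actually in effect on the client, then removes the cached profile so the next logon is rebuilt from the mandatory (user.man) profile on the server.

```powershell
# Added example, not from the original thread. Assumed name: LIBDOMAIN\libuser
# is the single user account in the Library OU described in the answer.
$KioskAccount = 'LIBDOMAIN\libuser'

# 1. Verify the two GPO settings the answer recommends are applied on this client.
#    Both land under the Policies\...\System key:
#      UserPolicyMode     2 = loopback processing in Replace mode
#      DeleteRoamingCache 1 = "Delete cached copies of roaming profiles" enabled
$sysPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$loopback  = (Get-ItemProperty -Path $sysPolicy -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
$purge     = (Get-ItemProperty -Path $sysPolicy -Name DeleteRoamingCache -ErrorAction SilentlyContinue).DeleteRoamingCache
if ($loopback -ne 2) { Write-Warning "Loopback processing is not in Replace mode (UserPolicyMode=$loopback)" }
if ($purge -ne 1)    { Write-Warning "'Delete cached copies of roaming profiles' is not enabled" }

# 2. Find the locally cached copy of the kiosk user's profile. Windows records every
#    local profile under ProfileList keyed by SID, with ProfileImagePath pointing at
#    the folder (Documents and Settings on Windows 2000, Users on later versions),
#    so the script does not need to hard-code the profile root.
$sid = (New-Object System.Security.Principal.NTAccount($KioskAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"

if (Test-Path $profileKey) {
    $profileDir = (Get-ItemProperty -Path $profileKey -Name ProfileImagePath).ProfileImagePath
    if (Test-Path $profileDir) {
        # Discard whatever the last session changed; the mandatory profile is re-copied
        # from the server share at the next logon.
        Remove-Item -Path $profileDir -Recurse -Force
    }
    # Remove the registration as well. A ProfileList entry whose folder is missing
    # makes Windows log the user on with a temporary profile instead of the mandatory one.
    Remove-Item -Path $profileKey -Recurse -Force
}
```

If the policy checks print warnings, the GPO is either not linked to the OU the computer account sits in or has not been refreshed yet; fix that before relying on the script, which only cleans up what the policies should already prevent.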

Expert Comment

by:tstaddon
ID: 9856968
(Julian's answer is better!)
Author Comment

by:Zebis_nz
ID: 9863265
Hi all again,

I had a look at that website and I've been there before; it only gets me half way, as that is for "user mandatory profiles", not "computer mandatory profiles".

It seems it's not easily done (well, from what I can see)...

Do I need to create a 'fake' user inside the OU that contains these computers, and apply the profile I've created to this user? Then somehow can I apply it to these groups of PCs (loopback processing)?

I've seen an example on another website some time ago and I can't seem to find it. I'll keep trying and checking here, or post when I have a solution.
Expert Comment

by:tstaddon
ID: 9866079
Ideally, yes you do need a user profile in the OU.

The trouble with doing it solely using computer profiles is that a legitimate network user who needs access to other facilities won't get them.

The way around it is to use a user profile for SPECIFIC clampdowns; the computer profile for the OU should contain GENERIC lockdowns.
Author Comment

by:Zebis_nz
ID: 9954177
Thanks for your comments and input.

There isn't a total 'solution' to my question. It has to be done in parts. So far I've created a roaming profile for each user and redirected the desktop / start menu etc. for particular computer OUs. Not quite what I wanted, but it works.

Only problem I have now is the profile I've created overrides the redirected folders, even when they have been excluded. I'll sort that in a separate question.

I'll split the points 50/50.