Group Policy settings not applied to users with mandatory profiles.

Posted on 2004-10-22
Last Modified: 2008-02-01
It's a school network that I manage, Windows 2003 Server with XP clients (both SP1 and SP2).
Due to the way schools are, I use mandatory profiles to make life easier.

I have the users in organisational units, and I apply group policies to them. The problem is that the group policy is not applied. If, however, I rename the to ntuser.dat, the group policies get applied.

Do group policies work with mandatory profiles?
Question by:dwol

    Accepted Solution

    This is by design: mandatory user profiles are read-only.

    Mandatory User Profiles
    A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded. There are two types of mandatory profiles: normal mandatory profiles and super-mandatory profiles.

    User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) on the server to The .man extension causes the user profile to be a read-only profile.

    User profiles become super-mandatory when the folder name of the profile path ends in .man; for example, \\server\share\\.

    Super-mandatory user profiles are similar to normal mandatory profiles, with the exception that users who have super-mandatory profiles cannot log on when the server that stores the mandatory profile is unavailable. Users with normal mandatory profiles can log on with the locally cached copy of the mandatory profile.

    Only system administrators can make changes to mandatory user profiles.
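The two naming rules quoted in the answer above, applied as an audit of a profile share. This is an added example, not code from the thread; the function name `Get-ProfileKind`, the folder names and the temporary directory standing in for the share are constructed for illustration.

```powershell
# Classify each profile folder by the rules in the answer:
#   folder name ends in .man -> super-mandatory
#   hive named NTUSER.MAN    -> mandatory
#   hive named NTUSER.DAT    -> ordinary roaming profile
function Get-ProfileKind {
    param([Parameter(Mandatory = $true)][string]$ProfilePath)

    $hasMan      = Test-Path -LiteralPath (Join-Path $ProfilePath 'NTUSER.MAN') -PathType Leaf
    $hasDat      = Test-Path -LiteralPath (Join-Path $ProfilePath 'NTUSER.DAT') -PathType Leaf
    $folderIsMan = (Split-Path -Path $ProfilePath -Leaf) -like '*.man'

    $kind = if ($folderIsMan) { 'SuperMandatory' }
            elseif ($hasMan)  { 'Mandatory' }
            elseif ($hasDat)  { 'Roaming' }
            else              { 'NoHive' }

    $notes = @{
        Roaming        = 'changes saved at logoff'
        Mandatory      = 'read-only; cached copy usable if the server is down'
        SuperMandatory = 'read-only; no logon if the server is unavailable'
        NoHive         = 'no NTUSER hive found'
    }

    [pscustomobject]@{
        Folder = Split-Path -Path $ProfilePath -Leaf
        Kind   = $kind
        HasMan = $hasMan
        HasDat = $hasDat
        Note   = $notes[$kind]
    }
}

# Constructed sample layout in a temp directory (stands in for \\server\share).
$share  = Join-Path ([IO.Path]::GetTempPath()) ('profiles-' + [guid]::NewGuid())
$layout = @{ 'alice' = 'NTUSER.DAT'; 'lab-student' = 'NTUSER.MAN'
             'kiosk.man' = 'NTUSER.MAN'; 'empty' = $null }
foreach ($name in $layout.Keys) {
    $dir = New-Item -ItemType Directory -Path (Join-Path $share $name) -Force
    if ($layout[$name]) {
        New-Item -ItemType File -Path (Join-Path $dir.FullName $layout[$name]) | Out-Null
    }
}

Get-ChildItem -LiteralPath $share -Directory |
    ForEach-Object { Get-ProfileKind -ProfilePath $_.FullName } |
    Sort-Object Folder | Format-Table -AutoSize

Remove-Item -LiteralPath $share -Recurse -Force
```

A folder that reports both `HasMan` and `HasDat` as true is worth a manual look, since it suggests a rename was done by copying rather than renaming the hive.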

    Expert Comment

    What corneliup said was right on.  I would recommend just using GPOs to set everything up.  Mandatory profiles are more from the NT 4.0 days.  If done correctly, GPOs can do everything your mandatory profiles do and more.

    If you want special settings on some stations to be applied no matter who is logging in, use loopback.  It is perfect for locking down a lab.  You can also set security so that the GPO only applies to some groups but not others.  That way, if you're an admin logging in, it doesn't apply to you.  Here is a link that explains loopback and some other things as well.  Let me know if you need any specifics.

    Author Comment

    Using non-mandatory profiles is not an option.

    When the network was first set up in April everybody had a roaming user profile, and I used GPOs to lock things down. It was a nightmare!

    The kids would just go and get third-party programs to get around the GPO settings, they would bloat their profiles, making logon take forever, and it was difficult to customise things exactly how we wanted without the kids making a mess of things.

    Then SP2 came out and made folder redirection policies take forever to apply, with Microsoft's response of "wait for the next service pack!"

    Things run so smoothly now with mandatory profiles, it would just be nice to be able to drop them in another organisational unit and their proxy settings change...

    Expert Comment

    If the students were locked down with the correct security settings they shouldn't be able to install third-party apps.  It sounds like corneliup gave the answer you needed.  I would recommend giving him the points please.
