Group Policy settings not applied to users with mandatory profiles.

It's a school network that I manage, Windows 2003 Server with XP clients (both SP1 and SP2).
Due to the way schools are, I use mandatory profiles to make life easier.

I have the users in organisational units, and I apply group policies to them. The problem is that the Group Policy does not get applied. If, however, I rename the ntuser.man to ntuser.dat, the group policies get applied.

Do group policies work with mandatory profiles?
Asked by dwol

corneliup Commented:
This is by design, mandatory user profiles are read-only.

Mandatory User Profiles
A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded. There are two types of mandatory profiles: normal mandatory profiles and super-mandatory profiles.

User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) on the server to NTuser.man. The .man extension causes the user profile to be a read-only profile.

User profiles become super-mandatory when the folder name of the profile path ends in .man; for example, \\server\share\mandatoryprofile.man\.

Super-mandatory user profiles are similar to normal mandatory profiles, with the exception that users who have super-mandatory profiles cannot log on when the server that stores the mandatory profile is unavailable. Users with normal mandatory profiles can log on with the locally cached copy of the mandatory profile.

Only system administrators can make changes to mandatory user profiles.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/mandatory_user_profiles.asp

shard26 Commented:
What corneliup said was right on. I would recommend just using GPOs to set everything up. Mandatory profiles are more from the NT 4.0 days. If done correctly, GPOs can do everything your mandatory profiles do and more.

If you want special settings on some stations to be applied no matter who is logging in, use loopback. It is perfect for locking down a lab. You can also set security so that the GPO only applies to some groups but not others. That way, if you're an admin logging in, it doesn't apply to you. Here is a link that explains loopback and some other things as well. Let me know if you need any specifics.

http://windows.stanford.edu/docs/gpoorder.htm
dwol (Author) Commented:
Using non-mandatory profiles is not an option.

When the network was first set up in April, everybody had a roaming user profile, and I used GPOs to lock things down. It was a nightmare!

The kids would just go and get third-party programs to get around the GPO settings, they would bloat their profiles, making logon take forever, and it was difficult to customise things exactly how we wanted without the kids making a mess of things.

Then SP2 came out and made folder redirection policies take forever to apply, with Microsoft's response of "wait for the next service pack!"

Things run so smoothly now with mandatory profiles; it would just be nice to be able to drop them in another organisational unit and their proxy settings change...
shard26 Commented:
If the students were locked down with the correct security settings, they shouldn't be able to install third-party apps. It sounds like corneliup gave the answer you needed. I would recommend giving him the points please.
Windows Server 2003