Group Policy settings not applied to users with mandatory profiles.

Posted on 2004-10-22
Medium Priority
Last Modified: 2008-02-01
It's a school network that I manage, Windows 2003 Server with XP clients (both SP1 and SP2).
Due to the way schools are, I use mandatory profiles to make life easier.

I have the users in organisational units, and I apply group policies to them. The problem is that the Group Policy does not get applied. If, however, I rename the ntuser.man to ntuser.dat, the group policies get applied.

Do group policies work with mandatory profiles?
Question by:dwol

Accepted Solution

corneliup earned 500 total points
ID: 12380026
This is by design, mandatory user profiles are read-only.

Mandatory User Profiles
A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded. There are two types of mandatory profiles: normal mandatory profiles and super-mandatory profiles.

User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) on the server to NTuser.man. The .man extension causes the user profile to be a read-only profile.

User profiles become super-mandatory when the folder name of the profile path ends in .man; for example, \\server\share\mandatoryprofile.man\.

Super-mandatory user profiles are similar to normal mandatory profiles, with the exception that users who have super-mandatory profiles cannot log on when the server that stores the mandatory profile is unavailable. Users with normal mandatory profiles can log on with the locally cached copy of the mandatory profile.

Only system administrators can make changes to mandatory user profiles.
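
The naming rules in the answer above, as an added example that is not part of the original thread: a PowerShell function that classifies a profile folder by its hive file name and folder suffix, and flags folders where both hives are present. The function name `Get-ProfileType` and the sample folder names are hypothetical, and the folder tree is constructed in a temporary directory so the script runs without a real profile share.

```powershell
# Added example: classify profile folders using the naming rules quoted in the answer.
function Get-ProfileType {
    param([Parameter(Mandatory = $true)][string]$ProfilePath)

    $folder = Split-Path -Path $ProfilePath.TrimEnd('\', '/') -Leaf
    # Test-Path also sees hidden files, which matters because the hive is usually hidden.
    $hasMan = Test-Path -LiteralPath (Join-Path $ProfilePath 'NTUSER.MAN') -PathType Leaf
    $hasDat = Test-Path -LiteralPath (Join-Path $ProfilePath 'NTUSER.DAT') -PathType Leaf

    if ($folder -like '*.man') { $type = 'Super-mandatory' }   # folder name ends in .man
    elseif ($hasMan)           { $type = 'Mandatory' }         # hive renamed to NTuser.man
    elseif ($hasDat)           { $type = 'Not mandatory' }     # ordinary writable hive
    else                       { $type = 'No hive found' }

    $note = ''
    if ($hasMan -and $hasDat) { $note = 'Both NTUSER.MAN and NTUSER.DAT present; check which is intended' }
    if ($type -eq 'Super-mandatory' -and -not ($hasMan -or $hasDat)) { $note = 'Folder ends in .man but holds no hive' }

    [pscustomobject]@{ Folder = $folder; Type = $type; Note = $note }
}

# Constructed sample tree (hypothetical folder names) so the example runs offline.
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'profile-audit-demo'
$layout = [ordered]@{
    'pupils'   = @('NTUSER.MAN')
    'lab.man'  = @('NTUSER.MAN')
    'staff01'  = @('NTUSER.DAT')
    'leftover' = @('NTUSER.MAN', 'NTUSER.DAT')
}
foreach ($name in $layout.Keys) {
    $dir = New-Item -ItemType Directory -Path (Join-Path $root $name) -Force
    foreach ($f in $layout[$name]) { New-Item -ItemType File -Path (Join-Path $dir.FullName $f) -Force | Out-Null }
}

Get-ChildItem -LiteralPath $root -Directory -Force |
    ForEach-Object { Get-ProfileType -ProfilePath $_.FullName } |
    Sort-Object Folder | Format-Table Folder, Type, Note -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```

To audit a real share, replace the sample tree with the path to the folder that holds the profiles and drop the `Remove-Item` line.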


Expert Comment

ID: 12380168
What corneliup said was right on.  I would recommend just using GPOs to set everything up.  Mandatory profiles are more from the NT 4.0 days.  If done correctly, GPOs can do everything your mandatory profiles do and more.

If you want special settings on some stations to be applied no matter who is logging in, use loopback.  It is perfect for locking down a lab.  You can also set security so that the GPO only applies to some groups but not others.  That way, if you're an admin logging in, it doesn't apply to you.  Here is a link that explains loopback and some other things as well.  Let me know if you need any specifics.


Author Comment

ID: 12380796
Using non-mandatory profiles is not an option.

When the network was first set up in April, everybody had a roaming user profile, and I used GPOs to lock things down. It was a nightmare!

The kids would just go and get third-party programs to get around the GPO settings, they would bloat their profiles, making logon take forever, and it was difficult to customise things exactly how we wanted without the kids making a mess of things.

Then SP2 came out and made folder redirection policies take forever to apply, with Microsoft's response of "wait for the next service pack!"

Things run so smoothly now with mandatory profiles; it would just be nice to be able to drop them in another organisational unit and their proxy settings change...

Expert Comment

ID: 12382679
If the students were locked down with the correct security settings, they shouldn't be able to install third-party apps.  It sounds like corneliup gave the answer you needed.  I would recommend giving him the points, please.
