Solved

Group Policy settings not applied to users with mandatory profiles.

Posted on 2004-10-22
Last Modified: 2008-02-01
It's a school network that I manage, Windows 2003 Server with XP Clients (both SP1 and SP2).
Due to the way schools are, I use mandatory profiles to make life easier.

I have the users in organisational units, and I apply group policies to them. The problem is the Group Policy is not applied. If, however, I rename the ntuser.man to ntuser.dat, the group policies get applied.

Do group policies work with mandatory profiles?
0
Comment
Question by:dwol
6 Comments
 
LVL 7

Accepted Solution

by:
corneliup earned 500 total points
ID: 12380026
This is by design; mandatory user profiles are read-only.

Mandatory User Profiles
A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded. There are two types of mandatory profiles: normal mandatory profiles and super-mandatory profiles.

User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) on the server to NTuser.man. The .man extension causes the user profile to be a read-only profile.

User profiles become super-mandatory when the folder name of the profile path ends in .man; for example, \\server\share\mandatoryprofile.man\.

Super-mandatory user profiles are similar to normal mandatory profiles, with the exception that users who have super-mandatory profiles cannot log on when the server that stores the mandatory profile is unavailable. Users with normal mandatory profiles can log on with the locally cached copy of the mandatory profile.

Only system administrators can make changes to mandatory user profiles.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/mandatory_user_profiles.asp
0
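The two naming rules quoted in the accepted answer, as an added PowerShell example that is not part of the original thread. The function name `Get-ProfileType` and the demo folder names are hypothetical, and the sample profile folders are constructed in a temp directory so the script runs without a file server.

```powershell
# Added example: classify a profile folder using the rules quoted above.
#   - hive file named NTuser.man       -> mandatory (read-only) profile
#   - profile folder name ends in .man -> super-mandatory profile
function Get-ProfileType {
    param([Parameter(Mandatory)][string]$ProfilePath)

    $path    = $ProfilePath.TrimEnd('\', '/')
    $isSuper = $path -match '\.man$'          # -match is case-insensitive
    $hasMan  = Test-Path -LiteralPath (Join-Path $path 'NTuser.man') -PathType Leaf
    $hasDat  = Test-Path -LiteralPath (Join-Path $path 'NTuser.dat') -PathType Leaf

    $type = 'Unknown (no hive found)'
    if ($isSuper) {
        $type = 'Super-mandatory'
    } elseif ($hasMan) {
        $type = 'Mandatory'
    } elseif ($hasDat) {
        $type = 'Roaming (writable)'
    }

    $hive = '(none)'
    if ($hasMan) { $hive = 'NTuser.man' } elseif ($hasDat) { $hive = 'NTuser.dat' }

    [pscustomobject]@{ ProfilePath = $path; Type = $type; Hive = $hive }
}

# Constructed sample data: three profile folders in a temp directory.
$root   = Join-Path ([IO.Path]::GetTempPath()) ("profiles-" + [guid]::NewGuid())
$layout = @{ 'pupil' = 'NTuser.man'; 'lab.man' = 'NTuser.man'; 'staff' = 'NTuser.dat' }
foreach ($name in $layout.Keys) {
    $dir = New-Item -ItemType Directory -Path (Join-Path $root $name) -Force
    New-Item -ItemType File -Path (Join-Path $dir.FullName $layout[$name]) | Out-Null
}

# In a domain, the input would instead be each account's profile path, e.g.
# from Get-ADUser -Filter * -Properties ProfilePath (assumes the
# ActiveDirectory module is installed).
Get-ChildItem -LiteralPath $root -Directory |
    ForEach-Object { Get-ProfileType -ProfilePath $_.FullName } |
    Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```

The `Hive` column makes mismatches visible, such as a folder ending in `.man` that still holds a writable `NTuser.dat`.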
 
LVL 4

Expert Comment

by:shard26
ID: 12380168
What corneliup said was right on.  I would recommend just using GPOs to set everything up.  Mandatory profiles are more from the NT 4.0 days.  If done correctly, GPOs can do everything your mandatory profiles do and more.

If you want special settings on some stations to be applied no matter who is logging in, use loopback.  It is perfect for locking down a lab.  You can also set security so that the GPO only applies to some groups but not others.  That way if you're an admin logging in it doesn't apply to you.  Here is a link that explains loopback and some other things as well.  Let me know if you need any specifics.

http://windows.stanford.edu/docs/gpoorder.htm
0
 

Author Comment

by:dwol
ID: 12380796
Using non-mandatory profiles is not an option.

When the network was first set up in April everybody had a roaming user profile, and I used GPOs to lock things down. It was a nightmare!

The kids would just go and get third-party programs to get around the GPO settings, they would bloat their profiles, making logon take forever, and it was difficult to customise things exactly how we wanted without the kids making a mess of things.

Then SP2 came out and made folder redirection policies take forever to apply, with Microsoft's response of, wait for the next service pack!

Things run so smoothly now with mandatory profiles, it would just be nice to be able to drop them in another organisational unit and their proxy settings change...
0
 
LVL 4

Expert Comment

by:shard26
ID: 12382679
If the students were locked down with the correct security settings they shouldn't be able to install third-party apps.  It sounds like corneliup gave the answer you needed.  I would recommend giving him the points please.
0

Question has a verified solution.
