How to configure domain so that the limited domain users lose their data and settings when they log off...??

Hi friends !

I am System and Network Administrator in an educational institute. I am running Windows 2003 Server Enterprise Edition as Domain Controller and DNS Server. On all the desktop computers in labs, Windows XP Professional Edition is installed and I have brought all the computers under the domain so now they can be controlled by centralized server.

I made two partitions C and D.

C is system and boot partition ( I will only allow local and domain administrator group on this partition and remove everyone and domain users group to access this partition by removing them from ACL.)

D will be used for Data and students will be able to save their work temporarily on this partition.
2. I have created normal domain users named: LAB1, LAB2, LAB3 and LAB4 for each lab. All the students in LAB1 will use LAB1 username and corresponding password. Likewise, students in LAB2/LAB3/LAB4 will use LAB2/LAB3/LAB4 usernames and corresponding passwords.

I know that because LAB1, LAB2, LAB3 and LAB4 user accounts are limited user accounts so they can't install or uninstall anything, they can format the partition. BUT...

Now, I want to know how can I configure all these computers so that when students use them and save some documents on D, then when they will log off or when the computer will shut down, their data will be automatically erased. If they have changed desktop screen or screen saver or change home page of internet explorer, every setting should not apply after they log off and log on again.

(I will notify all the students on the screen of the computer that they save their data in flash or floppy (Removable Media) before logging off.)



Brian Pierce (Photographer) commented:
You can use a roaming profile for "limited users" and make it mandatory, that will help. However, in your situation something like "deepfreeze" may be invaluable. It can be used to "freeze" a computer's settings, forgetting everything that has happened at log off - see

David Johnson, CD, MVP (Owner) commented:
Get the Steady State from Microsoft for Windows XP

Firmin Frederick (Senior IT Consultant) commented:
I'm sure there's a group policy for domain settings under administrative templates that caters for that - as far as the workstations are concerned. You should check that out...or not :)

JatinHemant (Author) commented:
Thanks ve3ofa, KCTS and SHIELD1 !


You see, I explored the site link that you gave for Deepfreeze. But I can't buy any product like this because right now my department has some financial bars.

Second thing, you told me about mandatory profile for the user. You know my case. I have four labs and suppose in lab no. 1 I have 30 PCs, so if I create one user account named lab1user and make it roaming, then how to make it mandatory ? (I know that we need to rename one file user.dat to, please tell me if I am right or wrong)

I have made roaming profile but not mandatory profile. Once I changed the user.dat to but it didn't work. I don't know why ?

And one thing more...if all the 30 students will use this single account on different different PCs and logon simultaneously then there will be no problem and once again...How to make a mandatory profile ?

And as SHIELD1 suggested, there are some group policies, I will check them. If you have some advice here in Group Policy then please give.


Firmin Frederick (Senior IT Consultant) commented:
Well, here's a possible scenario - I haven't tested it so be wary of unpredictable results!

Open group policy for editing - if you have the group policy management update, use this to open group policy to ensure you have the right one.

Go to computer configuration, administrative templates, system, user profiles.

In the right hand screen enable these items:

delete cached copies of roaming profiles
prevent roaming profile changes from propagating to the server

and/or

only allow local user profiles

have a play :)
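
To confirm on a lab workstation which of the three profile policies named in the post above have actually been applied, the registry values they set can be read back. This PowerShell script is an added example, not part of the original thread; the function name `Get-ProfilePolicyState` is hypothetical, and the value names are the ones these Administrative Template settings write under `HKLM\Software\Policies\Microsoft\Windows\System`.

```powershell
# Added example: report the state of the three user-profile policies from the post.
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\System'

# Registry value name -> policy title as shown in the Group Policy editor.
$ProfilePolicies = @(
    @{ RegValue = 'DeleteRoamingCache'; Title = 'Delete cached copies of roaming profiles' },
    @{ RegValue = 'ReadOnlyProfile';    Title = 'Prevent Roaming Profile changes from propagating to the server' },
    @{ RegValue = 'LocalProfile';       Title = 'Only allow local user profiles' }
)

# Hypothetical helper name; returns one object per policy with its current state.
function Get-ProfilePolicyState {
    param([string]$Key = $PolicyKey)

    # If the key is absent, none of the policies in this branch has reached the machine.
    $applied = $null
    if (Test-Path -Path $Key) {
        $applied = Get-ItemProperty -Path $Key
    }

    foreach ($policy in $ProfilePolicies) {
        $raw = $null
        if ($applied) { $raw = $applied.($policy['RegValue']) }

        if ($null -eq $raw) { $state = 'Not configured' }
        elseif ($raw -eq 1) { $state = 'Enabled' }
        else                { $state = 'Disabled' }

        New-Object PSObject -Property @{
            Policy   = $policy['Title']
            RegValue = $policy['RegValue']
            State    = $state
        }
    }
}

$report = @(Get-ProfilePolicyState)
$report | Select-Object Policy, RegValue, State | Format-Table -AutoSize

# With 'Only allow local user profiles' enabled the workstation does not load the
# roaming profile, so a roaming (or mandatory roaming) profile path is ignored there.
$localOnly = $report | Where-Object { $_.RegValue -eq 'LocalProfile' -and $_.State -eq 'Enabled' }
if ($localOnly) {
    Write-Warning 'Only local profiles are allowed on this computer; the roaming profile path will not be used.'
}
```

Run it on a lab workstation after Group Policy has refreshed (for example after `gpupdate /force`), so the output reflects the GPO linked to the computer's OU.
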
Brian Pierce (Photographer) commented:
Group policies and mandatory profiles have their uses but if you want to completely "reset" a machine to a pre-defined state while not restricting what users can do then DeepFreeze or something similar will have to be used.

Firmin Frederick (Senior IT Consultant) commented:
Acronis True Image, I believe, has an option to reset the PC image to a previously stored state upon reboot - I'm not sure how the automation of that addition it's fairly cheap.

JatinHemant (Author) commented:
Thanks for your suggestions !

Let me do this exercise...I will let you know what I did but here, tomorrow and day after tomorrow, we have non-working days (Saturday and Sunday). So please continue your support.


David Johnson, CD, MVP (Owner) commented:
SteadyState is free from Microsoft. And it is designed for exactly what you want.

JatinHemant (Author) commented:
Thanks again for your suggestions !

I am exploring the utilities like SteadyState and Deepfreeze. Meanwhile, I tried to create a mandatory profile but I completely failed. In my question, I had also asked how to create mandatory profiles ?

Please see, what I did...

1. On domain controller (, I created a user named: acuser
2. Again on domain controller, I created a folder for storing roaming profiles named: roaming. I gave read and write permission on this folder to domain users.
3. Then in the Active Directory Users and Computers, I went in the properties of acuser and in profile path I gave //
4. Then I made an organizational unit and put the acuser and a computer named AC-PC001 in that OU.
5. Then I went in the properties of that OU and created a new group policy named: Roaming Profile.
6. Then I edited this GPO. I went in User Configurations--->Windows Settings--->Folder Redirections and then in Desktop and My Documents, I redirected them to //

Now when I use computer AC-PC001 and log on as acuser, then I can clearly notice that my My Documents and Desktop folders are roaming and no longer exist on the local PC. They are on the server. Means Folder Redirection is OK.

Now when I again logged on from client PC AC-PC001, I found that there is the local profile for this user and in that profile there is the file ntuser.dat

On AC-PC001, the file path is C:\Documents and Settings\acuser\ntuser.dat
On RDC domain controller in Roaming Profile of acuser the file path is ( \\\roaming\acuser\ntuser.dat ), so I changed this filename on RDC to

BUT...whenever I logoff or I will log off from the client PC then in the logoff synchronization, the local file ntuser.dat will again replace the file in roaming profile. And if I change some settings on desktop of client machine while logging from acuser, those changes are replicated to domain controller profile and again reflect to the client machine. I don't want that the desktop wallpaper or any changes that I make should reflect in the roaming profile. Then what is the use of mandatory profile !!!!!!!!!!

Now please tell me where I am wrong. Where I made mistakes ?

