Issues with changing a shared Mandatory profile

We are running a Windows XP based Server 2003 domain.
Some of our users are using a single mandatory domain with both serveral user accounts each of which are used by several users.

The issue we are having is that when we need to make changes we have to make sure everyone user is logged off, then make the changes, reset the Ntuser file to .man and get them to log back on.  The is , to say the least a bit of a pain when you have 20 users logged on with three accounts on 20 PCs on 4 floors.

Especially when, after 3 days, one person who hasn't logged off then logs off, and their old Ntuser file overwrites the new one (despite it being supposedly read only)

We just had a situation where someone dropped 10.5 Gig of songs on the desktop, somehow it got saved in the supposedly mandatory profile and then the users were effectively unable to log on (at least for about 6 hours while the new profile loaded)!  Is there any way of either forcing log off for all users with that profile, or forcing any changes made to remain unchangeable?  Without a third party product ideally (unless it's free).

Oh, and also deleting the local copy (we had a situation where it seemed a wireless laptop with a weak signal seemingly was unable to load a server copy, booted itself with a cached copy of the profile then overwrote the new profile when the user logged off).

The easiest way so far is to copy the profile, make the changes then start pointing the user accounts at it.
tinyasuraAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

James MontgomeryCommented:
What sort of changes are you making to the profile?

You can create very tidy, restricted user environments with GPOs and folder redirection. With read only access for joe user, administrators can drop files etc straight into shares on the server.
0
tinyasuraAuthor Commented:
Well, it's more a case of keeping the settings the same, we've had users manage to drop files on their desktop and somehow get ithem included in the mandatory profile (despite it being mandatory), then we get the pain of trying to get them all to log off so we can chjange it back. so it's mainly keeping the desktop clear and retaining the settings for a couple of 3rd party bits of software.

God alone knows how the users in question have managed to save the files in the first place.
0
James MontgomeryCommented:
Folder redirection:
http://www.tonotono.net/ua/nph-.cgi/000000A/http/www.windowsdevcenter.com/pub/a/windows/2004/08/24/folder_redirect.html

From a simple point of view you can redirect everyones desktop to a share, but on the share give domain users read only access.

You can redirect the app data folder too.

Is it just the desktop 'look' or is there something more that you want common?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

tinyasuraAuthor Commented:
The settings are both to do with desktop look, and also with some application settings.  The problem, though, is that when we need to make any type of change to the profile, if someone is still logged in, when they log off again the new settings get overwritten with th e old.

We need a way of changing shared profile settings while users are still logged on without them being able to overwrite the new settings with their mandatory settings
0
James MontgomeryCommented:
This seems like odd behavior.

Anyway desktop look and feel easily controlled through gpo and folder redireciton without the issues you experience.

However if you continue down this root why not copy the mandatory profile folder, make your changes and point users to the new profile location?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tinyasuraAuthor Commented:
Unfortunately there's Group Policy, and then company policy...
What we've been doing is basically that, creating a new profile and pointing the users at that.  It's just a bit of a clunky way of doing it, especially as several users use the same profile and therefore pick up the same problems.

I was hoping there was a perfect little method of forcing changes and stopping a non-logged off profile overwriting them next time they log off.  I think I'll try and do it with GP instead.

What I really don't understand is how (as in the case of 10.5 Gb of someone's music ending up in a desktop folder) changes get made against a supposedly mandatory profile in the first place.
0
James MontgomeryCommented:
do you have creator owner in ntfs permissions on the folder?
0
tinyasuraAuthor Commented:
Yep
0
James MontgomeryCommented:
Take it out of one of the profile folders which is supposed to be mandatory. Then see if it writes back
0
tinyasuraAuthor Commented:
Yep
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.