Solved

Mandatory and Local users in Active Directory?

Posted on 2009-02-18
Last Modified: 2012-05-06
Hi Expert,

What is the difference between mandatory and local users?

I currently have an AD on Windows 2003.
I log in to one of my servers, right-click on 'My Computer' -> select Properties -> Advanced -> 'Settings' button under 'User Profiles', and I see a couple of users under the 'Mandatory' type.

My questions are:
     Why do they have the 'Mandatory' type under their accounts?
     Why do the rest of the users have the 'Local' type?
     Mandatory vs. Local type?
     How do I set those who have the 'Mandatory' type to 'Local'?
Sorry about asking too much, but these are really something which I've been confused about for a long time. Thanks.
Question by:tinhnho
LVL 58

Accepted Solution

by:
tigermatt earned 2000 total points
ID: 23669583

You are referring to users who have a Mandatory Profile, rather than a Local or Roaming profile.

A Mandatory Profile is a profile which is pre-configured with a set of settings. The user can use it just like normal, but when they log off, the changes they make are not saved. In other words, the profile cannot be modified, since a logoff and then logon will reset things.

A profile is set as Mandatory when the NTUser.DAT file inside the profile's root folder (C:\Documents and Settings\<username>) is renamed to have an extension of .MAN. When the NTUser file is called NTUser.MAN, the profile becomes a mandatory profile.

Users who have a local profile are listed as having a local profile because their NTUser.DAT file is still called the default, NTUser.DAT (not .MAN).

Change the NTUser.MAN file to be called NTUser.DAT in each profile currently listed as a mandatory profile. This will switch it back to a local profile.

-Matt
0
 

Author Comment

by:tinhnho
ID: 23684954
Hi there,

After I renamed that file, it's still showing me the 'Mandatory' type for that user.

But I found another solution: if I go to the DC -> AD console -> select that user -> right-click and select 'Properties' -> click the 'Terminal Services Profile' tab -> leave the field under 'Profile Path' blank (before, it had '\\server02\Profiles\ourCitrixUsers.man'). Then I go to 'C:\Documents and Settings' on that server (not the DC machine), delete that user and then ask him to log in again. After this, it shows me the 'Local' type for his account.

I don't really understand why some users have '\\server02\Profiles\ourCitrixUsers.man' under 'Profile Path' while others don't. And what does it mean? Is it OK to remove? Thanks.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 23685719

Are these users logging in by Terminal Services to a 2003 Server?

-Matt
0

 

Author Comment

by:tinhnho
ID: 23685797
Hi Matt,

Yes, they are. We have a Citrix environment on those servers.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 23685814

In that case, the Terminal Services Profile Path in their User Properties was overriding the setting you made directly in their user profile. By removing the TS Roaming Profile Path, you would essentially stop them from having a Mandatory Profile.

It should be as simple as removing that path in their user account properties, then renaming C:\Documents and Settings\user\NTUser.man to NTUser.dat. There's no need for a new profile to be created.

-Matt
0
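An added example (not part of the thread and not any poster's code) of the check the answers above describe: a profile counts as mandatory when its hive is NTUSER.MAN, and a Terminal Services profile path set on the account overrides the local folder. The helper names `Get-Hive` and `Get-EffectiveProfile`, the user names and the folder layout are hypothetical, and the script runs against a constructed temp folder rather than a real server or AD.

```powershell
# Added example. User names, folders and paths are constructed for the demo.
function Get-Hive {
    param([string]$Dir)
    # NTUSER.MAN marks a mandatory profile; NTUSER.DAT a writable one.
    if (Test-Path -LiteralPath (Join-Path $Dir 'NTUSER.MAN')) { return 'MAN' }
    if (Test-Path -LiteralPath (Join-Path $Dir 'NTUSER.DAT')) { return 'DAT' }
    return 'None'
}

function Get-EffectiveProfile {
    param([string]$User, [string]$LocalDir, [string]$TsProfilePath)
    $local = Get-Hive $LocalDir
    $note  = ''
    if ([string]::IsNullOrEmpty($TsProfilePath)) {
        # No Terminal Services profile path on the account: the local hive decides.
        $type = switch ($local) { 'MAN' { 'Mandatory' } 'DAT' { 'Local' } default { 'Unknown' } }
    } else {
        # A Terminal Services profile path overrides the locally cached folder.
        $remote = Get-Hive $TsProfilePath
        # Assumption: if the share has no readable hive, go by a ".man" folder suffix.
        $isMan = ($remote -eq 'MAN') -or ($remote -eq 'None' -and $TsProfilePath -match '\.man\\?$')
        $type  = if ($isMan) { 'Mandatory' } else { 'Roaming' }
        if ($isMan -and $local -eq 'DAT') { $note = 'renaming the local hive alone has no effect' }
    }
    [pscustomobject]@{ User = $User; LocalHive = $local; TsPath = $TsProfilePath; Type = $type; Note = $note }
}

# Constructed sandbox standing in for "C:\Documents and Settings" and a profile share.
$root  = Join-Path ([IO.Path]::GetTempPath()) ('profdemo_' + [guid]::NewGuid().ToString('N'))
$share = Join-Path $root 'share\template.man'
$hives = @{ 'profiles\alice' = 'NTUSER.DAT'; 'profiles\bob' = 'NTUSER.DAT'
            'profiles\carol' = 'NTUSER.MAN'; 'share\template.man' = 'NTUSER.MAN' }
foreach ($rel in $hives.Keys) {
    $dir = Join-Path $root $rel
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    New-Item -ItemType File -Path (Join-Path $dir $hives[$rel]) | Out-Null
}

# Constructed account list: only bob has a Terminal Services profile path set.
$accounts = @(
    @{ User = 'alice'; Ts = '' }
    @{ User = 'bob';   Ts = $share }
    @{ User = 'carol'; Ts = '' }
)
$accounts | ForEach-Object {
    Get-EffectiveProfile -User $_.User -LocalDir (Join-Path $root "profiles\$($_.User)") -TsProfilePath $_.Ts
} | Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```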
 

Author Comment

by:tinhnho
ID: 23774625
Hi Matt,

Sorry for the late reply, I was out of town last week.

I understand about the Terminal Services Profile Path but am not sure whether to have it or not for my users. In your opinion, is it good or bad to have '\\server02\Profiles\ourCitrixUsers.man' in the users' Terminal Services Profile Path in their User Properties?

I have about 700 users who currently have a Terminal Services Profile Path in their user properties and about 20 servers. If I'd like to remove that path in the users' account properties, what is the quickest way to remove that path and then rename C:\Documents and Settings\user\NTUser.man to NTUser.dat?

Thanks a lot.




0
 
LVL 58

Expert Comment

by:tigermatt
ID: 23775976

Is the path actually \\server02\Profiles\ourCitrixUsers.man? Is there any mention of each user's username in the path?

-Matt
0
 

Author Comment

by:tinhnho
ID: 23776443
>Is the path actually \\server02\Profiles\ourCitrixUsers.man?
Yes, it is the path.
I went to 'server02' ->'Profiles' folder-> 'ourCitrixUsers.man' folder->there are 'Desktop' and 'Start Menu' folder inside 'ourCitrixUsers.man' folder.

>is there any mention of each user's username in the path?
No, all the users get the same path, which is '\\server02\Profiles\ourCitrixUsers.man'.





0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 2000 total points
ID: 23797553

Based on the path you provided, that would indicate all users are currently making use of the same profile, rather than having their own profile folders. In this case, the profile they are using is a Mandatory Profile, and therefore no changes will be made to that profile at logoff, and all users will always receive a clean, fresh copy when they log back in.

This is OK, provided this is the configuration you want. If you want all users, when logging into the Terminal Server, to receive a clean profile from the 'template', then this is ideal. Personally, I prefer this configuration in order to keep unnecessary profiles from building up on the Terminal Server.

-Matt
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24765627
I feel valid solutions were provided to the initial question.
0


Question has a verified solution.
