Precedence Technologies Ltd
Technology House, 36a Union Lane
Cambridge, CB4 1QB, United Kingdom
T: +44 (0)8456 446 800 / +44 (0)1223 359900
E: enquiries@precedence.co.uk

Creating Mandatory Windows Profiles

These notes assume familiarity with Windows and Active Directory. The steps listed apply to Windows Server 2003 to 2019 and to Windows XP to Windows 10. Any operating-system-specific items will be noted clearly like this.

This document explains the procedure used to manage profiles in a standard Precedence network.

To create a profile you need to follow the steps below:

Preliminaries (user management)

  • Ensure you have a user on your system called 'profileuser'. We would create this user as part of our installations so it should be there. To check this, load 'Active Directory Users and Computers' from 'Start Menu -> Programs -> Administrative Tools' when logged on as a domain administrator and either search for this user (by selecting the domain and choosing Find from the Action menu at the top) or browse through the various organisational units to find it (we would usually leave this user under the Users organisational unit). If this user does not appear to exist, please contact us.
  • From within Active Directory Users and Computers go in to the properties for this user by either double clicking on the username or right clicking on it and selecting Properties from the menu.
  • On the profileuser Properties window, click on the Profile tab. There should be no logon script set here (if there is, remove it).
  • Now click OK to close the properties window and save the settings.

Creating the raw profile

  1. On the same machine, log on as a domain administrator and right click on My Computer and then choose Properties.
  2. Click the Advanced tab and then click the Settings button under the User Profiles section (this window may take a little while to open if there are a lot of locally stored profiles).
  3. Once open, locate the Default User profile in the list and select it.
  4. Click the Copy To button.
  5. On the Copy To window, enter the network or local path that you want the profile to be copied to. If you are re-creating a profile, ensure that the old profile has been renamed before doing this, or use an alternative name until you have finished. Remember to put the appropriate version number on the end of the path (see the table below).
  6. Click the Change button under the Permitted to use section and when prompted to enter the object name, enter Authenticated Users and click 'OK'.
  7. If on a recent operating system, tick the Mandatory profile box.
  8. Now click OK on the Copy To window to copy the profile to the desired location.
  9. Go to the machine you have just copied the profile to (if not at it already) and log on as a domain administrator.
  10. Locate the profile on the disk and right click on the folder and choose Properties from the menu.
  11. From the Properties window, select the Security tab.
  12. Click the Edit... button.
  13. Select Authenticated Users from the list and click the Remove button.
  14. Click the Add... button and add the user Everyone. Tick the Read & Execute box and click Apply.
  15. Now click the Advanced button and on the Advanced window, tick the box labeled Replace all child object permission entries with inheritable permission entries from this object and click OK.
  16. Click OK on the Properties window. The profile is now created and usable. If you had a previous profile and have given the new profile a temporary name, you can now rename them as appropriate.
  17. N.B., the newly copied profile will have ntuser.dat in it, but this may be hidden. To make it visible, you can either alter the display options to untick Hide protected operating system files (which may unhide more than you want) or run the following at a command prompt (altering path as appropriate): attrib -h -s \\fileserver\profiles$\termserv.V2\ntuser.dat
  18. Rename ntuser.dat to ntuser.man.

Client operating system version                              Server operating system version                Profile extension
Windows XP                                                   Windows Server 2003, Windows Server 2003 R2    none
Windows Vista, Windows 7                                     Windows Server 2008, Windows Server 2008 R2    v2
Windows 8                                                    Windows Server 2012                            v3
Windows 8.1                                                  Windows Server 2012 R2                         v4
Windows 10, versions 1507 and 1511                           N/A                                            v5
Windows 10, versions 1607, 1703, 1709, 1803, 1809 and 1903   Windows Server 2016, Windows Server 2019       v6

e.g. for Windows Server 2008 R2 use \\fileserver\profiles$\termserv.v2 if the profile path is set to \\fileserver\profiles$\termserv within Active Directory.
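The following PowerShell script is an added example, not part of the Precedence KB: it performs steps 10 to 18 of "Creating the raw profile" from the command line on a profile that Copy To has already exported, and then checks that the resulting ACL gives ordinary users read access only. The path in $ProfilePath is a constructed example taken from the KB's own attrib command; everything else uses well-known SIDs so it does not depend on the server's display language.

```powershell
# Added example, not from the Precedence KB: scripted version of steps 10 to 18 of
# "Creating the raw profile". Run as a domain administrator after the Copy To step.
# $ProfilePath is a constructed example path; change it to your exported profile.
param(
    [string]$ProfilePath = '\\fileserver\profiles$\termserv.V2'
)

# Step 5 check: the folder should carry the version suffix from the table
# (no suffix is only correct for Windows XP / Server 2003 profiles).
if ($ProfilePath -notmatch '\.v[2-6]$') {
    Write-Warning "'$ProfilePath' has no .v2-.v6 suffix; only XP / Server 2003 profiles go without one."
}

# Well-known SIDs; icacls accepts them in *S-... form.
$Everyone           = '*S-1-1-0'
$AuthenticatedUsers = '*S-1-5-11'

# Steps 13 and 14: drop the Authenticated Users entry that Copy To added and give Everyone
# Read & Execute, inherited by subfolders (CI) and files (OI).
icacls $ProfilePath /remove:g $AuthenticatedUsers | Out-Null
icacls $ProfilePath /grant "${Everyone}:(OI)(CI)RX" | Out-Null

# Step 15: replace the children's ACLs with what they inherit from the root. /reset runs on the
# contents only, so the entries just set on the root survive; /T recurses, /C continues past errors.
icacls "$ProfilePath\*" /reset /T /C | Out-Null

# Steps 17 and 18: ntuser.dat is hidden+system after the copy (the KB's attrib -h -s);
# clear both attributes, then rename it to ntuser.man.
$dat = Join-Path $ProfilePath 'ntuser.dat'
if (Test-Path -LiteralPath $dat) {
    $item = Get-Item -LiteralPath $dat -Force
    $item.Attributes = $item.Attributes -band (-bnot ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System))
    Rename-Item -LiteralPath $dat -NewName 'ntuser.man'
}

# Check: no broad principal may be able to write into the profile. Anyone who can modify
# ntuser.man or the folder contents changes what every user of the profile receives at logon.
function Test-MandatoryProfileAcl {
    param([string]$Path)
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeBits = $R::Write -bor $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership
    $genericWrite = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, which .NET does not expand into FileSystemRights
    $W = [System.Security.Principal.WellKnownSidType]
    $broad = @($W::WorldSid, $W::AuthenticatedUserSid, $W::BuiltinUsersSid, $W::AccountDomainUsersSid)

    $problems = foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { continue }
        $isBroad = $false
        foreach ($kind in $broad) { if ($sid.IsWellKnown($kind)) { $isBroad = $true } }
        $rights = [int]$ace.FileSystemRights
        if ($isBroad -and ((($rights -band $writeBits) -ne 0) -or (($rights -band $genericWrite) -ne 0))) {
            "$($ace.IdentityReference) can write to $Path ($($ace.FileSystemRights))"
        }
    }
    return @($problems)   # empty means ordinary users have read-only access
}

$issues = Test-MandatoryProfileAcl -Path $ProfilePath
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } }
else { "ACL on $ProfilePath is read-only for ordinary users" }
```

The final check is the part worth keeping around: run Test-MandatoryProfileAcl again whenever the profile is re-created, since a stray Modify entry for Authenticated Users or Domain Users is enough for a user to alter the profile that everyone else loads.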

Customising the profile

N.B. With Windows 10, you should leave the profile as the default, as logging on as profileuser may break the Start Menu. See the next section for Windows 10 customisations.

  1. You now need to customise your new profile. To do this you will need to log on as profileuser. To create a workstation profile (for a desktop version of Windows), do this at a workstation that is joined to the domain. For a terminal services profile (for a server version of Windows), log on to a thin-client session as this user; do not log on at the console of an application server.
  2. Once logged on, make any settings changes (e.g. program customisations) that you may require. Examples include:
    • Run Internet Explorer to run through initial set up and set search engines, etc.
    • Run Microsoft Office to run initial user registration
    • Run Windows Media Player for initial configuration
    • If you want the classic start menu (not available on Windows 7, Server 2008 R2 or newer), select this and arrange the desktop icons as required.
    • Run OpenOffice.org/Libreoffice to run initial installation and then a second time for user registration
    • Set icon type in Explorer windows using Tools > Folder Options.... Apply these to all folders.
  3. Log off when customisation is completed.

Windows 10 Enterprise 2016 LTSB or newer

  1. Copy the default profile to the destination folder as above.
  2. If it exists, remove the OneDrive setup link from the run key of the exported profile before the first login:
    reg load HKU\MANDATORY \\fileserver\profiles$\workstation.v6\ntuser.man
    reg delete HKU\MANDATORY\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OneDriveSetup /f
    reg unload HKU\MANDATORY
  3. Using Group Policy:
    • Remove read access for non-administrators on %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    • Enable Computer configuration\Administrative Templates\Windows Components\OneDrive\Prevent the usage of OneDrive for file storage
    • Enable Computer configuration\System\Logon\Disable Windows 10 first sign-in animation
  4. Edit the file permissions on the profile files so that the BUILTIN principal ALL APPLICATION PACKAGES has Full Control, and choose Replace all child object permissions with inheritable permission entries from this object.
  5. Load the registry file into regedit and change the permissions on the root key:
    • For the BUILTIN principal ALL APPLICATION PACKAGES change from Read to Full Control or add if not present.
    • Add Full Control access for Authenticated Users
    • Remove the permissions for the unresolvable SID value (if present)
    • Remove the permissions for RESTRICTED group (if present)
    • Choose to Replace all child object permissions with inheritable permission entries from this object
    • Ignore the error Unable to set security in some keys
  6. Unload the registry file.
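The script below is an added example, not part of the Precedence KB: it performs steps 2, 4, 5 and 6 of the Windows 10 procedure above in one elevated PowerShell session on the file server, using the KB's own reg load/unload commands for the hive and Get-Acl/Set-Acl for the registry permissions that the KB edits in regedit. It assumes step 1 is done and ntuser.dat has already been renamed to ntuser.man; the Group Policy changes of step 3 are not covered. The path in $ProfilePath is the constructed path from the KB's reg commands.

```powershell
# Added example, not from the Precedence KB: scripted version of steps 2, 4, 5 and 6 of
# "Windows 10 Enterprise 2016 LTSB or newer". Run elevated as a domain administrator.
# $ProfilePath is the constructed path used in the KB's reg commands; change it as needed.
param([string]$ProfilePath = '\\fileserver\profiles$\workstation.v6')

$hive  = Join-Path $ProfilePath 'ntuser.man'
$mount = 'HKU\MANDATORY'            # where reg load attaches the hive, as in the KB

# Well-known SIDs, so the script does not depend on display names.
$AllAppPackagesSid  = 'S-1-15-2-1'  # ALL APPLICATION PACKAGES
$AuthenticatedUsers = 'S-1-5-11'
$RestrictedSid      = 'S-1-5-12'    # RESTRICTED

# Step 4: Full Control for ALL APPLICATION PACKAGES on the files, inherited by subfolders (CI)
# and files (OI); then reset the children so they carry only the inheritable root entries.
icacls $ProfilePath /grant "*${AllAppPackagesSid}:(OI)(CI)F" | Out-Null
icacls "$ProfilePath\*" /reset /T /C | Out-Null

# Steps 2 and 5 work on the mounted hive. reg.exe is used because PowerShell has no
# hive-loading cmdlet; the unload sits in finally so the file is never left mounted.
reg.exe load $mount $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hive (in use, or still named ntuser.dat?)" }
try {
    # Step 2: remove the OneDrive setup Run value; reg delete exits non-zero if it is absent, which is fine.
    reg.exe delete "$mount\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v OneDriveSetup /f 2>$null | Out-Null

    # Step 5: PowerShell reaches HKEY_USERS through a registry drive.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $root = 'HKU:\MANDATORY'
    $acl  = Get-Acl -Path $root

    # Drop RESTRICTED and any SID that no longer resolves (left over from the machine the
    # profile was copied from). Get-Acl leaves an unresolvable principal as a raw SecurityIdentifier.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $id = $ace.IdentityReference
        if ($id -is [System.Security.Principal.SecurityIdentifier]) {
            $acl.PurgeAccessRules($id)
        } elseif ($id.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $RestrictedSid) {
            $acl.PurgeAccessRules($id)
        }
    }

    # ALL APPLICATION PACKAGES: Read becomes Full Control (SetAccessRule replaces, or adds if absent);
    # Authenticated Users: Full Control. ContainerInherit makes both flow to subkeys.
    $full    = [System.Security.AccessControl.RegistryRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    foreach ($sidString in @($AllAppPackagesSid, $AuthenticatedUsers)) {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier $sidString
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($sid, $full, $inherit, 'None', 'Allow')
        $acl.SetAccessRule($rule)
    }
    Set-Acl -Path $root -AclObject $acl

    # "Replace all child object permissions": re-enable inheritance on every subkey and drop its
    # explicit entries. Keys that cannot be changed are the ones regedit reports as
    # "Unable to set security in some keys"; the KB says to ignore them, so they are only counted.
    $skipped = 0
    foreach ($key in @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)) {
        try {
            $childAcl = Get-Acl -Path $key.PSPath -ErrorAction Stop
            foreach ($ace in @($childAcl.Access | Where-Object { -not $_.IsInherited })) {
                $childAcl.PurgeAccessRules($ace.IdentityReference)
            }
            $childAcl.SetAccessRuleProtection($false, $false)
            Set-Acl -Path $key.PSPath -AclObject $childAcl -ErrorAction Stop
        } catch { $skipped++ }
    }
    "Root ACL set on $root; $skipped subkey(s) could not be updated"
}
finally {
    # Step 6: release the handles PowerShell still holds on the hive, then unload it.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg.exe unload $mount | Out-Null
}
```

If reg unload reports that the hive is still in use, the usual cause is an open handle from a registry object created earlier in the same session; close the session and unload by hand rather than leaving ntuser.man mounted, since a mounted hive cannot be read by users logging on.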

Windows 10 Store Apps

To enable store apps to run, also enable the following Group Policy setting:

Computer Configuration / Administrative Templates / Windows Components / App Package Deployment / Allow deployment operations in special profiles

Using this profile

profileuser should be the only user able to update the profile. You will need to ensure that no other user is both a domain administrator and has either of the profile paths set. This is a common mistake and can easily break the profile.
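As an added check for the mistake described above (not part of the Precedence KB), the following PowerShell script lists every account other than profileuser whose profile path or terminal services profile path points at the profile share, and flags those that are domain administrators. It assumes the RSAT ActiveDirectory module is installed; $ProfileShare is the constructed share name from the KB's examples, and the terminal services path is read through ADSI because Active Directory stores it inside the userParameters blob rather than as a plain attribute.

```powershell
# Added example, not from the Precedence KB: audit for domain administrators (other than
# profileuser) that have a profile path on the profile share. Requires the RSAT
# ActiveDirectory module. $ProfileShare is a constructed example value.
param([string]$ProfileShare = '\\fileserver\profiles$')

Import-Module ActiveDirectory

function Get-TsProfilePath {
    param([string]$DistinguishedName)
    # Value of the Terminal Services Profile tab, or $null when the ADSI extension cannot read it.
    try { ([ADSI]"LDAP://$DistinguishedName").psbase.InvokeGet('TerminalServicesProfilePath') } catch { $null }
}

function Find-ProfilePathHolders {
    param([string]$Share)
    # Transitive membership, so accounts in nested admin groups are included.
    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } | ForEach-Object { $_.SamAccountName }

    foreach ($u in Get-ADUser -Filter * -Properties ProfilePath) {
        if ($u.SamAccountName -eq 'profileuser') { continue }
        $paths = @($u.ProfilePath, (Get-TsProfilePath $u.DistinguishedName)) |
            Where-Object { $_ -and $_ -like "$Share*" }
        if (-not $paths) { continue }
        [pscustomobject]@{
            User          = $u.SamAccountName
            IsDomainAdmin = ($admins -contains $u.SamAccountName)
            ProfilePaths  = ($paths -join '; ')
        }
    }
}

# Rows with IsDomainAdmin = True are the accounts that can break the profile.
Find-ProfilePathHolders -Share $ProfileShare | Sort-Object IsDomainAdmin -Descending | Format-Table -AutoSize
```

Running this after every change to group membership is cheaper than re-creating a profile that an administrator's logoff has overwritten.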

Disclaimer: Precedence Technologies does not offer any support for profiles that have not been created by ourselves.

© Copyright Precedence Technologies 1999-2024
Page last modified on August 16, 2023, at 01:20 PM by sborrill