Creating Mandatory Windows Profiles
These notes assume familiarity with Windows and Active Directory. The steps listed apply to Windows Server 2003 to 2019 and to Windows XP to Windows 10. Any operating-system-specific items will be noted clearly like this.
This document explains the procedure used to manage profiles in a standard Precedence network.
To create a profile, follow the steps below:
Preliminaries (user management)
- Ensure you have a user on your system called 'profileuser'. We would create this user as part of our installations so it should be there. To check this, load 'Active Directory Users and Computers' from 'Start Menu -> Programs -> Administrative Tools' when logged on as a domain administrator and either search for this user (by selecting the domain and choosing Find from the Action menu at the top) or browse through the various organisational units to find it (we would usually leave this user under the Users organisational unit). If this user does not appear to exist, please contact us.
- From within Active Directory Users and Computers, go into the properties for this user by either double clicking on the username or right clicking on it and selecting Properties from the menu.
- On the profileuser Properties window, click on the Profile tab. There should be no logon script set here (if there is, remove it).
- Now click OK to close the properties window and save the settings.
Creating the raw profile
- On the same machine, log on as a domain administrator and right click on My Computer and then choose Properties.
- Click the Advanced tab and then click the Settings button under the User Profiles section (this window may take a little while to open if there are a lot of locally stored profiles).
- Once open, locate the Default User profile in the list and select it.
- Click the Copy To button.
- On the Copy To window, enter the network or local path that you want the profile to be copied to. If you are re-creating a profile, ensure that the old profile has been renamed before doing this, or use an alternative name until you have finished. Remember to put the appropriate version number on the end of the path; see the table below.
- Click the Change button under the Permitted to use section and when prompted to enter the object name, enter Authenticated Users and click 'OK'.
- If on a recent operating system, tick the Mandatory profile box.
- Now click OK on the Copy To window to copy the profile to the desired location.
- Go to the machine you have just copied the profile to (if not at it already) and log on as a domain administrator.
- Locate the profile on the disk and right click on the folder and choose Properties from the menu.
- From the Properties window, select the Security tab.
- Click the Edit... button.
- Select Authenticated Users from the list and click the Remove button.
- Click the Add... button and add the user Everyone. Tick the Read & Execute box and click Apply.
- Now click the Advanced button and on the Advanced window, tick the box labeled Replace all child object permission entries with inheritable permission entries from this object and click OK.
- Click OK on the Properties window. The profile is now created and usable. If you had a previous profile and have given the new profile a temporary name, you can now rename them as appropriate.
- N.B., the newly copied profile will have ntuser.dat in it, but this may be hidden. To make it visible, you can either alter the display options to untick Hide protected operating system files (which may unhide more than you want) or run the following at a command prompt (altering path as appropriate):
attrib -h -s \\fileserver\profiles$\termserv.V2\ntuser.dat
- Rename ntuser.dat to ntuser.man.
Client operating system version | Server operating system version | Profile extension |
---|---|---|
Windows XP | Windows Server 2003, Windows Server 2003 R2 | none |
Windows Vista, Windows 7 | Windows Server 2008, Windows Server 2008 R2 | v2 |
Windows 8 | Windows Server 2012 | v3 |
Windows 8.1 | Windows Server 2012 R2 | v4 |
Windows 10, versions 1507 and 1511 | N/A | v5 |
Windows 10, versions 1607, 1703, 1709, 1803, 1809 and 1903 | Windows Server 2016, Windows Server 2019 | v6 |
e.g. for Windows Server 2008 R2 use \\fileserver\profiles$\termserv.v2 if the profile path is set to \\fileserver\profiles$\termserv within Active Directory.
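The permission and ntuser.man steps that follow the Copy To dialog (remove Authenticated Users, grant Everyone Read & Execute, push the entries down to every child, unhide and rename ntuser.dat) can also be scripted. This is an added PowerShell example, not Precedence Technologies' own tooling; it assumes an elevated session as a domain administrator, a constructed profile path, and that the Copy To step has already been done. For Windows 10 profiles, the different ACL in the later section applies instead.

```powershell
# Added example: scripts the NTFS permission and ntuser.man steps for an
# already-exported profile folder. $ProfilePath is a constructed sample value.
param([string]$ProfilePath = '\\fileserver\profiles$\termserv.v2')

$acl = Get-Acl -LiteralPath $ProfilePath

# Remove the explicit Authenticated Users entry granted by the Copy To dialog.
foreach ($rule in @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' })) {
    [void]$acl.RemoveAccessRule($rule)
}

# Everyone (S-1-1-0): Read & Execute, inherited by all subfolders and files.
# The GUI's "Read & Execute" tick corresponds to the ReadAndExecute right.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$readExec = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($readExec)
Set-Acl -LiteralPath $ProfilePath -AclObject $acl

# Equivalent of "Replace all child object permission entries with inheritable
# permission entries from this object": re-enable inheritance on every child
# and drop its explicit entries so only the parent's entries apply.
Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force | ForEach-Object {
    $child = Get-Acl -LiteralPath $_.FullName
    $child.SetAccessRuleProtection($false, $false)
    foreach ($rule in @($child.Access | Where-Object { -not $_.IsInherited })) {
        [void]$child.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $_.FullName -AclObject $child
}

# ntuser.dat is copied with the hidden and system attributes set; clear them,
# then rename it to ntuser.man so the profile is treated as mandatory.
$hive = Join-Path -Path $ProfilePath -ChildPath 'ntuser.dat'
attrib -h -s $hive
Rename-Item -LiteralPath $hive -NewName 'ntuser.man'
```

Run it once per exported profile (for example with a .v2 and a .v6 path for the two operating-system generations) and check the result with Get-Acl before pointing any user at the share.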
Customising the profile
N.B. With Windows 10, you should leave the profile as the default, as logging on as profileuser may break the Start Menu. See the next section for Windows 10 customisations.
- You now need to customise your new profile. To do this you will need to log on as profileuser. To create a workstation profile (for a desktop version of Windows), do this at a workstation that is joined to the domain. For a terminal services profile (for a server version of Windows), log on to a thin-client session as this user; do not log on at the console of an application server.
- Once logged on, make any settings changes (e.g. program customisations) that you may require. Examples include:
  - Run Internet Explorer to go through the initial set up and set search engines, etc.
  - Run Microsoft Office to complete the initial user registration.
  - Run Windows Media Player for its initial configuration.
  - If you want the classic Start Menu (not available on Windows 7, Server 2008 R2 or newer), select it and arrange the desktop icons as required.
  - Run OpenOffice.org/LibreOffice to complete the initial installation, then a second time for user registration.
  - Set the icon type in Explorer windows using Tools > Folder Options.... Apply this to all folders.
- Log off when customisation is completed.
Windows 10 Enterprise 2016 LTSB or newer
- Copy the default profile to the destination folder as above.
- If it exists, remove the OneDrive setup link from the Run key of the exported profile before the first login:
reg load HKU\MANDATORY \\fileserver\profiles$\workstation.v6\ntuser.man
reg delete HKU\MANDATORY\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OneDriveSetup /f
reg unload HKU\MANDATORY
- Using Group Policy:
  - Remove read access for non-administrators on %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools
  - Enable Computer configuration\Administrative Templates\Windows Components\OneDrive\Prevent the usage of OneDrive for file storage
  - Enable Computer configuration\System\Logon\Disable Windows 10 first sign-in animation
- Edit file permissions on the profile files so that the BUILTIN principal ALL APPLICATION PACKAGES has Full Control, and choose to Replace all child object permissions with inheritable permission entries from this object.
- Load the registry file into regedit and change the permissions on the root key:
  - For the BUILTIN principal ALL APPLICATION PACKAGES, change from Read to Full Control, or add it if not present.
  - Add Full Control access for Authenticated Users.
  - Remove the permissions for the unresolvable SID value (if present).
  - Remove the permissions for the RESTRICTED group (if present).
  - Choose to Replace all child object permissions with inheritable permission entries from this object.
  - Ignore the error "Unable to set security in some keys".
- Unload the registry file.
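The registry-hive part of the Windows 10 procedure (OneDrive Run value, root key ACL, pushing the entries down to every subkey, unload) as an added PowerShell example; it is not Precedence Technologies' own script. It assumes an elevated PowerShell 5.1 session, a constructed hive path, and leaves the NTFS permission and Group Policy steps to be done as described above.

```powershell
# Added example (not Precedence's own script): scripts the hive steps for a
# Windows 10 mandatory profile. Paths are constructed; run elevated in PS 5.1.
$HivePath = '\\fileserver\profiles$\workstation.v6\ntuser.man'
$Mount    = 'HKU\MANDATORY'
$root     = 'Registry::HKEY_USERS\MANDATORY'
& reg.exe load $Mount $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE)" }
try {
    # Stop the OneDrive installer from running at the first logon.
    Remove-ItemProperty -Path "$root\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" `
        -Name OneDriveSetup -ErrorAction SilentlyContinue

    # Root key ACL: drop RESTRICTED and any SID that no longer resolves (Get-Acl
    # shows those as raw S-1-... strings), then give Full Control to
    # ALL APPLICATION PACKAGES (S-1-15-2-1) and Authenticated Users (S-1-5-11).
    $acl = Get-Acl -Path $root
    foreach ($ace in @($acl.Access)) {
        $id = $ace.IdentityReference.Value
        if ($id -eq 'NT AUTHORITY\RESTRICTED' -or $id -match '^S-1-\d+(-\d+)+$') {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    foreach ($sid in 'S-1-15-2-1', 'S-1-5-11') {
        $who = [System.Security.Principal.SecurityIdentifier]$sid
        $acl.PurgeAccessRules($who)   # replaces an existing Read entry, if any
        $acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
            $who, 'FullControl', 'ContainerInherit', 'None', 'Allow'))
    }
    Set-Acl -Path $root -AclObject $acl

    # "Replace all child object permissions": re-enable inheritance on each subkey
    # and remove its explicit entries. Keys that refuse are skipped, which is the
    # scripted form of ignoring "Unable to set security in some keys".
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_.PSPath
        try {
            $sub = Get-Acl -LiteralPath $key
            $sub.SetAccessRuleProtection($false, $false)
            foreach ($ace in @($sub.Access | Where-Object { -not $_.IsInherited })) {
                [void]$sub.RemoveAccessRule($ace)
            }
            Set-Acl -LiteralPath $key -AclObject $sub
        } catch { Write-Warning "Skipped $key : $($_.Exception.Message)" }
    }
} finally {
    # Release key handles before unloading, otherwise reg unload reports access denied.
    $acl = $sub = $null; [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload $Mount | Out-Null
}
```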
Windows 10 Store Apps
To enable store apps to run, also enable the following Group Policy setting:
Computer Configuration / Administrative Templates / Windows Components / App Package Deployment / Allow deployment operations in special profiles
Using this profile
profileuser should be the only user able to update the profile. You will need to ensure that no other users are domain administrators and have either of the profile paths set. This is a common mistake and can easily break the profile.
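A check for the mistake described above, as an added example that is not part of the original article: it lists every member of Domain Admins (other than profileuser) whose Profile path or Terminal Services profile path points into the share holding the mandatory profiles. It assumes the RSAT ActiveDirectory module and a constructed share path.

```powershell
# Added example: report Domain Admins who have either profile path set under the
# share that holds the mandatory profiles. $ProfileShare is a constructed value.
Import-Module ActiveDirectory
$ProfileShare = '\\fileserver\profiles$'

function Get-ProfilePaths {
    param($User)
    # The Profile tab's "Profile path" is the profilePath attribute; the Terminal
    # Services profile path is packed inside userParameters, so read it via ADSI.
    $tsPath = $null
    try {
        $entry  = [ADSI]"LDAP://$($User.DistinguishedName)"
        $tsPath = $entry.psbase.InvokeGet('TerminalServicesProfilePath')
    } catch { }
    @($User.ProfilePath, $tsPath) | Where-Object { $_ }
}

$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -ne 'profileuser' }

foreach ($m in $members) {
    $user = Get-ADUser -Identity $m.DistinguishedName -Properties ProfilePath
    foreach ($path in Get-ProfilePaths -User $user) {
        if ($path.StartsWith($ProfileShare, [System.StringComparison]::OrdinalIgnoreCase)) {
            # This administrator can write back into the profile: clear the path
            # or take the account out of Domain Admins.
            [pscustomobject]@{ User = $user.SamAccountName; ProfilePath = $path }
        }
    }
}
```

An empty result is the expected state; anything listed should be fixed before the next logon of that account.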
Disclaimer: Precedence Technologies does not offer any support for profiles that have not been created by ourselves.