Creating Mandatory Windows Profiles
These notes assume familiarity with Windows and Active Directory. The steps listed are applicable to Windows Server 2003, 2008 and 2008 R2 as well as Windows XP, Vista and 7. Any operating system specific items will be noted clearly like this.
This document explains the procedure used to manage profiles in a standard Precedence network.
To create a profile you need to follow the steps below:
Preliminaries (user management)
- Ensure you have a user on your system called 'profileuser'. We would create this user as part of our installations so it should be there. To check this, load 'Active Directory Users and Computers' from 'Start Menu -> Programs -> Administrative Tools' when logged on as a domain administrator and either search for this user (by selecting the domain and choosing Find from the Action menu at the top) or browse through the various organisational units to find it (we would usually leave this user under the Users organisational unit). If this user does not appear to exist, please contact us.
- From within Active Directory Users and Computers go in to the properties for this user by either double clicking on the username or right clicking on it and selecting Properties from the menu.
- On the profileuser Properties window, click on the Profile tab. Here there should be no logon script set (if there is remove it) and there may or may not be a profile path set. If there is a profile path configured, make a note of it and then delete it.
- Now click on the Terminal Services Profile tab. Again here, make a note of the profile path and remove it.
- Now click OK to close the properties window and save the settings.
Creating the raw profile
- You now need to create your new profile. To do this you will need to log on as profileuser. To create a workstation profile (XP, Vista and 7), do this at a workstation that is joined to the domain. For a terminal services profile (Server 2003, 2008 and 2008R2), log on to a thin-client session as this user.
- Once logged on, make any settings changes (e.g. program customisations) that you may require. Examples include:
- Run Internet Explorer to run through initial set up and set search engines, etc.
- Run Microsoft Office to run initial user registration
- Run Windows Media Player for initial configuration
- If you want the classic Start menu (not available on Windows 7 or Server 2008R2), select this and arrange the desktop icons as required.
- Run OpenOffice.org/Libreoffice to run initial installation and then a second time for user registration
- Set icon type in Explorer windows using Tools > Folder Options.... Apply these to all folders.
- Log off when customisation is completed
Copying the profile
- On the same machine, log on as a domain administrator and right click on My Computer and then choose Properties.
- Click the Advanced tab and then click the Settings button under the User Profiles section (this window may take a little while to open if there are a lot of locally stored profiles).
- Once open, locate the profileuser profile in the list and select it.
- Click the Copy To button (On Windows 7 and 2008R2 the 'Copy To' icon will be greyed out - use Windows Enabler to hack round this).
- On the Copy To window, enter the network or local path that you want the profile to be copied to. If you are re-creating a profile ensure that the old profile has been renamed before doing this or use an alternative name until you have finished. For Vista, Windows 7, 2008 or 2008R2, remember to put .V2 on the end of the name when copying (e.g. \\fileserver\profiles$\termserv.V2 if the profile path is set to \\fileserver\profiles$\termserv within Active Directory)
- Click the Change button under the Permitted to use section and when prompted to enter the object name, enter Authenticated Users and click 'OK'.
- Now click OK on the Copy To window to copy the profile to the desired location.
- Go to the machine you have just copied the profile to (if not at it already) and log on as a domain administrator.
- Locate the profile on the disk and right click on the folder and choose Properties from the menu.
- From the Properties window, select the Security tab.
- Select Authenticated Users from the list and click the Remove button.
- Click the Add... button and add the user Everyone. Tick the Read & Execute box and click Apply.
- Now click the Advanced button and on the Advanced window, tick the box labeled Replace permission entries on all child objects with entries shown here that apply to child objects and click OK.
- Click OK on the Properties window. The profile is now created and usable. If you had a previous profile and have given the new profile a temporary name, you can now rename them as appropriate.
- On Vista, Windows 7, Server 2008 and 2008R2, the newly copied profile will have ntuser.dat in it, but this will be hidden. To make it visible, you can either alter the display options to untick Hide protected operating system files (which may unhide more than you want) or run the following at a command prompt (altering path as appropriate):
attrib -h -s \\fileserver\profiles$\termserv.V2\ntuser.dat
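The permission steps above (remove Authenticated Users, give Everyone Read & Execute, replace child entries) and the ntuser.dat unhide, as an added PowerShell example that is not part of the original procedure; it assumes the profile was copied to \\fileserver\profiles$\termserv.V2 (the example path from the copy step) and is run as a domain administrator with rights on the file server.

```powershell
# Added example (not from the original page): apply the mandatory-profile
# permissions described above. Assumed profile location; change as required.
$ProfilePath = '\\fileserver\profiles$\termserv.V2'

# 1. Remove the Authenticated Users entry set by the Copy To dialog.
$acl = Get-Acl -Path $ProfilePath
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# 2. Give Everyone Read & Execute, inherited by every file and subfolder.
$everyone = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone', 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($everyone)
Set-Acl -Path $ProfilePath -AclObject $acl

# 3. Equivalent of "Replace permission entries on all child objects":
#    reset every child so it inherits only from the profile folder.
icacls "$ProfilePath\*" /reset /T /C /Q | Out-Null

# 4. Vista/7/2008/2008R2 profiles: unhide ntuser.dat (same as attrib -h -s).
$ntuser = Get-Item -Path (Join-Path $ProfilePath 'ntuser.dat') -Force
$hiddenSystem = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
$ntuser.Attributes = $ntuser.Attributes -band (-bnot $hiddenSystem)

# 5. Check the result: Everyone should have ReadAndExecute and no
#    Authenticated Users entry should remain.
(Get-Acl -Path $ProfilePath).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```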
Windows 10 Enterprise 2016 LTSB
- Copy the default profile to the destination folder; for Windows 10 Enterprise 2016 LTSB this will have to be named workstation.v6
- Remove the OneDrive setup link from the Run key of the exported profile before the first login. The profile's ntuser.dat must be loaded as a temporary hive before the value can be deleted, and unloaded afterwards. Run the following at an elevated command prompt (altering path as appropriate):
reg load HKU\MANDATORY \\fileserver\profiles$\workstation.v6\ntuser.dat
reg delete HKU\MANDATORY\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v OneDriveSetup /f
reg unload HKU\MANDATORY
- Group Policy: remove read access for non-administrators on
%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools
and configure the following policy settings:
Computer configuration\Administrative Templates\Windows Components\OneDrive\Prevent the usage of OneDrive for file storage
Computer configuration\System\Logon\Disable Windows 10 first sign-in animation
Make users use this profile
- Now go back to Active Directory Users and Computers and re-enter the profile path and the Terminal Services profile path (if they were previously set) for profileuser and click 'OK' to save the settings.
profileuser should now be the only user able to update the profile. You will need to ensure that no other users are domain administrators and have either of the profile paths set. This is a common mistake and can easily break the profile.
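A check for the common mistake described above, as an added PowerShell example that is not part of the original procedure: it lists every member of Domain Admins other than profileuser that has a roaming profile path or a Terminal Services profile path set. It assumes the ActiveDirectory module (RSAT) is installed and the group is named 'Domain Admins'.

```powershell
# Added check (not from the original page): find domain administrators,
# other than the profile owner, that still have a profile path configured.
Import-Module ActiveDirectory

$ProfileUser = 'profileuser'   # the only account allowed to have the paths set

$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$findings = foreach ($member in $admins) {
    $user = Get-ADUser -Identity $member.DistinguishedName -Properties ProfilePath
    if ($user.SamAccountName -ieq $ProfileUser) { continue }

    # The Terminal Services profile path is packed into the userParameters
    # attribute; the IADsTSUserEx ADSI interface decodes it for us.
    $adsi = [ADSI]"LDAP://$($user.DistinguishedName)"
    try   { $tsPath = $adsi.psbase.InvokeGet('TerminalServicesProfilePath') }
    catch { $tsPath = $null }

    if ($user.ProfilePath -or $tsPath) {
        [pscustomobject]@{
            SamAccountName              = $user.SamAccountName
            ProfilePath                 = $user.ProfilePath
            TerminalServicesProfilePath = $tsPath
        }
    }
}

if ($findings) {
    Write-Warning 'These domain administrators have a profile path set and can overwrite the mandatory profile:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host "OK: no domain administrator other than $ProfileUser has a profile path set."
}
```

Run it after re-entering the profile paths for profileuser; any account it lists should have its profile paths cleared or be removed from Domain Admins.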
Disclaimer: Precedence Technologies does not offer any support for profiles that have not been created by ourselves.