Creating v2 Mandatory Windows Profiles for Windows Vista, 7, Server 2008 and Server 2008R2
These notes assume familiarity with Windows and Active Directory. The steps listed are applicable to Windows Server 2008 and 2008 R2 as well as Windows Vista and 7. For XP or Windows Server 2003 please read this page instead. Any operating system specific items will be noted clearly like this.
This document explains the procedure used to manage profiles in a standard Precedence network.
To create a profile you need to follow the steps below:
Creating the raw profile
- Log onto a machine as the domain administrator. To create a workstation profile (Vista and 7), do this at a workstation that is joined to the domain. For a terminal services profile (Server 2008 and 2008R2), log on to a thin-client session as this user.
- Open the Start Menu, right-click on Computer (or whatever it has been renamed to) and choose Properties
- Click on Advanced System Settings
- In the User Profiles section, click on the Settings... button
- Click on Default Profile and then click Copy To...
- On the Copy To window, enter the network or local path that you want the profile to be copied to. If you are re-creating a profile ensure that the old profile has been renamed before doing this or use an alternative name until you have finished. Remember to put .V2 on the end of the name when copying (e.g. \\fileserver\profiles$\termserv.V2 if the profile path is set to \\fileserver\profiles$\termserv within Active Directory)
- Click the Change button under the Permitted to use section and when prompted to enter the object name, enter Authenticated Users and click 'OK'.
- Now click OK on the Copy To window to copy the profile to the desired location.
- Go to the machine you have just copied the profile to and log on as a domain administrator.
- Locate the profile on the disk and right click on the folder and choose Properties from the menu.
- From the Properties window, select the Security tab.
- Click Edit...
- Select Authenticated Users from the list and click the Remove button.
- Click the Add... button and add the user Everyone. Tick the Read & Execute box and click Apply.
- Now click the Advanced button and on the Advanced window, tick the box labeled Replace permission entries on all child objects with entries shown here that apply to child objects and click OK.
- Click OK on the Properties window. The profile is now created. If you had a previous profile and have given the new profile a temporary name, you can now rename them as appropriate.
- The newly copied profile will have ntuser.dat in it, but this will be hidden. To make it visible, you can either alter the display options to untick Hide protected operating system files (which may unhide more than you want) or run the following at a command prompt (altering path as appropriate):
attrib -h -s \\fileserver\profiles$\termserv.V2\ntuser.dat
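The permission steps above can be checked afterwards with a read-only audit. The script below is an added example, not part of the original procedure or a Precedence tool. It assumes the page's example path and that only SYSTEM, Administrators, CREATOR OWNER and Domain Admins should hold write access.

```powershell
param(
    # Path taken from the page's example; change it to your own share.
    [string]$ProfilePath = '\\fileserver\profiles$\termserv.V2'
)

# Assumption: only SYSTEM, BUILTIN\Administrators, CREATOR OWNER and
# Domain Admins (RID 512) are expected to hold write access.
$trustedSids = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0', 'S-1-5-21-*-512'
$sidType = [System.Security.Principal.SecurityIdentifier]

# Rights that allow changing content, attributes, permissions or ownership.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only entries can carry raw GENERIC_WRITE / GENERIC_ALL bits instead.
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000
$readExec = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function New-Finding {
    param($Path, $Sid, $Issue)
    New-Object PSObject -Property @{ Path = $Path; Sid = $Sid; Issue = $Issue }
}

function Test-ProfileItemAcl {
    param([string]$Path, [bool]$IsRoot)
    # Ask for SIDs rather than names so the check works on any OS language.
    $rules = @((Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' })
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        $trusted = [bool]($trustedSids | Where-Object { $sid -like $_ })
        if ($sid -eq 'S-1-5-11') {
            New-Finding $Path $sid 'Authenticated Users entry was not removed'
        } elseif (-not $trusted -and (([int]$rule.FileSystemRights -band $writeMask) -ne 0)) {
            New-Finding $Path $sid 'Untrusted principal can modify the profile'
        }
    }
    if ($IsRoot) {
        # The procedure grants Everyone (S-1-1-0) Read & Execute on the folder.
        $everyone = $rules | Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' -and
            (([int]$_.FileSystemRights -band $readExec) -eq $readExec) }
        if (-not $everyone) { New-Finding $Path 'S-1-1-0' 'Everyone lacks Read & Execute' }
    }
}

Test-ProfileItemAcl -Path $ProfilePath -IsRoot $true
# -Force includes hidden and system items such as ntuser.dat.
Get-ChildItem -Path $ProfilePath -Recurse -Force |
    ForEach-Object { Test-ProfileItemAcl -Path $_.FullName -IsRoot $false }
```

No output means every item matched the expected permissions; each object returned names a file or folder whose ACL differs.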
Preliminaries (user management)
- Ensure you have a user on your system called 'profileuser'. We would create this user as part of our installations so it should be there. To check this, load Active Directory Users and Computers from Start Menu -> Programs -> Administrative Tools when logged on as a domain administrator and either search for this user (by selecting the domain and choosing Find from the Action menu at the top) or browse through the various organisational units to find it (we would usually leave this user under the Users organisational unit). If this user does not appear to exist, please contact us.
- From within Active Directory Users and Computers go in to the properties for this user by either double-clicking on the username or right-clicking on it and selecting Properties from the menu.
- On the profileuser Properties window, click on the Profile tab (for Windows Vista and 7 profiles) or the 'Remote Desktop Services Profile' tab (for Windows Server 2008 and 2008 R2).
- Set the profile path for this user to the profile path you have just created from the default user profile, removing the .V2 at the end.
- Now click OK to close the properties window and save the settings.
- Log on to a workstation or thin-client session as profileuser
- Once logged on, make any settings changes (e.g. program customisations) that you may require. Examples include:
  - Set Windows 7 Basic theme
  - Right-click on Computer in Start Menu and choose Show on Desktop
  - Remove items pinned to the Start Menu such as Notepad and Command Prompt
  - Run Internet Explorer to run through initial set up and set search engines, etc. (may need to set up proxy server settings to do this)
  - Run Microsoft Office to run initial user registration and then run again to switch off autoupdates
  - Run Windows Media Player for initial configuration
  - Run OpenOffice.org/LibreOffice to run initial installation and then a second time for user registration
  - Set icon type in Explorer windows using Organize > Folder and Search Options.... Apply these to all folders.
  - Unpin PowerShell, Server Manager and Explorer from Task Bar
  - Edit Start Menu settings (right-click on Task Bar, choose Properties, Start Menu tab then Customize) and switch off display of Administrative Tools. Untick Highlight newly installed programs
  - Right-click on Profile User at top of Start Menu and choose Show on desktop. Go to desktop and delete Profile User icon
- Log off when customisation is completed
Make users use this profile
profileuser should now be the only user able to update the profile (except for other Domain Admins). You will need to ensure that no other users that have either of the profile paths set are domain administrators. This is a common mistake and can easily break the profile.
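The domain administrator check described above can be run as a script. This is an added example, not part of the original page. It assumes the ActiveDirectory PowerShell module is available and uses the page's example profile path, which should be replaced with the paths set in your own domain.

```powershell
param(
    # Profile paths as entered in Active Directory (without .V2).
    # The default follows the page's example; list both paths if you use two.
    [string[]]$MandatoryPaths = @('\\fileserver\profiles$\termserv'),
    # The account the page designates for updating the profile.
    [string]$ProfileUser = 'profileuser'
)
Import-Module ActiveDirectory

function Get-RdsProfilePath {
    param([string]$DistinguishedName)
    # The Remote Desktop Services profile path is stored inside the
    # userParameters blob, so read it through the ADSI extension.
    try { ([ADSI]"LDAP://$DistinguishedName").psbase.InvokeGet('TerminalServicesProfilePath') }
    catch { $null }   # not set for this user
}

# -Recursive expands nested groups so indirect members are included.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($member in $admins) {
    $user = Get-ADUser -Identity $member.DistinguishedName -Properties ProfilePath
    if ($user.SamAccountName -eq $ProfileUser) { continue }

    $paths = @{
        'Profile tab'                 = $user.ProfilePath
        'Remote Desktop Services tab' = Get-RdsProfilePath $user.DistinguishedName
    }
    foreach ($tab in $paths.Keys) {
        $value = $paths[$tab]
        # -contains compares strings case-insensitively, as Windows paths are.
        if ($value -and ($MandatoryPaths -contains $value.TrimEnd('\'))) {
            New-Object PSObject -Property @{
                User        = $user.SamAccountName
                Tab         = $tab
                ProfilePath = $value
            }
        }
    }
}
```

Each object returned is a domain administrator other than profileuser whose account points at the mandatory profile, which is the situation the paragraph above warns against.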
Disclaimer: Precedence Technologies does not offer any support for profiles that have not been created by ourselves.