Creating v2 Mandatory Windows Profiles for Windows Vista, 7, Server 2008 and Server 2008R2
These notes assume familiarity with Windows and Active Directory. The steps listed are applicable to Windows Server 2008 and 2008 R2 as well as Windows Vista and 7. For XP or Windows Server 2003 please read this page instead. Any operating system specific items will be noted clearly like this.
This document explains the procedure used to manage profiles in a standard Precedence network.
To create a profile you need to follow the steps below:
Creating the raw profile
- Log onto a machine as the domain administrator. To create a workstation profile (Vista and 7), do this at a workstation that is joined to the domain. For a terminal services profile (Server 2008 and 2008R2), log on to a thin-client session as this user.
- Open the Start Menu, right-click on Computer (or whatever it has been renamed to) and choose Properties
- Click on Advanced System Settings
- In the User Profiles section, click on the Settings... button
- Click on Default Profile and then click Copy To...
- On the Copy To window, enter the network or local path that you want the profile to be copied to. If you are re-creating a profile ensure that the old profile has been renamed before doing this or use an alternative name until you have finished. Remember to put .V2 on the end of the name when copying (e.g. \\fileserver\profiles$\termserv.V2 if the profile path is set to \\fileserver\profiles$\termserv within Active Directory)
- Click the Change button under the Permitted to use section and when prompted to enter the object name, enter Authenticated Users and click 'OK'.
- Now click OK on the Copy To window to copy the profile to the desired location.
- Go to the machine you have just copied the profile to and log on as a domain administrator.
- Locate the profile on the disk and right click on the folder and choose Properties from the menu.
- From the Properties window, select the Security tab.
- Click Edit...
- Select Authenticated Users from the list and click the Remove button.
- Click the Add... button and add user Everyone. Tick the Read & Execute box and click Apply.
- Now click the Advanced button and on the Advanced window, tick the box labeled Replace permission entries on all child objects with entries shown here that apply to child objects and click OK.
- Click OK on the Properties window. The profile is now created. If you had a previous profile and have given the new profile a temporary name, you can now rename them as appropriate.
- The newly copied profile will have ntuser.dat in it, but this will be hidden. To make it visible, you can either alter the display options to untick Hide protected operating system files (which may unhide more than you want) or run the following at a command prompt (altering path as appropriate):
attrib -h -s \\fileserver\profiles$\termserv.V2\ntuser.dat
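A read-only check that the copied folder ended up with the permissions set in the steps above. This is an added example, not part of Precedence's procedure; it assumes PowerShell 3.0 or later, and the default path is the sample path from the text:

```powershell
# Read-only audit of a mandatory profile folder; nothing is changed.
# Default path is the sample path used in the text: pass your own.
param([string]$ProfilePath = '\\fileserver\profiles$\termserv.V2')

$sidType   = [System.Security.Principal.SecurityIdentifier]
$everyone  = 'S-1-1-0'       # Everyone
$authUsers = 'S-1-5-11'      # Authenticated Users
$broad     = @($everyone, $authUsers, 'S-1-5-32-545')   # + BUILTIN\Users

# Write-type bits only. Modify and FullControl are left out of the mask
# because they overlap the read bits. 0x50000000 is GENERIC_WRITE plus
# GENERIC_ALL, which can appear unmapped on inherit-only entries.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000
$readExec  = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

$findings = @()
if ($ProfilePath -notmatch '\.V2\\?$') { $findings += 'Folder name does not end in .V2' }
$hive = Join-Path $ProfilePath 'ntuser.dat'
if (-not (Get-Item -LiteralPath $hive -Force -ErrorAction SilentlyContinue)) {
    $findings += 'ntuser.dat not found in the profile root'
}

$rootRules = (Get-Acl -LiteralPath $ProfilePath).GetAccessRules($true, $true, $sidType)
if ($rootRules | Where-Object { $_.IdentityReference.Value -eq $authUsers }) {
    $findings += 'Authenticated Users still has an entry on the profile root'
}
$everyoneOk = $rootRules | Where-Object {
    $_.IdentityReference.Value -eq $everyone -and $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $readExec) -eq $readExec)
}
if (-not $everyoneOk) { $findings += 'Everyone lacks Read & Execute on the profile root' }

# Walk every file and folder, hidden ones included, looking for write access
# granted to a broad group.
$items = @(Get-Item -LiteralPath $ProfilePath) +
         @(Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force)
foreach ($item in $items) {
    $rules = (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            ([int]$ace.FileSystemRights -band $writeMask)) {
            $findings += "Writable by $($ace.IdentityReference.Value): $($item.FullName)"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else {
    'Profile folder permissions match the steps above.' }
```

Principals are compared by SID, so the check also works on systems where the group names are localised.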
Preliminaries (user management)
- Ensure you have a user on your system called 'profileuser'. We would create this user as part of our installations so it should be there. To check this, load 'Active Directory Users and Computers' from 'Start Menu -> Programs -> Administrative Tools' when logged on as a domain administrator and either search for this user (by selecting the domain and choosing Find from the Action menu at the top) or browse through the various organisational units to find it (we would usually leave this user under the Users organisational unit). If this user does not appear to exist, please contact us.
- From within Active Directory Users and Computers go in to the properties for this user by either double clicking on the username or right clicking on it and selecting Properties from the menu.
- On the profileuser Properties window, click on the Profile tab (for Windows Vista and 7 profiles) or the 'Remote Desktop Services Profile' tab (for Windows Server 2008 and 2008 R2).
- Set the profile path for this user to the profile path you have just created from the default user profile.
- Now click OK to close the properties window and save the settings.
Customising profile
Recommended machine registry changes
- You may want to remove the following registry keys to remove Control Panel and Libraries icons from the desktop:
  - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{031E4825-7B94-4dc3-B131-E946B44C8DD5}]
  - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{26EE0668-A00A-44D7-9371-BEB064C98683}]
  - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}]
- This .reg file will stop Java updates. Also apply this .reg file if you are running 32-bit Java on a 64-bit system.
- Remove the Network link from Windows Explorer by setting Attributes to b0940064 in these locations:
  - HKEY_CLASSES_ROOT\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder
  - HKEY_Local_Machine\Software\Wow6432Node\Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder
- To stop Windows Mail databases being created for new users set isInstalled to 0 in these locations:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
  - HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
- Remove the Favorites link from Windows Explorer by setting Attributes to a9400100 in these locations:
  - HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder
  - HKEY_Local_Machine\Software\Wow6432Node\Classes\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder
Make users use this profile
- Now go back to Active Directory Users and Computers and re-enter the profile path and the Terminal Services profile path (if they were previously set) for profileuser and click 'OK' to save the settings.
profileuser should now be the only user able to update the profile. You will need to ensure that no other users are domain administrators and have either of the profile paths set. This is a common mistake and can easily break the profile.
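One way to check for the mistake described above, as an added example that is not part of Precedence's procedure. It assumes the ActiveDirectory PowerShell module is available (Server 2008 R2 or RSAT) and that the administrators group in question is Domain Admins:

```powershell
# List Domain Admins members that have either profile path set.
# Read-only: no account is modified. Run as a domain administrator.
Import-Module ActiveDirectory

$allowed = 'profileuser'    # the account named in the text

$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($member in $admins) {
    $user = Get-ADUser -Identity $member.distinguishedName -Properties ProfilePath

    # The Remote Desktop Services profile path is packed into the
    # userParameters attribute, so it is read through ADSI instead.
    $tsPath = $null
    try {
        $adsi   = [ADSI]"LDAP://$($user.DistinguishedName)"
        $tsPath = $adsi.psbase.InvokeGet('TerminalServicesProfilePath')
    } catch {
        # InvokeGet throws when the account has no RDS settings stored.
    }

    if ($user.ProfilePath -or $tsPath) {
        $user | Select-Object SamAccountName, ProfilePath,
            @{ n = 'RdsProfilePath'; e = { $tsPath } },
            @{ n = 'Expected';       e = { $_.SamAccountName -eq $allowed } }
    }
}

$report | Sort-Object Expected, SamAccountName | Format-Table -AutoSize

# Any row with Expected = False is an administrator who could overwrite
# the shared profile simply by logging on.
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) administrator account(s) other than $allowed have a profile path set."
}
```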
Disclaimer: Precedence Technologies does not offer any support for profiles that have not been created by ourselves.