Windows DevCenter    
 Published on Windows DevCenter (http://www.windowsdevcenter.com/)
 See this if you're having trouble printing code examples


Implementing Mandatory Roaming Profiles

by Mitch Tulloch, Chris Sanders
10/10/2006

Microsoft IntelliMirror technologies have been around since Windows 2000 was released, yet it's surprising how many network administrators fail to use these technologies to make their jobs easier. IntelliMirror is a set of features for configuration and change management that is designed to ensure the availability of users' personal data files, applications, and desktop settings whenever they log onto a computer on the corporate network. IntelliMirror is built upon the following technologies of Windows 2000 and later:

Learning how to properly implement these technologies is worth the effort, so let's take a detailed look at one of them: implementing mandatory roaming profiles. To learn about this technology, let's talk to someone who has it on the network he supports. Chris Sanders is the network administrator for one of the largest public school systems in Kentucky, and he shows us how he uses mandatory user profiles to make his job easier.

"User profile management can be a complete nightmare for a network administrator. There are literally dozens of ways to manage profiles based on the needs of your particular organization or department. One of the most complicated scenarios to properly administer is a typical lab environment in which you do not want user profiles to be modified at all. This being said, how exactly can we provide an effective means of managing user profiles so that all users are presented with the same profile, allowed to make changes as necessary, but are then presented with a copy of the original unmodified profile when they log back in? The answer to this lies with mandatory profiles.

"In our sample network we have several lab environments, which a multitude of students access via their own unique user accounts. The issue that is arising is that these students have a tendency to change various profile settings and leave files lying around the desktop. Our goal is to present each and every student user with the same profile settings, and disregard all profile changes when a user logs out so that they are presented with the same profile as everyone else when they log back in.

Setting Up the Base Profile

"The first thing you will want to do is set up a model profile on a workstation (preferably an identical one to the workstations in the lab) that will serve as the profile that everyone sees when they log into a computer. Here you will want to make sure you have configured all desktop settings, shortcut icons, and installed printers correctly as to how they will appear on all other workstations.

Copying the Profile to a Server

"Once you have your profile set up how you want it, the next step is to copy the profile to a server. It is important that you set the permissions on the folder holding the profile so that all users accessing it will have complete read-and-write access to it. Once set up, the workstations will pull each user profile from this location. In order to properly copy this profile to a server, there are a few steps you need to complete. Logging in as a user other than the one used to make your model profile, you will need to right-click "My Computer" and then select "Properties." Navigate to the "Advanced" tab and click "Settings" under User Profiles (Figure 1):

Figure 1
Figure 1: Accessing the User Profiles settings

"In the User Profiles dialog box that opens, select your model profile in the list and click the "Copy to" button. You will then be prompted to select the location where you want to store the profile (Figure 2). After you have done this, you must click the "Change" button and add the Authenticated Users group to the profile's ACL. This ensures that all domain users who are authenticated will have rights to access the profile. Proceed to "OK" out of any remaining dialog boxes.

Figure 2
Figure 2: Copying the base profile to a server

Making the Profile Mandatory

"The next step in creating your profile is the actual process of making it mandatory and therefore unchangeable. This can be done by browsing to the location of your saved profile on the server and locating the NTUSER.dat file (make sure hidden files are set to be visible). Once you have located this file, you can simply rename it to NTUSER.man to make it mandatory.

Configuring the User Accounts

"The last remaining step is to configure your user accounts to utilize the mandatory profile we have set up. In order to accomplish this, we must begin in the Active Directory Users and Computers MMC snap-in. Once you have this open, navigate to one of the user accounts you want to utilize the mandatory profile. Once you have located this user, right-click on their name and select "Properties." Navigate to the "Profile" tab and locate the "Profile Path" box, and type the UNC path to the folder where the mandatory profile is located and click "OK" (Figure 3). You can then proceed to do this to every account that will be accessing this profile.

Figure 3
Figure 3: Setting a user account to point to the mandatory profile

"With those steps completed, you have successfully set up mandatory profiles for your user population. You should now no longer have to worry about users changing their profile settings.

Mandatory Profile Best Practices

"When dealing with mandatory profiles, there is a common misconception that they are often more trouble than they are worth. The problem lies in the fact that so many things can have an effect on your mandatory profile setup. This being said, there are some practices you will want to keep in mind when managing your network to make sure your mandatory profile implementation works without a hitch.

"The problem that most network administrators commonly see is slow performance when loading a user's mandatory profile. The main cause of this is usually a bloated base profile. If you load up your base profile with tons of files and data, this will cause the profile to grow in size, which can cause a large time delay when transferring the profile from server to client. If you must have this much data available to users, it is best to find another method of delivery, such as a mapped network drive to a shared storage location.

"Along with the concerns of performance, sometimes administrators can be thrown for a loop when previously utilized features don't work or cause problems after implementing mandatory profiles. A good example of this is use of the Encrypted File System (EFS). EFS is something that is not supported for use with mandatory or roaming profiles.

"Finally, we need to consider security when implementing mandatory profiles. The main focus of security in this case is the folder storing the mandatory profile. This folder contains the data that will be transferred to every workstation a mandatory profile user logs into. Therefore, it is extremely important that it be secure. The best way to secure this folder, as with any other network resource, is through NTFS permissions. You should make sure that your base profile folder resides on a server that utilizes NTFS, and develop a strong permissions policy for these folders."

Additional Resources

Here are some additional resources you may want to review before implementing mandatory roaming profiles in your own networking environment:

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.

Chris Sanders is the network administrator for one of the largest public school systems in the state of Kentucky. For more about Chris, you can view his personal blog at http://www.chrissanders.org.


Return to the Windows DevCenter.

Copyright © 2009 O'Reilly Media, Inc.