Guest Will Sellers Posted February 6, 2008 Posted February 6, 2008 I have a mandatory profile setup for my student group. I have copied a common profile that all students will see when they log on. I renamed the ntuser.dat to ntuser.man. All students have the profile defined in their AD profile path. In my profile I have administrator and students defined in the security and permissions. When I look at the profile I can see the ntuser.man but somehow another ntuser.dat is being created. How can I prevent that from happening? Is there a way to prevent the creation of a local profile on the desktop?
Guest Lanwench [MVP - Exchange] Posted February 6, 2008 Posted February 6, 2008 Re: mandatory profile problem Will Sellers <willsellers@verizon.net> wrote: > I have a mandatory profile setup for my student group. > I have copied a common profile that all students will see when they > log on. I renamed the ntuser.dat to ntuser.man. > All students have the profile defined in their AD profile path. > > In my profile I have administrator and students defined in the > security and permissions. What permissions are they? Share permissions should be everyone=full control NTFS permissions should be Administrators, System, and <users>= full control > > When I look at the profile I can see the ntuser.man but somehow > another ntuser.dat is being created. Check out the event logs on the workstation. > How can I prevent that from happening? > > Is there a way to prevent the creation of a local profile on the > desktop? No - everyone will have a locally *cached* profile, even with a roaming/mandatory profile. But you can control whether it *stays* on the workstation via group policy.
Guest Will Sellers Posted February 6, 2008 Posted February 6, 2008 Re: mandatory profile problem I resolved all issues with mandatory profiles except the delete cached profile. I did enable "delete cached profiles" in the GPO for students. However, after I log off as a student I still see the student folder in the document and settings on the local machine. I verified that the GPO is functional via the gpresult /v. "Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message news:%23c6yzuMaIHA.1212@TK2MSFTNGP05.phx.gbl... > Will Sellers <willsellers@verizon.net> wrote: >> I have a mandatory profile setup for my student group. >> I have copied a common profile that all students will see when they >> log on. I renamed the ntuser.dat to ntuser.man. >> All students have the profile defined in their AD profile path. >> >> In my profile I have administrator and students defined in the >> security and permissions. > > What permissions are they? > > Share permissions should be everyone=full control > NTFS permissions should be Administrators, System, and <users>= full > control > >> >> When I look at the profile I can see the ntuser.man but somehow >> another ntuser.dat is being created. > > Check out the event logs on the workstation. > >> How can I prevent that from happening? >> >> Is there a way to prevent the creation of a local profile on the >> desktop? > > No - everyone will have a locally *cached* profile, even with a > roaming/mandatory profile. But you can control whether it *stays* on the > workstation via group policy. > >
Guest Lanwench [MVP - Exchange] Posted February 7, 2008 Posted February 7, 2008 Re: mandatory profile problem Will Sellers <willsellers@verizon.net> wrote: > I resolved all issues with mandatory profiles except the delete cached > profile. > I did enable "delete cached profiles" in the GPO for students. > However, after I log off as a student I still see the student folder > in the document and settings on the local machine. > I verified that the GPO is functional via the gpresult /v. Try looking in rsop.msc and check the event logs for errors. .....but since this is a mandatory profile, and local changes will never be uploaded (because there aren't any), why bother with this? > > "Lanwench [MVP - Exchange]" > <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in > message news:%23c6yzuMaIHA.1212@TK2MSFTNGP05.phx.gbl... >> Will Sellers <willsellers@verizon.net> wrote: >>> I have a mandatory profile setup for my student group. >>> I have copied a common profile that all students will see when they >>> log on. I renamed the ntuser.dat to ntuser.man. >>> All students have the profile defined in their AD profile path. >>> >>> In my profile I have administrator and students defined in the >>> security and permissions. >> >> What permissions are they? >> >> Share permissions should be everyone=full control >> NTFS permissions should be Administrators, System, and <users>= full >> control >> >>> >>> When I look at the profile I can see the ntuser.man but somehow >>> another ntuser.dat is being created. >> >> Check out the event logs on the workstation. >> >>> How can I prevent that from happening? >>> >>> Is there a way to prevent the creation of a local profile on the >>> desktop? >> >> No - everyone will have a locally *cached* profile, even with a >> roaming/mandatory profile. But you can control whether it *stays* on >> the workstation via group policy.
Guest Will Sellers Posted February 7, 2008 Posted February 7, 2008 Re: mandatory profile problem "Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message news:uPls68RaIHA.5784@TK2MSFTNGP03.phx.gbl... > Will Sellers <willsellers@verizon.net> wrote: >> I resolved all issues with mandatory profiles except the delete cached >> profile. >> I did enable "delete cached profiles" in the GPO for students. >> However, after I log off as a student I still see the student folder >> in the document and settings on the local machine. >> I verified that the GPO is functional via the gpresult /v. > > Try looking in rsop.msc and check the event logs for errors. > > ....but since this is a mandatory profile, and local changes will never be > uploaded (because there aren't any), why bother with this? Because everytime a new student logs on a local profile is created. So one computer will have 50 Plus profiles. > > >> >> "Lanwench [MVP - Exchange]" >> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in >> message news:%23c6yzuMaIHA.1212@TK2MSFTNGP05.phx.gbl... >>> Will Sellers <willsellers@verizon.net> wrote: >>>> I have a mandatory profile setup for my student group. >>>> I have copied a common profile that all students will see when they >>>> log on. I renamed the ntuser.dat to ntuser.man. >>>> All students have the profile defined in their AD profile path. >>>> >>>> In my profile I have administrator and students defined in the >>>> security and permissions. >>> >>> What permissions are they? >>> >>> Share permissions should be everyone=full control >>> NTFS permissions should be Administrators, System, and <users>= full >>> control >>> >>>> >>>> When I look at the profile I can see the ntuser.man but somehow >>>> another ntuser.dat is being created. >>> >>> Check out the event logs on the workstation. >>> >>>> How can I prevent that from happening? >>>> >>>> Is there a way to prevent the creation of a local profile on the >>>> desktop? >>> >>> No - everyone will have a locally *cached* profile, even with a >>> roaming/mandatory profile. But you can control whether it *stays* on >>> the workstation via group policy. > > >
Guest Lanwench [MVP - Exchange] Posted February 7, 2008 Posted February 7, 2008 Re: mandatory profile problem Will Sellers <willsellers@verizon.net> wrote: > "Lanwench [MVP - Exchange]" > <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in > message news:uPls68RaIHA.5784@TK2MSFTNGP03.phx.gbl... >> Will Sellers <willsellers@verizon.net> wrote: >>> I resolved all issues with mandatory profiles except the delete >>> cached profile. >>> I did enable "delete cached profiles" in the GPO for students. >>> However, after I log off as a student I still see the student folder >>> in the document and settings on the local machine. >>> I verified that the GPO is functional via the gpresult /v. >> >> Try looking in rsop.msc and check the event logs for errors. >> >> ....but since this is a mandatory profile, and local changes will >> never be uploaded (because there aren't any), why bother with this? > > Because everytime a new student logs on a local profile is created. > So one computer will have 50 Plus profiles. But they're all using the same profile, aren't they? If not, I've misunderstood. Yes, you may want to purge the cached profiles then. I run delprof in a batch file as a scheduled task (specifying a list of computernames) daily, deleting old roaming profiles older than X days on all computers, on some of the networks I support. Login/logout is much easier when there's a cached copy already. You don't really need to be using roaming profiles (mandatory or no) at all, though, as mentioned prior. You can lock down many many things via GPO, etc., and not giving users anything other than limited user rights. > >> >> >>> >>> "Lanwench [MVP - Exchange]" >>> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in >>> message news:%23c6yzuMaIHA.1212@TK2MSFTNGP05.phx.gbl... >>>> Will Sellers <willsellers@verizon.net> wrote: >>>>> I have a mandatory profile setup for my student group. >>>>> I have copied a common profile that all students will see when >>>>> they log on. I renamed the ntuser.dat to ntuser.man. >>>>> All students have the profile defined in their AD profile path. >>>>> >>>>> In my profile I have administrator and students defined in the >>>>> security and permissions. >>>> >>>> What permissions are they? >>>> >>>> Share permissions should be everyone=full control >>>> NTFS permissions should be Administrators, System, and <users>= >>>> full control >>>> >>>>> >>>>> When I look at the profile I can see the ntuser.man but somehow >>>>> another ntuser.dat is being created. >>>> >>>> Check out the event logs on the workstation. >>>> >>>>> How can I prevent that from happening? >>>>> >>>>> Is there a way to prevent the creation of a local profile on the >>>>> desktop? >>>> >>>> No - everyone will have a locally *cached* profile, even with a >>>> roaming/mandatory profile. But you can control whether it *stays* >>>> on the workstation via group policy.
Guest Will Sellers Posted February 8, 2008 Posted February 8, 2008 Re: mandatory profile problem "Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message news:OdS7lMZaIHA.5088@TK2MSFTNGP06.phx.gbl... > Will Sellers <willsellers@verizon.net> wrote: >> "Lanwench [MVP - Exchange]" >> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in >> message news:uPls68RaIHA.5784@TK2MSFTNGP03.phx.gbl... >>> Will Sellers <willsellers@verizon.net> wrote: >>>> I resolved all issues with mandatory profiles except the delete >>>> cached profile. >>>> I did enable "delete cached profiles" in the GPO for students. >>>> However, after I log off as a student I still see the student folder >>>> in the document and settings on the local machine. >>>> I verified that the GPO is functional via the gpresult /v. >>> >>> Try looking in rsop.msc and check the event logs for errors. >>> >>> ....but since this is a mandatory profile, and local changes will >>> never be uploaded (because there aren't any), why bother with this? >> >> Because everytime a new student logs on a local profile is created. >> So one computer will have 50 Plus profiles. > > But they're all using the same profile, aren't they? If not, I've > misunderstood. Yes, you may want to purge the cached profiles then. The purpose of the mandatory profile is to present a desktop with icons etc that is common to all users. By default windows creates a profile for ever user that logons on to that machine, Which is the problem. I prefer to use the gpo to delete profiles , but that is not working. I am considering the use of the registry entry to make this happen. > > I run delprof in a batch file as a scheduled task (specifying a list of > computernames) daily, deleting old roaming profiles older than X days on > all computers, on some of the networks I support. Login/logout is much > easier when there's a cached copy already. > > You don't really need to be using roaming profiles (mandatory or no) at > all, though, as mentioned prior. You can lock down many many things via > GPO, etc., and not giving users anything other than limited user rights. >> >>> >>> >>>> >>>> "Lanwench [MVP - Exchange]" >>>> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in >>>> message news:%23c6yzuMaIHA.1212@TK2MSFTNGP05.phx.gbl... >>>>> Will Sellers <willsellers@verizon.net> wrote: >>>>>> I have a mandatory profile setup for my student group. >>>>>> I have copied a common profile that all students will see when >>>>>> they log on. I renamed the ntuser.dat to ntuser.man. >>>>>> All students have the profile defined in their AD profile path. >>>>>> >>>>>> In my profile I have administrator and students defined in the >>>>>> security and permissions. >>>>> >>>>> What permissions are they? >>>>> >>>>> Share permissions should be everyone=full control >>>>> NTFS permissions should be Administrators, System, and <users>= >>>>> full control >>>>> >>>>>> >>>>>> When I look at the profile I can see the ntuser.man but somehow >>>>>> another ntuser.dat is being created. >>>>> >>>>> Check out the event logs on the workstation. >>>>> >>>>>> How can I prevent that from happening? >>>>>> >>>>>> Is there a way to prevent the creation of a local profile on the >>>>>> desktop? >>>>> >>>>> No - everyone will have a locally *cached* profile, even with a >>>>> roaming/mandatory profile. But you can control whether it *stays* >>>>> on the workstation via group policy. > > >
Guest Lanwench [MVP - Exchange] Posted February 9, 2008 Posted February 9, 2008 Re: mandatory profile problem Will Sellers <willsellers@verizon.net> wrote: > "Lanwench [MVP - Exchange]" > <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in > message news:OdS7lMZaIHA.5088@TK2MSFTNGP06.phx.gbl... >> Will Sellers <willsellers@verizon.net> wrote: >>> "Lanwench [MVP - Exchange]" >>> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in >>> message news:uPls68RaIHA.5784@TK2MSFTNGP03.phx.gbl... >>>> Will Sellers <willsellers@verizon.net> wrote: >>>>> I resolved all issues with mandatory profiles except the delete >>>>> cached profile. >>>>> I did enable "delete cached profiles" in the GPO for students. >>>>> However, after I log off as a student I still see the student >>>>> folder in the document and settings on the local machine. >>>>> I verified that the GPO is functional via the gpresult /v. >>>> >>>> Try looking in rsop.msc and check the event logs for errors. >>>> >>>> ....but since this is a mandatory profile, and local changes will >>>> never be uploaded (because there aren't any), why bother with this? >>> >>> Because everytime a new student logs on a local profile is created. >>> So one computer will have 50 Plus profiles. >> >> But they're all using the same profile, aren't they? If not, I've >> misunderstood. Yes, you may want to purge the cached profiles then. > The purpose of the mandatory profile is to present a desktop with > icons etc that is common to all users. > By default windows creates a profile for ever user that logons on to > that machine, Which is the problem. Not if you use roaming profiles & folder redirection - they needn't be mandatory ;) > > I prefer to use the gpo to delete profiles , but that is not working. OK. I suggest you post in microsoft.public.windows.group_policy and explain what's happening when you try. > I am considering the use of the registry entry to make this happen. > >> >> I run delprof in a batch file as a scheduled task (specifying a list >> of computernames) daily, deleting old roaming profiles older than X >> days on all computers, on some of the networks I support. >> Login/logout is much easier when there's a cached copy already. >> >> You don't really need to be using roaming profiles (mandatory or no) >> at all, though, as mentioned prior. You can lock down many many >> things via GPO, etc., and not giving users anything other than >> limited user rights. >>> >>>> >>>> >>>>> >>>>> "Lanwench [MVP - Exchange]" >>>>> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote >>>>> in message news:%23c6yzuMaIHA.1212@TK2MSFTNGP05.phx.gbl... >>>>>> Will Sellers <willsellers@verizon.net> wrote: >>>>>>> I have a mandatory profile setup for my student group. >>>>>>> I have copied a common profile that all students will see when >>>>>>> they log on. I renamed the ntuser.dat to ntuser.man. >>>>>>> All students have the profile defined in their AD profile path. >>>>>>> >>>>>>> In my profile I have administrator and students defined in the >>>>>>> security and permissions. >>>>>> >>>>>> What permissions are they? >>>>>> >>>>>> Share permissions should be everyone=full control >>>>>> NTFS permissions should be Administrators, System, and <users>= >>>>>> full control >>>>>> >>>>>>> >>>>>>> When I look at the profile I can see the ntuser.man but somehow >>>>>>> another ntuser.dat is being created. >>>>>> >>>>>> Check out the event logs on the workstation. >>>>>> >>>>>>> How can I prevent that from happening? >>>>>>> >>>>>>> Is there a way to prevent the creation of a local profile on the >>>>>>> desktop? >>>>>> >>>>>> No - everyone will have a locally *cached* profile, even with a >>>>>> roaming/mandatory profile. But you can control whether it *stays* >>>>>> on the workstation via group policy.
Recommended Posts