Windows OS Hub


March 12, 2019 Windows 10

Using Mandatory (Read-Only) User Profiles in Windows 10

A mandatory user profile is a special pre-configured type of roaming user profile that can be changed only by administrators. Users who have been assigned a mandatory profile can work in Windows as usual during the logon session, but no changes are saved to the profile after the user logs off. At the next logon, the mandatory profile is loaded unchanged.

A directory with the mandatory profile can be located on a network shared folder and assigned to multiple domain users at once: for example, to terminal server (RDS) users, information kiosks, or users who don’t need a personal profile (schoolchildren, students, visitors). The administrator can configure folder redirection for mandatory profiles so that users keep their personal files on file servers (it is recommended to enable disk quotas, using NTFS quotas or FSRM, to prevent users from filling the redirected folders with unimportant files).

Contents:
  • Types of Mandatory User Profiles in Windows
  • How to Create a Mandatory User Profile in Windows 10
  • How to Assign a Mandatory Profile to Users

Types of Mandatory User Profiles in Windows

There are two types of mandatory user profiles in Windows:

  • A normal mandatory user profile – an administrator renames the file NTuser.dat (the file that stores the user registry hive, loaded at logon as HKEY_CURRENT_USER) to NTuser.man. When the profile contains NTuser.man, the system treats it as read-only and doesn’t save any changes to it. If the mandatory profile is stored on a remote server and the server becomes unavailable, users can log on with a locally cached copy of the mandatory profile;
  • A super-mandatory user profile – the directory that contains the user profile is renamed so that its name ends in .man. Users with this profile type cannot log on at all if the server on which their profile is stored is unavailable.

Mandatory profiles can also be used for local users, for example on public computers (kiosks, meeting rooms, etc.) instead of a Unified Write Filter (UWF). Every user works in the same environment and no changes are saved at logoff. Keep in mind that only the profile is discarded: anything the user can write outside the profile folder during the session (a local data drive, a shared folder) persists, so a mandatory profile complements NTFS permissions and a write filter rather than replacing them.

Below we show how to create a normal mandatory profile in Windows 10 and assign it to a user. In this example the mandatory user profile is created on a local computer (the profile is stored on the local drive), but we also explain how to assign a mandatory user profile to domain accounts.

How to Create a Mandatory User Profile in Windows 10

  1. Log on to the computer with an administrator account and open the Local Users and Groups console (lusrmgr.msc);
  2. Create a new account, for example, ConfRoom;
  3. Now copy the default profile to a separate directory whose name carries the profile version suffix. Windows 10 1607 and later (this example uses 1703) use the V6 suffix, so the folder will be named C:\ConfRoom.V6;
  4. Open the System Properties (SystemPropertiesAdvanced.exe);
  5. In the User Profiles section, click Settings;
  6. Select the Default Profile and click Copy To;
  7. Specify C:\ConfRoom.V6 as the destination folder (or copy the profile template to a network shared folder on the file server by specifying a UNC path, for example, \\lon-fs01\profiles\ConfRoom.V6);
  8. Under “Permitted to use”, select NT AUTHORITY\Authenticated Users.
Tip. In Windows 10 1709 and newer builds the Copy To dialog has a separate “Mandatory profile” option. When it is used, the selected group of users automatically gets read-only NTFS permissions on the folder.

How to Assign a Mandatory Profile to Users

Now you can assign the mandatory profile to the user you want.

If you are using a local mandatory profile, open the Profile tab of the user properties and specify the path to the C:\ConfRoom.V6 directory in the Profile path field.

If you configure a roaming mandatory user profile in the AD domain, you need to specify the UNC path to the directory with the profile in the account properties in the ADUC console.


Then log on with the new user account and configure everything the users need (appearance, shortcuts, required files, software settings, etc.).

Tip. You cannot use XML files to configure the Start layout and the taskbar for roaming profiles.

End the user session and log on with the administrator account. Then rename NTUSER.DAT to NTUSER.MAN in the user profile folder.

Now log on as the user with the mandatory profile and make sure that after you log off no changes are saved in the profile.
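The account, profile path and lock/unlock steps above as a script. This is an added example, not code from the original article: it assumes the default profile has already been copied to C:\ConfRoom.V6 with the Copy To dialog (which also sets the NTFS permissions), and the account name, folder and hypothetical domain path are placeholders. Run it from an elevated PowerShell prompt on the Windows 10 computer.

```powershell
# Added example (not from the original article). Assumptions: local account
# 'ConfRoom', template already copied to C:\ConfRoom.V6 by the Copy To dialog.
$UserName    = 'ConfRoom'
$ProfilePath = 'C:\ConfRoom.V6'

function New-MandatoryProfileUser {
    param([string]$Name, [string]$Path)
    # 1. Local account (lusrmgr.msc equivalent). A standard user is enough; never
    #    put a kiosk account into Administrators, or the user can edit the template,
    #    rename NTUSER.MAN back, or change the profile path.
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString -Prompt "Password for $Name"
        New-LocalUser -Name $Name -Password $pw -PasswordNeverExpires | Out-Null
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }
    # 2. Profile tab -> Profile path. New-/Set-LocalUser do not expose this
    #    attribute, so use the WinNT ADSI provider. For a domain account you would
    #    set it in ADUC or with Set-ADUser -ProfilePath instead; for AD roaming
    #    profiles Windows appends the .V6 suffix itself, so the AD path omits it.
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $adsi.Put('Profile', $Path)
    $adsi.SetInfo()
}

function Lock-MandatoryProfile {
    param([string]$Path)
    # 3. After the single configuration logon, renaming the registry hive to
    #    NTUSER.MAN makes the User Profile Service treat the profile as read-only.
    #    NTUSER.DAT is hidden+system, hence -Force on Get-Item.
    $dat = Get-Item -LiteralPath (Join-Path $Path 'NTUSER.DAT') -Force -ErrorAction Stop
    Rename-Item -LiteralPath $dat.FullName -NewName 'NTUSER.MAN'
}

function Unlock-MandatoryProfile {
    param([string]$Path)
    # Reverse of Lock-MandatoryProfile: make the template editable again, then
    # log on as the user, change what is needed, log off and lock it again.
    $man = Get-Item -LiteralPath (Join-Path $Path 'NTUSER.MAN') -Force -ErrorAction Stop
    Rename-Item -LiteralPath $man.FullName -NewName 'NTUSER.DAT'
}

function Test-MandatoryProfile {
    param([string]$Path)
    # State check: which hive file the folder holds and whether it is locked.
    $hive = Get-ChildItem -LiteralPath $Path -Force |
            Where-Object Name -in 'NTUSER.DAT', 'NTUSER.MAN'
    [pscustomobject]@{
        Profile   = $Path
        HiveFile  = $hive.Name
        Mandatory = ($hive.Name -eq 'NTUSER.MAN')
    }
}

# Usage: run phase 1, log on as ConfRoom and configure the environment, log off,
# then run phase 2 from the administrator session.
# Phase 1: New-MandatoryProfileUser -Name $UserName -Path $ProfilePath
# Phase 2: Lock-MandatoryProfile -Path $ProfilePath; Test-MandatoryProfile -Path $ProfilePath
```

The lock and unlock steps are split into separate functions because the hive can only be renamed while the user is logged off; running them in one pass with the account creation would rename a hive the user has not configured yet.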

If you get the following error when logging on with the mandatory user profile:

The User Profile Service service failed the sign-in. User profile cannot be loaded.

and the following event appears in the System log:

Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.

make sure that the following permissions are assigned to the profile directory (and inherited by all child objects):

  • ALL APPLICATION PACKAGES – Full Control (the Start menu does not work correctly without it);
  • Authenticated Users – Read and Execute;
  • SYSTEM – Full Control;
  • Administrators – Full Control.

The same permissions must be assigned to the user registry hive: load the ntuser.dat file with File -> Load Hive in regedit.exe, set the permissions on the loaded key, then unload it.

When using roaming profiles, for the Start menu to be displayed correctly on all devices, set the REG_DWORD value SpecialRoamingOverrideAllowed = 1 under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer.
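The permission checks and the registry hive step as a script. This is an added example, not code from the original article: it applies the ACL listed above to the profile folder and, via a temporary hive mount (the regedit Load Hive step), to the user hive, and sets the Start menu override. The folder path and the temporary hive name MandatoryTmp are placeholders. Run it elevated while the ConfRoom user is logged off, otherwise the hive file is locked and reg load fails.

```powershell
# Added example (not from the original article). Assumptions: profile folder
# C:\ConfRoom.V6, temporary hive mount point HKEY_USERS\MandatoryTmp.
$ProfilePath = 'C:\ConfRoom.V6'
$TempHive    = 'MandatoryTmp'

# The ACL the User Profile Service expects, with the registry equivalent of each right.
$Required = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';                                    Fs = 'FullControl';    Reg = 'FullControl' }
    @{ Id = 'BUILTIN\Administrators';                                 Fs = 'FullControl';    Reg = 'FullControl' }
    @{ Id = 'NT AUTHORITY\Authenticated Users';                       Fs = 'ReadAndExecute'; Reg = 'ReadKey'     }
    @{ Id = 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'; Fs = 'FullControl';    Reg = 'FullControl' }
)

function Test-ProfileFolderAcl {
    param([string]$Path)
    # Reports the owner (must be the user or Administrators, per the event text)
    # and whether each required inheritable Allow ACE is present. Changes nothing.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($r in $Required) {
        $want = [System.Security.AccessControl.FileSystemRights]$r.Fs
        $hit = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $r.Id -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $want) -eq $want -and
            $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit'
        }
        [pscustomobject]@{ Identity = $r.Id; Rights = $r.Fs; Present = [bool]$hit; Owner = $acl.Owner }
    }
}

function Set-ProfileHiveAcl {
    param([string]$Path)
    # Load whichever hive file the profile currently has (NTUSER.DAT while editable,
    # NTUSER.MAN once locked) under HKEY_USERS, replace its ACL, and unload it.
    $hiveFile = Get-ChildItem -LiteralPath $Path -Force |
                Where-Object Name -in 'NTUSER.DAT', 'NTUSER.MAN' | Select-Object -First 1
    if (-not $hiveFile) { throw "No NTUSER.DAT or NTUSER.MAN found in $Path" }
    & reg.exe load "HKU\$TempHive" $hiveFile.FullName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg load failed: is the user still logged on?' }
    try {
        $key = "Registry::HKEY_USERS\$TempHive"
        $acl = Get-Acl -Path $key
        $acl.SetAccessRuleProtection($true, $false)           # drop inherited ACEs
        foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
        foreach ($r in $Required) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
                $r.Id, $r.Reg, 'ContainerInherit', 'None', 'Allow')))
        }
        Set-Acl -Path $key -AclObject $acl
    } finally {
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()    # release handles on the hive
        & reg.exe unload "HKU\$TempHive" | Out-Null
    }
}

function Enable-StartMenuRoaming {
    # HKLM\...\Explorer\SpecialRoamingOverrideAllowed = 1 (REG_DWORD), as in the article.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    New-ItemProperty -Path $key -Name 'SpecialRoamingOverrideAllowed' -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $key -Name 'SpecialRoamingOverrideAllowed').SpecialRoamingOverrideAllowed
}

# Usage:
# Test-ProfileFolderAcl -Path $ProfilePath | Format-Table -AutoSize
# Set-ProfileHiveAcl -Path $ProfilePath
# Enable-StartMenuRoaming
```

Test-ProfileFolderAcl only reports; if an entry shows Present = False, fix the folder with icacls or the Security tab and re-run it, then apply the hive ACL. The explicit unload in the finally block matters: a hive left mounted under HKEY_USERS keeps the file open and the next logon with that profile fails.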

If you need to make changes to a mandatory profile, rename ntuser.man back to ntuser.dat, log on as the user and configure the environment, then rename the file again.

When using mandatory profiles on RDS servers, you can use the following Group Policy settings to specify the path to the profile directory and enable mandatory profiles. The GPO section is: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Profiles.

  1. Use mandatory profiles on the RD Session Host server = Enabled;
  2. Set path for Remote Desktop Services Roaming User Profile = Enabled + specify the UNC path.

Note that if you decide to use folder redirection together with a mandatory profile, it is not recommended to redirect the AppData (Roaming) folder.


@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins

