Implementing Mandatory Roaming Profiles
Pages: 1, 2
Making the Profile Mandatory
"The next step in creating your profile is the actual process of making it mandatory and therefore unchangeable. This can be done by browsing to the location of your saved profile on the server and locating the NTUSER.dat file (make sure hidden files are set to be visible). Once you have located this file, you can simply rename it to NTUSER.man to make it mandatory.
Configuring the User Accounts
"The last remaining step is to configure your user accounts to utilize the mandatory profile we have set up. In order to accomplish this, we must begin in the Active Directory Users and Computers MMC snap-in. Once you have this open, navigate to one of the user accounts you want to utilize the mandatory profile. Once you have located this user, right-click on their name and select "Properties." Navigate to the "Profile" tab and locate the "Profile Path" box, and type the UNC path to the folder where the mandatory profile is located and click "OK" (Figure 3). You can then proceed to do this to every account that will be accessing this profile.
Figure 3: Setting a user account to point to the mandatory profile
"With those steps completed, you have successfully set up mandatory profiles for your user population. You should now no longer have to worry about users changing their profile settings.
Mandatory Profile Best Practices
"When dealing with mandatory profiles, there is a common misconception that they are often more trouble than they are worth. The problem lies in the fact that so many things can have an effect on your mandatory profile setup. This being said, there are some practices you will want to keep in mind when managing your network to make sure your mandatory profile implementation works without a hitch.
"The problem that most network administrators commonly see is slow performance when loading a user's mandatory profile. The main cause of this is usually a bloated base profile. If you load up your base profile with tons of files and data, this will cause the profile to grow in size, which can cause a large time delay when transferring the profile from server to client. If you must have this much data available to users, it is best to find another method of delivery, such as a mapped network drive to a shared storage location.
"Along with the concerns of performance, sometimes administrators can be thrown for a loop when previously utilized features don't work or cause problems after implementing mandatory profiles. A good example of this is use of the Encrypted File System (EFS). EFS is something that is not supported for use with mandatory or roaming profiles.
"Finally, we need to consider security when implementing mandatory profiles. The main focus of security in this case is the folder storing the mandatory profile. This folder contains the data that will be transferred to every workstation a mandatory profile user logs into. Therefore, it is extremely important that it be secure. The best way to secure this folder, as with any other network resource, is through NTFS permissions. You should make sure that your base profile folder resides on a server that utilizes NTFS, and develop a strong permissions policy for these folders."
Here are some additional resources you may want to review before implementing mandatory roaming profiles in your own networking environment:
- Using Preconfigured Roaming Profiles
- How to configure a user account to use a roaming user profile in Windows Server 2003, Windows 2000 Server, or Windows NT 4.0
- HOW TO: Switch Between a Local and Roaming User Profile on a Mobile Windows XP-Based Computer
- How To Create a Roaming User Profile in Windows Server 2003
- How to assign a mandatory user profile in Windows XP
Return to the Windows DevCenter.