Use mandatory profiles on the RD Session Host server
I want to configure my Windows Server 2008 servers like this. A user logs on, they load a profile that has been configured for that server and no changes can be made to the profile.
I want to do this with a mandatory profile, and 2 policies: "Use mandatory profiles on the RD Session Host server" and "Set path for Remote Desktop Services User Profile".
So for each server, I log on, create a profile, save it as a mandatory profile, enable both policies, and in "Set path for Remote Desktop Services User Profile" I set the path to the previously saved mandatory profile.
I've tested this, and it doesn't work. When I log on to the server using RDP, it loads the local default profile. When I log off it saves the profile in the usual location, C:\Users, and I can make changes which are then saved to the profile. It's as if the policy setting hasn't been applied, but when I view rsop I can see that the policy IS applied. There are no errors when logging on or in event viewer.
Can anyone offer any ideas why it's not working?
Possible errors you made or missed
- The profile must be readable by Authenticated Users (apply file security recursively to the profile folder).
- The profile folder must be named C:\Users\MandatoryUser.V2 (and the "Set path for Remote Desktop Services User Profile" must be C:\Users\MandatoryUser without .V2) for Windows Server 2008 and higher.
- MandatoryUser is just an example username.
- You must open RegEdit and load the mandatory user's ntuser.dat file into it (click HKEY_USERS, click File - Load Hive), then set security on the loaded hive to Authenticated Users: Full Control.
- You must rename the mandatory user's ntuser.dat to ntuser.man.
- (!) You need to delete users who previously logged on to the server before letting them use the mandatory profile: delete c:\users\username, and delete them from the registry (delete the hive HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<user's SID>. Here you can look through all hives to find the ProfileImagePath that corresponds to your user).
- The mandatory profile is recreated when the user logs on! When the user is logged on, and after the user logs off, it acts like a normal profile.
- In System Properties\Advanced\User Profiles, mandatory profiles are marked as Mandatory.
Here is one of the best guides about mandatory profiles. It has some security issues, but as a beginning it is very good.
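A read-only PowerShell check for the file and registry items in the answer above, added here as an example and not part of the original post. It assumes the answer's example path C:\Users\MandatoryUser; the function names Test-MandatoryProfile and Get-LocalProfileEntry are made up for this example. It does not load the hive, so the hive permission step is not checked.

```powershell
# Added example: read-only check of a mandatory profile against the answer's list.
# $PolicyPath is the value typed into "Set path for Remote Desktop Services
# User Profile" (no .V2 suffix). MandatoryUser is the answer's example name.
param([string]$PolicyPath = 'C:\Users\MandatoryUser')

function Test-MandatoryProfile {
    param([string]$PolicyPath)
    $folder = "$PolicyPath.V2"   # the folder on disk carries the .V2 suffix
    $checks = @{
        '1 Policy path has no .V2 suffix' = ($PolicyPath -notmatch '\.V2$')
        '2 Profile folder <path>.V2 exists' = (Test-Path -LiteralPath $folder -PathType Container)
        '3 ntuser.man present' = (Test-Path -LiteralPath (Join-Path $folder 'ntuser.man'))
        '4 ntuser.dat no longer present' = (-not (Test-Path -LiteralPath (Join-Path $folder 'ntuser.dat')))
        '5 Authenticated Users has a read ACE' = $false
    }
    if ($checks['2 Profile folder <path>.V2 exists']) {
        # Looks only for an allow ACE that names Authenticated Users (S-1-5-11)
        # on the folder itself; access granted through another group is not
        # counted, and child items are not walked.
        $read  = [int][System.Security.AccessControl.FileSystemRights]::Read
        $rules = (Get-Acl -Path $folder).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        $hit = $rules | Where-Object {
            $_.IdentityReference.Value -eq 'S-1-5-11' -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $read) -eq $read)
        }
        $checks['5 Authenticated Users has a read ACE'] = [bool]$hit
    }
    $checks.GetEnumerator() | Sort-Object Name | ForEach-Object {
        New-Object PSObject -Property @{ Check = $_.Name; Passed = $_.Value }
    }
}

function Get-LocalProfileEntry {
    # Lists ProfileList entries for user accounts (S-1-5-21-*), so leftover
    # local profiles from earlier logons can be spotted. Nothing is deleted.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $key | Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
        ForEach-Object {
            $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
            New-Object PSObject -Property @{
                Sid              = $_.PSChildName
                ProfileImagePath = $path
                FolderExists     = [bool]($path -and (Test-Path -LiteralPath $path))
            }
        }
}

Test-MandatoryProfile -PolicyPath $PolicyPath | Format-Table Check, Passed -AutoSize
Get-LocalProfileEntry | Format-Table Sid, ProfileImagePath, FolderExists -AutoSize
```

Run it from an elevated prompt on the RD Session Host, passing the path you entered in the policy if it differs from the example.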