Use mandatory profiles on the RD Session Host server

remote-desktop profile windows-server-2008-r2

I want to configure my Windows Server 2008 servers like this. A user logs on, they load a profile that has been configured for that server and no changes can be made to the profile.

I want to do this is with a mandatory profile, and 2 policies: "Use mandatory profiles on the RD Session Host server" and "Set path for Remote Desktop Services User Profile"

So for each server, I log on, create a profile, save it as a mandatory profile, enable both policies, and in "Set path for Remote Desktop Services User Profile" I set the path to the previously saved mandatory profile.

I've tested this, and it doesn't work. When I log on to the server using RDP, it loads the local default profile. When I log off it saves the profile in the usual location, C:\Users, and I can make changes which are then saved to the profile. It's as if the policy setting hasn't been applied, but when I view rsop I can see that the policy IS applied. There are no errors when logging on or in event viewer.

Can anyone offer any ideas why it's not working?


Possible errors you made or missed

  1. The profile must be allowed to read by Authenticated Users (Apply file security reucrsively to profile folder)
  2. The profile folder must be named C:\Users\MandatoryUser.V2 ( and the Set path for Remote Desktop Services User Profile must be C:\Users\MandatoryUser without .V2 for Windows Server 2008 and higher.
  3. MandatoryUser is just an example username.
  4. You must open RegEdit and Load Mandatory user's ntuser.dat file into (Click HKEY_USERS, Click File-Load Hive), then set security on loaded hive to Authenticated Users:Full Control
  5. You must rename mandatory user ntuser.dat to ntuser.man
  6. (!) You need to delete users who previously logged on to server before let them use mandatory profile: delete c:\users\username, delete them from registry ( Delete hive HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<user's SID>. Here you can look through all hives to find ProfileImagePath that corresponds to your user)
  7. The mandatory profile is recreated when user makes LogOn! When user is logged on,and after user logs off, it acts like a normal profile.
  8. In System Properties\Advanced\User Profiles mandatory profiles are marked as Mandatory.

Here is one of the best guides about mandatory profiles. It has some security issues, but as a beginning is very good

Related

How do I enable SAML Passive Authentication in ADFS 3.0?
nginx reverse proxy not passing requests
POST of MTU + ~798 bytes gets lost
Puppet: Can't manually generate cert and issue cert request over API
Linux Authentication by Active Directory without joining to domain
What should an s3 end point look like when configuring an ALIAS record in Route53?
How to Configure A Software Update Baseline in SCCM 2012
BITS policies to limit bandwitdth usage is not taking effect
How to detect virtual machines freezes
vSphere/ESX How to log migration event to guest Windows OS
Load balancing network traffic using iptables
Which kjournald process belongs to which filesystem?