imageIn this blog post I’m trying to explain how-to create a mandatory profile for Server 2012 and Windows 8. This is only for a clean windows installation. The Microsoft best practices are saying that you need to update the Mandatory profile after each software installation/update on the system.

The Test User

First we create a user named: Manny. This user is used to create the profile. You can name it any way you want. Don’t give it any profile. You can create a local user, but my test machine is also a domain controller, so I only can create an AD user.

image image

Login with Manny and customize the environment. (Don’t forget to remove the PowerShell and Server Manager pinned icons in the taskbar).

image

Now logoff Manny. (Click in the upper right corner on the user name Winking smile)

Create The Mandatory Profile Folder

Log back in with an Administrator. Copy the Manny profile to you profile share on the network. Rename the folder into: Mandatory.v2 (or any other name you like). The .v2 must be added because Windows Server 2012 and Windows 8 make use of the .v2 type profiles. (Like Windows 7 and 2008 R2)

Load The Profile Into The Registry To Edit It

Start regedit and open the: ntuser.dat from the profile.

image image

image image

Set The Registry Permissions

Open the permissions of the Manny profile. Remove Manny and the Administrators group. Add authenticated users, full control. The permissions would look like this:

image

I always check, under advanced, “replace all child object permissions entries with inheritable permissions”. Now, for VDI environments this works good. But in RDS environments the same users on the system could access the registry of other users. This can be locked down with subinacl.exe. This will be another blog post soon Winking smile

Registry Changes

Search the registry for Manny en clean those value’s or change the type from REG_SZ to REG_EXPAND_SZ and add the value %USERNAME%

Delete all policies: Manny\Software\Microsoft\Windows\CurrentVersion\Policies and Manny\Software\Policies

Check: Manny\Software\Microsoft\Windows\CurrentVerion\Run and RunOnce if they are empty. Things that have to start at logon must be started via other methods like logon script/RES WorkSpace Manager/AppSense

The value’s in Manny\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders should not be touched. Because on top of that key there is a line saying: DO NOT USE THIS REGISTRY KEY. But you can change this value’s to %USERPROFILE%\etc. I had some issue’s with applications which use this key and can’t handle the variable. Then you can try to change to REG_EXPAND_SZ or contact the vendor. Because applications should not use this key anymore. Read this blog: http://blogs.msdn.com/b/oldnewthing/archive/2003/11/03/55532.aspx

Unload The Profile

Unload the profile and close the registry editor.

Open explorer and navigate to the profile. Delete the log and TM files.

image

Rename the NTUSER.DAT file to NTUSER,MAN. The profile should look like this:

image

Delete Profile Files

Delete the Local and LocalLow directory from the AppData directory.

image

Windows Explorer Libraries

To get the Libraries working we have to edit some XML files. Open the following file in notepad: Mandatory.V2\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

Remove the lines with ownerSID and serialized. The XML should look like this:

image

The last searchConnectorDescription is the public folder on a system. If you don’t want users to use this library simply remove that element. then the XML would look like this:

image

This link to the microsoft site will explain all folders: http://msdn.microsoft.com/en-us/library/windows/desktop/dd940483(v=vs.85).aspx

Do the same for Music.Library-ms, Pictures.Library-ms and Videos.Library-ms

Windows Explorer Favorites (Links)

Navigate to the Links folder in the root of the Mandatory profile. The Links folder contains Shortcuts which are presented at the top of the Windows Explorer window under Favorites. Don’t mix them with Internet Explorer Favorites.  Open the properties of the Desktop shortcut. Change the target to %USERPROFILE%\Desktop

image

Do the same for the Download. (Recent Places, can’t be edited).

Assign The Mandatory Profile To A Test User

Now open the properties of a test account and add the mandatory profile. Don’t add the .v2, Windows will add that automatically.

image

Of course in a real production environment you would set the mandatory profile with a GPO.

Taskbar Pinned Icons

The pinned icons in the taskbar are stored in the following locations:

File: %AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Taskbar
Registry: HKCU\Sotware\Microsoft\Windows\CurrentVerion\Explorer\Taskband

That registry key is not easy editable. Use your profile management software to roam these settings. And remove the Server Management and PowerShell icons while creating the default profile Winking smile

Tips

These tricks also work on Windows 7 and Windows Server 2008 R2 Winking smile

The Active Setup is still in this profile. There will be a post update soon Winking smile


19 Comments

Callum · August 16, 2012 at 22:02

Hi, I followed this guide and my profile worked fine using the Windows 8 Enterprise Preview but since installing the final build as soon as I login I get signed back out.

Any chance of an update one the post?

Thanks

    Jeroen · August 21, 2012 at 08:04

    It is on my to do list 😉 Thanks for mention.

    Jeroen · February 25, 2013 at 18:48

    Hello Callum, did you solve the problem with the login with the final build?

    best regards

      Marian · August 4, 2014 at 14:48

      Thanks for the guide!

      Anyway, i have the same problem as Callum and Jeroen.
      Windows 8.1 Enterprise + Windows Server 2012R2.

        Oleh Demchenko · October 20, 2014 at 21:10

        I used this guide and got similar issues. Event log showed the warning message on user’s log off 4006: The Windows logon process has failed to spawn a user application. Application name: . Command line parameters: C:Windowssystem32userinit.exe.

        Fixed it by loading hive of NTUSER.MAN again and changing permissions for that hive in Advanced to replace it for all child entries.
        Authenticated Users permissions were not set on many subentries, that caused this problem.

Bart · January 2, 2013 at 14:04

Looking forward into the Active Setup post.
We’ve set IsInstalled to 0 for all keys, on both HKLM…InstalledComponents and HKCU…InstalledComponents. Except the Desktop Update keys. Looks like these are needed for the ‘Taskbar Pinned Icons’.

Roland · April 6, 2013 at 19:48

Hi. I’ve tried this and although in general it appears to work I did not find any xml files in the appdata areas where you show in these instructions.
I also found that when I log on as the user when I’ve finally got it all set up, I can only see the desktop, internet explorer and the store tiles. All the ones I setup for the profile have gone.
I’m sure it’s something I’ve missed. Any ideas? Thanks
Rol

Jeroen Tielen · April 11, 2013 at 07:48

Guys, I’m currently very busy so don’t have much time doing research/playing around. Hope you understand this.

eyecantw8 · December 19, 2013 at 07:05

Hi Jeroen, I’ve distilled this from MS:

to solve incompatibility issues with man or roaming profiles betw. win7 and win8/8.1

you’ll need this KB “Windows8.1-KB2887595-v2-x64.msu” for a 64bit OS, install it then

on the client add this reg.

—-

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesProfSvcParameters]
“UseProfilePathExtensionVersion”=dword:00000001

—-

reboot machine and use this machine and relevant user to build your man profile [you will see ‘Profile.V4’]

beranmuden · January 22, 2015 at 13:50

Hey buddy,

If you delete the AppdataLocal directory, keep in mind you might get into trouble if you want to create specific File Associations for your Mandatory User.

These are normally stored in the registry, but also in the file UsrClass.dat which resides in the LocalMicrosoftWindows folder.

Grtz, from !vent 😉

Bart · March 5, 2015 at 10:06

Thanks for your great and helpfull blog.
I got one issue, when i make a mandatory profile this way and we install Internet Explorer 11 after wards it wont start. It will only run As administrator
have you ever seen it? Is there something i did wrong? I cant find out why its not working.

Jeroen Tielen · March 5, 2015 at 10:08

Hi Bart,

Don’t forget to include the IE11 registry keys and (maybe) the profile files in the mandatory profile.

percetakan murah jakarta · January 10, 2016 at 11:29

Fine way of explaining, aand pleasant article to
take information on the topic of my presentation topic, which i am going to convey in university.

Kraig · January 25, 2016 at 13:37

You ought to be a par of a contest for one of thhe greatest blogs oon the web.
I’m going to highly recommend this blog!

arjan · March 1, 2016 at 16:01

The .v2 must be added because Windows Server 2012 and Windows 8 make use of the .v2 type profiles. (Like Windows 7 and 2008 R2)

these are the profile extensions right?
Windows 10: v5
Windows 8.1,Windows Server 2012 R2: v4
Windows 8,Windows Server 2012: v3
Windows 7,Windows Server 2008 R2: v2
Windows Vista,Windows Server 2008: v1

Is there a way to avoid the installing of apps every time a new user logs in? · January 31, 2014 at 08:17

[…] it is doing nothing! How do you set up your user profiles? We use the method described here Howto create a Windows Server 2012 / Windows 8 Mandatory Profile | Jeroen Tielen and our logon time is 20-40 seconds. We have profile saved on the local computer and use GPO to […]

Win8 Mandatory Profile - Copy · March 19, 2014 at 11:32

[…] came across this the other week whilst trying to setup RDS on 2012 for staff Howto create a Windows Server 2012 / Windows 8 Mandatory Profile | Jeroen Tielen but lost my way with it so gave up! From what I could see there was not much information on how to […]

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: