Howto create a Windows Server 2012 / Windows 8 Mandatory Profile

imageIn this blog post I’m trying to explain how-to create a mandatory profile for Server 2012 and Windows 8. This is only for a clean windows installation. The Microsoft best practices are saying that you need to update the Mandatory profile after each software installation/update on the system.

The Test User

First we create a user named: Manny. This user is used to create the profile. You can name it any way you want. Don’t give it any profile. You can create a local user, but my test machine is also a domain controller, so I only can create an AD user.

image image

Login with Manny and customize the environment. (Don’t forget to remove the PowerShell and Server Manager pinned icons in the taskbar).

image

Now logoff Manny. (Click in the upper right corner on the user name Winking smile)

Create The Mandatory Profile Folder

Log back in with an Administrator. Copy the Manny profile to you profile share on the network. Rename the folder into: Mandatory.v2 (or any other name you like). The .v2 must be added because Windows Server 2012 and Windows 8 make use of the .v2 type profiles. (Like Windows 7 and 2008 R2)

Load The Profile Into The Registry To Edit It

Start regedit and open the: ntuser.dat from the profile.

image image

image image

Set The Registry Permissions

Open the permissions of the Manny profile. Remove Manny and the Administrators group. Add authenticated users, full control. The permissions would look like this:

image

I always check, under advanced, “replace all child object permissions entries with inheritable permissions”. Now, for VDI environments this works good. But in RDS environments the same users on the system could access the registry of other users. This can be locked down with subinacl.exe. This will be another blog post soon Winking smile

Registry Changes

Search the registry for Manny en clean those value’s or change the type from REG_SZ to REG_EXPAND_SZ and add the value %USERNAME%

Delete all policies: Manny\Software\Microsoft\Windows\CurrentVersion\Policies and Manny\Software\Policies

Check: Manny\Software\Microsoft\Windows\CurrentVerion\Run and RunOnce if they are empty. Things that have to start at logon must be started via other methods like logon script/RES WorkSpace Manager/AppSense

The value’s in Manny\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders should not be touched. Because on top of that key there is a line saying: DO NOT USE THIS REGISTRY KEY. But you can change this value’s to %USERPROFILE%\etc. I had some issue’s with applications which use this key and can’t handle the variable. Then you can try to change to REG_EXPAND_SZ or contact the vendor. Because applications should not use this key anymore. Read this blog: http://blogs.msdn.com/b/oldnewthing/archive/2003/11/03/55532.aspx

Unload The Profile

Unload the profile and close the registry editor.

Open explorer and navigate to the profile. Delete the log and TM files.

image

Rename the NTUSER.DAT file to NTUSER,MAN. The profile should look like this:

image

Delete Profile Files

Delete the Local and LocalLow directory from the AppData directory.

image

Windows Explorer Libraries

To get the Libraries working we have to edit some XML files. Open the following file in notepad: Mandatory.V2\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

Remove the lines with ownerSID and serialized. The XML should look like this:

image

The last searchConnectorDescription is the public folder on a system. If you don’t want users to use this library simply remove that element. then the XML would look like this:

image

This link to the microsoft site will explain all folders: http://msdn.microsoft.com/en-us/library/windows/desktop/dd940483(v=vs.85).aspx

Do the same for Music.Library-ms, Pictures.Library-ms and Videos.Library-ms

Windows Explorer Favorites (Links)

Navigate to the Links folder in the root of the Mandatory profile. The Links folder contains Shortcuts which are presented at the top of the Windows Explorer window under Favorites. Don’t mix them with Internet Explorer Favorites.  Open the properties of the Desktop shortcut. Change the target to %USERPROFILE%\Desktop

image

Do the same for the Download. (Recent Places, can’t be edited).

Assign The Mandatory Profile To A Test User

Now open the properties of a test account and add the mandatory profile. Don’t add the .v2, Windows will add that automatically.

image

Of course in a real production environment you would set the mandatory profile with a GPO.

Taskbar Pinned Icons

The pinned icons in the taskbar are stored in the following locations:

File: %AppData%\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Taskbar
Registry: HKCU\Sotware\Microsoft\Windows\CurrentVerion\Explorer\Taskband

That registry key is not easy editable. Use your profile management software to roam these settings. And remove the Server Management and PowerShell icons while creating the default profile Winking smile

Tips

These tricks also work on Windows 7 and Windows Server 2008 R2 Winking smile

The Active Setup is still in this profile. There will be a post update soon Winking smile

Posts created 130

20 thoughts on “Howto create a Windows Server 2012 / Windows 8 Mandatory Profile

  1. Hi, I followed this guide and my profile worked fine using the Windows 8 Enterprise Preview but since installing the final build as soon as I login I get signed back out.

    Any chance of an update one the post?

    Thanks

      1. Thanks for the guide!

        Anyway, i have the same problem as Callum and Jeroen.
        Windows 8.1 Enterprise + Windows Server 2012R2.

        1. I used this guide and got similar issues. Event log showed the warning message on user’s log off 4006: The Windows logon process has failed to spawn a user application. Application name: . Command line parameters: C:Windowssystem32userinit.exe.

          Fixed it by loading hive of NTUSER.MAN again and changing permissions for that hive in Advanced to replace it for all child entries.
          Authenticated Users permissions were not set on many subentries, that caused this problem.

  2. Looking forward into the Active Setup post.
    We’ve set IsInstalled to 0 for all keys, on both HKLM…InstalledComponents and HKCU…InstalledComponents. Except the Desktop Update keys. Looks like these are needed for the ‘Taskbar Pinned Icons’.

  3. Hi. I’ve tried this and although in general it appears to work I did not find any xml files in the appdata areas where you show in these instructions.
    I also found that when I log on as the user when I’ve finally got it all set up, I can only see the desktop, internet explorer and the store tiles. All the ones I setup for the profile have gone.
    I’m sure it’s something I’ve missed. Any ideas? Thanks
    Rol

  4. Hi Jeroen, I’ve distilled this from MS:

    to solve incompatibility issues with man or roaming profiles betw. win7 and win8/8.1

    you’ll need this KB “Windows8.1-KB2887595-v2-x64.msu” for a 64bit OS, install it then

    on the client add this reg.

    —-

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesProfSvcParameters]
    “UseProfilePathExtensionVersion”=dword:00000001

    —-

    reboot machine and use this machine and relevant user to build your man profile [you will see ‘Profile.V4’]

  5. Hey buddy,

    If you delete the AppdataLocal directory, keep in mind you might get into trouble if you want to create specific File Associations for your Mandatory User.

    These are normally stored in the registry, but also in the file UsrClass.dat which resides in the LocalMicrosoftWindows folder.

    Grtz, from !vent 😉

  6. Thanks for your great and helpfull blog.
    I got one issue, when i make a mandatory profile this way and we install Internet Explorer 11 after wards it wont start. It will only run As administrator
    have you ever seen it? Is there something i did wrong? I cant find out why its not working.

  7. The .v2 must be added because Windows Server 2012 and Windows 8 make use of the .v2 type profiles. (Like Windows 7 and 2008 R2)

    these are the profile extensions right?
    Windows 10: v5
    Windows 8.1,Windows Server 2012 R2: v4
    Windows 8,Windows Server 2012: v3
    Windows 7,Windows Server 2008 R2: v2
    Windows Vista,Windows Server 2008: v1

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Begin typing your search term above and press enter to search. Press ESC to cancel.

Back To Top