Windows 7 – Unable to Copy a User Profile

I’m currently writing some content on advanced user management in Windows Server 2008 R2.  It was previously written using Windows Server 2008 and Windows 7 but some timing complexities stuffed the publication.  It was decided to update the content for Windows Server 2008 R2 and Windows 7.

Part of this chapter (my fourth in the book) is the creation of mandatory profiles.  I’d previously written it based on MS guidelines for Vista and Windows Server 2008.  It was pretty much the same in all versions of Windows I’d used going back to 1996.  You log into a sample PC as a user and configure the profile – shortcuts, desktop, registry, etc.  You log out and then log in as an administrator.  You go into “Control panel – System – User Profiles”.  You select the profile of the sample user and click on <Copy To> to copy the profile to a UNC path on a file server.  Part of the dialog re-permissions the profile for a group such as Authenticated Users.  That’s required to allow access to the registry hive contained in NTUSER.DAT.  It’s not an NTFS permission but an internal one.  Once the profile is copied you rename the NTUSER.DAT to NTUSER.MAN.  You then configure the user objects in AD to use that profile.

I went to test this on Windows 7 yesterday afternoon.  Up to then I was making great progress on my chapter which was already 2 days late.  It looked like I would finish today.  I set up my profile, logged out and logged in as admin.  I selected the profile in the user profiles dialog and went to click on the <Copy To> button.  It was greyed out.  OK, profile files sometimes get locked even after a log out.  I rebooted.  It was still the same.  I could select the Default profile but I wanted nothing to do with it.  Something has changed!

I googled and the first result was a thread on TechNet.  This was brought up earlier this May (2009) during pre-RTM testing.  Microsoft acknowledged this but misunderstood the request.  They believed people were trying to copy over the Default user profile.  Some were – but not all were, e.g. I’m trying to copy 1 user profile to another user profile.  The issue also exists on Windows Server 2008 R2.

My lab was an RC lab.  I rebuilt the Windows 7 VM with an RTM release.  It’s still got the same issue.

There appears to be a workaround.  It should work but I’m not assuming that it does.  I’ll be testing it out.  It’s messy and slow … it requires folder deletion and registry editing.  I’ll follow up this post a little later once my tests and writing are complete.

I’ve posted feedback on the Windows 7 newsgroups (microsoft.beta.win7.general) on Connect.  Feel free to do the same if you have a problem with this change by MS.

EDIT #1:

I’ve tested the workaround on Windows 7 RTM and it works.  It’s a bit more time consuming than clicking on <Copy To> but it does the same thing.  What you are doing is:

  • Manually copying the profile folder to the file server.
  • Renaming it, e.g. Mandatory.V2 (the V2 is required for Vista, Windows 7, Windows Server 2008/2008 R2).
  • Deleting AppData\Local and AppData\LocalLow from the new profile on the file server.
  • Launching REGEDIT on the file server and loading the hive from NTUSER.DAT in the profile.
  • Changing the permissions on the loaded hive: delete the old user and add in a group, e.g. authenticated users = full control.
  • Unloading the hive.
  • Renaming NTUSER.DAT in the mandatory profile to NTUSER.MAN
  • Changing the user object(s) to use a roaming profile, e.g. \\fileserver\profiles$\mandatory.  Note that .V2 is not specified here.  It’s silent.  Vista, etc know to add it.  XP, etc won’t use it.

Yes, much slower than clicking on <Copy To> and renaming a folder and a file.
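
The workaround steps above, scripted in PowerShell as an added example (not the author's own script and not something this post tested). The paths, account names and the temporary hive name are assumptions made for illustration.

```powershell
# Added example, not the author's script. Run elevated on the file server.
# Every name below is an assumption made for illustration.
$Source  = '\\SAMPLEPC\C$\Users\sampleuser'    # configured sample profile
$Dest    = 'D:\Profiles\Mandatory.V2'          # folder behind \\fileserver\profiles$
$OldUser = 'CONTOSO\sampleuser'                # account to strip from the hive ACL
$Mount   = 'TempMandatory'                     # temporary key name under HKEY_USERS

# Copy the profile, skipping AppData\Local and AppData\LocalLow.
# /XJ skips the profile's junction points, which would otherwise loop.
robocopy $Source $Dest /E /COPY:DAT /XJ /R:1 /W:1 `
    /XD "$Source\AppData\Local" "$Source\AppData\LocalLow" | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed, exit code $LASTEXITCODE" }

# Load the copied hive under HKEY_USERS, as REGEDIT's Load Hive does.
reg.exe load "HKU\$Mount" "$Dest\NTUSER.DAT" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed' }
try {
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, ChangePermissions'
    $key = [Microsoft.Win32.Registry]::Users.OpenSubKey(
        $Mount, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    $acl = $key.GetAccessControl()

    # Delete the old user's entries, then grant Authenticated Users full control.
    $acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount $OldUser))
    $authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $authUsers, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    $key.SetAccessControl($acl)
}
finally {
    # An open handle makes the unload fail, so release it first.
    if ($key) { $key.Close() }
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg.exe unload "HKU\$Mount" | Out-Null
}

# Make the profile mandatory (NTUSER.DAT is hidden, hence -Force).
Rename-Item -Path "$Dest\NTUSER.DAT" -NewName 'NTUSER.MAN' -Force

# Point the user object at the share; .V2 is left off the path.
# Set-ADUser comes from the ActiveDirectory module; 'jbloggs' is a placeholder.
Import-Module ActiveDirectory
Set-ADUser -Identity 'jbloggs' -ProfilePath '\\fileserver\profiles$\mandatory'
```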

3 thoughts on “Windows 7 – Unable to Copy a User Profile”

  1. As much as your solution works, it is definitely a more complex and error-prone solution than using the COPY TO… button. In the TechNet thread you noted there is one nugget of gold in a free simple tool called Windows Enabler (http://www.angelfire.com/falcon/speedload/Enabler.htm). This does not install and can be run off a USB thumb drive and ‘enables’ locked menus and buttons. Basically you:

    1) Download Windows Enabler

    2) Save it to a thumb drive

    3) Right-Click and choose "Run As Administrator" on the Windows Enabler EXE on the system you wish to copy the profile

    4) Click the Notification Tray icon to turn Windows Enabler on

    5) Open the USER PROFILES dialog and click on the greyed out COPY TO… button to see it become enabled.

    6) Copy the profile as you used to in XP and Vista.

    Hope this helps,

    Chris

  2. I am looking at creating mandatory profiles on Windows 7 for our public access PCs. On XP we use a custom GINA to redirect the profile path, which is specified in a registry key on the local system. This allows us to have different profiles on different client types and have a single authentication domain. How would I achieve the same results using Windows 7? I believe that GINA is no longer supported on Windows 7.

  3. Louis, Have a look at group policy, filtering and loop back processing. You can configure alternative locations for roaming profiles using Active Directory GPO. You can then filter that GPO a number of ways. The simplest is by linking it to a specific OU(s) and it applies to only objects below it. Next is WMI filtering where it applies based on some setting/feature of the AD client. And then there is Loop Back Processing. A GPO might be inherited by an OU of containers. The GPO contains user configurations. The users are in a totally different OU. However, with loop back processing enabled the user configuration policy of the computer linked GPO will apply to users who log into those computers. That’s how I’ve set up dedicated roaming profiles for people who logged into Terminal Servers in the past … this isolated their TermSvcs profiles from their desktop profiles.

    You will also need to do something similar if users are using both V1 profiles (XP and older) and V2 profiles (Vista and newer).
