RE: Mandatory TS user profiles... Admin rights



Hello,

It has been a while, but give this a shot and let us know how you make out.

You can do this only in Windows 2003 AD environment. The goal here is to
migrate your users to a mandatory profile without changing any of the AD user
properties you have in place now.

Configure a dummy profile path via the GPO.
Computer Config > Admin Templates > Windows Components > Terminal Services
Set the path for the TS roaming profile

Create a mandatory profile for the terminal server. Create a local account
(place the account into the local admin group). It is also preferable that
you do this on a server with no domain affiliation or policies applied.
VMware is good enough provided you are matching the OS and SP used in your
production environment. Log the account on and configure the environment the
way you like it. Log off.

Use the Computer Properties window to copy your user profile to a file share
you can get to. You want to be certain that you assign the Authenticated
Users group permission to access the profile. You will see input for this
security config within the Copy window of the My Computer > Properties >
Advanced > User Profiles > Copy Option window.

Refer to the following KB for creating the Mandatory Profile: MS KB323368

Refer to the following KB for configuring Folder Redirection within the
mandatory profile registry config. This is handy information. MS KB242557

This last KB references folder redirection within the ntuser.man registry
hive. Once you have created the mandatory profile, you must load the
ntuser.man file into regedit.exe HKEY_USERS environment for cleaning. Be
sure to name the account something unique for searching; qqqqqqq is good
enough. Once you have loaded the hive, search for any identity markers
associated with the account. Do not delete the key values, simply remove any
data associated with the account name.

While you are creating the account don't get into detailed configs, avoid
opening apps, this will better assure your mandatory profile is good to go.

Now...back to work.

Backup and empty the Default User profile. Be sure you can see hidden and
system files.

Copy the mandatory profile into the Default User folder environment. Be
sure you have hidden and system files available for viewing.

Rename the ntuser.man into ntuser.dat

Enable the following GPO setting

Computer Config > Admin Templates > System > User Profiles > Prevent Roaming
Profile Changes to propagate to the server

There you go, you have a mandatory profile environment, which utilizes the
ntuser.dat for certificates and that good roaming stuff, but you have no
folder propagation to the roaming environment.

This will not solve your Outlook config settings however. You will need to
launch the app with a PRF file associated for user settings to be applied.
This will avoid setup for each launch. To get further into the mix on this
one, you should look into a Flex profiling environment. Do a search for Flex
Framework on Google, and head in that direction.

Let us know how you make out!


"Noncentz303" wrote:

The lowdown- I have been tasked with setting up our TS environment so that
when a user logs on they have limited access to the desktop and startbar.
From what I have read this can be accomplished with TS user profiles.

We have a SBS and 2 TS "TS1 and TS2"

I am new at this but this is what I have accomplished so far:

I created a new GPO and a new OU for TS1 and 2
-I created a shared folder on TS1 called TSProfiles
-I created a test user and added it to the new GPO
-I enabled loopback processing
-I enabled admin security group to roaming profiles
-Set the path for TS roaming profiles :\\TS1\TSProfiles * appends username

Then I went to my test user and specified the following profile path:
\\TS1\TSProfile\%username%

- This is where I run into my issues. When I log in a separate folder is
created in my share for each user. I would like to use 1 standard profile for
all users when they log in so that when I make changes they affect all users.

- Also when I log in as admin I cannot view the contents of the folders
because access is denied -- even though I have it set to add user admin when
folder is created

- I also am wondering will I have to set up a static path for every user
depending on what TS they use and specify different paths and redirects for
both servers?

Any help would be appreciated
Antony
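
The hive-cleaning step in the reply above (load ntuser.man under HKEY_USERS, then search for the account name), as an added example that is not part of the original thread: a PowerShell audit that lists every value still carrying the template account name. The hive path and mount name are placeholders, `qqqqqqq` is the account name suggested in the reply, and the script only reports; it changes nothing in the hive.

```powershell
# Added example: read-only audit of a mandatory-profile hive for leftover account data.
# Assumptions: the path and mount name below are placeholders; run from an elevated prompt.
param(
    [string]$HivePath    = 'C:\Staging\Mandatory\ntuser.man',  # placeholder path
    [string]$AccountName = 'qqqqqqq',                          # template account from the reply
    [string]$MountName   = 'MandatoryAudit'                    # temporary key under HKEY_USERS
)

# Same effect as regedit's File > Load Hive with HKEY_USERS selected.
& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

$hits = @()
try {
    $root    = "Registry::HKEY_USERS\$MountName"
    $pattern = [regex]::Escape($AccountName)
    $raw     = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $keys    = @(Get-Item -LiteralPath $root) +
               @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            $data = $key.GetValue($name, $null, $raw)   # raw data, %VARS% left unexpanded
            $text = switch ($kind) {
                'MultiString' { $data -join "`n" }
                'Binary'      { [Text.Encoding]::Unicode.GetString($data) }  # UTF-16 paths in blobs
                default       { [string]$data }
            }
            # Flag a match in either the value data or the value name.
            if ($text -match $pattern -or $name -match $pattern) {
                $hits += '{0}\{1} [{2}]' -f $key.Name, $name, $kind
            }
        }
        $key.Close()   # open handles would block the unload below
    }
}
finally {
    $keys = $null
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Unload HKU\$MountName manually" }
}
$hits
"{0} value(s) still reference '{1}'" -f $hits.Count, $AccountName
```

Run it again after clearing the data in regedit; a count of zero means no string, multi-string or UTF-16 binary value still names the template account.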