Windows profiles include the user registry and the file system under c:\users\%username%. Windows profiles are where application vendors store setting information particular to a user. What is stored here can be anything the vendors need to store for their applications to work. Many applications run specific setup code the first time an application is launched by a new user on a desktop. Windows supports a process called ActiveSetup that allows vendors to hook code into the user logon for this setup purpose. The first time a user logs in to any desktop the settings in Windows Active Setup are run.
This process can take a very long time to complete. The actions performed by the application can include:
- Create Shortcuts
- Create Folders
- Define Application Settings
- Obtain input from users and store it somewhere
- Etc.
The time it takes to create the user profile and then configure the applications defined in ActiveSetup can be very long, sometimes over 5 minutes. For customers using non-persistent desktops this can be very problematic, as users will run this process at every logon. One advantage of using a pre-defined or mandatory profile is that these processes have already been run, so the logon becomes much faster.
Another benefit of a predefined profile is that standard settings can be configured for each user logging in to a desktop. These settings can often be configured by script or GPO, but desktop admins sometimes prefer a direct modification of the Windows default profile.
In Windows XP and earlier these modifications were often performed on any profile then copied over the default profile or copied to create a mandatory profile.
When Windows 7 was released Microsoft determined this process was too dangerous and now they only support modifying the default profile or creating a mandatory profile using the “copyprofile” command as part of the sysprep process as outlined in this KB article.
http://support.microsoft.com/kb/973289
In this recipe we will discuss two methods for creating a mandatory profile that can be used to both speed up user logons and configure user settings. One is the Microsoft method using copyprofile. The other uses a free utility from ForensiT (http://www.forensit.com/ ), called defprof, that provides a mechanism to copy a local user profile over a computer's default profile. Be aware this second method is not supported by Microsoft but seems to work in our testing on Windows 7 and Windows 8. Defprof has not yet been updated for Windows 10, so for Windows 10 you must use the copyprofile method.
Using either of these methods will require some trial and error as well as an in-depth understanding of what settings applications store in the profile. Many applications are not compatible with a mandatory profile because the information they store in the profile is specific to a single user. For example, an application can store a user name or even an encryption key, hashed to the username of the user creating the profile. If these were deployed to a desktop with a different user logging on, the application would at best have the wrong user defined and at worst not be able to decrypt the application information stored with the key.
Often these types of limitations are found only after testing the application with a mandatory profile.
The advantage of the defprof method is that we can keep a profile template desktop in our environment and use it to test and modify the default template we use as the basis of our mandatory profile. When using the copyprofile method we must create a new profile from scratch every time a change is desired. This can be quite tedious.
Instructions
Windows 8 and 10
In Windows 8 Microsoft introduced “Metro-Style” or “Modern” Apps. These apps are not installed for all users on the system but instead for particular users, with their files often stored in the Windows profile in AppData\Local. These apps cannot be included in a mandatory profile, and for this whole process to be successful they must be removed from the desktop during build. The Unidesk Optimizer has settings to remove these apps as the desktop is being built. You can set these settings in the OS layer or in the Man Profile Layer, depending on whether you want to remove the apps for all desktops or just non-persistent desktops.

Another critical performance-related tweak required to get good logon performance for Windows 8 and 10 is also supported by the optimizer. You must use the optimizer's autologon feature so that a network user will be logged on to the desktop during build. This process copies a set of system files from the OS layer to the desktop's UEP during build. If the files are not copied before the desktop is converted from persistent to non-persistent then they will have to be copied at every logon, adding approximately 80-90 seconds to the logon process. See the “Increase NP Desktop Performance Recipe” for more details.
The section in the optimizer used for this is shown below.

Lastly, you cannot include Start menu tiles in your mandatory profile, because these are not stored under AppData\Roaming. They are stored in AppData\Local, which is not included in the Man profile.

This means that after logging in the start menu will look like this.

CopyProfile Method
If using this approach a layer is created using all of the desired applications as prerequisite layers when creating the layer. The administrator’s account settings are then modified as desired and the layer is finalized. Then this layer is used to create a desktop using the copyprofile=true flag in the unattend.xml file. This will create a default profile with all the settings included in the administrator profile on the layer. Then this profile is copied to a server share so that it can be copied down into a new layer that will be used to apply the mandatory profile to desktops.
The high level process is as follows:
1. Create an application layer used to build a desktop with the modified default profile. I called this Build Man Profile.
a. Assign any application layer that you want to set settings for or any application layer that you want to run ActiveSetup for as a pre-requisite.
b. Run any applications that you wish to run active setup for.
c. Modify the administrator profile with desired changes to settings for the desktop or applications
d. Add copyprofile=true to the unattend.xml.
2. Build a temporary desktop using the Build Man Profile layer created in 1
a. When this desktop builds it will copy the administrator profile to the default profile using sysprep as would happen using the commands defined in Microsoft’s KB. This will transform the default profile to be a multiuser profile removing specific user entries.
b. Note: if the build fails it is likely that one of the applications caused a problem in the copyprofile process. Unfortunately finding which application is a problem takes a lot of trial and error. If you have this issue try the defprof method instead.
c. Remember that for copyprofile to work there can only be one administrative account defined on the OS layer and it must be the built in Administrator. Use the unattended setup to configure an alternate administrator if your design requires one.
3. Use the desktop built in 2 to copy the default profile to a network share with security
a. Now the profile can be used as a roaming mandatory profile or a local mandatory profile
4. To create a local mandatory profile, create an Application Layer to hold and apply the mandatory profile.
a. Copy the profile from the network share to a local path like c:\windows\manprofile\manprofile.v2
b. Note the v2 at the end of the profile; that is required for a Windows 7 profile. Note: Windows 7 profiles end in .v2, Windows 8.1 profiles end in .v4 and Windows 10 profiles end in .v5. Use the appropriate string.
c. Permission the manprofile folder and its sub files to full control for authenticated users.
d. Use an OU and a GPO to make this profile the profile to be used by all users logging in to the desktop.
5. To create a roaming mandatory profile follow the same steps for all users but point to the network location or use the profile path in AD to define the profile location of each user. See the Microsoft KB for more information.
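A check for step 1d, as an added example that is not part of the Unidesk tooling: it confirms that a saved unattend.xml carries CopyProfile in the specialize pass under the Microsoft-Windows-Shell-Setup component, which is where Windows Setup reads it. The function name and the sample XML are constructed for illustration.

```powershell
# Added example, not Unidesk code. Test-CopyProfile is a hypothetical helper name.
function Test-CopyProfile {
    param([Parameter(Mandatory=$true)][xml]$Unattend)

    $ns = New-Object System.Xml.XmlNamespaceManager($Unattend.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    # Collect every CopyProfile element, whichever pass or component holds it
    $found = @($Unattend.SelectNodes('//u:CopyProfile', $ns))
    if ($found.Count -eq 0) { return 'CopyProfile is not set anywhere in the file' }

    $issues = @()
    foreach ($node in $found) {
        $component = $node.ParentNode
        $name      = $component.GetAttribute('name')
        $pass      = $component.ParentNode.GetAttribute('pass')
        if ($pass -ne 'specialize' -or $name -ne 'Microsoft-Windows-Shell-Setup') {
            $issues += "CopyProfile is under '$name' in pass '$pass'; expected Microsoft-Windows-Shell-Setup in specialize"
        }
        elseif ($node.InnerText.Trim() -ne 'true') {
            $issues += "CopyProfile is '$($node.InnerText.Trim())', expected 'true'"
        }
    }
    if ($issues.Count -eq 0) { 'OK: CopyProfile=true in the specialize pass' } else { $issues }
}

# Constructed sample; a real unattend.xml holds more passes, components and settings.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
</unattend>
'@
Test-CopyProfile -Unattend $sample
```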
Detailed Directions
These steps are an example. Use the process to work out the best way to achieve your desired results.
1. Create an application layer called “Build ManProfile”. Include desired apps to configure as pre-requisites.
a. As an aside Office customizations seem to be removed for the most part by this process when the profile is created.
b. OS settings seem to work much better.
c. Logon as Administrator and modify profile as desired.
d. Run the desired Applications to ensure ActiveSetup runs for these.
e. Run the Unidesk Unattend Builder version 4.2 or later (see the section on upgrading to the Unattend Builder version 4.2 or later).
i. Check the enable copyprofile=true option.
ii. Save the unattend.xml file.
f. Finalize the layer
2. Create New Temporary Desktop (I called mine ManProfile) using the layer from step 1 and apps that were included when creating the layer in step 1.
a. Logon to new desktop using an AD admin account.
b. Copy the default profile to a windows share using the User Profile Settings in Advanced System Settings accessed from the properties of My Computer. Copy as shown below. Change permissions to everyone.
c. Change ntuser.dat to ntuser.man.
Now there is a decision to make. The profile now on the file share can be used as a roaming profile loaded from the share, or we can create an application layer and access the profile from the desktop directly. I believe that the latter design will have faster load times for the profile.
DefProf Method
Note: At the time of writing Defprof did not yet support Windows 10. The copyprofile method must be used for Windows 10.
This approach is much easier than the copyprofile method. Again be aware it is not supported by Microsoft. It is however much easier to create and maintain the mandatory profile using this method.
If using this approach a desktop is created with all the applications that you want to include settings for or that you want to pre-run in order to run the ActiveSetup tasks.
Then you will create a local account to configure the profile. Logon as that account and open the applications you want to pre-run and define any settings you want to set. Then you will reboot, log on as administrator and run the defprof utility from ForensIT. This copies the profile you created over the default profile for the desktop. You then can export the default profile to use as a mandatory profile in a “manprofile” layer.
In this way anytime you want to change the profile you would just logon to the local account. Make the desired changes. Reboot, logon as Administrator and run defprof, then export again.
The high level process is as follows:
1. Create a desktop to create and manage the mandatory profile. I called mine ManProfile.
a. Assign any application layer that you want to set settings for or any application layer that you want to run ActiveSetup to the desktop.
b. Create a local account to use to create the profile. I used an account called “profile”.
c. Create a folder off the root called DefProf. Copy the DefProf.exe utility there. Get the utility from www.Forensit.com in the Free Downloads>Utilities section.
2. Create the Mandatory Profile.
a. Login as the profile user.
b. Run any applications that you wish to run active setup for.
c. Modify any settings for the desktop or applications.
d. Reboot.
e. Logon as Administrator and run defprof.exe.
f. Export the default profile to a network share.
3. To create a local mandatory profile, create an Application Layer to hold and apply the mandatory profile.
a. Copy the profile from the network share to a local path like c:\users\manprofile\manprofile.v2.
b. Note the v2 at the end of the profile, that is required for a Windows 7 profile.
c. Permission the manprofile folder and its sub files to full control for authenticated users.
d. Use an OU and a GPO to make this profile the profile to be used by all users logging in to the desktop.
4. To create a roaming mandatory profile follow the same steps for all users but point to the network location or use the profile path in AD to define the profile location of each user. See the Microsoft KB for more information.
Detailed Directions
These steps are an example. Use the process to work out the best way to achieve your desired results.
1. Create a desktop called “ManProfile”. Include desired apps to configure as pre-requisites.
a. Logon as Administrator.
b. Create a local account called “profile”. Give the account a password.
c. Create a folder off the root called DefProf. Copy the DefProf.exe utility there. Get the utility from www.Forensit.com in the Free Downloads>Utilities section.
d. Log out.
2. Create the profile.
a. Login as Profile.
b. Modify the profile as desired.
c. Run the desired Applications to ensure ActiveSetup runs for these.
d. Reboot.
e. Logon as Administrator.
f. Run DefProf.exe
i. Open a CMD prompt.
ii. Change to c:\defprof
iii. Run defprof profile (assuming profile is the name of the profile user you used).
g. Export the Profile.
i. Open Properties on My Computer.
ii. Access Advanced System Settings.
iii. Then User Profile Settings.
iv. Click on Default Profile and click CopyTo.
v. Enter the UNC path for your profile to be copied to. The path must end in “.v2” for Win7, .v4 for Win81 and .v5 for Win10. I used manprofile.v2. Note: any share can be used to store this profile as long as it's NTFS.
vi. Change permissions for the profile to everyone before copying.

h. After copying change ntuser.dat to ntuser.man on the share.
Now there is a decision to make. The profile now on the file share can be used as a roaming profile loaded from the share, or we can create an application layer and access the profile from the desktop directly. I believe that the latter design will have faster load times for the profile.
Upgrading to the Unattend Builder 4.2
To upgrade the unattend builder, which includes startup and build scripts, add a version to your OS layer. Go to the c:\windows\setup\scripts folder and remove the old unattend builder and optimizer. Leave the optimizations.cmd, as that holds all the currently defined desktop optimizations. Also delete the entire kmsdir folder. Then from the download replace the utilities and the entire kmsdir folder. Then run the unattend builder and save the unattend file. Do not set copyprofile to true here. That will be added in the Build Man Profile layer.
Create a “local” Mandatory Profile Layer
In this case the profile will load from the C: drive instead of the network. One interesting option with this method is that, using the same GPO, one can apply different profiles for different desktops based on the profile layer that’s applied to a desktop.
1. Create a new application layer called something like ManProfile Lab 422 Win7x32.
a. Copy the profile from your share to a known location in the Install Machine. For example c:\users\manprofile\manprofile.v2.
b. Change permissions on the ManProfile folder to “authenticated users” full control and update all sub directories and files.
c. Run gpedit.msc.
i. Then create a local GPO: Computer Configuration\Administrative Templates\System\User Profiles\Set roaming profile path for all users logging in to the computer.
1. In the path enter c:\manprofile\manprofile.
2. Remember to leave out the v2. Windows will use the v2 directory.
ii. Then set Computer Configuration\Administrative Templates\System\User Profiles\Do Not check for ownership of roaming profile folders to enabled

d. Finalize the layer.
2. Then just add this application layer to your desktops.
To Setup a “network” Mandatory Profile
The profile can also be loaded over the network from the network share created in an earlier step. The profile can be applied in either of two ways.
1. Change the user's account profile path in Active Directory to point to the network mandatory profile.
2. Use the same GPO setting in step 3 above to point to the network based mandatory profile instead of the local profile.
Note: if this method is used you must change the ntuser.dat file to ntuser.man in the network share, or the profile will be modified by all the users that load it.
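A pre-deployment check for either the local or the network mandatory profile, as an added example that is not part of the Unidesk tooling: it takes the path as typed into the GPO (without the version suffix), appends the suffix for the target OS, and verifies the ntuser.man rename and that users can read the folder. The function name is hypothetical and the path in the last line is the recipe's local-layer example.

```powershell
# Added example, not Unidesk code. Test-MandatoryProfile is a hypothetical helper name.
function Test-MandatoryProfile {
    param(
        # Path as typed into the GPO or the AD profile path, WITHOUT the .vN suffix
        [Parameter(Mandatory=$true)][string]$PolicyPath,
        [Parameter(Mandatory=$true)][ValidateSet('Win7','Win81','Win10')][string]$TargetOS
    )
    # Suffix per OS, as listed in the recipe
    $suffix = @{ Win7 = '.v2'; Win81 = '.v4'; Win10 = '.v5' }[$TargetOS]
    $issues = @()

    if ($PolicyPath -match '\.v\d+\\?$') {
        $issues += "Policy path already carries a version suffix: $PolicyPath"
    }
    $folder = $PolicyPath.TrimEnd('\') + $suffix
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        return $issues + "Profile folder not found: $folder"
    }

    # The recipe renames ntuser.dat to ntuser.man; without the rename the
    # profile can be modified by every user that loads it.
    if (-not (Test-Path -LiteralPath (Join-Path $folder 'ntuser.man') -PathType Leaf)) {
        $issues += 'ntuser.man is missing'
    }
    if (Test-Path -LiteralPath (Join-Path $folder 'ntuser.dat') -PathType Leaf) {
        $issues += 'ntuser.dat is present; the recipe expects it renamed to ntuser.man'
    }

    # The logging-on user must be able to read the profile: look for an Allow
    # entry for Authenticated Users (S-1-5-11) or Everyone (S-1-1-0).
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $read    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $rules   = (Get-Acl -Path $folder).GetAccessRules($true, $true, $sidType)
    $readable = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ('S-1-5-11', 'S-1-1-0' -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $read) -eq $read)
    })
    if ($readable.Count -eq 0) {
        $issues += 'No Allow entry for Authenticated Users or Everyone on the profile folder'
    }
    if ($issues.Count -eq 0) { "OK: $folder" } else { $issues }
}

# Path from the recipe's local-layer example, minus the suffix
Test-MandatoryProfile -PolicyPath 'C:\users\manprofile\manprofile' -TargetOS Win7
```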
Licensing Considerations
None
Layer Naming and Versioning
Unidesk recommends including the OS type and OS bit level in the name, for example “ManProfile Lab 422 Win7x32”. For versions, remember that when choosing a layer you can see the version name but not the version description. Use naming that will allow you to differentiate versions appropriately. For example, while still in development/testing “1.0 12-12-14-2012 QA ONLY”, but when ready for production “1.0 12-12-2012”.
Installation Steps
This section includes the steps to create the mandatory profile and then to deploy it as either a local or network based profile.
Updates
If using the copyprofile method to update the profile you must redo the entire set of tasks prior to creating the mandatory profile layer. Then create a new version of the mandatory profile layer using the updated profile. If using the defprof version you will just need to modify the local profile, then export it again to the share and use that to update the mandatory profile later.