ph03n!x Posted July 3, 2005

Hi! I've been trying to fix this for 10 hrs at a stretch, but no go till now... I have applied a Group Policy for an OU, and that is working like it should. Recently I had to make my users' profiles mandatory. Here comes the problem: If I make a user's profile mandatory, the profile loads fine, but the group policy does not come into effect when the user logs in. If the mandatory profile is removed, all works fine again.

Now, as a part of my experiment, I logged in as a fresh user in a stand-alone XP system and created a local group policy for that system. After I had the profile as well as the group policy configured, I copied the profile on to my server and tried using it as the mandatory profile - the profile loads OK, but the policies don't, even though the profile path has the ntuser.pol file!

What am I doing wrong? Is what I am trying to do possible?
chilifrei64 Posted July 3, 2005

Are the original profiles roaming or local? If roaming, when you log on to just a roaming profile, do the Group Policies apply? When you log off the computer, does the cached profile stay on the computer or does it get deleted? Windows 2000 GP or 2003 GP?

Try logging on to the machine with a roaming user profile, run gpupdate /force then log off, change the ntuser.dat to ntuser.man.... delete local cached copy of profile, log back on as user. Does the GP apply or still no beans?
Martin Zugec Posted July 3, 2005

BTW if you use AD, DON'T use mandatory profiles. They are only for backward compatibility with NT! Instead use a policy setting to not save changes (and you can use GP with this setting).
CrescendoBEAt Posted July 3, 2005

Hey Martin, you said don't use mandatory profiles when AD is running. I was wondering why? I mean, what's your point? You know, I tested mandatory profiles while I had an AD domain installed and I didn't see any problem!!! And please tell me what's your solution for that in GPO or something else.

By the way >>> HAPPY 4th of JULY <<< I have a great weekend plan!
Martin Zugec Posted July 3, 2005

It is quite simple - using mandatory profiles you are trying to force users to use the same profile all the time AND not allow them to change anything. However, this is the NT domain approach. In AD the more professional way is to create a roaming profile AND disallow changes to server-side roaming profiles. Using this, you will achieve the same results, however you will still have the ability to modify your centralized profile for all users. This setting is available in user profiles in group policy.
ph03n!x Posted July 3, 2005

> Are the original profiles roaming or local? If roaming, when you log on to just a roaming profile, do the Group Policies apply? When you log off the computer, does the cached profile stay on the computer or does it get deleted? Windows 2000 GP or 2003 GP?
> Try logging on to the machine with a roaming user profile, run gpupdate /force then log off, change the ntuser.dat to ntuser.man.... delete local cached copy of profile, log back on as user. Does the GP apply or still no beans?

Hi All, Thanks for your replies!!! I've been posting this query elsewhere, and never got any help... This forum rocks :-)!!!

@chilifrei64, Here's what I did after I read your reply - I logged in as a normal user in a local system, created the profile and then copied it to the server's profile folder using the "Copy to" in User Profiles under System Properties. The folder on the server that holds all the profiles has read rights to everyone, while the individual profile's folder has full control for the owner of the profile. Now, the roaming profile loads fine - but when I log off, I get the "Windows could not update the roaming profile..." error. Am sure there is no network problem. And I think the security settings I've said above should work fine (or ain't they fine enough?). And no, the Group Policy does not apply at all, even when the profile is a roaming profile!

So where is the error? Why is the system not able to update changes on the server when the profile is roaming? And why is the GP not applying???
chilifrei64 Posted July 4, 2005

Eh .. you don't want to use the "copy to" ... I was thinking more along the lines of copy and paste and assigning your permissions.

How many Group Policies are being applied to this computer/user?
Are you specifying any loopback processing?
Are your policies mixed... User and Computer configuration in one policy?
Are the policy permissions set to the correct group?
Is this a Terminal Server you are working with or workstations?
Is this a 2003 GP.. if it is... run the group policy modeling wizard in the group policy management console and see if it gives you any errors.

Just out of curiosity.. why do you HAVE to use mandatory profiles now.. There is something in this equation we are missing here.
ph03n!x Posted July 4, 2005

> Eh .. you don't want to use the "copy to" ... I was thinking more along the lines of copy and paste and assigning your permissions.
> How many Group Policies are being applied to this computer/user? Are you specifying any loopback processing? Are your policies mixed... User and Computer configuration in one policy? Are the policy permissions set to the correct group? Is this a Terminal Server you are working with or workstations? Is this a 2003 GP.. if it is... run the group policy modeling wizard in the group policy management console and see if it gives you any errors.
> Just out of curiosity.. why do you HAVE to use mandatory profiles now.. There is something in this equation we are missing here.

@chilifrei64 - I tried the 'copy n paste' first, and used the 'copy to' when I ran into this problem. There is just one group policy that needs to be applied, which is a mix of comp and user policy. The permissions look fine. And it is for workstations, not Terminal Services. There ain't any loopback processing. My server is a Win2000, so GP modeling wizard is out.

As for the need of Man profiles, here is a problem - The people in my workplace wanted a particular wallpaper on all systems, and wanted a particular website to be opened when the system starts up - these two were done through user group policies. Their third requirement was a particular icon that needs to be placed on all Desktops - I couldn't find any way other than creating a profile.

Am not really particular about Mandatory profiles, I could get away with a Roaming profile and, like some have said in this thread, prohibit changes to it. But the problem is that the policies ain't getting applied on the Roaming profile / Mandatory Profile! Am sure it should be possible, and am sure I am making a mistake somewhere... but where???

I would be grateful for any help at all in solving my problem - I don't want to sit on all those darn workstations putting a silly icon in the "All Users > Desktop" folder :-(!!!
chilifrei64 Posted July 4, 2005

Well, the good news is Group Policies and roaming profiles do indeed work.. I have them set up at one of my clients right now.. I also needed to add a specific weblink to each of their desktops for my web based ticket system. All we did was run a script that copied the files to the "All Users" desktop. Then we modified our workstation image to include this same icon in the all users profile.

Also, and this is just my opinion, I recommend when using Group Policy that you keep user and computer configurations in separate policies. This decreases the complication on where to apply the policies and the need for loopbacks and what else. It also makes it much easier to troubleshoot and you can even be more granular with how you implement it.

Try running this on the computer... http://www.microsoft.com/windows2000/techi.../gpresult-o.asp it is the Win2k version of group policy results.
ph03n!x Posted July 4, 2005

@chilifrei64 - It is reassuring indeed to know GP and Roaming profiles do work :-). I haven't been able to spend as much time as I can on the systems, as that is not my primary role... I shall follow your suggestions / advice and figure out where I goofed up... Thanks a lot to all those who perched in to help!!!
ph03n!x Posted July 6, 2005

All, I've done a simple workaround to resolve my issue - thought I'd share it here...

Instead of using a Roaming / mandatory profile for putting in a couple of icons on the user's desktop, I set up a folder on my server with the necessary icons and redirected the user's desktop to the folder on the server. The folder has read-only rights so I can rest assured that nothing will be changed, and the desktop will look as it should. I've already set up a wallpaper, and set up a couple of programs to launch through GP...

I thank all of you for putting in your time for this.

@chilifrei64, I am already applying different policies for computer and users - thanks for your suggestions!

Now if only someone would tell me how to get rid of "Set as background" from IE's context menus... Even with the GP applied, which disables changing of wallpaper, if a user right-clicks on an image in IE and sets it as background, the wallpaper gets changed! I couldn't get much luck in getting around this problem till now....
Genie Posted March 29, 2007

Team,

I also had the same issue but at last found the solution. While copying the new profile, make sure that you have allowed the Everyone group on the "Permitted to use" option.

Regards,
Genie