
Roaming Profile Not Staying Mandatory

February 28, 2005 10:31:03 AM

Archived from groups: microsoft.public.win2000.setup (More info?)

I have a network where the users login using a mandatory profile. I have
changed the ntuser.dat to ntuser.man, but
when the users login and log out it creates a new ntuser.dat and ignores the
.man change. I have used mandatory roaming profiles for years and this is
the first problem that I've had. Any suggestions you have will be greatly
appreciated.
Thanks, Tom
Anonymous
February 28, 2005 9:13:57 PM


Hi Tom,

What network OS? What client OS?

What permissions are given to the share point on the server?

Do you mean the .dat is written on the server?

--
Scott Baldridge
Windows Server MVP, MCSE
March 1, 2005 10:17:03 AM


The server is Windows 2003 with Windows 2000 and XP Pro Clients. The
permissions at the share point location are not restricted. They are set
default with everyone able to do anything. Also the share point location is
on a secondary Windows 2000 server, but I've tested having the share on the
primary 2003 server with the same results. The users are not domain admins
either. Once I create the profile on a client and then save it to the
location on the server I rename the ntuser.dat to ntuser.man, but once any
client machine logs on and logs off using the profile a new ntuser.dat is
created and the changes that were made to the profile are saved to the share.
So there is nothing mandatory about it. I've never had this happen. I'm
getting frustrated. Thanks for the response. Tom
Anonymous
March 1, 2005 11:07:45 AM


Hi Tom,

Thanks for the info. Set your permissions at the share point to "read &
execute" for authenticated users or your target group, nothing more.

--
Scott Baldridge
Windows Server MVP, MCSE
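A read-only check for the symptom and the permission question raised in this thread, added here as an example and not posted by anyone in the thread: it reports whether an ntuser.dat has appeared beside ntuser.man and which non-administrative identities hold write-capable NTFS rights on the profile folder. The path and the trusted-identity list are placeholders, and share-level permissions are not read by Get-Acl, so they need checking separately.

```powershell
# Added example: read-only audit of a mandatory roaming profile folder.
param(
    # Placeholder UNC path (constructed); replace with the real profile folder.
    [string]$ProfilePath = '\\server\profiles$\user',
    # Identities expected to keep write access. English account names are an assumption.
    [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

function Get-MandatoryProfileAudit {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$Trusted = @()
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Profile folder not found or not readable: $Path"
    }

    $findings = @()

    # The ntuser.* hive files are hidden; Test-Path still sees them.
    $hasMan = Test-Path -LiteralPath (Join-Path $Path 'ntuser.man') -PathType Leaf
    $hasDat = Test-Path -LiteralPath (Join-Path $Path 'ntuser.dat') -PathType Leaf

    if (-not $hasMan) {
        $findings += 'ntuser.man is missing: the profile is not marked mandatory.'
    }
    if ($hasMan -and $hasDat) {
        $findings += 'ntuser.dat exists beside ntuser.man: a client wrote a hive back to the share.'
    }

    # Rights that let a principal create, replace or delete files in the folder,
    # or change its ACL or owner.
    $writeRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask   = [int]$writeRights
    # Inherit-only ACEs can surface as raw GENERIC_WRITE (0x40000000) or
    # GENERIC_ALL (0x10000000) bits instead of named rights.
    $genericMask = 0x50000000

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($Trusted -contains $who) { continue }

        $raw = [int]$ace.FileSystemRights
        if (($raw -band $writeMask) -ne 0 -or ($raw -band $genericMask) -ne 0) {
            $findings += ('{0} holds write-capable NTFS rights: {1}' -f $who, $ace.FileSystemRights)
        }
    }

    [pscustomobject]@{
        Path     = $Path
        HasMan   = $hasMan
        HasDat   = $hasDat
        Findings = $findings
    }
}

Get-MandatoryProfileAudit -Path $ProfilePath -Trusted $Trusted | Format-List
```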
March 1, 2005 11:33:06 AM


Thanks for the help. I'll reset the permissions and give it a try. Tom
Anonymous
March 1, 2005 2:37:03 PM


Tom wrote:
> The server is Windows 2003 with Windows 2000 and XP Pro Clients. The
> permissions at the share point location are not restricted. They are
> set default with everyone able to do anything. Also the share point
> location is on a secondary Windows 2000 server, but I've tested
> having the share on the primary 2003 server with the same results. The
> users are not domain admins either. Once I create the profile on a
> client and then save it to the location on the server

...by this I presume you mean:

1. Each user's ADUC settings specify \\server\parentshare\%username% in the
profile field [a]
2. You log into the domain as this user on a workstation, modify the
profile, and then log out so that the profile is automatically uploaded to
that user's profile folder on the server
3. Then on the server, while this user is *not* logged in anywhere, you
rename the ntuser.dat to ntuser.man
4. And you do this for all your user profiles.

All this should work fine. I do it all the time.

[a] And on the parent profile directory, the share permissions are set to
everyone=full control, and the NTFS permissions are set to grant everyone
(not necessarily that group - could use authenticated users) full control as
well. This will be adjusted when the profile is uploaded for the first time.
I recommend making the parent profile share a hidden one - as in,
PROFILES$ - so it can't be browsed. So then you can use
\\server\profiles$\%username%

Of course, you need to have permissions to open the profile folder - if
you don't have them, you'll have to take ownership as Administrators (the
group) and reset the NTFS permissions. Or you can use the option in GP (?)
to automatically grant administrators access to user profiles.



March 1, 2005 2:37:04 PM


Your presumption is correct. Except I have all users use the same profile.
The parent profile share is hidden with the name mprofile$. Ex.
\\student\mprofile$\user. I use this same setup almost all the time as well,
which is why I'm confused as to what is going on. The roaming profile is
working correctly besides the mandatory part. If it doesn't mandatory then
the profile gets too big to be mandatory. I may have to set up a group policy
to work around it. Thanks for the help. Tom
Anonymous
March 1, 2005 5:02:04 PM


Tom wrote:
> Your presumption is correct. Except I have all users use the same
> profile. The parent profile share is hidden with the name mprofile$.
> Ex. \\student\mprofile$\user. I use this same setup almost all the
> time as well, which is why I'm confused as to what is going on. The
> roaming profile is working correctly besides the mandatory part. If
> it doesn't mandatory then the profile gets too big to be mandatory. I
> may have to set up a group policy to work around it. Thanks for the
> help. Tom

All right - why do you have multiple user accounts, then? What benefit does
this provide, given that they won't have any custom settings whatsoever -
why can't everyone use the same account (and not be permitted to change the
password)? Is it only for auditing logins/logouts?

That said: these users (ideally, a group rather than individuals) have
exactly what NTFS permissions on this
common profile subfolder?

If you take ownership as Administrators (*not* Administrator), push those
settings down to subitems, and then change the NTFS security to:

a) remove inheritance from the parent folder, if it isn't correct (choose
'copy', not remove) and
b) grant administrators & system & users=full control, and push *those* down
to subfolders as well

...any change?

I think there is a GP that doesn't permit login if the roaming profile can't
be loaded properly, but I'm damned if I know where it is.

Another nice thing (probably won't help with your issue):
http://www.microsoft.com/downloads/details.aspx?FamilyI...

March 1, 2005 5:02:05 PM


Well, this account is a school and they want to be able to track the
students. They use Symantec web security which also requires security.
Also, they want them to use individual folders for data storage on the
network. Is there a better way of doing it? I've set up many small schools
this way and it works great for controlling printers, desktop icons and
programs. It's easy to change as well. Thanks, Tom
March 1, 2005 5:02:06 PM


Another question: if I set up a group policy in AD, can I assign it
specifically for the student users (student group)? I set up a policy for
folder redirection that would probably solve a lot of our problems, but I
don't want it for all users. Thanks, Tom
March 1, 2005 10:23:05 PM


There are over 100 users and I'm too lazy to give each of them their own
mandatory profile when they need the same thing. I appreciate your help.
I'm going there tomorrow and hopefully your information will help me resolve
this problem. Thanks, Tom
Anonymous
March 2, 2005 12:46:18 AM


Tom wrote:
> Well, this account is a school and they want to be able to track the
> students. They use Symantec web security which also requires
> security. Also, they want them to use individual folders for data
> storage on the network. Is there a better way of doing it? I've
> set up many small schools this way and it works great for controlling
> printers, desktop icons and programs. It's easy to change as well.
> Thanks, Tom

I'd set them up with their own individual, roaming, mandatory profiles. This
isn't tough to do. That way, their settings are unique to their login, but
cannot be changed. Redirect My Documents to the user's home directory via
group policy.