Roaming Profile Not Staying Mandatory

Archived from groups: microsoft.public.win2000.setup

I have a network where the users log in using a mandatory profile. I have
changed the ntuser.dat to ntuser.man, but when the users log in and log out
it creates a new ntuser.dat and ignores the .man change. I have used
mandatory roaming profiles for years and this is the first problem that I've
had. Any suggestions you have will be greatly appreciated.
Thanks, Tom

  1.

    Hi Tom,

    What network OS? What client OS?

    What permissions are given to the share point on the server?

    Do you mean the .dat is written on the server?

    --
    Scott Baldridge
    Windows Server MVP, MCSE

  2.

    The server is Windows 2003 with Windows 2000 and XP Pro Clients. The
    permissions at the share point location are not restricted. They are set
    default with everyone able to do anything. Also the share point location is
    on a secondary Windows 2000 server, but I've tested having the share on the
    primary 2003 server with the same results. The users are not domain admins
    either. Once I create the profile on a client and then save it to the
    location on the server I rename the ntuser.dat to ntuser.man, but once any
    client machine logs on and logs off using the profile a new ntuser.dat is
    created and the changes that were made to the profile are saved to the share.
    So there is nothing mandatory about it. I've never had this happen. I'm
    getting frustrated. Thanks for the response. Tom

  3.

    Hi Tom,

    Thanks for the info. Set your permissions at the share point to "read &
    execute" for authenticated users or your target group, nothing more.

    --
    Scott Baldridge
    Windows Server MVP, MCSE

  4.

    Thanks for the help. I'll reset the permissions and give it a try. Tom

  5.

    Tom wrote:
    > The server is Windows 2003 with Windows 2000 and XP Pro Clients. The
    > permissions at the share point location are not restricted. They are
    > set default with everyone able to do anything. Also the share point
    > location is on a secondary Windows 2000 server, but I've tested
    > having the share on the primary 2003 server with the same results. The
    > users are not domain admins either. Once I create the profile on a
    > client and then save it to the location on the server

    ....by this I presume you mean:

    1. Each user's ADUC settings specify \\server\parentshare\%username% in the
    profile field [a]
    2. You log into the domain as this user on a workstation, modify the
    profile, and then log out so that the profile is automatically uploaded to
    that user's profile folder on the server
    3. Then on the server, while this user is *not* logged in anywhere, you
    rename the ntuser.dat to ntuser.man
    4. And you do this for all your user profiles.

    All this should work fine. I do it all the time.

    [a] And on the parent profile directory, the share permissions are set to
    everyone=full control, and the NTFS permissions are set to grant everyone
    (not necessarily that group - could use authenticated users) full control as
    well. This will be adjusted when the profile is uploaded for the first time.
    I recommend making the parent profile share a hidden one - as in,
    PROFILES$ - so it can't be browsed. So then you can use
    \\server\profiles$\%username%

    Of course, you need to have permissions to open the profile folder - if
    you don't have them, you'll have to take ownership as Administrators (the
    group) and reset the NTFS permissions. Or you can use the option in GP (?)
    to automatically grant administrators access to user profiles.


    > I rename the
    > ntuser.dat to ntuser.man, but once any client machine logs on and
    > logs off using the profile a new ntuser.dat is created and the
    > changes that were made to the profile are saved to the share. So
    > there is nothing mandatory about it. I've never had this happen. I'm
    > getting frustrated. Thanks for the response. Tom

  6.

    Your presumption is correct. Except I have all users use the same profile.
    The parent profile share is hidden with the name mprofile$. Ex.
    \\student\mprofile$\user. I use this same setup almost all the time as well,
    which is why I'm confused as to what is going on. The roaming profile is
    working correctly besides the mandatory part. If it isn't mandatory then
    the profile gets too big to be mandatory. I may have to set up a group policy
    to work around it. Thanks for the help. Tom

  7.

    Tom wrote:
    > Your presumption is correct. Except I have all users use the same
    > profile. The parent profile share is hidden with the name mprofile$.
    > Ex. \\student\mprofile$\user. I use this same setup almost all the
    > time as well, which is why I'm confused as to what is going on. The
    > roaming profile is working correctly besides the mandatory part. If
    > it isn't mandatory then the profile gets too big to be mandatory. I
    > may have to set up a group policy to work around it. Thanks for the
    > help. Tom

    All right - why do you have multiple user accounts, then? What benefit does
    this provide, given that they won't have any custom settings whatsoever -
    why can't everyone use the same account (and not be permitted to change the
    password)? Is it only for auditing logins/logouts?

    That said: these users (ideally, a group rather than individuals) have
    exactly what NTFS permissions on this common profile subfolder?

    If you take ownership as Administrators (*not* Administrator), push those
    settings down to subitems, and then change the NTFS security to:

    a) remove inheritance from the parent folder, if it isn't correct (choose
    'copy', not remove) and
    b) grant administrators & system & users=full control, and push *those* down
    to subfolders as well

    ....any change?

    I think there is a GP that doesn't permit login if the roaming profile can't
    be loaded properly, but I'm damned if I know where it is.

    Another nice thing (probably won't help with your issue):
    http://www.microsoft.com/downloads/details.aspx?FamilyID=1b286e6d-8912-4e18-b570-42470e2f3582&displaylang=en

  8.

    Well, this account is a school and they want to be able to track the
    students. They use Symantec Web Security which also requires security.
    Also, they want them to use individual folders for data storage on the
    network. Is there a better way of doing it? I've set up many small schools
    this way and it works great for controlling printers, desktop icons and
    programs. It's easy to change as well. Thanks, Tom

  9.

    Another question: if I set up a group policy in AD, can I assign it
    specifically for the student users (student group)? I set up a policy for
    folder redirection that would probably solve a lot of our problems, but I
    don't want it for all users. Thanks, Tom

  10.

    There are over 100 users and I'm too lazy to give each of them their own
    mandatory profile when they need the same thing. I appreciate your help.
    I'm going there tomorrow and hopefully your information will help me resolve
    this problem. Thanks, Tom

  11.

    Tom wrote:
    > Well, this account is a school and they want to be able to track the
    > students. They use symantec web security which also requires
    > security. Also, they want them to use individual folders for data
    > storage on the network. Is there a better way of doing it? I've
    > set up many small schools this way and it works great for controlling
    > printers, desktop icons and programs. It's easy to change as well.
    > Thanks, Tom

    I'd set them up with their own individual, roaming, mandatory profiles. This
    isn't tough to do. That way, their settings are unique to their login, but
    cannot be changed. Redirect My Documents to the user's home directory via
    group policy.
    >
    > "Lanwench [MVP - Exchange]" wrote:
    >
    >> Tom wrote:
    >>> Your presumption is correct. Except I have all users use the same
    >>> profile. The parent profile share is hidden with the name mprofile$.
    >>> Ex. \\student\mprofile$\user. I use this same setup almost all the
    >>> time as well, which is why I'm confused as to what is going on. The
    >>> roaming profile is working correctly besides the mandatory part. If
    >>> it doesn't mandatory then the profile gets too big to be mandatory.
    >>> I may have to set up a group policy to work around it. Thanks for
    >>> the help. Tom
    >>
    >> All right - why do you have multiple user accounts, then? What
    >> benefit does this provide, given that they won't have any custom
    >> settings whatsoever - why can't everyone use the same account (and
    >> not be permitted to change the password)? Is it only for auditing
    >> logins/logouts?
    >>
    >> That said: these users (ideally, a group rather than individuals)
    >> have exactly what NTFS permissions on this
    >> common profile subfolder?
    >>
    >> If you take ownership as Administrators (*not* Administrator), push
    >> those settings down to subitems, and then change the NTFS security
    >> to:
    >>
    >> a) remove inheritance from the parent folder, if it isn't correct
    >> (choose 'copy', not remove) and
    >> b) grant administrators & system & users=full control, and push
    >> *those* down to subfolders as well
    >>
    >> ....any change?
    >>
    >> I think there is a GP that doesn't permit login if the roaming
    >> profile can't be loaded properly, but I'm damned if I know where it
    >> is.
    >>
    >> Another nice thing (probably won't help with your issue):
    >>
    >> http://www.microsoft.com/downloads/details.aspx?FamilyID=1b286e6d-8912-4e18-b570-42470e2f3582&displaylang=en
    >>
    >>>
    >>> "Lanwench [MVP - Exchange]" wrote:
    >>>
    >>>> Tom wrote:
    >>>>> The server is Windows 2003 with Windows 2000 and XP Pro Clients.
    >>>>> The permissions at the share point location are not restricted.
    >>>>> They are set default with everyone able to do anything. Also the
    >>>>> share point location is on a secondary windows 2000 server, but
    >>>>> I've tested having the share the primary 2003 server with the same
    >>>>> results. The users are not domain admins either. Once I create
    >>>>> the profile on a client and then save it to the location on the
    >>>>> server
    >>>>
    >>>> ....by this I presume you mean:
    >>>>
    >>>> 1. Each user's ADUC settings specify
    >>>> \\server\parentshare\%username% in the profile field [a]
    >>>> 2. You log into the domain as this user on a workstation, modify
    >>>> the profile, and then log out so that the profile is automatically
    >>>> uploaded to that user's profile folder on the server
    >>>> 3. Then on the server, while this user is *not* logged in anywhere,
    >>>> you rename the ntuser.dat to ntuser.man
    >>>> 4. And you do this for all your user profiles.
    >>>>
    >>>> All this should work fine. I do it all the time.
    >>>>
    >>>> [a] And on the parent profile directory, the share permissions are
    >>>> set to everyone=full control, and the NTFS permissions are set to
    >>>> grant everyone (not necessarily that group - could use
    >>>> authenticated users) full control as well. This will be adjusted
    >>>> when the profile is uploaded for the first time. I recommend
    >>>> making the parent profile share a hidden one - as in,
    >>>> PROFILES$ - so it can't be browsed. So then you can use
    >>>> \\server\profiles$\%username%
    >>>>
    >>>> Of course, you need to have permissions to open the profile
    >>>> folder - if you don't have them, you'll have to take ownership as
    >>>> Administrators (the group) and reset the NTFS permissions. Or you
    >>>> can use the option in GP (?) to automatically grant administrators
    >>>> access to user profiles.
    >>>>
    >>>>
    >>>>
    >>>>> I rename the
    >>>>> ntuser.dat to ntuser.man, but once any client machine logs on and
    >>>>> logs off using the profile a new ntuser.dat is created and the
    >>>>> changes that were made to the profile are saved to the share. So
    >>>>> there is nothing mandatory about it. I've never had this happen.
    >>>>> I'm getting frustrated. Thanks for the response. Tom
    >>>>>
    >>>>> "NIC Student" wrote:
    >>>>>
    >>>>>> Hi Tom,
    >>>>>>
    >>>>>> What network OS? What client OS?
    >>>>>>
    >>>>>> What permissions are given to the share point on the server?
    >>>>>>
    >>>>>> Do you mean the .dat is written on the server?
    >>>>>>
    >>>>>> --
    >>>>>> Scott Baldridge
    >>>>>> Windows Server MVP, MCSE
    >>>>>>
    >>>>>> "Tom"
    >>>>>>> I have a network where the users login using a mandatory
    >>>>>>> profile. I have changed the ntuser.dat to ntuser.man, but
    >>>>>>> when the users login and log out it creates a new ntuser.dat and
    >>>>>>> ignores the
    >>>>>>> .man change. I have used mandatory roaming profiles for years
    >>>>>>> and this is the first problem that I've had. Any suggestions
    >>>>>>> you have will be greatly appreciated.
    >>>>>>> Thanks, Tom
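
The symptom discussed in this thread (a new ntuser.dat appearing beside ntuser.man on the profile share) and the NTFS permissions asked about can be checked directly. The PowerShell below is an added example, not part of the original posts; it assumes PowerShell 3.0 or later on an administrative workstation, and the function name Get-MandatoryProfileState and the default path (taken from the \\student\mprofile$\user layout mentioned above) are illustrative.

```powershell
# Added example (not from the thread): read-only audit of a shared
# mandatory roaming profile folder. Requires PowerShell 3.0 or later.
param(
    # Assumption: default follows the thread's \\student\mprofile$\user layout.
    [string]$ProfilePath = '\\student\mprofile$\user'
)

function Get-MandatoryProfileState {
    param([Parameter(Mandatory)][string]$Path)

    # The NTUSER hive files are hidden, so -Force is needed to list them.
    $hives = Get-ChildItem -LiteralPath $Path -Force -File -Filter 'ntuser.*'
    $man = $hives | Where-Object { $_.Name -ieq 'ntuser.man' }
    $dat = $hives | Where-Object { $_.Name -ieq 'ntuser.dat' }

    # Bits that allow creating or changing content in the folder:
    # WriteData/CreateFiles, AppendData/CreateDirectories, and the raw
    # GENERIC_ALL / GENERIC_WRITE values seen on inherit-only ACEs.
    $writeBits = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

    $acl = Get-Acl -LiteralPath $Path
    $writers = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeBits) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Path            = $Path
        HasNtuserMan    = [bool]$man
        HasNtuserDat    = [bool]$dat
        DatLastWritten  = if ($dat) { $dat.LastWriteTime } else { $null }
        Owner           = $acl.Owner
        WriteCapableIds = $writers
    }
}

$state = Get-MandatoryProfileState -Path $ProfilePath
$state | Format-List

if ($state.HasNtuserMan -and $state.HasNtuserDat) {
    Write-Warning ("ntuser.dat exists beside ntuser.man in {0} (last written {1})." -f
        $state.Path, $state.DatLastWritten)
}
```

Running it before and after a test logon and logoff shows whether that logoff wrote a hive back to the share, and which identities hold rights that would allow it.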