Mandatory profile-XP problem

Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

Hello,

I really would like to find an answer to this question. I've
exhausted all the resources I have access to- Microsoft Knowledge
Base, Windows XP Resource Kit documentation, newsgroups...etc.
Microsoft wants $35 to talk to me about this, and I don't think I
should have to pay for an answer to this question.
My question is this:

I use mandatory profiles as part of how I lock down workstations in a
university computer lab. The mandatory profiles work differently with
Windows XP than they did with Windows 2000. The difference is that in
Windows XP the locally cached profile on the workstation is deleted
every time the computer is rebooted. This did not happen in Windows
2000. In Windows 2000, the locally cached profile would stay on the
workstation.
This new behavior in Windows XP is NOT desirable. If someone removes
the network cable from the workstation after a reboot, when they log
in they will get a profile based on the Default User which will not
have necessary group policy settings applied. This gives the user
access to parts of the file system we do not want them to access.

I would really like to find a way to make Windows XP NOT delete the
locally cached mandatory profile, in other words, the same behavior as
in Windows 2000. I know about the group policy setting available in
Computer Configuration\Administrative Templates\System\User Profiles
"Delete cached copies of roaming profiles". I have set that to
disabled, but apparently it doesn't work with mandatory profiles.

I know Microsoft people monitor this newsgroup, and I would really
appreciate if someone could let me know how to make the locally cached
profile not be removed at reboot.

Thanks.
Pat

--
To reply by email, remove the zzz from my email address.
  1. Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

    Pat,

    You've been fighting this problem since May, right? I believe you've lost more
    than $35 already.

    Anyway, run 'gpresult.exe' from any XP station. Upload XP group policy
    templates onto W2k servers. Ensure both local and network NTFS and share
    permissions are set properly.
  2. Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

    On Mon, 19 Jul 2004 16:31:52 -0400, "Jetro" <ik9480@spam.rogers.com>
    wrote:

    >Pat,
    >
    >You've been fighting this problem since May, right? I believe you've lost more
    >than $35 already.
    >
    >Anyway, run 'gpresult.exe' from any XP station. Upload XP group policy
    >templates onto W2k servers. Ensure both local and network NTFS and share
    >permissions are set properly.
    >
    >

    You're probably right about the $35, but I don't see what gpresult.exe
    will do for me in relation to mandatory profiles....
    My group policies are working fine, the mandatory profile is
    downloading correctly from the server, everything is good except that
    the locally cached profile gets deleted every time the pc is rebooted.
    If I log off, the locally cached profile is still there, it only gets
    removed on a reboot. This happens in XP, it didn't happen in Win2000.
    In an open computer lab environment, for several reasons, it is
    desirable to have the locally cached profile not be deleted at reboot.


    --
    To reply by email, remove the zzz from my email address.
  3. Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

    Pat,

    Only you have access to the systems, you are everyone's eyes and hands in
    this community. You wouldn't ask if everything would work fine. Moreover,
    everyone would lose his job if setup and network work fine, G-d forbid :o)
    I would emphasize gpresult in super-verbose mode using /z key.
  4. Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

    On Mon, 19 Jul 2004 21:10:07 -0400, "Jetro" <ik9480@spam.rogers.com>
    wrote:

    >Pat,
    >
    >Only you have access to the systems, you are everyone's eyes and hands in
    >this community. You wouldn't ask if everything would work fine. Moreover,
    >everyone would lose his job if setup and network work fine, G-d forbid :o)
    >I would emphasize gpresult in super-verbose mode using /z key.
    >
    >

    Perhaps I'm not being clear-
    I can take a freshly installed Windows XP computer, log in with a
    domain user account, set the desktop to look how I want. Then I can
    log in as an administrator, copy the profile of the domain user to a
    server share. I then set the domain user's account in Active
    Directory Users and Computers so that it will get its profile from
    the server share. If I set it up to be a mandatory profile
    (ntuser.man on both the server share and in the locally cached
    profile) when the domain user logs in, he gets the mandatory profile.
    When the computer is *rebooted* the locally cached profile is
    *removed*. If the user logs in again, the mandatory profile is
    downloaded just like it is supposed to. If the domain user logs off,
    the locally cached profile remains. It is only removed upon reboot.
    This did not happen in Windows 2000. This has nothing to do with
    group policy.

    There is a group policy setting- Computer Configuration\Administrative
    Templates\System\User Profiles "Delete cached copies of roaming
    profiles". This works fine if I set up a *roaming* profile (ntuser.dat
    on the server share and in the locally cached profile). This group
    policy setting has *no* effect on the mandatory profile.

    I would simply like to know how to stop the locally cached mandatory
    profile from being deleted upon reboot- the same behavior as in
    Windows 2000. There's got to be an undocumented registry setting that
    would accomplish this.

    So, I really don't understand what gpresult is going to do for
    me........

    Cheers,
    Pat

    --
    To reply by email, remove the zzz from my email address.
  5. Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

    Pat,
    This was the real challenge!
    The error is reproduced easily - just change the extension from .dat to .man
    and voila! - the locally cached profile is deleted during the system boot.
    Believe me or not, the solution is as easy as the error reproducing: leave
    the .dat extension and implement Computer Configuration/Administrative
    Templates/System/User Profiles policy "Prevent Roaming profile changes from
    propagating to the server". If computer is disconnected from network, a user
    can bend and rig her cached profile as she wants indeed, but everything
    returns to normal after the real network logon.

    Certainly it took some time parsing the userenv.log and digging the
    Internet, and finally I found out a funny feature named Super-mandatory
    profiles
    (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/mandatory_user_profiles.asp).
    The article states that "Super-mandatory
    user profiles are similar to normal mandatory profiles, with the exception
    that users who have super-mandatory profiles cannot log on when the server
    that stores the mandatory profile is unavailable." User profiles become
    super-mandatory when the folder name of the profile path ends in .man. Neat,
    huh? Unfortunately the feature didn't work for me when I immediately tried
    it (the system just hung up after logon to the super-duper profile). I am
    only guessing now that XP treats the ntuser.man file as something relevant
    and marks the locally cached mandatory profile for deleting exactly as we
    observe.

    P.S. I hope Microsoft will forgive me for $35 :o)
  6. Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

    On Tue, 20 Jul 2004 18:38:41 -0400, "Jetro" <ik9480@spam.rogers.com>
    wrote:

    >Pat,
    >This was the real challenge!
    >The error is reproduced easily - just change the extension from .dat to .man
    >and voila! - the locally cached profile is deleted during the system boot.
    >Believe me or not, the solution is as easy as the error reproducing: leave
    >the .dat extension and implement Computer Configuration/Administrative
    >Templates/System/User Profiles policy "Prevent Roaming profile changes from
    >propagating to the server". If computer is disconnected from network, a user
    >can bend and rig her cached profile as she wants indeed, but everything
    >returns to normal after the real network logon.
    >
    >Certainly it took some time parsing the userenv.log and digging the
    >Internet, and finally I found out a funny feature named Super-mandatory
    >profiles
    >(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/mandatory_user_profiles.asp).
    >The article states that "Super-mandatory
    >user profiles are similar to normal mandatory profiles, with the exception
    >that users who have super-mandatory profiles cannot log on when the server
    >that stores the mandatory profile is unavailable." User profiles become
    >super-mandatory when the folder name of the profile path ends in .man. Neat,
    >huh? Unfortunately the feature didn't work for me when I immediately tried
    >it (the system just hung up after logon to the super-duper profile). I am
    >only guessing now that XP treats the ntuser.man file as something relevant
    >and marks the locally cached mandatory profile for deleting exactly as we
    >observe.
    >
    >P.S. I hope Microsoft will forgive me for $35 :o)
    >
    >
    >

    Well, I know about the super-mandatory profiles, they worked for NT4.
    Knowledge base article 307800 states that the folder name should not
    contain .usr or .man extensions. There is a group policy setting that
    would appear to provide the super-mandatory profile functionality
    (Computer Configuration\Administrative Templates\System\User Profiles
    "Log users off when roaming profile fails.").

    In any case I need to use mandatory profiles, not roaming profiles.
    There has got to be an undocumented registry setting that will prevent
    XP from deleting the local cached mandatory profile at reboot.....
    Just gotta find the person who knows what it is....


    --
    To reply by email, remove the zzz from my email address.
  7. Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

    Whatever. BTW, the article 307800 talks about local user accounts and
    produces the same effect. Super-mandatory profile information is fresh and
    updated in May 2004.
  8. Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

    Thanks to Craig from one of the Microsoft XP newsgroups, I have a
    partial answer....
    There is a registry value called RefCount in
    HKLM\software\microsoft\windows NT\currentversion\ProfileList\some-long-assed-user-SID

    When the RefCount DWORD value is set to 1, the locally cached
    mandatory profile remains after a reboot. The problem is that whenever
    the mandatory profile user logs off, the RefCount value is set to 0.
    If RefCount is 0, the locally cached mandatory profile is deleted.

    I also determined that the locally cached mandatory profile is removed
    at system startup, not when the system shuts down. (I logged in using
    the recovery console, and the locally cached mandatory profile was
    still there; after I let the system boot up, it was gone).

    I have no idea what the RefCount value is supposed to do....it appears
    that normally it is a value of 1 when a user is logged in, and a value
    of 0 when the user logs out. It doesn't look like it matters what
    type of profile it is, when a user is logged in, the value is 1; when
    the user is logged out, the value is 0.

    In any case, it may be a possible workaround. I've been messing around
    with a group policy shutdown script that will set the RefCount value
    to 1 at system shutdown. I use a utility called regini.exe to do this.
    It worked, but I'll need to set that value for three different user
    accounts with mandatory profiles that all share the same group policy.


    It still would be better to have some nice clean registry setting that
    would stick and prevent the mandatory profile from being deleted!


    --
    To reply by email, remove the zzz from my email address.
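
The shutdown-script workaround described in the post above, sketched as an added example that is not part of the original thread. It uses the built-in reg.exe rather than the regini.exe utility the poster mentions, and the three SIDs are placeholders (assumptions) to be replaced with the SIDs of the mandatory-profile accounts.

```batch
@echo off
rem Added example: Group Policy computer shutdown script (runs as Local System).
rem Sets RefCount to 1 for each listed account so the locally cached
rem mandatory profile is still present after the next boot, as the post reports.
setlocal
set "PL=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

rem Placeholder SIDs: replace with the real SIDs of the lab accounts.
for %%S in (
    S-1-5-21-PLACEHOLDER-1
    S-1-5-21-PLACEHOLDER-2
    S-1-5-21-PLACEHOLDER-3
) do call :pin "%%S"

endlocal
goto :eof

:pin
rem An account that has never logged on to this workstation has no
rem ProfileList key yet; do not create an empty one for it.
reg query "%PL%\%~1" /v ProfileImagePath >nul 2>&1
if errorlevel 1 (
    echo SID %~1 has no cached profile on this machine, skipped
    goto :eof
)

rem /f overwrites the existing value without prompting.
reg add "%PL%\%~1" /v RefCount /t REG_DWORD /d 1 /f >nul
if errorlevel 1 (
    echo SID %~1 - failed to set RefCount
) else (
    echo SID %~1 - RefCount set to 1
)
goto :eof
```

A workstation where one of these accounts has never logged on still has no cached copy, so an offline logon there falls back to the Default User profile described in the original question.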
  9. Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

    You could find everything yourself and faster if you'd look into
    userenv.log.

    As M. Russinovich explains in his article "Inside NT's Object Manager"
    (http://www.winntmag.com/Articles/Index.cfm?IssueID=24&ArticleID=299),
    "Regardless of whether resources are physical resources (such as disk drives
    and keyboards) or logical resources (such as files and shared virtual
    memory), NT represents them as object data structures, which the Object
    Manager defines... Reference Count records the number of handles for an
    object plus the number of active references that operating system components
    make to the object. The Object Manager uses this count to determine when the
    system no longer needs an object. When Reference Count drops to zero,
    nothing in the system is using the object, so the system can remove the
    object's state and storage. The Object Manager will call an object type's
    Delete Procedure (which eliminates the object, not the resource the object
    represents) with the object as a parameter."

    Put simply, everything in NT is an object and every object has its RefCount.