Mandatory profile-XP problem
Last response: in Windows XP
Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)
Hello,
I really would like to find an answer to this question. I've
exhausted all the resources I have access to- Microsoft Knowledge
Base, Windows XP Resource Kit documentation, newsgroups...etc.
Microsoft wants $35 to talk to me about this, and I don't think I
should have to pay for an answer to this question.
My question is this:
I use mandatory profiles as part of how I lock down workstations in a
university computer lab. The mandatory profiles work differently with
Windows XP than they did with Windows 2000. The difference is that in
Windows XP the locally cached profile on the workstation is deleted
every time the computer is rebooted. This did not happen in Windows
2000. In Windows 2000, the locally cached profile would stay on the
workstation.
This new behavior in Windows XP is NOT desirable. If someone removes
the network cable from the workstation after a reboot, when they log
in they will get a profile based on the Default User which will not
have necessary group policy settings applied. This gives the user
access to parts of the file system we do not want them to access.
I would really like to find a way to make Windows XP NOT delete the
locally cached mandatory profile, in other words, the same behavior as
in Windows 2000. I know about the group policy setting available in
Computer Configuration\Administrative Templates\System\User Profiles
"Delete cached copies of roaming profiles" I have set that to
disabled, but apparently it doesn't work with mandatory profiles.
I know Microsoft people monitor this newsgroup, and I would really
appreciate if someone could let me know how to make the locally cached
profile not be removed at reboot.
Thanks.
Pat
--
To reply by email, remove the zzz from my email address.
Hello,
I really would like to find an answer to this question. I've
exhausted all the resources I have access to- Microsoft Knowledge
Base, Windows XP Resource Kit documentation, newsgroups...etc.
Microsoft wants $35 to talk to me about this, and I don't think I
should have to pay for an answer to this question.
My question is this:
I use mandatory profiles as part of how I lock down workstations in a
university computer lab. The mandatory profiles work differently with
Windows XP than they did with Windows 2000. The difference is that in
Windows XP the locally cached profile on the workstation is deleted
every time the computer is rebooted. This did not happen in Windows
2000. In Windows 2000, the locally cached profile would stay on the
workstation.
This new behavior in Windows XP is NOT desirable. If someone removes
the network cable from the workstation after a reboot, when they log
in they will get a profile based on the Default User which will not
have necessary group policy settings applied. This gives the user
access to parts of the file system we do not want them to access.
I would really like to find a way to make Windows XP NOT delete the
locally cached mandatory profile, in other words, the same behavior as
in Windows 2000. I know about the group policy setting available in
Computer Configuration\Administrative Templates\System\User Profiles
"Delete cached copies of roaming profiles" I have set that to
disabled, but apparently it doesn't work with mandatory profiles.
I know Microsoft people monitor this newsgroup, and I would really
appreciate if someone could let me know how to make the locally cached
profile not be removed at reboot.
Thanks.
Pat
--
To reply by email, remove the zzz from my email address.
More about : mandatory profile problem
Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)
Pat,
You're fighting this problem since May, right? I believe you've lost more
than $35 already.
Anyway, run 'gpresult.exe' from any XP station. Upload XP group policy
templates onto W2k servers. Ensure both local and network NTFS and share
permissions are set properly.
Pat,
You're fighting this problem since May, right? I believe you've lost more
than $35 already.
Anyway, run 'gpresult.exe' from any XP station. Upload XP group policy
templates onto W2k servers. Ensure both local and network NTFS and share
permissions are set properly.
Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)
On Mon, 19 Jul 2004 16:31:52 -0400, "Jetro" <ik9480@spam.rogers.com>
wrote:
>Pat,
>
>You're fighting this problem since May, right? I believe you've lost more
>than $35 already.
>
>Anyway, run 'gpresult.exe' from any XP station. Upload XP group policy
>templates onto W2k servers. Ensure both local and network NTFS and share
>permissions are set properly.
>
>
You're probably right about the $35, but I don't see what gpresult.exe
will do for me in relation to mandatory profiles....
My group policies are working fine, the mandatory profile is
downloading correctly from the server, everything is good except that
the locally cached profiles gets deleted everytime the pc is rebooted.
If I log off, the locally cached profile is still there, it only gets
removed on a reboot. This happens in XP, it didn't happen in Win2000.
In an open computer lab environment, for several reasons, it is
desirable to have the locally cached profile not be deleted at reboot.
--
To reply by email, remove the zzz from my email address.
On Mon, 19 Jul 2004 16:31:52 -0400, "Jetro" <ik9480@spam.rogers.com>
wrote:
>Pat,
>
>You're fighting this problem since May, right? I believe you've lost more
>than $35 already.
>
>Anyway, run 'gpresult.exe' from any XP station. Upload XP group policy
>templates onto W2k servers. Ensure both local and network NTFS and share
>permissions are set properly.
>
>
You're probably right about the $35, but I don't see what gpresult.exe
will do for me in relation to mandatory profiles....
My group policies are working fine, the mandatory profile is
downloading correctly from the server, everything is good except that
the locally cached profiles gets deleted everytime the pc is rebooted.
If I log off, the locally cached profile is still there, it only gets
removed on a reboot. This happens in XP, it didn't happen in Win2000.
In an open computer lab environment, for several reasons, it is
desirable to have the locally cached profile not be deleted at reboot.
--
To reply by email, remove the zzz from my email address.
Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)
Pat,
Only you have an access to the systems, you are everyone's eyes and hands in
this community. You wouldn't ask if everything would work fine. Moreover,
everyone would lose his job if setup and network work fine, G-d forbid![:o]( ":o")
)
I would emphasis gpresult in super-verbose mode using /z key.
Pat,
Only you have an access to the systems, you are everyone's eyes and hands in
this community. You wouldn't ask if everything would work fine. Moreover,
everyone would lose his job if setup and network work fine, G-d forbid
)I would emphasis gpresult in super-verbose mode using /z key.
Related ressources
- Problem with Mandatory Profile - Forum
- Do PCIe motherboards require mandatory PCIe graphics cards to run? - Forum
- Enable mandatory password login WIN XP HOME - Forum
- Mandatory profile/Desktop Redirection - Forum
- Roaming Profile Not Staying Mandatory - Forum
Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)
On Mon, 19 Jul 2004 21:10:07 -0400, "Jetro" <ik9480@spam.rogers.com>
wrote:
>Pat,
>
>Only you have an access to the systems, you are everyone's eyes and hands in
>this community. You wouldn't ask if everything would work fine. Moreover,
>everyone would lose his job if setup and network work fine, G-d forbid![:o]( ":o")
)
>I would emphasis gpresult in super-verbose mode using /z key.
>
>
Perhaps I'm not being clear-
I can take a freshly installed Windows XP computer, log in with a
domain user account, set the desktop to look how I want. Then I can
log in as an administrator, copy the profile of the domain user to a
server share. I then set the domain user's account in Active
Directory Users and Computers so that it will get it's profile from
the server share. If I set it up to be a mandatory profile
(ntuser.man on both the server share and in the locally cached
profile) when the domain user logs in, he gets the mandatory profile.
When the computer is *rebooted* the locally cached profile is
*removed* If the user logs in again, the mandatory profile is
downloaded just like it is supposed to. If the domain user logs off,
the locally cached profile remains. It is only removed upon reboot.
This did not happen in Windows 2000. This has nothing to do with
group policy.
There is a group policy setting- Computer Configuration\Administrative
Templates\System\User Profiles "Delete cached copies of roaming
profiles" This works fine if I set up a *roaming* profile (ntuser.dat
on the server share and in the locally cached profile). This group
policy setting has *no* effect on the mandatory profile.
I would simply like to know how to stop the locally cached mandatory
profile from being deleted upon reboot- the same behavior as in
Windows 2000. There's got to be an undocumented registry setting that
would accomplish this.
So, I really don't understand what gpresult is going to do for
me........
Cheers,
Pat
--
To reply by email, remove the zzz from my email address.
On Mon, 19 Jul 2004 21:10:07 -0400, "Jetro" <ik9480@spam.rogers.com>
wrote:
>Pat,
>
>Only you have an access to the systems, you are everyone's eyes and hands in
>this community. You wouldn't ask if everything would work fine. Moreover,
>everyone would lose his job if setup and network work fine, G-d forbid
)>I would emphasis gpresult in super-verbose mode using /z key.
>
>
Perhaps I'm not being clear-
I can take a freshly installed Windows XP computer, log in with a
domain user account, set the desktop to look how I want. Then I can
log in as an administrator, copy the profile of the domain user to a
server share. I then set the domain user's account in Active
Directory Users and Computers so that it will get it's profile from
the server share. If I set it up to be a mandatory profile
(ntuser.man on both the server share and in the locally cached
profile) when the domain user logs in, he gets the mandatory profile.
When the computer is *rebooted* the locally cached profile is
*removed* If the user logs in again, the mandatory profile is
downloaded just like it is supposed to. If the domain user logs off,
the locally cached profile remains. It is only removed upon reboot.
This did not happen in Windows 2000. This has nothing to do with
group policy.
There is a group policy setting- Computer Configuration\Administrative
Templates\System\User Profiles "Delete cached copies of roaming
profiles" This works fine if I set up a *roaming* profile (ntuser.dat
on the server share and in the locally cached profile). This group
policy setting has *no* effect on the mandatory profile.
I would simply like to know how to stop the locally cached mandatory
profile from being deleted upon reboot- the same behavior as in
Windows 2000. There's got to be an undocumented registry setting that
would accomplish this.
So, I really don't understand what gpresult is going to do for
me........
Cheers,
Pat
--
To reply by email, remove the zzz from my email address.
Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)
Pat,
This was the real challenge!
The error is reproduced easily - just change the extention from .dat to .man
and voila! - the locally cached profile is deleted during the system boot.
Believe me or not, the solution is as easy as the error reproducing: leave
the .dat extention and implement Computer Configuration/Administrative
Templates/System/User Profiles policy "Prevent Roaming profile changes from
propagating to the server". If computer is disconnected from network, a user
can bend and rig her cached profile as she wants indeed, but everything
returns to normal after the real network logon.
Certainly it took some time parsing the userenv.log and digging the
Internet, and finally I found out a funny feature named Super-mandatory
profiles
(http://msdn.microsoft.com/library/default.asp?url=/libr...
icy/mandatory_user_profiles.asp). The article states that "Super-mandatory
user profiles are similar to normal mandatory profiles, with the exception
that users who have super-mandatory profiles cannot log on when the server
that stores the mandatory profile is unavailable." User profiles become
super-mandatory when the folder name of the profile path ends in .man. Neat,
huh? Unfortunately the feature didn't work for me when I immediately tried
it (the system just hung up after logon to the super-duper profile). I am
only guessing now that XP treats the ntuser.man file as something relevant
and marks the locally cached mandatory profile for deleting exactly as we
observe.
P.S. I hope Microsoft will forgive me for $35![:o]( ":o")
)
Pat,
This was the real challenge!
The error is reproduced easily - just change the extention from .dat to .man
and voila! - the locally cached profile is deleted during the system boot.
Believe me or not, the solution is as easy as the error reproducing: leave
the .dat extention and implement Computer Configuration/Administrative
Templates/System/User Profiles policy "Prevent Roaming profile changes from
propagating to the server". If computer is disconnected from network, a user
can bend and rig her cached profile as she wants indeed, but everything
returns to normal after the real network logon.
Certainly it took some time parsing the userenv.log and digging the
Internet, and finally I found out a funny feature named Super-mandatory
profiles
(http://msdn.microsoft.com/library/default.asp?url=/libr...
icy/mandatory_user_profiles.asp). The article states that "Super-mandatory
user profiles are similar to normal mandatory profiles, with the exception
that users who have super-mandatory profiles cannot log on when the server
that stores the mandatory profile is unavailable." User profiles become
super-mandatory when the folder name of the profile path ends in .man. Neat,
huh? Unfortunately the feature didn't work for me when I immediately tried
it (the system just hung up after logon to the super-duper profile). I am
only guessing now that XP treats the ntuser.man file as something relevant
and marks the locally cached mandatory profile for deleting exactly as we
observe.
P.S. I hope Microsoft will forgive me for $35
)
Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)
On Tue, 20 Jul 2004 18:38:41 -0400, "Jetro" <ik9480@spam.rogers.com>
wrote:
>Pat,
>This was the real challenge!
>The error is reproduced easily - just change the extention from .dat to .man
>and voila! - the locally cached profile is deleted during the system boot.
>Believe me or not, the solution is as easy as the error reproducing: leave
>the .dat extention and implement Computer Configuration/Administrative
>Templates/System/User Profiles policy "Prevent Roaming profile changes from
>propagating to the server". If computer is disconnected from network, a user
>can bend and rig her cached profile as she wants indeed, but everything
>returns to normal after the real network logon.
>
>Certainly it took some time parsing the userenv.log and digging the
>Internet, and finally I found out a funny feature named Super-mandatory
>profiles
>(http://msdn.microsoft.com/library/default.asp?url=/libr...
>icy/mandatory_user_profiles.asp). The article states that "Super-mandatory
>user profiles are similar to normal mandatory profiles, with the exception
>that users who have super-mandatory profiles cannot log on when the server
>that stores the mandatory profile is unavailable." User profiles become
>super-mandatory when the folder name of the profile path ends in .man. Neat,
>huh? Unfortunately the feature didn't work for me when I immediately tried
>it (the system just hung up after logon to the super-duper profile). I am
>only guessing now that XP treats the ntuser.man file as something relevant
>and marks the locally cached mandatory profile for deleting exactly as we
>observe.
>
>P.S. I hope Microsoft will forgive me for $35![:o]( ":o")
)
>
>
>
Well, I know about the super-mandatory profiles, they worked for NT4.
Knowledge base article 307800 states that the folder name should not
contain .usr or .man extensions. There is a group policy setting that
would appear to provide the super-mandatory profile functionality
(Computer Configuration\Administrative Templates\System\User Profiles
"Log users off when roaming profile fails."
In any case I need to use mandatory profiles, not roaming profiles.
There has got to be an undocumented registry setting that will prevent
XP from deleting the local cached mandatory profile at reboot.....
Just gotta find the person who knows what it is....
--
To reply by email, remove the zzz from my email address.
On Tue, 20 Jul 2004 18:38:41 -0400, "Jetro" <ik9480@spam.rogers.com>
wrote:
>Pat,
>This was the real challenge!
>The error is reproduced easily - just change the extention from .dat to .man
>and voila! - the locally cached profile is deleted during the system boot.
>Believe me or not, the solution is as easy as the error reproducing: leave
>the .dat extention and implement Computer Configuration/Administrative
>Templates/System/User Profiles policy "Prevent Roaming profile changes from
>propagating to the server". If computer is disconnected from network, a user
>can bend and rig her cached profile as she wants indeed, but everything
>returns to normal after the real network logon.
>
>Certainly it took some time parsing the userenv.log and digging the
>Internet, and finally I found out a funny feature named Super-mandatory
>profiles
>(http://msdn.microsoft.com/library/default.asp?url=/libr...
>icy/mandatory_user_profiles.asp). The article states that "Super-mandatory
>user profiles are similar to normal mandatory profiles, with the exception
>that users who have super-mandatory profiles cannot log on when the server
>that stores the mandatory profile is unavailable." User profiles become
>super-mandatory when the folder name of the profile path ends in .man. Neat,
>huh? Unfortunately the feature didn't work for me when I immediately tried
>it (the system just hung up after logon to the super-duper profile). I am
>only guessing now that XP treats the ntuser.man file as something relevant
>and marks the locally cached mandatory profile for deleting exactly as we
>observe.
>
>P.S. I hope Microsoft will forgive me for $35
)>
>
>
Well, I know about the super-mandatory profiles, they worked for NT4.
Knowledge base article 307800 states that the folder name should not
contain .usr or .man extensions. There is a group policy setting that
would appear to provide the super-mandatory profile functionality
(Computer Configuration\Administrative Templates\System\User Profiles
"Log users off when roaming profile fails."
In any case I need to use mandatory profiles, not roaming profiles.
There has got to be an undocumented registry setting that will prevent
XP from deleting the local cached mandatory profile at reboot.....
Just gotta find the person who knows what it is....
--
To reply by email, remove the zzz from my email address.
Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)
Whatever. BTW, the article 307800 talks about local user accounts and
produces the same effect. Super-mandatory profile information is fresh and
updated in May 2004.
Whatever. BTW, the article 307800 talks about local user accounts and
produces the same effect. Super-mandatory profile information is fresh and
updated in May 2004.
Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)
Thanks to Craig from one of the Microsoft XP newsgroups, I have a
partial answer....
There is a registry value called RefCount in
HKLM\software\microsoft\windows
NT\currentversion\ProfileList\some-long-assed-user-SID
When the RefCount DWORD value is set to 1, the locally cached
mandatory profile remains after a reboot. The problem is that whenever
the mandatory profile user logs off, the RefCount value is set to 0.
If RefCount is 0, the locally cached mandatory profile is deleted.
I also determined that the locally cached mandatory profile is removed
at system startup, not when the system shuts down. (I logged in using
the recovery console, and the locally cached mandatory profile was
still there; after I let the system boot up, it was gone).
I have no idea what the RefCount value is supposed to do....it appears
that normally it is a value of 1 when a user is logged in, and a value
of 0 when the user logs out. It doesn't look like it matters what
type of profile it is, when a user is logged in, the value is 1; when
the user is logged out, the value is 0.
In any case, it may be a possible workaround. I've been messing around
with a group policy shutdown script that will set the RefCount value
to 1 at system shutdown. I use a utility called regini.exe to do this.
It worked, but I'll need to set that value for three different user
accounts with mandatory profiles that all share the same group policy.
It still would be better to have some nice clean registry setting that
would stick and prevent the mandatory profile from being deleted!
--
To reply by email, remove the zzz from my email address.
Thanks to Craig from one of the Microsoft XP newsgroups, I have a
partial answer....
There is a registry value called RefCount in
HKLM\software\microsoft\windows
NT\currentversion\ProfileList\some-long-assed-user-SID
When the RefCount DWORD value is set to 1, the locally cached
mandatory profile remains after a reboot. The problem is that whenever
the mandatory profile user logs off, the RefCount value is set to 0.
If RefCount is 0, the locally cached mandatory profile is deleted.
I also determined that the locally cached mandatory profile is removed
at system startup, not when the system shuts down. (I logged in using
the recovery console, and the locally cached mandatory profile was
still there; after I let the system boot up, it was gone).
I have no idea what the RefCount value is supposed to do....it appears
that normally it is a value of 1 when a user is logged in, and a value
of 0 when the user logs out. It doesn't look like it matters what
type of profile it is, when a user is logged in, the value is 1; when
the user is logged out, the value is 0.
In any case, it may be a possible workaround. I've been messing around
with a group policy shutdown script that will set the RefCount value
to 1 at system shutdown. I use a utility called regini.exe to do this.
It worked, but I'll need to set that value for three different user
accounts with mandatory profiles that all share the same group policy.
It still would be better to have some nice clean registry setting that
would stick and prevent the mandatory profile from being deleted!
--
To reply by email, remove the zzz from my email address.
Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)
You could find everything yourself and faster if you'd look into
userenv.log.
As M.Russinovich explains in his article
http://www.winntmag.com/Articles/Index.cfm?IssueID=24&A... Inside
NT's Object Manager,
"Regardless of whether resources are physical resources (such as disk drives
and keyboards) or logical resources (such as files and shared virtual
memory), NT represents them as object data structures, which the Object
Manager defines... Reference Count records the number of handles for an
object plus the number of active references that operating system components
make to the object. The Object Manager uses this count to determine when the
system no longer needs an object. When Reference Count drops to zero,
nothing in the system is using the object, so the system can remove the
object's state and storage. The Object Manager will call an object type's
Delete Procedure (which eliminates the object, not the resource the object
represents) with the object as a parameter."
Put simply, everything in NT is an object and every object has its RefCount.
You could find everything yourself and faster if you'd look into
userenv.log.
As M.Russinovich explains in his article
http://www.winntmag.com/Articles/Index.cfm?IssueID=24&A... Inside
NT's Object Manager,
"Regardless of whether resources are physical resources (such as disk drives
and keyboards) or logical resources (such as files and shared virtual
memory), NT represents them as object data structures, which the Object
Manager defines... Reference Count records the number of handles for an
object plus the number of active references that operating system components
make to the object. The Object Manager uses this count to determine when the
system no longer needs an object. When Reference Count drops to zero,
nothing in the system is using the object, so the system can remove the
object's state and storage. The Object Manager will call an object type's
Delete Procedure (which eliminates the object, not the resource the object
represents) with the object as a parameter."
Put simply, everything in NT is an object and every object has its RefCount.
Related ressources:
- ForumMandatory profile and GPO
- ForumMandatory Profile under Group Policy.
- ForumIs SLI mandatory for surround gaming?
- ForumMandatory Auto Update
- ForumSURVERY: Absolutely Mandatory "Optional" Techs
- ForumB.S. Mandatory Registration for Whistler
- ForumMandatory Upgrade XP Gold?
- ForumUpgread the gpu and get problem
- ForumCasual Conversation Thread Mk III
- ForumHELP!!! Please with Windows XP
- Forumhelp! how do I fix this problem?
- ForumComputer Management Problem
- ForumAdvanced Networking problem (STEVE WINOGRAD?)
- ForumServices & Startup problem
- ForumStart up Problem
- More resources
Read discussions in other Windows XP categories
!
