A mandatory user profile is a special pre-configured type of roaming user profile that can be changed only by administrators. Users who have been assigned a mandatory profile can work in Windows as usual during the logon session, but no changes are saved to the profile after the user logs off. At the next logon, the mandatory profile is loaded unchanged.
A directory with the mandatory profile can be located in a network shared folder and assigned to multiple domain users at once: for example, to terminal server (RDS) users, information kiosks, or users who don’t need a personal profile (schoolchildren, students, visitors). The administrator can configure folder redirection for mandatory profiles so that users can keep personal files on the file servers (of course, it is recommended to enable disk quotas using NTFS or FSRM in order to prevent users from storing unimportant files in the redirected folders).
Types of Mandatory User Profiles in Windows
There are two types of mandatory user profiles in Windows:
- A normal mandatory user profile – an administrator renames the file NTuser.dat (which contains the user registry hive HKEY_CURRENT_USER) to NTuser.man. When NTuser.man is present, the system treats the profile as read-only and doesn’t save any changes to it. If the mandatory profile is stored on a remote server and the server becomes unavailable, users can still log on using a cached version of the mandatory profile;
- A super-mandatory user profile – when using this type of profile, the directory that contains the user profile is renamed, and the extension .man is added to the end of the folder name. Users with this profile type won’t be able to log on if the server on which their profile is stored is unavailable.
Some scenarios allow using mandatory profiles for local users as well, for example on public computers (kiosks, meeting rooms, etc.) instead of using a UWF (Unified Write Filter). Every user works in the same environment, and no changes are saved when a user logs off.
Now we’ll show how to create a normal mandatory profile in Windows 10 and assign it to a user. In this example we’ll create a mandatory user profile on a local computer (the profile will be stored on the local drive), but we’ll also explain how to assign a mandatory user profile to domain accounts.
How to Create a Mandatory User Profile in Windows 10
- Log on to the computer under the administrator account and start the Local Users and Groups console (lusrmgr.msc);
- Create a new account, for example, ConfRoom;
- Now you need to copy the default profile to a separate directory with a version-specific extension. Since we are using Windows 10 1703, this folder must have the V6 suffix. For example, the name of the folder will be C:\ConfRoom.V6;
- Open the System Properties (SystemPropertiesAdvanced.exe);
- In the User Profiles section, click Settings;
- Select the Default Profile and click Copy To;
- Select C:\ConfRoom.V6 as a folder to copy the profile to (or you can copy the profile template to the network shared folder on the file server by specifying a UNC path, for example, \\lon-fs01\profiles\ConfRoom.V6).
- In the Permitted to use field, select NT AUTHORITY\Authenticated Users.
How to Assign a Mandatory Profile to Users
Now you can assign the mandatory profile to the user you want.
If you are using a local mandatory profile, go to the Profile tab of the user properties and specify the path to the C:\ConfRoom.V6 directory in the Profile Path field.
If you configure a roaming mandatory user profile in an AD domain, you need to specify the UNC path to the directory with the profile in the user account properties in the ADUC console.
Then log on to the system with the new user account and configure everything the users will need (appearance, shortcuts, required files, software settings, etc.).
Finish the user session and log on using the administrator account. Then rename NTUSER.dat to NTUSER.man in the user profile folder.
Now try to log on to the system as a user with the mandatory profile and make sure that after you log off no changes are saved in the profile.
If the following error appears when the user tries to log on:
The User Profile Service service failed the sign-in. User profile cannot be loaded.
and the following event appears in the System log:
Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.
Make sure that the following permissions are assigned to the profile directory (with permissions inheritance to all child objects):
- ALL APPLICATION PACKAGES – Full Control (the Start menu does not work correctly without it);
- Authenticated Users – Read and Execute;
- SYSTEM – Full Control;
- Administrators – Full Control.
The same permissions must be assigned to the user registry hive: load the ntuser.dat profile file using File -> Load Hive in regedit.exe and set the permissions on the loaded key.
When using roaming profiles, in order for the Start menu to be displayed correctly on all devices, you need to set a REG_DWORD value named SpecialRoamingOverrideAllowed to 1 under the HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ key in the registry.
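The permission list, the hive ACL and the NTUSER.dat rename described above, scripted in one place as an added example (not code from the original article). It assumes the profile template already exists at C:\ConfRoom.V6 (the path used in this article), that no user is logged on with it, and that the script runs from an elevated PowerShell; the hive mount name ConfRoomHive is an arbitrary temporary name.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): applies the four ACEs above to a
# local mandatory profile folder, mirrors them into the user hive, sets the Start
# menu roaming value, then renames NTUSER.DAT to NTUSER.MAN.
$ProfilePath = 'C:\ConfRoom.V6'          # assumption: template created via Copy To
$HiveName    = 'ConfRoomHive'            # assumption: temporary mount point under HKEY_USERS

# Well-known SIDs avoid localized group names; Fs = folder right, Reg = registry right.
$Principals = @(
    @{ Sid = 'S-1-15-2-1';   Fs = 'FullControl';    Reg = 'FullControl' }  # ALL APPLICATION PACKAGES
    @{ Sid = 'S-1-5-11';     Fs = 'ReadAndExecute'; Reg = 'ReadKey' }      # Authenticated Users
    @{ Sid = 'S-1-5-18';     Fs = 'FullControl';    Reg = 'FullControl' }  # SYSTEM
    @{ Sid = 'S-1-5-32-544'; Fs = 'FullControl';    Reg = 'FullControl' }  # BUILTIN\Administrators
)

# 1. Folder ACL: break inheritance from C:\, drop other explicit entries, add only ours
$acl = Get-Acl -Path $ProfilePath
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRuleAll($_) }
foreach ($p in $Principals) {
    $sid = [System.Security.Principal.SecurityIdentifier]$p.Sid
    # ContainerInherit + ObjectInherit pushes each ACE to all child files and folders
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $sid, $p.Fs, 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
}
# The event text above requires the user or Administrators to own the folder
$acl.SetOwner([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544')
Set-Acl -Path $ProfilePath -AclObject $acl

# 2. Same entries on the user hive (the regedit "Load Hive" step, scripted)
$hivePath = Join-Path $ProfilePath 'NTUSER.DAT'
reg.exe load "HKU\$HiveName" $hivePath | Out-Null
$regAcl = Get-Acl -Path "Registry::HKEY_USERS\$HiveName"
foreach ($p in $Principals) {
    $regAcl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
        [System.Security.Principal.SecurityIdentifier]$p.Sid, $p.Reg,
        'ContainerInherit', 'None', 'Allow'))
}
Set-Acl -Path "Registry::HKEY_USERS\$HiveName" -AclObject $regAcl
[GC]::Collect(); [GC]::WaitForPendingFinalizers()   # release handles so unload succeeds
reg.exe unload "HKU\$HiveName" | Out-Null

# 3. Start menu roaming value from the article (machine-wide)
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer' `
    -Name 'SpecialRoamingOverrideAllowed' -Value 1 -Type DWord

# 4. The rename is what marks the profile as mandatory (read-only hive)
Rename-Item -Path $hivePath -NewName 'NTUSER.MAN' -Force
```

Run it once per profile template; to edit the profile later, rename NTUSER.MAN back to NTUSER.DAT first, as the article describes.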
If you need to make changes to a mandatory profile, rename ntuser.man back to ntuser.dat and configure the environment under the user account. Then rename the file to ntuser.man again.
When using a mandatory profile on RDS servers, you can use the following Group Policies to specify the path to the profile directory and enable the use of mandatory profiles. The corresponding GPO section is: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Profiles.
- Use mandatory profiles on the RD Session Host server = Enabled;
- Set path for Remote Desktop Services Roaming User Profile = Enabled + specify the UNC path.
Note that if you decide to use folder redirection together with a mandatory profile, it is not recommended to redirect the AppData (Roaming) folder.