Mandatory Profile and Group Policy


wilow

Technical User
Sep 11, 2003
I have applied a couple of group policies for an OU to lock down the desktop (eg, remove My Network Places and Proxy Settings). These work correctly for the users in that OU.

I have created a mandatory profile (as in Q323368) and assigned selected users a mandatory profile (within User Policy in AD) for some desktop shortcuts. The mandatory policy for shortcuts works but the group policy is not applied to those users, but is for the rest of the users in the OU.

I remove the mandatory profile from the user settings and the group policy works again.

It appears as though group policy does not work if a mandatory profile is used. Is this correct behaviour or is there any way that both settings can be applied?

I am setting these options on Windows 2000 Server for Windows 2000 Professional desktops.

Has anyone else experienced this situation?

Any help much appreciated.
 
Did you apply the group policy then create the MAN profile or the other way around?

Anything on the desktop when you create the desktop profile will be added as the desktop is applied after the group policy. I know this is the case for proxy settings, you will have to set the proxy address before you create the desktop so it becomes part of the profile.


Hope this helps.


 
Thanks for your reply. This is the second forum I've joined with this question and you're the first to respond!

I created the mandatory profile AFTER the GPO. GPResult states the following results:
*******************************************************
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on 14 July 2004 at 10:23:28


Operating System Information:

Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 4
Terminal Server Mode: Not supported

###############################################################

User Group Policy results for:

CN=May1,OU=CVTelesales,OU=Coventry,DC=MYCOMPANY,DC=Ltd

Domain Name: MYCOMPANYLTD
Domain Type: Windows 2000
Site Name: Coventry

Roaming profile: \\BUCV\MANDATORY1
Local profile: C:\Documents and Settings\may1

The user is a member of the following security groups:



###############################################################

Failed to open key with 2



###############################################################

Computer Group Policy results for:

CN=COMPUTER870,CN=Computers,DC=MYCOMPANY,DC=Ltd

Domain Name: MYCOMPANYLTD
Domain Type: Windows 2000
Site Name: Coventry


The computer is a member of the following security groups:

BUILTIN\Administrators
\Everyone
BUILTIN\Users
MYCOMPANYLTD\COMPUTER870$
MYCOMPANYLTD\Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users

###############################################################

Last time Group Policy was applied: 14 July 2004 at 10:12:01
Group Policy was applied from: bucv.MYCOMPANY.Ltd


===============================================================


The computer received "Registry" settings from these GPOs:

Local Group Policy
Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

Local Group Policy
Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

Local Group Policy
Default Domain Policy
*********************************************************
I don't know what the 'Failed with key 2' means but I don't get that in the result when I run this tool on the original user settings after I change their profile to .man
 
So you logged onto a station with a user that is affected by the policy and there was no network neighbourhood icon and no proxy set then you created the profile using that users profile?

This is the key. As I said, if any of this is in the profile it will override GP settings; I had no end of trouble at the last place I worked. As you said above, the GP is working when you remove the profile, but a new setting is applied with the profile.
 
Hi
Thanks again for your response.

Yes to the first part. I originally set up the profile whilst logged in as a user with a roaming profile who was affected by Group Policy (no Network Places etc) and created the mandatory profile.

I've just tried blocking policy inheritance for the test users' group and created another mandatory profile. I reapplied the GPO and still the same results (ie, mandatory profile applied but no GPOs)!!!

Did you manage to get a result in the end? I would have thought that many large organisations would use these two features together but it's difficult finding any information on which order to apply the policies and get them working correctly.
 
This is a very tricky area I'm afraid.

What isn't working still? Do you still have Network Places on your desktop, or is it proxy settings that you are having problems with?

What settings are you trying to achieve?
 
Thanks for confirming that it's tricky - it's driving me insania!

I want to lock down the desktop mainly. My policy for other users with non-mandatory profiles removes certain Control Panel options and the ability to run regedit and browse the network, and applies proxy settings.

The mandatory profile is for a department with high staff turnover that 'hotdesk'. These users require certain program shortcuts on the desktop and printers. I don't want to give each user a new roaming profile as the staff turnover is so high. Also, if additional shortcuts are required, I want to apply it in one, central location.

If there is an alternative way to achieve these requirements, that would be okay too.
 
I don't think there is a good alternative.

I'm surprised that you can't lock down the desktop using a .MAN profile. I always just used to remove what I didn't want, then set the proxy settings and other settings, then create the profile.

I can't really help more than that as I no longer use them in my current workplace. More fiddling required, I'm afraid.
 
I'm surprised too. I will admit defeat on this.

To get round it I've done the following:

1. Created the required amount of standard roaming profiles for a user (not %username%)
2. Do not allow desktop settings to be saved in GPO (in addition to other lockdowns)

This same profile applies when I rename the accounts and change the login name. I will therefore rename standard accounts as staff come and go. At least the profiles won't have to be created each time. Only problem is when shortcuts etc change, I'll have to change them in each standard profile. Hopefully that won’t happen too often!

Thanks for your correspondence nonetheless.
 
Hey - Don't know if anyone's still having problems with this, but the answer lies in your ntuser.man file already defining the policies that you wanted to push out through Group Policy.

Open Regedit and select Local Machine. Right click, choose Load Hive, and load in your ntuser.man from your mandatory profile. You will probably see about a meg's worth of reg keys and you only need a small handful here. Delete everything that you want to push out through policy and keep the rest. So, for example, keep references to Office and keyboard layout etc. Ditch references to command prompts and proxy settings. Delete EVERYTHING you don't NEED to define here.

Unload the hive and place it back in to the mandatory profile share.

If you want a step by step email back this thread.

Cheers (btw - took me about 12 hours to work this out)
 
It might be an idea to post a bit more info on this as I have tried this in the past and it never seemed to pan out the way I wanted it to.

If this works it could be very handy for people using .MAN profiles.

Cheers.
 
OK, no problem, but exactly what information do you require? There's a very big list of keys here. Should I assume you have successfully loaded the ntuser.man hive into regedit and you are happy with deleting reg keys this way?

If you're really desperate I could export an example reg fragment and email it to you. That would of course mean you have a similar software set up.

Basically though, remove the keys that reference classes, Explorer, Internet and proxy settings, and then don't forget to actually unload the hive afterwards, as it isn't live like local registry editing.
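The two posts above describe the same manual procedure: load ntuser.man as a hive, delete the keys that Group Policy is supposed to supply, unload the hive. As an added example that is not from this thread, the same steps scripted in PowerShell, which did not exist on the Windows 2000 systems discussed here but is the tool an administrator would use for this today. The share path and mount name are placeholders; the list of policy key paths (`Software\Policies` and `Software\Microsoft\Windows\CurrentVersion\Policies`, where Group Policy writes its user registry settings) and the proxy value names are my assumptions, since the thread only names the categories to remove, not the keys. Without `-Commit` the script only reports what the profile pre-defines, so it doubles as a check that a freshly built .man does not carry policy keys.

```powershell
# Added example (not from the thread): report, and optionally remove, policy-managed
# keys from a mandatory profile hive so that Group Policy supplies those settings
# instead of ntuser.man. Run as a local administrator on a machine where this
# profile is not currently loaded. Paths and key lists below are assumptions.
param(
    [string]$HivePath  = '\\SERVER\MANDATORY1\ntuser.man',  # placeholder share path
    [string]$MountName = 'ManProfileEdit',                  # temporary HKEY_USERS subkey
    [switch]$Commit                                         # omit to report only
)

# Assumed locations where Group Policy writes user settings. Anything the
# profile already defines here arrives via ntuser.man rather than via the GPO.
$policyPaths = @(
    'Software\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies'
)

# Proxy settings live under Internet Settings; the thread suggests dropping
# these from the profile as well so the GPO can set them.
$proxyKey    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxyValues = 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL'

# 1. Keep a timestamped copy of the hive before touching it.
$backup = "$HivePath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
Copy-Item -LiteralPath $HivePath -Destination $backup -ErrorAction Stop
Write-Host "Backup written to $backup"

# 2. Load the file as a hive under HKEY_USERS (reg.exe load needs exclusive access).
& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }

try {
    $root = "Registry::HKEY_USERS\$MountName"

    foreach ($rel in $policyPaths) {
        $key = "$root\$rel"
        if (Test-Path -LiteralPath $key) {
            # Every subkey listed here is a setting the profile will impose
            # regardless of what the GPO says.
            Get-ChildItem -LiteralPath $key -Recurse |
                ForEach-Object { Write-Host "policy key in profile: $($_.Name)" }
            if ($Commit) { Remove-Item -LiteralPath $key -Recurse -Force }
        }
    }

    $ikey = "$root\$proxyKey"
    if (Test-Path -LiteralPath $ikey) {
        foreach ($name in $proxyValues) {
            $item = Get-ItemProperty -LiteralPath $ikey -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                Write-Host "proxy value in profile: $name = $($item.$name)"
                if ($Commit) { Remove-ItemProperty -LiteralPath $ikey -Name $name }
            }
        }
    }
}
finally {
    # 3. Release the registry provider's handles, then unload. As the thread
    #    notes, nothing is written back to the file until the hive is unloaded.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe unload failed; hive may still be mounted under HKU\$MountName" }
}
```

Run it once without `-Commit` and read the report: an empty report on a .man built from a locked-down session means the profile carries no policy keys and the problem lies elsewhere; a long list means the profile is pre-defining exactly the settings the GPO was expected to own. Only then rerun with `-Commit`, and keep the backup until a test logon confirms the GPO settings now take effect.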
 
I have the exact same problem. I tried editing the ntuser.man file in regedit and deleted a lot of keys; however, the mandatory profile settings are still applied instead of the GPO...

Very frustrating.

There must be a way around this... Roaming profiles worked fine, by the way; it's just mandatory ones that seem to ignore GPO settings.
 