AppSense

How to create a Microsoft Windows 7 or Server 2008 R2 mandatory profile for AppSense

on

You really just want a clean mandatory profile if you are deploying AppSense on Windows 7 or Server 2008 R2. The vast majority of companies don’t need to customize it. When you get into customization, you’re going to go through a lot of trouble trying to clean up the profile. Save yourself the trouble. The best thing to do is have a clean and slim mandatory profile that can be applied to any server or desktop in your environment and leverage AppSense itself to do everything else.

So to build a clean mandatory profile:

1. Login to your Windows 7 or Server 2008 R2 box with a local admin account or an domain administrator account, doesn’t matter. I’m going to use Server 2008 R2 for these screenshots.

2. Start > Control Panel > click User Accounts > click Configure advanced user profile properties

3. Click the Default Profile and hit Copy Too…

4. Copy the profile anywhere you like, I chose “c:\mandatoryprofile.v2“. Usually you want your mandatory profile on a file server or DFS share where it is easily accessible but I am just leaving it local for this example. I specified v2 since I am creating a profile for Server 2008 R2. I changed the “Permitted to use” to “Everyone” so all users get NTFS rights to use it.

5. Navigate to c:\mandatoryprofile.v2 and go to Folder and search options

6. Uncheck “Hide protected operating system files”

7. Now you will 5 temp files you do not need in the mandatory profile. Delete them.


8. The ntuser.dat should be around 512 KB on a clean Server 2008 R2 box

9. Now rename ntuser.dat to ntuser.man

10. From here, you would normally setup a domain level group policy and apply it to the OU that has the servers or desktops you want to use the mandatory profile on. Since this is an example, I am going to edit the local group policy instead.

Go to Start > Run > and type gpedit.msc.

Then navigate to:

Local Computer Policy > Computer Configuration > Administrative Templates > System > User Profiles

There will be 3 items we need to change to “Enabled”:

-Delete cached copies of roaming profiles
-Set roaming profile path for all users logging on this computer
-Prevent Roaming Profile changes from propagating to the server

11. For “Set roaming profile path for all users logging on this computer”, you need to put a UNC path to the share that holds your mandatory profile. So since it’s on the local server in this example, I will do:

\\servername\mandatoryprofile

Notice I did not add “.v2” at the end. Windows will automatically look for it as the users login.

12. Once you’ve made your changes, it should look like this:

13. Now navigate to:

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles

There will be 2 items we need to change to “Enabled”:

-Use mandatory profiles on the RD Session Host server
-Set path for Remote Desktop Services Roaming User Profile

14. For “Set path for Remote Desktop Services Roaming User Profile”, you need to put a UNC path to the share that holds your mandatory profile just like the previous setting.

\\servername\mandatoryprofile

Notice again I did not add “.v2” at the end. Windows will automatically look for it as the users login.

15. Once you’ve made your changes, it should look like this:

16. Now navigate to the mandatory profiles desktop and add a text file. So in this example “c:\mandatoryprofile.v2\Desktop“. I’ve created a file called “This is a mandatory profile in action.txt”.

17. Now right click on the mandatoryprofile.v2 folder and share it out. Make sure “Everyone” has access:

18. Now RDP into the server using any account you like. You will get the mandatory profile and you will see the text file we had created earlier on the desktop.

About Jason Samuel

Jason Samuel lives in Houston, TX with a primary focus on strategic advisory and architecture of end-user computing, security, enterprise mobility, virtualization, and cloud technologies from Citrix, Microsoft, & VMware. He also has an extensive background in web architecture and networking over his 20+ year career in IT. He is an Author, Speaker, and Local User Group Community Leader. He is certified in several technologies and is 1 of 63 people globally that is a recipient of the prestigious Citrix Technology Professional (CTP) award. He is 1 of 42 people in the world that has been awarded as a VMware EUC Champion and VMware vExpert. He is a featured author on DABCC which provides the latest IT Community News on Cloud, Data Center, Desktop, Mobility, Security, Storage, & Virtualization. In his spare time Jason enjoys writing how-to articles and evangelizing the technologies he works with. Disclaimer: The content and opinions expressed in articles and posts are his own and are by no means associated with his employer.

Recommended for you

2 Comments

  1. cliff

    August 21, 2013 at 7:48 PM

    ok, I’m doing this on Server 2012/Windows 8 and I am assuming it’s the same process, but I need to tweak my profile (install software, printers, desktop, delete some stuff) and then make it mandatory. When do I do that?

    Thanks

    Cliff

  2. Dylan

    January 14, 2015 at 11:40 AM

    I always check the User Profile section under the Properties section of the server. It will say there whether its Manadatory or not.

Leave a Reply

Your email address will not be published.