Using Mandatory (Read-Only) User Profiles in Windows 10

A mandatory user profile is a special pre-configured type of roaming user profile that can be modified only by administrators. Users who have been assigned a mandatory profile can work in Windows as usual during the logon session, but no changes are saved to the profile after the user logs off. At the next logon, the mandatory profile is loaded unchanged.

A directory with the mandatory profile can be located in a network shared folder and assigned to several domain users at once: for example, to terminal server (RDS) users, information kiosks, or users who do not need a personal profile (schoolchildren, students, visitors). The administrator can configure folder redirection for mandatory profiles so that users can keep personal files on the file servers (of course, it is recommended to enable disk quotas using the or the FSRM in order to prevent users from storing unimportant data in the redirected folders).

Types of Mandatory User Profiles in Windows

There are two types of mandatory user profiles in Windows:

  • A normal mandatory user profile – an administrator renames the file NTuser.dat (which contains the user registry hive HKEY_CURRENT_USER) to NTuser.man. When NTuser.man is used, the system assumes that this profile is read-only and does not save any changes to it. If the mandatory profile is stored on a remote server and the server becomes unavailable, users can log on using the cached copy of the mandatory profile;
  • A super-mandatory user profile – with this type of profile, the directory that contains the user profile is renamed, and the extension .man is added to the end of the folder name. Users with this profile type will not be able to log on if the server on which their profile is stored is unavailable.

Some scenarios allow using mandatory profiles for local users as well, for example on public computers (kiosks, meeting rooms, etc.) instead of using an . Any user can work in the same environment, and no changes are saved when a user logs off.

Now we will show how to create a normal mandatory profile in Windows 10 and assign it to a user. In this example we create a mandatory user profile on a local computer (the profile will be stored on the local drive); however, we will also explain how to assign a mandatory user profile to domain accounts.

How to Create a Mandatory User Profile in Windows 10

  1. Log on to a computer under the administrator account and start the Local Users and Groups console (lusrmgr.msc);
  2. Create a new account, for example, ConfRoom;
  3. Now you need to copy the default profile to a separate directory with a certain extension. Since we are using Windows 10 1703, this folder must have the V6 suffix. For example, the name of the folder will be C:\ConfRoom.V6;
  4. Open the System Properties (SystemPropertiesAdvanced.exe);
  5. In the User Profiles section, click Settings;
  6. Select the Default Profile and click Copy To;
  7. Select C:\ConfRoom.V6 as the folder to copy the profile to (or you can copy the profile template to a network shared folder on the file server by specifying a UNC path, for example, \\lon-fs01\profiles\ConfRoom.V6);
  8. Select NT AUTHORITY\Authenticated Users in the permissions.

Tip. In Windows 10 1709 or newer builds there is a separate “Mandatory Profile” option when you copy a profile template. When this option is used, a special group of users automatically gets read-only NTFS permissions on the folder.

How to Assign a Mandatory Profile to Users

Now you can assign the mandatory profile to the user you need.

If you are using a local mandatory profile, go to the Profile tab of the user properties and specify the path to the C:\ConfRoom.v6 directory in the Profile Path field.

If you configure a roaming mandatory user profile in an AD domain, you need to specify the UNC path to the directory with the profile in the account properties in the ADUC console.

Then log in to the system with the new user account and make all necessary settings (choose the appearance, place the shortcuts and necessary files, configure the software, etc.).

End the user session and log on using the administrator account. Then rename NTUSER.dat to NTUSER.man in the user profile folder.

Now try to log on to the system as a user with the mandatory profile and make sure that after you log off no changes are saved in the profile.

If after logon with the mandatory user profile you get the error:

The User Profile Service service failed the sign-in. User profile cannot be loaded.

And the following event appears in the system log:

Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.

Make sure that the following permissions are assigned to the profile directory (with permissions inheritance to all child objects):

  • ALL APPLICATION PACKAGES – Full Control (the Start Menu does not work correctly without it);
  • Authenticated Users – Read and Execute;
  • SYSTEM – Full Control;
  • Administrators – Full Control.

The same permissions must be assigned to the user registry hive by loading the ntuser.dat profile file using File -> Load Hive in regedit.exe.
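The folder checks described above (owner, the four ACL entries, and the NTUSER.dat to NTUSER.man rename) can be scripted. The PowerShell function below is an added example, not part of the original article; the name Test-MandatoryProfile and its output fields are hypothetical, and the principals are matched by their well-known SIDs.

```powershell
# Added example (not from the original article); names are hypothetical.
function Test-MandatoryProfile {
    param([Parameter(Mandatory)][string]$Path)

    $fsr     = [System.Security.AccessControl.FileSystemRights]
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Well-known SIDs, so the check does not depend on localized group names.
    $required = [ordered]@{
        'S-1-15-2-1'   = $fsr::FullControl      # ALL APPLICATION PACKAGES
        'S-1-5-11'     = $fsr::ReadAndExecute   # Authenticated Users
        'S-1-5-18'     = $fsr::FullControl      # SYSTEM
        'S-1-5-32-544' = $fsr::FullControl      # Administrators
    }

    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, $sidType)  # explicit + inherited

    # Combine the Allow rights each SID holds (Deny ACEs are not evaluated here).
    $granted = @{}
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $sid = $r.IdentityReference.Value
        $granted[$sid] = [int]$granted[$sid] -bor [int]$r.FileSystemRights
    }

    $missing = @($required.Keys | Where-Object {
        $want = [int]$required[$_]
        ([int]$granted[$_] -band $want) -ne $want
    })

    # Authenticated Users should be able to read the template, not change it.
    $writeMask = [int]$fsr::WriteData -bor [int]$fsr::AppendData -bor [int]$fsr::Delete
    $owner     = $acl.GetOwner($sidType).Value

    [pscustomobject]@{
        Path                  = $Path
        OwnerIsAdministrators = ($owner -eq 'S-1-5-32-544')
        HasNtuserMan          = Test-Path -LiteralPath (Join-Path $Path 'NTUSER.MAN')
        HasNtuserDat          = Test-Path -LiteralPath (Join-Path $Path 'NTUSER.DAT')
        MissingAclSids        = $missing
        AuthUsersCanWrite     = (([int]$granted['S-1-5-11'] -band $writeMask) -ne 0)
    }
}

# Folder name taken from the article's example.
Test-MandatoryProfile -Path 'C:\ConfRoom.V6'
```

A healthy mandatory profile reports HasNtuserMan as True, HasNtuserDat as False, an empty MissingAclSids list and AuthUsersCanWrite as False.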

When using roaming profiles, for the Start menu to be displayed correctly on all devices, you need to set the REG_DWORD value named SpecialRoamingOverrideAllowed to 1 in the HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer registry key.

If you need to make changes to a mandatory profile, rename ntuser.man to ntuser.dat and configure the environment under the user account. Then rename the file again.

When using a mandatory profile on RDS servers, you can use the following Group Policies, in which you specify the path to the profile directory and enable the use of mandatory profiles. The corresponding GPO section is: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Profiles.

  1. Use mandatory profiles on the RD Session Host server = Enabled;
  2. Set path for Remote Desktop Services Roaming User Profile = Enabled + specify the UNC path.

Please note that if you decide to use folder redirection together with a mandatory profile, it is not recommended to redirect the AppData (Roaming) folder.
