Updating Mandatory Profiles Part 2

Having seen that our original Updating Mandatory Profiles post is quite popular, I thought I’d follow it up with an update. The process described in the first post is quite laborious and error-prone. I’d like to make people aware of how quick and easy the Profile Update Utility (PuU) makes updating a mandatory profile with ActiveSetup keys.

Here’s the new process:

  1. Obviously you’ll need to have downloaded (it’s free) and installed VET.
  2. Once installed, simply launch the Profile Update Utility.
  3. Select your mandatory profile by clicking the “Browse” button (step 1).
  4. Check the “Merge HKEY_CURRENT_USER ActiveSetup keys” checkbox (step 2).
  5. Click the “Go” button (step 3).

It doesn’t get much simpler than that! Note: This will merge the ActiveSetup keys from the currently logged on user. Therefore, you need to perform this action on a machine that you’ll be using the mandatory profile on.


The “Output Options” at the bottom of the PuU window could probably do with some explanation, as there is sometimes some confusion.

  1. Update Original Profile: Overwrites the source (Step 1) profile.
  2. Backup Profile: Copies the source profile (in Step 1) to a .bak file and then updates the original.
  3. Create New Profile: Copies the source profile (in Step 1), renames the original (in Step 1) to a .bak file and then updates the new copy.

Which option you use is up to you depending on how you manage the lifecycle of your mandatory profiles.

Enjoy – Iain

Active Setup – Stubpath Command Lines

I spend a lot of time working with mandatory profiles and RES Workspace Manager, especially when using Citrix XenApp or Remote Desktop Services. One of the key elements to creating a slick mandatory profile is to ensure the Active Setup keys are added to the mandatory profile or you will forever see the annoying “Personaliz(s)ing Settings” message. We have covered how to do this in a previous post here by using our great free tool the Virtual Engine Profile Update Utility (PuU).


While you can merge these Active Setup keys to stop the message box appearing, this isn’t actually where the story ends. Behind some Active Setup components there is a command line (Stubpath) that needs to run once per user, i.e. for new users logging on for the first time (for a great explanation of Active Setup, check out Helge Klein’s write up here). The drawback of just merging these keys is that the command line (Stubpath) will not run for any user. This could have undesirable results as mentioned in the RES Blog post here and Andrew Morgan’s Blog post here.

This post is mainly for reference: it details the most common Active Setup components containing Stubpaths, by OS. For example, if you disable the ActiveSetup option within RES Workspace Manager or merge the ActiveSetup keys using the Profile Update Utility (PuU), you may have to reinstate a particular action if it causes issues (like Andy’s issue). Each entry below gives the component key, its name and then the command line (Stubpath), which can be used to remedy the situation if necessary:

UPDATE: Windows 8 Consumer Preview (Subject to Change) – Yes, ActiveSetup is still here!

{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
Themes Setup
%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
Microsoft Windows (MailNews)
"%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE

{6BF52A52-394A-11d3-B153-00C04F79FAA6}
Microsoft Windows Media Player
%SystemRoot%\system32\unregmp2.exe /FirstLogon

{89820200-ECBD-11cf-8B85-00AA005B4340}
Windows Desktop Update
regsvr32.exe /s /n /i:U %SystemRoot%\System32\shell32.dll

{89820200-ECBD-11cf-8B85-00AA005B4383}
Web Platform Customizations
C:\Windows\System32\ie4uinit.exe -BaseSettings

{89B4C1CD-B018-4511-B0A1-5476DBF70820}
DOTNETFRAMEWORKS
C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install

>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
Microsoft Windows Media Player
%SystemRoot%\system32\unregmp2.exe /ShowWMP

>{26923b43-4d38-484f-9b9e-de460746276c}
Internet Explorer
C:\Windows\System32\ie4uinit.exe -UserIconConfig

>{60B49E34-C7CC-11D0-8953-00A0C90347FF}
Browser Customizations
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

>{ABB824FE-FBBE-464D-9AAA-FAFED848BF41}
IE History
C:\Windows\System32\ie4uinit.exe -UpgradeOldHistoryEntries

Windows XP

{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
Themes Setup
%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
NetMeeting 3.01
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

{5945c046-1e7d-11d1-bc44-00c04fd912be}
Windows Messenger 4.7
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

{6BF52A52-394A-11d3-B153-00C04F79FAA6}
Microsoft Windows Media Player
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

{7790769C-0471-11d2-AF11-00C04FA35D02}
Address Book 6
"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

{89820200-ECBD-11cf-8B85-00AA005B4340}
Windows Desktop Update
regsvr32.exe /s /n /i:U shell32.dll

{89820200-ECBD-11cf-8B85-00AA005B4383}
Internet Explorer
C:\Windows\System32\ie4uinit.exe -BaseSettings

{89B4C1CD-B018-4511-B0A1-5476DBF70820}
DOTNETFRAMEWORKS
C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install

<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}
Internet Explorer Version Update
C:\WINDOWS\system32\ieudinit.exe

>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
Microsoft Windows Media Player
C:\WINDOWS\inf\unregmp2.exe /ShowWMP

>{26923b43-4d38-484f-9b9e-de460746276c}
Internet Explorer
C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

>{60B49E34-C7CC-11D0-8953-00A0C90347FF}
Browser Customizations
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
Browser Customizations
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
Outlook Express
%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Windows 7 32bit

{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
Themes Setup
%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
Microsoft Windows (MailNews)
"%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE

{6BF52A52-394A-11d3-B153-00C04F79FAA6}
Microsoft Windows Media Player
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

{89820200-ECBD-11cf-8B85-00AA005B4340}
Windows Desktop Update
regsvr32.exe /s /n /i:U shell32.dll

{89820200-ECBD-11cf-8B85-00AA005B4383}
Web Platform Customizations
C:\Windows\System32\ie4uinit.exe -BaseSettings

{89B4C1CD-B018-4511-B0A1-5476DBF70820}
DOTNETFRAMEWORKS
C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install

>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
Microsoft Windows Media Player
%SystemRoot%\system32\unregmp2.exe /ShowWMP

>{26923b43-4d38-484f-9b9e-de460746276c}
Internet Explorer
C:\Windows\System32\ie4uinit.exe -UserIconConfig

>{60B49E34-C7CC-11D0-8953-00A0C90347FF}
Browser Customizations
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Windows 2008 R2 SP1 with Desktop Experience Installed

{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
Themes Setup
%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
Microsoft Windows (MailNews)
"%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
"%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE

{6BF52A52-394A-11d3-B153-00C04F79FAA6}
Microsoft Windows Media Player
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

{89820200-ECBD-11cf-8B85-00AA005B4340}
Windows Desktop Update
regsvr32.exe /s /n /i:U shell32.dll

{89820200-ECBD-11cf-8B85-00AA005B4383}
Web Platform Customizations
C:\Windows\System32\ie4uinit.exe -BaseSettings
C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings

{89B4C1CD-B018-4511-B0A1-5476DBF70820}
DOTNETFRAMEWORKS
C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install

{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
Applying Enhanced Security Configuration (Admin)
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenAdmin
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iesetup.dll",IEHardenAdmin

{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
Applying Enhanced Security Configuration (User)
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUser
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iesetup.dll",IEHardenUser

>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
Microsoft Windows Media Player
%SystemRoot%\system32\unregmp2.exe /ShowWMP

>{26923b43-4d38-484f-9b9e-de460746276c}
Internet Explorer
C:\Windows\System32\ie4uinit.exe -UserIconConfig
C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig

>{60B49E34-C7CC-11D0-8953-00A0C90347FF}
Browser Customizations
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Should anyone wish to expand on what each Active Setup Component does, please feel free to leave a comment and I’ll update the blog accordingly; some are more obvious than others.
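To see which of the Stubpaths listed above a given profile will suppress, the machine's Active Setup components can be compared with the keys already present in the user hive. The PowerShell below is an added example, not part of the original post; the UserRoot parameter and the function names are assumptions, and it relies on Active Setup running a Stubpath only when the user's copy of the key is missing or carries an older Version.

```powershell
# Added example, not code from the original post. $UserRoot is an assumption: the
# default audits the current user; pass 'Registry::HKEY_USERS\MANDATORY' to audit an
# NTUSER.MAN hive that has been loaded under that name.
param([string]$UserRoot = 'Registry::HKEY_CURRENT_USER')

$sub   = 'Microsoft\Active Setup\Installed Components'
$views = @(
    @{ Name = 'Native'; Machine = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\$sub"
       User = "$UserRoot\Software\$sub" },
    @{ Name = 'WOW64';  Machine = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\$sub"
       User = "$UserRoot\Software\Wow6432Node\$sub" }
)

# Versions are comma-separated numbers such as "6,1,7601,17514".
function ConvertTo-VersionPart([string]$Version) {
    foreach ($p in ($Version -split ',')) {
        [long]$n = 0
        [void][long]::TryParse($p.Trim(), [ref]$n)
        $n
    }
}

function Test-MachineVersionNewer([string]$Machine, [string]$User) {
    $m = @(ConvertTo-VersionPart $Machine); $u = @(ConvertTo-VersionPart $User)
    for ($i = 0; $i -lt [Math]::Max($m.Count, $u.Count); $i++) {
        $a = if ($i -lt $m.Count) { $m[$i] } else { 0 }
        $b = if ($i -lt $u.Count) { $u[$i] } else { 0 }
        if ($a -ne $b) { return ($a -gt $b) }
    }
    return $false
}

$report = foreach ($v in $views) {
    if (-not (Test-Path -LiteralPath $v.Machine)) { continue }
    foreach ($c in Get-ChildItem -LiteralPath $v.Machine) {
        $stub = $c.GetValue('StubPath', $null, 'DoNotExpandEnvironmentNames')
        if (-not $stub) { continue }      # component has no per-user command
        $userKey = Get-Item -LiteralPath "$($v.User)\$($c.PSChildName)" -ErrorAction SilentlyContinue
        $inst    = $c.GetValue('IsInstalled', 1)
        $enabled = -not ($inst -is [int] -and $inst -eq 0)
        $pending = -not $userKey -or
                   (Test-MachineVersionNewer $c.GetValue('Version') $userKey.GetValue('Version'))
        [pscustomobject]@{
            View      = $v.Name
            Component = $c.PSChildName
            Name      = $c.GetValue('')
            StubPath  = $stub
            Status    = if (-not $enabled) { 'Disabled (IsInstalled=0)' }
                        elseif ($pending)  { 'Runs at next logon' }
                        else               { 'Suppressed by user key' }
        }
    }
}
$report | Sort-Object Status, View, Component | Format-Table -AutoSize -Wrap
```

Run against the loaded mandatory hive after a merge, every row reported as suppressed is a Stubpath that no user of that profile will execute, which makes the output a checklist of actions to reinstate by other means if needed.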

Enjoy

Nathan

Workspace Manager, Aero Basic Theme and Mandatory Profiles

For those of you that have attempted to deploy RES Workspace Manager 2011 (or RES PowerFuse 2010) on Windows 7 and wanted to use Mandatory Profiles with the Windows Aero Basic experience, you might have come across this issue. If you utilise the standard .Default user profile as your starting point for the Mandatory profile, you may discover that users do not have the Aero theme enabled as expected. The user experience either on traditional physical or hosted virtual desktops may look something like this:

image

Note: This typically happens if you enable the “Disable Active Setup (skip first-time shell init)” option in the Composition > Desktop > Lockdown and Behaviour section of the RES Workspace Manager management console. This is presumably because by the time User Settings are loaded by RES Workspace Manager, the Themes service has already processed the required registry keys when loading the (mandatory) profile.

The resolution to this is to enable the Aero theme when utilising the Mandatory profile and export the HKCU\Software\Microsoft\Windows\CurrentVersion\Themes and the HKCU\Software\Microsoft\Windows\CurrentVersion\ThemeManager registry keys. These can then be merged into the existing NTUSER.MAN registry hive to enable the Aero theme by default (see the Updating Mandatory Profiles post for further information on how to do this).

When you update the Mandatory profile with the Themes/ThemeManager settings you’ll end up with something like this:

image

Note: This process is also applicable for Windows 2008/R2 RDS servers with the Desktop Experience feature installed.

Easy when you know how! Iain

Updating Mandatory Profiles

[UPDATE 17/01/2012 – The process detailed in this post has been simplified in the Updating Mandatory Profiles Part 2 post]

In a RES Workspace Manager environment it is typical (although not required) to store Mandatory profiles within the RES Workspace Manager Custom Resources. By doing this, we remove any reliance on the network, avoid the typical profile error messages when logging on to laptops offline and reduce the network load on RDS/XenApp servers. Every once in a while there will be the need to update the NTUSER.MAN file with additional settings, e.g. the ActiveSetup keys when software is added to the RDS/XenApp servers.

In this example we will update the Mandatory profile with the ActiveSetup keys from our desktop image. We accomplish this by logging on to the desktop with our standard Mandatory profile (the Workspace Composer should not be active at this point!). All being well, the ActiveSetup components should run on log in, populating the ActiveSetup registry keys.

After ActiveSetup has run we can launch REGEDIT from within the user session and export the required key(s) to a .REG file that we can import into the Mandatory profile later. To do this, navigate to the HKCU\Software\Microsoft\Active Setup\Installed Components registry key and export it to a .REG file.


In our example I’ve saved the file as ActiveSetup.REG. If we edit this file with Notepad we can see all the references point to HKEY_CURRENT_USER. Before we load the NTUSER.MAN registry hive, we need to replace the HKEY_CURRENT_USER references with the hive name that we will mount it as within REGEDIT. In our example, we’ll replace all references with HKEY_USERS\MANDATORY using Notepad’s “Find & Replace” functionality.


Once updated, we can save the ActiveSetup.REG file and launch REGEDIT once again. The Mandatory profile NTUSER.MAN hive can be loaded by clicking the HKEY_USERS hive and then clicking the File > Load Hive menu option.


Navigate to the Mandatory profile NTUSER.MAN file and, when prompted for the Key Name, enter the same key we used in the Find & Replace step earlier. In our instance, this needs to be MANDATORY, hence the HKEY_USERS\MANDATORY reference.


Once the hive is loaded we can import our modified ActiveSetup.REG file into the NTUSER.MAN hive. Once the import is complete you can confirm that the settings have been imported into the correct location:

image

Be sure to unload the registry hive by clicking the HKEY_USERS\MANDATORY key and then clicking File > Unload Hive. When prompted to save the changes make sure to click Yes. When you log off and back on again the ActiveSetup components should not run again. Note: if you install additional software on to the desktop image and it utilises ActiveSetup, you will need to perform this process again (unless you utilise the RES Workspace Manager “Disable Active Setup (skips first-time shell init)” option).
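The REGEDIT steps above can also be scripted with reg.exe. This PowerShell is an added example, not part of the original post; the hive path, the MANDATORY mount name and the Invoke-Reg helper are assumptions. Passing the Themes and ThemeManager keys from the Aero Basic post through the Keys parameter merges those the same way.

```powershell
# Added example, not code from the original post. Run it elevated, under the account
# that has just logged on with the mandatory profile, so HKCU holds the keys to merge.
# $ProfileHive and $MountName are assumptions; adjust them to your environment.
param(
    [string]$ProfileHive = 'D:\MandatoryProfile\Mandatory\NTUSER.MAN',
    [string]$MountName   = 'MANDATORY',
    [string[]]$Keys      = @('Software\Microsoft\Active Setup\Installed Components')
)

function Invoke-Reg {
    # Run reg.exe with the given arguments and stop on a non-zero exit code.
    & reg.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe $($args -join ' ') failed ($LASTEXITCODE)" }
}

$old   = '[HKEY_CURRENT_USER\'
$new   = "[HKEY_USERS\$MountName\"
$files = foreach ($key in $Keys) {
    $file = Join-Path $env:TEMP ("merge-{0}.reg" -f [guid]::NewGuid())
    Invoke-Reg export "HKCU\$key" $file /y
    # Retarget key headers only; a blind find-and-replace would also rewrite any
    # value data that happens to contain the text HKEY_CURRENT_USER.
    $lines = Get-Content -LiteralPath $file -Encoding Unicode | ForEach-Object {
        if ($_.StartsWith($old)) { $new + $_.Substring($old.Length) } else { $_ }
    }
    Set-Content -LiteralPath $file -Value $lines -Encoding Unicode
    $file
}

Invoke-Reg load "HKU\$MountName" $ProfileHive
try {
    foreach ($file in $files) { Invoke-Reg import $file }
    foreach ($key in $Keys)   { Invoke-Reg query "HKU\$MountName\$key" }   # confirm the keys landed
}
finally {
    # Always unload: a hive left loaded stops users loading the mandatory profile.
    & reg.exe unload "HKU\$MountName"
    Remove-Item -LiteralPath $files -ErrorAction SilentlyContinue
}
```

The try/finally block guarantees the unload even when an import fails, which is the step most easily forgotten when working by hand.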

Good luck! Iain

HOW TO: Mandatory Profiles

I highly recommend using Mandatory Profiles with PowerFuse in Terminal Services and VDI deployments. There is some information around the Internet detailing how to do this, but none of it appears to be step-by-step and you’ll get various snippets of information from varying sources. Having set this up on numerous occasions and having to piece together the details each time from my notes I thought I’d share them. I’ll cover some PowerFuse specific recommendations and best practices in a future post. Enjoy!

Creating the Mandatory Profile:

  1. Create the mandatory profile on your file server. For example, create the ‘D:\MandatoryProfile’ folder.
  2. Copy the Default User profile directory to the ‘D:\MandatoryProfile’ folder.
  3. Rename the ‘Default User’ folder to ‘Mandatory’ (or whatever you wish).
  4. Rename the D:\MandatoryProfile\Mandatory\NTUSER.DAT file to NTUSER.MAN.
  5. Remove NTFS permission inheritance and copy the existing permissions.
  6. Remove all named ACEs for all non-“Well Known Groups” and users.
  7. Add ‘Authenticated Users’ with Read and Execute permissions.
  8. Change the Owner of the directory (and sub-directories/files) to the local ‘Administrators’ group.
  9. Share the ‘D:\MandatoryProfile’ folder as ‘Mandatory’.
  10. Add ‘Authenticated Users’ with Read permissions to the share permissions.
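Because every user loads the same profile, steps 5 to 8 are worth verifying after the fact: a write ACE for a broad group would let any user change what everyone else loads. The PowerShell below is an added example, not part of the original post; the path is an assumption, it inspects the top-level folder only, and it treats any S-1-5-21 SID as a named account.

```powershell
# Added example, not code from the original post. $Path is an assumption.
param([string]$Path = 'D:\MandatoryProfile\Mandatory')

$acl     = Get-Acl -LiteralPath $Path
$sidType = [System.Security.Principal.SecurityIdentifier]
$fsr     = [System.Security.AccessControl.FileSystemRights]
$read    = [int]$fsr::ReadAndExecute
# Bits that allow changing content or permissions, plus GENERIC_WRITE and GENERIC_ALL.
$write   = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                 $fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor 0x50000000
# Everyone, Authenticated Users, BUILTIN\Users
$broad    = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$findings = New-Object 'System.Collections.Generic.List[string]'

if (-not $acl.AreAccessRulesProtected) {
    $findings.Add('Step 5: inheritance is still enabled.')
}
if ($acl.GetOwner($sidType).Value -ne 'S-1-5-32-544') {
    $findings.Add("Step 8: owner is '$($acl.Owner)', not the local Administrators group.")
}

$authRead = $false
foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
    $sid    = $ace.IdentityReference.Value
    $rights = [int]$ace.FileSystemRights
    if ($sid -like 'S-1-5-21-*') {
        # Heuristic: machine and domain accounts and groups all live under S-1-5-21.
        $findings.Add("Step 6: ACE present for named account $sid.")
    }
    if ($ace.AccessControlType -eq 'Allow') {
        if ($sid -eq 'S-1-5-11' -and ($rights -band $read) -eq $read) { $authRead = $true }
        if ($broad -contains $sid -and ($rights -band $write) -ne 0) {
            $findings.Add("$sid has write access; users could alter the shared profile.")
        }
    }
}
if (-not $authRead) {
    $findings.Add('Step 7: Authenticated Users lacks Read and Execute.')
}

if ($findings.Count) { $findings } else { "ACL on $Path matches steps 5 to 8." }
```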

Modifying the Profile:

  1. Delete the NTUSER.LOG file and any other files/shortcuts that you don’t want available to the users from the ‘D:\MandatoryProfile\Mandatory’ folder.
  2. Change the registry permissions in the HKCU registry hive:
    1. Open REGEDIT.
    2. Highlight the HKEY_USERS hive.
    3. Select ‘File > Load Hive’.
    4. Browse to the ‘D:\MandatoryProfile\Mandatory\NTUSER.MAN’ file.
    5. Enter a name for the hive. This is only a place holder whilst the HKCU hive is loaded and can be named anything you like, i.e. ‘MAND’.
    6. Edit the permissions (Right click > Permissions) on the loaded hive and:
      1. Remove any non-“Well Known Groups” or individual users.
      2. Add the local ‘Users’ group with Full Control.
    7. Make any specific registry changes required here, for example, disabling the default Windows Startup sound.
    8. Unload the registry hive by highlighting the ‘MAND’ key and selecting ‘File > Unload Hive’ from the menu. If you don’t unload the registry hive, users will not be able to load the mandatory profile and will receive errors at log on.
  3. Add additional files and shortcuts that you want available to the users, e.g. desktop shortcuts.

Assign the Mandatory Profile to users:

  1. To assign the Mandatory Profile to Terminal Services users, specify the user’s ‘Profile Path’ setting as ‘\\SERVER\Mandatory\Mandatory’ on the ‘Terminal Services Profile’ tab of their AD account(s).
  2. To assign the Mandatory Profile to desktop and laptop users, specify the user’s ‘Profile Path’ setting as ‘\\SERVER\Mandatory\Mandatory’ on the ‘Profile’ tab of their AD account(s).
  3. To assign the Mandatory Profile to VDI users, assign the profile as per the ‘desktop and laptops’ option above.