HOW TO: Mandatory Profiles

A VPN is an essential component of IT security, whether you’re just starting a business or are already up and running. Most business interactions and transactions happen online and VPN

I highly recommend using Mandatory Profiles with PowerFuse in Terminal Services and VDI deployments. There is some information around the Internet detailing how to do this, but none of it appears to be step-by-step and you’ll get various snippets of information from varying sources. Having set this up on numerous occasions and having to piece together the details each time from my notes I thought I’d share them. I’ll cover some PowerFuse specific recommendations and best practices in a future post. Enjoy!

Creating the Mandatory Profile:

  1. Create the mandatory profile on your file server. For example, create the ‘D:\MandatoryProfile’ folder.
  2. Copy the Default User profile directory to the ‘D:\MandatoryProfile’ folder.
  3. Rename the ‘Default User’ folder to ‘Mandatory’ (or whatever you wish).
  4. Rename the D:\MandatoryProfile\Mandatory\NTUSER.DAT file to NTUSER.MAN.
  5. Remove NTFS permission inheritance and copy the existing permissions.
  6. Remove all named ACEs for all non-“Well Known Groups” and users.
  7. Add ‘Authenticated Users’ with Read and Execute permissions.
  8. Change the Owner of the directory (and sub-directories/files) to the local ‘Administrators’ group.
  9. Share the ‘D:\MandatoryProfile’ folder as ‘Mandatory’.
  10. Add ‘Authenticated Users’ with Read permissions to the share permissions

Modifying the Profile:

  1. Delete the NTUSER.LOG file and any other files/shortcuts that you don’t want available to the users from the ‘D:\MandatoryProfile\Manadatory’ folder.
  2. Change the registry permissions in the HKCU registry hive:
    1. Open REGEDIT.
    2. Highlight the HKEY_USERS hive.
    3. Select ‘File > Load Hive‘.
    4. Browse to the ‘D:\MandatoryProfile\Mandatory\NTUSER.MAN‘ file.
    5. Enter a name for the hive. This is only a place holder whilst the HKCU hive is loaded and can be named anything you like, i.e. ‘MAND’.
    6. Edit the permissions (Right click > Permissions) on the loaded hive and;
      1. Remove any non-“Well Known Groups” or individual users.
      2. Add the local ‘Users’ group with Full Control.
    7. Make any specific registry changes required here, for example, disabling the default Windows Startup sound.
    8. Unload the registry hive by highlighting the ‘MAND’ key and selecting ‘File > Unload Hive‘ from the menu. If you don’t unload the registry hive users will not be able to load the mandatory profile and receive errors at log on.
  3. Add additional files and shortcuts that you want available to the users, e.g. desktop shortcuts.

Assign the Mandatory Profile to users:

  1. To assign the Mandatory Profile to Terminal Services users, specify the users ‘Profile Path‘ setting as ‘\\SERVER\Mandatory\Mandatory‘ on the ‘Terminal Services Profile‘ tab of their AD account(s).
  2. To assign the Mandatory Profile to desktop and laptop users, specify the users ‘Profile Path‘ setting as ‘\\SERVER\Mandatory\Mandatory‘ on the ‘Profile‘ tab of their AD account(s).
  3. To assign the Mandatory Profile to VDI users, assign the profile as per the ‘desktop and laptops’ option above.
siteadmin

siteadmin

Leave a Replay

Recent Posts

Sign up for our Newsletter

Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit