Friday, August 24, 2012

Implementing Mandatory Roaming Profiles

Setting Up the Base Profile

"The first thing you will want to do is set up a model profile on a workstation (preferably one identical to the workstations in the lab) that will serve as the profile that everyone sees when they log into a computer. Here you will want to make sure you have configured all desktop settings, shortcut icons, and installed printers correctly, as they will appear on all other workstations.

Copying the Profile to a Server

"Once you have your profile set up how you want it, the next step is to copy the profile to a server. It is important that you set the permissions on the folder holding the profile so that all users accessing it will have complete read-and-write access to it. Once set up, the workstations will pull each user profile from this location. In order to properly copy this profile to a server, there are a few steps you need to complete. Logging in as a user other than the one used to make your model profile, you will need to right-click "My Computer" and then select "Properties." Navigate to the "Advanced" tab and click "Settings" under User Profiles (Figure 1):
Figure 1: Accessing the User Profiles settings

"In the User Profiles dialog box that opens, select your model profile in the list and click the "Copy to" button. You will then be prompted to select the location where you want to store the profile (Figure 2). After you have done this, you must click the "Change" button and add the Authenticated Users group to the profile's ACL. This ensures that all domain users who are authenticated will have rights to access the profile. Proceed to "OK" out of any remaining dialog boxes.

Figure 2: Copying the base profile to a server

Making the Profile Mandatory

"The next step in creating your profile is the actual process of making it mandatory and therefore unchangeable. This can be done by browsing to the location of your saved profile on the server and locating the NTUSER.dat file (make sure hidden files are set to be visible). Once you have located this file, you can simply rename it to NTUSER.man to make it mandatory.

Configuring the User Accounts

"The last remaining step is to configure your user accounts to utilize the mandatory profile we have set up. In order to accomplish this, we must begin in the Active Directory Users and Computers MMC snap-in. Once you have this open, navigate to one of the user accounts you want to utilize the mandatory profile. Once you have located this user, right-click on their name and select "Properties." Navigate to the "Profile" tab and locate the "Profile Path" box, and type the UNC path to the folder where the mandatory profile is located and click "OK" (Figure 3). You can then proceed to do this to every account that will be accessing this profile.

Figure 3: Setting a user account to point to the mandatory profile

"With those steps completed, you have successfully set up mandatory profiles for your user population. You should now no longer have to worry about users changing their profile settings.
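The whole procedure above (share the folder, set the NTFS ACL, rename the hive, point each account at the profile) written out in PowerShell, as an added example that is not part of the original article. The server name FS01, the local folder D:\Profiles, the subfolder Mandatory and the group LabUsers are placeholders. The ACL it sets grants authenticated users Read & Execute rather than write access: a mandatory profile is copied down at logon and never written back, so write rights on the share only let a user alter the hive everyone else loads.

```powershell
# Added example, not code from the original article. Hypothetical names:
#   FS01           file server holding the profile share
#   D:\Profiles    local folder on FS01 that is shared as \\FS01\Profiles
#   Mandatory      subfolder the model profile was copied into with "Copy To"
#   LabUsers       AD group whose members should get the mandatory profile
# Run steps 1-3 on FS01 as an administrator (Get-SmbShare needs Server 2012
# or later); step 4 needs the ActiveDirectory RSAT module and rights to
# modify the user objects.

$ProfileRoot = 'D:\Profiles'
$ProfileDir  = Join-Path $ProfileRoot 'Mandatory'
$ShareName   = 'Profiles'
$UncPath     = "\\FS01\$ShareName\Mandatory"
$GroupName   = 'LabUsers'

# 1. Share the parent folder. Share permissions stay coarse; the NTFS ACL
#    below decides what each principal can actually do inside the profile.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $ProfileRoot `
        -FullAccess 'BUILTIN\Administrators' `
        -ReadAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
}

# 2. NTFS ACL on the profile folder: SYSTEM and Administrators get Full
#    Control, every authenticated user gets Read & Execute only. Inheritance
#    from D:\Profiles is cut (/inheritance:r) so nothing looser leaks in.
#    (OI)(CI) propagate the entries to the files and subfolders.
icacls $ProfileDir /inheritance:r `
    /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
             'BUILTIN\Administrators:(OI)(CI)F' `
             'NT AUTHORITY\Authenticated Users:(OI)(CI)RX' | Out-Null

# 3. Make the hive read-only by renaming it. NTUSER.DAT carries the hidden
#    attribute, which Test-Path and Rename-Item ignore, so no -Force is needed.
$hive = Join-Path $ProfileDir 'NTUSER.DAT'
if (Test-Path -LiteralPath $hive) {
    Rename-Item -LiteralPath $hive -NewName 'NTUSER.MAN'
}

# 4. Point every user in the group at the profile. ProfilePath is the UNC
#    path without any version suffix; the client appends its own.
Import-Module ActiveDirectory
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Set-ADUser -Identity $_.distinguishedName -ProfilePath $UncPath
    }

# Read the attribute back to confirm every member now carries the path.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties ProfilePath |
    Select-Object SamAccountName, ProfilePath
```

One caveat the article's screenshots predate: Windows Vista and Windows 7 clients append a version suffix to the server folder name (they look for Mandatory.V2 under the share, and later Windows releases use higher numbers), while the ProfilePath attribute in AD stays \\FS01\Profiles\Mandatory without the suffix. The unsuffixed folder in the example matches Windows XP clients; for newer clients rename the folder on the server accordingly and leave the attribute as set above.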

Mandatory Profile Best Practices

"When dealing with mandatory profiles, there is a common misconception that they are often more trouble than they are worth. The problem lies in the fact that so many things can have an effect on your mandatory profile setup. This being said, there are some practices you will want to keep in mind when managing your network to make sure your mandatory profile implementation works without a hitch.

"The problem that most network administrators commonly see is slow performance when loading a user's mandatory profile. The main cause of this is usually a bloated base profile. If you load up your base profile with tons of files and data, this will cause the profile to grow in size, which can cause a large time delay when transferring the profile from server to client. If you must have this much data available to users, it is best to find another method of delivery, such as a mapped network drive to a shared storage location.

"Along with the concerns of performance, sometimes administrators can be thrown for a loop when previously utilized features don't work or cause problems after implementing mandatory profiles. A good example of this is use of the Encrypting File System (EFS). EFS is something that is not supported for use with mandatory or roaming profiles.

"Finally, we need to consider security when implementing mandatory profiles. The main focus of security in this case is the folder storing the mandatory profile. This folder contains the data that will be transferred to every workstation a mandatory profile user logs into. Therefore, it is extremely important that it be secure. The best way to secure this folder, as with any other network resource, is through NTFS permissions. You should make sure that your base profile folder resides on a server that utilizes NTFS, and develop a strong permissions policy for these folders.
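A check that turns the three best-practice points above (profile size, NTFS storage, and a tight permissions policy on the profile folder) into something you can run against the server before pointing users at it. This is an added example, not code from the original article; the path and the size threshold are hypothetical. Run it locally on the file server, because the volume check uses the drive letter and the ACL check reads the NTFS permissions rather than the share permissions.

```powershell
# Added example, not code from the original article. Audits a mandatory
# profile folder for the problems the best-practice section warns about:
# non-NTFS storage, a hive that is still writable, principals other than
# SYSTEM/Administrators holding write rights, and a bloated base profile.
function Test-MandatoryProfile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxSizeMB = 50   # hypothetical threshold; tune to your link speed
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $full = (Resolve-Path -LiteralPath $Path).Path

    # 1. NTFS: per-user permissions do not exist on FAT volumes.
    $drive = [System.IO.Path]::GetPathRoot($full).TrimEnd('\')       # e.g. 'D:'
    $fs = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'").FileSystem
    if ($fs -ne 'NTFS') { $findings.Add("volume $drive is $fs, not NTFS") }

    # 2. Hive name: NTUSER.MAN makes the profile mandatory; a leftover
    #    NTUSER.DAT means the client would still write changes back.
    $top = Get-ChildItem -LiteralPath $full -Force -File
    if (-not ($top | Where-Object Name -eq 'NTUSER.MAN')) { $findings.Add('NTUSER.MAN missing') }
    if ($top | Where-Object Name -eq 'NTUSER.DAT')        { $findings.Add('NTUSER.DAT still present') }

    # 3. ACL: only SYSTEM and Administrators may hold any right that writes,
    #    deletes, or changes permissions. Everyone else should be read-only.
    $writeBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE / GENERIC_ALL, seen in inherited ACEs
    foreach ($name in 'WriteData', 'AppendData', 'WriteAttributes', 'WriteExtendedAttributes',
                      'Delete', 'DeleteSubdirectoriesAndFiles', 'ChangePermissions', 'TakeOwnership') {
        $writeBits = $writeBits -bor [int][System.Security.AccessControl.FileSystemRights]$name
    }
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    foreach ($ace in (Get-Acl -LiteralPath $full).Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $trusted -notcontains $id -and
            (([int]$ace.FileSystemRights -band $writeBits) -ne 0)) {
            $findings.Add("$id can modify the profile ($($ace.FileSystemRights))")
        }
    }

    # 4. Size: the whole folder is copied to the client at every logon.
    $bytes = (Get-ChildItem -LiteralPath $full -Recurse -Force -File |
              Measure-Object -Property Length -Sum).Sum
    $sizeMB = [math]::Round($bytes / 1MB, 1)
    if ($sizeMB -gt $MaxSizeMB) {
        $findings.Add("profile is $sizeMB MB; move bulk data to a mapped drive instead")
    }

    [pscustomobject]@{
        Path     = $full
        SizeMB   = $sizeMB
        Ok       = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage (hypothetical path):
Test-MandatoryProfile -Path 'D:\Profiles\Mandatory' | Format-List
```

Any principal the ACL check reports, including Authenticated Users if the "Copy To" dialog left them with Full Control, is someone who can replace NTUSER.MAN for every user of the profile; tighten the folder with icacls or the NTFS permissions dialog and rerun the check until Ok is True.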
