1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Roaming mandatory profile via GPO

Discussion in 'Windows Server 2003 / 2008 / 2012 / 2016' started by Modey, May 20, 2006.

  1. Modey

    Modey Terabyte Poster

    Hey all,

    I had a question on Transcender the other day to do with setting up a mandatory roaming profile for all users on a particular server.

    I got the answer to the question wrong because the answer I picked was close to the way I knew to do it (ie, use a network share, copy the profile in there, rename user.dat to user.man etc).

    The correct answer was to use group policy on the network share that had been setup and configure the 'Prevent Roaming Profile changes from propagating to the server'. Which is apparently the recommended way by MS to setup mandatory roaming profiles - according to Transcender anyway.

    So after that preamble, I have a couple of questions if anyone can help.

    Is that in fact the MS recommended way? I can't find any hard evidence for this. In fact the help within Server 2003 actually suggests the method I thought was correct, ie renaming user.dat. The only other hint that MS give that GPO is the correct way is a line in the same help that says 'Profile management should be done - preferentially by policy'.

    So, I thought fine, I will set this up in my lab and test out the way suggested in the answer from Transcender, ie to use the policy that prevents roaming profile changes to be propagated to the server. It doesn't seem to work. I have two PC's in the same OU as well as the user I am testing. They are getting the policy in question as I used GP result to check. But ... I can make changes to the wallpaper, create & delete files on the desktop etc... I can also make changes to the general look and feel of the profile and they stay.

    The user is definitely getting the roaming profile from the server, as I am testing this on two PC's with the same user, it's just not mandatory.

    I'm not going to spend too long gnashing my teeth on this issue, it's just irratating that I can't seem to get it working as it should be.

    I think I'll put the setting to prevent propagation into the default domain policy and see if that helps. Hmmm ...
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada
  2. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    keep in mind, this is a computer gpo. it is meant for configuring the behaviour of roaming profiles on specific workstations, and it is often used together with the 'only allow local user profiles' gpo. yes, the side effect is a sort of mandatory profile, (when the user logs on to one of the affected computers), but that is not the purpose.
  3. Modey

    Modey Terabyte Poster

    Yeah, well it's not the way I would have done things personally. I did think it odd that a policy that is meant to be affecting a user's profile was in the computer section of the policy.

    The thing that stood out to me was the fact Transcender was implying that this was the recommended method of implementing mandatory roaming profiles.

    It suggests the renaming of NTuser.dat is an alternative way to create a mandatory profile, and that using a GPO is the recommended way of preventing users from changing a roaming profile.

    I have managed to get it working now by the way, using the GPO. It would seem that setting the 'No Override' option for the new policy object ( I set one up just to enforce the mandatory profile) did the trick.

    edit: It seems to work if the clients are XP. If you modify settings relating to the profile with 2k, then it makes changes to the roaming profile on the server.
    Certifications: A+, N+, MCP, MCDST, MCSA 2K3, MCTS, MOS, MTA, MCT, MCITP:EDST7, MCSA W7, Citrix CCA, ITIL Foundation
    WIP: Nada

Share This Page