AppSense

How to create a Microsoft Windows 7 or Server 2008 R2 mandatory profile for AppSense

You really just want a clean mandatory profile if you are deploying AppSense on Windows 7 or Server 2008 R2. The vast majority of companies don’t need to customize it. When you get into customization, you’re going to go through a lot of trouble trying to clean up the profile. Save yourself the trouble. The best thing to do is have a clean and slim mandatory profile that can be applied to any server or desktop in your environment and leverage AppSense itself to do everything else.

So to build a clean mandatory profile:

1. Login to your Windows 7 or Server 2008 R2 box with a local admin account or an domain administrator account, doesn’t matter. I’m going to use Server 2008 R2 for these screenshots.

2. Start > Control Panel > click User Accounts > click Configure advanced user profile properties

3. Click the Default Profile and hit Copy Too…

4. Copy the profile anywhere you like, I chose “c:\mandatoryprofile.v2“. Usually you want your mandatory profile on a file server or DFS share where it is easily accessible but I am just leaving it local for this example. I specified v2 since I am creating a profile for Server 2008 R2. I changed the “Permitted to use” to “Everyone” so all users get NTFS rights to use it.

5. Navigate to c:\mandatoryprofile.v2 and go to Folder and search options

6. Uncheck “Hide protected operating system files”

7. Now you will 5 temp files you do not need in the mandatory profile. Delete them.


8. The ntuser.dat should be around 512 KB on a clean Server 2008 R2 box

9. Now rename ntuser.dat to ntuser.man

10. From here, you would normally setup a domain level group policy and apply it to the OU that has the servers or desktops you want to use the mandatory profile on. Since this is an example, I am going to edit the local group policy instead.

Go to Start > Run > and type gpedit.msc.

Then navigate to:

Local Computer Policy > Computer Configuration > Administrative Templates > System > User Profiles

There will be 3 items we need to change to “Enabled”:

-Delete cached copies of roaming profiles
-Set roaming profile path for all users logging on this computer
-Prevent Roaming Profile changes from propagating to the server

11. For “Set roaming profile path for all users logging on this computer”, you need to put a UNC path to the share that holds your mandatory profile. So since it’s on the local server in this example, I will do:

\\servername\mandatoryprofile

Notice I did not add “.v2” at the end. Windows will automatically look for it as the users login.

12. Once you’ve made your changes, it should look like this:

13. Now navigate to:

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles

There will be 2 items we need to change to “Enabled”:

-Use mandatory profiles on the RD Session Host server
-Set path for Remote Desktop Services Roaming User Profile

14. For “Set path for Remote Desktop Services Roaming User Profile”, you need to put a UNC path to the share that holds your mandatory profile just like the previous setting.

\\servername\mandatoryprofile

Notice again I did not add “.v2” at the end. Windows will automatically look for it as the users login.

15. Once you’ve made your changes, it should look like this:

16. Now navigate to the mandatory profiles desktop and add a text file. So in this example “c:\mandatoryprofile.v2\Desktop“. I’ve created a file called “This is a mandatory profile in action.txt”.

17. Now right click on the mandatoryprofile.v2 folder and share it out. Make sure “Everyone” has access:

18. Now RDP into the server using any account you like. You will get the mandatory profile and you will see the text file we had created earlier on the desktop.

2 Comments

  1. cliff

    August 21, 2013 at 7:48 PM

    ok, I’m doing this on Server 2012/Windows 8 and I am assuming it’s the same process, but I need to tweak my profile (install software, printers, desktop, delete some stuff) and then make it mandatory. When do I do that?

    Thanks

    Cliff

  2. Dylan

    January 14, 2015 at 11:40 AM

    I always check the User Profile section under the Properties section of the server. It will say there whether its Manadatory or not.

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Apache

Today I would like to go over proper URL redirection when using SSL but first I would like to preface this by describing what...

Citrix Workspace

You can use FIDO2 hardware security keys plugged into your physical desktop over the Citrix HDX remoting protocol for use with virtualized Windows Desktop...

Exchange 2003

A useful Exchange 2003 guide I wrote for a friend’s blog originally but I am posting it here on mine now for your viewing...

Cloud Design Architecture

The community-driven paperback book initiated by my friends Bas van Kaam and Christiaan Brinkhoff is available for sale on Amazon. If you haven’t picked...

JasonSamuel.com began in 2008 as a way for me to give back to the IT community. This website features the latest news and how-to's on enterprise mobility, security, virtualization, cloud architecture, and other technologies I work with. This website has evolved over time to become a go-to reference hub for these technologies. It receives hundreds of thousands of unique visitors from all over the world each month. More details on the About Me page.
Copyright © 2008-2023 JasonSamuel.com

Exit mobile version