|Subject:||Mandatory Profile and GPO|
|Posted by:||Ken Lizotte (KenLizot…@discussions.microsoft.com)|
|Date:||Fri, 9 Jun 2006|
I hope this is appropriate for this group.
I have a type of employee that I would like to give mandatory desktop and
security settings. I have Server 2003 on 1 DC (DC1) and several XP Pro
I created an OU called 'Estimators' and created a GPO called 'Estimator
Group Policy' for this OU. For testing, the only setting I Enabled was
'Remove and Prevent Access to the Shutdown Command'. I then created a shared
folder called 'Profiles' on DC1.
I created a user called est1 in 'Estimators' OU. I logged on a workstation
with user 'est1' and, for testing, added a desktop shortcut to calc.exe. I
restarted the workstation and logged in as administrator. From
system/Advanced/User Profiles settings, I copied est1 profile to
\\dc1\profiles\ManProfile and added est1 in 'permitted to use'.
On DC1, I went to \profiles\ManProfile and changed ntuser.dat to ntuser.man.
In Domain Users and Computers, I opened est1 and entered
'\\Dc1\Profiles\ManProfile' under user profile/profile path.
Mandatory profile is working. Now my objective is to add new users in the
'Estimators' OU and assign them the mandatory profile. I add user 'est2' in
the 'Estimators' OU, and enter '\\Dc1\Profiles\ManProfile' under user
profile/profile path. I give est2 full control to the ManProfile folder (same
Here is problem: When I log in as est2, I get the shortcut to clac.exe, but
I also get the shutdown function. If I remove the profile path from 'est2',
then a log in creates a local profile and shutdown is not available. It
seems that any new user in the 'Estimators' OU that is directed to the
mandatory profile, loses the GPO for the OU.
I hope I was not too detailed, but wanted to portay an accurate step-by-step.