404 Tech Support

Creating a mandatory profile in Windows 7

It’s been a little while since I had to create a mandatory profile. I have done it on Windows XP computers at previous organizations and clients but with a new organization actually using Windows 7, the situation has finally come about for a lab/kiosk environment that could make use of a mandatory profile. To refresh myself, I gathered a few resources on the topic.

Microsoft’s TechNet Library has an entry called “Creating a Mandatory User Profile”. It sounds like it should be a one-stop shop for the information needed. Unfortunately, it redirects you to other steps and the whole process feels unrefined.

Before you can create a mandatory profile, you have to follow another Microsoft TechNet entry, “Configuring Standard User Accounts”. Specifically, a subsection of the article covers “To create a default user profile”. Be sure you are doing this process on a new Windows 7 test machine, not something you expect to use in production. The process involves running the command:

c:\Windows\system32\sysprep\sysprep.exe /oobe /reboot /generalize /unattend:c:\unattend.xml

Before you can run the command, you have to create the unattend.xml file and place it at C:\ (or update the command accordingly). To create the unattend.xml file with the CopyProfile attribute set to true, Microsoft points users to the Windows Automated Installation Kit. Instead of that route, it’s easier to copy the appropriate (32-bit or 64-bit) file from this TechNet blog and create an unattend.xml file at the root of the C: drive.

x86

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
</unattend>

x64

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
</unattend>

Now you can run the sysprep command. It will restart the computer and copy the profile you are logged into over to the default profile. As I did not have much customization to do, instead trying to use Group Policy to control the experience, this was sufficient for me. If you need to customize the profile more before gathering it, this blog presents a further approach of putting the computer into audit mode by pressing Ctrl+Shift+F3.

With sysprep re-activating the out-of-box experience, you will have to set up a user with a password. That user will be an administrator by default, and you will be automatically logged into the machine and disconnected from a domain if you were previously connected.

Once logged in, you can copy the profile to a local or server location. The Microsoft TechNet article says to type ‘user profile’ at Start and then open “Configure advanced user profile properties”. This didn’t work for me as it only showed the current profile as available. Instead, I took the route of right-clicking on Computer and going to Properties. From there, you click ‘Advanced system settings’. Under the ‘Advanced’ tab, a section for User Profiles has a ‘Settings…’ button. This opens the User Profiles window and I could see the other local accounts.

Click on the Default Profile and click the ‘Copy To…’ button. In the dialog that pops up, choose a location to save the profile and, under ‘Permitted to use’, click ‘Change’ and type ‘Everyone’. Click OK on that dialog and on the Copy To dialog to copy the profile.

You now have a profile that can be used for the Creating a Mandatory User Profile article. In Windows Explorer, browse to the copy-to location that you chose for the profile. Hit the Alt key to see the menu bar and go to Tools, Folder options. Uncheck the box ‘Hide protected operating system files’ and hit OK to close the dialog boxes. You should now see an ntuser.dat file in Explorer. This is the equivalent of HKEY_CURRENT_USER in the registry. Rename the file from ntuser.dat to ntuser.man. Go up a level in the folder structure and rename the profile folder to [anything].v2.

There’s your mandatory profile. You can assign it through Active Directory Users and Computers and continue setting up the user experience.
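The script below is an added example, not part of the original post or of Microsoft's documentation. It checks the answer file for the CopyProfile setting in the specialize pass before sysprep is run, and checks that the finished profile folder follows the ntuser.man and .v2 naming described above. The function names and the C:\Profiles\Kiosk.v2 path are assumptions made for illustration.

```powershell
# Added example, not from the original post; function names are hypothetical.
function Test-CopyProfileAnswerFile {
    param(
        [string]$Path = 'C:\unattend.xml',
        # 'x86' or 'amd64'. A 32-bit shell on 64-bit Windows reports x86, so pass it explicitly there.
        [string]$Architecture = $env:PROCESSOR_ARCHITECTURE
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return "answer file not found: $Path" }
    $raw = [System.IO.File]::ReadAllText($Path)
    # Quotes pasted from a web page are often typographic, which makes the file invalid XML.
    if ($raw -match '[\u201C\u201D\u2033]') { return 'typographic quotes found; use plain double quotes' }
    try { $xml = [xml]$raw } catch { return "not well-formed XML: $($_.Exception.Message)" }

    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $xml.NameTable
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    $xpath = "/u:unattend/u:settings[@pass='specialize']/u:component[@name='Microsoft-Windows-Shell-Setup']"
    $comp = $xml.SelectSingleNode($xpath, $ns)
    if ($null -eq $comp) { return 'no Microsoft-Windows-Shell-Setup component in the specialize pass' }

    $problems = @()
    $arch = $comp.GetAttribute('processorArchitecture')
    if ($arch -ne $Architecture) { $problems += "processorArchitecture is '$arch', expected '$Architecture'" }
    $copy = $comp.SelectSingleNode('u:CopyProfile', $ns)
    if ($null -eq $copy -or $copy.InnerText.Trim() -ne 'true') { $problems += 'CopyProfile is not set to true' }
    $problems
}

function Test-MandatoryProfileFolder {
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return "profile folder not found: $Path" }
    $problems = @()
    $leaf = [System.IO.Path]::GetFileName($Path.TrimEnd('\'))
    if ($leaf -notlike '*.v2') { $problems += "folder name '$leaf' does not end in .v2" }
    if (-not (Test-Path -LiteralPath (Join-Path $Path 'ntuser.man'))) { $problems += 'ntuser.man is missing' }
    if (Test-Path -LiteralPath (Join-Path $Path 'ntuser.dat')) { $problems += 'ntuser.dat is still present (not renamed)' }
    $problems
}

# An empty result means no problems were found.
# 'C:\Profiles\Kiosk.v2' is a constructed path; substitute your own copy-to location.
@(Test-CopyProfileAnswerFile -Path 'C:\unattend.xml')
@(Test-MandatoryProfileFolder -Path 'C:\Profiles\Kiosk.v2')
```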