I’ve used Mandatory Profiles for controlling a lab environment running Windows XP and Windows 7. Trying to do the same thing in Windows 8.1, did not work quite so straightforward, so I figured I would document the process. The step-by-step is at the end of this article.
Mandatory profiles (and super mandatory profiles) are pre-configured roaming user profiles where changes are not saved back up to the server. This allows you to create an environment that works similar to DeepFreeze without the heavy overhead. Microsoft has some documentation on the process but it’s a bit dated and leaves some questions when you are trying to utilize mandatory profiles in Windows 8.1 Update environments.
- Deploy Roaming User Profiles
- Mandatory User Profiles
- CopyProfile in Unattend.xml
- Configuring Standard User Accounts
- Creating a Mandatory Profile
- Incompatibility between Windows 8.1 roaming user profiles and those in earlier versions of Windows
Learning from those documents along with some trial-and-error, I came up with an 11 step process that worked very consistently for me. I did run into some snags when using an OEM product key where SysPrep would generate a fatal error message but with the volume license key, things seemed to work much better.
To begin, I used a computer with Windows 8.1 freshly installed. I used the updated Windows 8.1 Update install media and ran Windows Updates once installed. I also created an Unattend.xml file that simply had the CopyProfile=true setting.
[xml]
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="specialize">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<CopyProfile>true</CopyProfile>
</component>
</settings>
</unattend>
[/xml]
If your roaming profiles will be floating across operating system versions like Windows 7 to Windows 8.1, update KB2887595 for Windows 8.1 addresses the profile service in Windows 8.1 (and is included in Windows 8.1 Update). This creates extensions for a fourth version of the Windows profile.
Operating system version | Roaming User Profile location |
---|---|
Windows XP and Windows Server 2003 | \<servername><fileshare><username> |
Windows Vista and Windows Server 2008 | \<servername><fileshare><username>.V2 |
Windows 7 and Windows Server 2008 R2 | \<servername><fileshare><username>.V2 |
Windows 8 and Windows Server 2012 | \<servername><fileshare><username>.V3 (after the software update and registry key are applied) \<servername><fileshare><username>.V2 (before the software update and registry key are applied) |
Windows 8.1 and Windows Server 2012 R2 | \<servername><fileshare><username>.V4 (after the software update and registry key are applied) \<servername><fileshare><username>.V2 (before the software update and registry key are applied) |
For the profile we export, you will rename the folder name to end in a ‘.v4’. Once we have the profile created, the computer also needs to be told to recognize the profile folder extensions. You do that by setting this registry key.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesProfSvcParameters]
“UseProfilePathExtensionVersion”=dword:00000001
After setting the registry key manually (or even better with a Group Policy Preference), the computer needs rebooted and the user should be able to log in using the new mandatory profile.
The Steps
Step 1. Create a local account that is a local administrator.
Step 2. Sign in as a local account and customize as needed.
Step 3. Run SysPrep with CopyProfile=true in the unattend.xml. (See above, I copied mine into a file called copyprofile.xml.)
This copies the account you are logged in as to the Default profile during the SysPrep process.
C:windowssystem32sysprepsysprep.exe /generalize /oobe /unattend:c:ITcopyprofile.xml
Step 4. Sign in as the local administrator account.
Step 5. Right click on This PC and go to Properties. Click Advanced system settings and then view User Accounts.
Step 6. Select the default profile and choose Copy To.
Step 7. Copy the profile to a local desktop folder with.v4 at the end and give Everyone access and hit OK.
Step 8. Copy this new folder up to your file share. Give it the appropriate file permissions for those using the profile. Rename NTUser.dat to NTUser.man.
Step 9. Assign the profile through Group Policy or Active Directory, as you prefer. \ServerNameShareNameFolderName
(Leave .v4 off) Set the reg key on the client computers to use profile extension paths.
Step 10. Sign in with an account that will have the profile assigned to it. To see how things look and test that objects are deleted upon a restart.
Step 11. Customize the profile as needed.
Repeat Steps 10 and 11 until the profile is perfect.