Building mandatory profiles – Part one: Initial setup

My lab setup:

1. Referance machine in my case a Windows Server 2008 r2 with XenApp installed on it.

Be aware: in case of policies: the setting “delete cached copies of roaming profiles” must be disabled,
if you use a referance machine where mandatory profiles are already used you can disable the mandatory profile by disabling the setting:
“use mandatory profiles on the RD session host server”

2. Administrator account ( local or domain )

3. Local account (throughout my lab mine will be called “Manprof”)

4. Windows Enabler V1 (downloads)

5. Share to store the mandatory profile

– I’m creating a mandatory profile to use in an environment where I’m going to use a workspace manager. Therefore my goal is minimize my mandatory profile because I will be managing all the user experience setting out of my workspace manager en GPO’s. If you’re not using a workspace manager pay attention to step 6 this is where you want to customize you profile for user experience.

– It is important that your reference machine is up to date on patches, and software update. Especially software which uses active setup.

If you allready have a mandatory profile and you want to update or start cleaning up please skip part one and go directly to part two, keep in mind: it’s recommended to build your mandatory profile on the same platform where you’re intended to use the mandatory profile.

Start

1. Let’s start by logging on to our reference machine with user: Administrator

2. Start local users an groups

the easiest way to start this console is by opening a run box and launching: lusrmgr.msc

3. Select new user and create your .\manprof account

4. Grant the user local administrator rights.

5. And you’re done, logoff en log back on using .\Manprof (or hostname\Manprof)

6. Customization

This is the point where you customize your profile. You can predefine all sorts of settings for your users: Internet Explorer settings, Wallpapers, StartMenu changes etc. Remember it’s important to plan ahead, if you are also going to use policies or an additional workspace manager don’t set settings twice! So if for example: you’re going to set a wallpaper in a GPO don’t bother setting one in your mandatory profile.

Tip
If you’re using Citrix XenApp like me, set the theme to: Citrix Enhanced Desktop

7. When you’re done customizing logoff en log back on with the administrator account

8. Create a share on your file server. Grant everyone read rights.

9. Select security tab, Set NTFS permissions for Authenticated Users and grant them Read & Execute rights (see example)
Also make shure you check if inheretance is enabled,

10. Go to your download folder and open Windows Enabler v1

11. Check your system tray and click on the enabler icon so it reads:

12. Open system properties

the easiest way to start this console is by opening a run box and launching: Sysdm.cpl

13. In the overview you will see all the locally stored profiles. You will also see that the copy to button is greyed out, click on it anyway

14. After your second click the copy to button will be selectable, now copy the profile to your created share. You can use the settings from the screenshot, or apply your own.

You do however have to add the .V2 at the end of your folder name. Newer operating systems like: Windows Vista, Windows 7, Windows Server 2008 and 2008 R2 and also Server2012 use a newer profile type.