Building mandatory profiles – Part two: Editing and Cleanup


Cleanup of files, path’s and other references in the mandatory profile.- I’m creating a mandatory profile to use in an environment where I’m going to use a workspace manager. Therefore my goal is minimize my mandatory profile because I will be managing all the user experience setting out of my workspace manager en GPO’s. If you’re not using a workspace manager you sometimes want to leave certain folders or files.


1. Let’s start by logging on to our reference machine with user: Administrator

2. Goto your Mandatory profile share, and select all the files and folders you don’t want in your mandatory profile.


3. This is the part you will as an admin repeat many times, rename your back to ntuser.dat


4. Now start the registry editor with admin credentials.


5. Presented with the console select users. Now goto the top menu and select File and next click Load Hive


6. Select the ntuser.dat from your mandatory profile


7. When presented with the question how you want to name the loaded hive, teach yourself to always choose a recognizable name. In my case it’s: .manprof


8. First point on the registry agenda: setting security rights make shure that everyone has full control


9. Now it is time to start the cleanup. First select the mandatory profile hive then select search. Enter the name of your mandatory profile and hit search.


10. Search the hive for the username of the user used to generate the hive and delete/replace the values as appropriate.

Note that there is no guarantee that changing a REG_SZ value to a REG_EXPAND_SZ and using “%Username%” or “%UserProfile%” in place of the actual username or locally cached profile folder respectively will work since it is up to the application that reads the value to implement environment variable expansion.
Don’t be tempted to delete a whole key unless you are prepared to test that no ill effects occur. A good example for this is action 11.





11.  Delete all the subkeys of : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Because the key contains various path’s to the generated user’s local cached profile folder, it will cause issues when you delete the intire key, instead deleate all sub components.


12. Make shure you check the following locations for any unwanted autoruns.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

13. Delete the following keys so you won’t have any interference with your companies GPO’s

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
  • HKCU\Software\Policies

14. Go to the root of users, and select your “recognizable name” In my case this was .manprof and select from the file menu unload hive

14. Rename your ntuser.dat back to


15. You can delete all temp files, as shown in the image above.

You can read about how to deal with Windows Libraries in mandatory profiles in part three

Site Footer