Force domain users to a single profile in a local machine


Solution 1

What you are looking for is called a mandatory profile. There is an MSDN article and an MS KB article on it. The latter has an explanation for exactly how to create and implement it.

Solution 2

Non-Sysprep Method

  1. Create "Test" or "Setup" account
  2. Make group policy changes Computer Config > Administrative Templates > System > User Profiles >
    • Only Allow User Profiles = Enabled
    • Set Roaming Profile Path for all users logging onto this computer = Disabled
    • Prevent Roaming Profile changes from propagating to the server = Enabled
  3. Customize the Test or Setup account
  4. Enable built-in Administrator account
  5. Log on as Administrator
  6. Install RichCopy from Technet
  7. Use Explorer to unhide system files and folders
  8. Use RichCopy to copy the profile from the account used to implement customizations to "Default User"
  9. Join machine to the domain
  10. Reboot
  11. Log on as a domain user and all customizations should be applied to the users' profile

Sysprep Method - We may want to use this method because this method should be fully supported by MS

  1. Login as the setup account
  2. Enable Administrator Account
  3. Log on as Administrator
  4. Go to Manage Users
  5. Delete Setup account and any other accounts that have a profile folder and choose "delete files"

  6. Make group policy changes

    • Computer Config > Administrative Templates > System > User Profiles >
    • Only Allow User Profiles = Enabled
    • Set Roaming Profile Path for all users logging onto this computer = Disabled
    • Prevent Roaming Profile changes from propagating to the server = Enabled
  7. Complete all customizations

  8. Copy validated answer file to C: root
  9. Go to windows\system32\sysprep
  10. Right click while holding shift and choose "open command window here"
  11. Run "sysprep.exe /oobe /generalize /unattend:c:\yourunattendfile.xml"
  12. Once the system reboots go through whatever portion of mini-setup your answer file dictates
  13. Join machine to the domain
  14. Log on as a domain user
  15. Basic look and feel customizations should have been applied from the local Default User profile

I have tested this method in a non AD environment and a bare AD virtual environment. If your organization uses Domain level gpo's you may need to make sure there are no gpo's that will over-write the local policies above.

Also, if you have a Network default profile in the Netlogon share you may need to set the permissions on that folder to deny all. I haven't tested yet to see the behavior if that share exists. So I still need to verify that the 3 local policies mentioned above will stop the profile search of the local machine from going to the network to try to pull the Default Network Profile.

If you try that before I have posted an update please feel free to post your results here.
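A read-only check for the two open points in the answer above (whether a domain GPO has overwritten the three local policies, and whether a network default profile exists in the Netlogon share), added here as an example and not part of the original answer. Assumptions: the three policies are stored as the registry values `LocalProfile`, `ReadOnlyProfile` and `MachineProfilePath` under the key shown, and a Windows 7 network default profile would be named `Default User.v2`.

```powershell
# Added example, not from the original answer. Read-only; PowerShell 2.0 compatible.
# Assumption: the User Profiles policies are stored under this key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-PolicyValue([string]$Name) {
    # Returns $null when the value is absent (policy Disabled or Not Configured).
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# WantSet = $true  -> policy should be Enabled (DWORD 1)
# WantSet = $false -> policy should be Disabled (value absent or empty)
$checks = @(
    @{ Policy = 'Only allow local user profiles';             Name = 'LocalProfile';       WantSet = $true  },
    @{ Policy = 'Set roaming profile path for all users';     Name = 'MachineProfilePath'; WantSet = $false },
    @{ Policy = 'Prevent roaming profile changes to server';  Name = 'ReadOnlyProfile';    WantSet = $true  }
)

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue $c.Name
    if ($c.WantSet) {
        $ok = ($actual -eq 1)
    } else {
        $ok = [string]::IsNullOrEmpty([string]$actual)
    }
    New-Object PSObject -Property @{
        Policy = $c.Policy
        Value  = $c.Name
        Actual = $actual
        OK     = $ok
    }
}
$results | Format-Table Policy, Value, Actual, OK -AutoSize

# Network default profile: LOGONSERVER is \\<DC> for a domain logon.
# Assumption: the folder name is "Default User.v2" on Windows 7.
if ($env:LOGONSERVER) {
    $netDefault = Join-Path "$env:LOGONSERVER\NETLOGON" 'Default User.v2'
    "Network default profile present at ${netDefault}: $(Test-Path $netDefault)"
}

if ($results | Where-Object { -not $_.OK }) {
    'At least one policy differs from the expected state; check for an overriding domain GPO.'
}
```

Run it after the domain join and a reboot; if a row shows `OK = False`, `gpresult /r /scope computer` lists the GPOs applied to the machine.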

Author: Anatoli

Updated on September 17, 2022

Comments

  • Anatoli
    Anatoli over 1 year

    In Windows XP, there is a way to configure it so that it would force every single domain user to a single profile in a local machine upon log in.

    However I can't find the way to do this in Windows 7.

    Does anyone have any recommendations?

  • Anatoli
    Anatoli almost 14 years
    Is there any way to store the mandatory profile in local machines not a file server?
  • nhinkle
    nhinkle almost 14 years
    Yes. I believe there are two ways to do this. Because the local machine is the logon server, you could create a NETLOGON share on it, and place it there. The other (probably better way) is to just rename the NTUSER.DAT file in the user's profile (likely under `C:\users\username`) to NTUSER.MAN, and then remove the NTUSER.DAT file. I believe that will work too, but have not tested myself.
  • Anatoli
    Anatoli almost 14 years
    Could you possibly explain step by step how to do it?
  • Thalys
    Thalys about 12 years
    There are a few things that seem specific to your install - step 6 and step 8 of your sysprep method.
  • Rod Echols
    Rod Echols about 12 years
    Yeah, I got excited. I found the edit button and took out anything related to my specific environment.