10 Responses to Mandatory Profiles – The Good, the Bad and the Ugly

  1. Frank DeCelie March 2, 2009 at 14:24 #

    Hi, I enjoyed your notes about mandatory profiles and found it helpful. I would add to the list of “bad” parts of mandatory profiles: If you need to make a change later on, it can be very difficult to update. For example, when a Google update to their toolbar is processed on a computer, the Update Notifier window tells you about the update, and you click “OK” and it disappears. Except that, with a mandatory profile, those sorts of questions NEVER go away! You have to completely recreate the profile, you have to delete the Mandatory profile on the client (every single client!), and then the popup questiosn will stop. Very tedious!

  2. Brian May 18, 2009 at 04:25 #

    If I never have a user logon to a desktop – meaning they only launch a single app off our Citrix server – wouldn\’t a mandatory profile be perfect? The app is a front end to a database, so all data is stored in the DB.

    • Helge Klein May 18, 2009 at 08:31 #

      a mandatory profile might be perfect in your scenario if the application you are talking about does not store anything in the profile (either in the registry, HKCU, or in the file system) and if your users do not need general Windows settings like changing the mouse from right-hand to left hand.

  3. Brian May 18, 2009 at 13:09 #

    Would there be any issues with auto-created printers in a mandatory profile? Each thin client has a printer connected to it that is auto-created.

    As for settings, I’m checing with the vendor now. Thanks for the info!

    • Helge Klein May 18, 2009 at 14:52 #

      I do not think that auto-created client printers would pose a problem when used with a mandatory profile (MP). A MP basically is a roaming profile that is not written back to the file server during logoff, but discarded instead. What should happen during logon is that the MP gets copied to the TS, after which XenApp creates the client printers and the environment is set up. So that should work.
      Nevertheless, be sure to test the setup thoroughly and have the app “owner” test, too.

  4. David May 21, 2009 at 17:57 #

    I am trying to setup a manditory profile and I am having some problems making it work. We run in a Server2003 Domain environment.

    We want to use manditory profiles for our student labs. We don’t want them to change the desktop icons,backgrounds, or anything else. If they do find a way to change it, I want it reset after the machine is rebooted. (all labs log into a restricted account automatically.)

    The problem I am running into is that the local copy doesnt seem to be going away at log off. So if a person changes the background, then logs off, and logs back on the changes they made are still there.

    Any ideas??

    • Helge Klein May 22, 2009 at 09:38 #

      you should enable user environment debug logging to see what is going on.
      Additionally, if some application or service is not properly closing its handles to elements inside the profile during logoff, install UPHClean.

  5. Kurt Maurer August 1, 2012 at 10:28 #


    i want to create a mandatory profile for Windows 7 which will be used by only one user (userABC)
    in a Server 2008 R2-Domain.
    Can i avoid the complicated creation of the profile as described here http://support.microsoft.com/kb/973289 (section: How to turn the default user profile into a mandatory user profile in Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2) if i do the following?:

    A. Create and customize a roaming profile for userABC.
    B. Rename ntuser.dat to ntuser.man
    C. Assign the appropriate share permissions for the mandatory profile
    D. Only use this mandatory profile with userABC, so there won´t be any problems with
    hardcoded usernames in HKCU, right? Because this seems to be the main problem…

    Thanks for your suggestions

    • Helge August 1, 2012 at 12:39 #

      That should work.

Leave a Reply