Mandatory Profiles

You could have a unique mandatory profile for every user, but in most cases this would require extra work and disk space, since most users will be sharing the same mandatory profile. (For example, all students would share the same mandatory profile called "student_profile" and all staff would share a mandatory profile called "staff_profile".)


It is strongly recommended that you make the following registry change on all of the NT workstations before you start using mandatory or roaming profiles. This registry entry will ensure that the workstation uses the mandatory profile from the server instead of a copy of the mandatory profile stored on the workstation.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Edit or add the value DeleteRoamingCache as type REG_DWORD. Set it to 1.

You should also manually delete any profiles that have already been created on the workstations.


  1. Create a generic user account (for example, a user named #student_template) that will correspond to the mandatory profile. Give this user the ability to Log on locally to the server.

  2. Log on to the server using the template account (#student_template). A new directory with the same name as the user name will be created in the %systemroot%\Profiles directory when you first log on. For example, if the user name is #student_template, the resulting directory name will be C:\winnt\Profiles\#student_template.

  3. Log off, and then log back on to the same computer using an account with administrative privileges.

  4. Create a directory on the server where the profiles will be stored. (I recommend creating a new directory like c:\profiles instead of using the existing c:\winnt\profiles.) The user accounts that will have mandatory profiles need only Read permissions to the shared directory.

  5. Establish this directory as a network share. To do this, open Windows Explorer, highlight the directory, right-click it, and choose the Sharing option. Select Shared As to enable sharing, then click OK.

  6. In the \\server\share from the previous step, create the directory that will contain the student profile information. (For example, create a directory called student_profile under the profiles share, so the entire path would be c:\profiles\student_profile.)

  7. From the Control Panel, click System. (You have to be logged on as a user with administrative privileges for this step to work.) From the User Profiles page, select the template profile and use the Copy To option to enter the path of the directory you created to hold the student profile information (in this example it is c:\profiles\student_profile).

  8. Modify the permissions to allow the user or group to use the profile. To do this, click the Change button, select the account, and click OK. You can select any group or specific user when setting the permissions; I recommend making it readable by Everyone. The profile, including the folder trees and the NTuser.xxx file originally included with the profile, is written to the location you designated. The permissions are also encoded into the binary NTuser.xxx file. (In some situations, such as when Internet Explorer 4.X is installed, this step may fail. If this happens, you will need to do a few extra steps, which are explained in the document Solving the Copy Profile Problem.)

  9. Use User Manager to modify the template profile. Enter the new profile path, for example: \\server_name\share_name\student_profile

  10. Using an NT workstation, log on to the Domain as the template user.

  11. Modify any items that need to differ from the current default. You may want to load the applications and modify the settings in the applications. For example, you may want to set the default document location in Microsoft Word to the user's home directory.

  12. Log off the workstation.

  13. Back on the server, go to the directory that the profile was copied to and check whether the NTUSER.xxx file has the .man extension. If the extension is .dat, the profile will be a roaming profile that can be modified by the user. Change the extension to .man in order to make it mandatory and unmodifiable.

    At this time you should probably set the permissions on this profile directory and everything below it to read only for everyone as well.

  14. Use User Manager to modify the profile of the accounts that will use this profile. Use the Control key in conjunction with the mouse to select multiple users. Enter the User Profile path, for example: \\server_name\share_name\student_profile
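
The following audit script is an added example, not part of the original procedure, and it uses PowerShell on a current Windows host rather than the NT 4.0 tools described above. It checks the DeleteRoamingCache value on the local machine and, for each profile directory, whether the hive is NTUSER.MAN rather than NTUSER.DAT and whether any principal outside an allow-list holds write-type rights. The function names, the trusted-writer list and the default C:\profiles path (taken from the example in step 4) are assumptions.

```powershell
# Added audit example (not from the original document).
param([string]$ProfileRoot = 'C:\profiles')   # assumption: share directory from step 4

# Assumption: only these principals may hold write access to a mandatory profile.
$TrustedWriters = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

# Write-type rights, plus GENERIC_WRITE and GENERIC_ALL, which can appear raw in ACEs.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = [int]$rights -bor 0x40000000 -bor 0x10000000

function Test-DeleteRoamingCache {
    # Registry value this page says to set to 1 on every workstation.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $key -Name DeleteRoamingCache -ErrorAction SilentlyContinue).DeleteRoamingCache
    return ($value -eq 1)
}

function Test-MandatoryProfile {
    param([Parameter(Mandatory)][string]$Path)

    # Inspect the profile directory itself and everything below it (step 13).
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    $writers = foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $TrustedWriters -notcontains $ace.IdentityReference.Value -and
                ([int]$ace.FileSystemRights -band $WriteMask)) {
                '{0} -> {1}' -f $ace.IdentityReference.Value, $item.FullName
            }
        }
    }

    [pscustomobject]@{
        Profile      = $Path
        HasNtuserMan = (Test-Path -LiteralPath (Join-Path $Path 'NTUSER.MAN') -PathType Leaf)
        HasNtuserDat = (Test-Path -LiteralPath (Join-Path $Path 'NTUSER.DAT') -PathType Leaf)
        WritableBy   = @($writers)
    }
}

Write-Host "DeleteRoamingCache is 1 on this machine: $(Test-DeleteRoamingCache)"
Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force |
    ForEach-Object { Test-MandatoryProfile -Path $_.FullName }
```

A profile matches the procedure when HasNtuserMan is True, HasNtuserDat is False and WritableBy is empty; any entry in WritableBy names a principal and path where the read-only permissions from step 13 were not applied.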