Discussion:
can you make a local profile into a mandatory profile?
(too old to reply)
Tadashi Inayama
2005-05-06 21:38:03 UTC
Permalink
or does a mandatory profile need to be a roaming profile?

how can I lock down a shared local profile?

my problem is that there is shared acct running on both win2k and win2k3
terminal servers
and the acct need to be locked down, roaming profiles do not work well going
from win2k and win2k3
servers, so it seemed easier to lock down the local profile for that acct on
all of the win2k and win2k3
terminal servers

Thanks,
Tadashi
Vera Noest [MVP]
2005-05-07 18:12:36 UTC
Permalink
I haven't tested this, so be careful (make a copy of the profile
before changing anything).

The usual way to make a profile mandatory is to rename ntuser.dat
to ntuser.man. You can also make the profile folder read-only.

But watch your EventLog, I'm not sure if this (read-only profile
folder) is going to cause problems when logging off.

Note also that making a profile mandatory doesn't help much in
locking down a user account. The user will still be able to change
all kinds of settings during a session, he will only be unable to
save the changes.

If you want to lock down your TS users, Group Policy is the way to
go:

Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/tech
nologies/terminal/trmlckd.mspx

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
Post by Tadashi Inayama
or does a mandatory profile need to be a roaming profile?
how can I lock down a shared local profile?
my problem is that there is shared acct running on both win2k
and win2k3 terminal servers
and the acct need to be locked down, roaming profiles do not
work well going from win2k and win2k3
servers, so it seemed easier to lock down the local profile for
that acct on all of the win2k and win2k3
terminal servers
Thanks,
Tadashi
Loading...