Thread: Mandatory Profiles + GPO´s = giving me problems

  1. #1
    rooky, 30+ Helpful Posts (Join Date: Dec 1969, Posts: 33)

    Hi

    I am having some problems with the mandatory profiles and GPO combination for "very" restricted users.

    When I create a mandatory profile (tested only under XP with the fastboot option) and apply a GPO with, let's say, proxy settings, it looks like the mandatory profile, or better to say the profile with the ntuser.man file, isn't reacting to any of the changes you make to a GPO (after a profile is set to mandatory).


    So my question:
    Which file in the profile keeps track of the policy settings? And is it possible that a mandatory profile can become corrupt when applying GPOs and changing those GPOs?

  2. #2
    ph03n!x, Getting Started on GPanswers.com (Join Date: Dec 1969, Posts: 1)

    Hi! I've been trying to fix this for 10 hrs at a stretch, but no goes till now. I guess the answer would be the same for both mine and original poster's questions...

    I have applied a Group Policy for an OU, and that is working like it should. Recently I had to make my user's profiles mandatory. Here comes the problem: If I make a user's profile mandatory, the profile loads fine, but the group policy does not come into effect when the user logs in. If the mandatory profile is removed, all works fine again.

    Now, as a part of my experiment, I logged in as a fresh user in a stand-alone XP system and created a local group policy for that system. After I had the profile as well as the group policy configured, I copied the profile on to my server and tried using it as the mandatory profile. The profile loads OK, but the policies don't, even though the profile path has the ntuser.pol file!

    What am I doing wrong? Is what I am trying to do possible?

  3. #3
    rooky, 30+ Helpful Posts (Join Date: Dec 1969, Posts: 33)

    Hi

    Finally someone who is having similar problems.
    I have tested for a long time as well and have to confirm that when you delete/remove ntuser.man and NTUser.pol from the roaming profile, the new GPOs are applied (very logical, as a new hive is being created).
    When you do not change ntuser.man and .pol, no new GPOs will ever be taken into the profile registry files.
    The fun part... when you choose to save a local profile on the hard disk (Documents and Settings), the same problem occurs while attempting to apply new GPOs: the old ones get stuck in the profile registry portion for the user, and it looks like two profiles are doing their best to merge, with a very freaky result for GPOs sometimes.

    GPResult from the client command line shows doubly applied GPO settings, and usually a few blank lines and a few lines with actual statements from the new GPOs that do not get applied after all.

    The GPO Result Wizard in the GPMC tool sometimes lets you choose between two of the same usernames (Local and Roaming aware?) that exist on a computer and gives different results for each user: one result with local, stuffed old GPO settings and one with the correct Roaming Profile GPO settings.
    But the correct Roaming Profile GPO settings never get to the user.

    My guess for the .man problem is to not use mandatory profiles and GPO application at the same time, but either use Group Policy and lock the profiles down using policy settings, or use mandatory profiles to lock the profile down after you have stuffed the registry of the client with the correct GPO settings. That is, first apply Group Policy in an ntuser.dat environment and lock the profile down by making the ntuser.dat file mandatory, and reopen it when you need to apply a GPO change.

    Haven't tested making a profile read only and applying new group policy to it yet??

    Can someone help with this strange outcome?
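
For checking which registry-based policy settings an ntuser.pol copied along with a profile actually carries, here is an added example that is not part of any post in this thread. It assumes the file follows the registry policy (PReg) layout: a `PReg` signature, a 4-byte version, then `[key;value;type;size;data]` entries in UTF-16LE. The key path, value names and proxy host in the sample are constructed.

```python
import struct

PREG_SIGNATURE = b"PReg"            # 4-byte signature, then a 4-byte version
REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4

def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, offset after the NUL)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, char):
    """Check the UTF-16LE delimiter at pos and step over it."""
    if buf[pos:pos + 2] != char.encode("utf-16-le"):
        raise ValueError(f"expected {char!r} at offset {pos}")
    return pos + 2

def parse_pol(buf):
    """Return (version, [(key, value_name, reg_type, data), ...]) from PReg bytes."""
    if buf[:4] != PREG_SIGNATURE:
        raise ValueError("missing PReg signature")
    version = struct.unpack_from("<I", buf, 4)[0]
    entries, pos = [], 8
    while pos < len(buf):
        key, pos = _wstr(buf, _expect(buf, pos, "["))
        name, pos = _wstr(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        if rtype == REG_DWORD:
            data = struct.unpack("<I", data)[0]
        elif rtype in (REG_SZ, REG_EXPAND_SZ):
            data = data.decode("utf-16-le").rstrip("\x00")
        entries.append((key, name, rtype, data))
    return version, entries

def _entry(key, name, rtype, data):
    """Build one PReg entry; used only for the constructed sample below."""
    w = lambda s: s.encode("utf-16-le")
    return (w("[" + key + "\0;" + name + "\0;") + struct.pack("<I", rtype) + w(";")
            + struct.pack("<I", len(data)) + w(";") + data + w("]"))

KEY = r"Software\Policies\Example\Proxy"   # constructed key, not a real policy path
SAMPLE = (PREG_SIGNATURE + struct.pack("<I", 1)
          + _entry(KEY, "ProxyEnable", REG_DWORD, struct.pack("<I", 1))
          + _entry(KEY, "ProxyServer", REG_SZ, "proxy.example.test:8080\0".encode("utf-16-le")))
```

To read a real file, pass `open(path, "rb").read()` to `parse_pol`; comparing the output for the copy in the profile share against what the GPO is supposed to set shows whether the file is stale.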

  4. #4
    richie19rich77, Getting Started on GPanswers.com (Join Date: Dec 1969, Posts: 5)

    Hi Everyone,

    Just chasing up this problem. I have been using mandatory profiles for the last 4 years now, but have always modified the registry using scripts instead of Group Policies.

    I am trying to get back to the standard way of working, using Group Policies like Microsoft says we should, but I have hit the same problem as the above posts.

    Any feedback is welcome.

    Thanks

  5. #5
    rooky, 30+ Helpful Posts (Join Date: Dec 1969, Posts: 33)

    Hi,

    After my frustrations with the Roaming profiles and Group Policy errors I haven't had time to fully test all issues; I am going to do so in a short time...

    What I think is that logically the mandatory roaming profiles are forced to load a predefined profile, discarding every change you make to it, because the registry portion of the user is mandatory or read-only.
    Try to install or change something in the profile, and logoff will show you in many cases that the changes are discarded.
    I think this is the same with the settings in the predefined Group Policy registry keys after a profile is made mandatory.

    I think that when a change needs to be made to the profile you need to open the profile for editing, for example rename it back to ntuser.dat and log on as the user while applying a new Group Policy Object.
    After the changes have successfully been applied, re-lock the profile by renaming it back to ntuser.man and log back on to see if it still works.

    In my production environment cases it crushed 90% of all problems with roaming mandatory profiles.
    But I have to be clear on the matter: I haven't tried other solutions yet that might work, and I am still searching for clear, understandable answers.

  6. #6
    richie19rich77, Getting Started on GPanswers.com (Join Date: Dec 1969, Posts: 5)

    Hi,

    I have to disagree a bit. About 2 years ago we were using GPs within our domain environment, which included mandatory profiles, and it worked fine.

    Mandatory profiles work like you said, discarding all changes, but that has nothing to do with the group policy side. Look in the registry for the changes that GP is meant to be making: they are all there but are not being executed.

    I only changed to a scripted environment because I felt it was running too slow when using more than 2 GPs. In the meantime I have updated the service pack and all latest patches.

    It is nothing we are doing wrong, I will try and place a call with Microsoft.

    Thanks

  7. #7
    rooky, 30+ Helpful Posts (Join Date: Dec 1969, Posts: 33)

    Hi,

    I am wondering did you already place the call with Microsoft, and if yes did you receive an answer?

    Thanks,
