In this two-part blog-post series, we discuss:
- Creating a mandatory user profile using an Unattend.xml file with the CopyFile parameter for Windows 7, 8.1, and 10.
- Combining the strengths of mandatory user profiles with the flexibility of VMware User Environment Manager to improve the end-user experience.
It is no secret that Microsoft Windows profiles grow as end users use and customize their PCs. Granting users the ability to customize all components of the profile expedites this growth. Over time, this can lead to excessive Windows login times, causing lost productivity for end users and extra work for IT administrators. However, locking down the profile to prevent all changes leads to end-user frustration and complaints.
Over the years, Microsoft has developed a number of profile types, one of which is a mandatory user profile. According to the Microsoft website on Mandatory User Profiles:
A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded.
As you can see, the mandatory profile was created to prevent excessive profile growth by discarding user changes, but is limited by the fact that end users cannot customize their profiles.
In February 2015, VMware acquired Immidio, and has since released new versions of this technology under the name VMware User Environment Manager. With VMware User Environment Manager, organizations get the best for everyone. End users receive a personalized and dynamic Windows desktop, while IT controls profile growth and ensures short login times.
Implementing Mandatory User Profiles
Some of you may already be using mandatory profiles in your environment. We have provided links to additional information about VMware User Environment Manager that you can peruse while waiting for Part 2 of this blog-post series. For those of you who are not familiar with or are not yet using mandatory profiles, this section will help you get started.
We offer multiple ways to create a customized default user profile to be used as a mandatory profile. Some common practices may not be supported by Microsoft. If you do not use the method outlined here, be sure to follow Microsoft’s best practices to avoid long-term issues with your user profiles.
For detailed instructions about creating mandatory user profiles for your Windows versions, refer to Microsoft documentation. We found the following links to be helpful:
- Windows 7, 8.1:
- Windows 10:
Note: Be sure you have the proper profile extension for the versions of Windows you are using. For example, Windows 10 uses v5 profiles, but the Anniversary Update (1607) uses v6 profiles.
For a list of Windows profile versions, see the TechNet article Create mandatory user profiles.
We found a few documentation gaps while working through the various guides from Microsoft. The following is an overview of the process used to successfully create a mandatory profile, along with some additional detail not found in the previous links.
1. Log in to a clean Windows system with a local account.
Important: Microsoft recommends using the local administrator account, and specifically not a domain account, for this process.
2. Customize the profile to your organization’s standards.
Note: Minimal customization is required during this step because VMware User Environment Manager provides dynamic customization capabilities for all aspects of the user profile. This is covered in more detail in Part 2 of this blog-post series. For now, know you do not need to create a highly customized default profile.Customization of the Start Menu can be accomplished by following the steps outlined in Managing Windows 10 with VMware User Environment Manager.
3. Create an Unattend.xml file that uses the CopyProfile parameter to copy your custom profile to the default user profile during Sysprep.
Use the Windows System Image Manager (SIM) tool to create the custom Unattend.xml file.
4. Run Sysprep and reference the Unattend.xmlfile to create a default user profile. The following is a sample command line:
sysprep /oobe /reboot /generalize /unattend:unattend.xml
5. Create a network share and set the necessary permissions for users to access the mandatory user profile. Following is a sample list of permissions that worked for us, but always use Microsoft documentation for best practices about setting folder permissions.
- System – Full control, this folder, subfolders, files
- Builtin/Administrators – Full control, this folder, subfolders, files, Owner
- Authenticated Users – Read & Execute, this folder, subfolder, files
- Builtin\Administrators – Full control
- Authenticated Users – Read
6. Copy the default user profile created in Step 4 to the network share created in Step 5.
7. Open the default profile, and rename Ntuser.dat to Ntuser.man.
8. Apply the mandatory user profile to individual accounts by way of AD Users and Computers, or to many users by way of Group Policy.
After you have completed the previous steps, the mandatory profile should be loaded each time the users you configured log in to Windows. Any changes to the profile will be discarded at logout.
The next step is to configure VMware User Environment Manager to manage application configurations, printer mappings, drive mappings, and other user customizations. In Part 2 of this series, we combine mandatory profiles with User Environment Manager and explore the benefits to both IT and end users.
Cannot Wait for More Technical Detail about VMware User Environment Manager?
Look at the User Environment Manager video series to learn more today!
By Stéphane Asselin and Josh Spencer, architect for VMware EUC Technical Marketing, with significant contributions from Jim Yanik, senior manager of VMware EUC Technical Marketing