Modifying mandatory profiles in Windows 7


In a Windows AD environment with Windows 7 clients I am looking for ways of providing departmental admins with means to maintain mandatory profiles for their respective users. As settings required within the mandatory profile are going to change with every new client application installation, I need to find a mode where mandatory profiles could be changed effortlessly on demand.

From Windows Vista onward, the procedure of creating a mandatory profile has changed substantially. The official documentation mandates the creation of a default user profile, which in turn requires a run of

sysprep /oobe /reboot /generalize /unattend:unattend.xml

to create the default user profile. It also states

Other methods of creating default user profiles exist. […] However, the steps that this section describes are the only steps that Microsoft supports for customizing a default user profile. These steps clean the source user profile so that it supports multiple users.

As I cannot burden the mentioned admins with running sysprep on every profile change, I would need the details about the "cleaning" of the source user profile done by the WAIK's CopyProfile so I could mimic this procedure through scripting.

Another approach might be to create the profile with the sysprep method once and export settings changes from another template profile on demand by scripting. For this to work reliably, I would need to know which keys in the mandatory profile must not be overwritten.

In the past, I have done something similar with Windows XP workstations by simply exporting the registry of a (special) user logged on with the mandatory profile using a reg export call directly to the respective .MAN file. With the latest changes in profile handling, I am all but sure that this still would be a sane way to handle it.

Insight and references much appreciated.

Best Answer

According to a TechNet blog entry about the Default user profile, these seem to be the points CopyProfile is addressing in a user's profile when sysprep is run:

  • Their list of most frequently run programs is not cleared
  • Whether the user has been introduced to the Start menu (will be set to TRUE for the source account, but should be FALSE for new users). Windows Explorer does some special things the first time you log on to introduce you to the Start menu and other new features.
  • Whether the user is an administrator (and should therefore see the Administrative Tools, etc).
  • The personalized name for “My Documents” will be incorrect. All users' documents folders will be called “Administrator's Documents”. This is documented in the Knowledge Base article “The Desktop.ini File Does Not Work Correctly When You Create a Custom Default Profile” (http://support.microsoft.com/?id=321281).
  • The default download directory for IE will be set to the Administrator's Desktop folder.
  • The default Save and Open locations for some applications will point to the Administrator's documents folder.
  • Windows 7 Libraries are broken.

Also, a scripted method of changing the profile is proposed:

Identify the needed Registry changes. Then use a tool like Reg.exe or KiXtart to load the Default User hive into a temporary location into the Registry, write only the needed settings, and then unload the hive.

[...]

You should exercise caution using this method. Try to keep all changes limited to only the individual Registry or file system changes needed for a particular desired result (e.g., a Windows or application setting). Do not do wholesale export and import of Registry keys or folder trees. This can potentially lead to the same problems as a manual profile copy.

The challenge for a generic approach, if the changes done to the registry are unknown, would be identifying the problematic locations which must not be copied over and excluding them from a settings copy. Creating a profile, copying it, going through the CopyProfile operation and comparing both (e.g. by using RegShot) should help find the settings changed by CopyProfile.
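
The before/after comparison suggested above can also be scripted over two regedit exports instead of RegShot. The following is an added example, not part of the original answer or of any Microsoft tooling: it assumes the two profile hives were loaded under the hypothetical mount keys HKEY_USERS\Before and HKEY_USERS\After and exported to .reg text, and all key and value names in the sample data are constructed.

```python
import re

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
def parse_reg(text, mount):
    """Parse regedit export text into {(subkey, value_name): raw_data}.
    mount (the key the hive was loaded under) is stripped from every key."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # rejoin wrapped hex values
    values, subkey, root = {}, None, mount.lower()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry names are case-insensitive
            subkey = key[len(root) + 1:] if (key + "\\").startswith(root + "\\") else None
            continue
        m = VALUE_RE.match(line)
        if m and subkey is not None:
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1].lower()
            values[(subkey, name)] = m.group(2)
    return values

def diff_values(before, after):
    """Return sorted (kind, subkey, value_name) for each differing value."""
    changes = []
    for ident in sorted(set(before) | set(after)):
        old, new = before.get(ident), after.get(ident)
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "changed"
            changes.append((kind, *ident))
    return changes

# Constructed sample exports (hypothetical keys, not real CopyProfile output).
# Real regedit exports are UTF-16: open(path, encoding="utf-16").read()
BEFORE = r'''Windows Registry Editor Version 5.00
[HKEY_USERS\Before\Software\ExampleVendor\App]
"SaveDir"="C:\\Users\\Administrator\\Documents"
"Recent"=hex:01,02,\
  03,04
[HKEY_USERS\Before\Software\ExampleVendor\Shell]
"IntroShown"=dword:00000001
'''
AFTER = r'''Windows Registry Editor Version 5.00
[HKEY_USERS\After\Software\ExampleVendor\App]
"SaveDir"="%USERPROFILE%\\Documents"
"Recent"=hex:01,02,03,04
[HKEY_USERS\After\Software\ExampleVendor\Shell]
'''
CHANGES = diff_values(parse_reg(BEFORE, r"HKEY_USERS\Before"),
                      parse_reg(AFTER, r"HKEY_USERS\After"))
for c in CHANGES: print(*c)
```

The resulting list is the set of locations to exclude from a scripted settings copy; values that differ only in how regedit wrapped a long hex line are not reported.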