Microsoft

Stay in control with mandatory profiles in Windows NT

Microsoft's mandatory profiles enable admins to define settings that users can't permanently change. Learn more about mandatory profiles.

Profiles offer many user benefits, but they don't always solve the problems that administrators face. One such challenge is when working with a closed environment, in which administrators define the settings and lock them down to prevent users from making modifications. For example, say you want complete control over all computers and settings. You want each PC to have a blue background, five icons on the desktop, five programs on the Start menu, and the taskbar placed on the upper side of the screen. However, while you can configure these settings via the profiles, users can still change them.

To help you stay in control, Microsoft implemented mandatory profiles, which enable administrators to define settings that users can't permanently change. With mandatory profiles, a user can alter the settings, but the computer won't save the changes when the user logs off.

You can "convert" an existing profile to a mandatory profile by renaming the Ntuser.dat file to Ntuser.man. When the user logs on, he or she will then have a mandatory profile, and the computer can't save any changes that he or she makes to the environment.

Mandatory profiles are especially useful when you want to assign the same settings to several users. Instead of creating a profile for each user, you can create one profile, change it to a mandatory profile, and assign it to multiple users.

But there's a catch to using a mandatory profile. If the profile isn't available, the user can still log on because the system uses the cached information.

To prevent users from logging on when a mandatory profile isn't available, add the .man extension to the profile folder. For example, if the mandatory profile is \\server\share\mandatory, rename it to \\server\share\mandatory.man.

Editor's Picks

Free Newsletters, In your Inbox