Profiles offer many user benefits, but they don’t always solve the
problems that administrators face. One such challenge is when working with a
closed environment, in which administrators define the settings and
lock them down to prevent users from making modifications. For
example, say you want complete control over all computers and
settings. You want each PC to have a blue background, five icons on
the desktop, five programs on the Start menu, and the taskbar
placed on the upper side of the screen. However, while you can
configure these settings via the profiles, users can still change
them.

To help you stay in control, Microsoft
implemented mandatory profiles, which enable administrators to
define settings that users can’t permanently change. With mandatory
profiles, a user can alter the settings, but the computer won’t
save the changes when the user logs off.

You can “convert” an existing profile to a
mandatory profile by renaming the Ntuser.dat file to Ntuser.man.
When the user logs on, he or she will then have a mandatory
profile, and the computer can’t save any changes that he or she
makes to the environment.

Mandatory profiles are especially useful when
you want to assign the same settings to several users. Instead of
creating a profile for each user, you can create one profile,
change it to a mandatory profile, and assign it to multiple
users.

But there’s a catch to using a mandatory
profile. If the profile isn’t available, the user can still log on
because the system uses the cached information.

To prevent users from logging on when a
mandatory profile isn’t available, add the .man extension to the
profile folder. For example, if the mandatory profile is
\\server\share\mandatory, rename it to
\\server\share\mandatory.man.