Create mandatory user profiles (2024)

A mandatory user profile is a roaming user profile that has been preconfigured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but aren't limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile aren't saved when a mandatory user profile is assigned.

Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.

When the server that stores the mandatory profile is unavailable, such as when the user isn't connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user is signed in with a temporary profile.

User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from NTuser.dat to NTuser.man. The .man extension causes the user profile to be a read-only profile.

Profile extension for each Windows version

The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it applies to. The following table lists the correct extension for each operating system version.

For more information, see Deploy Roaming User Profiles, Appendix B and Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview.

Mandatory user profile

First, you create a default user profile with the customizations that you want, run Sysprep with CopyProfile set to True in the answer file, copy the customized default user profile to a network share, and then you rename the profile to make it mandatory.

How to create a default user profile

1. Sign in to a computer running Windows as a member of the local Administrator group. Don't use a domain account.

   Note

   Use a lab or extra computer running a clean installation of Windows to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.

   See Also

   Activating Roaming on Mobile Devices [2024]: Step-by-Step Guide | Global YO

2. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.

   Note

   Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see Related topics.

3. Create an answer file (Unattend.xml) that sets the CopyProfile parameter to True. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use Windows System Image Manager, which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.

4. Uninstall any application you don't need or want from the PC. For examples on how to uninstall Windows Application see Remove-AppxProvisionedPackage. For a list of uninstallable applications, see Understand the different apps included in Windows.

   Note

   It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.

5. At a command prompt, type the following command and press ENTER.

   sysprep /oobe /reboot /generalize /unattend:unattend.xml

   (Sysprep.exe is located at: C:\Windows\System32\sysprep. By default, Sysprep looks for unattend.xml in the same folder.)

   Tip

   If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\System32\Sysprep\Panther\setupact.log and look for an entry like the following:

   

   Use the Remove-AppxProvisionedPackage and Remove-AppxPackage -AllUsers cmdlet in Windows PowerShell to uninstall the app that is listed in the log.

6. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the setup, and then sign in to the computer using an account that has local administrator privileges.

7. Right-click Start, go to Control Panel (view by large or small icons) > System > Advanced system settings, and select Settings in the User Profiles section.

8. In User Profiles, select Default Profile, and then select Copy To.

   

9. In Copy To, under Permitted to use, select Change.

   

10. In Select User or Group, in the Enter the object name to select field, type everyone, select Check Names, and then select OK.

11. In Copy To, in the Copy profile to field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct extension for the operating system version. For example, the folder name must end with .v6 to identify it as a user profile folder for Windows 10, version 1607 or later.

    • If the device is joined to the domain and you're signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.

      

    • If the device isn't joined to the domain, you can save the profile locally, and then copy it to the shared folder location.

12. Select OK to copy the default user profile.

How to make the user profile mandatory

1. In File Explorer, open the folder where you stored the copy of the profile.

   Note

   If the folder is not displayed, click View > Options > Change folder and search options. On the View tab, select Show hidden files and folders, clear Hide protected operating system files, click Yes to confirm that you want to show operating system files, and then click OK to save your changes.

2. Rename Ntuser.dat to Ntuser.man.

Verify the correct owner for the mandatory profile folders

1. Open the properties of the "profile.v6" folder.
2. Select the Security tab and then select Advanced.
3. Verify the Owner of the folder. It must be the builtin Administrators group. To change the owner, you must be a member of the Administrators group on the file server, or have "Set owner" privilege on the server.
4. When you set the owner, select Replace owner on subcontainers and objects before you select OK.

Apply a mandatory user profile to users

In a domain, you modify properties for the user account to point to the mandatory profile in a shared folder residing on the server.

How to apply a mandatory user profile to users

1. Open Active Directory Users and Computers (dsa.msc).
2. Navigate to the user account that you want to assign the mandatory profile to.
3. Right-click the user name and open Properties.
4. On the Profile tab, in the Profile path field, enter the path to the shared folder without the extension. For example, if the folder name is \\server\share\profile.v6, you would enter \\server\share\profile.
5. Select OK.

It can take some time for this change to replicate to all domain controllers.

Apply policies to improve sign-in time

When a user is configured with a mandatory profile, Windows starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table.

Related articles

• Manage Windows 10 Start layout and taskbar options
• Lock down Windows 10 to specific apps
• Windows Spotlight on the lock screen
• Configure devices without MDM