GrinchyNet
I strive to bring you nothing of importance

How to Lock Down a User Profile Using Group Policy

Creating the User Account

  1. Open up Active Directory Users and Computers
  2. Create a new Organizational Unit for your new user
    1. Right click the Domain Name
    2. Select New -> Organizational Unit
    3. Type in the name of the OU and click the OK button
  3. Create a new user account
    1. Highlight the new OU
    2. Right click and select New -> User
    3. The only information needed here is First Name and User logon Name. Click the Next button.
    4. Type in the Password and confirm it. Ensure the password conforms with the password requirements for the organization. Uncheck User must change password at next logon. Place a check next to User cannot change password and Password never expires. Click the Next button.
    5. Click the Finish button if no changes need to be made

Initial Profile Setup

  1. Log on to a Windows XP workstation with the new user account
  2. Delete unnecessary icons from the desktop
  3. Right click the Start button and select Properties
  4. Ensure Start Menu is selected and click the Customize button
  5. On the General tab click the Clear List button and uncheck Internet and E-mail.
  6. Click the Advanced Tab
  7. Any settings can be changed here but the one we uncheck is Printers and faxes. Leave this checked if your profile will have access to printers. Click the OK button.
  8. If there are any programs the user needs to access you can add them to the start menu by clicking Start -> All Programs and right clicking the application and selecting Pin to Start Menu.

Making the Profile Mandatory

  1. Log off the user account and log back in with an Administrator account.
  2. Navigate to C:\Documents and Settings\Name-of-new-user
  3. Make sure Show Hidden Files and Folders is enabled. Select all files and copy them.
  4. Navigate to the network share the profile will be stored in. For example \\server\profiles\lockdown.
  5. Paste the files you copied in the last step.
  6. Right click NTUSER.DAT and select Rename. Change the extension to .MAN. You must have Hide extensions for known file types disabled to change the extension.
  7. Open up Active Directory Users and Computers
  8. Right click the new user account and select Properties
  9. Click the Profile tab, enter the path to the profile and click the OK button. As an example \\server\profiles\lockdown
  10. On the workstation delete the profile from C:\Documents and Settings
  11. Log off and log back on with the user account. The profile information will be pulled from the network share. If you receive any errors make sure the permissions are correct for the shared folder.
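The same account creation and mandatory-profile steps, scripted as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is available, an OU named Lockdown, a user named kiosk, and the share \\server\profiles\lockdown; the local profile path is the XP one from the walkthrough.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$domainDn     = (Get-ADDomain).DistinguishedName
$ouName       = 'Lockdown'                          # assumed OU name
$userName     = 'kiosk'                             # assumed user logon name
$profileShare = '\\server\profiles\lockdown'        # share from the walkthrough
$localProfile = "C:\Documents and Settings\$userName"  # XP path; Vista+ uses C:\Users

# Creating the User Account: OU under the domain root, then the user with the
# same checkboxes the GUI steps set.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn

$password = Read-Host -AsSecureString -Prompt "Initial password for $userName"
$userParams = @{
    Name                  = $userName
    SamAccountName        = $userName
    GivenName             = $userName
    Path                  = "OU=$ouName,$domainDn"
    AccountPassword       = $password
    ChangePasswordAtLogon = $false   # "User must change password at next logon" unchecked
    CannotChangePassword  = $true    # "User cannot change password" checked
    PasswordNeverExpires  = $true    # "Password never expires" checked
    Enabled               = $true
}
New-ADUser @userParams

# Making the Profile Mandatory: run this part on the workstation as an
# administrator after the interactive profile setup, with the kiosk user logged
# off (NTUSER.DAT is locked while the user is logged on).
# -Force is needed so the hidden NTUSER.DAT is included in the copy.
Copy-Item -Path "$localProfile\*" -Destination $profileShare -Recurse -Force
Rename-Item -Path (Join-Path $profileShare 'NTUSER.DAT') -NewName 'NTUSER.MAN'

# Point the account at the share. Windows treats NTUSER.MAN as read-only, so
# nothing the user changes during a session is written back to the profile.
Set-ADUser -Identity $userName -ProfilePath $profileShare

# Step 10: remove the local copy so the next logon pulls the share copy.
Remove-Item -Path $localProfile -Recurse -Force

# Check before handing the account over: the mandatory hive must exist at the
# share path. Share and NTFS permissions still need to be verified by hand;
# the user needs Read on the share and the profile folder.
if (-not (Test-Path (Join-Path $profileShare 'NTUSER.MAN'))) {
    throw "NTUSER.MAN not found at $profileShare; the profile will not load as mandatory."
}
```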