windows 10: create local mandatory (unchangeable) user profile

Question

We have a stand alone (not in a domain) desktop computer running Windows 10 x64 Pro that is connected to a projector.

This computer is used by various teachers for teaching purpose using programs like Autocad, Archicad, Office 2013, Visual Studio and so on.

It often happens that teachers customize the environment moving bars, palettes, changing colors, and other stuff and this annoys the other teachers that have to restore the normal configuration of the environment manually.

So we'd like to create a local mandatory user profile so that every change people do to the environment, every file copied to Desktop or Documents folder etc. , every customization will be lost at next logon. All the infos we found on the web don't work or only work for a domain environment. So, the question is:

Is it possible to create a local mandatory (i.e. unchangeable) profile for a stand alone computer running Windows 10 Pro just using the features offred by the operating system without using third party programs?

We found that forcing the account acting as a temporary account works for our needs but we are not able to remove the warning telling that all data will be lost at logoff: for us this approach can be useful if there is the possibility to eliminate these warnings and notices. Thanks.

Answer 1

I was stuck in similar situation like you. Here is my current solution: Overwrite the profile everytime shutdown using robocopy.

1. create an account with all default settings you want to use.
2. make a copy of that profile folder by robocopy. eg, robocopy c:\users\xxx c:\users\xxx_bak /mir /xj
3. create a bat. "echo d | robocopy c:\users\xxx_bak c:\users\xxx /mir /xj"
4. set shutdown script to run the bat

for my 10-year-old PC (Core2Duo + new SSD), it takes maybe 10-20 seconds to shutdown for profile with around 300MB.

it can't restore (until next shutdown) if power off suddenly / log out. I thought about using robocopy in start script, just not sure if windows will wait the bat to finish before login. you could try.

Answer 2

Yes it can be done easily:

Login with your local administrator account ( if not present enable it and set a password from local users groups by navigating to > right click on ThisPc > manage > local users and groups > users )

Navigate to C:\Users\YourUsername . Then show hidden files and folders from folder option and locate the file name NTUSER.dat and change its extension to .man > NTUSER.man .

Make sure you edit your settings before changing the extension file name .

Answer 3

I managed to do it with this method. After creating default profile :

    1. Go to control panel 》 system 》 advanced system properties 》 user
profiles settings 》
    2. Select Default Profile and press copy to, desktop address name it Mandatory.v6
    3. Below permitted to use, Press change and type "authenticated users" 
       ,press check names. Also DO NOT tick mandatory profile
    4. Right click on Mandatory folder we just created, Security > Edit > 
       Add > change location to your PC's name > type ALL
       APPLICATION PACKAGES and check names, give it full control
    5. On Security tab press advance, tick "replace all object permission 
       entries with inheritable permission entries from this object"
    6. Open regedit with administrator privilege, highlight HKEY_USERS, file > load hive > select ntuser.dat on mandatory.v6
folder we created earlier, name it mandatory
    7. Right click on that folder > permission > add user > Authenticated Users, check name and give it full control
    8. Right click on that folder > permission > add user > type ALL APPLICATION PACKAGES > check name and give it full control
    9. Still on regedit Create new key #Mandatory, and new text file mandatoryv6 on mandatory.v6 folder earlier
    10. Delete all occurences of Administrator using right click > find, keep pressing del and f3 (next result) careful only delete
occurences under mandatory folder.
    11. Right Mandatory folder and export keys, name it mandatory.v6
    12. Highlight mandatory folder, file > unload hive
    13. Rename ntuser.dat into ntuser.man in mandatory.v6 folder
    14. Open regedit with administrator privilege, highlight HKEY_USERS, file > load hive > select ntuser.man on mandatory.v6
folder we created earlier, name it mandatory
    15. Run mandatory.reg that we exported in step#22
    16. Unload mandatory hive!
    17. Repeat from step #1 according to how many profile you plan to make
    18. Win+ Run > lusrmgr.msc, then on profile tab give each user the address of mandatory profile folder (without v6!)
    19. Your Mandatory profile is now ready, test it by adding something on the desktop, logoff and logon, the changes should not
persist anymore

Modifying mandatory profile :

    1.  Login as admin
    2. Rename ntuser.man in mandatory folder with ntuser.dat
    3. login as any of the mandatory profile
    4. Make changes, enter admin pass when required
    5. Logout mandatory profile, login admin, rename ntuser.dat to ntuser.man again

But after a couple of reboot or so i noticed sometimes it fails to login.. I havent tested it on newer windows version though..

Answer 4

The following works with a standalone / personal Windows device, an Active Directory joined device, and an Azure AD joined device:

Create local "visitor" account in Windows:

• Logon as local administrator.
• Open Computer Management, Users
• Create local user, "visitor" for this example.
• Logoff, sign in as ".\visitor"
• Windows creates the default account settings, "please wait while we get things ready..."
• Do whatever you want to set up the account how you want it to work for everyone.

Make the user directory into a super-mandatory account, and read-only:

• Sign off, then logon as local administrator again.
• Open C:\Users, and rename "visitor" to "visitor.man"
• View properties for Visitor.man, Security, Advanced
• Delete user "visitor" from the object.
• Add principal, type visitor, accept default read-only permissions.
• Check box, Replace permissions on subfolders

Sign off, then logon as ".\visitor"

• Rather than making you sit through the initial account setup, this time it just says "preparing Windows" under the login message. It will quickly transition to the desktop.
• An error message appears on the desktop, "we could not sign you into your account" - ignore it, and click Close.
• A notification appears in the bottom right: "You have been logged on with a temporary profile. Any saved files will be deleted when you logout."
• If you look in C:\Users while logged on as visitor, you will see your user account is named TEMP.

If you need to make changes to the visitor account:

• Logon again as local administrator
• Assign user "visitor" Modify and Write privileges to "Visitor.man"
• Rename user directory from "visitor.man" back to "visitor"

Answer 5

Please Backup first and try this, go to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

and create these 4 DWORDS there and set value 0 for all

ShowInfoTip
FolderContentsInfoTip
StartButtonBalloonTip
EnableBalloonTips