How to create a Mandatory profile with Folder Redirections

Mandatory profiles are increasingly being used. This is partly due the rise of user virtualizations software like AppSense, RES Software and Microsoft UE/V, which use a mandatory profile as a basis. Not surprising because with mandatory profiles in combination with user virtualization software, the user logon times are pretty reduced and there is less risk of profile corruption.

There are quite a few ways to create a mandatory profile, with this blog I want to explain my way of creating a mandatory profile and what I think is the most efficient.

Before you begin, go to the Folder Options and make sure “Show hidden files, folders, and drives” is selected and that “Hide extensions for known file types” and “Hide protected operating system files (Recommended)” is deselected.


Step 1 – Create a share for the Mandatory profile

On a central file server, create and share a folder that you want to use for the Mandatory profile. Apply the following share permissions;

Authenticated Users – Read
Administrators – Full Control

To provide better security, always create the share on a NTFS volume. Make sure you set the following NTFS access permissions (including child objects);

SYSTEM – Full Control
Administrators – Full Control
Authenticated Users – Read & Execute

Step 2 – Create a Share for the Folder Redirections

On a central file server, create and share a folder that you want to use for the folder redirections and apply the following share and NTFS permissions.

Share Permissions

Everyone – Change
Administrators – Full Control

NTFS Permissions

CREATOR OWNER (Subfolders and files only)
–        Full control
Authenticated Users (This folder only)
–        Traverse folder / execute files
–        List folder / read data
–        Read attributes
–        Read extended attributes
–        Create folders / append data
–        Read permissions
SYSTEM (This folder, subfolders and files)
–        Full control
Administrators (This folder, subfolders and files)
–        Full control

To configure that users only can see the files and folders they have access rights to, enable Access Based Enumeration on the share.


Step 3 – Create a Local Template user

On a Windows Server 2008 R2 (or Windows 7 client) create a Local non-administrative user account.

If you do create a Local administrator account you get the following unnecessary settings within the profile;

Software\Microsoft\Microsoft Management Console
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 (through 4)

The last registry hive has a lot of setting… and why should you’re creating an administrator account anyway?

For this guide I will create a Template user with the name “robinhobo-com”.

Step 4 – Login with the Template account you just created

Login with the local user account created in step 3 and do the necessary customizations. To keep the profile as clean as possible, customize only what is necessary. Mostly I customize the Pinned Items, the System Tray icons behaviour and some Start Menu properties.


I also remove all the public folders from the users Libraries. You can do this while customize the template user or afterwards by editing the library XML files (see step 5).

To clear the recently opened programs in the Start menu (as shown in the right image below), open the Taskbar and Start Menu Properties, open the Start Menu tab, unselect “Store and display recently opened programs in the Start menu” and “Store and display recently opened items in the Start menu and the taskbar” (as shown in the left image below), hit the Apply button. Now select both options again and click Apply.


When you’re done with the customization of the profile, log out.

Step 5 – Clean up the Template user

First of all, I will make a local backup copy of the profile (under an administrator account). As you can see in the picture below, all unnecessary shortcuts from the profile are automatically removed by this copy action.


I will use the backup copy to finish the Mandatory profile. The next step is to load the NTUSER.DAT in the Registry Editor.


Open the Registry Editor, select HKEY_LOCAL_MACHINE, open the File menu and select Load Hive..


Enter a key name, in this case I will give the key the name “robinhobo-com”.


Right click the Loaded Hive and select Permissions. Remove the template user and the administrators group. Add Authenticated Users and give this group Full Control permissions. Click OK.

Consider whether you can empty / delete the following registry keys in your environment;

–        <loaded hive>\Software\Microsoft\SoftGrid\4.5\Client\UserInfo\DataDirectory
–        <loaded hive>\Software\Microsoft\WAB\(Default)
–        <loaded hive>\Software\Policies
–        <loaded hive>\Software\Microsoft\CurrentVersion\Policies
–        <loaded hive>\Software\Microsoft\Windows\CurrentVersion\Run
–        <loaded hive>\Software\Microsoft\Windows\CurrentVersion\RunOnce

Within the <loaded hive> search for the template user name and replace it with %username%, except for Shell Folders.

Shell Folders

Shell Folders is a different story. Some people leave as it is, some people replaces the Template username with %username% and some people delete all the Shell Folder keys.
The problem is that some applications needs this keys to work well and they cannot handle with variables.

I will delete the keys except the “(default)”, “!Do not use this registry key” and “Fonts” and let Windows recreate the keys with the Active Setup at user logon.


To do that delete the following registry key;

–        <loaded hive>\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}

Now when the user logs on, the Active Setup will recreate the Shell Folders in the right way so that programs that need the Shell Folder keys will work well.


Select the <loaded hive>, go the File menu and click on Unload Hive. Close the registry editor.

Delete the following files and folders within the profile folder;

–        AppData\Local
–        AppData\LocalLow
–        Contacts\<username>.contact
–        The .LOG1, .LOG2, .blf and the .regtrans-ms files


Public Folders

As I mentioned in step 4 you can remove afterwards the public folders from the libraries.
To do so edit the following (hidden) files;

–        Documents.library-ms
–        Music.library-ms
–        Pictures.library-ms
–        Videos.library-ms

These files are located in the following location and are only visible through the command prompt;


Remove the last “searchConnectorDescription” element from the files to remove the Public folder as shown in the picture below.


Step 6 – Copy the profile to the network share

 Copy the profile to the network share created in step 1. Rename the folder to a name so that it is recognizable as a mandatory profile and append the .V2 extension to it (for example “manprofw2k8.V2”).


Step 7 – Configure the Group Policies

Enable the Mandatory profile for Remote Desktop Services / Citrix XenApp

To enable a mandatory profile for Remote Desktop Services or Citrix XenApp, apply the following GPO settings for the RDS/XenApp OU: (mandatory profile will only be applied when connecting through RDP or ICA)

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Profiles

–        Use mandatory profiles on the RD Session Host server – Enabled
–        Set path for Remote Desktop Services Roaming User Profile – Enabled

In the last setting specify the profile path in this form: “\\Computername or DFS namespace\Sharename\profile folder”. DO NOT INCLUDE THE .V2 OF THE PROFILE FOLDER. For example “\\hobo.lan\dfs\Mandatory\manprofw2k8”

Enable the Mandatory profile for Windows 7

To enable a mandatory profile for Windows 7, apply the following GPO settings for the Windows 7 OU:

Computer Configuration > Policies > Administrative Templates > System > User Profiles

–        Delete cached copies of roaming profiles – Enabled
–        Set roaming profile path for all users logging onto this computer – Enabled

In the last setting specify the profile path in this form: “\\Computername or DFS namespace\Sharename\profile folder”. DO NOT INCLUDE THE .V2 OF THE PROFILE FOLDER. For example “\\hobo.lan\dfs\Mandatory\manprofw7”.

Enable Folder Redirection

To enable user folder redirection, apply the following GPO settings for (domain) users:

User Configuration > Policies > Windows Settings > Folder Redirection

You can redirect the following folders;

–        AppData (Roaming) (Not recommended with a mandatory profile)
–        Desktop
–        Start Menu
–        Documents
–        Pictures
–        Music
–        Videos
–        Favorites
–        Contacts
–        Downloads
–        Links
–        Searches
–        Saved Games


On the Target tab select “Basic – Redirect everyone’s folder to the same location”. By Target folder location select “Create a folder for each user under the root path”. By Root Path fill in the share created in step 2. Make sure that “Grant the user exclusive rights to Documents” is deselected on the Settings tab.

To disable the message “Some library features are unavailable due to unsupported library locations” from appearing apply the following policy;

User Configuration > Policies > Administrative Templates > Windows Components > File Explorer

–        Turn off Windows Libraries features that rely on indexed file data – Enabled



  • Great artcle! Is it best to install all of your base apps first including Citrix?

  • Hi,

    I’m getting the messege: User’s profile cannot load but temp profile was loaded.
    do i need to set the .V2 in ADUC?

    • Probably has to do with incorrect user rights on file level or within the mandatory profile itself (registry).

  • Hi
    Great article, i realy appreciate it! But i have one question after reading this:
    Why do you say “AppData (Roaming) (Not recommended with a mandatory profile)”. What happens with settings like the Outlook-Profile or Software-Settings? They will not be persistent, won’t they?

    • It is not recommended by Microsoft, if you want to keep all the users settings you need to use roaming profiles or thirt party software like AppSense of RES.

  • Robin, great as reference, just used it for one of my customers. Some minor details for that reason;
    – the last setting for Windows libraries features that rely on indexed file data is located under User config\admin templates \ windows components\Windows Explorer (typo there, file explorer does not exist)
    – perhaps a word on ‘allow logon locally’ for the template user in local settings\security
    – a word on ‘no GPO’s assigned/block policy on OU of machine on which you create the manprof’ or maybe perform this instruction on not domain joined computer account
    – considerations for creating the profile on empty machine vs. machine with all apps of master image installed?
    – a link and word about the Microsoft articles on mandatory profile creation; kb973289 and cc786301

    Happy profiling!

    Roland van der Kruk

  • Hello,

    Thanks for your great and helpfull blog.
    I got one issue, when i make a mandatory profile this way and we install Internet Explorer 11 after wards it wont start. It will only run “As administrator”.

    have you ever seen it? Is there something i did wrong? I cant find out why its not working.

  • Hey Robin, you use the Server2012 policy setting for mandatory profile but that didn’t work for me untill I renamed my mandatory profile folder to TSmandatory.V2 and the profile path in the GPO to that without .V2 of course. Then I checked with a new logged on user and I could see the folder I added to the profile under appdata\roaming which proved I was now finally using the mandatory profile!

    Only then, the profile was also removed after logoff under c:\users with the setting to ‘delete cached copies of roaming profiles’ under system/user Profiles in the GPO Administrative templates

  • Hello,

    Thanks for your great and helpfull blog.
    I got one issue, when i make a mandatory profile this way .But Internet doesn’t work in the profile.If we right click the browser and run as administrator ,It works.

    have you ever seen it? Is there something i did wrong? I cant find out why its not working.


About Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.