How to Create Mandatory Profiles with Windows NT 4.0

This article was previously published under Q168476
This article has been archived. It is offered "as is" and will no longer be updated.
This article describes how to create mandatory profiles forWindows NT version 4.0.
To create a mandatory profile for Windows NT 4.0, perform the followingsteps:
  1. Create a user called "Template" who will have the same privileges and rights as the users in the group for which you are creating the mandatory profile. (This step is very important so that you do not have conflicting permissions while setting up shares, programs, and so on.)
  2. Log on to the computer running Windows NT Workstation as the new Template user and set up the profile (set up the desktop, install applications, and so on) to your specifications and log off the computer. The profile will not be created until you log off.
  3. Log back on to the computer running Windows NT Workstation as a user with administrator privileges on the local workstation as well as on the domain and start the System tool in Control Panel. Select the User Profiles tab.
  4. Highlight the profile for your Template user and select Copy To. In the Copy To dialog box, you will need to specify where you want to copy the profile and who is permitted to use it.
    1. Under the Permitted To Use section of this dialog box, click Change and select the user or group who will be permitted to use this profile.
    2. Next, you will need to specify where you want to COPY PROFILE TO. For a server based mandatory profile, you will need to specify the following information:
      \\ServerName\Sharename\Name of Profile
      For example, \\PENDRAGON1\Profiles\mandatory.

    If you are using mandatory profiles, go to step 5; otherwise, go to step 6.

  5. Windows NT 4.0 has implemented two levels of security in mandatory profiles.

    The first level is to rename the Ntuser.dat file to .man. This will allow the users of a mandatory profile to log on to the domain using cached information, if the profile is unavailable on the central server.
    1. The steps to implement the first level of mandatory security: Change the user's profile path in user manager to reflect the mandatory profile.
      Rename the Ntuser.dat to under the profile directory

      The second level is to add a .MAN extension on the directory name. When using the .man extension, if the profile is unavailable, the workstation will not log the user on and it will return to the CTRL+ALT+DELETE logon screen.

    2. The steps in getting the second level of security are:
      1. Add .man extension to profile path in user manager:
      2. Add .man extension to server based profile DIRECTORY and the Ntuser.dat file needs to be renamed to
  6. Click OK to copy the profile to where you have specified. Open Windows NT explorer and connect to the path where you have copied the profile. Open the directory and rename the Ntuser.dat to This will prevent users from being able to modify the profile. If this is not renamed, it will not function as a mandatory profile.
  7. In User Manager for Domains, select the users you want to use the mandatory profile and in the properties for each user, select Profile and specify the path to where the mandatory profile exists in the User Profile Path box. This must be a UNC path so it must be in the form of \\Server\Share\Profile (all users who are going to be using this profile must have at least read access to the root share and the profile folder).
  8. Test by logging on to the workstation as another user who has just been granted the mandatory profile.

Article ID: 168476 - Last Review: 01/11/2015 01:29:46 - Revision: 1.1

  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
  • kbnosurvey kbarchive kbinfo kbnetwork KB168476