diff options
author | Gerald Carter <jerry@samba.org> | 2003-09-24 15:05:22 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2003-09-24 15:05:22 +0000 |
commit | 293421f3c64a2adff7dc15f7ad3adb6120c9fd16 (patch) | |
tree | b18b6e0cda6e04dac9f47ab9fdb661f1dfa65b7b /docs/docbook/projdoc/ProfileMgmt.xml | |
parent | 43004ba8830874a8ab02bc755b1e99160af982b5 (diff) | |
download | samba-293421f3c64a2adff7dc15f7ad3adb6120c9fd16.tar.gz samba-293421f3c64a2adff7dc15f7ad3adb6120c9fd16.tar.bz2 samba-293421f3c64a2adff7dc15f7ad3adb6120c9fd16.zip |
syncing up docs, examples, & packaging from 3.0
(This used to be commit dd1348c566b4700ea01bd89639e2d3330c878167)
Diffstat (limited to 'docs/docbook/projdoc/ProfileMgmt.xml')
-rw-r--r-- | docs/docbook/projdoc/ProfileMgmt.xml | 1472 |
1 files changed, 606 insertions, 866 deletions
diff --git a/docs/docbook/projdoc/ProfileMgmt.xml b/docs/docbook/projdoc/ProfileMgmt.xml index 37ae2d41e8..7171884410 100644 --- a/docs/docbook/projdoc/ProfileMgmt.xml +++ b/docs/docbook/projdoc/ProfileMgmt.xml @@ -10,22 +10,22 @@ <title>Features and Benefits</title> <para> -Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for +Roaming profiles are feared by some, hated by a few, loved by many, and a Godsend for some administrators. </para> <para> -Roaming Profiles allow an administrator to make available a consistent user desktop +Roaming profiles allow an administrator to make available a consistent user desktop as the user moves from one machine to another. This chapter provides much information -regarding how to configure and manage Roaming Profiles. +regarding how to configure and manage roaming profiles. </para> <para> -While Roaming Profiles might sound like nirvana to some, they are a real and tangible +While roaming profiles might sound like nirvana to some, they are a real and tangible problem to others. In particular, users of mobile computing tools, where often there may not -be a sustained network connection, are often better served by purely Local Profiles. -This chapter provides information to help the Samba administrator to deal with those -situations also. +be a sustained network connection, are often better served by purely local profiles. +This chapter provides information to help the Samba administrator deal with those +situations. </para> </sect1> @@ -35,25 +35,25 @@ situations also. <warning> <para> -Roaming profiles support is different for Win9x / Me and Windows NT4/200x. +Roaming profiles support is different for Windows 9x/Me and Windows NT4/200x. </para> </warning> <para> Before discussing how to configure roaming profiles, it is useful to see how -Windows 9x / Me and Windows NT4/200x clients implement these features. +Windows 9x/Me and Windows NT4/200x clients implement these features. </para> <para> -Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's +Windows 9x/Me clients send a NetUserGetInfo request to the server to get the user's profiles location. However, the response does not have room for a separate -profiles location field, only the user's home share. This means that Win9X/Me +profiles location field, only the user's home share. This means that Windows 9x/Me profiles are restricted to being stored in the user's home directory. </para> <para> -Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields, +Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields including a separate field for the location of the user's profiles. </para> @@ -68,8 +68,7 @@ This section documents how to configure Samba for MS Windows client profile supp <title>NT4/200x User Profiles</title> <para> -To support Windows NT4/200x clients, in the [global] section of smb.conf set the -following (for example): +For example, to support Windows NT4/200x clients, set the followoing in the [global] section of the &smb.conf; file: </para> <para> @@ -77,68 +76,66 @@ following (for example): <smbconfoption><name>logon path</name><value>\\profileserver\profileshare\profilepath\%U\moreprofilepath</value></smbconfoption> </smbconfblock> - This is typically implemented like: +This is typically implemented like: <smbconfblock> <smbconfoption><name>logon path</name><value>\\%L\Profiles\%u</value></smbconfoption> </smbconfblock> -where %L translates to the name of the Samba server and %u translates to the user name +where <quote>%L</quote> translates to the name of the Samba server and <quote>%u</quote> translates to the user name. </para> <para> -The default for this option is <filename>\\%N\%U\profile</filename>, -namely <filename>\\sambaserver\username\profile</filename>. -The <filename>\\N%\%U</filename> service is created automatically by the [homes] service. If you are using -a samba server for the profiles, you _must_ make the share specified in the logon path +The default for this option is <filename>\\%N\%U\profile</filename>, namely <filename>\\sambaserver\username\profile</filename>. +The <filename>\\N%\%U</filename> service is created automatically by the [homes] service. If you are using +a Samba server for the profiles, you must make the share that is specified in the logon path browseable. Please refer to the man page for &smb.conf; in respect of the different -semantics of %L and %N, as well as %U and %u. +semantics of <quote>%L</quote> and <quote>%N</quote>, as well as <quote>%U</quote> and <quote>%u</quote>. </para> <note> <para> -MS Windows NT/2K clients at times do not disconnect a connection to a server -between logons. It is recommended to NOT use the <smbconfsection>homes</smbconfsection> -meta-service name as part of the profile share path. +MS Windows NT/200x clients at times do not disconnect a connection to a server between logons. It is recommended +to not use the <smbconfsection>homes</smbconfsection> meta-service name as part of the profile share path. </para> </note> </sect3> <sect3> -<title>Windows 9x / Me User Profiles</title> +<title>Windows 9x/Me User Profiles</title> <para> - To support Windows 9x / Me clients, you must use the <smbconfoption><name>logon home</name></smbconfoption> parameter. Samba has -now been fixed so that <userinput>net use /home</userinput> now works as well, and it, too, relies +To support Windows 9x/Me clients, you must use the <smbconfoption><name>logon home</name></smbconfoption> +parameter. Samba has been fixed so <userinput>net use /home</userinput> now works as well and it, too, relies on the <command>logon home</command> parameter. </para> <para> -By using the logon home parameter, you are restricted to putting Win9x / Me -profiles in the user's home directory. But wait! There is a trick you -can use. If you set the following in the <smbconfsection>[global]</smbconfsection> section of your &smb.conf; file: +By using the logon home parameter, you are restricted to putting Windows 9x/Me profiles in the user's home +directory. But wait! There is a trick you can use. If you set the following in the +<smbconfsection>[global]</smbconfsection> section of your &smb.conf; file: </para> <para><smbconfblock> <smbconfoption><name>logon home</name><value>\\%L\%U\.profiles</value></smbconfoption> </smbconfblock></para> <para> -then your Windows 9x / Me clients will dutifully put their clients in a subdirectory -of your home directory called <filename>.profiles</filename> (thus making them hidden). +then your Windows 9x/Me clients will dutifully put their clients in a subdirectory +of your home directory called <filename>.profiles</filename> (making them hidden). </para> <para> -Not only that, but <userinput>net use /home</userinput> will also work, because of a feature in -Windows 9x / Me. It removes any directory stuff off the end of the home directory area +Not only that, but <userinput>net use /home</userinput> will also work because of a feature in +Windows 9x/Me. It removes any directory stuff off the end of the home directory area and only uses the server and share portion. That is, it looks like you specified <filename>\\%L\%U</filename> for <smbconfoption><name>logon home</name></smbconfoption>. </para> </sect3> <sect3> -<title>Mixed Windows 9x / Me and Windows NT4/200x User Profiles</title> +<title>Mixed Windows 9x/Me and Windows NT4/200x User Profiles</title> <para> -You can support profiles for both Win9X and WinNT clients by setting both the +You can support profiles for Windows 9x and Windows NT clients by setting both the <smbconfoption><name>logon home</name></smbconfoption> and <smbconfoption><name>logon path</name></smbconfoption> parameters. For example: </para> @@ -152,250 +149,205 @@ You can support profiles for both Win9X and WinNT clients by setting both the <title>Disabling Roaming Profile Support</title> <para> - A question often asked is <quote>How may I enforce use of local profiles?</quote> or - <quote>How do I disable Roaming Profiles?</quote> +A question often asked is: <quote>How may I enforce use of local profiles?</quote> or +<quote>How do I disable roaming profiles?</quote> </para> <para> +<indexterm><primary>roaming profiles</primary></indexterm> There are three ways of doing this: +<indexterm><primary>windows registry settings</primary><secondary>roaming profiles</secondary></indexterm> </para> + <variablelist> <varlistentry> <term>In &smb.conf;</term> <listitem><para> - Affect the following settings and ALL clients - will be forced to use a local profile: - <smbconfblock> - <smbconfoption><name>logon home</name></smbconfoption> - <smbconfoption><name>logon path</name></smbconfoption> - </smbconfblock> + Affect the following settings and ALL clients will be forced to use a local profile: + <smbconfoption><name>logon home</name></smbconfoption> and <smbconfoption><name>logon path</name></smbconfoption> </para></listitem> </varlistentry> <varlistentry> - <term>MS Windows Registry:</term> + <term>MS Windows Registry</term> <listitem><para> - By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is: - <!-- FIXME: Diagram for this ? --> - <!-- FIXME: Yes, a diagram will help - JHT --> - <programlisting> - Local Computer Policy\ - Computer Configuration\ - Administrative Templates\ - System\ - User Profiles\ - - Disable: Only Allow Local User Profiles - Disable: Prevent Roaming Profile Change from Propagating to the Server - </programlisting> - </para> </listitem> + By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP + machine to use only a local profile. This, of course, modifies registry settings. The full + path to the option is: +<screen> +Local Computer Policy\ + Computer Configuration\ + Administrative Templates\ + System\ + User Profiles\ + +Disable: Only Allow Local User Profiles +Disable: Prevent Roaming Profile Change from Propagating to the Server +</screen> + </para> </listitem> </varlistentry> <varlistentry> <term>Change of Profile Type:</term> - <listitem><para> - From the start menu right click on the - My Computer icon, select <guimenuitem>Properties</guimenuitem>, click on the <guilabel>User Profiles</guilabel> - tab, select the profile you wish to change from Roaming type to Local, click <guibutton>Change Type</guibutton>. + <listitem><para>From the start menu right-click on <guiicon>My Computer icon</guiicon>, + select <guimenuitem>Properties</guimenuitem>, click on the <guilabel>User Profiles</guilabel> + tab, select the profile you wish to change from + <guimenu>Roaming</guimenu> type to <guimenu>Local</guimenu>, and click on + <guibutton>Change Type</guibutton>. </para></listitem> </varlistentry> </variablelist> <para> -Consult the MS Windows registry guide for your particular MS Windows version for more -information about which registry keys to change to enforce use of only local user -profiles. +Consult the MS Windows registry guide for your particular MS Windows version for more information +about which registry keys to change to enforce use of only local user profiles. </para> <note><para> The specifics of how to convert a local profile to a roaming profile, or a roaming profile -to a local one vary according to the version of MS Windows you are running. Consult the -Microsoft MS Windows Resource Kit for your version of Windows for specific information. +to a local one vary according to the version of MS Windows you are running. Consult the Microsoft MS +Windows Resource Kit for your version of Windows for specific information. </para></note> -</sect3> -</sect2> +</sect3> </sect2> -<sect2> -<title>Windows Client Profile Configuration Information</title> +<sect2> <title>Windows Client Profile Configuration Information</title> -<sect3> -<title>Windows 9x / Me Profile Setup</title> +<sect3> <title>Windows 9x/Me Profile Setup</title> <para> -When a user first logs in on Windows 9X, the file user.DAT is created, -as are folders <filename>Start Menu</filename>, <filename>Desktop</filename>, -<filename>Programs</filename> and <filename>Nethood</filename>. -These directories and their contents will be merged with the local -versions stored in <filename>c:\windows\profiles\username</filename> on subsequent logins, -taking the most recent from each. You will need to use the <smbconfsection>[global]</smbconfsection> -options <smbconfoption><name>preserve case</name><value>yes</value></smbconfoption>, <smbconfoption><name>short preserve case</name><value>yes</value></smbconfoption> and -<smbconfoption><name>case sensitive</name><value>no</value></smbconfoption> in order to maintain capital letters in shortcuts -in any of the profile folders. +When a user first logs in on Windows 9X, the file user.DAT is created, as are folders +<filename>Start Menu</filename>, <filename>Desktop</filename>, <filename>Programs</filename>, and +<filename>Nethood</filename>. These directories and their contents will be merged with the local +versions stored in <filename>c:\windows\profiles\username</filename> on subsequent logins, taking the +most recent from each. You will need to use the <smbconfsection>[global]</smbconfsection> options +<smbconfoption><name>preserve case</name><value>yes</value></smbconfoption>, +<smbconfoption><name>short preserve case</name><value>yes</value></smbconfoption> and +<smbconfoption><name>case sensitive</name><value>no</value></smbconfoption> +in order to maintain capital letters in shortcuts in any of the profile folders. </para> <para> -The user.DAT file contains all the user's preferences. If you wish to -enforce a set of preferences, rename their user.DAT file to user.MAN, -and deny them write access to this file. +The <filename>user.DAT</filename> file contains all the user's preferences. If you wish to enforce a set of preferences, +rename their <filename>user.DAT</filename> file to <filename>user.MAN</filename>, and deny them write access to this file. </para> <orderedlist> - <listitem> - <para> - On the Windows 9x / Me machine, go to <guimenu>Control Panel</guimenu> -> <guimenuitem>Passwords</guimenuitem> and - select the <guilabel>User Profiles</guilabel> tab. Select the required level of - roaming preferences. Press <guibutton>OK</guibutton>, but do _not_ allow the computer - to reboot. - </para> - </listitem> - - <listitem> - <para> - On the Windows 9x / Me machine, go to <guimenu>Control Panel</guimenu> -> <guimenuitem>Network</guimenuitem> -> - <guimenuitem>Client for Microsoft Networks</guimenuitem> -> <guilabel>Preferences</guilabel>. Select <guilabel>Log on to - NT Domain</guilabel>. Then, ensure that the Primary Logon is <guilabel>Client for - Microsoft Networks</guilabel>. Press <guibutton>OK</guibutton>, and this time allow the computer - to reboot. - </para> - </listitem> + <listitem> <para> + On the Windows 9x/Me machine, go to <guimenu>Control Panel</guimenu> -> + <guimenuitem>Passwords</guimenuitem> and select the <guilabel>User Profiles</guilabel> tab. + Select the required level of roaming preferences. Press <guibutton>OK</guibutton>, but do not + allow the computer to reboot. + </para> </listitem> + + <listitem> <para> + On the Windows 9x/Me machine, go to <guimenu>Control Panel</guimenu> -> + <guimenuitem>Network</guimenuitem> -> <guimenuitem>Client for Microsoft Networks</guimenuitem> + -> <guilabel>Preferences</guilabel>. Select <guilabel>Log on to NT Domain</guilabel>. Then, + ensure that the Primary Logon is <guilabel>Client for Microsoft Networks</guilabel>. Press + <guibutton>OK</guibutton>, and this time allow the computer to reboot. + </para> </listitem> </orderedlist> -<para> -Under Windows 9x / Me Profiles are downloaded from the Primary Logon. -If you have the Primary Logon as 'Client for Novell Networks', then -the profiles and logon script will be downloaded from your Novell -Server. If you have the Primary Logon as 'Windows Logon', then the -profiles will be loaded from the local machine - a bit against the -concept of roaming profiles, it would seem! -</para> +<para> Under Windows 9x/ME, profiles are downloaded from the Primary Logon. If you have the Primary Logon +as <quote>Client for Novell Networks</quote>, then the profiles and logon script will be downloaded from +your Novell Server. If you have the Primary Logon as <quote>Windows Logon</quote>, then the profiles will +be loaded from the local machine &smbmdash; a bit against the concept of roaming profiles, it would seem! </para> <para> -You will now find that the Microsoft Networks Login box contains -[user, password, domain] instead of just [user, password]. Type in -the samba server's domain name (or any other domain known to exist, -but bear in mind that the user will be authenticated against this -domain and profiles downloaded from it, if that domain logon server -supports it), user name and user's password. +You will now find that the Microsoft Networks Login box contains <constant>[user, password, domain]</constant> instead +of just <constant>[user, password]</constant>. Type in the Samba server's domain name (or any other domain known to exist, +but bear in mind that the user will be authenticated against this domain and profiles downloaded from it, +if that domain logon server supports it), user name and user's password. </para> -<para> -Once the user has been successfully validated, the Windows 9x / Me machine -will inform you that <computeroutput>The user has not logged on before</computeroutput> and asks you -<computeroutput>Do you wish to save the user's preferences?</computeroutput>. Select <guibutton>yes</guibutton>. -</para> +<para> Once the user has been successfully validated, the Windows 9x/Me machine will inform you that +<computeroutput>The user has not logged on before</computeroutput> and asks you <computeroutput>Do you +wish to save the user's preferences?</computeroutput> Select <guibutton>Yes</guibutton>. </para> -<para> -Once the Windows 9x / Me client comes up with the desktop, you should be able -to examine the contents of the directory specified in the <smbconfoption><name>logon path</name></smbconfoption> -on the samba server and verify that the <filename>Desktop</filename>, <filename>Start Menu</filename>, -<filename>Programs</filename> and <filename>Nethood</filename> folders have been created. -</para> +<para> Once the Windows 9x/Me client comes up with the desktop, you should be able to examine the +contents of the directory specified in the <smbconfoption><name>logon path</name></smbconfoption> on +the Samba server and verify that the <filename>Desktop</filename>, <filename>Start Menu</filename>, +<filename>Programs</filename> and <filename>Nethood</filename> folders have been created. </para> -<para> -These folders will be cached locally on the client, and updated when -the user logs off (if you haven't made them read-only by then). -You will find that if the user creates further folders or short-cuts, -that the client will merge the profile contents downloaded with the -contents of the profile directory already on the local client, taking -the newest folders and short-cuts from each set. -</para> +<para> These folders will be cached locally on the client, and updated when the user logs off (if +you haven't made them read-only by then). You will find that if the user creates further folders or +shortcut, that the client will merge the profile contents downloaded with the contents of the profile +directory already on the local client, taking the newest folders and shortcut from each set. </para> -<para> -If you have made the folders / files read-only on the samba server, -then you will get errors from the Windows 9x / Me machine on logon and logout, as -it attempts to merge the local and the remote profile. Basically, if -you have any errors reported by the Windows 9x / Me machine, check the UNIX file -permissions and ownership rights on the profile directory contents, -on the samba server. -</para> +<para> If you have made the folders/files read-only on the Samba server, then you will get errors from +the Windows 9x/Me machine on logon and logout as it attempts to merge the local and remote profile. +Basically, if you have any errors reported by the Windows 9x/Me machine, check the UNIX file permissions +and ownership rights on the profile directory contents, on the Samba server. </para> -<para> -If you have problems creating user profiles, you can reset the user's -local desktop cache, as shown below. When this user then next logs in, -they will be told that they are logging in "for the first time". -</para> - - <warning> - <para> - Before deleting the contents of the - directory listed in the ProfilePath (this is likely to be - <filename>c:\windows\profiles\username)</filename>, ask them if they - have any important files stored on their desktop or in their start menu. - Delete the contents of the directory ProfilePath (making a backup if any - of the files are needed). - </para> +<para> If you have problems creating user profiles, you can reset the user's local desktop cache, as +shown below. When this user next logs in, the user will be told that he/she is logging in <quote>for + the first time</quote>. + +<indexterm><primary>windows registry settings</primary><secondary>profile path</secondary></indexterm> + </para> - <para> - This will have the effect of removing the local (read-only hidden - system file) user.DAT in their profile directory, as well as the - local "desktop", "nethood", "start menu" and "programs" folders. - </para> - </warning> +<orderedlist> + <listitem><para> + Instead of logging in under the [user, password, domain] dialog, press <guibutton>escape</guibutton>. + </para> </listitem> + <listitem><para> + Run the <command>regedit.exe</command> program, and look in: + </para> -<orderedlist> - <listitem> - <para> - instead of logging in under the [user, password, domain] dialog, - press <guibutton>escape</guibutton>. - </para> - </listitem> - - <listitem> - <para> - run the <command>regedit.exe</command> program, and look in: - </para> - - <para> - <filename>HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</filename> - </para> - - <para> - you will find an entry, for each user, of ProfilePath. Note the - contents of this key (likely to be <filename>c:\windows\profiles\username</filename>), - then delete the key ProfilePath for the required user. - </para> - - <para>[Exit the registry editor].</para> - </listitem> - - <listitem> - <para> - search for the user's .PWL password-caching file in the <filename>c:\windows</filename> - directory, and delete it. - </para> - </listitem> - - <listitem> - <para> - log off the windows 9x / Me client. - </para> - </listitem> - - <listitem> - <para> - check the contents of the profile path (see <smbconfoption><name>logon path</name></smbconfoption> described - above), and delete the <filename>user.DAT</filename> or <filename>user.MAN</filename> file for the user, - making a backup if required. - </para> - </listitem> + <para> + <filename>HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</filename> + </para> + <para> + You will find an entry for each user of ProfilePath. Note the contents of this key + (likely to be <filename>c:\windows\profiles\username</filename>), then delete the key + <parameter>ProfilePath</parameter> for the required user. + </para></listitem> + + <listitem><para> + Exit the registry editor. + </para></listitem> + + <listitem><para> + Search for the user's .PWL password-caching file in the <filename>c:\windows</filename> directory, and delete it. + </para></listitem> + + <listitem><para> + Log off the Windows 9x/Me client. + </para></listitem> + + <listitem><para> + Check the contents of the profile path (see <smbconfoption><name>logon path</name></smbconfoption> + described above) and delete the <filename>user.DAT</filename> or <filename>user.MAN</filename> + file for the user, making a backup if required. + </para></listitem> </orderedlist> -<para> -If all else fails, increase samba's debug log levels to between 3 and 10, -and / or run a packet trace program such as ethereal or <command>netmon.exe</command>, and -look for error messages. +<warning><para> +Before deleting the contents of the directory listed in the <parameter>ProfilePath</parameter> +(this is likely to be <filename>c:\windows\profiles\username)</filename>, ask the owner if they have +any important files stored on their desktop or in their start menu. Delete the contents of the +directory <parameter>ProfilePath</parameter> (making a backup if any of the files are needed). </para> <para> -If you have access to an Windows NT4/200x server, then first set up roaming profiles -and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine -the example packet traces provided with Windows NT4/200x server, and see what the -differences are with the equivalent samba trace. +This will have the effect of removing the local (read-only hidden system file) <filename>user.DAT</filename> +in their profile directory, as well as the local <quote>desktop,</quote> <quote>nethood,</quote> +<quote>start menu,</quote> and <quote>programs</quote> folders. +</para></warning> + +<para> +If all else fails, increase Samba's debug log levels to between 3 and 10, and/or run a packet +sniffer program such as ethereal or <command>netmon.exe</command>, and look for error messages. +</para> + +<para> If you have access to an Windows NT4/200x server, then first set up roaming profiles and/or +netlogons on the Windows NT4/200x server. Make a packet trace, or examine the example packet traces +provided with Windows NT4/200x server, and see what the differences are with the equivalent Samba trace. </para> </sect3> @@ -403,272 +355,206 @@ differences are with the equivalent samba trace. <sect3> <title>Windows NT4 Workstation</title> -<para> -When a user first logs in to a Windows NT Workstation, the profile -NTuser.DAT is created. The profile location can be now specified -through the <smbconfoption><name>logon path</name></smbconfoption> parameter. +<para> When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile +location can be now specified through the <smbconfoption><name>logon path</name></smbconfoption> parameter. </para> -<para> -There is a parameter that is now available for use with NT Profiles: -<smbconfoption><name>logon drive</name></smbconfoption>. This should be set to <filename>H:</filename> or any other drive, and -should be used in conjunction with the new <smbconfoption><name>logon home</name></smbconfoption> parameter. -</para> +<para> There is a parameter that is now available for use with NT Profiles: <smbconfoption><name>logon drive</name></smbconfoption>. +This should be set to <filename>H:</filename> or any other drive, and should be used in conjunction with +the new <smbconfoption><name>logon home</name></smbconfoption> parameter. </para> -<para> -The entry for the NT4 profile is a _directory_ not a file. The NT -help on profiles mentions that a directory is also created with a .PDS -extension. The user, while logging in, must have write permission to -create the full profile path (and the folder with the .PDS extension -for those situations where it might be created.) -</para> +<para> The entry for the NT4 profile is a directory not a file. The NT help on Profiles mentions that a +directory is also created with a .PDS extension. The user, while logging in, must have write permission +to create the full profile path (and the folder with the .PDS extension for those situations where it +might be created.) </para> -<para> -In the profile directory, Windows NT4 creates more folders than Windows 9x / Me. -It creates <filename>Application Data</filename> and others, as well as <filename>Desktop</filename>, <filename>Nethood</filename>, -<filename>Start Menu</filename> and <filename>Programs</filename>. The profile itself is stored in a file -<filename>NTuser.DAT</filename>. Nothing appears to be stored in the .PDS directory, and -its purpose is currently unknown. -</para> +<para> In the profile directory, Windows NT4 creates more folders than Windows 9x/Me. It creates +<filename>Application Data</filename> and others, as well as <filename>Desktop</filename>, +<filename>Nethood</filename>, <filename>Start Menu,</filename> and <filename>Programs</filename>. +The profile itself is stored in a file <filename>NTuser.DAT</filename>. Nothing appears to be stored +in the .PDS directory, and its purpose is currently unknown. </para> -<para> -You can use the <application>System Control Panel</application> to copy a local profile onto -a samba server (see NT Help on profiles: it is also capable of firing -up the correct location in the <application>System Control Panel</application> for you). The -NT Help file also mentions that renaming <filename>NTuser.DAT</filename> to <filename>NTuser.MAN</filename> -turns a profile into a mandatory one. +<para> You can use the <application>System Control Panel</application> to copy a local profile onto +a Samba server (see NT Help on Profiles; it is also capable of firing up the correct location in the +<application>System Control Panel</application> for you). The NT Help file also mentions that renaming +<filename>NTuser.DAT</filename> to <filename>NTuser.MAN</filename> turns a profile into a mandatory one. </para> -<para> -The case of the profile is significant. The file must be called -<filename>NTuser.DAT</filename> or, for a mandatory profile, <filename>NTuser.MAN</filename>. -</para> -</sect3> +<para> The case of the profile is significant. The file must be called <filename>NTuser.DAT</filename> +or, for a mandatory profile, <filename>NTuser.MAN</filename>. </para> </sect3> -<sect3> -<title>Windows 2000/XP Professional</title> +<sect3> <title>Windows 2000/XP Professional</title> -<para> -You must first convert the profile from a local profile to a domain -profile on the MS Windows workstation as follows: -</para> +<para> You must first convert the profile from a local profile to a domain profile on the MS Windows +workstation as follows: </para> <procedure> - <step><para> - Log on as the <emphasis>LOCAL</emphasis> workstation administrator. - </para></step> - - <step><para> - Right click on the <guiicon>My Computer</guiicon> Icon, select <guimenuitem>Properties</guimenuitem> - </para></step> - - <step><para> - Click on the <guilabel>User Profiles</guilabel> tab - </para></step> - - <step><para> - Select the profile you wish to convert (click on it once) - </para></step> - - <step><para> - Click on the button <guibutton>Copy To</guibutton> - </para></step> - - <step><para> - In the <guilabel>Permitted to use</guilabel> box, click on the <guibutton>Change</guibutton> button. - </para></step> - - <step><para> - Click on the 'Look in" area that lists the machine name, when you click - here it will open up a selection box. Click on the domain to which the - profile must be accessible. - </para> + <step><para> Log on as the <emphasis>local</emphasis> workstation administrator. </para></step> + + <step><para> Right-click on the <guiicon>My Computer</guiicon> Icon, select + <guimenuitem>Properties</guimenuitem>.</para></step> + + <step><para> Click on the <guilabel>User Profiles</guilabel> tab.</para></step> + + <step><para> Select the profile you wish to convert (click it once).</para></step> + + <step><para> Click on the <guibutton>Copy To</guibutton> button.</para></step> + + <step><para> In the <guilabel>Permitted to use</guilabel> box, click on the + <guibutton>Change</guibutton> button. </para></step> - <note><para>You will need to log on if a logon box opens up. Eg: In the connect as: <replaceable>DOMAIN</replaceable>\root, password: <replaceable>mypassword</replaceable>.</para></note> - </step> + <step><para> Click on the <guilabel>Look in</guilabel> area that lists the machine name. When you click here, it will + open up a selection box. Click on the domain to which the profile must be accessible. </para> - <step><para> - To make the profile capable of being used by anyone select 'Everyone' - </para></step> + <note><para>You will need to log on if a logon box opens up. + For example, connect as <replaceable>DOMAIN</replaceable>\root, password: + <replaceable>mypassword</replaceable>.</para></note> </step> - <step><para> - Click <guibutton>OK</guibutton>. The Selection box will close. - </para></step> + <step><para> To make the profile capable of being used by anyone, select <quote>Everyone</quote>. </para></step> - <step><para> - Now click on the <guibutton>Ok</guibutton> button to create the profile in the path you - nominated. - </para></step> + <step><para> Click on <guibutton>OK</guibutton> and the Selection box will close. </para></step> + + <step><para> Now click on <guibutton>OK</guibutton> to create the profile in the path + you nominated. </para></step> </procedure> -<para> -Done. You now have a profile that can be edited using the samba -<command>profiles</command> tool. +<para> Done. You now have a profile that can be edited using the Samba <command>profiles</command> tool. </para> -<note> -<para> -Under NT/2K the use of mandatory profiles forces the use of MS Exchange -storage of mail data. That keeps desktop profiles usable. -</para> -</note> +<note><para> +Under Windows NT/200x, the use of mandatory profiles forces the use of MS Exchange storage of mail +data and keeps it out of the desktop profile. That keeps desktop profiles from becoming unusable. +</para> </note> -<procedure> - <title>Windows XP Service Pack 1</title> -<step><para> -This is a security check new to Windows XP (or maybe only -Windows XP service pack 1). It can be disabled via a group policy in -Active Directory. The policy is:</para> - -<para><filename>Computer Configuration\Administrative Templates\System\User -Profiles\Do not check for user ownership of Roaming Profile Folders</filename></para> - -<para>...and it should be set to <constant>Enabled</constant>. -Does the new version of samba have an Active Directory analogue? If so, -then you may be able to set the policy through this. -</para> +<sect4> +<title>Windows XP Service Pack 1</title> + <para> + There is a security check new to Windows XP (or maybe only Windows XP service pack 1). + It can be disabled via a group policy in the Active Directory. The policy is called: + </para> -<para> -If you cannot set group policies in samba, then you may be able to set -the policy locally on each machine. If you want to try this, then do -the following (N.B. I don't know for sure that this will work in the -same way as a domain group policy): -</para> + <para> + <filename>Computer Configuration\Administrative Templates\System\User Profiles\<?latex \linebreak ?>Do not check for + user ownership of Roaming Profile Folders</filename>i + </para> + + <para> + This should be set to <constant>Enabled</constant>. + </para> -</step> + <para> + Does the new version of Samba have an Active Directory analogue? If so, then you may be able to set the policy through this. + </para> -<step><para> -On the XP workstation log in with an Administrator account. -</para></step> + <para>If you cannot set group policies in Samba, then you may be able to set the policy locally on + each machine. If you want to try this, then do the following (N.B. I do not know for sure that this + will work in the same way as a domain group policy): + </para> - <step><para>Click: <guimenu>Start</guimenu>, <guimenuitem>Run</guimenuitem></para></step> - <step><para>Type: <userinput>mmc</userinput></para></step> - <step><para>Click: <guibutton>OK</guibutton></para></step> +<procedure> + <step><para>On the XP workstation, log in with an Administrative account.</para></step> + + <step><para>Click on <guimenu>Start</guimenu> -> <guimenuitem>Run</guimenuitem>.</para></step> + <step><para>Type <command>mmc</command>.</para></step> + <step><para>Click on <guibutton>OK</guibutton>.</para></step> <step><para>A Microsoft Management Console should appear.</para></step> - <step><para>Click: <guimenu>File</guimenu>, <guimenuitem>Add/Remove Snap-in...</guimenuitem>, <guimenuitem>Add</guimenuitem></para></step> - <step><para>Double-Click: <guiicon>Group Policy</guiicon></para></step> - <step><para>Click: <guibutton>Finish</guibutton>, <guibutton>Close</guibutton></para></step> - <step><para>Click: <guibutton>OK</guibutton></para></step> - - <step><para>In the "Console Root" window:</para></step> - <step><para>Expand: <guiicon>Local Computer Policy</guiicon>, <guiicon>Computer Configuration</guiicon>, - <guiicon>Administrative Templates</guiicon>, <guiicon>System</guiicon>, <guiicon>User Profiles</guiicon></para></step> - <step><para>Double-Click: <guilabel>Do not check for user ownership of Roaming Profile Folders</guilabel></para></step> - <step><para>Select: <guilabel>Enabled</guilabel></para></step> - <step><para>Click: <guibutton>OK</guibutton></para></step> - - <step><para>Close the whole console. You do not need to save the settings (this - refers to the console settings rather than the policies you have - changed).</para></step> - - <step><para>Reboot</para></step> + <step><para>Click on <guimenu>File</guimenu> -> <guimenuitem>Add/Remove Snap-in</guimenuitem> -> <guimenuitem>Add</guimenuitem>.</para></step> + <step><para>Double-click on <guiicon>Group Policy</guiicon>.</para></step> + <step><para>Click on <guibutton>Finish</guibutton> -> <guibutton>Close</guibutton>.</para></step> + <step><para>Click on <guibutton>OK</guibutton>.</para></step> + <step><para>In the <quote>Console Root</quote> window expand <guiicon>Local Computer Policy</guiicon> -> + <guiicon>Computer Configuration</guiicon> -> <guiicon>Administrative Templates</guiicon> -> <guiicon>System</guiicon> -> <guiicon>User Profiles</guiicon>.</para></step> + <step><para>Double-click on <guilabel>Do not check for user ownership of Roaming Profile Folders</guilabel>.</para></step> + <step><para>Select <guilabel>Enabled</guilabel>.</para></step> + <step><para>Click on <guibutton>OK</guibutton>.</para></step> + <step><para>Close the whole console. You do not need to save the settings (this refers to the + console settings rather than the policies you have changed).</para></step> + <step><para>Reboot.</para></step> </procedure> +</sect4> </sect3> </sect2> <sect2> -<title>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</title> + <title>Sharing Profiles between W9x/Me and NT4/200x/XP <?latex \linebreak ?>Workstations</title> -<para> -Sharing of desktop profiles between Windows versions is NOT recommended. -Desktop profiles are an evolving phenomenon and profiles for later versions -of MS Windows clients add features that may interfere with earlier versions -of MS Windows clients. Probably the more salient reason to NOT mix profiles -is that when logging off an earlier version of MS Windows the older format -of profile contents may overwrite information that belongs to the newer -version resulting in loss of profile information content when that user logs -on again with the newer version of MS Windows. -</para> +<para> Sharing of desktop profiles between Windows versions is not recommended. Desktop profiles are an +evolving phenomenon and profiles for later versions of MS Windows clients add features that may interfere +with earlier versions of MS Windows clients. Probably the more salient reason to not mix profiles is +that when logging off an earlier version of MS Windows, the older format of profile contents may overwrite +information that belongs to the newer version resulting in loss of profile information content when that +user logs on again with the newer version of MS Windows. </para> -<para> -If you then want to share the same Start Menu / Desktop with W9x/Me, you will -need to specify a common location for the profiles. The &smb.conf; parameters -that need to be common are <smbconfoption><name>logon path</name></smbconfoption> and -<smbconfoption><name>logon home</name></smbconfoption>. -</para> +<para> If you then want to share the same Start Menu/Desktop with W9x/Me, you will need to specify a common +location for the profiles. The &smb.conf; parameters that need to be common are <smbconfoption><name>logon path</name></smbconfoption> and <smbconfoption><name>logon home</name></smbconfoption>. </para> -<para> -If you have this set up correctly, you will find separate <filename>user.DAT</filename> and -<filename>NTuser.DAT</filename> files in the same profile directory. -</para> +<para> If you have this set up correctly, you will find separate <filename>user.DAT</filename> and +<filename>NTuser.DAT</filename> files in the same profile directory. </para> </sect2> <sect2> <title>Profile Migration from Windows NT4/200x Server to Samba</title> -<para> -There is nothing to stop you specifying any path that you like for the -location of users' profiles. Therefore, you could specify that the -profile be stored on a samba server, or any other SMB server, as long as -that SMB server supports encrypted passwords. -</para> +<para> There is nothing to stop you from specifying any path that you like for the location of users' profiles. +Therefore, you could specify that the profile be stored on a Samba server, or any other SMB server, +as long as that SMB server supports encrypted passwords. </para> <sect3> <title>Windows NT4 Profile Management Tools</title> -<para> -Unfortunately, the Resource Kit information is specific to the version of MS Windows -NT4/200x. The correct resource kit is required for each platform. -</para> +<para> Unfortunately, the Resource Kit information is specific to the version of MS Windows NT4/200x. The +correct resource kit is required for each platform. </para> -<para> -Here is a quick guide: -</para> +<para>Here is a quick guide:</para> <procedure> + <step><para> On your NT4 Domain Controller, right click on <guiicon>My Computer</guiicon>, then select the + tab labeled <guilabel>User Profiles</guilabel>. </para></step> -<step><para> -On your NT4 Domain Controller, right click on <guiicon>My Computer</guiicon>, then -select the tab labelled <guilabel>User Profiles</guilabel>. -</para></step> + <step><para> Select a user profile you want to migrate and click on it. </para> -<step><para> -Select a user profile you want to migrate and click on it. -</para> - -<note><para>I am using the term "migrate" loosely. You can copy a profile to -create a group profile. You can give the user 'Everyone' rights to the -profile you copy this to. That is what you need to do, since your samba -domain is not a member of a trust relationship with your NT4 PDC.</para></note> -</step> + <note><para>I am using the term <quote>migrate</quote> loosely. You can copy a profile to create a group + profile. You can give the user <parameter>Everyone</parameter> rights to the profile you copy this to. That + is what you need to do, since your Samba domain is not a member of a trust relationship with your NT4 + PDC.</para></note></step> -<step><para>Click the <guibutton>Copy To</guibutton> button.</para></step> + <step><para>Click on the <guibutton>Copy To</guibutton> button.</para></step> - <step><para>In the box labelled <guilabel>Copy Profile to</guilabel> add your new path, eg: + <step><para>In the box labeled <guilabel>Copy Profile to</guilabel> add your new path, e.g., <filename>c:\temp\foobar</filename></para></step> - <step><para>Click on the button <guibutton>Change</guibutton> in the <guilabel>Permitted to use</guilabel> box.</para></step> + <step><para>Click on <guibutton>Change</guibutton> in the <guilabel>Permitted to use</guilabel> box.</para></step> - <step><para>Click on the group 'Everyone' and then click <guibutton>OK</guibutton>. This closes the - 'choose user' box.</para></step> + <step><para>Click on the group <quote>Everyone</quote>, click on <guibutton>OK</guibutton>. This + closes the <quote>choose user</quote> box.</para></step> - <step><para>Now click <guibutton>OK</guibutton>.</para></step> + <step><para>Now click on <guibutton>OK</guibutton>.</para></step> </procedure> -<para> -Follow the above for every profile you need to migrate. -</para> +<para> Follow the above for every profile you need to migrate. </para> </sect3> <sect3> -<title>Side bar Notes</title> +<title>Side Bar Notes</title> + <para> -You should obtain the SID of your NT4 domain. You can use smbpasswd to do -this. Read the man page.</para> +<indexterm><primary>SID</primary></indexterm> +You should obtain the SID of your NT4 domain. You can use smbpasswd to do this. Read the man +page.</para> </sect3> -<sect3> -<title>moveuser.exe</title> +<sect3> <title>moveuser.exe</title> + +<para> The Windows 200x professional resource kit has <command>moveuser.exe</command>. <command>moveuser.exe</command> changes the security of a profile +from one user to another. This allows the account domain to change, and/or the user name to change.</para> <para> -The W2K professional resource kit has moveuser.exe. moveuser.exe changes -the security of a profile from one user to another. This allows the account -domain to change, and/or the user name to change. +This command is like the Samba <command>profiles</command> tool. </para> </sect3> @@ -677,83 +563,61 @@ domain to change, and/or the user name to change. <title>Get SID</title> <para> -You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 -Resource Kit. -</para> +<indexterm><primary>SID</primary></indexterm> +You can identify the SID by using <command>GetSID.exe</command> from the Windows NT Server 4.0 Resource Kit. </para> -<para> -Windows NT 4.0 stores the local profile information in the registry under -the following key: -<filename>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</filename> -</para> +<para> Windows NT 4.0 stores the local profile information in the registry under the following key: +<filename>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</filename> </para> -<para> -Under the ProfileList key, there will be subkeys named with the SIDs of the -users who have logged on to this computer. (To find the profile information -for the user whose locally cached profile you want to move, find the SID for -the user with the GetSID.exe utility.) Inside of the appropriate user's -subkey, you will see a string value named ProfileImagePath. -</para> +<para> Under the ProfileList key, there will be subkeys named with the SIDs of the users who have logged +on to this computer. (To find the profile information for the user whose locally cached profile you want +to move, find the SID for the user with the <command>GetSID.exe</command> utility.) Inside the appropriate user's subkey, +you will see a string value named <parameter>ProfileImagePath</parameter>. </para> -</sect3> -</sect2> -</sect1> +</sect3> </sect2> </sect1> -<sect1> -<title>Mandatory profiles</title> +<sect1> <title>Mandatory Profiles</title> <para> -A Mandatory Profile is a profile that the user does NOT have the ability to overwrite. -During the user's session it may be possible to change the desktop environment, but -as the user logs out all changes made will be lost. If it is desired to NOT allow the -user any ability to change the desktop environment then this must be done through -policy settings. See previous chapter. -</para> +<indexterm><primary>mandatory profiles</primary></indexterm> +A Mandatory Profile is a profile that the user does not have the ability to overwrite. During the +user's session, it may be possible to change the desktop environment, however, as the user logs out all changes +made will be lost. If it is desired to not allow the user any ability to change the desktop environment, +then this must be done through policy settings. See the previous chapter. </para> -<note> -<para> -Under NO circumstances should the profile directory (or it's contents) be made read-only -as this may render the profile un-usable. -</para> -</note> +<note><para> +Under NO circumstances should the profile directory (or its contents) be made read-only +as this may render the profile un-usable. Where it is essential to make a profile read-only +within the UNIX file system, this can be done but then you absolutely must use the <command>fake-permissions</command> +VFS module to instruct MS Windows NT/200x/XP clients that the Profile has write permission for the user. See <link linkend="fakeperms"/>. +</para></note> -<para> -For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles -also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT -file in the copied profile and rename it to NTUser.MAN. -</para> +<para> For MS Windows NT4/200x/XP, the above method can also be used to create mandatory profiles. To +convert a group profile into a mandatory profile, simply locate the <filename>NTUser.DAT</filename> file in the copied profile +and rename it to <filename>NTUser.MAN</filename>. </para> -<para> -For MS Windows 9x / Me it is the <filename>User.DAT</filename> file that must be renamed to <filename>User.MAN</filename> to -affect a mandatory profile. -</para> +<para> For MS Windows 9x/ME, it is the <filename>User.DAT</filename> file that must be renamed to +<filename>User.MAN</filename> to effect a mandatory profile. </para> </sect1> <sect1> -<title>Creating/Managing Group Profiles</title> +<title>Creating and Managing Group Profiles</title> <para> -Most organisations are arranged into departments. There is a nice benefit in -this fact since usually most users in a department will require the same desktop -applications and the same desktop layout. MS Windows NT4/200x/XP will allow the -use of Group Profiles. A Group Profile is a profile that is created firstly using -a template (example) user. Then using the profile migration tool (see above) the -profile is assigned access rights for the user group that needs to be given access -to the group profile. -</para> +<indexterm><primary>group profiles</primary></indexterm> +Most organizations are arranged into departments. There is a nice benefit in this fact since usually +most users in a department require the same desktop applications and the same desktop layout. MS +Windows NT4/200x/XP will allow the use of Group Profiles. A Group Profile is a profile that is created +first using a template (example) user. Then using the profile migration tool (see above), the profile is +assigned access rights for the user group that needs to be given access to the group profile. </para> -<para> -The next step is rather important. <emphasis>Please note:</emphasis> Instead of assigning a group profile -to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned -the now modified profile. -</para> +<para> The next step is rather important. Instead of assigning a group profile to users (Using User Manager) +on a <quote>per user</quote> basis, the group itself is assigned the now modified profile. </para> <note> - <para> - Be careful with group profiles, if the user who is a member of a group also - has a personal profile, then the result will be a fusion (merge) of the two. - </para> +<para> Be careful with Group Profiles. If the user who is a member of a group also has a personal +profile, then the result will be a fusion (merge) of the two. </para> </note> </sect1> @@ -762,175 +626,147 @@ the now modified profile. <title>Default Profile for Windows Users</title> <para> -MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom -a profile does not already exist. Armed with a knowledge of where the default profile -is located on the Windows workstation, and knowing which registry keys affect the path -from which the default profile is created, it is possible to modify the default profile -to one that has been optimised for the site. This has significant administrative -advantages. -</para> +<indexterm><primary>default profile</primary></indexterm> +MS Windows 9x/Me and NT4/200x/XP will use a default profile for any user for whom a profile +does not already exist. Armed with a knowledge of where the default profile is located on the Windows +workstation, and knowing which registry keys effect the path from which the default profile is created, +it is possible to modify the default profile to one that has been optimized for the site. This has +significant administrative advantages. </para> <sect2> <title>MS Windows 9x/Me</title> -<para> -To enable default per use profiles in Windows 9x / Me you can either use the <application>Windows 98 System -Policy Editor</application> or change the registry directly. -</para> +<para> To enable default per use profiles in Windows 9x/ME, you can either use the <application>Windows +98 System Policy Editor</application> or change the registry directly. </para> -<para> -To enable default per user profiles in Windows 9x / Me, launch the <application>System Policy Editor</application>, then -select <guimenu>File</guimenu> -> <guimenuitem>Open Registry</guimenuitem>, then click on the -<guiicon>Local Computer</guiicon> icon, click on <guilabel>Windows 98 System</guilabel>, -select <guilabel>User Profiles</guilabel>, click on the enable box. Do not forget to save the registry changes. -</para> +<para> To enable default per user profiles in Windows 9x/ME, launch the <application>System Policy +Editor</application>, then select <guimenu>File</guimenu> -> <guimenuitem>Open Registry</guimenuitem>, +next click on the <guiicon>Local Computer</guiicon> icon, click on <guilabel>Windows 98 System</guilabel>, +select <guilabel>User Profiles</guilabel>, and click on the enable box. Remember to save the registry +changes. </para> -<para> -To modify the registry directly, launch the <application>Registry Editor</application> (<command>regedit.exe</command>), select the hive -<filename>HKEY_LOCAL_MACHINE\Network\Logon</filename>. Now add a DWORD type key with the name -"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0. -</para> +<para> To modify the registry directly, launch the <application>Registry Editor</application> +(<command>regedit.exe</command>) and select the hive <filename>HKEY_LOCAL_MACHINE\Network\Logon</filename>. Now +add a DWORD type key with the name <quote>User Profiles,</quote> to +enable user profiles to set the value +to 1; to disable user profiles set it to 0. </para> <sect3> -<title>How User Profiles Are Handled in Windows 9x / Me?</title> +<title>User Profile Handling with Windows 9x/Me</title> -<para> -When a user logs on to a Windows 9x / Me machine, the local profile path, +<para> When a user logs on to a Windows 9x/Me machine, the local profile path, <filename>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</filename>, is checked -for an existing entry for that user: -</para> +for an existing entry for that user. </para> -<para> -If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached -version of the user profile. Windows 9x / Me also checks the user's home directory (or other -specified directory if the location has been modified) on the server for the User Profile. -If a profile exists in both locations, the newer of the two is used. If the User Profile exists -on the server, but does not exist on the local machine, the profile on the server is downloaded -and used. If the User Profile only exists on the local machine, that copy is used. -</para> +<para> If the user has an entry in this registry location, Windows 9x/Me checks for a locally cached +version of the user profile. Windows 9x/Me also checks the user's home directory (or other specified +directory if the location has been modified) on the server for the User Profile. If a profile exists +in both locations, the newer of the two is used. If the User Profile exists on the server, but does not +exist on the local machine, the profile on the server is downloaded and used. If the User Profile only +exists on the local machine, that copy is used. </para> -<para> -If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me -machine is used and is copied to a newly created folder for the logged on user. At log off, any -changes that the user made are written to the user's local profile. If the user has a roaming -profile, the changes are written to the user's profile on the server. -</para> +<para> If a User Profile is not found in either location, the Default User Profile from the Windows +9x/Me machine is used and copied to a newly created folder for the logged on user. At log off, any +changes that the user made are written to the user's local profile. If the user has a roaming profile, +the changes are written to the user's profile on the server. </para> -</sect3> -</sect2> +</sect3> </sect2> <sect2> <title>MS Windows NT4 Workstation</title> -<para> -On MS Windows NT4 the default user profile is obtained from the location +<para> On MS Windows NT4, the default user profile is obtained from the location <filename>%SystemRoot%\Profiles</filename> which in a default installation will translate to -<filename>C:\WinNT\Profiles</filename>. Under this directory on a clean install there will be -three (3) directories: <filename>Administrator</filename>, <filename>All Users</filename>, <filename>Default User</filename>. -</para> +<filename>C:\Windows NT\Profiles</filename>. Under this directory on a clean install there will be three +(3) directories: <filename>Administrator</filename>, <filename>All +Users,</filename> and <filename>Default +User</filename>. </para> -<para> -The <filename>All Users</filename> directory contains menu settings that are common across all -system users. The <filename>Default User</filename> directory contains menu entries that are -customisable per user depending on the profile settings chosen/created. -</para> +<para> The <filename>All Users</filename> directory contains menu settings that are common across all +system users. The <filename>Default User</filename> directory contains menu entries that are customizable +per user depending on the profile settings chosen/created. </para> -<para> -When a new user first logs onto an MS Windows NT4 machine a new profile is created from: -</para> +<para> When a new user first logs onto an MS Windows NT4 machine, a new profile is created from: </para> <itemizedlist> - <listitem><para>All Users settings</para></listitem> - <listitem><para>Default User settings (contains the default NTUser.DAT file)</para></listitem> + <listitem><para>All Users settings.</para></listitem> + <listitem><para>Default User settings (contains the default <filename>NTUser.DAT</filename> file).</para></listitem> </itemizedlist> -<para> -When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain -the following steps are followed in respect of profile handling: -</para> - -<procedure> - <step> - <para> - The users' account information which is obtained during the logon process contains - the location of the users' desktop profile. The profile path may be local to the - machine or it may be located on a network share. If there exists a profile at the location - of the path from the user account, then this profile is copied to the location - <filename>%SystemRoot%\Profiles\%USERNAME%</filename>. This profile then inherits the - settings in the <filename>All Users</filename> profile in the <filename>%SystemRoot%\Profiles</filename> - location. - </para> - </step> - - <step> - <para> - If the user account has a profile path, but at it's location a profile does not exist, - then a new profile is created in the <filename>%SystemRoot%\Profiles\%USERNAME%</filename> - directory from reading the <filename>Default User</filename> profile. - </para> - </step> - - <step> - <para> - If the NETLOGON share on the authenticating server (logon server) contains a policy file - (<filename>NTConfig.POL</filename>) then it's contents are applied to the <filename>NTUser.DAT</filename> - which is applied to the <filename>HKEY_CURRENT_USER</filename> part of the registry. - </para> - </step> - - <step> - <para> - When the user logs out, if the profile is set to be a roaming profile it will be written - out to the location of the profile. The <filename>NTuser.DAT</filename> file is then - re-created from the contents of the <filename>HKEY_CURRENT_USER</filename> contents. - Thus, should there not exist in the NETLOGON share an <filename>NTConfig.POL</filename> at the - next logon, the effect of the previous <filename>NTConfig.POL</filename> will still be held - in the profile. The effect of this is known as <emphasis>tatooing</emphasis>. - </para> - </step> -</procedure> +<para> When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain, + the following steps are followed in respect of profile handling: -<para> -MS Windows NT4 profiles may be <emphasis>Local</emphasis> or <emphasis>Roaming</emphasis>. A Local profile -will stored in the <filename>%SystemRoot%\Profiles\%USERNAME%</filename> location. A roaming profile will -also remain stored in the same way, unless the following registry key is created: +<indexterm><primary>NTConfig.POL</primary></indexterm> </para> -<para> -<programlisting> -HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ -winlogon\"DeleteRoamingCache"=dword:00000001 -</programlisting> -In which case, the local copy (in <filename>%SystemRoot%\Profiles\%USERNAME%</filename>) will be -deleted on logout. -</para> - -<para> -Under MS Windows NT4 default locations for common resources (like <filename>My Documents</filename> -may be redirected to a network share by modifying the following registry keys. These changes may be affected -via use of the System Policy Editor (to do so may require that you create your owns template extension -for the policy editor to allow this to be done through the GUI. Another way to do this is by way of first -creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings. -</para> - -<para> -The Registry Hive key that affects the behaviour of folders that are part of the default user profile -are controlled by entries on Windows NT4 is: -</para> - -<para> -<filename>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</filename> -</para> - -<para> -The above hive key contains a list of automatically managed folders. The default entries are: -</para> +<procedure> + <step> <para> The users' account information that is obtained during the logon process + contains the location of the users' desktop profile. The profile path may be local to + the machine or it may be located on a network share. If there exists a profile at the + location of the path from the user account, then this profile is copied to the location + <filename>%SystemRoot%\Profiles\%USERNAME%</filename>. This profile then inherits the settings + in the <filename>All Users</filename> profile in the <filename>%SystemRoot%\Profiles</filename> + location. </para> </step> + + <step> <para> If the user account has a profile path, but at its location a profile does not + exist, then a new profile is created in the <filename>%SystemRoot%\Profiles\%USERNAME%</filename> + directory from reading the <filename>Default User</filename> profile. </para> </step> + + <step> <para> If the NETLOGON share on the authenticating server (logon server) contains + a policy file (<filename>NTConfig.POL</filename>), then its contents are applied to the + <filename>NTUser.DAT</filename> which is applied to the <filename>HKEY_CURRENT_USER</filename> + part of the registry. + </para> </step> + + <step> <para> When the user logs out, if the profile is set to be a roaming profile it will be + written out to the location of the profile. The <filename>NTuser.DAT</filename> file is then + recreated from the contents of the <filename>HKEY_CURRENT_USER</filename> contents. Thus, + should there not exist in the NETLOGON share an <filename>NTConfig.POL</filename> at the next + logon, the effect of the previous <filename>NTConfig.POL</filename> will still be held in the + profile. The effect of this is known as tattooing. + </para> </step> +</procedure> -<para> -<table frame="all"> - <title>User Shell Folder registry keys default values</title> +<para> MS Windows NT4 profiles may be <emphasis>local</emphasis> or <emphasis>roaming</emphasis>. A local +profile will stored in the <filename>%SystemRoot%\Profiles\%USERNAME%</filename> location. A roaming +profile will also remain stored in the same way, unless the following registry key is created as shown: </para> + +<para><screen> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ +winlogon\"DeleteRoamingCache"=dword:0000000 + </screen> +In this case, the local copy (in <filename>%SystemRoot%\Profiles\%USERNAME%</filename>) will be deleted +on logout.</para> + +<para> Under MS Windows NT4, default locations for common resources like <filename>My Documents</filename> +may be redirected to a network share by modifying the following registry keys. These changes may be +affected via use of the System Policy Editor. To do so may require that you create your own template +extension for the policy editor to allow this to be done through the GUI. Another way to do this is by +way of first creating a default user profile, then while logged in as that user, run <command>regedt32</command> to edit +the key settings. </para> + +<para> +The Registry Hive key that affects the behavior of folders that are part of the default user +profile are controlled by entries on Windows NT4 is: +<screen> +HKEY_CURRENT_USER + \Software + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders +</screen> +<indexterm><primary>windows registry settings</primary><secondary>default profile locations</secondary></indexterm> +</para> + +<para> The above hive key contains a list of automatically managed folders. The default entries are shown in <link linkend="ProfileLocs"/>. </para> + +<table frame="all" id="ProfileLocs"> + <title>User Shell Folder Registry Keys Default Values</title> <tgroup cols="2"> + <colspec align="left"/> + <colspec align="left"/> <thead> <row><entry>Name</entry><entry>Default Value</entry></row> </thead> @@ -948,22 +784,19 @@ The above hive key contains a list of automatically managed folders. The default </tbody> </tgroup> </table> -</para> -<para> -The registry key that contains the location of the default profile settings is: -</para> +<para> The registry key that contains the location of the default profile settings is: </para> -<para> -<filename>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</filename> -</para> +<para> <filename>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\<?latex \linebreak ?> +User Shell Folders</filename> </para> -<para> -The default entries are: +<para> The default entries are shown in <link linkend="regkeys"/>.</para> -<table frame="all"> - <title>Defaults of profile settings registry keys</title> +<table frame="all" id="regkeys"> + <title>Defaults of Profile Settings Registry Keys</title> <tgroup cols="2"> + <colspec align="left"/> + <colspec align="left"/> <tbody> <row><entry>Common Desktop</entry><entry>%SystemRoot%\Profiles\All Users\Desktop</entry></row> <row><entry>Common Programs</entry><entry>%SystemRoot%\Profiles\All Users\Programs</entry></row> @@ -972,104 +805,78 @@ The default entries are: </tbody> </tgroup> </table> -</para> </sect2> -<sect2> -<title>MS Windows 200x/XP</title> +<sect2> <title>MS Windows 200x/XP</title> - <note> - <para> - MS Windows XP Home Edition does use default per user profiles, but can not participate - in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile - only from itself. While there are benefits in doing this the beauty of those MS Windows - clients that CAN participate in domain logon processes allows the administrator to create - a global default profile and to enforce it through the use of Group Policy Objects (GPOs). - </para> - </note> +<note><para> +<indexterm><primary>GPOs</primary></indexterm> +MS Windows XP Home Edition does use default per user profiles, but cannot participate +in domain security, cannot log onto an NT/ADS-style domain, and thus can obtain the profile only +from itself. While there are benefits in doing this, the beauty of those MS Windows clients that +can participate in domain logon processes allows the administrator to create a global default +profile and enforce it through the use of Group Policy Objects (GPOs). +</para></note> -<para> -When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from -<filename>C:\Documents and Settings\Default User</filename>. The administrator can modify (or change -the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum -arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client -workstation. -</para> +<para> When a new user first logs onto an MS Windows 200x/XP machine, the default profile is obtained from +<filename>C:\Documents and Settings\Default User</filename>. The administrator can modify or change the +contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum arrangement +since it will involve copying a new default profile to every MS Windows 200x/XP client workstation. </para> -<para> -When MS Windows 200x/XP participate in a domain security context, and if the default user -profile is not found, then the client will search for a default profile in the NETLOGON share -of the authenticating server. ie: In MS Windows parlance: -<filename>%LOGONSERVER%\NETLOGON\Default User</filename> and if one exits there it will copy this -to the workstation to the <filename>C:\Documents and Settings\</filename> under the Windows -login name of the user. -</para> +<para> When MS Windows 200x/XP participates in a domain security context, and if the default user profile is + not found, then the client will search for a default profile in the NETLOGON share of the authenticating + server. In MS Windows parlance,<?latex \linebreak ?><filename>%LOGONSERVER%\NETLOGON\Default User,</filename> and if one +exists there it will copy this to the workstation to the <filename>C:\Documents and Settings\</filename> +under the Windows login name of the user. </para> - <note> - <para> - This path translates, in Samba parlance, to the &smb.conf; <smbconfsection>[NETLOGON]</smbconfsection> share. The directory - should be created at the root of this share and must be called <filename>Default Profile</filename>. - </para> - </note> +<note> <para> This path translates, in Samba parlance, to the &smb.conf; +<smbconfsection>[NETLOGON]</smbconfsection> share. The directory should be created at the root +of this share and must be called <filename>Default Profile</filename>. </para> </note> -<para> -If a default profile does not exist in this location then MS Windows 200x/XP will use the local -default profile. -</para> +<para> If a default profile does not exist in this location, then MS Windows 200x/XP will use the local +default profile. </para> -<para> -On logging out, the users' desktop profile will be stored to the location specified in the registry -settings that pertain to the user. If no specific policies have been created, or passed to the client -during the login process (as Samba does automatically), then the user's profile will be written to -the local machine only under the path <filename>C:\Documents and Settings\%USERNAME%</filename>. -</para> +<para> On logging out, the users' desktop profile will be stored to the location specified in the registry +settings that pertain to the user. If no specific policies have been created or passed to the client +during the login process (as Samba does automatically), then the user's profile will be written to the +local machine only under the path <filename>C:\Documents and Settings\%USERNAME%</filename>. </para> -<para> -Those wishing to modify the default behaviour can do so through three methods: -</para> +<para> Those wishing to modify the default behavior can do so through these three methods: </para> <itemizedlist> - <listitem> - <para> - Modify the registry keys on the local machine manually and place the new default profile in the - NETLOGON share root - NOT recommended as it is maintenance intensive. - </para> - </listitem> + <listitem> <para> Modify the registry keys on the local machine manually and place the new + default profile in the NETLOGON share root. This is not recommended as it is maintenance intensive. + </para> </listitem> - <listitem> - <para> - Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file - in the root of the NETLOGON share along with the new default profile. - </para> - </listitem> + <listitem> <para> Create an NT4-style NTConfig.POL file that specified this behavior and locate + this file in the root of the NETLOGON share along with the new default profile. </para> </listitem> - <listitem> - <para> - Create a GPO that enforces this through Active Directory, and place the new default profile - in the NETLOGON share. - </para> - </listitem> + <listitem> <para> Create a GPO that enforces this through Active Directory, and place the new + default profile in the NETLOGON share. </para> </listitem> </itemizedlist> -<para> -The Registry Hive key that affects the behaviour of folders that are part of the default user profile -are controlled by entries on Windows 200x/XP is: -</para> +<para>The registry hive key that effects the behavior of folders that are part of the default user +profile are controlled by entries on Windows 200x/XP is: </para> -<para> -<filename>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</filename> -</para> +<para> <filename>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell +Folders\</filename> </para> <para> -The above hive key contains a list of automatically managed folders. The default entries are: +The above hive key contains a list of automatically managed folders. The default entries are shown +in <link linkend="defregpthkeys"/> +<indexterm><primary>windows registry settings</primary><secondary>default profile locations</secondary></indexterm> </para> -<para> -<table frame="all"> - <title>Defaults of default user profile paths registry keys</title> + +<table frame="all" id="defregpthkeys"> + <title>Defaults of Default User Profile Paths Registry Keys</title> <tgroup cols="2"> - <thead><row><entry>Name</entry><entry>Default Value</entry></row></thead> + <colspec align="left"/> + <colspec align="left"/> + <thead> + <row><entry>Name</entry><entry>Default Value</entry></row> + </thead> <tbody> <row><entry>AppData</entry><entry>%USERPROFILE%\Application Data</entry></row> <row><entry>Cache</entry><entry>%USERPROFILE%\Local Settings\Temporary Internet Files</entry></row> @@ -1089,227 +896,171 @@ The above hive key contains a list of automatically managed folders. The default <row><entry>Start Menu</entry><entry>%USERPROFILE%\Start Menu</entry></row> <row><entry>Startup</entry><entry>%USERPROFILE%\Start Menu\Programs\Startup</entry></row> <row><entry>Templates</entry><entry>%USERPROFILE%\Templates</entry></row> - </tbody></tgroup></table> -</para> + </tbody> + </tgroup> +</table> -<para> -There is also an entry called "Default" that has no value set. The default entry is of type <constant>REG_SZ</constant>, all -the others are of type <constant>REG_EXPAND_SZ</constant>. -</para> +<para> There is also an entry called <quote>Default</quote> that has no value set. The default entry is +of type <constant>REG_SZ</constant>, all the others are of type <constant>REG_EXPAND_SZ</constant>. </para> -<para> -It makes a huge difference to the speed of handling roaming user profiles if all the folders are -stored on a dedicated location on a network server. This means that it will NOT be necessary to -write the Outlook PST file over the network for every login and logout. -</para> +<para> It makes a huge difference to the speed of handling roaming user profiles if all the folders are +stored on a dedicated location on a network server. This means that it will not be necessary to write +the Outlook PST file over the network for every login and logout. </para> -<para> -To set this to a network location you could use the following examples: -</para> +<para> To set this to a network location, you could use the following examples: </para> <para><filename>%LOGONSERVER%\%USERNAME%\Default Folders</filename></para> -<para> -This would store the folders in the user's home directory under a directory called <filename>Default Folders</filename> -You could also use: -</para> +<para> This would store the folders in the user's home directory under a directory called <filename>Default +Folders</filename>. You could also use: </para> <para><filename>\\<replaceable>SambaServer</replaceable>\<replaceable>FolderShare</replaceable>\%USERNAME%</filename></para> <para> - in which case the default folders will be stored in the server named <replaceable>SambaServer</replaceable> -in the share called <replaceable>FolderShare</replaceable> under a directory that has the name of the MS Windows -user as seen by the Linux/UNIX file system. -</para> +in which case the default folders will be stored in the server named <replaceable>SambaServer</replaceable> +in the share called <replaceable>FolderShare</replaceable> under a directory that has the name of the +MS Windows user as seen by the Linux/UNIX file system. </para> -<para> -Please note that once you have created a default profile share, you MUST migrate a user's profile -(default or custom) to it. -</para> +<para> Please note that once you have created a default profile share, you MUST migrate a user's profile +(default or custom) to it. </para> -<para> -MS Windows 200x/XP profiles may be <emphasis>Local</emphasis> or <emphasis>Roaming</emphasis>. -A roaming profile will be cached locally unless the following registry key is created: +<para> MS Windows 200x/XP profiles may be <emphasis>Local</emphasis> or <emphasis>Roaming</emphasis>. + A roaming profile will be cached locally unless the following registry key is created: + +<indexterm><primary>delete roaming profiles</primary></indexterm> </para> -<para> -<programlisting> -HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ + +<para> <programlisting> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ winlogon\"DeleteRoamingCache"=dword:00000001</programlisting></para> <para> -In which case, the local cache copy will be deleted on logout. -</para> -</sect2> +In this case, the local cache copy will be deleted on logout. +</para> +</sect2> </sect1> -<sect1> -<title>Common Errors</title> +<sect1> <title>Common Errors</title> <para> -The following are some typical errors/problems/questions that have been asked. +The following are some typical errors, problems and questions that have been asked on the Samba mailing lists. </para> <sect2> -<title>Setting up roaming profiles for just a few user's or group's?</title> +<title>Configuring Roaming Profiles for a Few Users or Groups</title> <para> -With samba-2.2.x the choice you have is to enable or disable roaming -profiles support. It is a global only setting. The default is to have -roaming profiles and the default path will locate them in the user's home -directory. +With Samba-2.2.x, the choice you have is to enable or disable roaming profiles support. It is a +global only setting. The default is to have roaming profiles and the default path will locate them in +the user's home directory. </para> <para> -If disabled globally then no-one will have roaming profile ability. -If enabled and you want it to apply only to certain machines, then on -those machines on which roaming profile support is NOT wanted it is then -necessary to disable roaming profile handling in the registry of each such -machine. +If disabled globally, then no one will have roaming profile ability. If enabled and you want it +to apply only to certain machines, then on those machines on which roaming profile support is not wanted +it is then necessary to disable roaming profile handling in the registry of each such machine. </para> <para> -With samba-3 you can have a global profile -setting in &smb.conf; _AND_ you can over-ride this by per-user settings -using the Domain User Manager (as with MS Windows NT4/ Win 2Kx). -</para> +With Samba-3, you can have a global profile setting in &smb.conf; and you can override this by +per-user settings using the Domain User Manager (as with MS Windows NT4/ Win 200xx). </para> -<para> -In any case, you can configure only one profile per user. That profile can -be either: -</para> +<para> In any case, you can configure only one profile per user. That profile can be either: </para> <itemizedlist> - <listitem><para>A profile unique to that user</para></listitem> - <listitem><para>A mandatory profile (one the user can not change)</para></listitem> - <listitem><para>A group profile (really should be mandatory ie:unchangable)</para></listitem> + <listitem>A profile unique to that user.</listitem> + <listitem>A mandatory profile (one the user cannot change).</listitem> + <listitem>A group profile (really should be mandatory, that is unchangable).</listitem> </itemizedlist> </sect2> -<sect2> -<title>Can NOT use Roaming Profiles</title> +<sect2> <title>Cannot Use Roaming Profiles</title> -<para> -A user requested the following: -<quote> -I do not want Roaming profiles to be implemented. I want to give users a local profile alone. ... -Please help me I am totally lost with this error. For the past two days I tried everything, I googled -around but found no useful pointers. Please help me. -</quote></para> +<para> A user requested the following: <quote> I do not want Roaming profiles to be implemented. I want +to give users a local profile alone. Please help me, I am totally lost with this error. For the past +two days I tried everything, I googled around but found no useful pointers. Please help me. </quote></para> -<para> -The choices are: -</para> +<para> The choices are: </para> <variablelist> <varlistentry> - <term>Local profiles:</term> - <listitem><para> - I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out - </para></listitem> + <term>Local profiles</term> <listitem><para> I know of no registry keys that will allow + auto-deletion of LOCAL profiles on log out.</para></listitem> </varlistentry> - + <varlistentry> - <term>Roaming profiles:</term> - <listitem><para> - As a user logs onto the network a centrally stored profile is copied to the workstation - to form a local profile. This local profile will persist (remain on the workstation disk) - unless a registry key is changed that will cause this profile to be automatically deleted - on logout. - </para></listitem> + <term>Roaming profiles</term> <listitem><para> As a user logs onto the network, a centrally + stored profile is copied to the workstation to form a local profile. This local profile + will persist (remain on the workstation disk) unless a registry key is changed that will + cause this profile to be automatically deleted on logout. </para></listitem> </varlistentry> </variablelist> -<para> -The <emphasis>Roaming Profile</emphasis> choices are: -</para> +<para>The roaming profile choices are: </para> <variablelist> <varlistentry> - <term>Personal Roaming profiles</term> - <listitem><para> - These are typically stored in a profile share on a central (or conveniently located - local) server. - </para> + <term>Personal roaming profiles</term> <listitem><para> These are typically stored in + a profile share on a central (or conveniently located local) server. </para> - <para> - Workstations 'cache' (store) a local copy of the profile. This cached copy is used when - the profile can not be downloaded at next logon. - </para></listitem> + <para> Workstations cache (store) a local copy of the profile. This cached + copy is used when the profile cannot be downloaded at next logon. </para></listitem> </varlistentry> <varlistentry> - <term>Group profiles</term> - <listitem><para>These are loaded from a central profile server</para></listitem> + <term>Group profiles</term> <listitem><para>These are loaded from a central profile + server.</para></listitem> </varlistentry> <varlistentry> - <term>Mandatory profiles</term> - <listitem><para> - Mandatory profiles can be created for a user as well as for any group that a user - is a member of. Mandatory profiles can NOT be changed by ordinary users. Only the administrator - can change or reconfigure a mandatory profile. - </para></listitem> + <term>Mandatory profiles</term> <listitem><para> Mandatory profiles can be created for + a user as well as for any group that a user is a member of. Mandatory profiles cannot be + changed by ordinary users. Only the administrator can change or reconfigure a mandatory + profile. </para></listitem> </varlistentry> </variablelist> -<para> -A WinNT4/2K/XP profile can vary in size from 130KB to off the scale. -Outlook PST files are most often part of the profile and can be many GB in -size. On average (in a well controlled environment) roaming profile size of -2MB is a good rule of thumb to use for planning purposes. In an -undisciplined environment I have seen up to 2GB profiles. Users tend to -complain when it take an hour to log onto a workstation but they harvest -the fruits of folly (and ignorance). -</para> +<para> A Windows NT4/200x/XP profile can vary in size from 130KB to very large. Outlook PST files are +most often part of the profile and can be many GB in size. On average (in a well controlled environment), +roaming profile size of 2MB is a good rule of thumb to use for planning purposes. In an undisciplined +environment, I have seen up to 2GB profiles. Users tend to complain when it takes an hour to log onto a +workstation but they harvest the fruits of folly (and ignorance). </para> -<para> -The point of all the above is to show that roaming profiles and good -controls of how they can be changed as well as good discipline make up for -a problem free site. -</para> +<para> The point of all the above is to show that roaming profiles and good controls of how they can be +changed as well as good discipline make up for a problem-free site. </para> -<para> -Microsoft's answer to the PST problem is to store all email in an MS -Exchange Server back-end. This removes the need for a PST file. -</para> +<para> Microsoft's answer to the PST problem is to store all email in an MS Exchange Server backend. This +removes the need for a PST file. </para> -<para> -LOCAL profiles mean: -</para> +<para>Local profiles mean: </para> <itemizedlist> - <listitem><para>If each machine is used my many users then much local disk storage is needed for local profiles</para></listitem> - <listitem><para>Every workstation the user logs into has it's own profile, these can be very different from machine to machine</para></listitem> + <listitem><para>If each machine is used by many users, then much local disk storage is needed + for local profiles.</para></listitem> <listitem><para>Every workstation the user logs into has + its own profile; these can be very different from machine to machine.</para></listitem> </itemizedlist> -<para> -On the other hand, use of roaming profiles means: -</para> +<para> On the other hand, use of roaming profiles means: </para> <itemizedlist> <listitem><para>The network administrator can control the desktop environment of all users.</para></listitem> - <listitem><para>Use of mandatory profiles drasitcally reduces network management overheads.</para></listitem> - <listitem><para>In the long run users will be experience fewer problems.</para></listitem> + <listitem><para>Use of mandatory profiles drastically reduces network management overheads.</para></listitem> + <listitem><para>In the long run, users will experience fewer problems.</para></listitem> </itemizedlist> </sect2> <sect2> -<title>Changing the default profile</title> +<title>Changing the Default Profile</title> -<para> -<emphasis>Question:</emphasis> -<quote> -When the client logs onto the domain controller it searches for a profile to download, -where do I put this default profile? -</quote></para> +<para><quote>When the client logs onto the Domain Controller, it searches +for a profile to download. Where do I put this default profile?</quote></para> <para> -Firstly, the samba server needs to be configured as a domain controller. -This can be done by setting in &smb.conf;: -</para> +<indexterm><primary>default profile</primary></indexterm> +First, the Samba server needs to be configured as a Domain Controller. This can be done by +setting in &smb.conf;: </para> <smbconfblock> <smbconfoption><name>security</name><value>user</value></smbconfoption> @@ -1317,39 +1068,28 @@ This can be done by setting in &smb.conf;: <smbconfoption><name>domain logons</name><value>Yes</value></smbconfoption> </smbconfblock> -<para> -There must be an <smbconfsection>[netlogon]</smbconfsection> share that is world readable. -It is a good idea to add a logon script to pre-set printer and -drive connections. There is also a facility for automatically -synchronizing the workstation time clock with that of the logon -server (another good thing to do). -</para> +<para> There must be a <smbconfsection>[netlogon]</smbconfsection> share that is world readable. It is +a good idea to add a logon script to pre-set printer and drive connections. There is also a facility +for automatically synchronizing the workstation time clock with that of the logon server (another good +thing to do). </para> -<note><para> -To invoke auto-deletion of roaming profile from the local -workstation cache (disk storage) use the <application>Group Policy Editor</application> -to create a file called <filename>NTConfig.POL</filename> with the appropriate entries. This -file needs to be located in the <smbconfsection>netlogon</smbconfsection> share root directory.</para></note> +<note><para> To invoke auto-deletion of roaming profile from the local workstation cache (disk storage), use +the <application>Group Policy Editor</application> to create a file called <filename>NTConfig.POL</filename> +with the appropriate entries. This file needs to be located in the <smbconfsection>netlogon</smbconfsection> +share root directory.</para></note> -<para> -Windows clients need to be members of the domain. Workgroup machines do NOT use network logons so -they do not interoperate with domain profiles. -</para> +<para> Windows clients need to be members of the domain. Workgroup machines do not use network logons +so they do not interoperate with domain profiles. </para> -<para> -For roaming profiles add to &smb.conf;: -</para> +<para> For roaming profiles, add to &smb.conf;: </para> -<para> <smbconfblock> <smbconfoption><name>logon path</name><value>\\%N\profiles\%U</value></smbconfoption> <smbconfcomment>Default logon drive is Z:</smbconfcomment> <smbconfoption><name>logon drive</name><value>H:</value></smbconfoption> <smbconfcomment>This requires a PROFILES share that is world writable.</smbconfcomment> </smbconfblock> -</para> </sect2> </sect1> - </chapter> |