author | Jelmer Vernooij <jelmer@samba.org> | 2003-08-13 06:07:10 +0000 |
---|---|---|
committer | Jelmer Vernooij <jelmer@samba.org> | 2003-08-13 06:07:10 +0000 |
commit | f62eaeb1a5add34ee7353d0d95db3c84a5c71c22 (patch) | |
tree | 10cf7e89e5a1ec800b7f30f731cbd4f4ebf5f13d /docs/htmldocs/ProfileMgmt.html | |
parent | 879573e127150d258bc7ad9526f273c9c846da99 (diff) | |
download | samba-f62eaeb1a5add34ee7353d0d95db3c84a5c71c22.tar.gz samba-f62eaeb1a5add34ee7353d0d95db3c84a5c71c22.tar.bz2 samba-f62eaeb1a5add34ee7353d0d95db3c84a5c71c22.zip |
regenerate
(This used to be commit 75a8a906e8031b50e6583f2e0354073a8aa7f5f3)
Diffstat (limited to 'docs/htmldocs/ProfileMgmt.html')
-rw-r--r-- | docs/htmldocs/ProfileMgmt.html | 652 |
1 files changed, 652 insertions, 0 deletions
diff --git a/docs/htmldocs/ProfileMgmt.html b/docs/htmldocs/ProfileMgmt.html new file mode 100644 index 0000000000..765ae4b0c4 --- /dev/null +++ b/docs/htmldocs/ProfileMgmt.html 
@@ -0,0 +1,652 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Desktop Profile Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-doc.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"><link rel="next" href="pam.html" title="Chapter 25. PAM based Distributed Authentication"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Desktop Profile Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ProfileMgmt"></a>Chapter 24. 
Desktop Profile Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ProfileMgmt.html#id2945611">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2945646">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2945686">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2946178">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2947427">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt><a href="ProfileMgmt.html#id2947512">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2947770">Mandatory profiles</a></dt><dt><a href="ProfileMgmt.html#id2947828">Creating/Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2947873">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2947893">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2948045">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2948600">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2949100">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2949130">Setting up roaming profiles for just a few user's or group's?</a></dt><dt><a href="ProfileMgmt.html#id2949201">Can NOT use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2949414">Changing the default profile</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a 
name="id2945611"></a>Features and Benefits</h2></div></div><div></div></div><p> +Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for +some administrators. +</p><p> +Roaming Profiles allow an administrator to make available a consistent user desktop +as the user moves from one machine to another. This chapter provides much information +regarding how to configure and manage Roaming Profiles. +</p><p> +While Roaming Profiles might sound like nirvana to some, they are a real and tangible +problem to others. In particular, users of mobile computing tools, where often there may not +be a sustained network connection, are often better served by purely Local Profiles. +This chapter provides information to help the Samba administrator to deal with those +situations also. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2945646"></a>Roaming Profiles</h2></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> +Roaming profiles support is different for Win9x / Me and Windows NT4/200x. +</p></div><p> +Before discussing how to configure roaming profiles, it is useful to see how +Windows 9x / Me and Windows NT4/200x clients implement these features. +</p><p> +Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's +profiles location. However, the response does not have room for a separate +profiles location field, only the user's home share. This means that Win9X/Me +profiles are restricted to being stored in the user's home directory. +</p><p> +Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields, +including a separate field for the location of the user's profiles. 
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2945686"></a>Samba Configuration for Profile Handling</h3></div></div><div></div></div><p> +This section documents how to configure Samba for MS Windows client profile support. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2945699"></a>NT4/200x User Profiles</h4></div></div><div></div></div><p> +To support Windows NT4/200x clients, in the [global] section of smb.conf set the +following (for example): +</p><p> +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</tt></i></td></tr></table><p> + + This is typically implemented like: + +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon path = \\%L\Profiles\%u</tt></i></td></tr></table><p> +where %L translates to the name of the Samba server and %u translates to the user name +</p><p> +The default for this option is <tt class="filename">\\%N\%U\profile</tt>, +namely <tt class="filename">\\sambaserver\username\profile</tt>. +The <tt class="filename">\\N%\%U</tt> service is created automatically by the [homes] service. If you are using +a samba server for the profiles, you _must_ make the share specified in the logon path +browseable. Please refer to the man page for <tt class="filename">smb.conf</tt> in respect of the different +semantics of %L and %N, as well as %U and %u. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +MS Windows NT/2K clients at times do not disconnect a connection to a server +between logons. It is recommended to NOT use the <i class="parameter"><tt>homes</tt></i> +meta-service name as part of the profile share path. 
+</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2945807"></a>Windows 9x / Me User Profiles</h4></div></div><div></div></div><p> + To support Windows 9x / Me clients, you must use the <a class="indexterm" name="id2945819"></a><i class="parameter"><tt>logon home</tt></i> parameter. Samba has +now been fixed so that <b class="userinput"><tt>net use /home</tt></b> now works as well, and it, too, relies +on the <b class="command">logon home</b> parameter. +</p><p> +By using the logon home parameter, you are restricted to putting Win9x / Me +profiles in the user's home directory. But wait! There is a trick you +can use. If you set the following in the <i class="parameter"><tt>[global]</tt></i> section of your <tt class="filename">smb.conf</tt> file: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon home = \\%L\%U\.profiles</tt></i></td></tr></table><p> +then your Windows 9x / Me clients will dutifully put their clients in a subdirectory +of your home directory called <tt class="filename">.profiles</tt> (thus making them hidden). +</p><p> +Not only that, but <b class="userinput"><tt>net use /home</tt></b> will also work, because of a feature in +Windows 9x / Me. It removes any directory stuff off the end of the home directory area +and only uses the server and share portion. That is, it looks like you +specified <tt class="filename">\\%L\%U</tt> for <a class="indexterm" name="id2945923"></a><i class="parameter"><tt>logon home</tt></i>. 
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2945938"></a>Mixed Windows 9x / Me and Windows NT4/200x User Profiles</h4></div></div><div></div></div><p> +You can support profiles for both Win9X and WinNT clients by setting both the +<a class="indexterm" name="id2945951"></a><i class="parameter"><tt>logon home</tt></i> and <a class="indexterm" name="id2945965"></a><i class="parameter"><tt>logon path</tt></i> parameters. For example: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon home = \\%L\%u\.profiles</tt></i></td></tr><tr><td><i class="parameter"><tt>logon path = \\%L\profiles\%u</tt></i></td></tr></table></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2946006"></a>Disabling Roaming Profile Support</h4></div></div><div></div></div><p> + A question often asked is “<span class="quote">How may I enforce use of local profiles?</span>” or + “<span class="quote">How do I disable Roaming Profiles?</span>” +</p><p> +There are three ways of doing this: +</p><div class="variablelist"><dl><dt><span class="term">In <tt class="filename">smb.conf</tt></span></dt><dd><p> + Affect the following settings and ALL clients + will be forced to use a local profile: + </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon home</tt></i></td></tr><tr><td><i class="parameter"><tt>logon path</tt></i></td></tr></table><p> + </p></dd><dt><span class="term">MS Windows Registry:</span></dt><dd><p> + By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. 
The full path to the option is: + + + </p><pre class="programlisting"> + Local Computer Policy\ + Computer Configuration\ + Administrative Templates\ + System\ + User Profiles\ + + Disable: Only Allow Local User Profiles + Disable: Prevent Roaming Profile Change from Propagating to the Server + </pre><p> + </p></dd><dt><span class="term">Change of Profile Type:</span></dt><dd><p> + From the start menu right click on the + My Computer icon, select <span class="guimenuitem">Properties</span>, click on the <span class="guilabel">User Profiles</span> + tab, select the profile you wish to change from Roaming type to Local, click <span class="guibutton">Change Type</span>. + </p></dd></dl></div><p> +Consult the MS Windows registry guide for your particular MS Windows version for more +information about which registry keys to change to enforce use of only local user +profiles. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +The specifics of how to convert a local profile to a roaming profile, or a roaming profile +to a local one vary according to the version of MS Windows you are running. Consult the +Microsoft MS Windows Resource Kit for your version of Windows for specific information. +</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2946178"></a>Windows Client Profile Configuration Information</h3></div></div><div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2946186"></a>Windows 9x / Me Profile Setup</h4></div></div><div></div></div><p> +When a user first logs in on Windows 9X, the file user.DAT is created, +as are folders <tt class="filename">Start Menu</tt>, <tt class="filename">Desktop</tt>, +<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt>. 
+These directories and their contents will be merged with the local +versions stored in <tt class="filename">c:\windows\profiles\username</tt> on subsequent logins, +taking the most recent from each. You will need to use the <i class="parameter"><tt>[global]</tt></i> +options <a class="indexterm" name="id2946240"></a><i class="parameter"><tt>preserve case</tt></i> = yes, <a class="indexterm" name="id2946255"></a><i class="parameter"><tt>short preserve case</tt></i> = yes and +<a class="indexterm" name="id2946269"></a><i class="parameter"><tt>case sensitive</tt></i> = no in order to maintain capital letters in shortcuts +in any of the profile folders. +</p><p> +The user.DAT file contains all the user's preferences. If you wish to +enforce a set of preferences, rename their user.DAT file to user.MAN, +and deny them write access to this file. +</p><div class="orderedlist"><ol type="1"><li><p> + On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -> <span class="guimenuitem">Passwords</span> and + select the <span class="guilabel">User Profiles</span> tab. Select the required level of + roaming preferences. Press <span class="guibutton">OK</span>, but do _not_ allow the computer + to reboot. + </p></li><li><p> + On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -> <span class="guimenuitem">Network</span> -> + <span class="guimenuitem">Client for Microsoft Networks</span> -> <span class="guilabel">Preferences</span>. Select <span class="guilabel">Log on to + NT Domain</span>. Then, ensure that the Primary Logon is <span class="guilabel">Client for + Microsoft Networks</span>. Press <span class="guibutton">OK</span>, and this time allow the computer + to reboot. + </p></li></ol></div><p> +Under Windows 9x / Me Profiles are downloaded from the Primary Logon. +If you have the Primary Logon as 'Client for Novell Networks', then +the profiles and logon script will be downloaded from your Novell +Server. 
If you have the Primary Logon as 'Windows Logon', then the +profiles will be loaded from the local machine - a bit against the +concept of roaming profiles, it would seem! +</p><p> +You will now find that the Microsoft Networks Login box contains +[user, password, domain] instead of just [user, password]. Type in +the samba server's domain name (or any other domain known to exist, +but bear in mind that the user will be authenticated against this +domain and profiles downloaded from it, if that domain logon server +supports it), user name and user's password. +</p><p> +Once the user has been successfully validated, the Windows 9x / Me machine +will inform you that <tt class="computeroutput">The user has not logged on before</tt> and asks you +<tt class="computeroutput">Do you wish to save the user's preferences?</tt>. Select <span class="guibutton">yes</span>. +</p><p> +Once the Windows 9x / Me client comes up with the desktop, you should be able +to examine the contents of the directory specified in the <a class="indexterm" name="id2946457"></a><i class="parameter"><tt>logon path</tt></i> +on the samba server and verify that the <tt class="filename">Desktop</tt>, <tt class="filename">Start Menu</tt>, +<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt> folders have been created. +</p><p> +These folders will be cached locally on the client, and updated when +the user logs off (if you haven't made them read-only by then). +You will find that if the user creates further folders or short-cuts, +that the client will merge the profile contents downloaded with the +contents of the profile directory already on the local client, taking +the newest folders and short-cuts from each set. +</p><p> +If you have made the folders / files read-only on the samba server, +then you will get errors from the Windows 9x / Me machine on logon and logout, as +it attempts to merge the local and the remote profile. 
Basically, if +you have any errors reported by the Windows 9x / Me machine, check the UNIX file +permissions and ownership rights on the profile directory contents, +on the samba server. +</p><p> +If you have problems creating user profiles, you can reset the user's +local desktop cache, as shown below. When this user then next logs in, +they will be told that they are logging in "for the first time". +</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p> + Before deleting the contents of the + directory listed in the ProfilePath (this is likely to be + <tt class="filename">c:\windows\profiles\username)</tt>, ask them if they + have any important files stored on their desktop or in their start menu. + Delete the contents of the directory ProfilePath (making a backup if any + of the files are needed). + </p><p> + This will have the effect of removing the local (read-only hidden + system file) user.DAT in their profile directory, as well as the + local "desktop", "nethood", "start menu" and "programs" folders. + </p></div><div class="orderedlist"><ol type="1"><li><p> + instead of logging in under the [user, password, domain] dialog, + press <span class="guibutton">escape</span>. + </p></li><li><p> + run the <b class="command">regedit.exe</b> program, and look in: + </p><p> + <tt class="filename">HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</tt> + </p><p> + you will find an entry, for each user, of ProfilePath. Note the + contents of this key (likely to be <tt class="filename">c:\windows\profiles\username</tt>), + then delete the key ProfilePath for the required user. + </p><p>[Exit the registry editor].</p></li><li><p> + search for the user's .PWL password-caching file in the <tt class="filename">c:\windows</tt> + directory, and delete it. + </p></li><li><p> + log off the windows 9x / Me client. 
+ </p></li><li><p> + check the contents of the profile path (see <a class="indexterm" name="id2946668"></a><i class="parameter"><tt>logon path</tt></i> described + above), and delete the <tt class="filename">user.DAT</tt> or <tt class="filename">user.MAN</tt> file for the user, + making a backup if required. + </p></li></ol></div><p> +If all else fails, increase samba's debug log levels to between 3 and 10, +and / or run a packet trace program such as ethereal or <b class="command">netmon.exe</b>, and +look for error messages. +</p><p> +If you have access to an Windows NT4/200x server, then first set up roaming profiles +and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine +the example packet traces provided with Windows NT4/200x server, and see what the +differences are with the equivalent samba trace. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2946726"></a>Windows NT4 Workstation</h4></div></div><div></div></div><p> +When a user first logs in to a Windows NT Workstation, the profile +NTuser.DAT is created. The profile location can be now specified +through the <a class="indexterm" name="id2946739"></a><i class="parameter"><tt>logon path</tt></i> parameter. +</p><p> +There is a parameter that is now available for use with NT Profiles: +<a class="indexterm" name="id2946758"></a><i class="parameter"><tt>logon drive</tt></i>. This should be set to <tt class="filename">H:</tt> or any other drive, and +should be used in conjunction with the new <a class="indexterm" name="id2946781"></a><i class="parameter"><tt>logon home</tt></i> parameter. +</p><p> +The entry for the NT4 profile is a _directory_ not a file. The NT +help on profiles mentions that a directory is also created with a .PDS +extension. The user, while logging in, must have write permission to +create the full profile path (and the folder with the .PDS extension +for those situations where it might be created.) 
+</p><p> +In the profile directory, Windows NT4 creates more folders than Windows 9x / Me. +It creates <tt class="filename">Application Data</tt> and others, as well as <tt class="filename">Desktop</tt>, <tt class="filename">Nethood</tt>, +<tt class="filename">Start Menu</tt> and <tt class="filename">Programs</tt>. The profile itself is stored in a file +<tt class="filename">NTuser.DAT</tt>. Nothing appears to be stored in the .PDS directory, and +its purpose is currently unknown. +</p><p> +You can use the <span class="application">System Control Panel</span> to copy a local profile onto +a samba server (see NT Help on profiles: it is also capable of firing +up the correct location in the <span class="application">System Control Panel</span> for you). The +NT Help file also mentions that renaming <tt class="filename">NTuser.DAT</tt> to <tt class="filename">NTuser.MAN</tt> +turns a profile into a mandatory one. +</p><p> +The case of the profile is significant. The file must be called +<tt class="filename">NTuser.DAT</tt> or, for a mandatory profile, <tt class="filename">NTuser.MAN</tt>. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2946911"></a>Windows 2000/XP Professional</h4></div></div><div></div></div><p> +You must first convert the profile from a local profile to a domain +profile on the MS Windows workstation as follows: +</p><div class="procedure"><ol type="1"><li><p> + Log on as the <span class="emphasis"><em>LOCAL</em></span> workstation administrator. 
+ </p></li><li><p> + Right click on the <span class="guiicon">My Computer</span> Icon, select <span class="guimenuitem">Properties</span> + </p></li><li><p> + Click on the <span class="guilabel">User Profiles</span> tab + </p></li><li><p> + Select the profile you wish to convert (click on it once) + </p></li><li><p> + Click on the button <span class="guibutton">Copy To</span> + </p></li><li><p> + In the <span class="guilabel">Permitted to use</span> box, click on the <span class="guibutton">Change</span> button. + </p></li><li><p> + Click on the 'Look in" area that lists the machine name, when you click + here it will open up a selection box. Click on the domain to which the + profile must be accessible. + </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You will need to log on if a logon box opens up. Eg: In the connect as: <i class="replaceable"><tt>DOMAIN</tt></i>\root, password: <i class="replaceable"><tt>mypassword</tt></i>.</p></div></li><li><p> + To make the profile capable of being used by anyone select 'Everyone' + </p></li><li><p> + Click <span class="guibutton">OK</span>. The Selection box will close. + </p></li><li><p> + Now click on the <span class="guibutton">Ok</span> button to create the profile in the path you + nominated. + </p></li></ol></div><p> +Done. You now have a profile that can be edited using the samba +<b class="command">profiles</b> tool. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Under NT/2K the use of mandatory profiles forces the use of MS Exchange +storage of mail data. That keeps desktop profiles usable. +</p></div><div class="procedure"><p class="title"><b>Procedure 24.2. Windows XP Service Pack 1</b></p><ol type="1"><li><p> +This is a security check new to Windows XP (or maybe only +Windows XP service pack 1). It can be disabled via a group policy in +Active Directory. 
The policy is:</p><p><tt class="filename">Computer Configuration\Administrative Templates\System\User +Profiles\Do not check for user ownership of Roaming Profile Folders</tt></p><p>...and it should be set to <tt class="constant">Enabled</tt>. +Does the new version of samba have an Active Directory analogue? If so, +then you may be able to set the policy through this. +</p><p> +If you cannot set group policies in samba, then you may be able to set +the policy locally on each machine. If you want to try this, then do +the following (N.B. I don't know for sure that this will work in the +same way as a domain group policy): +</p></li><li><p> +On the XP workstation log in with an Administrator account. +</p></li><li><p>Click: <span class="guimenu">Start</span>, <span class="guimenuitem">Run</span></p></li><li><p>Type: <b class="userinput"><tt>mmc</tt></b></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>A Microsoft Management Console should appear.</p></li><li><p>Click: <span class="guimenu">File</span>, <span class="guimenuitem">Add/Remove Snap-in...</span>, <span class="guimenuitem">Add</span></p></li><li><p>Double-Click: <span class="guiicon">Group Policy</span></p></li><li><p>Click: <span class="guibutton">Finish</span>, <span class="guibutton">Close</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>In the "Console Root" window:</p></li><li><p>Expand: <span class="guiicon">Local Computer Policy</span>, <span class="guiicon">Computer Configuration</span>, + <span class="guiicon">Administrative Templates</span>, <span class="guiicon">System</span>, <span class="guiicon">User Profiles</span></p></li><li><p>Double-Click: <span class="guilabel">Do not check for user ownership of Roaming Profile Folders</span></p></li><li><p>Select: <span class="guilabel">Enabled</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>Close the whole console. 
You do not need to save the settings (this + refers to the console settings rather than the policies you have + changed).</p></li><li><p>Reboot</p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947427"></a>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</h3></div></div><div></div></div><p> +Sharing of desktop profiles between Windows versions is NOT recommended. +Desktop profiles are an evolving phenomenon and profiles for later versions +of MS Windows clients add features that may interfere with earlier versions +of MS Windows clients. Probably the more salient reason to NOT mix profiles +is that when logging off an earlier version of MS Windows the older format +of profile contents may overwrite information that belongs to the newer +version resulting in loss of profile information content when that user logs +on again with the newer version of MS Windows. +</p><p> +If you then want to share the same Start Menu / Desktop with W9x/Me, you will +need to specify a common location for the profiles. The <tt class="filename">smb.conf</tt> parameters +that need to be common are <a class="indexterm" name="id2947463"></a><i class="parameter"><tt>logon path</tt></i> and +<a class="indexterm" name="id2947477"></a><i class="parameter"><tt>logon home</tt></i>. +</p><p> +If you have this set up correctly, you will find separate <tt class="filename">user.DAT</tt> and +<tt class="filename">NTuser.DAT</tt> files in the same profile directory. +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947512"></a>Profile Migration from Windows NT4/200x Server to Samba</h3></div></div><div></div></div><p> +There is nothing to stop you specifying any path that you like for the +location of users' profiles. 
Therefore, you could specify that the +profile be stored on a samba server, or any other SMB server, as long as +that SMB server supports encrypted passwords. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2947528"></a>Windows NT4 Profile Management Tools</h4></div></div><div></div></div><p> +Unfortunately, the Resource Kit information is specific to the version of MS Windows +NT4/200x. The correct resource kit is required for each platform. +</p><p> +Here is a quick guide: +</p><div class="procedure"><ol type="1"><li><p> +On your NT4 Domain Controller, right click on <span class="guiicon">My Computer</span>, then +select the tab labelled <span class="guilabel">User Profiles</span>. +</p></li><li><p> +Select a user profile you want to migrate and click on it. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>I am using the term "migrate" loosely. You can copy a profile to +create a group profile. You can give the user 'Everyone' rights to the +profile you copy this to. That is what you need to do, since your samba +domain is not a member of a trust relationship with your NT4 PDC.</p></div></li><li><p>Click the <span class="guibutton">Copy To</span> button.</p></li><li><p>In the box labelled <span class="guilabel">Copy Profile to</span> add your new path, eg: + <tt class="filename">c:\temp\foobar</tt></p></li><li><p>Click on the button <span class="guibutton">Change</span> in the <span class="guilabel">Permitted to use</span> box.</p></li><li><p>Click on the group 'Everyone' and then click <span class="guibutton">OK</span>. This closes the + 'choose user' box.</p></li><li><p>Now click <span class="guibutton">OK</span>.</p></li></ol></div><p> +Follow the above for every profile you need to migrate. 
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2947698"></a>Side bar Notes</h4></div></div><div></div></div><p> +You should obtain the SID of your NT4 domain. You can use smbpasswd to do +this. Read the man page.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2947712"></a>moveuser.exe</h4></div></div><div></div></div><p> +The W2K professional resource kit has moveuser.exe. moveuser.exe changes +the security of a profile from one user to another. This allows the account +domain to change, and/or the user name to change. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2947728"></a>Get SID</h4></div></div><div></div></div><p> +You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 +Resource Kit. +</p><p> +Windows NT 4.0 stores the local profile information in the registry under +the following key: +<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</tt> +</p><p> +Under the ProfileList key, there will be subkeys named with the SIDs of the +users who have logged on to this computer. (To find the profile information +for the user whose locally cached profile you want to move, find the SID for +the user with the GetSID.exe utility.) Inside of the appropriate user's +subkey, you will see a string value named ProfileImagePath. +</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2947770"></a>Mandatory profiles</h2></div></div><div></div></div><p> +A Mandatory Profile is a profile that the user does NOT have the ability to overwrite. +During the user's session it may be possible to change the desktop environment, but +as the user logs out all changes made will be lost. 
If it is desired to NOT allow the +user any ability to change the desktop environment then this must be done through +policy settings. See previous chapter. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +Under NO circumstances should the profile directory (or it's contents) be made read-only +as this may render the profile un-usable. +</p></div><p> +For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles +also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT +file in the copied profile and rename it to NTUser.MAN. +</p><p> +For MS Windows 9x / Me it is the <tt class="filename">User.DAT</tt> file that must be renamed to <tt class="filename">User.MAN</tt> to +affect a mandatory profile. +</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2947828"></a>Creating/Managing Group Profiles</h2></div></div><div></div></div><p> +Most organisations are arranged into departments. There is a nice benefit in +this fact since usually most users in a department will require the same desktop +applications and the same desktop layout. MS Windows NT4/200x/XP will allow the +use of Group Profiles. A Group Profile is a profile that is created firstly using +a template (example) user. Then using the profile migration tool (see above) the +profile is assigned access rights for the user group that needs to be given access +to the group profile. +</p><p> +The next step is rather important. <span class="emphasis"><em>Please note:</em></span> Instead of assigning a group profile +to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned +the now modified profile. 
+</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + Be careful with group profiles, if the user who is a member of a group also + has a personal profile, then the result will be a fusion (merge) of the two. + </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2947873"></a>Default Profile for Windows Users</h2></div></div><div></div></div><p> +MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom +a profile does not already exist. Armed with a knowledge of where the default profile +is located on the Windows workstation, and knowing which registry keys affect the path +from which the default profile is created, it is possible to modify the default profile +to one that has been optimised for the site. This has significant administrative +advantages. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947893"></a>MS Windows 9x/Me</h3></div></div><div></div></div><p> +To enable default per use profiles in Windows 9x / Me you can either use the <span class="application">Windows 98 System +Policy Editor</span> or change the registry directly. +</p><p> +To enable default per user profiles in Windows 9x / Me, launch the <span class="application">System Policy Editor</span>, then +select <span class="guimenu">File</span> -> <span class="guimenuitem">Open Registry</span>, then click on the +<span class="guiicon">Local Computer</span> icon, click on <span class="guilabel">Windows 98 System</span>, +select <span class="guilabel">User Profiles</span>, click on the enable box. Do not forget to save the registry changes. +</p><p> +To modify the registry directly, launch the <span class="application">Registry Editor</span> (<b class="command">regedit.exe</b>), select the hive +<tt class="filename">HKEY_LOCAL_MACHINE\Network\Logon</tt>. 
Now add a DWORD type key with the name +"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0. +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2947996"></a>How User Profiles Are Handled in Windows 9x / Me?</h4></div></div><div></div></div><p> +When a user logs on to a Windows 9x / Me machine, the local profile path, +<tt class="filename">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</tt>, is checked +for an existing entry for that user: +</p><p> +If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached +version of the user profile. Windows 9x / Me also checks the user's home directory (or other +specified directory if the location has been modified) on the server for the User Profile. +If a profile exists in both locations, the newer of the two is used. If the User Profile exists +on the server, but does not exist on the local machine, the profile on the server is downloaded +and used. If the User Profile only exists on the local machine, that copy is used. +</p><p> +If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me +machine is used and is copied to a newly created folder for the logged on user. At log off, any +changes that the user made are written to the user's local profile. If the user has a roaming +profile, the changes are written to the user's profile on the server. +</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2948045"></a>MS Windows NT4 Workstation</h3></div></div><div></div></div><p> +On MS Windows NT4 the default user profile is obtained from the location +<tt class="filename">%SystemRoot%\Profiles</tt> which in a default installation will translate to +<tt class="filename">C:\WinNT\Profiles</tt>. 
Under this directory on a clean install there will be +three (3) directories: <tt class="filename">Administrator</tt>, <tt class="filename">All Users</tt>, <tt class="filename">Default User</tt>. +</p><p> +The <tt class="filename">All Users</tt> directory contains menu settings that are common across all +system users. The <tt class="filename">Default User</tt> directory contains menu entries that are +customisable per user depending on the profile settings chosen/created. +</p><p> +When a new user first logs onto an MS Windows NT4 machine a new profile is created from: +</p><div class="itemizedlist"><ul type="disc"><li><p>All Users settings</p></li><li><p>Default User settings (contains the default NTUser.DAT file)</p></li></ul></div><p> +When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain +the following steps are followed in respect of profile handling: +</p><div class="procedure"><ol type="1"><li><p> + The users' account information which is obtained during the logon process contains + the location of the users' desktop profile. The profile path may be local to the + machine or it may be located on a network share. If there exists a profile at the location + of the path from the user account, then this profile is copied to the location + <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>. This profile then inherits the + settings in the <tt class="filename">All Users</tt> profile in the <tt class="filename">%SystemRoot%\Profiles</tt> + location. + </p></li><li><p> + If the user account has a profile path, but at it's location a profile does not exist, + then a new profile is created in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt> + directory from reading the <tt class="filename">Default User</tt> profile. 
+ </p></li><li><p> + If the NETLOGON share on the authenticating server (logon server) contains a policy file + (<tt class="filename">NTConfig.POL</tt>) then it's contents are applied to the <tt class="filename">NTUser.DAT</tt> + which is applied to the <tt class="filename">HKEY_CURRENT_USER</tt> part of the registry. + </p></li><li><p> + When the user logs out, if the profile is set to be a roaming profile it will be written + out to the location of the profile. The <tt class="filename">NTuser.DAT</tt> file is then + re-created from the contents of the <tt class="filename">HKEY_CURRENT_USER</tt> contents. + Thus, should there not exist in the NETLOGON share an <tt class="filename">NTConfig.POL</tt> at the + next logon, the effect of the previous <tt class="filename">NTConfig.POL</tt> will still be held + in the profile. The effect of this is known as <span class="emphasis"><em>tatooing</em></span>. + </p></li></ol></div><p> +MS Windows NT4 profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>. A Local profile +will stored in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt> location. A roaming profile will +also remain stored in the same way, unless the following registry key is created: +</p><p> +</p><pre class="programlisting"> +HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ +winlogon\"DeleteRoamingCache"=dword:00000001 +</pre><p> + +In which case, the local copy (in <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>) will be +deleted on logout. +</p><p> +Under MS Windows NT4 default locations for common resources (like <tt class="filename">My Documents</tt> +may be redirected to a network share by modifying the following registry keys. These changes may be affected +via use of the System Policy Editor (to do so may require that you create your owns template extension +for the policy editor to allow this to be done through the GUI. 
Another way to do this is by way of first +creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings. +</p><p> +The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows NT4 is: +</p><p> +<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt> +</p><p> +The above hive key contains a list of automatically managed folders. The default entries are: +</p><p> +</p><div class="table"><a name="id2948397"></a><p class="title"><b>Table 24.1. User Shell Folder registry keys default values</b></p><table summary="User Shell Folder registry keys default values" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu </td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr></tbody></table></div><p> +</p><p> +The registry key that contains the location of the default profile settings is: +</p><p> +<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</tt> +</p><p> +The default entries are: + +</p><div class="table"><a name="id2948541"></a><p class="title"><b>Table 24.2. 
Defaults of profile settings registry keys</b></p><table summary="Defaults of profile settings registry keys" border="1"><colgroup><col><col></colgroup><tbody><tr><td>Common Desktop</td><td>%SystemRoot%\Profiles\All Users\Desktop</td></tr><tr><td>Common Programs</td><td>%SystemRoot%\Profiles\All Users\Programs</td></tr><tr><td>Common Start Menu</td><td>%SystemRoot%\Profiles\All Users\Start Menu</td></tr><tr><td>Common Startup</td><td>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</td></tr></tbody></table></div><p> +</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2948600"></a>MS Windows 200x/XP</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + MS Windows XP Home Edition does use default per user profiles, but can not participate + in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile + only from itself. While there are benefits in doing this the beauty of those MS Windows + clients that CAN participate in domain logon processes allows the administrator to create + a global default profile and to enforce it through the use of Group Policy Objects (GPOs). + </p></div><p> +When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from +<tt class="filename">C:\Documents and Settings\Default User</tt>. The administrator can modify (or change +the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum +arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client +workstation. +</p><p> +When MS Windows 200x/XP participate in a domain security context, and if the default user +profile is not found, then the client will search for a default profile in the NETLOGON share +of the authenticating server. 
ie: In MS Windows parlance: +<tt class="filename">%LOGONSERVER%\NETLOGON\Default User</tt> and if one exits there it will copy this +to the workstation to the <tt class="filename">C:\Documents and Settings\</tt> under the Windows +login name of the user. +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> + This path translates, in Samba parlance, to the <tt class="filename">smb.conf</tt> <i class="parameter"><tt>[NETLOGON]</tt></i> share. The directory + should be created at the root of this share and must be called <tt class="filename">Default Profile</tt>. + </p></div><p> +If a default profile does not exist in this location then MS Windows 200x/XP will use the local +default profile. +</p><p> +On logging out, the users' desktop profile will be stored to the location specified in the registry +settings that pertain to the user. If no specific policies have been created, or passed to the client +during the login process (as Samba does automatically), then the user's profile will be written to +the local machine only under the path <tt class="filename">C:\Documents and Settings\%USERNAME%</tt>. +</p><p> +Those wishing to modify the default behaviour can do so through three methods: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Modify the registry keys on the local machine manually and place the new default profile in the + NETLOGON share root - NOT recommended as it is maintenance intensive. + </p></li><li><p> + Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file + in the root of the NETLOGON share along with the new default profile. + </p></li><li><p> + Create a GPO that enforces this through Active Directory, and place the new default profile + in the NETLOGON share. 
+ </p></li></ul></div><p> +The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows 200x/XP is: +</p><p> +<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt> +</p><p> +The above hive key contains a list of automatically managed folders. The default entries are: +</p><p> +</p><div class="table"><a name="id2948802"></a><p class="title"><b>Table 24.3. Defaults of default user profile paths registry keys</b></p><table summary="Defaults of default user profile paths registry keys" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Cache</td><td>%USERPROFILE%\Local Settings\Temporary Internet Files</td></tr><tr><td>Cookies</td><td>%USERPROFILE%\Cookies</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>History</td><td>%USERPROFILE%\Local Settings\History</td></tr><tr><td>Local AppData</td><td>%USERPROFILE%\Local Settings\Application Data</td></tr><tr><td>Local Settings</td><td>%USERPROFILE%\Local Settings</td></tr><tr><td>My Pictures</td><td>%USERPROFILE%\My Documents\My Pictures</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>Personal</td><td>%USERPROFILE%\My Documents</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu</td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr><tr><td>Templates</td><td>%USERPROFILE%\Templates</td></tr></tbody></table></div><p> +</p><p> +There is also an entry called "Default" that has no value set. 
The default entry is of type <tt class="constant">REG_SZ</tt>, all +the others are of type <tt class="constant">REG_EXPAND_SZ</tt>. +</p><p> +It makes a huge difference to the speed of handling roaming user profiles if all the folders are +stored on a dedicated location on a network server. This means that it will NOT be necessary to +write the Outlook PST file over the network for every login and logout. +</p><p> +To set this to a network location you could use the following examples: +</p><p><tt class="filename">%LOGONSERVER%\%USERNAME%\Default Folders</tt></p><p> +This would store the folders in the user's home directory under a directory called <tt class="filename">Default Folders</tt> +You could also use: +</p><p><tt class="filename">\\<i class="replaceable"><tt>SambaServer</tt></i>\<i class="replaceable"><tt>FolderShare</tt></i>\%USERNAME%</tt></p><p> + in which case the default folders will be stored in the server named <i class="replaceable"><tt>SambaServer</tt></i> +in the share called <i class="replaceable"><tt>FolderShare</tt></i> under a directory that has the name of the MS Windows +user as seen by the Linux/UNIX file system. +</p><p> +Please note that once you have created a default profile share, you MUST migrate a user's profile +(default or custom) to it. +</p><p> +MS Windows 200x/XP profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>. +A roaming profile will be cached locally unless the following registry key is created: +</p><p> +</p><pre class="programlisting"> +HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ + winlogon\"DeleteRoamingCache"=dword:00000001</pre><p> +In which case, the local cache copy will be deleted on logout. 
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2949100"></a>Common Errors</h2></div></div><div></div></div><p> +The following are some typical errors/problems/questions that have been asked. +</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949130"></a>Setting up roaming profiles for just a few user's or group's?</h3></div></div><div></div></div><p> +With samba-2.2.x the choice you have is to enable or disable roaming +profiles support. It is a global only setting. The default is to have +roaming profiles and the default path will locate them in the user's home +directory. +</p><p> +If disabled globally then no-one will have roaming profile ability. +If enabled and you want it to apply only to certain machines, then on +those machines on which roaming profile support is NOT wanted it is then +necessary to disable roaming profile handling in the registry of each such +machine. +</p><p> +With samba-3 you can have a global profile +setting in <tt class="filename">smb.conf</tt> _AND_ you can over-ride this by per-user settings +using the Domain User Manager (as with MS Windows NT4/ Win 2Kx). +</p><p> +In any case, you can configure only one profile per user. That profile can +be either: +</p><div class="itemizedlist"><ul type="disc"><li><p>A profile unique to that user</p></li><li><p>A mandatory profile (one the user can not change)</p></li><li><p>A group profile (really should be mandatory ie:unchangable)</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949201"></a>Can NOT use Roaming Profiles</h3></div></div><div></div></div><p> +A user requested the following: +“<span class="quote"> +I do not want Roaming profiles to be implemented. I want to give users a local profile alone. ... +Please help me I am totally lost with this error. 
For the past two days I tried everything, I googled +around but found no useful pointers. Please help me. +</span>”</p><p> +The choices are: +</p><div class="variablelist"><dl><dt><span class="term">Local profiles:</span></dt><dd><p> + I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out + </p></dd><dt><span class="term">Roaming profiles:</span></dt><dd><p> + As a user logs onto the network a centrally stored profile is copied to the workstation + to form a local profile. This local profile will persist (remain on the workstation disk) + unless a registry key is changed that will cause this profile to be automatically deleted + on logout. + </p></dd></dl></div><p> +The <span class="emphasis"><em>Roaming Profile</em></span> choices are: +</p><div class="variablelist"><dl><dt><span class="term">Personal Roaming profiles</span></dt><dd><p> + These are typically stored in a profile share on a central (or conveniently located + local) server. + </p><p> + Workstations 'cache' (store) a local copy of the profile. This cached copy is used when + the profile can not be downloaded at next logon. + </p></dd><dt><span class="term">Group profiles</span></dt><dd><p>These are loaded from a central profile server</p></dd><dt><span class="term">Mandatory profiles</span></dt><dd><p> + Mandatory profiles can be created for a user as well as for any group that a user + is a member of. Mandatory profiles can NOT be changed by ordinary users. Only the administrator + can change or reconfigure a mandatory profile. + </p></dd></dl></div><p> +A WinNT4/2K/XP profile can vary in size from 130KB to off the scale. +Outlook PST files are most often part of the profile and can be many GB in +size. On average (in a well controlled environment) roaming profile size of +2MB is a good rule of thumb to use for planning purposes. In an +undisciplined environment I have seen up to 2GB profiles. 
Users tend to +complain when it take an hour to log onto a workstation but they harvest +the fruits of folly (and ignorance). +</p><p> +The point of all the above is to show that roaming profiles and good +controls of how they can be changed as well as good discipline make up for +a problem free site. +</p><p> +Microsoft's answer to the PST problem is to store all email in an MS +Exchange Server back-end. This removes the need for a PST file. +</p><p> +LOCAL profiles mean: +</p><div class="itemizedlist"><ul type="disc"><li><p>If each machine is used my many users then much local disk storage is needed for local profiles</p></li><li><p>Every workstation the user logs into has it's own profile, these can be very different from machine to machine</p></li></ul></div><p> +On the other hand, use of roaming profiles means: +</p><div class="itemizedlist"><ul type="disc"><li><p>The network administrator can control the desktop environment of all users.</p></li><li><p>Use of mandatory profiles drasitcally reduces network management overheads.</p></li><li><p>In the long run users will be experience fewer problems.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949414"></a>Changing the default profile</h3></div></div><div></div></div><p> +<span class="emphasis"><em>Question:</em></span> +“<span class="quote"> +When the client logs onto the domain controller it searches for a profile to download, +where do I put this default profile? +</span>”</p><p> +Firstly, the samba server needs to be configured as a domain controller. 
+This can be done by setting in <tt class="filename">smb.conf</tt>: +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security = user</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 32 (or more)</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = Yes</tt></i></td></tr></table><p> +There must be an <i class="parameter"><tt>[netlogon]</tt></i> share that is world readable. +It is a good idea to add a logon script to pre-set printer and +drive connections. There is also a facility for automatically +synchronizing the workstation time clock with that of the logon +server (another good thing to do). +</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> +To invoke auto-deletion of roaming profile from the local +workstation cache (disk storage) use the <span class="application">Group Policy Editor</span> +to create a file called <tt class="filename">NTConfig.POL</tt> with the appropriate entries. This +file needs to be located in the <i class="parameter"><tt>netlogon</tt></i> share root directory.</p></div><p> +Windows clients need to be members of the domain. Workgroup machines do NOT use network logons so +they do not interoperate with domain profiles. 
+</p><p> +For roaming profiles add to <tt class="filename">smb.conf</tt>: +</p><p> +</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon path = \\%N\profiles\%U</tt></i></td></tr><tr><td># Default logon drive is Z:</td></tr><tr><td><i class="parameter"><tt>logon drive = H:</tt></i></td></tr><tr><td># This requires a PROFILES share that is world writable.</td></tr></table><p> +</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 23. System and Account Policies </td><td width="20%" align="center"><a accesskey="h" href="samba-doc.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 25. PAM based Distributed Authentication</td></tr></table></div></body></html> |
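Review bot: The Note in the "MS Windows 200x/XP" section contradicts the sentence it follows: the text says the client looks for `%LOGONSERVER%\NETLOGON\Default User`, but the Note then says the directory "must be called Default Profile", so an administrator following the Note creates a directory the client never looks at; use one name in both places (Default User matches both the path quoted above it and the `C:\Documents and Settings\Default User` location given earlier). Two further points in the same region: both `DeleteRoamingCache` listings (NT4 and 200x/XP) place the Winlogon key under `HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\`, while every other Windows NT key on the page (ProfileList, User Shell Folders) is correctly given under `HKEY_LOCAL_MACHINE\SOFTWARE\`; Winlogon lives under SOFTWARE as well, so the `SYSTEM\Software` prefix should be corrected before readers paste it. And the closing smb.conf fragment states "This requires a PROFILES share that is world writable" without saying what that implies for the per-user directories under `\\%N\profiles\%U`: a profile directory and its NTUser.DAT must not be readable or writable by other domain users, so the text should add that the share needs restrictive permissions (for example `create mask = 0600` and `directory mask = 0700`, with each directory owned by its user) so that only the owning user and root can read or alter a profile. Minor: Table 24.2 lacks the Name/Default Value header row that Tables 24.1 and 24.3 have, and several typos should be fixed in the DocBook source rather than in this generated HTML ("tatooing" for tattooing, "drasitcally", "users will be experience fewer problems", "create your owns template extension", and "it's" for "its" in several places).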