author Gerald Carter <jerry@samba.org> 2003-09-24 15:05:22 +0000
committer Gerald Carter <jerry@samba.org> 2003-09-24 15:05:22 +0000
commit 293421f3c64a2adff7dc15f7ad3adb6120c9fd16 (patch)
tree b18b6e0cda6e04dac9f47ab9fdb661f1dfa65b7b /docs/htmldocs/ProfileMgmt.html
parent 43004ba8830874a8ab02bc755b1e99160af982b5 (diff)
syncing up docs, examples, & packaging from 3.0
(This used to be commit dd1348c566b4700ea01bd89639e2d3330c878167)
Diffstat (limited to 'docs/htmldocs/ProfileMgmt.html')
-rw-r--r-- docs/htmldocs/ProfileMgmt.html 1005
1 files changed, 398 insertions, 607 deletions
diff --git a/docs/htmldocs/ProfileMgmt.html b/docs/htmldocs/ProfileMgmt.html
index 765ae4b0c4..9947526194 100644
--- a/docs/htmldocs/ProfileMgmt.html
+++ b/docs/htmldocs/ProfileMgmt.html
@@ -1,652 +1,443 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Desktop Profile Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-doc.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"><link rel="next" href="pam.html" title="Chapter 25. PAM based Distributed Authentication"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Desktop Profile Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ProfileMgmt"></a>Chapter 24. 
Desktop Profile Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ProfileMgmt.html#id2945611">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2945646">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2945686">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2946178">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2947427">Sharing Profiles between W9x/Me and NT4/200x/XP workstations</a></dt><dt><a href="ProfileMgmt.html#id2947512">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2947770">Mandatory profiles</a></dt><dt><a href="ProfileMgmt.html#id2947828">Creating/Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2947873">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2947893">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2948045">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2948600">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2949100">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2949130">Setting up roaming profiles for just a few user's or group's?</a></dt><dt><a href="ProfileMgmt.html#id2949201">Can NOT use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2949414">Changing the default profile</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a 
name="id2945611"></a>Features and Benefits</h2></div></div><div></div></div><p>
-Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 24. Desktop Profile Management</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="index.html" title="SAMBA Project Documentation"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="previous" href="PolicyMgmt.html" title="Chapter 23. System and Account Policies"><link rel="next" href="pam.html" title="Chapter 25. PAM-Based Distributed Authentication"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 24. Desktop Profile Management</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ProfileMgmt"></a>Chapter 24. 
Desktop Profile Management</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">April 3 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="ProfileMgmt.html#id2954425">Features and Benefits</a></dt><dt><a href="ProfileMgmt.html#id2954459">Roaming Profiles</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2954500">Samba Configuration for Profile Handling</a></dt><dt><a href="ProfileMgmt.html#id2955058">Windows Client Profile Configuration Information</a></dt><dt><a href="ProfileMgmt.html#id2956404">Sharing Profiles between W9x/Me and NT4/200x/XP Workstations</a></dt><dt><a href="ProfileMgmt.html#id2956492">Profile Migration from Windows NT4/200x Server to Samba</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2956822">Mandatory Profiles</a></dt><dt><a href="ProfileMgmt.html#id2956917">Creating and Managing Group Profiles</a></dt><dt><a href="ProfileMgmt.html#id2956970">Default Profile for Windows Users</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2956999">MS Windows 9x/Me</a></dt><dt><a href="ProfileMgmt.html#id2957150">MS Windows NT4 Workstation</a></dt><dt><a href="ProfileMgmt.html#id2957772">MS Windows 200x/XP</a></dt></dl></dd><dt><a href="ProfileMgmt.html#id2958338">Common Errors</a></dt><dd><dl><dt><a href="ProfileMgmt.html#id2958351">Configuring Roaming Profiles for a Few Users or Groups</a></dt><dt><a href="ProfileMgmt.html#id2958416">Cannot Use Roaming Profiles</a></dt><dt><a href="ProfileMgmt.html#id2958626">Changing the Default Profile</a></dt></dl></dd></dl></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a 
name="id2954425"></a>Features and Benefits</h2></div></div><div></div></div><p>
+Roaming profiles are feared by some, hated by a few, loved by many, and a Godsend for
some administrators.
</p><p>
-Roaming Profiles allow an administrator to make available a consistent user desktop
+Roaming profiles allow an administrator to make available a consistent user desktop
as the user moves from one machine to another. This chapter provides much information
-regarding how to configure and manage Roaming Profiles.
+regarding how to configure and manage roaming profiles.
</p><p>
-While Roaming Profiles might sound like nirvana to some, they are a real and tangible
+While roaming profiles might sound like nirvana to some, they are a real and tangible
problem to others. In particular, users of mobile computing tools, where often there may not
-be a sustained network connection, are often better served by purely Local Profiles.
-This chapter provides information to help the Samba administrator to deal with those
-situations also.
-</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2945646"></a>Roaming Profiles</h2></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
-Roaming profiles support is different for Win9x / Me and Windows NT4/200x.
+be a sustained network connection, are often better served by purely local profiles.
+This chapter provides information to help the Samba administrator deal with those
+situations.
+</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2954459"></a>Roaming Profiles</h2></div></div><div></div></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+Roaming profiles support is different for Windows 9x/Me and Windows NT4/200x.
</p></div><p>
Before discussing how to configure roaming profiles, it is useful to see how
-Windows 9x / Me and Windows NT4/200x clients implement these features.
+Windows 9x/Me and Windows NT4/200x clients implement these features.
</p><p>
-Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's
+Windows 9x/Me clients send a NetUserGetInfo request to the server to get the user's
profiles location. However, the response does not have room for a separate
-profiles location field, only the user's home share. This means that Win9X/Me
+profiles location field, only the user's home share. This means that Windows 9x/Me
profiles are restricted to being stored in the user's home directory.
</p><p>
-Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields,
+Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields
including a separate field for the location of the user's profiles.
-</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2945686"></a>Samba Configuration for Profile Handling</h3></div></div><div></div></div><p>
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2954500"></a>Samba Configuration for Profile Handling</h3></div></div><div></div></div><p>
This section documents how to configure Samba for MS Windows client profile support.
-</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2945699"></a>NT4/200x User Profiles</h4></div></div><div></div></div><p>
-To support Windows NT4/200x clients, in the [global] section of smb.conf set the
-following (for example):
+</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2954513"></a>NT4/200x User Profiles</h4></div></div><div></div></div><p>
+For example, to support Windows NT4/200x clients, set the followoing in the [global] section of the <tt class="filename">smb.conf</tt> file:
</p><p>
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath</tt></i></td></tr></table><p>
- This is typically implemented like:
+This is typically implemented like:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon path = \\%L\Profiles\%u</tt></i></td></tr></table><p>
-where %L translates to the name of the Samba server and %u translates to the user name
+where &#8220;<span class="quote">%L</span>&#8221; translates to the name of the Samba server and &#8220;<span class="quote">%u</span>&#8221; translates to the user name.
</p><p>
-The default for this option is <tt class="filename">\\%N\%U\profile</tt>,
-namely <tt class="filename">\\sambaserver\username\profile</tt>.
-The <tt class="filename">\\N%\%U</tt> service is created automatically by the [homes] service. If you are using
-a samba server for the profiles, you _must_ make the share specified in the logon path
+The default for this option is <tt class="filename">\\%N\%U\profile</tt>, namely <tt class="filename">\\sambaserver\username\profile</tt>.
+The <tt class="filename">\\N%\%U</tt> service is created automatically by the [homes] service. If you are using
+a Samba server for the profiles, you must make the share that is specified in the logon path
browseable. Please refer to the man page for <tt class="filename">smb.conf</tt> in respect of the different
-semantics of %L and %N, as well as %U and %u.
+semantics of &#8220;<span class="quote">%L</span>&#8221; and &#8220;<span class="quote">%N</span>&#8221;, as well as &#8220;<span class="quote">%U</span>&#8221; and &#8220;<span class="quote">%u</span>&#8221;.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-MS Windows NT/2K clients at times do not disconnect a connection to a server
-between logons. It is recommended to NOT use the <i class="parameter"><tt>homes</tt></i>
-meta-service name as part of the profile share path.
-</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2945807"></a>Windows 9x / Me User Profiles</h4></div></div><div></div></div><p>
- To support Windows 9x / Me clients, you must use the <a class="indexterm" name="id2945819"></a><i class="parameter"><tt>logon home</tt></i> parameter. Samba has
-now been fixed so that <b class="userinput"><tt>net use /home</tt></b> now works as well, and it, too, relies
+MS Windows NT/200x clients at times do not disconnect a connection to a server between logons. It is recommended
+to not use the <i class="parameter"><tt>homes</tt></i> meta-service name as part of the profile share path.
+</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2954652"></a>Windows 9x/Me User Profiles</h4></div></div><div></div></div><p>
+To support Windows 9x/Me clients, you must use the <a class="indexterm" name="id2954664"></a><i class="parameter"><tt>logon home</tt></i>
+parameter. Samba has been fixed so <b class="userinput"><tt>net use /home</tt></b> now works as well and it, too, relies
on the <b class="command">logon home</b> parameter.
</p><p>
-By using the logon home parameter, you are restricted to putting Win9x / Me
-profiles in the user's home directory. But wait! There is a trick you
-can use. If you set the following in the <i class="parameter"><tt>[global]</tt></i> section of your <tt class="filename">smb.conf</tt> file:
+By using the logon home parameter, you are restricted to putting Windows 9x/Me profiles in the user's home
+directory. But wait! There is a trick you can use. If you set the following in the
+<i class="parameter"><tt>[global]</tt></i> section of your <tt class="filename">smb.conf</tt> file:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon home = \\%L\%U\.profiles</tt></i></td></tr></table><p>
-then your Windows 9x / Me clients will dutifully put their clients in a subdirectory
-of your home directory called <tt class="filename">.profiles</tt> (thus making them hidden).
+then your Windows 9x/Me clients will dutifully put their clients in a subdirectory
+of your home directory called <tt class="filename">.profiles</tt> (making them hidden).
</p><p>
-Not only that, but <b class="userinput"><tt>net use /home</tt></b> will also work, because of a feature in
-Windows 9x / Me. It removes any directory stuff off the end of the home directory area
+Not only that, but <b class="userinput"><tt>net use /home</tt></b> will also work because of a feature in
+Windows 9x/Me. It removes any directory stuff off the end of the home directory area
and only uses the server and share portion. That is, it looks like you
-specified <tt class="filename">\\%L\%U</tt> for <a class="indexterm" name="id2945923"></a><i class="parameter"><tt>logon home</tt></i>.
-</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2945938"></a>Mixed Windows 9x / Me and Windows NT4/200x User Profiles</h4></div></div><div></div></div><p>
-You can support profiles for both Win9X and WinNT clients by setting both the
-<a class="indexterm" name="id2945951"></a><i class="parameter"><tt>logon home</tt></i> and <a class="indexterm" name="id2945965"></a><i class="parameter"><tt>logon path</tt></i> parameters. For example:
-</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon home = \\%L\%u\.profiles</tt></i></td></tr><tr><td><i class="parameter"><tt>logon path = \\%L\profiles\%u</tt></i></td></tr></table></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2946006"></a>Disabling Roaming Profile Support</h4></div></div><div></div></div><p>
- A question often asked is &#8220;<span class="quote">How may I enforce use of local profiles?</span>&#8221; or
- &#8220;<span class="quote">How do I disable Roaming Profiles?</span>&#8221;
-</p><p>
+specified <tt class="filename">\\%L\%U</tt> for <a class="indexterm" name="id2954767"></a><i class="parameter"><tt>logon home</tt></i>.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2954783"></a>Mixed Windows 9x/Me and Windows NT4/200x User Profiles</h4></div></div><div></div></div><p>
+You can support profiles for Windows 9x and Windows NT clients by setting both the
+<a class="indexterm" name="id2954795"></a><i class="parameter"><tt>logon home</tt></i> and <a class="indexterm" name="id2954809"></a><i class="parameter"><tt>logon path</tt></i> parameters. For example:
+</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon home = \\%L\%u\.profiles</tt></i></td></tr><tr><td><i class="parameter"><tt>logon path = \\%L\profiles\%u</tt></i></td></tr></table></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2954850"></a>Disabling Roaming Profile Support</h4></div></div><div></div></div><p>
+A question often asked is: &#8220;<span class="quote">How may I enforce use of local profiles?</span>&#8221; or
+&#8220;<span class="quote">How do I disable roaming profiles?</span>&#8221;
+</p><p>
+<a class="indexterm" name="id2954876"></a>
There are three ways of doing this:
+<a class="indexterm" name="id2954885"></a>
</p><div class="variablelist"><dl><dt><span class="term">In <tt class="filename">smb.conf</tt></span></dt><dd><p>
- Affect the following settings and ALL clients
- will be forced to use a local profile:
- </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon home</tt></i></td></tr><tr><td><i class="parameter"><tt>logon path</tt></i></td></tr></table><p>
- </p></dd><dt><span class="term">MS Windows Registry:</span></dt><dd><p>
- By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is:
-
-
- </p><pre class="programlisting">
- Local Computer Policy\
- Computer Configuration\
- Administrative Templates\
- System\
- User Profiles\
+ Affect the following settings and ALL clients will be forced to use a local profile:
+ <a class="indexterm" name="id2954920"></a><i class="parameter"><tt>logon home</tt></i> and <a class="indexterm" name="id2954933"></a><i class="parameter"><tt>logon path</tt></i>
+ </p></dd><dt><span class="term">MS Windows Registry</span></dt><dd><p>
+ By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP
+ machine to use only a local profile. This, of course, modifies registry settings. The full
+ path to the option is:
+</p><pre class="screen">
+Local Computer Policy\
+ Computer Configuration\
+ Administrative Templates\
+ System\
+ User Profiles\
- Disable: Only Allow Local User Profiles
- Disable: Prevent Roaming Profile Change from Propagating to the Server
- </pre><p>
- </p></dd><dt><span class="term">Change of Profile Type:</span></dt><dd><p>
- From the start menu right click on the
- My Computer icon, select <span class="guimenuitem">Properties</span>, click on the <span class="guilabel">User Profiles</span>
- tab, select the profile you wish to change from Roaming type to Local, click <span class="guibutton">Change Type</span>.
+Disable: Only Allow Local User Profiles
+Disable: Prevent Roaming Profile Change from Propagating to the Server
+</pre><p>
+ </p></dd><dt><span class="term">Change of Profile Type:</span></dt><dd><p>From the start menu right-click on <span class="guiicon">My Computer icon</span>,
+ select <span class="guimenuitem">Properties</span>, click on the <span class="guilabel">User Profiles</span>
+ tab, select the profile you wish to change from
+ <span class="guimenu">Roaming</span> type to <span class="guimenu">Local</span>, and click on
+ <span class="guibutton">Change Type</span>.
</p></dd></dl></div><p>
-Consult the MS Windows registry guide for your particular MS Windows version for more
-information about which registry keys to change to enforce use of only local user
-profiles.
+Consult the MS Windows registry guide for your particular MS Windows version for more information
+about which registry keys to change to enforce use of only local user profiles.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The specifics of how to convert a local profile to a roaming profile, or a roaming profile
-to a local one vary according to the version of MS Windows you are running. Consult the
-Microsoft MS Windows Resource Kit for your version of Windows for specific information.
-</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2946178"></a>Windows Client Profile Configuration Information</h3></div></div><div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2946186"></a>Windows 9x / Me Profile Setup</h4></div></div><div></div></div><p>
-When a user first logs in on Windows 9X, the file user.DAT is created,
-as are folders <tt class="filename">Start Menu</tt>, <tt class="filename">Desktop</tt>,
-<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt>.
-These directories and their contents will be merged with the local
-versions stored in <tt class="filename">c:\windows\profiles\username</tt> on subsequent logins,
-taking the most recent from each. You will need to use the <i class="parameter"><tt>[global]</tt></i>
-options <a class="indexterm" name="id2946240"></a><i class="parameter"><tt>preserve case</tt></i> = yes, <a class="indexterm" name="id2946255"></a><i class="parameter"><tt>short preserve case</tt></i> = yes and
-<a class="indexterm" name="id2946269"></a><i class="parameter"><tt>case sensitive</tt></i> = no in order to maintain capital letters in shortcuts
-in any of the profile folders.
-</p><p>
-The user.DAT file contains all the user's preferences. If you wish to
-enforce a set of preferences, rename their user.DAT file to user.MAN,
-and deny them write access to this file.
+to a local one vary according to the version of MS Windows you are running. Consult the Microsoft MS
+Windows Resource Kit for your version of Windows for specific information.
+</p></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955058"></a>Windows Client Profile Configuration Information</h3></div></div><div></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2955066"></a>Windows 9x/Me Profile Setup</h4></div></div><div></div></div><p>
+When a user first logs in on Windows 9X, the file user.DAT is created, as are folders
+<tt class="filename">Start Menu</tt>, <tt class="filename">Desktop</tt>, <tt class="filename">Programs</tt>, and
+<tt class="filename">Nethood</tt>. These directories and their contents will be merged with the local
+versions stored in <tt class="filename">c:\windows\profiles\username</tt> on subsequent logins, taking the
+most recent from each. You will need to use the <i class="parameter"><tt>[global]</tt></i> options
+<a class="indexterm" name="id2955121"></a><i class="parameter"><tt>preserve case</tt></i> = yes,
+<a class="indexterm" name="id2955136"></a><i class="parameter"><tt>short preserve case</tt></i> = yes and
+<a class="indexterm" name="id2955150"></a><i class="parameter"><tt>case sensitive</tt></i> = no
+in order to maintain capital letters in shortcuts in any of the profile folders.
+</p><p>
+The <tt class="filename">user.DAT</tt> file contains all the user's preferences. If you wish to enforce a set of preferences,
+rename their <tt class="filename">user.DAT</tt> file to <tt class="filename">user.MAN</tt>, and deny them write access to this file.
</p><div class="orderedlist"><ol type="1"><li><p>
- On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -&gt; <span class="guimenuitem">Passwords</span> and
- select the <span class="guilabel">User Profiles</span> tab. Select the required level of
- roaming preferences. Press <span class="guibutton">OK</span>, but do _not_ allow the computer
- to reboot.
- </p></li><li><p>
- On the Windows 9x / Me machine, go to <span class="guimenu">Control Panel</span> -&gt; <span class="guimenuitem">Network</span> -&gt;
- <span class="guimenuitem">Client for Microsoft Networks</span> -&gt; <span class="guilabel">Preferences</span>. Select <span class="guilabel">Log on to
- NT Domain</span>. Then, ensure that the Primary Logon is <span class="guilabel">Client for
- Microsoft Networks</span>. Press <span class="guibutton">OK</span>, and this time allow the computer
- to reboot.
- </p></li></ol></div><p>
-Under Windows 9x / Me Profiles are downloaded from the Primary Logon.
-If you have the Primary Logon as 'Client for Novell Networks', then
-the profiles and logon script will be downloaded from your Novell
-Server. If you have the Primary Logon as 'Windows Logon', then the
-profiles will be loaded from the local machine - a bit against the
-concept of roaming profiles, it would seem!
-</p><p>
-You will now find that the Microsoft Networks Login box contains
-[user, password, domain] instead of just [user, password]. Type in
-the samba server's domain name (or any other domain known to exist,
-but bear in mind that the user will be authenticated against this
-domain and profiles downloaded from it, if that domain logon server
-supports it), user name and user's password.
-</p><p>
-Once the user has been successfully validated, the Windows 9x / Me machine
-will inform you that <tt class="computeroutput">The user has not logged on before</tt> and asks you
-<tt class="computeroutput">Do you wish to save the user's preferences?</tt>. Select <span class="guibutton">yes</span>.
-</p><p>
-Once the Windows 9x / Me client comes up with the desktop, you should be able
-to examine the contents of the directory specified in the <a class="indexterm" name="id2946457"></a><i class="parameter"><tt>logon path</tt></i>
-on the samba server and verify that the <tt class="filename">Desktop</tt>, <tt class="filename">Start Menu</tt>,
-<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt> folders have been created.
-</p><p>
-These folders will be cached locally on the client, and updated when
-the user logs off (if you haven't made them read-only by then).
-You will find that if the user creates further folders or short-cuts,
-that the client will merge the profile contents downloaded with the
-contents of the profile directory already on the local client, taking
-the newest folders and short-cuts from each set.
-</p><p>
-If you have made the folders / files read-only on the samba server,
-then you will get errors from the Windows 9x / Me machine on logon and logout, as
-it attempts to merge the local and the remote profile. Basically, if
-you have any errors reported by the Windows 9x / Me machine, check the UNIX file
-permissions and ownership rights on the profile directory contents,
-on the samba server.
-</p><p>
-If you have problems creating user profiles, you can reset the user's
-local desktop cache, as shown below. When this user then next logs in,
-they will be told that they are logging in &quot;for the first time&quot;.
-</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
- Before deleting the contents of the
- directory listed in the ProfilePath (this is likely to be
- <tt class="filename">c:\windows\profiles\username)</tt>, ask them if they
- have any important files stored on their desktop or in their start menu.
- Delete the contents of the directory ProfilePath (making a backup if any
- of the files are needed).
- </p><p>
- This will have the effect of removing the local (read-only hidden
- system file) user.DAT in their profile directory, as well as the
- local &quot;desktop&quot;, &quot;nethood&quot;, &quot;start menu&quot; and &quot;programs&quot; folders.
- </p></div><div class="orderedlist"><ol type="1"><li><p>
- instead of logging in under the [user, password, domain] dialog,
- press <span class="guibutton">escape</span>.
- </p></li><li><p>
- run the <b class="command">regedit.exe</b> program, and look in:
- </p><p>
- <tt class="filename">HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</tt>
- </p><p>
- you will find an entry, for each user, of ProfilePath. Note the
- contents of this key (likely to be <tt class="filename">c:\windows\profiles\username</tt>),
- then delete the key ProfilePath for the required user.
- </p><p>[Exit the registry editor].</p></li><li><p>
- search for the user's .PWL password-caching file in the <tt class="filename">c:\windows</tt>
- directory, and delete it.
- </p></li><li><p>
- log off the windows 9x / Me client.
- </p></li><li><p>
- check the contents of the profile path (see <a class="indexterm" name="id2946668"></a><i class="parameter"><tt>logon path</tt></i> described
- above), and delete the <tt class="filename">user.DAT</tt> or <tt class="filename">user.MAN</tt> file for the user,
- making a backup if required.
- </p></li></ol></div><p>
-If all else fails, increase samba's debug log levels to between 3 and 10,
-and / or run a packet trace program such as ethereal or <b class="command">netmon.exe</b>, and
-look for error messages.
-</p><p>
-If you have access to an Windows NT4/200x server, then first set up roaming profiles
-and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine
-the example packet traces provided with Windows NT4/200x server, and see what the
-differences are with the equivalent samba trace.
-</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2946726"></a>Windows NT4 Workstation</h4></div></div><div></div></div><p>
-When a user first logs in to a Windows NT Workstation, the profile
-NTuser.DAT is created. The profile location can be now specified
-through the <a class="indexterm" name="id2946739"></a><i class="parameter"><tt>logon path</tt></i> parameter.
-</p><p>
-There is a parameter that is now available for use with NT Profiles:
-<a class="indexterm" name="id2946758"></a><i class="parameter"><tt>logon drive</tt></i>. This should be set to <tt class="filename">H:</tt> or any other drive, and
-should be used in conjunction with the new <a class="indexterm" name="id2946781"></a><i class="parameter"><tt>logon home</tt></i> parameter.
-</p><p>
-The entry for the NT4 profile is a _directory_ not a file. The NT
-help on profiles mentions that a directory is also created with a .PDS
-extension. The user, while logging in, must have write permission to
-create the full profile path (and the folder with the .PDS extension
-for those situations where it might be created.)
-</p><p>
-In the profile directory, Windows NT4 creates more folders than Windows 9x / Me.
-It creates <tt class="filename">Application Data</tt> and others, as well as <tt class="filename">Desktop</tt>, <tt class="filename">Nethood</tt>,
-<tt class="filename">Start Menu</tt> and <tt class="filename">Programs</tt>. The profile itself is stored in a file
-<tt class="filename">NTuser.DAT</tt>. Nothing appears to be stored in the .PDS directory, and
-its purpose is currently unknown.
-</p><p>
-You can use the <span class="application">System Control Panel</span> to copy a local profile onto
-a samba server (see NT Help on profiles: it is also capable of firing
-up the correct location in the <span class="application">System Control Panel</span> for you). The
-NT Help file also mentions that renaming <tt class="filename">NTuser.DAT</tt> to <tt class="filename">NTuser.MAN</tt>
-turns a profile into a mandatory one.
-</p><p>
-The case of the profile is significant. The file must be called
-<tt class="filename">NTuser.DAT</tt> or, for a mandatory profile, <tt class="filename">NTuser.MAN</tt>.
-</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2946911"></a>Windows 2000/XP Professional</h4></div></div><div></div></div><p>
-You must first convert the profile from a local profile to a domain
-profile on the MS Windows workstation as follows:
-</p><div class="procedure"><ol type="1"><li><p>
- Log on as the <span class="emphasis"><em>LOCAL</em></span> workstation administrator.
+ On the Windows 9x/Me machine, go to <span class="guimenu">Control Panel</span> -&gt;
+ <span class="guimenuitem">Passwords</span> and select the <span class="guilabel">User Profiles</span> tab.
+ Select the required level of roaming preferences. Press <span class="guibutton">OK</span>, but do not
+ allow the computer to reboot.
</p></li><li><p>
- Right click on the <span class="guiicon">My Computer</span> Icon, select <span class="guimenuitem">Properties</span>
+ On the Windows 9x/Me machine, go to <span class="guimenu">Control Panel</span> -&gt;
+ <span class="guimenuitem">Network</span> -&gt; <span class="guimenuitem">Client for Microsoft Networks</span>
+ -&gt; <span class="guilabel">Preferences</span>. Select <span class="guilabel">Log on to NT Domain</span>. Then,
+ ensure that the Primary Logon is <span class="guilabel">Client for Microsoft Networks</span>. Press
+ <span class="guibutton">OK</span>, and this time allow the computer to reboot.
+ </p></li></ol></div><p> Under Windows 9x/ME, profiles are downloaded from the Primary Logon. If you have the Primary Logon
+as &#8220;<span class="quote">Client for Novell Networks</span>&#8221;, then the profiles and logon script will be downloaded from
+your Novell Server. If you have the Primary Logon as &#8220;<span class="quote">Windows Logon</span>&#8221;, then the profiles will
+be loaded from the local machine a bit against the concept of roaming profiles, it would seem! </p><p>
+You will now find that the Microsoft Networks Login box contains <tt class="constant">[user, password, domain]</tt> instead
+of just <tt class="constant">[user, password]</tt>. Type in the Samba server's domain name (or any other domain known to exist,
+but bear in mind that the user will be authenticated against this domain and profiles downloaded from it,
+if that domain logon server supports it), user name and user's password.
+</p><p> Once the user has been successfully validated, the Windows 9x/Me machine will inform you that
+<tt class="computeroutput">The user has not logged on before</tt> and asks you <tt class="computeroutput">Do you
+wish to save the user's preferences?</tt> Select <span class="guibutton">Yes</span>. </p><p> Once the Windows 9x/Me client comes up with the desktop, you should be able to examine the
+contents of the directory specified in the <a class="indexterm" name="id2955374"></a><i class="parameter"><tt>logon path</tt></i> on
+the Samba server and verify that the <tt class="filename">Desktop</tt>, <tt class="filename">Start Menu</tt>,
+<tt class="filename">Programs</tt> and <tt class="filename">Nethood</tt> folders have been created. </p><p> These folders will be cached locally on the client, and updated when the user logs off (if
+you haven't made them read-only by then). You will find that if the user creates further folders or
+shortcut, that the client will merge the profile contents downloaded with the contents of the profile
+directory already on the local client, taking the newest folders and shortcut from each set. </p><p> If you have made the folders/files read-only on the Samba server, then you will get errors from
+the Windows 9x/Me machine on logon and logout as it attempts to merge the local and remote profile.
+Basically, if you have any errors reported by the Windows 9x/Me machine, check the UNIX file permissions
+and ownership rights on the profile directory contents, on the Samba server. </p><p> If you have problems creating user profiles, you can reset the user's local desktop cache, as
+shown below. When this user next logs in, the user will be told that he/she is logging in &#8220;<span class="quote">for
+ the first time</span>&#8221;.
+
+<a class="indexterm" name="id2955451"></a>
+ </p><div class="orderedlist"><ol type="1"><li><p>
+ Instead of logging in under the [user, password, domain] dialog, press <span class="guibutton">escape</span>.
</p></li><li><p>
- Click on the <span class="guilabel">User Profiles</span> tab
+ Run the <b class="command">regedit.exe</b> program, and look in:
+ </p><p>
+ <tt class="filename">HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</tt>
+ </p><p>
+ You will find an entry for each user of ProfilePath. Note the contents of this key
+ (likely to be <tt class="filename">c:\windows\profiles\username</tt>), then delete the key
+ <i class="parameter"><tt>ProfilePath</tt></i> for the required user.
</p></li><li><p>
- Select the profile you wish to convert (click on it once)
+ Exit the registry editor.
</p></li><li><p>
- Click on the button <span class="guibutton">Copy To</span>
+ Search for the user's .PWL password-caching file in the <tt class="filename">c:\windows</tt> directory, and delete it.
</p></li><li><p>
- In the <span class="guilabel">Permitted to use</span> box, click on the <span class="guibutton">Change</span> button.
+ Log off the Windows 9x/Me client.
</p></li><li><p>
- Click on the 'Look in&quot; area that lists the machine name, when you click
- here it will open up a selection box. Click on the domain to which the
- profile must be accessible.
- </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You will need to log on if a logon box opens up. Eg: In the connect as: <i class="replaceable"><tt>DOMAIN</tt></i>\root, password: <i class="replaceable"><tt>mypassword</tt></i>.</p></div></li><li><p>
- To make the profile capable of being used by anyone select 'Everyone'
- </p></li><li><p>
- Click <span class="guibutton">OK</span>. The Selection box will close.
- </p></li><li><p>
- Now click on the <span class="guibutton">Ok</span> button to create the profile in the path you
- nominated.
- </p></li></ol></div><p>
-Done. You now have a profile that can be edited using the samba
-<b class="command">profiles</b> tool.
-</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-Under NT/2K the use of mandatory profiles forces the use of MS Exchange
-storage of mail data. That keeps desktop profiles usable.
-</p></div><div class="procedure"><p class="title"><b>Procedure 24.2. Windows XP Service Pack 1</b></p><ol type="1"><li><p>
-This is a security check new to Windows XP (or maybe only
-Windows XP service pack 1). It can be disabled via a group policy in
-Active Directory. The policy is:</p><p><tt class="filename">Computer Configuration\Administrative Templates\System\User
-Profiles\Do not check for user ownership of Roaming Profile Folders</tt></p><p>...and it should be set to <tt class="constant">Enabled</tt>.
-Does the new version of samba have an Active Directory analogue? If so,
-then you may be able to set the policy through this.
-</p><p>
-If you cannot set group policies in samba, then you may be able to set
-the policy locally on each machine. If you want to try this, then do
-the following (N.B. I don't know for sure that this will work in the
-same way as a domain group policy):
-</p></li><li><p>
-On the XP workstation log in with an Administrator account.
-</p></li><li><p>Click: <span class="guimenu">Start</span>, <span class="guimenuitem">Run</span></p></li><li><p>Type: <b class="userinput"><tt>mmc</tt></b></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>A Microsoft Management Console should appear.</p></li><li><p>Click: <span class="guimenu">File</span>, <span class="guimenuitem">Add/Remove Snap-in...</span>, <span class="guimenuitem">Add</span></p></li><li><p>Double-Click: <span class="guiicon">Group Policy</span></p></li><li><p>Click: <span class="guibutton">Finish</span>, <span class="guibutton">Close</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>In the &quot;Console Root&quot; window:</p></li><li><p>Expand: <span class="guiicon">Local Computer Policy</span>, <span class="guiicon">Computer Configuration</span>,
- <span class="guiicon">Administrative Templates</span>, <span class="guiicon">System</span>, <span class="guiicon">User Profiles</span></p></li><li><p>Double-Click: <span class="guilabel">Do not check for user ownership of Roaming Profile Folders</span></p></li><li><p>Select: <span class="guilabel">Enabled</span></p></li><li><p>Click: <span class="guibutton">OK</span></p></li><li><p>Close the whole console. You do not need to save the settings (this
- refers to the console settings rather than the policies you have
- changed).</p></li><li><p>Reboot</p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947427"></a>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</h3></div></div><div></div></div><p>
-Sharing of desktop profiles between Windows versions is NOT recommended.
-Desktop profiles are an evolving phenomenon and profiles for later versions
-of MS Windows clients add features that may interfere with earlier versions
-of MS Windows clients. Probably the more salient reason to NOT mix profiles
-is that when logging off an earlier version of MS Windows the older format
-of profile contents may overwrite information that belongs to the newer
-version resulting in loss of profile information content when that user logs
-on again with the newer version of MS Windows.
-</p><p>
-If you then want to share the same Start Menu / Desktop with W9x/Me, you will
-need to specify a common location for the profiles. The <tt class="filename">smb.conf</tt> parameters
-that need to be common are <a class="indexterm" name="id2947463"></a><i class="parameter"><tt>logon path</tt></i> and
-<a class="indexterm" name="id2947477"></a><i class="parameter"><tt>logon home</tt></i>.
-</p><p>
-If you have this set up correctly, you will find separate <tt class="filename">user.DAT</tt> and
-<tt class="filename">NTuser.DAT</tt> files in the same profile directory.
-</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947512"></a>Profile Migration from Windows NT4/200x Server to Samba</h3></div></div><div></div></div><p>
-There is nothing to stop you specifying any path that you like for the
-location of users' profiles. Therefore, you could specify that the
-profile be stored on a samba server, or any other SMB server, as long as
-that SMB server supports encrypted passwords.
-</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2947528"></a>Windows NT4 Profile Management Tools</h4></div></div><div></div></div><p>
-Unfortunately, the Resource Kit information is specific to the version of MS Windows
-NT4/200x. The correct resource kit is required for each platform.
-</p><p>
-Here is a quick guide:
-</p><div class="procedure"><ol type="1"><li><p>
-On your NT4 Domain Controller, right click on <span class="guiicon">My Computer</span>, then
-select the tab labelled <span class="guilabel">User Profiles</span>.
-</p></li><li><p>
-Select a user profile you want to migrate and click on it.
-</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>I am using the term &quot;migrate&quot; loosely. You can copy a profile to
-create a group profile. You can give the user 'Everyone' rights to the
-profile you copy this to. That is what you need to do, since your samba
-domain is not a member of a trust relationship with your NT4 PDC.</p></div></li><li><p>Click the <span class="guibutton">Copy To</span> button.</p></li><li><p>In the box labelled <span class="guilabel">Copy Profile to</span> add your new path, eg:
- <tt class="filename">c:\temp\foobar</tt></p></li><li><p>Click on the button <span class="guibutton">Change</span> in the <span class="guilabel">Permitted to use</span> box.</p></li><li><p>Click on the group 'Everyone' and then click <span class="guibutton">OK</span>. This closes the
- 'choose user' box.</p></li><li><p>Now click <span class="guibutton">OK</span>.</p></li></ol></div><p>
-Follow the above for every profile you need to migrate.
-</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2947698"></a>Side bar Notes</h4></div></div><div></div></div><p>
-You should obtain the SID of your NT4 domain. You can use smbpasswd to do
-this. Read the man page.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2947712"></a>moveuser.exe</h4></div></div><div></div></div><p>
-The W2K professional resource kit has moveuser.exe. moveuser.exe changes
-the security of a profile from one user to another. This allows the account
-domain to change, and/or the user name to change.
-</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2947728"></a>Get SID</h4></div></div><div></div></div><p>
-You can identify the SID by using GetSID.exe from the Windows NT Server 4.0
-Resource Kit.
-</p><p>
-Windows NT 4.0 stores the local profile information in the registry under
-the following key:
-<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</tt>
-</p><p>
-Under the ProfileList key, there will be subkeys named with the SIDs of the
-users who have logged on to this computer. (To find the profile information
-for the user whose locally cached profile you want to move, find the SID for
-the user with the GetSID.exe utility.) Inside of the appropriate user's
-subkey, you will see a string value named ProfileImagePath.
-</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2947770"></a>Mandatory profiles</h2></div></div><div></div></div><p>
-A Mandatory Profile is a profile that the user does NOT have the ability to overwrite.
-During the user's session it may be possible to change the desktop environment, but
-as the user logs out all changes made will be lost. If it is desired to NOT allow the
-user any ability to change the desktop environment then this must be done through
-policy settings. See previous chapter.
-</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-Under NO circumstances should the profile directory (or it's contents) be made read-only
-as this may render the profile un-usable.
+ Check the contents of the profile path (see <a class="indexterm" name="id2955562"></a><i class="parameter"><tt>logon path</tt></i>
+ described above) and delete the <tt class="filename">user.DAT</tt> or <tt class="filename">user.MAN</tt>
+ file for the user, making a backup if required.
+ </p></li></ol></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+Before deleting the contents of the directory listed in the <i class="parameter"><tt>ProfilePath</tt></i>
+(this is likely to be <tt class="filename">c:\windows\profiles\username)</tt>, ask the owner if they have
+any important files stored on their desktop or in their start menu. Delete the contents of the
+directory <i class="parameter"><tt>ProfilePath</tt></i> (making a backup if any of the files are needed).
+</p><p>
+This will have the effect of removing the local (read-only hidden system file) <tt class="filename">user.DAT</tt>
+in their profile directory, as well as the local &#8220;<span class="quote">desktop,</span>&#8221; &#8220;<span class="quote">nethood,</span>&#8221;
+&#8220;<span class="quote">start menu,</span>&#8221; and &#8220;<span class="quote">programs</span>&#8221; folders.
</p></div><p>
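Review bot: The Warning block added after the reset procedure (the lines beginning "Before deleting the contents of the directory listed in the ProfilePath") tells the reader to delete the contents of the ProfilePath directory, but no numbered step does that: step 2 only notes the value and deletes the ProfilePath entry from the registry. Either add the directory cleanup as an explicit step or move the warning ahead of the list, so the backup advice is read before anything is removed. In the same block the closing parenthesis sits inside the filename element in "c:\windows\profiles\username)</tt>" and should move outside it. The registry location "HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList" is carried over unchanged and lacks the "SOFTWARE\Microsoft" components that the NT4 ProfileList path later in this file has, so confirm it against a Windows 9x registry while this step is being reworded. Step 2 also calls ProfilePath both an "entry" and a "key"; pick one term.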
-For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles
-also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT
-file in the copied profile and rename it to NTUser.MAN.
-</p><p>
-For MS Windows 9x / Me it is the <tt class="filename">User.DAT</tt> file that must be renamed to <tt class="filename">User.MAN</tt> to
-affect a mandatory profile.
-</p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2947828"></a>Creating/Managing Group Profiles</h2></div></div><div></div></div><p>
-Most organisations are arranged into departments. There is a nice benefit in
-this fact since usually most users in a department will require the same desktop
-applications and the same desktop layout. MS Windows NT4/200x/XP will allow the
-use of Group Profiles. A Group Profile is a profile that is created firstly using
-a template (example) user. Then using the profile migration tool (see above) the
-profile is assigned access rights for the user group that needs to be given access
-to the group profile.
-</p><p>
-The next step is rather important. <span class="emphasis"><em>Please note:</em></span> Instead of assigning a group profile
-to users (ie: Using User Manager) on a &quot;per user&quot; basis, the group itself is assigned
-the now modified profile.
+If all else fails, increase Samba's debug log levels to between 3 and 10, and/or run a packet
+sniffer program such as ethereal or <b class="command">netmon.exe</b>, and look for error messages.
+</p><p> If you have access to an Windows NT4/200x server, then first set up roaming profiles and/or
+netlogons on the Windows NT4/200x server. Make a packet trace, or examine the example packet traces
+provided with Windows NT4/200x server, and see what the differences are with the equivalent Samba trace.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2955678"></a>Windows NT4 Workstation</h4></div></div><div></div></div><p> When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile
+location can be now specified through the <a class="indexterm" name="id2955691"></a><i class="parameter"><tt>logon path</tt></i> parameter.
+</p><p> There is a parameter that is now available for use with NT Profiles: <a class="indexterm" name="id2955710"></a><i class="parameter"><tt>logon drive</tt></i>.
+This should be set to <tt class="filename">H:</tt> or any other drive, and should be used in conjunction with
+the new <a class="indexterm" name="id2955733"></a><i class="parameter"><tt>logon home</tt></i> parameter. </p><p> The entry for the NT4 profile is a directory not a file. The NT help on Profiles mentions that a
+directory is also created with a .PDS extension. The user, while logging in, must have write permission
+to create the full profile path (and the folder with the .PDS extension for those situations where it
+might be created.) </p><p> In the profile directory, Windows NT4 creates more folders than Windows 9x/Me. It creates
+<tt class="filename">Application Data</tt> and others, as well as <tt class="filename">Desktop</tt>,
+<tt class="filename">Nethood</tt>, <tt class="filename">Start Menu,</tt> and <tt class="filename">Programs</tt>.
+The profile itself is stored in a file <tt class="filename">NTuser.DAT</tt>. Nothing appears to be stored
+in the .PDS directory, and its purpose is currently unknown. </p><p> You can use the <span class="application">System Control Panel</span> to copy a local profile onto
+a Samba server (see NT Help on Profiles; it is also capable of firing up the correct location in the
+<span class="application">System Control Panel</span> for you). The NT Help file also mentions that renaming
+<tt class="filename">NTuser.DAT</tt> to <tt class="filename">NTuser.MAN</tt> turns a profile into a mandatory one.
+</p><p> The case of the profile is significant. The file must be called <tt class="filename">NTuser.DAT</tt>
+or, for a mandatory profile, <tt class="filename">NTuser.MAN</tt>. </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2955863"></a>Windows 2000/XP Professional</h4></div></div><div></div></div><p> You must first convert the profile from a local profile to a domain profile on the MS Windows
+workstation as follows: </p><div class="procedure"><ol type="1"><li><p> Log on as the <span class="emphasis"><em>local</em></span> workstation administrator. </p></li><li><p> Right-click on the <span class="guiicon">My Computer</span> Icon, select
+ <span class="guimenuitem">Properties</span>.</p></li><li><p> Click on the <span class="guilabel">User Profiles</span> tab.</p></li><li><p> Select the profile you wish to convert (click it once).</p></li><li><p> Click on the <span class="guibutton">Copy To</span> button.</p></li><li><p> In the <span class="guilabel">Permitted to use</span> box, click on the
+ <span class="guibutton">Change</span> button. </p></li><li><p> Click on the <span class="guilabel">Look in</span> area that lists the machine name. When you click here, it will
+ open up a selection box. Click on the domain to which the profile must be accessible. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You will need to log on if a logon box opens up.
+ For example, connect as <i class="replaceable"><tt>DOMAIN</tt></i>\root, password:
+ <i class="replaceable"><tt>mypassword</tt></i>.</p></div></li><li><p> To make the profile capable of being used by anyone, select &#8220;<span class="quote">Everyone</span>&#8221;. </p></li><li><p> Click on <span class="guibutton">OK</span> and the Selection box will close. </p></li><li><p> Now click on <span class="guibutton">OK</span> to create the profile in the path
+ you nominated. </p></li></ol></div><p> Done. You now have a profile that can be edited using the Samba <b class="command">profiles</b> tool.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
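Review bot: Two small defects survive the rewording in this block: "If you have access to an Windows NT4/200x server" should read "a Windows", and in the NT4 folder list the comma has moved inside the filename element ("Start Menu,</tt>"), so it renders as part of the folder name. The NT4 paragraph still describes logon drive as "now available" and logon home as "the new" parameter; since the wording is being revised anyway, drop the time-relative phrasing or name the Samba version it refers to. In the Windows 2000/XP steps, "To make the profile capable of being used by anyone, select Everyone" would benefit from one sentence on when that is appropriate, because the same dialog is where a narrower group would be chosen.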
- Be careful with group profiles, if the user who is a member of a group also
- has a personal profile, then the result will be a fusion (merge) of the two.
- </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2947873"></a>Default Profile for Windows Users</h2></div></div><div></div></div><p>
-MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom
-a profile does not already exist. Armed with a knowledge of where the default profile
-is located on the Windows workstation, and knowing which registry keys affect the path
-from which the default profile is created, it is possible to modify the default profile
-to one that has been optimised for the site. This has significant administrative
-advantages.
-</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2947893"></a>MS Windows 9x/Me</h3></div></div><div></div></div><p>
-To enable default per use profiles in Windows 9x / Me you can either use the <span class="application">Windows 98 System
-Policy Editor</span> or change the registry directly.
-</p><p>
-To enable default per user profiles in Windows 9x / Me, launch the <span class="application">System Policy Editor</span>, then
-select <span class="guimenu">File</span> -&gt; <span class="guimenuitem">Open Registry</span>, then click on the
-<span class="guiicon">Local Computer</span> icon, click on <span class="guilabel">Windows 98 System</span>,
-select <span class="guilabel">User Profiles</span>, click on the enable box. Do not forget to save the registry changes.
-</p><p>
-To modify the registry directly, launch the <span class="application">Registry Editor</span> (<b class="command">regedit.exe</b>), select the hive
-<tt class="filename">HKEY_LOCAL_MACHINE\Network\Logon</tt>. Now add a DWORD type key with the name
-&quot;User Profiles&quot;, to enable user profiles set the value to 1, to disable user profiles set it to 0.
-</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2947996"></a>How User Profiles Are Handled in Windows 9x / Me?</h4></div></div><div></div></div><p>
-When a user logs on to a Windows 9x / Me machine, the local profile path,
+Under Windows NT/200x, the use of mandatory profiles forces the use of MS Exchange storage of mail
+data and keeps it out of the desktop profile. That keeps desktop profiles from becoming unusable.
+</p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2956079"></a>Windows XP Service Pack 1</h5></div></div><div></div></div><p>
+ There is a security check new to Windows XP (or maybe only Windows XP service pack 1).
+ It can be disabled via a group policy in the Active Directory. The policy is called:
+ </p><p>
+ <tt class="filename">Computer Configuration\Administrative Templates\System\User Profiles\Do not check for
+ user ownership of Roaming Profile Folders</tt>i
+ </p><p>
+ This should be set to <tt class="constant">Enabled</tt>.
+ </p><p>
+ Does the new version of Samba have an Active Directory analogue? If so, then you may be able to set the policy through this.
+ </p><p>If you cannot set group policies in Samba, then you may be able to set the policy locally on
+ each machine. If you want to try this, then do the following (N.B. I do not know for sure that this
+ will work in the same way as a domain group policy):
+ </p><div class="procedure"><ol type="1"><li><p>On the XP workstation, log in with an Administrative account.</p></li><li><p>Click on <span class="guimenu">Start</span> -&gt; <span class="guimenuitem">Run</span>.</p></li><li><p>Type <b class="command">mmc</b>.</p></li><li><p>Click on <span class="guibutton">OK</span>.</p></li><li><p>A Microsoft Management Console should appear.</p></li><li><p>Click on <span class="guimenu">File</span> -&gt; <span class="guimenuitem">Add/Remove Snap-in</span> -&gt; <span class="guimenuitem">Add</span>.</p></li><li><p>Double-click on <span class="guiicon">Group Policy</span>.</p></li><li><p>Click on <span class="guibutton">Finish</span> -&gt; <span class="guibutton">Close</span>.</p></li><li><p>Click on <span class="guibutton">OK</span>.</p></li><li><p>In the &#8220;<span class="quote">Console Root</span>&#8221; window expand <span class="guiicon">Local Computer Policy</span> -&gt;
+ <span class="guiicon">Computer Configuration</span> -&gt; <span class="guiicon">Administrative Templates</span> -&gt; <span class="guiicon">System</span> -&gt; <span class="guiicon">User Profiles</span>.</p></li><li><p>Double-click on <span class="guilabel">Do not check for user ownership of Roaming Profile Folders</span>.</p></li><li><p>Select <span class="guilabel">Enabled</span>.</p></li><li><p>Click on <span class="guibutton">OK</span>.</p></li><li><p>Close the whole console. You do not need to save the settings (this refers to the
+ console settings rather than the policies you have changed).</p></li><li><p>Reboot.</p></li></ol></div></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956404"></a>Sharing Profiles between W9x/Me and NT4/200x/XP Workstations</h3></div></div><div></div></div><p> Sharing of desktop profiles between Windows versions is not recommended. Desktop profiles are an
+evolving phenomenon and profiles for later versions of MS Windows clients add features that may interfere
+with earlier versions of MS Windows clients. Probably the more salient reason to not mix profiles is
+that when logging off an earlier version of MS Windows, the older format of profile contents may overwrite
+information that belongs to the newer version resulting in loss of profile information content when that
+user logs on again with the newer version of MS Windows. </p><p> If you then want to share the same Start Menu/Desktop with W9x/Me, you will need to specify a common
+location for the profiles. The <tt class="filename">smb.conf</tt> parameters that need to be common are <a class="indexterm" name="id2956443"></a><i class="parameter"><tt>logon path</tt></i> and <a class="indexterm" name="id2956457"></a><i class="parameter"><tt>logon home</tt></i>. </p><p> If you have this set up correctly, you will find separate <tt class="filename">user.DAT</tt> and
+<tt class="filename">NTuser.DAT</tt> files in the same profile directory. </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956492"></a>Profile Migration from Windows NT4/200x Server to Samba</h3></div></div><div></div></div><p> There is nothing to stop you from specifying any path that you like for the location of users' profiles.
+Therefore, you could specify that the profile be stored on a Samba server, or any other SMB server,
+as long as that SMB server supports encrypted passwords. </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2956509"></a>Windows NT4 Profile Management Tools</h4></div></div><div></div></div><p> Unfortunately, the Resource Kit information is specific to the version of MS Windows NT4/200x. The
+correct resource kit is required for each platform. </p><p>Here is a quick guide:</p><div class="procedure"><ol type="1"><li><p> On your NT4 Domain Controller, right click on <span class="guiicon">My Computer</span>, then select the
+ tab labeled <span class="guilabel">User Profiles</span>. </p></li><li><p> Select a user profile you want to migrate and click on it. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>I am using the term &#8220;<span class="quote">migrate</span>&#8221; loosely. You can copy a profile to create a group
+ profile. You can give the user <i class="parameter"><tt>Everyone</tt></i> rights to the profile you copy this to. That
+ is what you need to do, since your Samba domain is not a member of a trust relationship with your NT4
+ PDC.</p></div></li><li><p>Click on the <span class="guibutton">Copy To</span> button.</p></li><li><p>In the box labeled <span class="guilabel">Copy Profile to</span> add your new path, e.g.,
+ <tt class="filename">c:\temp\foobar</tt></p></li><li><p>Click on <span class="guibutton">Change</span> in the <span class="guilabel">Permitted to use</span> box.</p></li><li><p>Click on the group &#8220;<span class="quote">Everyone</span>&#8221;, click on <span class="guibutton">OK</span>. This
+ closes the &#8220;<span class="quote">choose user</span>&#8221; box.</p></li><li><p>Now click on <span class="guibutton">OK</span>.</p></li></ol></div><p> Follow the above for every profile you need to migrate. </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2956689"></a>Side Bar Notes</h4></div></div><div></div></div><p>
+<a class="indexterm" name="id2956700"></a>
+You should obtain the SID of your NT4 domain. You can use smbpasswd to do this. Read the man
+page.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2956712"></a>moveuser.exe</h4></div></div><div></div></div><p> The Windows 200x professional resource kit has <b class="command">moveuser.exe</b>. <b class="command">moveuser.exe</b> changes the security of a profile
+from one user to another. This allows the account domain to change, and/or the user name to change.</p><p>
+This command is like the Samba <b class="command">profiles</b> tool.
+</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2956753"></a>Get SID</h4></div></div><div></div></div><p>
+<a class="indexterm" name="id2956764"></a>
+You can identify the SID by using <b class="command">GetSID.exe</b> from the Windows NT Server 4.0 Resource Kit. </p><p> Windows NT 4.0 stores the local profile information in the registry under the following key:
+<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</tt> </p><p> Under the ProfileList key, there will be subkeys named with the SIDs of the users who have logged
+on to this computer. (To find the profile information for the user whose locally cached profile you want
+to move, find the SID for the user with the <b class="command">GetSID.exe</b> utility.) Inside the appropriate user's subkey,
+you will see a string value named <i class="parameter"><tt>ProfileImagePath</tt></i>. </p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2956822"></a>Mandatory Profiles</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2956832"></a>
+A Mandatory Profile is a profile that the user does not have the ability to overwrite. During the
+user's session, it may be possible to change the desktop environment, however, as the user logs out all changes
+made will be lost. If it is desired to not allow the user any ability to change the desktop environment,
+then this must be done through policy settings. See the previous chapter. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+Under NO circumstances should the profile directory (or its contents) be made read-only
+as this may render the profile un-usable. Where it is essential to make a profile read-only
+within the UNIX file system, this can be done but then you absolutely must use the <b class="command">fake-permissions</b>
+VFS module to instruct MS Windows NT/200x/XP clients that the Profile has write permission for the user. See <link linkend="fakeperms">.
+</p></div><p> For MS Windows NT4/200x/XP, the above method can also be used to create mandatory profiles. To
+convert a group profile into a mandatory profile, simply locate the <tt class="filename">NTUser.DAT</tt> file in the copied profile
+and rename it to <tt class="filename">NTUser.MAN</tt>. </p><p> For MS Windows 9x/ME, it is the <tt class="filename">User.DAT</tt> file that must be renamed to
+<tt class="filename">User.MAN</tt> to effect a mandatory profile. </p></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2956917"></a>Creating and Managing Group Profiles</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2956929"></a>
+Most organizations are arranged into departments. There is a nice benefit in this fact since usually
+most users in a department require the same desktop applications and the same desktop layout. MS
+Windows NT4/200x/XP will allow the use of Group Profiles. A Group Profile is a profile that is created
+first using a template (example) user. Then using the profile migration tool (see above), the profile is
+assigned access rights for the user group that needs to be given access to the group profile. </p><p> The next step is rather important. Instead of assigning a group profile to users (Using User Manager)
+on a &#8220;<span class="quote">per user</span>&#8221; basis, the group itself is assigned the now modified profile. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> Be careful with Group Profiles. If the user who is a member of a group also has a personal
+profile, then the result will be a fusion (merge) of the two. </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2956970"></a>Default Profile for Windows Users</h2></div></div><div></div></div><p>
+<a class="indexterm" name="id2956982"></a>
+MS Windows 9x/Me and NT4/200x/XP will use a default profile for any user for whom a profile
+does not already exist. Armed with a knowledge of where the default profile is located on the Windows
+workstation, and knowing which registry keys effect the path from which the default profile is created,
+it is possible to modify the default profile to one that has been optimized for the site. This has
+significant administrative advantages. </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956999"></a>MS Windows 9x/Me</h3></div></div><div></div></div><p> To enable default per use profiles in Windows 9x/ME, you can either use the <span class="application">Windows
+98 System Policy Editor</span> or change the registry directly. </p><p> To enable default per user profiles in Windows 9x/ME, launch the <span class="application">System Policy
+Editor</span>, then select <span class="guimenu">File</span> -&gt; <span class="guimenuitem">Open Registry</span>,
+next click on the <span class="guiicon">Local Computer</span> icon, click on <span class="guilabel">Windows 98 System</span>,
+select <span class="guilabel">User Profiles</span>, and click on the enable box. Remember to save the registry
+changes. </p><p> To modify the registry directly, launch the <span class="application">Registry Editor</span>
+(<b class="command">regedit.exe</b>) and select the hive <tt class="filename">HKEY_LOCAL_MACHINE\Network\Logon</tt>. Now
+add a DWORD type key with the name &#8220;<span class="quote">User Profiles,</span>&#8221; to
+enable user profiles to set the value
+to 1; to disable user profiles set it to 0. </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2957101"></a>User Profile Handling with Windows 9x/Me</h4></div></div><div></div></div><p> When a user logs on to a Windows 9x/Me machine, the local profile path,
<tt class="filename">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</tt>, is checked
-for an existing entry for that user:
-</p><p>
-If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached
-version of the user profile. Windows 9x / Me also checks the user's home directory (or other
-specified directory if the location has been modified) on the server for the User Profile.
-If a profile exists in both locations, the newer of the two is used. If the User Profile exists
-on the server, but does not exist on the local machine, the profile on the server is downloaded
-and used. If the User Profile only exists on the local machine, that copy is used.
-</p><p>
-If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me
-machine is used and is copied to a newly created folder for the logged on user. At log off, any
-changes that the user made are written to the user's local profile. If the user has a roaming
-profile, the changes are written to the user's profile on the server.
-</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2948045"></a>MS Windows NT4 Workstation</h3></div></div><div></div></div><p>
-On MS Windows NT4 the default user profile is obtained from the location
+for an existing entry for that user. </p><p> If the user has an entry in this registry location, Windows 9x/Me checks for a locally cached
+version of the user profile. Windows 9x/Me also checks the user's home directory (or other specified
+directory if the location has been modified) on the server for the User Profile. If a profile exists
+in both locations, the newer of the two is used. If the User Profile exists on the server, but does not
+exist on the local machine, the profile on the server is downloaded and used. If the User Profile only
+exists on the local machine, that copy is used. </p><p> If a User Profile is not found in either location, the Default User Profile from the Windows
+9x/Me machine is used and copied to a newly created folder for the logged on user. At log off, any
+changes that the user made are written to the user's local profile. If the user has a roaming profile,
+the changes are written to the user's profile on the server. </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957150"></a>MS Windows NT4 Workstation</h3></div></div><div></div></div><p> On MS Windows NT4, the default user profile is obtained from the location
<tt class="filename">%SystemRoot%\Profiles</tt> which in a default installation will translate to
-<tt class="filename">C:\WinNT\Profiles</tt>. Under this directory on a clean install there will be
-three (3) directories: <tt class="filename">Administrator</tt>, <tt class="filename">All Users</tt>, <tt class="filename">Default User</tt>.
-</p><p>
-The <tt class="filename">All Users</tt> directory contains menu settings that are common across all
-system users. The <tt class="filename">Default User</tt> directory contains menu entries that are
-customisable per user depending on the profile settings chosen/created.
-</p><p>
-When a new user first logs onto an MS Windows NT4 machine a new profile is created from:
-</p><div class="itemizedlist"><ul type="disc"><li><p>All Users settings</p></li><li><p>Default User settings (contains the default NTUser.DAT file)</p></li></ul></div><p>
-When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain
-the following steps are followed in respect of profile handling:
-</p><div class="procedure"><ol type="1"><li><p>
- The users' account information which is obtained during the logon process contains
- the location of the users' desktop profile. The profile path may be local to the
- machine or it may be located on a network share. If there exists a profile at the location
- of the path from the user account, then this profile is copied to the location
- <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>. This profile then inherits the
- settings in the <tt class="filename">All Users</tt> profile in the <tt class="filename">%SystemRoot%\Profiles</tt>
- location.
- </p></li><li><p>
- If the user account has a profile path, but at it's location a profile does not exist,
- then a new profile is created in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>
- directory from reading the <tt class="filename">Default User</tt> profile.
- </p></li><li><p>
- If the NETLOGON share on the authenticating server (logon server) contains a policy file
- (<tt class="filename">NTConfig.POL</tt>) then it's contents are applied to the <tt class="filename">NTUser.DAT</tt>
- which is applied to the <tt class="filename">HKEY_CURRENT_USER</tt> part of the registry.
- </p></li><li><p>
- When the user logs out, if the profile is set to be a roaming profile it will be written
- out to the location of the profile. The <tt class="filename">NTuser.DAT</tt> file is then
- re-created from the contents of the <tt class="filename">HKEY_CURRENT_USER</tt> contents.
- Thus, should there not exist in the NETLOGON share an <tt class="filename">NTConfig.POL</tt> at the
- next logon, the effect of the previous <tt class="filename">NTConfig.POL</tt> will still be held
- in the profile. The effect of this is known as <span class="emphasis"><em>tatooing</em></span>.
- </p></li></ol></div><p>
-MS Windows NT4 profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>. A Local profile
-will stored in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt> location. A roaming profile will
-also remain stored in the same way, unless the following registry key is created:
-</p><p>
-</p><pre class="programlisting">
-HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
-winlogon\&quot;DeleteRoamingCache&quot;=dword:00000001
-</pre><p>
+<tt class="filename">C:\Windows NT\Profiles</tt>. Under this directory on a clean install there will be three
+(3) directories: <tt class="filename">Administrator</tt>, <tt class="filename">All
+Users,</tt> and <tt class="filename">Default
+User</tt>. </p><p> The <tt class="filename">All Users</tt> directory contains menu settings that are common across all
+system users. The <tt class="filename">Default User</tt> directory contains menu entries that are customizable
+per user depending on the profile settings chosen/created. </p><p> When a new user first logs onto an MS Windows NT4 machine, a new profile is created from: </p><div class="itemizedlist"><ul type="disc"><li><p>All Users settings.</p></li><li><p>Default User settings (contains the default <tt class="filename">NTUser.DAT</tt> file).</p></li></ul></div><p> When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain,
+ the following steps are followed in respect of profile handling:
-In which case, the local copy (in <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>) will be
-deleted on logout.
-</p><p>
-Under MS Windows NT4 default locations for common resources (like <tt class="filename">My Documents</tt>
-may be redirected to a network share by modifying the following registry keys. These changes may be affected
-via use of the System Policy Editor (to do so may require that you create your owns template extension
-for the policy editor to allow this to be done through the GUI. Another way to do this is by way of first
-creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings.
-</p><p>
-The Registry Hive key that affects the behaviour of folders that are part of the default user profile
-are controlled by entries on Windows NT4 is:
-</p><p>
-<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt>
-</p><p>
-The above hive key contains a list of automatically managed folders. The default entries are:
-</p><p>
-</p><div class="table"><a name="id2948397"></a><p class="title"><b>Table 24.1. User Shell Folder registry keys default values</b></p><table summary="User Shell Folder registry keys default values" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu </td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr></tbody></table></div><p>
-</p><p>
-The registry key that contains the location of the default profile settings is:
-</p><p>
-<tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</tt>
-</p><p>
-The default entries are:
+<a class="indexterm" name="id2957258"></a>
+</p><div class="procedure"><ol type="1"><li><p> The users' account information that is obtained during the logon process
+ contains the location of the users' desktop profile. The profile path may be local to
+ the machine or it may be located on a network share. If there exists a profile at the
+ location of the path from the user account, then this profile is copied to the location
+ <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>. This profile then inherits the settings
+ in the <tt class="filename">All Users</tt> profile in the <tt class="filename">%SystemRoot%\Profiles</tt>
+ location. </p></li><li><p> If the user account has a profile path, but at its location a profile does not
+ exist, then a new profile is created in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>
+ directory from reading the <tt class="filename">Default User</tt> profile. </p></li><li><p> If the NETLOGON share on the authenticating server (logon server) contains
+ a policy file (<tt class="filename">NTConfig.POL</tt>), then its contents are applied to the
+ <tt class="filename">NTUser.DAT</tt> which is applied to the <tt class="filename">HKEY_CURRENT_USER</tt>
+ part of the registry.
+ </p></li><li><p> When the user logs out, if the profile is set to be a roaming profile it will be
+ written out to the location of the profile. The <tt class="filename">NTuser.DAT</tt> file is then
+ recreated from the contents of the <tt class="filename">HKEY_CURRENT_USER</tt> contents. Thus,
+ should there not exist in the NETLOGON share an <tt class="filename">NTConfig.POL</tt> at the next
+ logon, the effect of the previous <tt class="filename">NTConfig.POL</tt> will still be held in the
+ profile. The effect of this is known as tattooing.
+ </p></li></ol></div><p> MS Windows NT4 profiles may be <span class="emphasis"><em>local</em></span> or <span class="emphasis"><em>roaming</em></span>. A local
+profile will stored in the <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt> location. A roaming
+profile will also remain stored in the same way, unless the following registry key is created as shown: </p><pre class="screen"> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
+winlogon\"DeleteRoamingCache"=dword:0000000
+ </pre><p>
+In this case, the local copy (in <tt class="filename">%SystemRoot%\Profiles\%USERNAME%</tt>) will be deleted
+on logout.</p><p> Under MS Windows NT4, default locations for common resources like <tt class="filename">My Documents</tt>
+may be redirected to a network share by modifying the following registry keys. These changes may be
+affected via use of the System Policy Editor. To do so may require that you create your own template
+extension for the policy editor to allow this to be done through the GUI. Another way to do this is by
+way of first creating a default user profile, then while logged in as that user, run <b class="command">regedt32</b> to edit
+the key settings. </p><p>
+The Registry Hive key that affects the behavior of folders that are part of the default user
+profile are controlled by entries on Windows NT4 is:
+</p><pre class="screen">
+HKEY_CURRENT_USER
+ \Software
+ \Microsoft
+ \Windows
+ \CurrentVersion
+ \Explorer
+ \User Shell Folders
+</pre><p>
+<a class="indexterm" name="id2957503"></a>
+</p><p> The above hive key contains a list of automatically managed folders. The default entries are shown in <link linkend="ProfileLocs">. </p><div class="table"><a name="ProfileLocs"></a><p class="title"><b>Table 24.1. User Shell Folder Registry Keys Default Values</b></p><table summary="User Shell Folder Registry Keys Default Values" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="left">Default Value</th></tr></thead><tbody><tr><td align="left">AppData</td><td align="left">%USERPROFILE%\Application Data</td></tr><tr><td align="left">Desktop</td><td align="left">%USERPROFILE%\Desktop</td></tr><tr><td align="left">Favorites</td><td align="left">%USERPROFILE%\Favorites</td></tr><tr><td align="left">NetHood</td><td align="left">%USERPROFILE%\NetHood</td></tr><tr><td align="left">PrintHood</td><td align="left">%USERPROFILE%\PrintHood</td></tr><tr><td align="left">Programs</td><td align="left">%USERPROFILE%\Start Menu\Programs</td></tr><tr><td align="left">Recent</td><td align="left">%USERPROFILE%\Recent</td></tr><tr><td align="left">SendTo</td><td align="left">%USERPROFILE%\SendTo</td></tr><tr><td align="left">Start Menu </td><td align="left">%USERPROFILE%\Start Menu</td></tr><tr><td align="left">Startup</td><td align="left">%USERPROFILE%\Start Menu\Programs\Startup</td></tr></tbody></table></div><p> The registry key that contains the location of the default profile settings is: </p><p> <tt class="filename">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
+User Shell Folders</tt> </p><p> The default entries are shown in <link linkend="regkeys">.</p><div class="table"><a name="regkeys"></a><p class="title"><b>Table 24.2. Defaults of Profile Settings Registry Keys</b></p><table summary="Defaults of Profile Settings Registry Keys" border="1"><colgroup><col align="left"><col align="left"></colgroup><tbody><tr><td align="left">Common Desktop</td><td align="left">%SystemRoot%\Profiles\All Users\Desktop</td></tr><tr><td align="left">Common Programs</td><td align="left">%SystemRoot%\Profiles\All Users\Programs</td></tr><tr><td align="left">Common Start Menu</td><td align="left">%SystemRoot%\Profiles\All Users\Start Menu</td></tr><tr><td align="left">Common Startup</td><td align="left">%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2957772"></a>MS Windows 200x/XP</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+<a class="indexterm" name="id2957786"></a>
+MS Windows XP Home Edition does use default per user profiles, but cannot participate
+in domain security, cannot log onto an NT/ADS-style domain, and thus can obtain the profile only
+from itself. While there are benefits in doing this, the beauty of those MS Windows clients that
+can participate in domain logon processes allows the administrator to create a global default
+profile and enforce it through the use of Group Policy Objects (GPOs).
+</p></div><p> When a new user first logs onto an MS Windows 200x/XP machine, the default profile is obtained from
+<tt class="filename">C:\Documents and Settings\Default User</tt>. The administrator can modify or change the
+contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum arrangement
+since it will involve copying a new default profile to every MS Windows 200x/XP client workstation. </p><p> When MS Windows 200x/XP participates in a domain security context, and if the default user profile is
+ not found, then the client will search for a default profile in the NETLOGON share of the authenticating
+ server. In MS Windows parlance,<tt class="filename">%LOGONSERVER%\NETLOGON\Default User,</tt> and if one
+exists there it will copy this to the workstation to the <tt class="filename">C:\Documents and Settings\</tt>
+under the Windows login name of the user. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> This path translates, in Samba parlance, to the <tt class="filename">smb.conf</tt>
+<i class="parameter"><tt>[NETLOGON]</tt></i> share. The directory should be created at the root
+of this share and must be called <tt class="filename">Default Profile</tt>. </p></div><p> If a default profile does not exist in this location, then MS Windows 200x/XP will use the local
+default profile. </p><p> On logging out, the users' desktop profile will be stored to the location specified in the registry
+settings that pertain to the user. If no specific policies have been created or passed to the client
+during the login process (as Samba does automatically), then the user's profile will be written to the
+local machine only under the path <tt class="filename">C:\Documents and Settings\%USERNAME%</tt>. </p><p> Those wishing to modify the default behavior can do so through these three methods: </p><div class="itemizedlist"><ul type="disc"><li><p> Modify the registry keys on the local machine manually and place the new
+ default profile in the NETLOGON share root. This is not recommended as it is maintenance intensive.
+ </p></li><li><p> Create an NT4-style NTConfig.POL file that specified this behavior and locate
+ this file in the root of the NETLOGON share along with the new default profile. </p></li><li><p> Create a GPO that enforces this through Active Directory, and place the new
+ default profile in the NETLOGON share. </p></li></ul></div><p>The registry hive key that effects the behavior of folders that are part of the default user
+profile are controlled by entries on Windows 200x/XP is: </p><p> <tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
+Folders\</tt> </p><p>
+The above hive key contains a list of automatically managed folders. The default entries are shown
+in <link linkend="defregpthkeys">
+<a class="indexterm" name="id2957980"></a>
+</p><div class="table"><a name="defregpthkeys"></a><p class="title"><b>Table 24.3. Defaults of Default User Profile Paths Registry Keys</b></p><table summary="Defaults of Default User Profile Paths Registry Keys" border="1"><colgroup><col align="left"><col align="left"></colgroup><thead><tr><th align="left">Name</th><th align="left">Default Value</th></tr></thead><tbody><tr><td align="left">AppData</td><td align="left">%USERPROFILE%\Application Data</td></tr><tr><td align="left">Cache</td><td align="left">%USERPROFILE%\Local Settings\Temporary Internet Files</td></tr><tr><td align="left">Cookies</td><td align="left">%USERPROFILE%\Cookies</td></tr><tr><td align="left">Desktop</td><td align="left">%USERPROFILE%\Desktop</td></tr><tr><td align="left">Favorites</td><td align="left">%USERPROFILE%\Favorites</td></tr><tr><td align="left">History</td><td align="left">%USERPROFILE%\Local Settings\History</td></tr><tr><td align="left">Local AppData</td><td align="left">%USERPROFILE%\Local Settings\Application Data</td></tr><tr><td align="left">Local Settings</td><td align="left">%USERPROFILE%\Local Settings</td></tr><tr><td align="left">My Pictures</td><td align="left">%USERPROFILE%\My Documents\My Pictures</td></tr><tr><td align="left">NetHood</td><td align="left">%USERPROFILE%\NetHood</td></tr><tr><td align="left">Personal</td><td align="left">%USERPROFILE%\My Documents</td></tr><tr><td align="left">PrintHood</td><td align="left">%USERPROFILE%\PrintHood</td></tr><tr><td align="left">Programs</td><td align="left">%USERPROFILE%\Start Menu\Programs</td></tr><tr><td align="left">Recent</td><td align="left">%USERPROFILE%\Recent</td></tr><tr><td align="left">SendTo</td><td align="left">%USERPROFILE%\SendTo</td></tr><tr><td align="left">Start Menu</td><td align="left">%USERPROFILE%\Start Menu</td></tr><tr><td align="left">Startup</td><td align="left">%USERPROFILE%\Start Menu\Programs\Startup</td></tr><tr><td align="left">Templates</td><td 
align="left">%USERPROFILE%\Templates</td></tr></tbody></table></div><p> There is also an entry called &#8220;<span class="quote">Default</span>&#8221; that has no value set. The default entry is
+of type <tt class="constant">REG_SZ</tt>, all the others are of type <tt class="constant">REG_EXPAND_SZ</tt>. </p><p> It makes a huge difference to the speed of handling roaming user profiles if all the folders are
+stored on a dedicated location on a network server. This means that it will not be necessary to write
+the Outlook PST file over the network for every login and logout. </p><p> To set this to a network location, you could use the following examples: </p><p><tt class="filename">%LOGONSERVER%\%USERNAME%\Default Folders</tt></p><p> This would store the folders in the user's home directory under a directory called <tt class="filename">Default
+Folders</tt>. You could also use: </p><p><tt class="filename">\\<i class="replaceable"><tt>SambaServer</tt></i>\<i class="replaceable"><tt>FolderShare</tt></i>\%USERNAME%</tt></p><p>
+in which case the default folders will be stored in the server named <i class="replaceable"><tt>SambaServer</tt></i>
+in the share called <i class="replaceable"><tt>FolderShare</tt></i> under a directory that has the name of the
+MS Windows user as seen by the Linux/UNIX file system. </p><p> Please note that once you have created a default profile share, you MUST migrate a user's profile
+(default or custom) to it. </p><p> MS Windows 200x/XP profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>.
+ A roaming profile will be cached locally unless the following registry key is created:
-</p><div class="table"><a name="id2948541"></a><p class="title"><b>Table 24.2. Defaults of profile settings registry keys</b></p><table summary="Defaults of profile settings registry keys" border="1"><colgroup><col><col></colgroup><tbody><tr><td>Common Desktop</td><td>%SystemRoot%\Profiles\All Users\Desktop</td></tr><tr><td>Common Programs</td><td>%SystemRoot%\Profiles\All Users\Programs</td></tr><tr><td>Common Start Menu</td><td>%SystemRoot%\Profiles\All Users\Start Menu</td></tr><tr><td>Common Startup</td><td>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</td></tr></tbody></table></div><p>
-</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2948600"></a>MS Windows 200x/XP</h3></div></div><div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- MS Windows XP Home Edition does use default per user profiles, but can not participate
- in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile
- only from itself. While there are benefits in doing this the beauty of those MS Windows
- clients that CAN participate in domain logon processes allows the administrator to create
- a global default profile and to enforce it through the use of Group Policy Objects (GPOs).
- </p></div><p>
-When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from
-<tt class="filename">C:\Documents and Settings\Default User</tt>. The administrator can modify (or change
-the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum
-arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client
-workstation.
-</p><p>
-When MS Windows 200x/XP participate in a domain security context, and if the default user
-profile is not found, then the client will search for a default profile in the NETLOGON share
-of the authenticating server. ie: In MS Windows parlance:
-<tt class="filename">%LOGONSERVER%\NETLOGON\Default User</tt> and if one exits there it will copy this
-to the workstation to the <tt class="filename">C:\Documents and Settings\</tt> under the Windows
-login name of the user.
-</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
- This path translates, in Samba parlance, to the <tt class="filename">smb.conf</tt> <i class="parameter"><tt>[NETLOGON]</tt></i> share. The directory
- should be created at the root of this share and must be called <tt class="filename">Default Profile</tt>.
- </p></div><p>
-If a default profile does not exist in this location then MS Windows 200x/XP will use the local
-default profile.
-</p><p>
-On logging out, the users' desktop profile will be stored to the location specified in the registry
-settings that pertain to the user. If no specific policies have been created, or passed to the client
-during the login process (as Samba does automatically), then the user's profile will be written to
-the local machine only under the path <tt class="filename">C:\Documents and Settings\%USERNAME%</tt>.
-</p><p>
-Those wishing to modify the default behaviour can do so through three methods:
-</p><div class="itemizedlist"><ul type="disc"><li><p>
- Modify the registry keys on the local machine manually and place the new default profile in the
- NETLOGON share root - NOT recommended as it is maintenance intensive.
- </p></li><li><p>
- Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file
- in the root of the NETLOGON share along with the new default profile.
- </p></li><li><p>
- Create a GPO that enforces this through Active Directory, and place the new default profile
- in the NETLOGON share.
- </p></li></ul></div><p>
-The Registry Hive key that affects the behaviour of folders that are part of the default user profile
-are controlled by entries on Windows 200x/XP is:
-</p><p>
-<tt class="filename">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</tt>
-</p><p>
-The above hive key contains a list of automatically managed folders. The default entries are:
-</p><p>
-</p><div class="table"><a name="id2948802"></a><p class="title"><b>Table 24.3. Defaults of default user profile paths registry keys</b></p><table summary="Defaults of default user profile paths registry keys" border="1"><colgroup><col><col></colgroup><thead><tr><th>Name</th><th>Default Value</th></tr></thead><tbody><tr><td>AppData</td><td>%USERPROFILE%\Application Data</td></tr><tr><td>Cache</td><td>%USERPROFILE%\Local Settings\Temporary Internet Files</td></tr><tr><td>Cookies</td><td>%USERPROFILE%\Cookies</td></tr><tr><td>Desktop</td><td>%USERPROFILE%\Desktop</td></tr><tr><td>Favorites</td><td>%USERPROFILE%\Favorites</td></tr><tr><td>History</td><td>%USERPROFILE%\Local Settings\History</td></tr><tr><td>Local AppData</td><td>%USERPROFILE%\Local Settings\Application Data</td></tr><tr><td>Local Settings</td><td>%USERPROFILE%\Local Settings</td></tr><tr><td>My Pictures</td><td>%USERPROFILE%\My Documents\My Pictures</td></tr><tr><td>NetHood</td><td>%USERPROFILE%\NetHood</td></tr><tr><td>Personal</td><td>%USERPROFILE%\My Documents</td></tr><tr><td>PrintHood</td><td>%USERPROFILE%\PrintHood</td></tr><tr><td>Programs</td><td>%USERPROFILE%\Start Menu\Programs</td></tr><tr><td>Recent</td><td>%USERPROFILE%\Recent</td></tr><tr><td>SendTo</td><td>%USERPROFILE%\SendTo</td></tr><tr><td>Start Menu</td><td>%USERPROFILE%\Start Menu</td></tr><tr><td>Startup</td><td>%USERPROFILE%\Start Menu\Programs\Startup</td></tr><tr><td>Templates</td><td>%USERPROFILE%\Templates</td></tr></tbody></table></div><p>
-</p><p>
-There is also an entry called &quot;Default&quot; that has no value set. The default entry is of type <tt class="constant">REG_SZ</tt>, all
-the others are of type <tt class="constant">REG_EXPAND_SZ</tt>.
-</p><p>
-It makes a huge difference to the speed of handling roaming user profiles if all the folders are
-stored on a dedicated location on a network server. This means that it will NOT be necessary to
-write the Outlook PST file over the network for every login and logout.
-</p><p>
-To set this to a network location you could use the following examples:
-</p><p><tt class="filename">%LOGONSERVER%\%USERNAME%\Default Folders</tt></p><p>
-This would store the folders in the user's home directory under a directory called <tt class="filename">Default Folders</tt>
-You could also use:
-</p><p><tt class="filename">\\<i class="replaceable"><tt>SambaServer</tt></i>\<i class="replaceable"><tt>FolderShare</tt></i>\%USERNAME%</tt></p><p>
- in which case the default folders will be stored in the server named <i class="replaceable"><tt>SambaServer</tt></i>
-in the share called <i class="replaceable"><tt>FolderShare</tt></i> under a directory that has the name of the MS Windows
-user as seen by the Linux/UNIX file system.
-</p><p>
-Please note that once you have created a default profile share, you MUST migrate a user's profile
-(default or custom) to it.
-</p><p>
-MS Windows 200x/XP profiles may be <span class="emphasis"><em>Local</em></span> or <span class="emphasis"><em>Roaming</em></span>.
-A roaming profile will be cached locally unless the following registry key is created:
-</p><p>
-</p><pre class="programlisting">
-HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
- winlogon\&quot;DeleteRoamingCache&quot;=dword:00000001</pre><p>
-In which case, the local cache copy will be deleted on logout.
-</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2949100"></a>Common Errors</h2></div></div><div></div></div><p>
-The following are some typical errors/problems/questions that have been asked.
-</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949130"></a>Setting up roaming profiles for just a few user's or group's?</h3></div></div><div></div></div><p>
-With samba-2.2.x the choice you have is to enable or disable roaming
-profiles support. It is a global only setting. The default is to have
-roaming profiles and the default path will locate them in the user's home
-directory.
-</p><p>
-If disabled globally then no-one will have roaming profile ability.
-If enabled and you want it to apply only to certain machines, then on
-those machines on which roaming profile support is NOT wanted it is then
-necessary to disable roaming profile handling in the registry of each such
-machine.
-</p><p>
-With samba-3 you can have a global profile
-setting in <tt class="filename">smb.conf</tt> _AND_ you can over-ride this by per-user settings
-using the Domain User Manager (as with MS Windows NT4/ Win 2Kx).
-</p><p>
-In any case, you can configure only one profile per user. That profile can
-be either:
-</p><div class="itemizedlist"><ul type="disc"><li><p>A profile unique to that user</p></li><li><p>A mandatory profile (one the user can not change)</p></li><li><p>A group profile (really should be mandatory ie:unchangable)</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949201"></a>Can NOT use Roaming Profiles</h3></div></div><div></div></div><p>
-A user requested the following:
-&#8220;<span class="quote">
-I do not want Roaming profiles to be implemented. I want to give users a local profile alone. ...
-Please help me I am totally lost with this error. For the past two days I tried everything, I googled
-around but found no useful pointers. Please help me.
-</span>&#8221;</p><p>
-The choices are:
-</p><div class="variablelist"><dl><dt><span class="term">Local profiles:</span></dt><dd><p>
- I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out
- </p></dd><dt><span class="term">Roaming profiles:</span></dt><dd><p>
- As a user logs onto the network a centrally stored profile is copied to the workstation
- to form a local profile. This local profile will persist (remain on the workstation disk)
- unless a registry key is changed that will cause this profile to be automatically deleted
- on logout.
- </p></dd></dl></div><p>
-The <span class="emphasis"><em>Roaming Profile</em></span> choices are:
-</p><div class="variablelist"><dl><dt><span class="term">Personal Roaming profiles</span></dt><dd><p>
- These are typically stored in a profile share on a central (or conveniently located
- local) server.
- </p><p>
- Workstations 'cache' (store) a local copy of the profile. This cached copy is used when
- the profile can not be downloaded at next logon.
- </p></dd><dt><span class="term">Group profiles</span></dt><dd><p>These are loaded from a central profile server</p></dd><dt><span class="term">Mandatory profiles</span></dt><dd><p>
- Mandatory profiles can be created for a user as well as for any group that a user
- is a member of. Mandatory profiles can NOT be changed by ordinary users. Only the administrator
- can change or reconfigure a mandatory profile.
- </p></dd></dl></div><p>
-A WinNT4/2K/XP profile can vary in size from 130KB to off the scale.
-Outlook PST files are most often part of the profile and can be many GB in
-size. On average (in a well controlled environment) roaming profile size of
-2MB is a good rule of thumb to use for planning purposes. In an
-undisciplined environment I have seen up to 2GB profiles. Users tend to
-complain when it take an hour to log onto a workstation but they harvest
-the fruits of folly (and ignorance).
-</p><p>
-The point of all the above is to show that roaming profiles and good
-controls of how they can be changed as well as good discipline make up for
-a problem free site.
-</p><p>
-Microsoft's answer to the PST problem is to store all email in an MS
-Exchange Server back-end. This removes the need for a PST file.
-</p><p>
-LOCAL profiles mean:
-</p><div class="itemizedlist"><ul type="disc"><li><p>If each machine is used my many users then much local disk storage is needed for local profiles</p></li><li><p>Every workstation the user logs into has it's own profile, these can be very different from machine to machine</p></li></ul></div><p>
-On the other hand, use of roaming profiles means:
-</p><div class="itemizedlist"><ul type="disc"><li><p>The network administrator can control the desktop environment of all users.</p></li><li><p>Use of mandatory profiles drasitcally reduces network management overheads.</p></li><li><p>In the long run users will be experience fewer problems.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2949414"></a>Changing the default profile</h3></div></div><div></div></div><p>
-<span class="emphasis"><em>Question:</em></span>
-&#8220;<span class="quote">
-When the client logs onto the domain controller it searches for a profile to download,
-where do I put this default profile?
-</span>&#8221;</p><p>
-Firstly, the samba server needs to be configured as a domain controller.
-This can be done by setting in <tt class="filename">smb.conf</tt>:
-</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security = user</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 32 (or more)</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = Yes</tt></i></td></tr></table><p>
-There must be an <i class="parameter"><tt>[netlogon]</tt></i> share that is world readable.
-It is a good idea to add a logon script to pre-set printer and
-drive connections. There is also a facility for automatically
-synchronizing the workstation time clock with that of the logon
-server (another good thing to do).
-</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
-To invoke auto-deletion of roaming profile from the local
-workstation cache (disk storage) use the <span class="application">Group Policy Editor</span>
-to create a file called <tt class="filename">NTConfig.POL</tt> with the appropriate entries. This
-file needs to be located in the <i class="parameter"><tt>netlogon</tt></i> share root directory.</p></div><p>
-Windows clients need to be members of the domain. Workgroup machines do NOT use network logons so
-they do not interoperate with domain profiles.
-</p><p>
-For roaming profiles add to <tt class="filename">smb.conf</tt>:
-</p><p>
-</p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon path = \\%N\profiles\%U</tt></i></td></tr><tr><td># Default logon drive is Z:</td></tr><tr><td><i class="parameter"><tt>logon drive = H:</tt></i></td></tr><tr><td># This requires a PROFILES share that is world writable.</td></tr></table><p>
-</p></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 23. System and Account Policies </td><td width="20%" align="center"><a accesskey="h" href="samba-doc.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 25. PAM based Distributed Authentication</td></tr></table></div></body></html>
+<a class="indexterm" name="id2958308"></a>
+</p><p> </p><pre class="programlisting"> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
+ winlogon\"DeleteRoamingCache"=dword:00000001</pre><p>
+In this case, the local cache copy will be deleted on logout.
+</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2958338"></a>Common Errors</h2></div></div><div></div></div><p>
+The following are some typical errors, problems and questions that have been asked on the Samba mailing lists.
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958351"></a>Configuring Roaming Profiles for a Few Users or Groups</h3></div></div><div></div></div><p>
+With Samba-2.2.x, the choice you have is to enable or disable roaming profiles support. It is a
+global only setting. The default is to have roaming profiles and the default path will locate them in
+the user's home directory.
+</p><p>
+If disabled globally, then no one will have roaming profile ability. If enabled and you want it
+to apply only to certain machines, then on those machines on which roaming profile support is not wanted
+it is then necessary to disable roaming profile handling in the registry of each such machine.
+</p><p>
+With Samba-3, you can have a global profile setting in <tt class="filename">smb.conf</tt> and you can override this by
+per-user settings using the Domain User Manager (as with MS Windows NT4/ Win 200xx). </p><p> In any case, you can configure only one profile per user. That profile can be either: </p><div class="itemizedlist"><ul type="disc"><li>A profile unique to that user.</li><li>A mandatory profile (one the user cannot change).</li><li>A group profile (really should be mandatory, that is unchangable).</li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958416"></a>Cannot Use Roaming Profiles</h3></div></div><div></div></div><p> A user requested the following: &#8220;<span class="quote"> I do not want Roaming profiles to be implemented. I want
+to give users a local profile alone. Please help me, I am totally lost with this error. For the past
+two days I tried everything, I googled around but found no useful pointers. Please help me. </span>&#8221;</p><p> The choices are: </p><div class="variablelist"><dl><dt><span class="term">Local profiles</span></dt><dd><p> I know of no registry keys that will allow
+ auto-deletion of LOCAL profiles on log out.</p></dd><dt><span class="term">Roaming profiles</span></dt><dd><p> As a user logs onto the network, a centrally
+ stored profile is copied to the workstation to form a local profile. This local profile
+ will persist (remain on the workstation disk) unless a registry key is changed that will
+ cause this profile to be automatically deleted on logout. </p></dd></dl></div><p>The roaming profile choices are: </p><div class="variablelist"><dl><dt><span class="term">Personal roaming profiles</span></dt><dd><p> These are typically stored in
+ a profile share on a central (or conveniently located local) server. </p><p> Workstations cache (store) a local copy of the profile. This cached
+ copy is used when the profile cannot be downloaded at next logon. </p></dd><dt><span class="term">Group profiles</span></dt><dd><p>These are loaded from a central profile
+ server.</p></dd><dt><span class="term">Mandatory profiles</span></dt><dd><p> Mandatory profiles can be created for
+ a user as well as for any group that a user is a member of. Mandatory profiles cannot be
+ changed by ordinary users. Only the administrator can change or reconfigure a mandatory
+ profile. </p></dd></dl></div><p> A Windows NT4/200x/XP profile can vary in size from 130KB to very large. Outlook PST files are
+most often part of the profile and can be many GB in size. On average (in a well controlled environment),
+roaming profile size of 2MB is a good rule of thumb to use for planning purposes. In an undisciplined
+environment, I have seen up to 2GB profiles. Users tend to complain when it takes an hour to log onto a
+workstation but they harvest the fruits of folly (and ignorance). </p><p> The point of all the above is to show that roaming profiles and good controls of how they can be
+changed as well as good discipline make up for a problem-free site. </p><p> Microsoft's answer to the PST problem is to store all email in an MS Exchange Server backend. This
+removes the need for a PST file. </p><p>Local profiles mean: </p><div class="itemizedlist"><ul type="disc"><li><p>If each machine is used by many users, then much local disk storage is needed
+ for local profiles.</p></li><li><p>Every workstation the user logs into has
+ its own profile; these can be very different from machine to machine.</p></li></ul></div><p> On the other hand, use of roaming profiles means: </p><div class="itemizedlist"><ul type="disc"><li><p>The network administrator can control the desktop environment of all users.</p></li><li><p>Use of mandatory profiles drastically reduces network management overheads.</p></li><li><p>In the long run, users will experience fewer problems.</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2958626"></a>Changing the Default Profile</h3></div></div><div></div></div><p>&#8220;<span class="quote">When the client logs onto the Domain Controller, it searches
+for a profile to download. Where do I put this default profile?</span>&#8221;</p><p>
+<a class="indexterm" name="id2958644"></a>
+First, the Samba server needs to be configured as a Domain Controller. This can be done by
+setting in <tt class="filename">smb.conf</tt>: </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>security = user</tt></i></td></tr><tr><td><i class="parameter"><tt>os level = 32 (or more)</tt></i></td></tr><tr><td><i class="parameter"><tt>domain logons = Yes</tt></i></td></tr></table><p> There must be a <i class="parameter"><tt>[netlogon]</tt></i> share that is world readable. It is
+a good idea to add a logon script to pre-set printer and drive connections. There is also a facility
+for automatically synchronizing the workstation time clock with that of the logon server (another good
+thing to do). </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> To invoke auto-deletion of roaming profile from the local workstation cache (disk storage), use
+the <span class="application">Group Policy Editor</span> to create a file called <tt class="filename">NTConfig.POL</tt>
+with the appropriate entries. This file needs to be located in the <i class="parameter"><tt>netlogon</tt></i>
+share root directory.</p></div><p> Windows clients need to be members of the domain. Workgroup machines do not use network logons
+so they do not interoperate with domain profiles. </p><p> For roaming profiles, add to <tt class="filename">smb.conf</tt>: </p><table class="simplelist" border="0" summary="Simple list"><tr><td><i class="parameter"><tt>logon path = \\%N\profiles\%U</tt></i></td></tr><tr><td># Default logon drive is Z:</td></tr><tr><td><i class="parameter"><tt>logon drive = H:</tt></i></td></tr><tr><td># This requires a PROFILES share that is world writable.</td></tr></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="PolicyMgmt.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="optional.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="pam.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 23. System and Account Policies </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 25. PAM-Based Distributed Authentication</td></tr></table></div></body></html>
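Review bot: The final smb.conf list re-adds the comment "# This requires a PROFILES share that is world writable." without saying how one user's profile is protected from other users. Since this text is being reworded anyway, state the intended permissions on the share root and the per-user directories (for example a sticky-bit 1777 root with create mask = 0600 and directory mask = 0700) rather than leaving "world writable" as the only guidance. The DeleteRoamingCache listing is carried over with the path HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon; the Winlogon key lives under HKEY_LOCAL_MACHINE\SOFTWARE, so the "SYSTEM\" component looks wrong and should be checked against a real client. Smaller points: "Win 200xx" in the Samba-3 paragraph looks like a slip for "Win 200x", "unchangable" is still misspelled, and the three items of the "only one profile per user" list lost their <p> wrappers while the other lists in the hunk keep them.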