diff options
Diffstat (limited to 'docs/docbook/projdoc/ProfileMgmt.sgml')
-rw-r--r-- | docs/docbook/projdoc/ProfileMgmt.sgml | 264 |
1 files changed, 249 insertions, 15 deletions
diff --git a/docs/docbook/projdoc/ProfileMgmt.sgml b/docs/docbook/projdoc/ProfileMgmt.sgml index 72eac8635a..8eded5e9fb 100644 --- a/docs/docbook/projdoc/ProfileMgmt.sgml +++ b/docs/docbook/projdoc/ProfileMgmt.sgml @@ -1,15 +1,7 @@ <chapter id="ProfileMgmt"> <chapterinfo> - <author> - <firstname>John H</firstname><surname>Terpstra</surname> - <affiliation> - <orgname>Samba Team</orgname> - <address> - <email>jht@samba.org</email> - </address> - </affiliation> - </author> - <pubdate>April 3 2003</pubdate> + &author.jht; + <pubdate>April 3 2003</pubdate> </chapterinfo> <title>Desktop Profile Management</title> @@ -420,7 +412,7 @@ nominated. <para> Done. You now have a profile that can be editted using the samba-3.0.0 -profiles tool. +<filename>profiles</filename> tool. </para> <note> @@ -627,9 +619,29 @@ subkey, you will see a string value named ProfileImagePath. <title>Mandatory profiles</title> <para> -The above method can be used to create mandatory profiles also. To convert -a group profile into a mandatory profile simply locate the NTUser.DAT file -in the copied profile and rename it to NTUser.MAN. +A Mandatory Profile is a profile that the user does NOT have the ability to overwrite. +During the user's session it may be possible to change the desktop environment, but +as the user logs out all changes made will be lost. If it is desired to NOT allow the +user any ability to change the desktop environment then this must be done through +policy settings. See previous chapter. +</para> + +<note> +<para> +Under NO circumstances should the profile directory (or it's contents) be made read-only +as this may render the profile un-usable. +</para> +</note> + +<para> +For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles +also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT +file in the copied profile and rename it to NTUser.MAN. +</para> + +<para> +For MS Windows 9x / Me it is the User.DAT file that must be renamed to User.MAN to +affect a mandatory profile. </para> </sect1> @@ -638,7 +650,229 @@ in the copied profile and rename it to NTUser.MAN. <title>Creating/Managing Group Profiles</title> <para> -Blah goes here. +Most organisations are arranged into departments. There is a nice benenfit in +this fact since usually most users in a department will require the same desktop +applications and the same desktop layout. MS Windows NT4/200x/XP will allow the +use of Group Profiles. A Group Profile is a profile that is created firstly using +a template (example) user. Then using the profile migration tool (see above) the +profile is assigned access rights for the user group that needs to be given access +to the group profile. +</para> + +<para> +The next step is rather important. PLEASE NOTE: Instead of assigning a group profile +to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned +the now modified profile. </para> + +<note> + <para> + Be careful with group profiles, if the user who is a member of a group also + has a personal profile, then the result will be a fusion (merge) of the two. + </para> +</note> + </sect1> + +<sect1> +<title>Default Profile for Windows Users</title> + +<para> +MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom +a profile does not already exist. Armed with a knowledge of where the default profile +is located on the Windows workstation, and knowing which registry keys affect the path +from which the default profile is created, it is possible to modify the default profile +to one that has been optimised for the site. This has significant administrative +advantages. +<para> + +<sect2> +<title>MS Windows 9x/Me</title> + +<para> +To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System +Policy Editor or change the registry directly. +</para> + +<para> +To enable default per user profiles in Windows 9x / Me, launch the System Policy Editor, then +select File -> Open Registry, then click on the Local Computer icon, click on Windows 98 System, +select User Profiles, click on the enable box. Do not forget to save the registry changes. +</para> + +<para> +To modify the registry directly, launch the Registry Editor (regedit.exe), select the hive +<filename>HKEY_LOCAL_MACHINE\Network\Logon</filename>. Now add a DWORD type key with the name +"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0. +</para> + +</sect2> + +<sect2> +<title>MS Windows NT4 Workstation</title> + +<para> +Document NT4 default profile handling stuff here! Someone - please contribute appropriate +material here. Email your contribution to jht@samba.org. +</para> + +</sect2> + +<sect2> +<title>MS Windows 200x/XP</title> + + <note> + <para> + MS Windows XP Home Edition does use default per user profiles, but can not participate + in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile + only from itself. While there are benefits in doing this the beauty of those MS Windows + clients that CAN participate in domain logon processes allows the administrator to create + a global default profile and to enforce it through the use of Group Policy Objects (GPOs). + </para> + </note> + +<para> +When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from +<filename>C:\Documents and Settings\Default User</filename>. The administrator can modify (or change +the contents of this location and MS Windows 200x/XP will gladly user it. This is far from the optimum +arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client +workstation. +</para> + +<para> +When MS Windows 200x/XP participate in a domain security context, and if the default user +profile is not found, then the client will search for a default profile in the NETLOGON share +of the authenticating server. ie: In MS Windows parlance: +<filename>%LOGONSERVER%\NETLOGON\Default User</filename> and if one exits there it will copy this +to the workstation to the <filename>C:\Documents and Settings\</filename> under the Windows +login name of the user. +</para> + + <note> + <para> + This path translates, in Samba parlance, to the smb.conf [NETLOGON] share. The directory + should be created at the root of this share and msut be called <filename>Default Profile</filename>. + </para> + </note> + +<para> +If a default profile does not exist in this location then MS Windows 200x/XP will use the local +default profile. +</para> + +<para> +On loging out, the users' desktop profile will be stored to the location specified in the registry +settings that pertain to the user. If no specific policies have been created, or passed to the client +during the login process (as Samba does automatically), then the user's profile will be written to +the local machine only under the path <filename>C:\Documents and Settings\%USERNAME%</filename>. +</para> + +<para> +Those wishing to modify the default behaviour can do so through up to three methods: +</para> + +<itemizedlist> + <listitem> + <para> + Modify the registry keys on the local machine manually and place the new default profile in the + NETLOGON share root - NOT recommended as it is maintenance intensive. + </para> + </listitem> + + <listitem> + <para> + Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file + in the root of the NETLOGON share along with the new default profile. + </para> + </listitem> + + <listitem> + <para> + Create a GPO that enforces this through Active Directory, and place the new default profile + in the NETLOGON share. + </para> + </listitem> +</itemizedlist> + +<para> +The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows 200x/XP is: +</para> + +<para> +<programlisting> + HKEY_CURRENT_USER + \Software + \Microsoft + \Windows NT + \CurrentVersion + \Explorer + \User Shell Folders\ +</programlisting> +</para> + +<para> +The above hive key contains a list of automatically managed folders. The default entries are: +</para> + + <para> + <programlisting> + Name Default Value + -------------- ----------------------------------------- + AppData %USERPROFILE%\Application Data + Cache %USERPROFILE%\Local Settings\Temporary Internet Files + Cookies %USERPROFILE%\Cookies + Desktop %USERPROFILE%\Desktop + Favorites %USERPROFILE%\Favorites + History %USERPROFILE%\Local Settings\History + Local AppData %USERPROFILE%\Local Settings\Application Data + Local Settings %USERPROFILE%\Local Settings + My Pictures %USERPROFILE%\My Documents\My Pictures + NetHood %USERPROFILE%\NetHood + Personal %USERPROFILE%\My Documents + PrintHood %USERPROFILE%\PrintHood + Programs %USERPROFILE%\Start Menu\Programs + Recent %USERPROFILE%\Recent + SendTo %USERPROFILE%\SendTo + Start Menu %USERPROFILE%\Start Menu + Startup %USERPROFILE%\Start Menu\Programs\Startup + Templates %USERPROFILE%\Templates + </programlisting> + </para> + +<para> +There is also an entry called "Default" that has no value set. The default entry is of type REG_SZ, all +the others are of type REG_EXPAND_SZ. +</para> + +<para> +It makes a huge difference to the speed of handling roaming user profiles if all the folders are +stored on a dedicated location on a network server. This means that it will NOT be necessary to +write Outlook PST file over the network for every login and logout. +</para> + +<para> +To set this to a network location you could use the followin examples: + + %LOGONSERVER%\%USERNAME%\Default Folders + +This would store the folders in the user's home directory under a directory called "Default Folders" + +You could also use: + + \\SambaServer\FolderShare\%USERNAME% + +in which case the default folders will be stored in the server named <emphasis>SambaServer</emphasis> +in the share called <emphasis>FolderShare</emphasis> under a directory that has the name of the MS Windows +user as seen by the Linux/Unix file system. +</para> + +<para> +Please note that once you have created a default profile share, you MUST migrate a user's profile +(default or custom) to it. +</para> + +</sect2 +</sect1> + </chapter> |