Diffstat (limited to 'docs')
-rw-r--r-- docs/docbook/projdoc/AdvancedNetworkAdmin.xml 13
-rw-r--r-- docs/docbook/projdoc/PolicyMgmt.xml 429
-rw-r--r-- docs/docbook/projdoc/ProfileMgmt.xml 124
3 files changed, 377 insertions, 189 deletions
diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.xml b/docs/docbook/projdoc/AdvancedNetworkAdmin.xml
index bbaf5c2e59..5f29f32448 100644
--- a/docs/docbook/projdoc/AdvancedNetworkAdmin.xml
+++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.xml
@@ -82,8 +82,9 @@ is the best tool in your network environment.
<para>
The following information was posted to the Samba mailing list at Apr 3 23:33:50 GMT 2003.
- It is presented in full (with author details omitted for privacy reasons).
- <para>
+ It is presented in slightly edited form (with author details omitted for privacy reasons).
+ The entire answer is reproduced below with some comments removed.
+ </para>
<para>
<screen>
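Review bot: The two added sentences contradict each other: the posting is said to be in "slightly edited form" with "some comments removed", yet the second sentence calls it "The entire answer". Suggest one statement, for example "It is reproduced below in slightly edited form, with some comments removed and author details omitted for privacy reasons." The replacement of the stray opening <para> with </para> is the correct fix for the unbalanced element.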
@@ -94,8 +95,8 @@ is the best tool in your network environment.
&gt;
&gt; Is there a way to acomplish this? Do I need a windows terminal server?
&gt; Do I need to configure it so that it is a member of the domain or a
-&gt; BDC,PDC? Are there any hacks for MS Windows XP to enable remote login even if
-&gt; the computer is in a domain?
+&gt; BDC,PDC? Are there any hacks for MS Windows XP to enable remote login
+&gt; even if the computer is in a domain?
&gt;
&gt; Any ideas/experience would be appreciated :)
</screen>
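Review bot: The re-wrap of the two quoted lines leaves "acomplish" untouched on the unchanged line just above them. Since the first hunk now declares the posting "slightly edited", either correct the spelling here or leave the quote entirely as posted and drop the re-wrap, so that the edits made to the quoted text are consistent.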
@@ -350,7 +351,9 @@ See the documentation in the <ulink url="http://support.microsoft.com/default.as
<title>Common Errors</title>
<para>
-Stuff goes here.
+The information provided in this chapter has been reproduced from postings on the samba@samba.org
+mailing list. No implied endorsement or recommendation is offered. Administrators should conduct
+their own evaluation of alternatives and are encouraged to draw their own conclusions.
</para>
</sect1>
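Review bot: The text added under the "Common Errors" title is a provenance and no-endorsement notice, not a description of an error, so a reader scanning for troubleshooting help finds none here. Suggest moving these three lines to the chapter introduction next to the sentence about the mailing list posting, and either listing real errors in this section or removing the section until there is content for it.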
diff --git a/docs/docbook/projdoc/PolicyMgmt.xml b/docs/docbook/projdoc/PolicyMgmt.xml
index 2ae3fa5ea7..14be370d79 100644
--- a/docs/docbook/projdoc/PolicyMgmt.xml
+++ b/docs/docbook/projdoc/PolicyMgmt.xml
@@ -3,8 +3,51 @@
&author.jht;
<pubdate>April 3 2003</pubdate>
</chapterinfo>
+
<title>System and Account Policies</title>
+<para>
+This chapter summarises the current state of knowledge derived from personal
+practice and knowledge from samba mailing list subscribers. Before reproduction
+of posted information effort has been made to validate the information provided.
+Where additional information was uncovered through this validation it is provided
+also.
+</para>
+
+<sect1>
+<title>Features and Benefits</title>
+
+<para>
+When MS Windows NT3.5 was introduced the hot new topic was the ability to implmement
+Group Policies for users and group. Then along came MS Windows NT4 and a few sites
+started to adopt this capability. How do we know that? By way of the number of "booboos"
+(or mistakes) administrators made and then requested help to resolve.
+</para>
+
+<para>
+By the time that MS Windows 2000 and Active Directory was released, administrators
+got the message: Group Policies are a good thing! They can help reduce administrative
+costs and actually can help to create happier users. But adoption of the true
+potential of MS Windows 200x Active Directory and Group Policy Objects (GPOs) for users
+and machines were picked up on rather slowly. This was very obvious from the samba
+mailing list as in 2000 and 2001 there were very few postings regarding GPOs and
+how to replicate them in a Samba environment.
+</para>
+
+<para>
+Judging by the traffic volume since mid 2002, GPOs have become a standard part of
+the deployment in many sites. This chapter reviews techniques and methods that can
+be used to exploit opportunities for automation of control over user desktops and
+network client workstations.
+</para>
+
+<para>
+A tool new to Samba-3 may become an important part of the future Samba Administrators'
+arsenal. The <command>editreg</command> tool is described in this document.
+</para>
+
+</sect1>
+
<sect1>
<title>Creating and Managing System Policies</title>
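Review bot: The last added paragraph states that the editreg tool "is described in this document", but the only editreg section this patch adds to the file ("Samba Editreg Toolset") contains a single placeholder sentence. Reword the promise as planned content or write the section before claiming it. The new "Features and Benefits" text also needs a proofread: "implmement", "for users and group" (groups), "Active Directory was released" (two subjects, so "were"), and "adoption ... were picked up" (singular subject).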
@@ -55,194 +98,193 @@ What follows is a very brief discussion with some helpful notes. The information
here is incomplete - you are warned.
</para>
-<sect2>
-<title>Windows 9x/Me Policies</title>
-
-<para>
-You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me.
-It can be found on the Original full product Win98 installation CD under
-<filename>tools/reskit/netadmin/poledit</filename>. Install this using the
-Add/Remove Programs facility and then click on the 'Have Disk' tab.
-</para>
-
-<para>
-Use the Group Policy Editor to create a policy file that specifies the location of
-user profiles and/or the <filename>My Documents</filename> etc. stuff. Then
-save these settings in a file called <filename>Config.POL</filename> that needs to
-be placed in the root of the [NETLOGON] share. If Win98 is configured to log onto
-the Samba Domain, it will automatically read this file and update the Win9x/Me registry
-of the machine as it logs on.
-</para>
+ <sect2>
+ <title>Windows 9x/Me Policies</title>
-<para>
-Further details are covered in the Win98 Resource Kit documentation.
-</para>
-
-<para>
-If you do not take the right steps, then every so often Win9x/Me will check the
-integrity of the registry and will restore it's settings from the back-up
-copy of the registry it stores on each Win9x/Me machine. Hence, you will
-occasionally notice things changing back to the original settings.
-</para>
-
-<para>
-Install the group policy handler for Win9x to pick up group policies. Look on the
-Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>.
-Install group policies on a Win9x client by double-clicking
-<filename>grouppol.inf</filename>. Log off and on again a couple of times and see
-if Win98 picks up group policies. Unfortunately this needs to be done on every
-Win9x/Me machine that uses group policies.
-</para>
-
-</sect2>
-<sect2>
-<title>Windows NT4 Style Policy Files</title>
-
-<para>
-To create or edit <filename>ntconfig.pol</filename> you must use the NT Server
-Policy Editor, <command>poledit.exe</command> which is included with NT4 Server
-but <emphasis>not NT Workstation</emphasis>. There is a Policy Editor on a NT4
-Workstation but it is not suitable for creating <emphasis>Domain Policies</emphasis>.
-Further, although the Windows 95 Policy Editor can be installed on an NT4
-Workstation/Server, it will not work with NT clients. However, the files from
-the NT Server will run happily enough on an NT4 Workstation.
-</para>
-
-<para>
-You need <filename>poledit.exe, common.adm</filename> and <filename>winnt.adm</filename>.
-It is convenient to put the two *.adm files in the <filename>c:\winnt\inf</filename>
-directory which is where the binary will look for them unless told otherwise. Note also that that
-directory is normally 'hidden'.
-</para>
+ <para>
+ You need the Win98 Group Policy Editor to set Group Profiles up under Windows 9x/Me.
+ It can be found on the Original full product Win98 installation CD under
+ <filename>tools/reskit/netadmin/poledit</filename>. Install this using the
+ Add/Remove Programs facility and then click on the 'Have Disk' tab.
+ </para>
-<para>
-The Windows NT policy editor is also included with the Service Pack 3 (and
-later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>,
-i.e. that's <command>Nt4sp6ai.exe /x</command> for service pack 6a. The policy editor,
-<command>poledit.exe</command> and the associated template files (*.adm) should
-be extracted as well. It is also possible to downloaded the policy template
-files for Office97 and get a copy of the policy editor. Another possible
-location is with the Zero Administration Kit available for download from Microsoft.
-</para>
+ <para>
+ Use the Group Policy Editor to create a policy file that specifies the location of
+ user profiles and/or the <filename>My Documents</filename> etc. stuff. Then
+ save these settings in a file called <filename>Config.POL</filename> that needs to
+ be placed in the root of the [NETLOGON] share. If Win98 is configured to log onto
+ the Samba Domain, it will automatically read this file and update the Win9x/Me registry
+ of the machine as it logs on.
+ </para>
-<sect3>
-<title>Registry Tattoos</title>
+ <para>
+ Further details are covered in the Win98 Resource Kit documentation.
+ </para>
<para>
- With NT4 style registry based policy changes, a large number of settings are not
- automatically reversed as the user logs off. Since the settings that were in the
- NTConfig.POL file were applied to the client machine registry and that apply to the
- hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
- as tattooing. It can have serious consequences down-stream and the administrator must
- be extremely careful not to lock out the ability to manage the machine at a later date.
+ If you do not take the right steps, then every so often Win9x/Me will check the
+ integrity of the registry and will restore it's settings from the back-up
+ copy of the registry it stores on each Win9x/Me machine. Hence, you will
+ occasionally notice things changing back to the original settings.
</para>
+ <para>
+ Install the group policy handler for Win9x to pick up group policies. Look on the
+ Win98 CD in <filename>\tools\reskit\netadmin\poledit</filename>.
+ Install group policies on a Win9x client by double-clicking
+ <filename>grouppol.inf</filename>. Log off and on again a couple of times and see
+ if Win98 picks up group policies. Unfortunately this needs to be done on every
+ Win9x/Me machine that uses group policies.
+ </para>
-</sect3>
-</sect2>
-<sect2>
-<title>MS Windows 200x / XP Professional Policies</title>
+ </sect2>
+ <sect2>
+ <title>Windows NT4 Style Policy Files</title>
-<para>
-Windows NT4 System policies allows setting of registry parameters specific to
-users, groups and computers (client workstations) that are members of the NT4
-style domain. Such policy file will work with MS Windows 2000 / XP clients also.
-</para>
+ <para>
+ To create or edit <filename>ntconfig.pol</filename> you must use the NT Server
+ Policy Editor, <command>poledit.exe</command> which is included with NT4 Server
+ but <emphasis>not NT Workstation</emphasis>. There is a Policy Editor on a NT4
+ Workstation but it is not suitable for creating <emphasis>Domain Policies</emphasis>.
+ Further, although the Windows 95 Policy Editor can be installed on an NT4
+ Workstation/Server, it will not work with NT clients. However, the files from
+ the NT Server will run happily enough on an NT4 Workstation.
+ </para>
-<para>
-New to MS Windows 2000 Microsoft introduced a new style of group policy that confers
-a superset of capabilities compared with NT4 style policies. Obviously, the tool used
-to create them is different, and the mechanism for implementing them is much changed.
-</para>
+ <para>
+ You need <filename>poledit.exe, common.adm</filename> and <filename>winnt.adm</filename>.
+ It is convenient to put the two *.adm files in the <filename>c:\winnt\inf</filename>
+ directory which is where the binary will look for them unless told otherwise. Note also that that
+ directory is normally 'hidden'.
+ </para>
-<para>
-The older NT4 style registry based policies are known as <emphasis>Administrative Templates</emphasis>
-in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security
-configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
-users' desktop (including: the location of <emphasis>My Documents</emphasis> files (directory), as
-well as intrinsics of where menu items will appear in the Start menu). An additional new
-feature is the ability to make available particular software Windows applications to particular
-users and/or groups.
-</para>
+ <para>
+ The Windows NT policy editor is also included with the Service Pack 3 (and
+ later) for Windows NT 4.0. Extract the files using <command>servicepackname /x</command>,
+ i.e. that's <command>Nt4sp6ai.exe /x</command> for service pack 6a. The policy editor,
+ <command>poledit.exe</command> and the associated template files (*.adm) should
+ be extracted as well. It is also possible to downloaded the policy template
+ files for Office97 and get a copy of the policy editor. Another possible
+ location is with the Zero Administration Kit available for download from Microsoft.
+ </para>
-<para>
-Remember: NT4 policy files are named <filename>NTConfig.POL</filename> and are stored in the root
-of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password
-and selects the domain name to which the logon will attempt to take place. During the logon
-process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating
-server, modifies the local registry values according to the settings in this file.
-</para>
+ <sect3>
+ <title>Registry Spoiling</title>
-<para>
-Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of
-a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
-in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
-Directory domain controllers. The part that is stored in the Active Directory itself is called the
-group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is
-known as the group policy template (GPT).
-</para>
+ <para>
+ With NT4 style registry based policy changes, a large number of settings are not
+ automatically reversed as the user logs off. Since the settings that were in the
+ NTConfig.POL file were applied to the client machine registry and that apply to the
+ hive key HKEY_LOCAL_MACHINE are permanent until explicitly reversed. This is known
+ as tattooing. It can have serious consequences down-stream and the administrator must
+ be extremely careful not to lock out the ability to manage the machine at a later date.
+ </para>
-<para>
-With NT4 clients the policy file is read and executed upon only as each user logs onto the network.
-MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine
-startup (machine specific part) and when the user logs onto the network the user specific part
-is applied. In MS Windows 200x style policy management each machine and/or user may be subject
-to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows
-the administrator to also set filters over the policy settings. No such equivalent capability
-exists with NT4 style policy files.
-</para>
-<sect3>
-<title>Administration of Win2K / XP Policies</title>
+ </sect3>
+ </sect2>
+ <sect2>
+ <title>MS Windows 200x / XP Professional Policies</title>
-<title>Instructions</title>
-<para>
-Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the
-executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console
-(MMC) snap-in as follows:</para>
-<procedure>
-<step>
-<para>
-Go to the Windows 200x / XP menu <filename>Start->Programs->Administrative Tools</filename>
- and select the MMC snap-in called "Active Directory Users and Computers"
-</para>
-</step>
+ <para>
+ Windows NT4 System policies allows setting of registry parameters specific to
+ users, groups and computers (client workstations) that are members of the NT4
+ style domain. Such policy file will work with MS Windows 2000 / XP clients also.
+ </para>
-<step><para>
-Select the domain or organizational unit (OU) that you wish to manage, then right click
-to open the context menu for that object, select the properties item.
-</para></step>
+ <para>
+ New to MS Windows 2000 Microsoft introduced a new style of group policy that confers
+ a superset of capabilities compared with NT4 style policies. Obviously, the tool used
+ to create them is different, and the mechanism for implementing them is much changed.
+ </para>
-<step><para>
-Now left click on the Group Policy tab, then left click on the New tab. Type a name
-for the new policy you will create.
-</para></step>
+ <para>
+ The older NT4 style registry based policies are known as <emphasis>Administrative Templates</emphasis>
+ in MS Windows 2000/XP Group Policy Objects (GPOs). The later includes ability to set various security
+ configurations, enforce Internet Explorer browser settings, change and redirect aspects of the
+ users' desktop (including: the location of <emphasis>My Documents</emphasis> files (directory), as
+ well as intrinsics of where menu items will appear in the Start menu). An additional new
+ feature is the ability to make available particular software Windows applications to particular
+ users and/or groups.
+ </para>
-<step><para>
-Now left click on the Edit tab to commence the steps needed to create the GPO.
-</para></step>
-</procedure>
+ <para>
+ Remember: NT4 policy files are named <filename>NTConfig.POL</filename> and are stored in the root
+ of the NETLOGON share on the domain controllers. A Windows NT4 user enters a username, a password
+ and selects the domain name to which the logon will attempt to take place. During the logon
+ process the client machine reads the NTConfig.POL file from the NETLOGON share on the authenticating
+ server, modifies the local registry values according to the settings in this file.
+ </para>
-<para>
-All policy configuration options are controlled through the use of policy administrative
-templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP.
-Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x.
-The later introduces many new features as well as extended definition capabilities. It is
-well beyond the scope of this documentation to explain how to program .adm files, for that
-the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular
-version of MS Windows.
-</para>
+ <para>
+ Windows 2K GPOs are very feature rich. They are NOT stored in the NETLOGON share, rather part of
+ a Windows 200x policy file is stored in the Active Directory itself and the other part is stored
+ in a shared (and replicated) volume called the SYSVOL folder. This folder is present on all Active
+ Directory domain controllers. The part that is stored in the Active Directory itself is called the
+ group policy container (GPC), and the part that is stored in the replicated share called SYSVOL is
+ known as the group policy template (GPT).
+ </para>
-<note>
-<para>
-The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used
-to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you
-use this powerful tool. Please refer to the resource kit manuals for specific usage information.
-</para>
-</note>
+ <para>
+ With NT4 clients the policy file is read and executed upon only as each user logs onto the network.
+ MS Windows 200x policies are much more complex - GPOs are processed and applied at client machine
+ startup (machine specific part) and when the user logs onto the network the user specific part
+ is applied. In MS Windows 200x style policy management each machine and/or user may be subject
+ to any number of concurently applicable (and applied) policy sets (GPOs). Active Directory allows
+ the administrator to also set filters over the policy settings. No such equivalent capability
+ exists with NT4 style policy files.
+ </para>
-</sect3>
-</sect2>
+ <sect3>
+ <title>Administration of Win2K / XP Policies</title>
+
+ <para>
+ Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the
+ executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console
+ (MMC) snap-in as follows:</para>
+ <procedure>
+ <step>
+ <para>
+ Go to the Windows 200x / XP menu <filename>Start->Programs->Administrative Tools</filename>
+ and select the MMC snap-in called "Active Directory Users and Computers"
+ </para>
+ </step>
+
+ <step><para>
+ Select the domain or organizational unit (OU) that you wish to manage, then right click
+ to open the context menu for that object, select the properties item.
+ </para></step>
+
+ <step><para>
+ Now left click on the Group Policy tab, then left click on the New tab. Type a name
+ for the new policy you will create.
+ </para></step>
+
+ <step><para>
+ Now left click on the Edit tab to commence the steps needed to create the GPO.
+ </para></step>
+ </procedure>
+
+ <para>
+ All policy configuration options are controlled through the use of policy administrative
+ templates. These files have a .adm extension, both in NT4 as well as in Windows 200x / XP.
+ Beware however, since the .adm files are NOT interchangible across NT4 and Windows 200x.
+ The later introduces many new features as well as extended definition capabilities. It is
+ well beyond the scope of this documentation to explain how to program .adm files, for that
+ the adminsitrator is referred to the Microsoft Windows Resource Kit for your particular
+ version of MS Windows.
+ </para>
+
+ <note>
+ <para>
+ The MS Windows 2000 Resource Kit contains a tool called gpolmig.exe. This tool can be used
+ to migrate an NT4 NTConfig.POL file into a Windows 200x style GPO. Be VERY careful how you
+ use this powerful tool. Please refer to the resource kit manuals for specific usage information.
+ </para>
+ </note>
+
+ </sect3>
+ </sect2>
</sect1>
<sect1>
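Review bot: The sect3 title changes from "Registry Tattoos" to "Registry Spoiling", but the paragraph under it still says "This is known as tattooing", so heading and body now use different terms for the same effect. Pick one term and use it in both places, since this paragraph is the one that warns administrators about permanent HKEY_LOCAL_MACHINE changes and should be easy to find by name. The rest of the hunk is a re-indent of roughly 190 lines, which hides that rename and the removal of the stray second <title>Instructions</title>; a separate whitespace-only commit would make the content changes reviewable. While the lines are being touched, the carried-over slips could be fixed: "it's settings", "possible to downloaded", "concurently", "interchangible", "adminsitrator", "The later", and the sentence fragment beginning "Since the settings that were in the NTConfig.POL file".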
@@ -272,7 +314,7 @@ applied to the user's part of the registry.
<para>
MS Windows 200x/XP clients that log onto an MS Windows Active Directory security domain may additionally,
acquire policy settings through Group Policy Objects (GPOs) that are defined and stored in Active Directory
-itself. The key benefit of using AS GPOs is that they impose no registry <emphasis>tatooing</emphasis> effect.
+itself. The key benefit of using AS GPOs is that they impose no registry <emphasis>spoiling</emphasis> effect.
This has considerable advanage compared with the use of NTConfig.POL (NT4) style policy updates.
</para>
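Review bot: On the changed line, "AS GPOs" looks like a typo for Active Directory GPOs and should be spelled out, since the sentence just before it names Active Directory. The swap of "tatooing" for "spoiling" also needs to match whatever term the "Registry Spoiling" section finally defines, because that section's body still calls the effect tattooing. The unchanged line below has "advanage", which could be corrected in the same edit.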
@@ -293,27 +335,36 @@ Common restrictions that are frequently used includes:
</simplelist>
</para>
-<sect2>
-<title>With Windows NT4/200x</title>
+ <sect2>
+ <title>Samba Editreg Toolset</title>
-<para>
-The tools that may be used to configure these types of controls from the MS Windows environment are:
-The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe).
-Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate
-"snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.
-</para>
-</sect2>
+ <para>
+ Describe in detail the benefits of <command>editreg</command> and how to use it.
+ </para>
-<sect2>
-<title>With a Samba PDC</title>
+ </sect2>
-<para>
-With a Samba Domain Controller, the new tools for managing of user account and policy information includes:
-<filename>smbpasswd, pdbedit, net, rpcclient.</filename>. The administrator should read the
-man pages for these tools and become familiar with their use.
-</para>
+ <sect2>
+ <title>Windows NT4/200x</title>
-</sect2>
+ <para>
+ The tools that may be used to configure these types of controls from the MS Windows environment are:
+ The NT4 User Manager for domains, the NT4 System and Group Policy Editor, the registry editor (regedt32.exe).
+ Under MS Windows 200x/XP this is done using the Microsoft Managment Console (MMC) with approapriate
+ "snap-ins", the registry editor, and potentially also the NT4 System and Group Policy Editor.
+ </para>
+ </sect2>
+
+ <sect2>
+ <title>Samba PDC</title>
+
+ <para>
+ With a Samba Domain Controller, the new tools for managing of user account and policy information includes:
+ <filename>smbpasswd, pdbedit, net, rpcclient.</filename>. The administrator should read the
+ man pages for these tools and become familiar with their use.
+ </para>
+
+ </sect2>
</sect1>
<sect1>
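Review bot: The new "Samba Editreg Toolset" section contains only "Describe in detail the benefits of editreg and how to use it.", which is a note to the author and will be published as body text. Put it in an XML comment or leave the section out until it is written. In the re-indented "Samba PDC" paragraph, "rpcclient.</filename>." ends with a doubled full stop and marks four commands as one <filename>; separate <command> elements would be more accurate. "Managment" and "approapriate" in the "Windows NT4/200x" paragraph are carried over unchanged.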
@@ -381,4 +432,14 @@ reboot and as part of the user logon:
</orderedlist>
</sect1>
+
+<sect1>
+<title>Common Errors</title>
+
+<para>
+Stuff goes here.
+</para>
+
+</sect1>
+
</chapter>
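Review bot: The added "Common Errors" section consists of the placeholder "Stuff goes here.", the same text this commit removes from AdvancedNetworkAdmin.xml. Suggest not adding the section until there is at least one real entry, or holding the placeholder in an XML comment so it does not appear in the built documentation.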
diff --git a/docs/docbook/projdoc/ProfileMgmt.xml b/docs/docbook/projdoc/ProfileMgmt.xml
index 140dd44ba1..58c6af3b90 100644
--- a/docs/docbook/projdoc/ProfileMgmt.xml
+++ b/docs/docbook/projdoc/ProfileMgmt.xml
@@ -7,6 +7,30 @@
<title>Desktop Profile Management</title>
<sect1>
+<title>Features and Benefits</title>
+
+<para>
+Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for
+some administrators.
+</para>
+
+<para>
+Roaming Profiles allow an administrator to make available a consistent user desktop
+as the user moves from one machine to another. This chapter provides much information
+regarding how to configure and manage Roaming Profiles.
+</para>
+
+<para>
+While Roaming Profiles might sound like nirvana to some, they are a real and tangible
+problem to others. In particular, users of mobile computing tools, where often there may not
+be a sustained network connection, are often better served by purely Local Profiles.
+This chapter provides information to help the Samba administrator to deal with those
+situations also.
+</para>
+
+</sect1>
+
+<sect1>
<title>Roaming Profiles</title>
<warning>
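Review bot: In the third added paragraph, "where often there may not be a sustained network connection, are often better served" repeats "often" within one clause; drop the first one. "This chapter provides much information" in the second paragraph would be more useful if it named what is covered, for example configuration of roaming, mandatory and local profiles.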
@@ -1172,6 +1196,106 @@ be either:
</itemizedlist>
</sect2>
+
+<sect2>
+<title>Can NOT use Roaming Profiles</title>
+
+<para>
+<screen>
+> I dont want Roaming profile to be implemented, I just want to give users
+> local profiles only.
+...
+> Please help me I am totally lost with this error from past two days I tried
+> everything and googled around quite a bit but of no help. Please help me.
+
+
+Your choices are:
+ 1. Local profiles
+ - I know of no registry keys that will allow auto-deletion
+ of LOCAL profiles on log out
+ 2. Roaming profiles
+ - your options here are:
+ - can use auto-delete on logout option
+ - requires a registry key change on workstation
+ a) Personal Roaming profiles
+ - should be preserved on a central server
+ - workstations 'cache' (store) a local copy
+ - used in case the profile can not be downloaded
+ at next logon
+ b) Group profiles
+ - loaded from a cetral place
+ c) Mandatory profiles
+ - can be personal or group
+ - can NOT be changed (except by an administrator
+
+A WinNT4/2K/XP profile can vary in size from 130KB to off the scale.
+Outlook PST files are most often part of the profile and can be many GB in
+size. On average (in a well controlled environment) roaming profie size of
+2MB is a good rule of thumb to use for planning purposes. In an
+undisciplined environment I have seen up to 2GB profiles. Users tend to
+complain when it take an hour to log onto a workstation but they harvest
+the fuits of folly (and ignorance).
+
+The point of all the above is to show that roaming profiles and good
+controls of how they can be changed as well as good discipline make up for
+a problem free site.
+
+PS: Microsoft's answer to the PST problem is to store all email in an MS
+Exchange Server back-end. But this is another story ...!
+
+So, having LOCAL profiles means:
+ a) If lots of users user each machine
+ - lot's of local disk storage needed for local profiles
+ b) Every workstation the user logs into has it's own profile
+ - can be very different from machine to machine
+
+On the other hand, having roaming profiles means:
+ a) The network administrator can control EVERY aspect of user
+ profiles
+ b) With the use of mandatory profiles - a drastic reduction
+ in network management overheads
+ c) User unhappiness about not being able to change their profiles
+ soon fades as they get used to being able to work reliably
+
+But note:
+
+I have managed and installed MANY NT/2K networks and have NEVER found one
+where users who move from machine to machine are happy with local
+profiles. In the long run local profiles bite them.
+
+> When the client tries to logon to the PDC it looks for a profile to download
+> where do I put this default profile.
+
+Firstly, your samba server need to be configured as a domain controller.
+ server = user
+ os level = 32 (or more)
+ domain logons = Yes
+
+ Plus you need to have a NETLOGON share that is world readable.
+ It is a good idea to add a logon script to pre-set printer and
+ drive connections. There is also a facility for automatically
+ synchronizing the workstation time clock with that of the logon
+ server (another good thing to do).
+
+Note: To invoke auto-deletion of roaming profile from the local
+workstation cache (disk storage) you need to use the Group Policy Editor
+to create a file called NTConfig.POL with the appropriate entries. This
+file needs to be located in the NETLOGON share root directory.
+
+Oh, of course the windows clients need to be members of the domain.
+Workgroup machines do NOT do network logons - so they never see domain
+profiles.
+
+Secondly, for roaming profiles you need:
+
+ logon path = \\%N\profiles\%U (with some such path)
+ logon drive = H: (Z: is the default)
+
+ Plus you need a PROFILES share that is world writable.
+</screen>
+</para>
+
+</sect2>
</sect1>
</chapter>
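Review bot: In the quoted domain controller settings, "server = user" is not an smb.conf parameter; the setting that belongs with "domain logons = Yes" is "security = user", and a reader copying this block will get a configuration that does not do what the text says. The two share recommendations also deserve a qualifier before they go into the official guide: "a PROFILES share that is world writable" lets any user write into the profile area unless each user's directory is restricted to its owner, so the text should say the share is writable but the per-user directories are not shared between users, and NETLOGON should be stated as read-only for users because it holds NTConfig.POL and logon scripts. Smaller points in the same block: the quoted lines use a raw ">" where AdvancedNetworkAdmin.xml uses "&gt;" inside <screen>; "(except by an administrator" is missing its closing parenthesis; the parentheticals after "logon path" and "logon drive" sit on the same line as the values and could be pasted into smb.conf by mistake; and "cetral", "profie", "fuits", "lot's" and "it's own" need correcting. The title "Can NOT use Roaming Profiles" would read better as a statement of the problem, such as "Cannot Use Roaming Profiles".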