From 06aa63b6f19131071800985746b445dee42d91eb Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 10 Jun 2005 20:29:09 +0000 Subject: Large number of small fixes to the layout and the build system. (This used to be commit 73fac0653c774a8ed8654b064fd63d4e486f6b0f) --- docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml | 1125 +++++++++++++++++++++++++++++ 1 file changed, 1125 insertions(+) create mode 100644 docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml (limited to 'docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml') diff --git a/docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml b/docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml new file mode 100644 index 0000000000..8b137dd4ef --- /dev/null +++ b/docs/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml 
@@ -0,0 +1,1125 @@ + + + + + &author.jht; + April 3 2003 + + +Desktop Profile Management + + +Features and Benefits + + +Roaming profiles are feared by some, hated by a few, loved by many, and a Godsend for +some administrators. + + + +Roaming profiles allow an administrator to make available a consistent user desktop +as the user moves from one machine to another. This chapter provides much information +regarding how to configure and manage roaming profiles. + + + +While roaming profiles might sound like nirvana to some, they are a real and tangible +problem to others. In particular, users of mobile computing tools, where often there may not +be a sustained network connection, are often better served by purely local profiles. +This chapter provides information to help the Samba administrator deal with those +situations. + + + + + +Roaming Profiles + + + +Roaming profiles support is different for Windows 9x/Me and Windows NT4/200x. + + + + +Before discussing how to configure roaming profiles, it is useful to see how +Windows 9x/Me and Windows NT4/200x clients implement these features. + + + +Windows 9x/Me clients send a NetUserGetInfo request to the server to get the user's +profiles location. However, the response does not have room for a separate +profiles location field, only the user's home share. This means that Windows 9x/Me +profiles are restricted to being stored in the user's home directory. + + + + +Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields +including a separate field for the location of the user's profiles. + + + +Samba Configuration for Profile Handling + + +This section documents how to configure Samba for MS Windows client profile support. 
+ + + +NT4/200x User Profiles + + +For example, to support Windows NT4/200x clients, set the following in the [global] section of the &smb.conf; file: + + + + + \\profileserver\profileshare\profilepath\%U\moreprofilepath + + +This is typically implemented like: + + +\\%L\Profiles\%u + +where %L translates to the name of the Samba server and %u translates to the user name. + + + +The default for this option is \\%N\%U\profile, namely \\sambaserver\username\profile. +The \\%N\%U service is created automatically by the [homes] service. If you are using +a Samba server for the profiles, you must make the share that is specified in the logon path +browseable. Please refer to the man page for &smb.conf; in respect of the different +semantics of %L and %N, as well as %U and %u. + + + + +MS Windows NT/200x clients at times do not disconnect a connection to a server between logons. It is recommended +to not use the meta-service name as part of the profile share path. + + + + + +Windows 9x/Me User Profiles + + +To support Windows 9x/Me clients, you must use the +parameter. Samba has been fixed so net use /home now works as well and it, too, relies +on the logon home parameter. + + + +By using the logon home parameter, you are restricted to putting Windows 9x/Me profiles in the user's home +directory. But wait! There is a trick you can use. If you set the following in the + section of your &smb.conf; file: + + +\\%L\%U\.profiles + + + +then your Windows 9x/Me clients will dutifully put their clients in a subdirectory +of your home directory called .profiles (making them hidden). + + + +Not only that, but net use /home will also work because of a feature in +Windows 9x/Me. It removes any directory stuff off the end of the home directory area +and only uses the server and share portion. That is, it looks like you +specified \\%L\%U for . 
+ + + + +Mixed Windows 9x/Me and Windows NT4/200x User Profiles + + +You can support profiles for Windows 9x and Windows NT clients by setting both the + and parameters. For example: + + + +\\%L\%u\.profiles +\\%L\profiles\%u + + + + +Disabling Roaming Profile Support + + +A question often asked is: How may I enforce use of local profiles? or +How do I disable roaming profiles? + + + +roaming profiles +There are three ways of doing this: +windows registry settingsroaming profiles + + + + + + In &smb.conf; + + Affect the following settings and ALL clients will be forced to use a local profile: + and + + + + The arguments to these parameters must be left blank. It is necessary to include the = sign + to specifically assign the empty value. + + + + + MS Windows Registry + + By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP + machine to use only a local profile. This, of course, modifies registry settings. The full + path to the option is: + +Local Computer Policy\ + Computer Configuration\ + Administrative Templates\ + System\ + User Profiles\ + +Disable: Only Allow Local User Profiles +Disable: Prevent Roaming Profile Change from Propagating to the Server + + + + + + Change of Profile Type: + From the start menu right-click on My Computer icon, + select Properties, click on the User Profiles + tab, select the profile you wish to change from + Roaming type to Local, and click on + Change Type. + + + + + +Consult the MS Windows registry guide for your particular MS Windows version for more information +about which registry keys to change to enforce use of only local user profiles. + + + +The specifics of how to convert a local profile to a roaming profile, or a roaming profile +to a local one vary according to the version of MS Windows you are running. Consult the Microsoft MS +Windows Resource Kit for your version of Windows for specific information. 
+ + + + + Windows Client Profile Configuration Information + + Windows 9x/Me Profile Setup + + +When a user first logs in on Windows 9X, the file user.DAT is created, as are folders +Start Menu, Desktop, Programs, and +Nethood. These directories and their contents will be merged with the local +versions stored in c:\windows\profiles\username on subsequent logins, taking the +most recent from each. You will need to use the options +yes, +yes and +no +in order to maintain capital letters in shortcuts in any of the profile folders. + + + +The user.DAT file contains all the user's preferences. If you wish to enforce a set of preferences, +rename their user.DAT file to user.MAN, and deny them write access to this file. + + + + + On the Windows 9x/Me machine, go to Control Panel -> + Passwords and select the User Profiles tab. + Select the required level of roaming preferences. Press OK, but do not + allow the computer to reboot. + + + + On the Windows 9x/Me machine, go to Control Panel -> + Network -> Client for Microsoft Networks + -> Preferences. Select Log on to NT Domain. Then, + ensure that the Primary Logon is Client for Microsoft Networks. Press + OK, and this time allow the computer to reboot. + + + + Under Windows 9x/ME, profiles are downloaded from the Primary Logon. If you have the Primary Logon +as Client for Novell Networks, then the profiles and logon script will be downloaded from +your Novell Server. If you have the Primary Logon as Windows Logon, then the profiles will +be loaded from the local machine &smbmdash; a bit against the concept of roaming profiles, it would seem! + + +You will now find that the Microsoft Networks Login box contains [user, password, domain] instead +of just [user, password]. Type in the Samba server's domain name (or any other domain known to exist, +but bear in mind that the user will be authenticated against this domain and profiles downloaded from it, +if that domain logon server supports it), user name and user's password. 
+ + + Once the user has been successfully validated, the Windows 9x/Me machine will inform you that +The user has not logged on before and asks you Do you +wish to save the user's preferences? Select Yes. + + Once the Windows 9x/Me client comes up with the desktop, you should be able to examine the +contents of the directory specified in the on +the Samba server and verify that the Desktop, Start Menu, +Programs and Nethood folders have been created. + + These folders will be cached locally on the client, and updated when the user logs off (if +you haven't made them read-only by then). You will find that if the user creates further folders or +shortcut, that the client will merge the profile contents downloaded with the contents of the profile +directory already on the local client, taking the newest folders and shortcut from each set. + + If you have made the folders/files read-only on the Samba server, then you will get errors from +the Windows 9x/Me machine on logon and logout as it attempts to merge the local and remote profile. +Basically, if you have any errors reported by the Windows 9x/Me machine, check the UNIX file permissions +and ownership rights on the profile directory contents, on the Samba server. + + If you have problems creating user profiles, you can reset the user's local desktop cache, as +shown below. When this user next logs in, the user will be told that he/she is logging in for + the first time. + +windows registry settingsprofile path + + + + + + Instead of logging in under the [user, password, domain] dialog, press escape. + + + + Run the regedit.exe program, and look in: + + + + HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList + + + + You will find an entry for each user of ProfilePath. Note the contents of this key + (likely to be c:\windows\profiles\username), then delete the key + ProfilePath for the required user. + + + + Exit the registry editor. 
+ + + + Search for the user's .PWL password-caching file in the c:\windows directory, and delete it. + + + + Log off the Windows 9x/Me client. + + + + Check the contents of the profile path (see + described above) and delete the user.DAT or user.MAN + file for the user, making a backup if required. + + + + +Before deleting the contents of the directory listed in the ProfilePath +(this is likely to be c:\windows\profiles\username), ask the owner if they have +any important files stored on their desktop or in their start menu. Delete the contents of the +directory ProfilePath (making a backup if any of the files are needed). + + + +This will have the effect of removing the local (read-only hidden system file) user.DAT +in their profile directory, as well as the local desktop, nethood, +start menu, and programs folders. + + + +If all else fails, increase Samba's debug log levels to between 3 and 10, and/or run a packet +sniffer program such as ethereal or netmon.exe, and look for error messages. + + + If you have access to an Windows NT4/200x server, then first set up roaming profiles and/or +netlogons on the Windows NT4/200x server. Make a packet trace, or examine the example packet traces +provided with Windows NT4/200x server, and see what the differences are with the equivalent Samba trace. + + + + + +Windows NT4 Workstation + + When a user first logs in to a Windows NT Workstation, the profile NTuser.DAT is created. The profile +location can be now specified through the parameter. + + + There is a parameter that is now available for use with NT Profiles: . +This should be set to H: or any other drive, and should be used in conjunction with +the new parameter. + + The entry for the NT4 profile is a directory not a file. The NT help on Profiles mentions that a +directory is also created with a .PDS extension. 
The user, while logging in, must have write permission +to create the full profile path (and the folder with the .PDS extension for those situations where it +might be created.) + + In the profile directory, Windows NT4 creates more folders than Windows 9x/Me. It creates +Application Data and others, as well as Desktop, +Nethood, Start Menu, and Programs. +The profile itself is stored in a file NTuser.DAT. Nothing appears to be stored +in the .PDS directory, and its purpose is currently unknown. + + You can use the System Control Panel to copy a local profile onto +a Samba server (see NT Help on Profiles; it is also capable of firing up the correct location in the +System Control Panel for you). The NT Help file also mentions that renaming +NTuser.DAT to NTuser.MAN turns a profile into a mandatory one. + + + The case of the profile is significant. The file must be called NTuser.DAT +or, for a mandatory profile, NTuser.MAN. + + Windows 2000/XP Professional + + You must first convert the profile from a local profile to a domain profile on the MS Windows +workstation as follows: + + + Log on as the local workstation administrator. + + Right-click on the My Computer Icon, select + Properties. + + Click on the User Profiles tab. + + Select the profile you wish to convert (click it once). + + Click on the Copy To button. + + In the Permitted to use box, click on the + Change button. + + Click on the Look in area that lists the machine name. When you click here, it will + open up a selection box. Click on the domain to which the profile must be accessible. + + You will need to log on if a logon box opens up. + For example, connect as DOMAIN\root, password: + mypassword. + + To make the profile capable of being used by anyone, select Everyone. + + Click on OK and the Selection box will close. + + Now click on OK to create the profile in the path + you nominated. + + + Done. You now have a profile that can be edited using the Samba profiles tool. 
+ + + +Under Windows NT/200x, the use of mandatory profiles forces the use of MS Exchange storage of mail +data and keeps it out of the desktop profile. That keeps desktop profiles from becoming unusable. + + + +Windows XP Service Pack 1 + + There is a security check new to Windows XP (or maybe only Windows XP service pack 1). + It can be disabled via a group policy in the Active Directory. The policy is called: + + + + Computer Configuration\Administrative Templates\System\User Profiles\Do not check for + user ownership of Roaming Profile Foldersi + + + + This should be set to Enabled. + + + + Does the new version of Samba have an Active Directory analogue? If so, then you may be able to set the policy through this. + + + If you cannot set group policies in Samba, then you may be able to set the policy locally on + each machine. If you want to try this, then do the following (N.B. I do not know for sure that this + will work in the same way as a domain group policy): + + + + + On the XP workstation, log in with an Administrative account. + + Click on Start -> Run. + Type mmc. + Click on OK. + A Microsoft Management Console should appear. + Click on File -> Add/Remove Snap-in -> Add. + Double-click on Group Policy. + Click on Finish -> Close. + Click on OK. + In the Console Root window expand Local Computer Policy -> + Computer Configuration -> Administrative Templates -> + System -> User Profiles. + Double-click on Do not check for user ownership of Roaming Profile Folders. + Select Enabled. + Click on OK. + Close the whole console. You do not need to save the settings (this refers to the + console settings rather than the policies you have changed). + Reboot. + + + + + + + User Profile Hive Cleanup Service + + +There certain situations that cause a cached local copy of roaming profile not to be deleted on exit, even if +the policy to force such deletion is set. To deal with that situation special service was created. 
The application +UPHClean (User Profile Hive Cleanup) can be installed as service on Windows NT4/2000/XP Professional, +and Windows 2003. + + + +The UPHClean software package can be downloaded from User Profile Hive Cleanup Service. + + + + + + Sharing Profiles between W9x/Me and NT4/200x/XP Workstations + + Sharing of desktop profiles between Windows versions is not recommended. Desktop profiles are an +evolving phenomenon and profiles for later versions of MS Windows clients add features that may interfere +with earlier versions of MS Windows clients. Probably the more salient reason to not mix profiles is +that when logging off an earlier version of MS Windows, the older format of profile contents may overwrite +information that belongs to the newer version resulting in loss of profile information content when that +user logs on again with the newer version of MS Windows. + + If you then want to share the same Start Menu/Desktop with W9x/Me, you will need to specify a common +location for the profiles. The &smb.conf; parameters that need to be common are + and +. + + If you have this set up correctly, you will find separate user.DAT and +NTuser.DAT files in the same profile directory. + + + + +Profile Migration from Windows NT4/200x Server to Samba + + There is nothing to stop you from specifying any path that you like for the location of users' profiles. +Therefore, you could specify that the profile be stored on a Samba server, or any other SMB server, +as long as that SMB server supports encrypted passwords. + + +Windows NT4 Profile Management Tools + + Unfortunately, the Resource Kit information is specific to the version of MS Windows NT4/200x. The +correct resource kit is required for each platform. + +Here is a quick guide: + + + On your NT4 Domain Controller, right click on My Computer, then select the + tab labeled User Profiles. + + Select a user profile you want to migrate and click on it. + + I am using the term migrate loosely. 
You can copy a profile to create a group + profile. You can give the user Everyone rights to the profile you copy this to. That + is what you need to do, since your Samba domain is not a member of a trust relationship with your NT4 + PDC. + + Click on the Copy To button. + + In the box labeled Copy Profile to add your new path, e.g., + c:\temp\foobar + + Click on Change in the Permitted to use box. + + Click on the group Everyone, click on OK. This + closes the choose user box. + + Now click on OK. + + + Follow the above for every profile you need to migrate. + + + + +Side Bar Notes + + + +SID +You should obtain the SID of your NT4 domain. You can use smbpasswd to do this. Read the man +page. + + + + moveuser.exe + + The Windows 200x professional resource kit has moveuser.exe. moveuser.exe changes the security of a profile +from one user to another. This allows the account domain to change, and/or the user name to change. + + +This command is like the Samba profiles tool. + + + + + +Get SID + + +SID +You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 Resource Kit. + + Windows NT 4.0 stores the local profile information in the registry under the following key: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList + + Under the ProfileList key, there will be subkeys named with the SIDs of the users who have logged +on to this computer. (To find the profile information for the user whose locally cached profile you want +to move, find the SID for the user with the GetSID.exe utility.) Inside the appropriate user's subkey, +you will see a string value named ProfileImagePath. + + + + Mandatory Profiles + + +mandatory profiles +A Mandatory Profile is a profile that the user does not have the ability to overwrite. During the +user's session, it may be possible to change the desktop environment, however, as the user logs out all changes +made will be lost. 
If it is desired to not allow the user any ability to change the desktop environment, +then this must be done through policy settings. See the previous chapter. + + Under NO circumstances should the profile directory (or its +contents) be made read-only as this may render the profile un-usable. +Where it is essential to make a profile read-only within the UNIX file +system, this can be done but then you absolutely must use the +fake-permissions VFS module to instruct MS Windows +NT/200x/XP clients that the Profile has write permission for the user. +See fake_perms VFS module. + + For MS Windows NT4/200x/XP, the above method can also be used to create mandatory profiles. To +convert a group profile into a mandatory profile, simply locate the NTUser.DAT file in the copied profile +and rename it to NTUser.MAN. + + For MS Windows 9x/ME, it is the User.DAT file that must be renamed to +User.MAN to effect a mandatory profile. + + + + +Creating and Managing Group Profiles + + +group profiles +Most organizations are arranged into departments. There is a nice benefit in this fact since usually +most users in a department require the same desktop applications and the same desktop layout. MS +Windows NT4/200x/XP will allow the use of Group Profiles. A Group Profile is a profile that is created +first using a template (example) user. Then using the profile migration tool (see above), the profile is +assigned access rights for the user group that needs to be given access to the group profile. + + The next step is rather important. Instead of assigning a group profile to users (Using User Manager) +on a per user basis, the group itself is assigned the now modified profile. + + + Be careful with Group Profiles. If the user who is a member of a group also has a personal +profile, then the result will be a fusion (merge) of the two. 
+ + + + + +Default Profile for Windows Users + + +default profile +MS Windows 9x/Me and NT4/200x/XP will use a default profile for any user for whom a profile +does not already exist. Armed with a knowledge of where the default profile is located on the Windows +workstation, and knowing which registry keys effect the path from which the default profile is created, +it is possible to modify the default profile to one that has been optimized for the site. This has +significant administrative advantages. + + +MS Windows 9x/Me + + To enable default per use profiles in Windows 9x/ME, you can either use the Windows +98 System Policy Editor or change the registry directly. + + To enable default per user profiles in Windows 9x/ME, launch the System Policy +Editor, then select File -> Open Registry, +next click on the Local Computer icon, click on Windows 98 System, +select User Profiles, and click on the enable box. Remember to save the registry +changes. + + To modify the registry directly, launch the Registry Editor +(regedit.exe) and select the hive HKEY_LOCAL_MACHINE\Network\Logon. Now +add a DWORD type key with the name User Profiles, to +enable user profiles to set the value +to 1; to disable user profiles set it to 0. + + +User Profile Handling with Windows 9x/Me + + When a user logs on to a Windows 9x/Me machine, the local profile path, +HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList, is checked +for an existing entry for that user. + + If the user has an entry in this registry location, Windows 9x/Me checks for a locally cached +version of the user profile. Windows 9x/Me also checks the user's home directory (or other specified +directory if the location has been modified) on the server for the User Profile. If a profile exists +in both locations, the newer of the two is used. If the User Profile exists on the server, but does not +exist on the local machine, the profile on the server is downloaded and used. 
If the User Profile only +exists on the local machine, that copy is used. + + If a User Profile is not found in either location, the Default User Profile from the Windows +9x/Me machine is used and copied to a newly created folder for the logged on user. At log off, any +changes that the user made are written to the user's local profile. If the user has a roaming profile, +the changes are written to the user's profile on the server. + + + + +MS Windows NT4 Workstation + + On MS Windows NT4, the default user profile is obtained from the location +%SystemRoot%\Profiles which in a default installation will translate to +C:\Windows NT\Profiles. Under this directory on a clean install there will be three +(3) directories: Administrator, All +Users, and Default +User. + + The All Users directory contains menu settings that are common across all +system users. The Default User directory contains menu entries that are customizable +per user depending on the profile settings chosen/created. + + When a new user first logs onto an MS Windows NT4 machine, a new profile is created from: + + + All Users settings. + Default User settings (contains the default NTUser.DAT file). + + + When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain, + the following steps are followed in respect of profile handling: + +NTConfig.POL + + + + + The users' account information that is obtained during the logon process + contains the location of the users' desktop profile. The profile path may be local to + the machine or it may be located on a network share. If there exists a profile at the + location of the path from the user account, then this profile is copied to the location + %SystemRoot%\Profiles\%USERNAME%. This profile then inherits the settings + in the All Users profile in the %SystemRoot%\Profiles + location. 
+ + If the user account has a profile path, but at its location a profile does not + exist, then a new profile is created in the %SystemRoot%\Profiles\%USERNAME% + directory from reading the Default User profile. + + If the NETLOGON share on the authenticating server (logon server) contains + a policy file (NTConfig.POL), then its contents are applied to the + NTUser.DAT which is applied to the HKEY_CURRENT_USER + part of the registry. + + + When the user logs out, if the profile is set to be a roaming profile it will be + written out to the location of the profile. The NTuser.DAT file is then + recreated from the contents of the HKEY_CURRENT_USER contents. Thus, + should there not exist in the NETLOGON share an NTConfig.POL at the next + logon, the effect of the previous NTConfig.POL will still be held in the + profile. The effect of this is known as tattooing. + + + + MS Windows NT4 profiles may be local or roaming. A local +profile will stored in the %SystemRoot%\Profiles\%USERNAME% location. A roaming +profile will also remain stored in the same way, unless the following registry key is created as shown: + + HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ +winlogon\"DeleteRoamingCache"=dword:0000000 + +In this case, the local copy (in %SystemRoot%\Profiles\%USERNAME%) will be deleted +on logout. + + Under MS Windows NT4, default locations for common resources like My Documents +may be redirected to a network share by modifying the following registry keys. These changes may be +affected via use of the System Policy Editor. To do so may require that you create your own template +extension for the policy editor to allow this to be done through the GUI. Another way to do this is by +way of first creating a default user profile, then while logged in as that user, run regedt32 to edit +the key settings. 
+ + +The Registry Hive key that affects the behavior of folders that are part of the default user +profile are controlled by entries on Windows NT4 is: + +HKEY_CURRENT_USER + \Software + \Microsoft + \Windows + \CurrentVersion + \Explorer + \User Shell Folders + +windows registry settingsdefault profile locations + + + The above hive key contains a list of automatically managed +folders. The default entries are shown in the next table. + + + + User Shell Folder Registry Keys Default Values + + + + + NameDefault Value + + + AppData%USERPROFILE%\Application Data + Desktop%USERPROFILE%\Desktop + Favorites%USERPROFILE%\Favorites + NetHood%USERPROFILE%\NetHood + PrintHood%USERPROFILE%\PrintHood + Programs%USERPROFILE%\Start Menu\Programs + Recent%USERPROFILE%\Recent + SendTo%USERPROFILE%\SendTo + Start Menu %USERPROFILE%\Start Menu + Startup%USERPROFILE%\Start Menu\Programs\Startup + + +
+ + The registry key that contains the location of the default profile settings is: + + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ +User Shell Folders + + The default entries are shown in the next table. + + + Defaults of Profile Settings Registry Keys + + + + + Common Desktop%SystemRoot%\Profiles\All Users\Desktop + Common Programs%SystemRoot%\Profiles\All Users\Programs + Common Start Menu%SystemRoot%\Profiles\All Users\Start Menu + Common Startup%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup + + +
+ +
+ + MS Windows 200x/XP + + +GPOs +MS Windows XP Home Edition does use default per user profiles, but cannot participate +in domain security, cannot log onto an NT/ADS-style domain, and thus can obtain the profile only +from itself. While there are benefits in doing this, the beauty of those MS Windows clients that +can participate in domain logon processes allows the administrator to create a global default +profile and enforce it through the use of Group Policy Objects (GPOs). + + + When a new user first logs onto an MS Windows 200x/XP machine, the default profile is obtained from +C:\Documents and Settings\Default User. The administrator can modify or change the +contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum arrangement +since it will involve copying a new default profile to every MS Windows 200x/XP client workstation. + + When MS Windows 200x/XP participates in a domain security context, and if the default user profile is + not found, then the client will search for a default profile in the NETLOGON share of the authenticating + server. In MS Windows parlance,%LOGONSERVER%\NETLOGON\Default User, and if one +exists there it will copy this to the workstation to the C:\Documents and Settings\ +under the Windows login name of the user. + + This path translates, in Samba parlance, to the &smb.conf; + share. The directory should be created at the root +of this share and must be called Default User. + + + If a default profile does not exist in this location, then MS Windows 200x/XP will use the local +default profile. + + On logging out, the users' desktop profile will be stored to the location specified in the registry +settings that pertain to the user. If no specific policies have been created or passed to the client +during the login process (as Samba does automatically), then the user's profile will be written to the +local machine only under the path C:\Documents and Settings\%USERNAME%. 
+ + Those wishing to modify the default behavior can do so through these three methods: + + + Modify the registry keys on the local machine manually and place the new + default profile in the NETLOGON share root. This is not recommended as it is maintenance intensive. + + + Create an NT4-style NTConfig.POL file that specified this behavior and locate + this file in the root of the NETLOGON share along with the new default profile. + + Create a GPO that enforces this through Active Directory, and place the new + default profile in the NETLOGON share. + + +The registry hive key that effects the behavior of folders that are part of the default user +profile are controlled by entries on Windows 200x/XP is: + + HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell +Folders\ + + +The above hive key contains a list of automatically managed folders. The default entries are shown +in the next table +windows registry settingsdefault profile locations + + + + + Defaults of Default User Profile Paths Registry Keys + + + + + NameDefault Value + + + AppData%USERPROFILE%\Application Data + Cache%USERPROFILE%\Local Settings\Temporary Internet Files + Cookies%USERPROFILE%\Cookies + Desktop%USERPROFILE%\Desktop + Favorites%USERPROFILE%\Favorites + History%USERPROFILE%\Local Settings\History + Local AppData%USERPROFILE%\Local Settings\Application Data + Local Settings%USERPROFILE%\Local Settings + My Pictures%USERPROFILE%\My Documents\My Pictures + NetHood%USERPROFILE%\NetHood + Personal%USERPROFILE%\My Documents + PrintHood%USERPROFILE%\PrintHood + Programs%USERPROFILE%\Start Menu\Programs + Recent%USERPROFILE%\Recent + SendTo%USERPROFILE%\SendTo + Start Menu%USERPROFILE%\Start Menu + Startup%USERPROFILE%\Start Menu\Programs\Startup + Templates%USERPROFILE%\Templates + + +
+ + There is also an entry called Default that has no value set. The default entry is +of type REG_SZ, all the others are of type REG_EXPAND_SZ. + + It makes a huge difference to the speed of handling roaming user profiles if all the folders are +stored on a dedicated location on a network server. This means that it will not be necessary to write +the Outlook PST file over the network for every login and logout. + + To set this to a network location, you could use the following examples: + +%LOGONSERVER%\%USERNAME%\Default Folders + + This would store the folders in the user's home directory under a directory called Default +Folders. You could also use: + +\\SambaServer\FolderShare\%USERNAME% + + +in which case the default folders will be stored in the server named SambaServer +in the share called FolderShare under a directory that has the name of the +MS Windows user as seen by the Linux/UNIX file system. + + Please note that once you have created a default profile share, you MUST migrate a user's profile +(default or custom) to it. + + MS Windows 200x/XP profiles may be Local or Roaming. + A roaming profile will be cached locally unless the following registry key is created: + +delete roaming profiles + + + + HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ + winlogon\"DeleteRoamingCache"=dword:00000001 + + +In this case, the local cache copy will be deleted on logout. + +
+
+ + Common Errors + + +The following are some typical errors, problems and questions that have been asked on the Samba mailing lists. + + + +Configuring Roaming Profiles for a Few Users or Groups + + +With Samba-2.2.x, the choice you have is to enable or disable roaming profiles support. It is a +global only setting. The default is to have roaming profiles and the default path will locate them in +the user's home directory. + + + +If disabled globally, then no one will have roaming profile ability. If enabled and you want it +to apply only to certain machines, then on those machines on which roaming profile support is not wanted +it is then necessary to disable roaming profile handling in the registry of each such machine. + + + +With Samba-3, you can have a global profile setting in &smb.conf; and you can override this by +per-user settings using the Domain User Manager (as with MS Windows NT4/ Win 200xx). + + In any case, you can configure only one profile per user. That profile can be either: + + + A profile unique to that user. + A mandatory profile (one the user cannot change). + A group profile (really should be mandatory, that is unchangable). + + + + + Cannot Use Roaming Profiles + + A user requested the following: I do not want Roaming profiles to be implemented. I want +to give users a local profile alone. Please help me, I am totally lost with this error. For the past +two days I tried everything, I googled around but found no useful pointers. Please help me. + + The choices are: + + + + Local profiles I know of no registry keys that will allow + auto-deletion of LOCAL profiles on log out. + + + + Roaming profiles As a user logs onto the network, a centrally + stored profile is copied to the workstation to form a local profile. This local profile + will persist (remain on the workstation disk) unless a registry key is changed that will + cause this profile to be automatically deleted on logout. 
+ + + +The roaming profile choices are: + + + + Personal roaming profiles These are typically stored in + a profile share on a central (or conveniently located local) server. + + Workstations cache (store) a local copy of the profile. This cached + copy is used when the profile cannot be downloaded at next logon. + + + + Group profiles These are loaded from a central profile + server. + + + + Mandatory profiles Mandatory profiles can be created for + a user as well as for any group that a user is a member of. Mandatory profiles cannot be + changed by ordinary users. Only the administrator can change or reconfigure a mandatory + profile. + + + + A Windows NT4/200x/XP profile can vary in size from 130KB to very large. Outlook PST files are +most often part of the profile and can be many GB in size. On average (in a well controlled environment), +roaming profile size of 2MB is a good rule of thumb to use for planning purposes. In an undisciplined +environment, I have seen up to 2GB profiles. Users tend to complain when it takes an hour to log onto a +workstation but they harvest the fruits of folly (and ignorance). + + The point of all the above is to show that roaming profiles and good controls of how they can be +changed as well as good discipline make up for a problem-free site. + + Microsoft's answer to the PST problem is to store all email in an MS Exchange Server backend. This +removes the need for a PST file. + +Local profiles mean: + + + If each machine is used by many users, then much local disk storage is needed + for local profiles. Every workstation the user logs into has + its own profile; these can be very different from machine to machine. + + + On the other hand, use of roaming profiles means: + + + The network administrator can control the desktop environment of all users. + Use of mandatory profiles drastically reduces network management overheads. + In the long run, users will experience fewer problems. 
+ + + + + +Changing the Default Profile + +When the client logs onto the Domain Controller, it searches +for a profile to download. Where do I put this default profile? + + +default profile +First, the Samba server needs to be configured as a Domain Controller. This can be done by +setting in &smb.conf;: + + +user +32 (or more) +Yes + + + There must be a share that is world readable. It is +a good idea to add a logon script to pre-set printer and drive connections. There is also a facility +for automatically synchronizing the workstation time clock with that of the logon server (another good +thing to do). + + To invoke auto-deletion of roaming profile from the local workstation cache (disk storage), use +the Group Policy Editor to create a file called NTConfig.POL +with the appropriate entries. This file needs to be located in the +share root directory. + + Windows clients need to be members of the domain. Workgroup machines do not use network logons +so they do not interoperate with domain profiles. + + For roaming profiles, add to &smb.conf;: + + +\\%N\profiles\%U +Default logon drive is Z: +H: +This requires a PROFILES share that is world writable. + + + + +
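Review bot: The DeleteRoamingCache registry path in the "MS Windows 200x/XP" section (the line reading `HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ winlogon\"DeleteRoamingCache"=dword:00000001`) points at a branch that does not exist: there is no `HKLM\SYSTEM\Software`, and the Winlogon key lives under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`. An administrator who copies the path as written would create the value in the wrong place and the local cache would never be deleted on logout. Suggest correcting the hive path, splitting the key and the value onto separate lines so the `.reg`-style `"DeleteRoamingCache"=dword:00000001` line is clearly the value under that key, and stating that the value is of type REG_DWORD, matching the way the User Shell Folders table above already gives value types.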
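Review bot: "This requires a PROFILES share that is world writable" at the end of the "Changing the Default Profile" section is broader than the `\\%N\profiles\%U` path it accompanies needs, and a world-writable profile share lets any domain user read or replace another user's NTUSER.DAT and documents at the next logon. Suggest wording it so the share is writable by authenticated domain users only, with each per-user directory created owned by that user and not accessible to others (for example by setting `create mask` and `directory mask` on the share so group and other bits are cleared). In the same section, NTConfig.POL is produced with the NT4 System Policy Editor (poledit.exe), not the Group Policy Editor; the "auto-deletion of roaming profile" paragraph should name the right tool so readers do not look for an NTConfig.POL option in the GPO editor.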
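Review bot: The sentence introducing the User Shell Folders key in the "MS Windows 200x/XP" section is two sentences fused ("The registry hive key that effects the behavior of folders that are part of the default user profile are controlled by entries on Windows 200x/XP is:"); suggest "The registry key that controls the folders that are part of the default user profile on Windows 200x/XP is:" ("affects", not "effects", if the verb is kept). Nearby: "Create an NT4-style NTConfig.POL file that specified this behavior" should read "specifies", and "In MS Windows parlance,%LOGONSERVER%\NETLOGON\Default User" is missing the space after the comma and would read better with the path in its own element, as the other paths in this section are.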
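Review bot: Two typos in the "Common Errors" section: "(as with MS Windows NT4/ Win 200xx)" should be "Win 200x", consistent with "Windows NT4/200x" elsewhere in the file, and "that is unchangable" should be "unchangeable". In the profile size paragraph, "130KB" and "2MB"/"2GB" are fine, but "they harvest the fruits of folly (and ignorance)" is editorial rather than descriptive and could be dropped without losing the point that oversized profiles make logon slow.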