From cb6b82b5dc6ff89a0fe6ed4a1078fca1dfedb567 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 13 Aug 2003 03:57:48 +0000 Subject: Regenerate docs (This used to be commit 85414c8780cf57c396fea395918dfd161d67edb4) --- docs/htmldocs/ProfileMgmt.html | 681 ----------------------------------------- 1 file changed, 681 deletions(-) delete mode 100644 docs/htmldocs/ProfileMgmt.html (limited to 'docs/htmldocs/ProfileMgmt.html') diff --git a/docs/htmldocs/ProfileMgmt.html b/docs/htmldocs/ProfileMgmt.html deleted file mode 100644 index 0a2f609bd6..0000000000 --- a/docs/htmldocs/ProfileMgmt.html +++ /dev/null @@ -1,681 +0,0 @@ - -Chapter 24. Desktop Profile Management

Chapter 24. Desktop Profile Management

John H. Terpstra

Samba Team

April 3 2003

Features and Benefits

-Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for -some administrators. -

-Roaming Profiles allow an administrator to make available a consistent user desktop -as the user moves from one machine to another. This chapter provides much information -regarding how to configure and manage Roaming Profiles. -

-While Roaming Profiles might sound like nirvana to some, they are a real and tangible -problem to others. In particular, users of mobile computing tools, where often there may not -be a sustained network connection, are often better served by purely Local Profiles. -This chapter provides information to help the Samba administrator to deal with those -situations also. -

Roaming Profiles

Warning

-Roaming profiles support is different for Win9x / Me and Windows NT4/200x. -

-Before discussing how to configure roaming profiles, it is useful to see how -Windows 9x / Me and Windows NT4/200x clients implement these features. -

-Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's -profiles location. However, the response does not have room for a separate -profiles location field, only the user's home share. This means that Win9X/Me -profiles are restricted to being stored in the user's home directory. -

-Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields, -including a separate field for the location of the user's profiles. -

Samba Configuration for Profile Handling

-This section documents how to configure Samba for MS Windows client profile support. -

NT4/200x User Profiles

-To support Windows NT4/200x clients, in the [global] section of smb.conf set the -following (for example): -

-
-	logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath
-
- - This is typically implemented like: - -
-		logon path = \\%L\Profiles\%u
-
-where %L translates to the name of the Samba server and %u translates to the user name -

-The default for this option is \\%N\%U\profile, -namely \\sambaserver\username\profile. -The \\N%\%U service is created automatically by the [homes] service. If you are using -a samba server for the profiles, you _must_ make the share specified in the logon path -browseable. Please refer to the man page for smb.conf in respect of the different -semantics of %L and %N, as well as %U and %u. -

Note

-MS Windows NT/2K clients at times do not disconnect a connection to a server -between logons. It is recommended to NOT use the homes -meta-service name as part of the profile share path. -

Windows 9x / Me User Profiles

- To support Windows 9x / Me clients, you must use the logon home parameter. Samba has -now been fixed so that net use /home now works as well, and it, too, relies -on the logon home parameter. -

-By using the logon home parameter, you are restricted to putting Win9x / Me -profiles in the user's home directory. But wait! There is a trick you -can use. If you set the following in the [global] section of your smb.conf file: -

-	logon home = \\%L\%U\.profiles
-

-then your Windows 9x / Me clients will dutifully put their clients in a subdirectory -of your home directory called .profiles (thus making them hidden). -

-Not only that, but net use /home will also work, because of a feature in -Windows 9x / Me. It removes any directory stuff off the end of the home directory area -and only uses the server and share portion. That is, it looks like you -specified \\%L\%U for logon home. -

Mixed Windows 9x / Me and Windows NT4/200x User Profiles

-You can support profiles for both Win9X and WinNT clients by setting both the -logon home and logon path parameters. For example: -

-	logon home = \\%L\%u\.profiles
-	logon path = \\%L\profiles\%u
-

Disabling Roaming Profile Support

- A question often asked is “How may I enforce use of local profiles?” or - “How do I disable Roaming Profiles?” -

-There are three ways of doing this: -

In smb.conf
- Affect the following settings and ALL clients - will be forced to use a local profile: -
-			logon home =
-			logon path =
-		
-
MS Windows Registry:
- By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is: - -
-	Local Computer Policy\
-		Computer Configuration\
-			Administrative Templates\
-				System\
-					User Profiles\
-
-	Disable:	Only Allow Local User Profiles
-	Disable:	Prevent Roaming Profile Change from Propagating to the Server
-	
-
Change of Profile Type:

- From the start menu right click on the - My Computer icon, select Properties, click on the User Profiles - tab, select the profile you wish to change from Roaming type to Local, click Change Type. -

-Consult the MS Windows registry guide for your particular MS Windows version for more -information about which registry keys to change to enforce use of only local user -profiles. -

Note

-The specifics of how to convert a local profile to a roaming profile, or a roaming profile -to a local one vary according to the version of MS Windows you are running. Consult the -Microsoft MS Windows Resource Kit for your version of Windows for specific information. -

Windows Client Profile Configuration Information

Windows 9x / Me Profile Setup

-When a user first logs in on Windows 9X, the file user.DAT is created, -as are folders Start Menu, Desktop, -Programs and Nethood. -These directories and their contents will be merged with the local -versions stored in c:\windows\profiles\username on subsequent logins, -taking the most recent from each. You will need to use the [global] -options preserve case = yes, short preserve case = yes and -case sensitive = no in order to maintain capital letters in shortcuts -in any of the profile folders. -

-The user.DAT file contains all the user's preferences. If you wish to -enforce a set of preferences, rename their user.DAT file to user.MAN, -and deny them write access to this file. -

  1. - On the Windows 9x / Me machine, go to Control Panel -> Passwords and - select the User Profiles tab. Select the required level of - roaming preferences. Press OK, but do _not_ allow the computer - to reboot. -

  2. - On the Windows 9x / Me machine, go to Control Panel -> Network -> - Client for Microsoft Networks -> Preferences. Select Log on to - NT Domain. Then, ensure that the Primary Logon is Client for - Microsoft Networks. Press OK, and this time allow the computer - to reboot. -

-Under Windows 9x / Me Profiles are downloaded from the Primary Logon. -If you have the Primary Logon as 'Client for Novell Networks', then -the profiles and logon script will be downloaded from your Novell -Server. If you have the Primary Logon as 'Windows Logon', then the -profiles will be loaded from the local machine - a bit against the -concept of roaming profiles, it would seem! -

-You will now find that the Microsoft Networks Login box contains -[user, password, domain] instead of just [user, password]. Type in -the samba server's domain name (or any other domain known to exist, -but bear in mind that the user will be authenticated against this -domain and profiles downloaded from it, if that domain logon server -supports it), user name and user's password. -

-Once the user has been successfully validated, the Windows 9x / Me machine -will inform you that The user has not logged on before' and asks you - if you wish to save the user's preferences? Select yes. -

-Once the Windows 9x / Me client comes up with the desktop, you should be able -to examine the contents of the directory specified in the logon path -on the samba server and verify that the Desktop, Start Menu, -Programs and Nethood folders have been created. -

-These folders will be cached locally on the client, and updated when -the user logs off (if you haven't made them read-only by then). -You will find that if the user creates further folders or short-cuts, -that the client will merge the profile contents downloaded with the -contents of the profile directory already on the local client, taking -the newest folders and short-cuts from each set. -

-If you have made the folders / files read-only on the samba server, -then you will get errors from the Windows 9x / Me machine on logon and logout, as -it attempts to merge the local and the remote profile. Basically, if -you have any errors reported by the Windows 9x / Me machine, check the Unix file -permissions and ownership rights on the profile directory contents, -on the samba server. -

-If you have problems creating user profiles, you can reset the user's -local desktop cache, as shown below. When this user then next logs in, -they will be told that they are logging in "for the first time". -

Warning

- Before deleting the contents of the - directory listed in the ProfilePath (this is likely to be - c:\windows\profiles\username), ask them if they - have any important files stored on their desktop or in their start menu. - Delete the contents of the directory ProfilePath (making a backup if any - of the files are needed). -

- This will have the effect of removing the local (read-only hidden - system file) user.DAT in their profile directory, as well as the - local "desktop", "nethood", "start menu" and "programs" folders. -

  1. - instead of logging in under the [user, password, domain] dialog, - press escape. -

  2. - run the regedit.exe program, and look in: -

    - HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList -

    - you will find an entry, for each user, of ProfilePath. Note the - contents of this key (likely to be c:\windows\profiles\username), - then delete the key ProfilePath for the required user. -

    [Exit the registry editor].

  3. - search for the user's .PWL password-caching file in the c:\windows - directory, and delete it. -

  4. - log off the windows 9x / Me client. -

  5. - check the contents of the profile path (see logon path described - above), and delete the user.DAT or user.MAN file for the user, - making a backup if required. -

-If all else fails, increase samba's debug log levels to between 3 and 10, -and / or run a packet trace program such as ethereal or netmon.exe, and -look for error messages. -

-If you have access to an Windows NT4/200x server, then first set up roaming profiles -and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine -the example packet traces provided with Windows NT4/200x server, and see what the -differences are with the equivalent samba trace. -

Windows NT4 Workstation

-When a user first logs in to a Windows NT Workstation, the profile -NTuser.DAT is created. The profile location can be now specified -through the logon path parameter. -

-There is a parameter that is now available for use with NT Profiles: -logon drive. This should be set to H: or any other drive, and -should be used in conjunction with the new "logon home" parameter. -

-The entry for the NT4 profile is a _directory_ not a file. The NT -help on profiles mentions that a directory is also created with a .PDS -extension. The user, while logging in, must have write permission to -create the full profile path (and the folder with the .PDS extension -for those situations where it might be created.) -

-In the profile directory, Windows NT4 creates more folders than Windows 9x / Me. -It creates Application Data and others, as well as Desktop, Nethood, -Start Menu and Programs. The profile itself is stored in a file -NTuser.DAT. Nothing appears to be stored in the .PDS directory, and -its purpose is currently unknown. -

-You can use the System Control Panel to copy a local profile onto -a samba server (see NT Help on profiles: it is also capable of firing -up the correct location in the System Control Panel for you). The -NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN -turns a profile into a mandatory one. -

-The case of the profile is significant. The file must be called -NTuser.DAT or, for a mandatory profile, NTuser.MAN. -

Windows 2000/XP Professional

-You must first convert the profile from a local profile to a domain -profile on the MS Windows workstation as follows: -

  1. - Log on as the LOCAL workstation administrator. -

  2. - Right click on the My Computer Icon, select Properties -

  3. - Click on the User Profiles tab -

  4. - Select the profile you wish to convert (click on it once) -

  5. - Click on the button Copy To -

  6. - In the Permitted to use box, click on the Change button. -

  7. - Click on the 'Look in" area that lists the machine name, when you click - here it will open up a selection box. Click on the domain to which the - profile must be accessible. -

    Note

    You will need to log on if a logon box opens up. Eg: In the connect - as: MIDEARTH\root, password: mypassword.

  8. - To make the profile capable of being used by anyone select 'Everyone' -

  9. - Click OK. The Selection box will close. -

  10. - Now click on the Ok button to create the profile in the path you - nominated. -

-Done. You now have a profile that can be edited using the samba-3.0.0 -profiles tool. -

Note

-Under NT/2K the use of mandatory profiles forces the use of MS Exchange -storage of mail data. That keeps desktop profiles usable. -

Note

  1. -This is a security check new to Windows XP (or maybe only -Windows XP service pack 1). It can be disabled via a group policy in -Active Directory. The policy is:

    Computer Configuration\Administrative Templates\System\User -Profiles\Do not check for user ownership of Roaming Profile Folders

    ...and it should be set to Enabled. -Does the new version of samba have an Active Directory analogue? If so, -then you may be able to set the policy through this. -

    -If you cannot set group policies in samba, then you may be able to set -the policy locally on each machine. If you want to try this, then do -the following (N.B. I don't know for sure that this will work in the -same way as a domain group policy): -

  2. -On the XP workstation log in with an Administrator account. -

  3. Click: Start, Run

  4. Type: mmc

  5. Click: OK

  6. A Microsoft Management Console should appear.

  7. Click: File, Add/Remove Snap-in..., Add

  8. Double-Click: Group Policy

  9. Click: Finish, Close

  10. Click: OK

  11. In the "Console Root" window:

  12. Expand: Local Computer Policy, Computer Configuration, - Administrative Templates, System, User Profiles

  13. Double-Click: Do not check for user ownership of Roaming Profile Folders

  14. Select: Enabled

  15. Click: OK

  16. Close the whole console. You do not need to save the settings (this - refers to the console settings rather than the policies you have - changed).

  17. Reboot

Sharing Profiles between W9x/Me and NT4/200x/XP workstations

-Sharing of desktop profiles between Windows versions is NOT recommended. -Desktop profiles are an evolving phenomenon and profiles for later versions -of MS Windows clients add features that may interfere with earlier versions -of MS Windows clients. Probably the more salient reason to NOT mix profiles -is that when logging off an earlier version of MS Windows the older format -of profile contents may overwrite information that belongs to the newer -version resulting in loss of profile information content when that user logs -on again with the newer version of MS Windows. -

-If you then want to share the same Start Menu / Desktop with W9x/Me, you will -need to specify a common location for the profiles. The smb.conf parameters -that need to be common are logon path and -logon home. -

-If you have this set up correctly, you will find separate user.DAT and -NTuser.DAT files in the same profile directory. -

Profile Migration from Windows NT4/200x Server to Samba

-There is nothing to stop you specifying any path that you like for the -location of users' profiles. Therefore, you could specify that the -profile be stored on a samba server, or any other SMB server, as long as -that SMB server supports encrypted passwords. -

Windows NT4 Profile Management Tools

-Unfortunately, the Resource Kit information is specific to the version of MS Windows -NT4/200x. The correct resource kit is required for each platform. -

-Here is a quick guide: -

  1. -On your NT4 Domain Controller, right click on My Computer, then -select the tab labelled User Profiles. -

  2. -Select a user profile you want to migrate and click on it. -

    Note

    I am using the term "migrate" loosely. You can copy a profile to -create a group profile. You can give the user 'Everyone' rights to the -profile you copy this to. That is what you need to do, since your samba -domain is not a member of a trust relationship with your NT4 PDC.

  3. Click the Copy To button.

  4. In the box labelled Copy Profile to add your new path, eg: - c:\temp\foobar

  5. Click on the button Change in the Permitted to use box.

  6. Click on the group 'Everyone' and then click OK. This closes the - 'choose user' box.

  7. Now click OK.

-Follow the above for every profile you need to migrate. -

Side bar Notes

-You should obtain the SID of your NT4 domain. You can use smbpasswd to do -this. Read the man page.

-With Samba-3.0.0 alpha code you can import all you NT4 domain accounts -using the net samsync method. This way you can retain your profile -settings as well as all your users. -

moveuser.exe

-The W2K professional resource kit has moveuser.exe. moveuser.exe changes -the security of a profile from one user to another. This allows the account -domain to change, and/or the user name to change. -

Get SID

-You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 -Resource Kit. -

-Windows NT 4.0 stores the local profile information in the registry under -the following key: -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList -

-Under the ProfileList key, there will be subkeys named with the SIDs of the -users who have logged on to this computer. (To find the profile information -for the user whose locally cached profile you want to move, find the SID for -the user with the GetSID.exe utility.) Inside of the appropriate user's -subkey, you will see a string value named ProfileImagePath. -

Mandatory profiles

-A Mandatory Profile is a profile that the user does NOT have the ability to overwrite. -During the user's session it may be possible to change the desktop environment, but -as the user logs out all changes made will be lost. If it is desired to NOT allow the -user any ability to change the desktop environment then this must be done through -policy settings. See previous chapter. -

Note

-Under NO circumstances should the profile directory (or it's contents) be made read-only -as this may render the profile un-usable. -

-For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles -also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT -file in the copied profile and rename it to NTUser.MAN. -

-For MS Windows 9x / Me it is the User.DAT file that must be renamed to User.MAN to -affect a mandatory profile. -

Creating/Managing Group Profiles

-Most organisations are arranged into departments. There is a nice benefit in -this fact since usually most users in a department will require the same desktop -applications and the same desktop layout. MS Windows NT4/200x/XP will allow the -use of Group Profiles. A Group Profile is a profile that is created firstly using -a template (example) user. Then using the profile migration tool (see above) the -profile is assigned access rights for the user group that needs to be given access -to the group profile. -

-The next step is rather important. Please note: Instead of assigning a group profile -to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned -the now modified profile. -

Note

- Be careful with group profiles, if the user who is a member of a group also - has a personal profile, then the result will be a fusion (merge) of the two. -

Default Profile for Windows Users

-MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom -a profile does not already exist. Armed with a knowledge of where the default profile -is located on the Windows workstation, and knowing which registry keys affect the path -from which the default profile is created, it is possible to modify the default profile -to one that has been optimised for the site. This has significant administrative -advantages. -

MS Windows 9x/Me

-To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System -Policy Editor or change the registry directly. -

-To enable default per user profiles in Windows 9x / Me, launch the System Policy Editor, then -select File -> Open Registry, then click on the -Local Computer icon, click on Windows 98 System, -select User Profiles, click on the enable box. Do not forget to save the registry changes. -

-To modify the registry directly, launch the Registry Editor (regedit.exe), select the hive -HKEY_LOCAL_MACHINE\Network\Logon. Now add a DWORD type key with the name -"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0. -

How User Profiles Are Handled in Windows 9x / Me?

-When a user logs on to a Windows 9x / Me machine, the local profile path, -HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList, is checked -for an existing entry for that user: -

-If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached -version of the user profile. Windows 9x / Me also checks the user's home directory (or other -specified directory if the location has been modified) on the server for the User Profile. -If a profile exists in both locations, the newer of the two is used. If the User Profile exists -on the server, but does not exist on the local machine, the profile on the server is downloaded -and used. If the User Profile only exists on the local machine, that copy is used. -

-If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me -machine is used and is copied to a newly created folder for the logged on user. At log off, any -changes that the user made are written to the user's local profile. If the user has a roaming -profile, the changes are written to the user's profile on the server. -

MS Windows NT4 Workstation

-On MS Windows NT4 the default user profile is obtained from the location -%SystemRoot%\Profiles which in a default installation will translate to -C:\WinNT\Profiles. Under this directory on a clean install there will be -three (3) directories: Administrator, All Users, Default User. -

-The All Users directory contains menu settings that are common across all -system users. The Default User directory contains menu entries that are -customisable per user depending on the profile settings chosen/created. -

-When a new user first logs onto an MS Windows NT4 machine a new profile is created from: -

All Users settings
Default User settings (contains the default NTUser.DAT file)

-When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain -the following steps are followed in respect of profile handling: -

  1. - The users' account information which is obtained during the logon process contains - the location of the users' desktop profile. The profile path may be local to the - machine or it may be located on a network share. If there exists a profile at the location - of the path from the user account, then this profile is copied to the location - %SystemRoot%\Profiles\%USERNAME%. This profile then inherits the - settings in the All Users profile in the %SystemRoot%\Profiles - location. -

  2. - If the user account has a profile path, but at it's location a profile does not exist, - then a new profile is created in the %SystemRoot%\Profiles\%USERNAME% - directory from reading the Default User profile. -

  3. - If the NETLOGON share on the authenticating server (logon server) contains a policy file - (NTConfig.POL) then it's contents are applied to the NTUser.DAT - which is applied to the HKEY_CURRENT_USER part of the registry. -

  4. - When the user logs out, if the profile is set to be a roaming profile it will be written - out to the location of the profile. The NTuser.DAT file is then - re-created from the contents of the HKEY_CURRENT_USER contents. - Thus, should there not exist in the NETLOGON share an NTConfig.POL at the - next logon, the effect of the previous NTConfig.POL will still be held - in the profile. The effect of this is known as tatooing. -

-MS Windows NT4 profiles may be Local or Roaming. A Local profile -will stored in the %SystemRoot%\Profiles\%USERNAME% location. A roaming profile will -also remain stored in the same way, unless the following registry key is created: -

-
-	HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\
-	"DeleteRoamingCache"=dword:00000001
-
- -In which case, the local copy (in %SystemRoot%\Profiles\%USERNAME%) will be -deleted on logout. -

-Under MS Windows NT4 default locations for common resources (like My Documents -may be redirected to a network share by modifying the following registry keys. These changes may be affected -via use of the System Policy Editor (to do so may require that you create your owns template extension -for the policy editor to allow this to be done through the GUI. Another way to do this is by way of first -creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings. -

-The Registry Hive key that affects the behaviour of folders that are part of the default user profile -are controlled by entries on Windows NT4 is: -

-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ -

-The above hive key contains a list of automatically managed folders. The default entries are: -

-

Table 24.1. User Shell Folder registry keys default values

NameDefault Value
AppData%USERPROFILE%\Application Data
Desktop%USERPROFILE%\Desktop
Favorites%USERPROFILE%\Favorites
NetHood%USERPROFILE%\NetHood
PrintHood%USERPROFILE%\PrintHood
Programs%USERPROFILE%\Start Menu\Programs
Recent%USERPROFILE%\Recent
SendTo%USERPROFILE%\SendTo
Start Menu %USERPROFILE%\Start Menu
Startup%USERPROFILE%\Start Menu\Programs\Startup
-

-The registry key that contains the location of the default profile settings is: -

-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders -

-The default entries are: - -

Table 24.2. Defaults of profile settings registry keys

Common Desktop%SystemRoot%\Profiles\All Users\Desktop
Common Programs%SystemRoot%\Profiles\All Users\Programs
Common Start Menu%SystemRoot%\Profiles\All Users\Start Menu
Common Startup%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup
-

MS Windows 200x/XP

Note

- MS Windows XP Home Edition does use default per user profiles, but can not participate - in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile - only from itself. While there are benefits in doing this the beauty of those MS Windows - clients that CAN participate in domain logon processes allows the administrator to create - a global default profile and to enforce it through the use of Group Policy Objects (GPOs). -

-When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from -C:\Documents and Settings\Default User. The administrator can modify (or change -the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum -arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client -workstation. -

-When MS Windows 200x/XP participate in a domain security context, and if the default user -profile is not found, then the client will search for a default profile in the NETLOGON share -of the authenticating server. ie: In MS Windows parlance: -%LOGONSERVER%\NETLOGON\Default User and if one exits there it will copy this -to the workstation to the C:\Documents and Settings\ under the Windows -login name of the user. -

Note

- This path translates, in Samba parlance, to the smb.conf [NETLOGON] share. The directory - should be created at the root of this share and must be called Default Profile. -

-If a default profile does not exist in this location then MS Windows 200x/XP will use the local -default profile. -

-On logging out, the users' desktop profile will be stored to the location specified in the registry -settings that pertain to the user. If no specific policies have been created, or passed to the client -during the login process (as Samba does automatically), then the user's profile will be written to -the local machine only under the path C:\Documents and Settings\%USERNAME%. -

-Those wishing to modify the default behaviour can do so through three methods: -

  • - Modify the registry keys on the local machine manually and place the new default profile in the - NETLOGON share root - NOT recommended as it is maintenance intensive. -

  • - Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file - in the root of the NETLOGON share along with the new default profile. -

  • - Create a GPO that enforces this through Active Directory, and place the new default profile - in the NETLOGON share. -

-The Registry Hive key that affects the behaviour of folders that are part of the default user profile -are controlled by entries on Windows 200x/XP is: -

-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ -

-The above hive key contains a list of automatically managed folders. The default entries are: -

-

Table 24.3. Defaults of default user profile paths registry keys

NameDefault Value
AppData%USERPROFILE%\Application Data
Cache%USERPROFILE%\Local Settings\Temporary Internet Files
Cookies%USERPROFILE%\Cookies
Desktop%USERPROFILE%\Desktop
Favorites%USERPROFILE%\Favorites
History%USERPROFILE%\Local Settings\History
Local AppData%USERPROFILE%\Local Settings\Application Data
Local Settings%USERPROFILE%\Local Settings
My Pictures%USERPROFILE%\My Documents\My Pictures
NetHood%USERPROFILE%\NetHood
Personal%USERPROFILE%\My Documents
PrintHood%USERPROFILE%\PrintHood
Programs%USERPROFILE%\Start Menu\Programs
Recent%USERPROFILE%\Recent
SendTo%USERPROFILE%\SendTo
Start Menu%USERPROFILE%\Start Menu
Startup%USERPROFILE%\Start Menu\Programs\Startup
Templates%USERPROFILE%\Templates
-

-There is also an entry called "Default" that has no value set. The default entry is of type REG_SZ, all -the others are of type REG_EXPAND_SZ. -

-It makes a huge difference to the speed of handling roaming user profiles if all the folders are -stored on a dedicated location on a network server. This means that it will NOT be necessary to -write the Outlook PST file over the network for every login and logout. -

-To set this to a network location you could use the following examples: -

%LOGONSERVER%\%USERNAME%\Default Folders

-This would store the folders in the user's home directory under a directory called Default Folders -You could also use: -

\\SambaServer\FolderShare\%USERNAME%

- in which case the default folders will be stored in the server named SambaServer -in the share called FolderShare under a directory that has the name of the MS Windows -user as seen by the Linux/Unix file system. -

-Please note that once you have created a default profile share, you MUST migrate a user's profile -(default or custom) to it. -

-MS Windows 200x/XP profiles may be Local or Roaming. -A roaming profile will be cached locally unless the following registry key is created: -

HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\"DeleteRoamingCache"=dword:00000001

-In which case, the local cache copy will be deleted on logout. -

Common Errors

-The following are some typical errors/problems/questions that have been asked. -

How does one set up roaming profiles for just one (or a few) user/s or group/s?

-With samba-2.2.x the choice you have is to enable or disable roaming -profiles support. It is a global only setting. The default is to have -roaming profiles and the default path will locate them in the user's home -directory. -

-If disabled globally then no-one will have roaming profile ability. -If enabled and you want it to apply only to certain machines, then on -those machines on which roaming profile support is NOT wanted it is then -necessary to disable roaming profile handling in the registry of each such -machine. -

-With samba-3.0.0 (soon to be released) you can have a global profile -setting in smb.conf _AND_ you can over-ride this by per-user settings -using the Domain User Manager (as with MS Windows NT4/ Win 2Kx). -

-In any case, you can configure only one profile per user. That profile can -be either: -

A profile unique to that user
A mandatory profile (one the user can not change)
A group profile (really should be mandatory ie:unchangable)

Can NOT use Roaming Profiles

-“ - I dont want Roaming profile to be implemented, I just want to give users - local profiles only. -... - Please help me I am totally lost with this error from past two days I tried - everything and googled around quite a bit but of no help. Please help me. -

-Your choices are: - - -
Local profiles

- I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out -

Roaming profiles
-
can use auto-delete on logout option
requires a registry key change on workstation
- - Your choices are: - -
Personal Roaming profiles

- - should be preserved on a central server - - workstations 'cache' (store) a local copy - - used in case the profile can not be downloaded - at next logon -

Group profiles

- loaded from a central place

Mandatory profiles

- - can be personal or group - - can NOT be changed (except by an administrator -

-
- -

-A WinNT4/2K/XP profile can vary in size from 130KB to off the scale. -Outlook PST files are most often part of the profile and can be many GB in -size. On average (in a well controlled environment) roaming profile size of -2MB is a good rule of thumb to use for planning purposes. In an -undisciplined environment I have seen up to 2GB profiles. Users tend to -complain when it take an hour to log onto a workstation but they harvest -the fruits of folly (and ignorance). -

-The point of all the above is to show that roaming profiles and good -controls of how they can be changed as well as good discipline make up for -a problem free site. -

-Microsoft's answer to the PST problem is to store all email in an MS -Exchange Server back-end. But this is another story ...! -

-So, having LOCAL profiles means: - -
If lots of users user each machine - lot's of local disk storage needed for local profiles
Every workstation the user logs into has it's own profile - can be very different from machine to machine
- -On the other hand, having roaming profiles means: -
The network administrator can control EVERY aspect of user profiles
With the use of mandatory profiles - a drastic reduction in network management overheads
User unhappiness about not being able to change their profiles soon fades as they get used to being able to work reliably
- -

-I have managed and installed MANY NT/2K networks and have NEVER found one -where users who move from machine to machine are happy with local -profiles. In the long run local profiles bite them. -

Changing the default profile

-When the client tries to logon to the PDC it looks for a profile to download -where do I put this default profile. -

-Firstly, your samba server need to be configured as a domain controller. -

-	server = user
-    os level = 32 (or more)
-	domain logons = Yes
-

-Plus you need to have a [netlogon] share that is world readable. -It is a good idea to add a logon script to pre-set printer and -drive connections. There is also a facility for automatically -synchronizing the workstation time clock with that of the logon -server (another good thing to do). -

Note

-To invoke auto-deletion of roaming profile from the local -workstation cache (disk storage) you need to use the Group Policy Editor -to create a file called NTConfig.POL with the appropriate entries. This -file needs to be located in the netlogon share root directory.

-Oh, of course the windows clients need to be members of the domain. -Workgroup machines do NOT do network logons - so they never see domain -profiles. -

-Secondly, for roaming profiles you need: - - logon path = \\%N\profiles\%U (with some such path) - logon drive = H: (Z: is the default) - - Plus you need a PROFILES share that is world writable. -
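Review bot: The domain-controller example in the removed text, just before the paragraph on the world-readable [netlogon] share, reads "server = user"; smb.conf has no "server" parameter, and the setting meant alongside "domain logons = Yes" is "security = user". This commit only deletes the generated HTML (1 file changed, 681 deletions), so the correction belongs in the source the docs are regenerated from, otherwise the same line comes back in the new output. Two other items in this hunk are worth carrying to that source as well. The DeleteRoamingCache key is written under "HKEY_LOCAL_MACHINE\SYSTEM\Software\...", which splices two hive paths together; Winlogon sits under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon". The closing instruction that the PROFILES share be "world writable" with "logon path = \\%N\profiles\%U" should also state what ownership and permissions the per-user directories need, because as written nothing stops one user from writing into another user's profile directory.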

-- cgit