From f62eaeb1a5add34ee7353d0d95db3c84a5c71c22 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 13 Aug 2003 06:07:10 +0000 Subject: regenerate (This used to be commit 75a8a906e8031b50e6583f2e0354073a8aa7f5f3) --- docs/htmldocs/ProfileMgmt.html | 652 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 652 insertions(+) create mode 100644 docs/htmldocs/ProfileMgmt.html (limited to 'docs/htmldocs/ProfileMgmt.html') diff --git a/docs/htmldocs/ProfileMgmt.html b/docs/htmldocs/ProfileMgmt.html new file mode 100644 index 0000000000..765ae4b0c4 --- /dev/null +++ b/docs/htmldocs/ProfileMgmt.html @@ -0,0 +1,652 @@ +Chapter 24. Desktop Profile Management

Chapter 24. Desktop Profile Management

John H. Terpstra

Samba Team

April 3 2003

Features and Benefits

+Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for +some administrators. +

+Roaming Profiles allow an administrator to make available a consistent user desktop +as the user moves from one machine to another. This chapter provides much information +regarding how to configure and manage Roaming Profiles. +

+While Roaming Profiles might sound like nirvana to some, they are a real and tangible +problem to others. In particular, users of mobile computing tools, where often there may not +be a sustained network connection, are often better served by purely Local Profiles. +This chapter provides information to help the Samba administrator to deal with those +situations also. +

Roaming Profiles

Warning

+Roaming profiles support is different for Win9x / Me and Windows NT4/200x. +

+Before discussing how to configure roaming profiles, it is useful to see how +Windows 9x / Me and Windows NT4/200x clients implement these features. +

+Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's +profiles location. However, the response does not have room for a separate +profiles location field, only the user's home share. This means that Win9X/Me +profiles are restricted to being stored in the user's home directory. +

+Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields, +including a separate field for the location of the user's profiles. +

Samba Configuration for Profile Handling

+This section documents how to configure Samba for MS Windows client profile support. +

NT4/200x User Profiles

+To support Windows NT4/200x clients, in the [global] section of smb.conf set the +following (for example): +

+

logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath

+ + This is typically implemented like: + +

logon path = \\%L\Profiles\%u

+where %L translates to the name of the Samba server and %u translates to the user name +

+The default for this option is \\%N\%U\profile, +namely \\sambaserver\username\profile. +The \\N%\%U service is created automatically by the [homes] service. If you are using +a samba server for the profiles, you _must_ make the share specified in the logon path +browseable. Please refer to the man page for smb.conf in respect of the different +semantics of %L and %N, as well as %U and %u. +

Note

+MS Windows NT/2K clients at times do not disconnect a connection to a server +between logons. It is recommended to NOT use the homes +meta-service name as part of the profile share path. +

Windows 9x / Me User Profiles

+ To support Windows 9x / Me clients, you must use the logon home parameter. Samba has +now been fixed so that net use /home now works as well, and it, too, relies +on the logon home parameter. +

+By using the logon home parameter, you are restricted to putting Win9x / Me +profiles in the user's home directory. But wait! There is a trick you +can use. If you set the following in the [global] section of your smb.conf file: +

logon home = \\%L\%U\.profiles

+then your Windows 9x / Me clients will dutifully put their clients in a subdirectory +of your home directory called .profiles (thus making them hidden). +

+Not only that, but net use /home will also work, because of a feature in +Windows 9x / Me. It removes any directory stuff off the end of the home directory area +and only uses the server and share portion. That is, it looks like you +specified \\%L\%U for logon home. +

Mixed Windows 9x / Me and Windows NT4/200x User Profiles

+You can support profiles for both Win9X and WinNT clients by setting both the +logon home and logon path parameters. For example: +

logon home = \\%L\%u\.profiles
logon path = \\%L\profiles\%u

Disabling Roaming Profile Support

+ A question often asked is “How may I enforce use of local profiles?” or + “How do I disable Roaming Profiles?” +

+There are three ways of doing this: +

In smb.conf

+ Affect the following settings and ALL clients + will be forced to use a local profile: +

logon home
logon path

+

MS Windows Registry:

+ By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is: + + +

+	Local Computer Policy\
+		Computer Configuration\
+			Administrative Templates\
+				System\
+					User Profiles\
+
+	Disable:	Only Allow Local User Profiles
+	Disable:	Prevent Roaming Profile Change from Propagating to the Server
+	

+

Change of Profile Type:

+ From the start menu right click on the + My Computer icon, select Properties, click on the User Profiles + tab, select the profile you wish to change from Roaming type to Local, click Change Type. +

+Consult the MS Windows registry guide for your particular MS Windows version for more +information about which registry keys to change to enforce use of only local user +profiles. +

Note

+The specifics of how to convert a local profile to a roaming profile, or a roaming profile +to a local one vary according to the version of MS Windows you are running. Consult the +Microsoft MS Windows Resource Kit for your version of Windows for specific information. +

Windows Client Profile Configuration Information

Windows 9x / Me Profile Setup

+When a user first logs in on Windows 9X, the file user.DAT is created, +as are folders Start Menu, Desktop, +Programs and Nethood. +These directories and their contents will be merged with the local +versions stored in c:\windows\profiles\username on subsequent logins, +taking the most recent from each. You will need to use the [global] +options preserve case = yes, short preserve case = yes and +case sensitive = no in order to maintain capital letters in shortcuts +in any of the profile folders. +

+The user.DAT file contains all the user's preferences. If you wish to +enforce a set of preferences, rename their user.DAT file to user.MAN, +and deny them write access to this file. +

  1. + On the Windows 9x / Me machine, go to Control Panel -> Passwords and + select the User Profiles tab. Select the required level of + roaming preferences. Press OK, but do _not_ allow the computer + to reboot. +

  2. + On the Windows 9x / Me machine, go to Control Panel -> Network -> + Client for Microsoft Networks -> Preferences. Select Log on to + NT Domain. Then, ensure that the Primary Logon is Client for + Microsoft Networks. Press OK, and this time allow the computer + to reboot. +

+Under Windows 9x / Me Profiles are downloaded from the Primary Logon. +If you have the Primary Logon as 'Client for Novell Networks', then +the profiles and logon script will be downloaded from your Novell +Server. If you have the Primary Logon as 'Windows Logon', then the +profiles will be loaded from the local machine - a bit against the +concept of roaming profiles, it would seem! +

+You will now find that the Microsoft Networks Login box contains +[user, password, domain] instead of just [user, password]. Type in +the samba server's domain name (or any other domain known to exist, +but bear in mind that the user will be authenticated against this +domain and profiles downloaded from it, if that domain logon server +supports it), user name and user's password. +

+Once the user has been successfully validated, the Windows 9x / Me machine +will inform you that The user has not logged on before and asks you +Do you wish to save the user's preferences?. Select yes. +

+Once the Windows 9x / Me client comes up with the desktop, you should be able +to examine the contents of the directory specified in the logon path +on the samba server and verify that the Desktop, Start Menu, +Programs and Nethood folders have been created. +

+These folders will be cached locally on the client, and updated when +the user logs off (if you haven't made them read-only by then). +You will find that if the user creates further folders or short-cuts, +that the client will merge the profile contents downloaded with the +contents of the profile directory already on the local client, taking +the newest folders and short-cuts from each set. +

+If you have made the folders / files read-only on the samba server, +then you will get errors from the Windows 9x / Me machine on logon and logout, as +it attempts to merge the local and the remote profile. Basically, if +you have any errors reported by the Windows 9x / Me machine, check the UNIX file +permissions and ownership rights on the profile directory contents, +on the samba server. +

+If you have problems creating user profiles, you can reset the user's +local desktop cache, as shown below. When this user then next logs in, +they will be told that they are logging in "for the first time". +

Warning

+ Before deleting the contents of the + directory listed in the ProfilePath (this is likely to be + c:\windows\profiles\username), ask them if they + have any important files stored on their desktop or in their start menu. + Delete the contents of the directory ProfilePath (making a backup if any + of the files are needed). +

+ This will have the effect of removing the local (read-only hidden + system file) user.DAT in their profile directory, as well as the + local "desktop", "nethood", "start menu" and "programs" folders. +

  1. + instead of logging in under the [user, password, domain] dialog, + press escape. +

  2. + run the regedit.exe program, and look in: +

    + HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList +

    + you will find an entry, for each user, of ProfilePath. Note the + contents of this key (likely to be c:\windows\profiles\username), + then delete the key ProfilePath for the required user. +

    [Exit the registry editor].

  3. + search for the user's .PWL password-caching file in the c:\windows + directory, and delete it. +

  4. + log off the windows 9x / Me client. +

  5. + check the contents of the profile path (see logon path described + above), and delete the user.DAT or user.MAN file for the user, + making a backup if required. +

+If all else fails, increase samba's debug log levels to between 3 and 10, +and / or run a packet trace program such as ethereal or netmon.exe, and +look for error messages. +

+If you have access to an Windows NT4/200x server, then first set up roaming profiles +and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine +the example packet traces provided with Windows NT4/200x server, and see what the +differences are with the equivalent samba trace. +

Windows NT4 Workstation

+When a user first logs in to a Windows NT Workstation, the profile +NTuser.DAT is created. The profile location can be now specified +through the logon path parameter. +

+There is a parameter that is now available for use with NT Profiles: +logon drive. This should be set to H: or any other drive, and +should be used in conjunction with the new logon home parameter. +

+The entry for the NT4 profile is a _directory_ not a file. The NT +help on profiles mentions that a directory is also created with a .PDS +extension. The user, while logging in, must have write permission to +create the full profile path (and the folder with the .PDS extension +for those situations where it might be created.) +

+In the profile directory, Windows NT4 creates more folders than Windows 9x / Me. +It creates Application Data and others, as well as Desktop, Nethood, +Start Menu and Programs. The profile itself is stored in a file +NTuser.DAT. Nothing appears to be stored in the .PDS directory, and +its purpose is currently unknown. +

+You can use the System Control Panel to copy a local profile onto +a samba server (see NT Help on profiles: it is also capable of firing +up the correct location in the System Control Panel for you). The +NT Help file also mentions that renaming NTuser.DAT to NTuser.MAN +turns a profile into a mandatory one. +

+The case of the profile is significant. The file must be called +NTuser.DAT or, for a mandatory profile, NTuser.MAN. +

Windows 2000/XP Professional

+You must first convert the profile from a local profile to a domain +profile on the MS Windows workstation as follows: +

  1. + Log on as the LOCAL workstation administrator. +

  2. + Right click on the My Computer Icon, select Properties +

  3. + Click on the User Profiles tab +

  4. + Select the profile you wish to convert (click on it once) +

  5. + Click on the button Copy To +

  6. + In the Permitted to use box, click on the Change button. +

  7. + Click on the 'Look in" area that lists the machine name, when you click + here it will open up a selection box. Click on the domain to which the + profile must be accessible. +

    Note

    You will need to log on if a logon box opens up. Eg: In the connect as: DOMAIN\root, password: mypassword.

  8. + To make the profile capable of being used by anyone select 'Everyone' +

  9. + Click OK. The Selection box will close. +

  10. + Now click on the Ok button to create the profile in the path you + nominated. +

+Done. You now have a profile that can be edited using the samba +profiles tool. +

Note

+Under NT/2K the use of mandatory profiles forces the use of MS Exchange +storage of mail data. That keeps desktop profiles usable. +

Procedure 24.2. Windows XP Service Pack 1

  1. +This is a security check new to Windows XP (or maybe only +Windows XP service pack 1). It can be disabled via a group policy in +Active Directory. The policy is:

    Computer Configuration\Administrative Templates\System\User +Profiles\Do not check for user ownership of Roaming Profile Folders

    ...and it should be set to Enabled. +Does the new version of samba have an Active Directory analogue? If so, +then you may be able to set the policy through this. +

    +If you cannot set group policies in samba, then you may be able to set +the policy locally on each machine. If you want to try this, then do +the following (N.B. I don't know for sure that this will work in the +same way as a domain group policy): +

  2. +On the XP workstation log in with an Administrator account. +

  3. Click: Start, Run

  4. Type: mmc

  5. Click: OK

  6. A Microsoft Management Console should appear.

  7. Click: File, Add/Remove Snap-in..., Add

  8. Double-Click: Group Policy

  9. Click: Finish, Close

  10. Click: OK

  11. In the "Console Root" window:

  12. Expand: Local Computer Policy, Computer Configuration, + Administrative Templates, System, User Profiles

  13. Double-Click: Do not check for user ownership of Roaming Profile Folders

  14. Select: Enabled

  15. Click: OK

  16. Close the whole console. You do not need to save the settings (this + refers to the console settings rather than the policies you have + changed).

  17. Reboot

Sharing Profiles between W9x/Me and NT4/200x/XP workstations

+Sharing of desktop profiles between Windows versions is NOT recommended. +Desktop profiles are an evolving phenomenon and profiles for later versions +of MS Windows clients add features that may interfere with earlier versions +of MS Windows clients. Probably the more salient reason to NOT mix profiles +is that when logging off an earlier version of MS Windows the older format +of profile contents may overwrite information that belongs to the newer +version resulting in loss of profile information content when that user logs +on again with the newer version of MS Windows. +

+If you then want to share the same Start Menu / Desktop with W9x/Me, you will +need to specify a common location for the profiles. The smb.conf parameters +that need to be common are logon path and +logon home. +

+If you have this set up correctly, you will find separate user.DAT and +NTuser.DAT files in the same profile directory. +

Profile Migration from Windows NT4/200x Server to Samba

+There is nothing to stop you specifying any path that you like for the +location of users' profiles. Therefore, you could specify that the +profile be stored on a samba server, or any other SMB server, as long as +that SMB server supports encrypted passwords. +

Windows NT4 Profile Management Tools

+Unfortunately, the Resource Kit information is specific to the version of MS Windows +NT4/200x. The correct resource kit is required for each platform. +

+Here is a quick guide: +

  1. +On your NT4 Domain Controller, right click on My Computer, then +select the tab labelled User Profiles. +

  2. +Select a user profile you want to migrate and click on it. +

    Note

    I am using the term "migrate" loosely. You can copy a profile to +create a group profile. You can give the user 'Everyone' rights to the +profile you copy this to. That is what you need to do, since your samba +domain is not a member of a trust relationship with your NT4 PDC.

  3. Click the Copy To button.

  4. In the box labelled Copy Profile to add your new path, eg: + c:\temp\foobar

  5. Click on the button Change in the Permitted to use box.

  6. Click on the group 'Everyone' and then click OK. This closes the + 'choose user' box.

  7. Now click OK.

+Follow the above for every profile you need to migrate. +

Side bar Notes

+You should obtain the SID of your NT4 domain. You can use smbpasswd to do +this. Read the man page.

moveuser.exe

+The W2K professional resource kit has moveuser.exe. moveuser.exe changes +the security of a profile from one user to another. This allows the account +domain to change, and/or the user name to change. +

Get SID

+You can identify the SID by using GetSID.exe from the Windows NT Server 4.0 +Resource Kit. +

+Windows NT 4.0 stores the local profile information in the registry under +the following key: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList +

+Under the ProfileList key, there will be subkeys named with the SIDs of the +users who have logged on to this computer. (To find the profile information +for the user whose locally cached profile you want to move, find the SID for +the user with the GetSID.exe utility.) Inside of the appropriate user's +subkey, you will see a string value named ProfileImagePath. +

Mandatory profiles

+A Mandatory Profile is a profile that the user does NOT have the ability to overwrite. +During the user's session it may be possible to change the desktop environment, but +as the user logs out all changes made will be lost. If it is desired to NOT allow the +user any ability to change the desktop environment then this must be done through +policy settings. See previous chapter. +

Note

+Under NO circumstances should the profile directory (or it's contents) be made read-only +as this may render the profile un-usable. +

+For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles +also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT +file in the copied profile and rename it to NTUser.MAN. +

+For MS Windows 9x / Me it is the User.DAT file that must be renamed to User.MAN to +affect a mandatory profile. +

Creating/Managing Group Profiles

+Most organisations are arranged into departments. There is a nice benefit in +this fact since usually most users in a department will require the same desktop +applications and the same desktop layout. MS Windows NT4/200x/XP will allow the +use of Group Profiles. A Group Profile is a profile that is created firstly using +a template (example) user. Then using the profile migration tool (see above) the +profile is assigned access rights for the user group that needs to be given access +to the group profile. +

+The next step is rather important. Please note: Instead of assigning a group profile +to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned +the now modified profile. +

Note

+ Be careful with group profiles, if the user who is a member of a group also + has a personal profile, then the result will be a fusion (merge) of the two. +

Default Profile for Windows Users

+MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom +a profile does not already exist. Armed with a knowledge of where the default profile +is located on the Windows workstation, and knowing which registry keys affect the path +from which the default profile is created, it is possible to modify the default profile +to one that has been optimised for the site. This has significant administrative +advantages. +

MS Windows 9x/Me

+To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System +Policy Editor or change the registry directly. +

+To enable default per user profiles in Windows 9x / Me, launch the System Policy Editor, then +select File -> Open Registry, then click on the +Local Computer icon, click on Windows 98 System, +select User Profiles, click on the enable box. Do not forget to save the registry changes. +

+To modify the registry directly, launch the Registry Editor (regedit.exe), select the hive +HKEY_LOCAL_MACHINE\Network\Logon. Now add a DWORD type key with the name +"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0. +

How User Profiles Are Handled in Windows 9x / Me?

+When a user logs on to a Windows 9x / Me machine, the local profile path, +HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList, is checked +for an existing entry for that user: +

+If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached +version of the user profile. Windows 9x / Me also checks the user's home directory (or other +specified directory if the location has been modified) on the server for the User Profile. +If a profile exists in both locations, the newer of the two is used. If the User Profile exists +on the server, but does not exist on the local machine, the profile on the server is downloaded +and used. If the User Profile only exists on the local machine, that copy is used. +

+If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me +machine is used and is copied to a newly created folder for the logged on user. At log off, any +changes that the user made are written to the user's local profile. If the user has a roaming +profile, the changes are written to the user's profile on the server. +

MS Windows NT4 Workstation

+On MS Windows NT4 the default user profile is obtained from the location +%SystemRoot%\Profiles which in a default installation will translate to +C:\WinNT\Profiles. Under this directory on a clean install there will be +three (3) directories: Administrator, All Users, Default User. +

+The All Users directory contains menu settings that are common across all +system users. The Default User directory contains menu entries that are +customisable per user depending on the profile settings chosen/created. +

+When a new user first logs onto an MS Windows NT4 machine a new profile is created from: +

  • All Users settings

  • Default User settings (contains the default NTUser.DAT file)

+When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain +the following steps are followed in respect of profile handling: +

  1. + The users' account information which is obtained during the logon process contains + the location of the users' desktop profile. The profile path may be local to the + machine or it may be located on a network share. If there exists a profile at the location + of the path from the user account, then this profile is copied to the location + %SystemRoot%\Profiles\%USERNAME%. This profile then inherits the + settings in the All Users profile in the %SystemRoot%\Profiles + location. +

  2. + If the user account has a profile path, but at it's location a profile does not exist, + then a new profile is created in the %SystemRoot%\Profiles\%USERNAME% + directory from reading the Default User profile. +

  3. + If the NETLOGON share on the authenticating server (logon server) contains a policy file + (NTConfig.POL) then it's contents are applied to the NTUser.DAT + which is applied to the HKEY_CURRENT_USER part of the registry. +

  4. + When the user logs out, if the profile is set to be a roaming profile it will be written + out to the location of the profile. The NTuser.DAT file is then + re-created from the contents of the HKEY_CURRENT_USER contents. + Thus, should there not exist in the NETLOGON share an NTConfig.POL at the + next logon, the effect of the previous NTConfig.POL will still be held + in the profile. The effect of this is known as tatooing. +

+MS Windows NT4 profiles may be Local or Roaming. A Local profile +will stored in the %SystemRoot%\Profiles\%USERNAME% location. A roaming profile will +also remain stored in the same way, unless the following registry key is created: +

+

+HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
+winlogon\"DeleteRoamingCache"=dword:00000001
+

+ +In which case, the local copy (in %SystemRoot%\Profiles\%USERNAME%) will be +deleted on logout. +

+Under MS Windows NT4 default locations for common resources (like My Documents +may be redirected to a network share by modifying the following registry keys. These changes may be affected +via use of the System Policy Editor (to do so may require that you create your owns template extension +for the policy editor to allow this to be done through the GUI. Another way to do this is by way of first +creating a default user profile, then while logged in as that user, run regedt32 to edit the key settings. +

+The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows NT4 is: +

+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ +

+The above hive key contains a list of automatically managed folders. The default entries are: +

+

Table 24.1. User Shell Folder registry keys default values

NameDefault Value
AppData%USERPROFILE%\Application Data
Desktop%USERPROFILE%\Desktop
Favorites%USERPROFILE%\Favorites
NetHood%USERPROFILE%\NetHood
PrintHood%USERPROFILE%\PrintHood
Programs%USERPROFILE%\Start Menu\Programs
Recent%USERPROFILE%\Recent
SendTo%USERPROFILE%\SendTo
Start Menu %USERPROFILE%\Start Menu
Startup%USERPROFILE%\Start Menu\Programs\Startup

+

+The registry key that contains the location of the default profile settings is: +

+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders +

+The default entries are: + +

Table 24.2. Defaults of profile settings registry keys

Common Desktop%SystemRoot%\Profiles\All Users\Desktop
Common Programs%SystemRoot%\Profiles\All Users\Programs
Common Start Menu%SystemRoot%\Profiles\All Users\Start Menu
Common Startup%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup

+

MS Windows 200x/XP

Note

+ MS Windows XP Home Edition does use default per user profiles, but can not participate + in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile + only from itself. While there are benefits in doing this the beauty of those MS Windows + clients that CAN participate in domain logon processes allows the administrator to create + a global default profile and to enforce it through the use of Group Policy Objects (GPOs). +

+When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from +C:\Documents and Settings\Default User. The administrator can modify (or change +the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum +arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client +workstation. +

+When MS Windows 200x/XP participate in a domain security context, and if the default user +profile is not found, then the client will search for a default profile in the NETLOGON share +of the authenticating server. ie: In MS Windows parlance: +%LOGONSERVER%\NETLOGON\Default User and if one exits there it will copy this +to the workstation to the C:\Documents and Settings\ under the Windows +login name of the user. +

Note

+ This path translates, in Samba parlance, to the smb.conf [NETLOGON] share. The directory + should be created at the root of this share and must be called Default Profile. +

+If a default profile does not exist in this location then MS Windows 200x/XP will use the local +default profile. +

+On logging out, the users' desktop profile will be stored to the location specified in the registry +settings that pertain to the user. If no specific policies have been created, or passed to the client +during the login process (as Samba does automatically), then the user's profile will be written to +the local machine only under the path C:\Documents and Settings\%USERNAME%. +

+Those wishing to modify the default behaviour can do so through three methods: +

  • + Modify the registry keys on the local machine manually and place the new default profile in the + NETLOGON share root - NOT recommended as it is maintenance intensive. +

  • + Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file + in the root of the NETLOGON share along with the new default profile. +

  • + Create a GPO that enforces this through Active Directory, and place the new default profile + in the NETLOGON share. +

+The Registry Hive key that affects the behaviour of folders that are part of the default user profile +are controlled by entries on Windows 200x/XP is: +

+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ +

+The above hive key contains a list of automatically managed folders. The default entries are: +

+

Table 24.3. Defaults of default user profile paths registry keys

NameDefault Value
AppData%USERPROFILE%\Application Data
Cache%USERPROFILE%\Local Settings\Temporary Internet Files
Cookies%USERPROFILE%\Cookies
Desktop%USERPROFILE%\Desktop
Favorites%USERPROFILE%\Favorites
History%USERPROFILE%\Local Settings\History
Local AppData%USERPROFILE%\Local Settings\Application Data
Local Settings%USERPROFILE%\Local Settings
My Pictures%USERPROFILE%\My Documents\My Pictures
NetHood%USERPROFILE%\NetHood
Personal%USERPROFILE%\My Documents
PrintHood%USERPROFILE%\PrintHood
Programs%USERPROFILE%\Start Menu\Programs
Recent%USERPROFILE%\Recent
SendTo%USERPROFILE%\SendTo
Start Menu%USERPROFILE%\Start Menu
Startup%USERPROFILE%\Start Menu\Programs\Startup
Templates%USERPROFILE%\Templates

+

+There is also an entry called "Default" that has no value set. The default entry is of type REG_SZ, all +the others are of type REG_EXPAND_SZ. +

+It makes a huge difference to the speed of handling roaming user profiles if all the folders are +stored on a dedicated location on a network server. This means that it will NOT be necessary to +write the Outlook PST file over the network for every login and logout. +

+To set this to a network location you could use the following examples: +

%LOGONSERVER%\%USERNAME%\Default Folders

+This would store the folders in the user's home directory under a directory called Default Folders +You could also use: +

\\SambaServer\FolderShare\%USERNAME%

+ in which case the default folders will be stored in the server named SambaServer +in the share called FolderShare under a directory that has the name of the MS Windows +user as seen by the Linux/UNIX file system. +

+Please note that once you have created a default profile share, you MUST migrate a user's profile +(default or custom) to it. +

+MS Windows 200x/XP profiles may be Local or Roaming. +A roaming profile will be cached locally unless the following registry key is created: +

+

+HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
+	winlogon\"DeleteRoamingCache"=dword:00000001

+In which case, the local cache copy will be deleted on logout. +

Common Errors

+The following are some typical errors/problems/questions that have been asked. +

Setting up roaming profiles for just a few user's or group's?

+With samba-2.2.x the choice you have is to enable or disable roaming +profiles support. It is a global only setting. The default is to have +roaming profiles and the default path will locate them in the user's home +directory. +

+If disabled globally then no-one will have roaming profile ability. +If enabled and you want it to apply only to certain machines, then on +those machines on which roaming profile support is NOT wanted it is then +necessary to disable roaming profile handling in the registry of each such +machine. +

+With samba-3 you can have a global profile +setting in smb.conf _AND_ you can over-ride this by per-user settings +using the Domain User Manager (as with MS Windows NT4/ Win 2Kx). +

+In any case, you can configure only one profile per user. That profile can +be either: +

  • A profile unique to that user

  • A mandatory profile (one the user can not change)

  • A group profile (really should be mandatory ie:unchangable)

Can NOT use Roaming Profiles

+A user requested the following: +“ +I do not want Roaming profiles to be implemented. I want to give users a local profile alone. ... +Please help me I am totally lost with this error. For the past two days I tried everything, I googled +around but found no useful pointers. Please help me. +

+The choices are: +

Local profiles:

+ I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out +

Roaming profiles:

+ As a user logs onto the network a centrally stored profile is copied to the workstation + to form a local profile. This local profile will persist (remain on the workstation disk) + unless a registry key is changed that will cause this profile to be automatically deleted + on logout. +

+The Roaming Profile choices are: +

Personal Roaming profiles

+ These are typically stored in a profile share on a central (or conveniently located + local) server. +

+ Workstations 'cache' (store) a local copy of the profile. This cached copy is used when + the profile can not be downloaded at next logon. +

Group profiles

These are loaded from a central profile server

Mandatory profiles

+ Mandatory profiles can be created for a user as well as for any group that a user + is a member of. Mandatory profiles can NOT be changed by ordinary users. Only the administrator + can change or reconfigure a mandatory profile. +

+A WinNT4/2K/XP profile can vary in size from 130KB to off the scale. +Outlook PST files are most often part of the profile and can be many GB in +size. On average (in a well controlled environment) roaming profile size of +2MB is a good rule of thumb to use for planning purposes. In an +undisciplined environment I have seen up to 2GB profiles. Users tend to +complain when it take an hour to log onto a workstation but they harvest +the fruits of folly (and ignorance). +

+The point of all the above is to show that roaming profiles and good +controls of how they can be changed as well as good discipline make up for +a problem free site. +

+Microsoft's answer to the PST problem is to store all email in an MS +Exchange Server back-end. This removes the need for a PST file. +

+LOCAL profiles mean: +

  • If each machine is used my many users then much local disk storage is needed for local profiles

  • Every workstation the user logs into has it's own profile, these can be very different from machine to machine

+On the other hand, use of roaming profiles means: +

  • The network administrator can control the desktop environment of all users.

  • Use of mandatory profiles drasitcally reduces network management overheads.

  • In the long run users will be experience fewer problems.

Changing the default profile

+Question: +“ +When the client logs onto the domain controller it searches for a profile to download, +where do I put this default profile? +

+Firstly, the samba server needs to be configured as a domain controller. +This can be done by setting in smb.conf: +

security = user
os level = 32 (or more)
domain logons = Yes

+There must be an [netlogon] share that is world readable. +It is a good idea to add a logon script to pre-set printer and +drive connections. There is also a facility for automatically +synchronizing the workstation time clock with that of the logon +server (another good thing to do). +

Note

+To invoke auto-deletion of roaming profile from the local +workstation cache (disk storage) use the Group Policy Editor +to create a file called NTConfig.POL with the appropriate entries. This +file needs to be located in the netlogon share root directory.

+Windows clients need to be members of the domain. Workgroup machines do NOT use network logons so +they do not interoperate with domain profiles. +

+For roaming profiles add to smb.conf: +

+

logon path = \\%N\profiles\%U
# Default logon drive is Z:
logon drive = H:
# This requires a PROFILES share that is world writable.

+
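Review bot: the DeleteRoamingCache registry path in this hunk is wrong: `HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon` mixes the SYSTEM and SOFTWARE hives, and no such key exists; the Winlogon key is `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, and `DeleteRoamingCache` is a DWORD value under it rather than a key, so "unless the following registry key is created" should read "value". In the Note under "Changing the default profile", NTConfig.POL is produced by the System Policy Editor, not the Group Policy Editor, which edits Group Policy objects and does not write NTConfig.POL. The comment "# This requires a PROFILES share that is world writable." after the logon path example describes a share in which every user can write into every other user's profile directory; suggest adding the matching [profiles] share definition with a restrictive create mask and directory mask so each user's profile directory is writable only by its owner. Minor: the opening sentence "The Registry Hive key that affects the behaviour of folders that are part of the default user profile are controlled by entries on Windows 200x/XP is:" does not parse and should be rewritten; the quoted user request opens with “ but is never closed; and the typos "drasitcally", "used my many users", "it's own profile", "will be experience fewer problems" and the heading "for just a few user's or group's?" should be fixed before this is published.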

-- cgit