mirror of
https://github.com/samba-team/samba.git
synced 2025-01-20 14:03:59 +03:00
More edits on profile management.
parent
5827981c0d
commit
7dac688c4d
@ -412,7 +412,7 @@ nominated.
|
||||
|
||||
<para>
|
||||
Done. You now have a profile that can be editted using the samba-3.0.0
|
||||
profiles tool.
|
||||
<filename>profiles</filename> tool.
|
||||
</para>
|
||||
|
||||
<note>
|
||||
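Review bot: the context line directly above the changed one still reads "editted"; since this paragraph is being touched anyway, correct it to "edited" in the same commit. Also consider whether <filename> is the right element here: the sentence refers to profiles as a tool that is run, not a path, so <command>profiles</command> would describe it more accurately.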
@ -619,9 +619,29 @@ subkey, you will see a string value named ProfileImagePath.
|
||||
<title>Mandatory profiles</title>
|
||||
|
||||
<para>
|
||||
The above method can be used to create mandatory profiles also. To convert
|
||||
a group profile into a mandatory profile simply locate the NTUser.DAT file
|
||||
in the copied profile and rename it to NTUser.MAN.
|
||||
A Mandatory Profile is a profile that the user does NOT have the ability to overwrite.
|
||||
During the user's session it may be possible to change the desktop environment, but
|
||||
as the user logs out all changes made will be lost. If it is desired to NOT allow the
|
||||
user any ability to change the desktop environment then this must be done through
|
||||
policy settings. See previous chapter.
|
||||
</para>
|
||||
|
||||
<note>
|
||||
<para>
|
||||
Under NO circumstances should the profile directory (or it's contents) be made read-only
|
||||
as this may render the profile un-usable.
|
||||
</para>
|
||||
</note>
|
||||
|
||||
<para>
|
||||
For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles
|
||||
also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT
|
||||
file in the copied profile and rename it to NTUser.MAN.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
For MS Windows 9x / Me it is the User.DAT file that must be renamed to User.MAN to
|
||||
affect a mandatory profile.
|
||||
</para>
|
||||
|
||||
</sect1>
|
||||
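Review bot: the new note forbidding a read-only profile directory comes straight after the paragraph saying the user cannot overwrite a mandatory profile, and nothing in between tells the reader that the rename to NTUser.MAN (User.MAN on 9x / Me) is the mechanism rather than file permissions. Move the note below the two rename paragraphs, or add a sentence making that link, so administrators do not reach for permissions to enforce the profile. Smaller points in the same hunk: "it's contents" should be "its contents", "affect a mandatory profile" should be "effect", and "See previous chapter." would be better as a proper cross-reference.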
@ -630,7 +650,229 @@ in the copied profile and rename it to NTUser.MAN.
|
||||
<title>Creating/Managing Group Profiles</title>
|
||||
|
||||
<para>
|
||||
Blah goes here.
|
||||
Most organisations are arranged into departments. There is a nice benenfit in
|
||||
this fact since usually most users in a department will require the same desktop
|
||||
applications and the same desktop layout. MS Windows NT4/200x/XP will allow the
|
||||
use of Group Profiles. A Group Profile is a profile that is created firstly using
|
||||
a template (example) user. Then using the profile migration tool (see above) the
|
||||
profile is assigned access rights for the user group that needs to be given access
|
||||
to the group profile.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The next step is rather important. PLEASE NOTE: Instead of assigning a group profile
|
||||
to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned
|
||||
the now modified profile.
|
||||
</para>
|
||||
|
||||
<note>
|
||||
<para>
|
||||
Be careful with group profiles, if the user who is a member of a group also
|
||||
has a personal profile, then the result will be a fusion (merge) of the two.
|
||||
</para>
|
||||
</note>
|
||||
|
||||
</sect1>
|
||||
|
||||
<sect1>
|
||||
<title>Default Profile for Windows Users</title>
|
||||
|
||||
<para>
|
||||
MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom
|
||||
a profile does not already exist. Armed with a knowledge of where the default profile
|
||||
is located on the Windows workstation, and knowing which registry keys affect the path
|
||||
from which the default profile is created, it is possible to modify the default profile
|
||||
to one that has been optimised for the site. This has significant administrative
|
||||
advantages.
|
||||
<para>
|
||||
|
||||
<sect2>
|
||||
<title>MS Windows 9x/Me</title>
|
||||
|
||||
<para>
|
||||
To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System
|
||||
Policy Editor or change the registry directly.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
To enable default per user profiles in Windows 9x / Me, launch the System Policy Editor, then
|
||||
select File -> Open Registry, then click on the Local Computer icon, click on Windows 98 System,
|
||||
select User Profiles, click on the enable box. Do not forget to save the registry changes.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
To modify the registry directly, launch the Registry Editor (regedit.exe), select the hive
|
||||
<filename>HKEY_LOCAL_MACHINE\Network\Logon</filename>. Now add a DWORD type key with the name
|
||||
"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>MS Windows NT4 Workstation</title>
|
||||
|
||||
<para>
|
||||
Document NT4 default profile handling stuff here! Someone - please contribute appropriate
|
||||
material here. Email your contribution to jht@samba.org.
|
||||
</para>
|
||||
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>MS Windows 200x/XP</title>
|
||||
|
||||
<note>
|
||||
<para>
|
||||
MS Windows XP Home Edition does use default per user profiles, but can not participate
|
||||
in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile
|
||||
only from itself. While there are benefits in doing this the beauty of those MS Windows
|
||||
clients that CAN participate in domain logon processes allows the administrator to create
|
||||
a global default profile and to enforce it through the use of Group Policy Objects (GPOs).
|
||||
</para>
|
||||
</note>
|
||||
|
||||
<para>
|
||||
When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from
|
||||
<filename>C:\Documents and Settings\Default User</filename>. The administrator can modify (or change
|
||||
the contents of this location and MS Windows 200x/XP will gladly user it. This is far from the optimum
|
||||
arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client
|
||||
workstation.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
When MS Windows 200x/XP participate in a domain security context, and if the default user
|
||||
profile is not found, then the client will search for a default profile in the NETLOGON share
|
||||
of the authenticating server. ie: In MS Windows parlance:
|
||||
<filename>%LOGONSERVER%\NETLOGON\Default User</filename> and if one exits there it will copy this
|
||||
to the workstation to the <filename>C:\Documents and Settings\</filename> under the Windows
|
||||
login name of the user.
|
||||
</para>
|
||||
|
||||
<note>
|
||||
<para>
|
||||
This path translates, in Samba parlance, to the smb.conf [NETLOGON] share. The directory
|
||||
should be created at the root of this share and msut be called <filename>Default Profile</filename>.
|
||||
</para>
|
||||
</note>
|
||||
|
||||
<para>
|
||||
If a default profile does not exist in this location then MS Windows 200x/XP will use the local
|
||||
default profile.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
On loging out, the users' desktop profile will be stored to the location specified in the registry
|
||||
settings that pertain to the user. If no specific policies have been created, or passed to the client
|
||||
during the login process (as Samba does automatically), then the user's profile will be written to
|
||||
the local machine only under the path <filename>C:\Documents and Settings\%USERNAME%</filename>.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Those wishing to modify the default behaviour can do so through up to three methods:
|
||||
</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
Modify the registry keys on the local machine manually and place the new default profile in the
|
||||
NETLOGON share root - NOT recommended as it is maintenance intensive.
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>
|
||||
Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file
|
||||
in the root of the NETLOGON share along with the new default profile.
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>
|
||||
Create a GPO that enforces this through Active Directory, and place the new default profile
|
||||
in the NETLOGON share.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>
|
||||
The Registry Hive key that affects the behaviour of folders that are part of the default user profile
|
||||
are controlled by entries on Windows 200x/XP is:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<programlisting>
|
||||
HKEY_CURRENT_USER
|
||||
\Software
|
||||
\Microsoft
|
||||
\Windows NT
|
||||
\CurrentVersion
|
||||
\Explorer
|
||||
\User Shell Folders\
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
The above hive key contains a list of automatically managed folders. The default entries are:
|
||||
</para>
|
||||
|
||||
<para>
|
||||
<programlisting>
|
||||
Name Default Value
|
||||
-------------- -----------------------------------------
|
||||
AppData %USERPROFILE%\Application Data
|
||||
Cache %USERPROFILE%\Local Settings\Temporary Internet Files
|
||||
Cookies %USERPROFILE%\Cookies
|
||||
Desktop %USERPROFILE%\Desktop
|
||||
Favorites %USERPROFILE%\Favorites
|
||||
History %USERPROFILE%\Local Settings\History
|
||||
Local AppData %USERPROFILE%\Local Settings\Application Data
|
||||
Local Settings %USERPROFILE%\Local Settings
|
||||
My Pictures %USERPROFILE%\My Documents\My Pictures
|
||||
NetHood %USERPROFILE%\NetHood
|
||||
Personal %USERPROFILE%\My Documents
|
||||
PrintHood %USERPROFILE%\PrintHood
|
||||
Programs %USERPROFILE%\Start Menu\Programs
|
||||
Recent %USERPROFILE%\Recent
|
||||
SendTo %USERPROFILE%\SendTo
|
||||
Start Menu %USERPROFILE%\Start Menu
|
||||
Startup %USERPROFILE%\Start Menu\Programs\Startup
|
||||
Templates %USERPROFILE%\Templates
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
There is also an entry called "Default" that has no value set. The default entry is of type REG_SZ, all
|
||||
the others are of type REG_EXPAND_SZ.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
It makes a huge difference to the speed of handling roaming user profiles if all the folders are
|
||||
stored on a dedicated location on a network server. This means that it will NOT be necessary to
|
||||
write Outlook PST file over the network for every login and logout.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
To set this to a network location you could use the followin examples:
|
||||
|
||||
%LOGONSERVER%\%USERNAME%\Default Folders
|
||||
|
||||
This would store the folders in the user's home directory under a directory called "Default Folders"
|
||||
|
||||
You could also use:
|
||||
|
||||
\\SambaServer\FolderShare\%USERNAME%
|
||||
|
||||
in which case the default folders will be stored in the server named <emphasis>SambaServer</emphasis>
|
||||
in the share called <emphasis>FolderShare</emphasis> under a directory that has the name of the MS Windows
|
||||
user as seen by the Linux/Unix file system.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Please note that once you have created a default profile share, you MUST migrate a user's profile
|
||||
(default or custom) to it.
|
||||
</para>
|
||||
|
||||
</sect2
|
||||
</sect1>
|
||||
|
||||
</chapter>
|
||||
|
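Review bot: the markup added in this hunk is not well-formed. The introductory paragraph of "Default Profile for Windows Users" ends with <para> where </para> is needed, and the last section closes with "</sect2" without its ">", so the chapter will not parse. The text is also inconsistent about the directory name: the client path is given as %LOGONSERVER%\NETLOGON\Default User, yet the note that follows says the directory must be called Default Profile. Pick one, because the next paragraph says a missing directory makes the client fall back to the local default profile, so a wrong name here defeats the site-wide default. The two network-location examples near the end sit as bare text inside a <para>; wrap them in <filename> or <programlisting> like the other paths. There is an unclosed parenthesis in "(or change the contents of this location", and several typos should be fixed before merge: "benenfit", "per use profiles", "gladly user it", "if one exits there", "msut", "loging out", "followin".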