mirror of https://github.com/samba-team/samba.git synced 2025-01-20 14:03:59 +03:00

More edits on profile management.

John Terpstra -
parent 5827981c0d
commit 7dac688c4d

@ -412,7 +412,7 @@ nominated.
<para>
Done. You now have a profile that can be editted using the samba-3.0.0
profiles tool.
<filename>profiles</filename> tool.
</para>
<note>
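Review bot: the context line directly above the changed one still reads "can be editted"; since this paragraph is being touched, correct it to "edited" in the same commit. For the new markup, profiles is a program rather than a path, so <command>profiles</command> describes it more accurately than <filename>, and it keeps tool names distinguishable from paths such as NTUser.DAT elsewhere in the chapter.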
@ -619,9 +619,29 @@ subkey, you will see a string value named ProfileImagePath.
<title>Mandatory profiles</title>
<para>
The above method can be used to create mandatory profiles also. To convert
a group profile into a mandatory profile simply locate the NTUser.DAT file
in the copied profile and rename it to NTUser.MAN.
A Mandatory Profile is a profile that the user does NOT have the ability to overwrite.
During the user's session it may be possible to change the desktop environment, but
as the user logs out all changes made will be lost. If it is desired to NOT allow the
user any ability to change the desktop environment then this must be done through
policy settings. See previous chapter.
</para>
<note>
<para>
Under NO circumstances should the profile directory (or it's contents) be made read-only
as this may render the profile un-usable.
</para>
</note>
<para>
For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles
also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT
file in the copied profile and rename it to NTUser.MAN.
</para>
<para>
For MS Windows 9x / Me it is the User.DAT file that must be renamed to User.MAN to
affect a mandatory profile.
</para>
</sect1>
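Review bot: the new note says the profile directory must never be made read-only, but neither it nor the surrounding paragraphs say how an administrator should then stop a user from altering a mandatory profile on the server; "this must be done through policy settings. See previous chapter." is the only pointer, and it has no cross-reference. Please state what is expected instead (for example, which side enforces the discard of changes at logout) and replace "See previous chapter" with a proper link to the policy chapter. Wording in the added lines also needs a pass: "it's contents" should be "its contents", and "to affect a mandatory profile" should be "to effect a mandatory profile". The file names NTUser.DAT, NTUser.MAN, User.DAT and User.MAN would be better wrapped in <filename>, as is done for paths in the rest of this change.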
@ -630,7 +650,229 @@ in the copied profile and rename it to NTUser.MAN.
<title>Creating/Managing Group Profiles</title>
<para>
Blah goes here.
Most organisations are arranged into departments. There is a nice benenfit in
this fact since usually most users in a department will require the same desktop
applications and the same desktop layout. MS Windows NT4/200x/XP will allow the
use of Group Profiles. A Group Profile is a profile that is created firstly using
a template (example) user. Then using the profile migration tool (see above) the
profile is assigned access rights for the user group that needs to be given access
to the group profile.
</para>
<para>
The next step is rather important. PLEASE NOTE: Instead of assigning a group profile
to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned
the now modified profile.
</para>
<note>
<para>
Be careful with group profiles, if the user who is a member of a group also
has a personal profile, then the result will be a fusion (merge) of the two.
</para>
</note>
</sect1>
<sect1>
<title>Default Profile for Windows Users</title>
<para>
MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom
a profile does not already exist. Armed with a knowledge of where the default profile
is located on the Windows workstation, and knowing which registry keys affect the path
from which the default profile is created, it is possible to modify the default profile
to one that has been optimised for the site. This has significant administrative
advantages.
<para>
<sect2>
<title>MS Windows 9x/Me</title>
<para>
To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System
Policy Editor or change the registry directly.
</para>
<para>
To enable default per user profiles in Windows 9x / Me, launch the System Policy Editor, then
select File -> Open Registry, then click on the Local Computer icon, click on Windows 98 System,
select User Profiles, click on the enable box. Do not forget to save the registry changes.
</para>
<para>
To modify the registry directly, launch the Registry Editor (regedit.exe), select the hive
<filename>HKEY_LOCAL_MACHINE\Network\Logon</filename>. Now add a DWORD type key with the name
"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0.
</para>
</sect2>
<sect2>
<title>MS Windows NT4 Workstation</title>
<para>
Document NT4 default profile handling stuff here! Someone - please contribute appropriate
material here. Email your contribution to jht@samba.org.
</para>
</sect2>
<sect2>
<title>MS Windows 200x/XP</title>
<note>
<para>
MS Windows XP Home Edition does use default per user profiles, but can not participate
in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile
only from itself. While there are benefits in doing this the beauty of those MS Windows
clients that CAN participate in domain logon processes allows the administrator to create
a global default profile and to enforce it through the use of Group Policy Objects (GPOs).
</para>
</note>
<para>
When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from
<filename>C:\Documents and Settings\Default User</filename>. The administrator can modify (or change
the contents of this location and MS Windows 200x/XP will gladly user it. This is far from the optimum
arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client
workstation.
</para>
<para>
When MS Windows 200x/XP participate in a domain security context, and if the default user
profile is not found, then the client will search for a default profile in the NETLOGON share
of the authenticating server. ie: In MS Windows parlance:
<filename>%LOGONSERVER%\NETLOGON\Default User</filename> and if one exits there it will copy this
to the workstation to the <filename>C:\Documents and Settings\</filename> under the Windows
login name of the user.
</para>
<note>
<para>
This path translates, in Samba parlance, to the smb.conf [NETLOGON] share. The directory
should be created at the root of this share and msut be called <filename>Default Profile</filename>.
</para>
</note>
<para>
If a default profile does not exist in this location then MS Windows 200x/XP will use the local
default profile.
</para>
<para>
On loging out, the users' desktop profile will be stored to the location specified in the registry
settings that pertain to the user. If no specific policies have been created, or passed to the client
during the login process (as Samba does automatically), then the user's profile will be written to
the local machine only under the path <filename>C:\Documents and Settings\%USERNAME%</filename>.
</para>
<para>
Those wishing to modify the default behaviour can do so through up to three methods:
</para>
<itemizedlist>
<listitem>
<para>
Modify the registry keys on the local machine manually and place the new default profile in the
NETLOGON share root - NOT recommended as it is maintenance intensive.
</para>
</listitem>
<listitem>
<para>
Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file
in the root of the NETLOGON share along with the new default profile.
</para>
</listitem>
<listitem>
<para>
Create a GPO that enforces this through Active Directory, and place the new default profile
in the NETLOGON share.
</para>
</listitem>
</itemizedlist>
<para>
The Registry Hive key that affects the behaviour of folders that are part of the default user profile
are controlled by entries on Windows 200x/XP is:
</para>
<para>
<programlisting>
HKEY_CURRENT_USER
\Software
\Microsoft
\Windows NT
\CurrentVersion
\Explorer
\User Shell Folders\
</programlisting>
</para>
<para>
The above hive key contains a list of automatically managed folders. The default entries are:
</para>
<para>
<programlisting>
Name Default Value
-------------- -----------------------------------------
AppData %USERPROFILE%\Application Data
Cache %USERPROFILE%\Local Settings\Temporary Internet Files
Cookies %USERPROFILE%\Cookies
Desktop %USERPROFILE%\Desktop
Favorites %USERPROFILE%\Favorites
History %USERPROFILE%\Local Settings\History
Local AppData %USERPROFILE%\Local Settings\Application Data
Local Settings %USERPROFILE%\Local Settings
My Pictures %USERPROFILE%\My Documents\My Pictures
NetHood %USERPROFILE%\NetHood
Personal %USERPROFILE%\My Documents
PrintHood %USERPROFILE%\PrintHood
Programs %USERPROFILE%\Start Menu\Programs
Recent %USERPROFILE%\Recent
SendTo %USERPROFILE%\SendTo
Start Menu %USERPROFILE%\Start Menu
Startup %USERPROFILE%\Start Menu\Programs\Startup
Templates %USERPROFILE%\Templates
</programlisting>
</para>
<para>
There is also an entry called "Default" that has no value set. The default entry is of type REG_SZ, all
the others are of type REG_EXPAND_SZ.
</para>
<para>
It makes a huge difference to the speed of handling roaming user profiles if all the folders are
stored on a dedicated location on a network server. This means that it will NOT be necessary to
write Outlook PST file over the network for every login and logout.
</para>
<para>
To set this to a network location you could use the followin examples:
%LOGONSERVER%\%USERNAME%\Default Folders
This would store the folders in the user's home directory under a directory called "Default Folders"
You could also use:
\\SambaServer\FolderShare\%USERNAME%
in which case the default folders will be stored in the server named <emphasis>SambaServer</emphasis>
in the share called <emphasis>FolderShare</emphasis> under a directory that has the name of the MS Windows
user as seen by the Linux/Unix file system.
</para>
<para>
Please note that once you have created a default profile share, you MUST migrate a user's profile
(default or custom) to it.
</para>
</sect2
</sect1>
</chapter>
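Review bot: this hunk is not well-formed DocBook and will not build as submitted. In the "Default Profile for Windows Users" section the opening paragraph ends with a second "<para>" where "</para>" is needed, and the last section is closed with "</sect2" with no ">". Beyond that, the text contradicts itself on the directory name: the paragraph on domain logons gives the location as "%LOGONSERVER%\NETLOGON\Default User", while the note immediately after it says the directory "must be called Default Profile"; only one of these can be what the client looks for, and an administrator who follows the wrong one will silently get the local default profile instead, so please confirm and use a single name. The paragraph on network locations runs two example paths and their explanations together inside one <para>; put each path in its own <programlisting> or <filename>. The sentence introducing the registry key ("The Registry Hive key that affects ... are controlled by entries on Windows 200x/XP is:") does not parse and should be rewritten. The "(or change" parenthesis in the Default User paragraph is never closed. The NT4 section and the earlier "Blah goes here" replacement are fine as intent, but "Document NT4 default profile handling stuff here!" is a placeholder that will ship in the published guide; consider a comment instead. Typos in added lines: "benenfit", "per use profiles", "gladly user it", "if one exits there", "msut", "loging out", "followin".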