<chapter id="ProfileMgmt">
<chapterinfo>
	&author.jht;
	<pubdate>April 3 2003</pubdate>
</chapterinfo>

<title>Desktop Profile Management</title>

<sect1>
<title>Features and Benefits</title>

<para>
Roaming Profiles are feared by some, hated by a few, loved by many, and a Godsend for
some administrators.
</para>

<para>
Roaming Profiles allow an administrator to make available a consistent user desktop
as the user moves from one machine to another. This chapter provides much information
regarding how to configure and manage Roaming Profiles.
</para>

<para>
While Roaming Profiles might sound like nirvana to some, they are a real and tangible
problem to others. In particular, users of mobile computing tools, where often there may not
be a sustained network connection, are often better served by purely Local Profiles.
This chapter provides information to help the Samba administrator to deal with those
situations also.
</para>

</sect1>

<sect1>
<title>Roaming Profiles</title>

<warning>
<para>
Roaming profile support is different for Windows 9x / Me and Windows NT4/200x.
</para>
</warning>

<para>
Before discussing how to configure roaming profiles, it is useful to see how
Windows 9x / Me and Windows NT4/200x clients implement these features.
</para>

<para>
Windows 9x / Me clients send a NetUserGetInfo request to the server to get the user's
profile location. However, the response does not have room for a separate
profile location field, only the user's home share. This means that Windows 9x / Me
profiles are restricted to being stored in the user's home directory.
</para>

<para>
Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields,
including a separate field for the location of the user's profile.
</para>

<sect2>
<title>Samba Configuration for Profile Handling</title>

<para>
This section documents how to configure Samba for MS Windows client profile support.
</para>

<sect3>
<title>NT4/200x User Profiles</title>

<para>
To support Windows NT4/200x clients, in the [global] section of &smb.conf; set the
following (for example):
</para>

<para>
<programlisting>
logon path = \\profileserver\profileshare\profilepath\%U\moreprofilepath
</programlisting>

This is typically implemented like:

<programlisting>
logon path = \\%L\Profiles\%u
</programlisting>
where %L translates to the name of the Samba server and %u translates to the user name.
</para>

<para>
The default for this option is <filename>\\%N\%U\profile</filename>,
namely <filename>\\sambaserver\username\profile</filename>.
The <filename>\\%N\%U</filename> service is created automatically by the [homes] service. If you are using
a Samba server for the profiles, you <emphasis>must</emphasis> make the share specified in the logon path
browseable. Please refer to the man page for &smb.conf; in respect of the different
semantics of %L and %N, as well as %U and %u.
</para>

<note>
<para>
MS Windows NT/2K clients at times do not disconnect a connection to a server
between logons. It is recommended to NOT use the <parameter>homes</parameter>
meta-service name as part of the profile share path.
</para>
</note>
</sect3>

<sect3>
<title>Windows 9x / Me User Profiles</title>

<para>
To support Windows 9x / Me clients, you must use the <parameter>logon home</parameter> parameter. Samba has
now been fixed so that <userinput>net use /home</userinput> works as well, and it, too, relies
on the <parameter>logon home</parameter> parameter.
</para>

<para>
By using the <parameter>logon home</parameter> parameter, you are restricted to putting Windows 9x / Me
profiles in the user's home directory. But wait! There is a trick you
can use. If you set the following in the <parameter>[global]</parameter> section of your &smb.conf; file:
</para>

<para><programlisting>
logon home = \\%L\%U\.profiles
</programlisting></para>

<para>
then your Windows 9x / Me clients will dutifully put their profiles in a subdirectory
of your home directory called <filename>.profiles</filename> (thus making them hidden).
</para>

<para>
Not only that, but <userinput>net use /home</userinput> will also work, because of a feature in
Windows 9x / Me. It removes any directory components off the end of the home directory area
and only uses the server and share portion. That is, it looks like you
specified <filename>\\%L\%U</filename> for <parameter>logon home</parameter>.
</para>
</sect3>

<sect3>
<title>Mixed Windows 9x / Me and Windows NT4/200x User Profiles</title>

<para>
You can support profiles for both Windows 9x / Me and Windows NT4/200x clients by setting both the
<parameter>logon home</parameter> and <parameter>logon path</parameter> parameters. For example:
</para>

<para><programlisting>
logon home = \\%L\%u\.profiles
logon path = \\%L\profiles\%u
</programlisting></para>

</sect3>

<sect3>
<title>Disabling Roaming Profile Support</title>

<para>
A question often asked is <quote>How may I enforce use of local profiles?</quote> or
<quote>How do I disable Roaming Profiles?</quote>
</para>

<para>
There are three ways of doing this:
</para>

<variablelist>
<varlistentry>
<term>In &smb.conf;</term>
<listitem><para>
Apply the following settings and ALL clients
will be forced to use a local profile:
<programlisting>
logon home =
logon path =
</programlisting>
</para></listitem>
</varlistentry>

<varlistentry>
<term>MS Windows Registry:</term>
<listitem><para>
By using the Microsoft Management Console gpedit.msc to instruct your MS Windows XP machine to use only a local profile. This of course modifies registry settings. The full path to the option is:
<programlisting>
Local Computer Policy\
Computer Configuration\
Administrative Templates\
System\
User Profiles\

Enable: Only Allow Local User Profiles
Enable: Prevent Roaming Profile Changes from Propagating to the Server
</programlisting>
</para></listitem>
</varlistentry>

<varlistentry>
<term>Change of Profile Type:</term>
<listitem><para>
From the start menu right click on the
My Computer icon, select <guimenuitem>Properties</guimenuitem>, click on the <guilabel>User Profiles</guilabel>
tab, select the profile you wish to change from Roaming type to Local, click <guibutton>Change Type</guibutton>.
</para></listitem>
</varlistentry>
</variablelist>

<para>
Consult the MS Windows registry guide for your particular MS Windows version for more
information about which registry keys to change to enforce use of only local user
profiles.
</para>

<note><para>
The specifics of how to convert a local profile to a roaming profile, or a roaming profile
to a local one vary according to the version of MS Windows you are running. Consult the
Microsoft MS Windows Resource Kit for your version of Windows for specific information.
</para></note>
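<para>
As an added example that is not part of this chapter or of Samba, the following script reads a minimal &smb.conf;, expands the %L, %N, %U and %u substitutions for one server and user, and reports what each client family will use: the NT4/200x profile location from <parameter>logon path</parameter>, the Windows 9x / Me profile location from <parameter>logon home</parameter>, and the <userinput>net use /home</userinput> mapping that keeps only the server and share. It also flags two of the mistakes described above (a logon path served by the <parameter>[homes]</parameter> meta-service, and a profile share that is not browseable) and shows that blank values give local profiles on every client. The server name SAMBA, the user alice, both sample configurations and all function names are assumptions made for the demo.
</para>

```python
"""Resolve the profile locations that smb.conf hands to Windows clients.

Added illustration, not code from Samba: a minimal smb.conf reader plus the
client-side rules described in this chapter. Server name, user name and the
sample configurations are constructed for the demo.
"""
import re

# smb.conf(5) defaults, used when [global] does not set the parameter at all
DEFAULT_LOGON_PATH = r"\\%N\%U\profile"
DEFAULT_LOGON_HOME = r"\\%N\%U"

# Constructed sample: the mixed Win9x/NT configuration shown above
SAMPLE_SMB_CONF = r"""
[global]
    workgroup = MIDEARTH
    logon home = \\%L\%U\.profiles
    logon path = \\%L\profiles\%u

[profiles]
    path = /var/lib/samba/profiles
    browseable = yes
    writeable = yes

[homes]
    browseable = no
    writeable = yes
"""

# Constructed sample: both parameters blank, which forces local profiles
LOCAL_ONLY_SMB_CONF = "[global]\n    logon home =\n    logon path =\n"


def _norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return "".join(name.lower().split())


def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}}; '#'/';' lines are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][_norm(key)] = value.strip()
    return conf


def expand(value, server, user):
    """Expand %L/%N (server names) and %U/%u (user names).

    %N is the NIS home server and equals %L without automount support; %U is
    the session user and %u the service user, which coincide for a domain
    logon, so the demo maps each pair to a single value.
    """
    table = {"%L": server, "%N": server, "%U": user, "%u": user}
    return re.sub(r"%[LNUu]", lambda m: table[m.group(0)], value)


def split_unc(path):
    r"""\\server\share\rest -> (server, share, rest); missing parts are ''."""
    parts = path.lstrip("\\").split("\\")
    share = parts[1] if len(parts) > 1 else ""
    return parts[0], share, "\\".join(parts[2:])


def client_view(conf, server, user):
    """Where each client family will look; None means a local profile."""
    g = conf.get("global", {})
    nt_profile = expand(g.get("logonpath", DEFAULT_LOGON_PATH), server, user) or None
    home = expand(g.get("logonhome", DEFAULT_LOGON_HOME), server, user)
    net_use_home = None
    if home:
        srv, share, _ = split_unc(home)
        # Win9x/Me keeps only \\server\share for 'net use /home' but stores
        # the profile at the full logon home path
        net_use_home = "\\\\%s\\%s" % (srv, share)
    return {"nt_profile": nt_profile, "win9x_profile": home or None,
            "net_use_home": net_use_home}


def lint(conf, server, user):
    """Flag the logon path mistakes this chapter warns about."""
    problems = []
    path = client_view(conf, server, user)["nt_profile"]
    if not path:
        return problems                       # local profiles: nothing to check
    _, share, _ = split_unc(path)
    section = conf.get(share.lower())
    if share.lower() in ("homes", user.lower()):
        problems.append("logon path %s is served by the [homes] meta-service; "
                        "use a dedicated share" % path)
    elif section is None:
        problems.append("logon path %s refers to share [%s], which is not defined" % (path, share))
    elif section.get("browseable", section.get("browsable", "yes")).lower() in ("no", "false", "0"):
        problems.append("share [%s] used by logon path must be browseable" % share)
    return problems


if __name__ == "__main__":
    for name, text in (("mixed", SAMPLE_SMB_CONF), ("local only", LOCAL_ONLY_SMB_CONF)):
        conf = parse_smb_conf(text)
        print(name, client_view(conf, "SAMBA", "alice"), lint(conf, "SAMBA", "alice"))
```

<para>
Run against a real configuration, feed the script the text of your &smb.conf; and the NetBIOS name your clients use; the lint output is only as good as the share names it can see in that file.
</para>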

</sect3>
</sect2>

<sect2>
<title>Windows Client Profile Configuration Information</title>

<sect3>
<title>Windows 9x / Me Profile Setup</title>

<para>
When a user first logs in on Windows 9x / Me, the file <filename>user.DAT</filename> is created,
as are the folders <filename>Start Menu</filename>, <filename>Desktop</filename>,
<filename>Programs</filename> and <filename>Nethood</filename>.
These directories and their contents will be merged with the local
versions stored in <filename>c:\windows\profiles\username</filename> on subsequent logins,
taking the most recent from each. You will need to use the <parameter>[global]</parameter>
options <parameter>preserve case = yes</parameter>, <parameter>short preserve case = yes</parameter> and
<parameter>case sensitive = no</parameter> in order to maintain capital letters in shortcuts
in any of the profile folders.
</para>

<para>
The <filename>user.DAT</filename> file contains all the user's preferences. If you wish to
enforce a set of preferences, rename their <filename>user.DAT</filename> file to <filename>user.MAN</filename>,
and deny them write access to this file.
</para>

<orderedlist>
<listitem>
<para>
On the Windows 9x / Me machine, go to <guimenu>Control Panel</guimenu> -> <guimenuitem>Passwords</guimenuitem> and
select the <guilabel>User Profiles</guilabel> tab. Select the required level of
roaming preferences. Press <guibutton>OK</guibutton>, but do <emphasis>not</emphasis> allow the computer
to reboot.
</para>
</listitem>

<listitem>
<para>
On the Windows 9x / Me machine, go to <guimenu>Control Panel</guimenu> -> <guimenuitem>Network</guimenuitem> ->
<guimenuitem>Client for Microsoft Networks</guimenuitem> -> <guilabel>Preferences</guilabel>. Select <guilabel>Log on to
NT Domain</guilabel>. Then, ensure that the Primary Logon is <guilabel>Client for
Microsoft Networks</guilabel>. Press <guibutton>OK</guibutton>, and this time allow the computer
to reboot.
</para>
</listitem>
</orderedlist>

<para>
Under Windows 9x / Me, profiles are downloaded from the Primary Logon.
If you have the Primary Logon as <guilabel>Client for Novell Networks</guilabel>, then
the profiles and logon script will be downloaded from your Novell
server. If you have the Primary Logon as <guilabel>Windows Logon</guilabel>, then the
profiles will be loaded from the local machine - a bit against the
concept of roaming profiles, it would seem!
</para>

<para>
You will now find that the Microsoft Networks Login box contains
[user, password, domain] instead of just [user, password]. Type in
the Samba server's domain name (or any other domain known to exist,
but bear in mind that the user will be authenticated against this
domain and profiles downloaded from it, if that domain logon server
supports it), user name and user's password.
</para>

<para>
Once the user has been successfully validated, the Windows 9x / Me machine
will inform you that <computeroutput>The user has not logged on before</computeroutput> and ask
whether you wish to save the user's preferences. Select <guibutton>Yes</guibutton>.
</para>

<para>
Once the Windows 9x / Me client comes up with the desktop, you should be able
to examine the contents of the directory specified by <parameter>logon home</parameter>
on the Samba server (Windows 9x / Me clients take the profile location from the home
directory, not from <parameter>logon path</parameter>) and verify that the <filename>Desktop</filename>,
<filename>Start Menu</filename>, <filename>Programs</filename> and <filename>Nethood</filename>
folders have been created.
</para>

<para>
These folders will be cached locally on the client, and updated when
the user logs off (if you haven't made them read-only by then).
You will find that if the user creates further folders or short-cuts,
the client will merge the profile contents downloaded with the
contents of the profile directory already on the local client, taking
the newest folders and short-cuts from each set.
</para>

<para>
If you have made the folders / files read-only on the Samba server,
then you will get errors from the Windows 9x / Me machine on logon and logout, as
it attempts to merge the local and the remote profile. Basically, if
you have any errors reported by the Windows 9x / Me machine, check the Unix file
permissions and ownership rights on the profile directory contents
on the Samba server.
</para>

<para>
If you have problems creating user profiles, you can reset the user's
local desktop cache, as shown below. When this user then next logs in,
they will be told that they are logging in <quote>for the first time</quote>.
</para>

<orderedlist>
<listitem>
<para>
Instead of logging in under the [user, password, domain] dialog,
press <guibutton>Escape</guibutton>.
</para>
</listitem>

<listitem>
<para>
Run the <command>regedit.exe</command> program, and look in:
</para>

<para>
<filename>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</filename>
</para>

<para>
Under a subkey for each user you will find a value named ProfilePath. Note the
contents of this value (likely to be <filename>c:\windows\profiles\username</filename>),
then delete the ProfilePath value for the required user.
</para>

<para>Exit the registry editor.</para>
</listitem>

<listitem>
<warning>
<para>
Before deleting the contents of the
directory listed in the ProfilePath (this is likely to be
<filename>c:\windows\profiles\username</filename>), ask the user if they
have any important files stored on their desktop or in their start menu.
</para>
</warning>

<para>
Delete the contents of the directory ProfilePath (making a backup if any
of the files are needed).
This will have the effect of removing the local (read-only hidden
system file) <filename>user.DAT</filename> in their profile directory, as well as the
local <filename>Desktop</filename>, <filename>Nethood</filename>, <filename>Start Menu</filename> and <filename>Programs</filename> folders.
</para>
</listitem>

<listitem>
<para>
Search for the user's .PWL password-caching file in the <filename>c:\windows</filename>
directory, and delete it.
</para>
</listitem>

<listitem>
<para>
Log off the Windows 9x / Me client.
</para>
</listitem>

<listitem>
<para>
Check the contents of the profile directory on the server (the <parameter>logon home</parameter>
location described above), and delete the <filename>user.DAT</filename> or <filename>user.MAN</filename> file for the user,
making a backup if required.
</para>
</listitem>
</orderedlist>

<para>
If all else fails, increase Samba's debug log level to between 3 and 10
(the <parameter>log level</parameter> parameter in &smb.conf;),
and / or run a packet trace program such as ethereal or <command>netmon.exe</command>, and
look for error messages.
</para>

<para>
If you have access to a Windows NT4/200x server, then first set up roaming profiles
and / or netlogons on the Windows NT4/200x server. Make a packet trace, or examine
the example packet traces provided with Windows NT4/200x server, and see what the
differences are with the equivalent Samba trace.
</para>

</sect3>

<sect3>
<title>Windows NT4 Workstation</title>

<para>
When a user first logs in to a Windows NT Workstation, the profile
<filename>NTuser.DAT</filename> is created. The profile location can now be specified
through the <parameter>logon path</parameter> parameter.
</para>

<para>
There is a parameter that is now available for use with NT Profiles:
<parameter>logon drive</parameter>. This should be set to <filename>H:</filename> or any other drive, and
should be used in conjunction with the <parameter>logon home</parameter> parameter.
</para>

<para>
The entry for the NT4 profile is a <emphasis>directory</emphasis>, not a file. The NT
help on profiles mentions that a directory is also created with a .PDS
extension. The user, while logging in, must have write permission to
create the full profile path (and the folder with the .PDS extension
for those situations where it might be created).
</para>

<para>
In the profile directory, Windows NT4 creates more folders than Windows 9x / Me.
It creates <filename>Application Data</filename> and others, as well as <filename>Desktop</filename>, <filename>Nethood</filename>,
<filename>Start Menu</filename> and <filename>Programs</filename>. The profile itself is stored in a file
<filename>NTuser.DAT</filename>. Nothing appears to be stored in the .PDS directory, and
its purpose is currently unknown.
</para>

<para>
You can use the <application>System Control Panel</application> to copy a local profile onto
a Samba server (see NT Help on profiles: it is also capable of firing
up the correct location in the <application>System Control Panel</application> for you). The
NT Help file also mentions that renaming <filename>NTuser.DAT</filename> to <filename>NTuser.MAN</filename>
turns a profile into a mandatory one.
</para>

<para>
The case of the profile is significant. The file must be called
<filename>NTuser.DAT</filename> or, for a mandatory profile, <filename>NTuser.MAN</filename>.
</para>
</sect3>

<sect3>
<title>Windows 2000/XP Professional</title>

<para>
You must first convert the profile from a local profile to a domain
profile on the MS Windows workstation as follows:
</para>

<procedure>
<step><para>
Log on as the <emphasis>LOCAL</emphasis> workstation administrator.
</para></step>

<step><para>
Right click on the <guiicon>My Computer</guiicon> icon, select <guimenuitem>Properties</guimenuitem>
</para></step>

<step><para>
Click on the <guilabel>User Profiles</guilabel> tab
</para></step>

<step><para>
Select the profile you wish to convert (click on it once)
</para></step>

<step><para>
Click on the button <guibutton>Copy To</guibutton>
</para></step>

<step><para>
In the <guilabel>Permitted to use</guilabel> box, click on the <guibutton>Change</guibutton> button.
</para></step>

<step><para>
Click on the <guilabel>Look in</guilabel> area that lists the machine name; when you click
here it will open up a selection box. Click on the domain to which the
profile must be accessible.
</para>

<note><para>You will need to log on if a logon box opens up. E.g.: in the connect
as: <replaceable>MIDEARTH</replaceable>\root, password: <replaceable>mypassword</replaceable>.</para></note>
</step>

<step><para>
To make the profile capable of being used by anyone select <guilabel>Everyone</guilabel>
</para></step>

<step><para>
Click <guibutton>OK</guibutton>. The selection box will close.
</para></step>

<step><para>
Now click on the <guibutton>OK</guibutton> button to create the profile in the path you
nominated.
</para></step>
</procedure>

<para>
Done. You now have a profile that can be edited using the Samba-3.0.0
<command>profiles</command> tool.
</para>

<note>
<para>
Under NT/2K the use of mandatory profiles forces the use of MS Exchange
storage of mail data. That keeps desktop profiles usable.
</para>
</note>

<note>
<procedure>
<step><para>
Windows XP (or maybe only Windows XP Service Pack 1) performs a security check
that the user owns the roaming profile folder before loading it. It can be disabled via a group policy in
Active Directory. The policy is:</para>

<para><filename>Computer Configuration\Administrative Templates\System\User
Profiles\Do not check for user ownership of Roaming Profile Folders</filename></para>

<para>...and it should be set to <constant>Enabled</constant>.
Does the new version of Samba have an Active Directory analogue? If so,
then you may be able to set the policy through this.
</para>

<para>
If you cannot set group policies in Samba, then you may be able to set
the policy locally on each machine. If you want to try this, then do
the following (N.B. I don't know for sure that this will work in the
same way as a domain group policy):
</para>
</step>

<step><para>
On the XP workstation log in with an Administrator account.
</para></step>

<step><para>Click: <guimenu>Start</guimenu>, <guimenuitem>Run</guimenuitem></para></step>
<step><para>Type: <userinput>mmc</userinput></para></step>
<step><para>Click: <guibutton>OK</guibutton></para></step>

<step><para>A Microsoft Management Console should appear.</para></step>
<step><para>Click: <guimenu>File</guimenu>, <guimenuitem>Add/Remove Snap-in...</guimenuitem>, <guimenuitem>Add</guimenuitem></para></step>
<step><para>Double-Click: <guiicon>Group Policy</guiicon></para></step>
<step><para>Click: <guibutton>Finish</guibutton>, <guibutton>Close</guibutton></para></step>
<step><para>Click: <guibutton>OK</guibutton></para></step>

<step><para>In the <guilabel>Console Root</guilabel> window:</para></step>
<step><para>Expand: <guiicon>Local Computer Policy</guiicon>, <guiicon>Computer Configuration</guiicon>,
<guiicon>Administrative Templates</guiicon>, <guiicon>System</guiicon>, <guiicon>User Profiles</guiicon></para></step>
<step><para>Double-Click: <guilabel>Do not check for user ownership of Roaming Profile Folders</guilabel></para></step>
<step><para>Select: <guilabel>Enabled</guilabel></para></step>
<step><para>Click: <guibutton>OK</guibutton></para></step>

<step><para>Close the whole console. You do not need to save the settings (this
refers to the console settings rather than the policies you have
changed).</para></step>

<step><para>Reboot</para></step>
</procedure>
</note>
</sect3>
</sect2>

<sect2>
<title>Sharing Profiles between W9x/Me and NT4/200x/XP workstations</title>

<para>
Sharing of desktop profiles between Windows versions is NOT recommended.
Desktop profiles are an evolving phenomenon and profiles for later versions
of MS Windows clients add features that may interfere with earlier versions
of MS Windows clients. Probably the more salient reason to NOT mix profiles
is that when logging off an earlier version of MS Windows the older format
of profile contents may overwrite information that belongs to the newer
version resulting in loss of profile information content when that user logs
on again with the newer version of MS Windows.
</para>

<para>
If you then want to share the same Start Menu / Desktop with W9x/Me, you will
need to specify a common location for the profiles. The &smb.conf; parameters
that need to be common are <parameter>logon path</parameter> and
<parameter>logon home</parameter>.
</para>

<para>
If you have this set up correctly, you will find separate <filename>user.DAT</filename> and
<filename>NTuser.DAT</filename> files in the same profile directory.
</para>

</sect2>

<sect2>
<title>Profile Migration from Windows NT4/200x Server to Samba</title>

<para>
There is nothing to stop you specifying any path that you like for the
location of users' profiles. Therefore, you could specify that the
profile be stored on a Samba server, or any other SMB server, as long as
that SMB server supports encrypted passwords.
</para>

<sect3>
<title>Windows NT4 Profile Management Tools</title>

<para>
Unfortunately, the Resource Kit information is specific to the version of MS Windows
NT4/200x. The correct resource kit is required for each platform.
</para>

<para>
Here is a quick guide:
</para>

<procedure>
<step><para>
On your NT4 Domain Controller, right click on <guiicon>My Computer</guiicon>, then
select the tab labelled <guilabel>User Profiles</guilabel>.
</para></step>

<step><para>
Select a user profile you want to migrate and click on it.
</para>

<note><para>I am using the term "migrate" loosely. You can copy a profile to
create a group profile. You can give the user 'Everyone' rights to the
profile you copy this to. That is what you need to do, since your Samba
domain is not a member of a trust relationship with your NT4 PDC.</para></note>
</step>

<step><para>Click the <guibutton>Copy To</guibutton> button.</para></step>

<step><para>In the box labelled <guilabel>Copy Profile to</guilabel> add your new path, e.g.:
<filename>c:\temp\foobar</filename></para></step>

<step><para>Click on the button <guibutton>Change</guibutton> in the <guilabel>Permitted to use</guilabel> box.</para></step>

<step><para>Click on the group <guilabel>Everyone</guilabel> and then click <guibutton>OK</guibutton>. This closes the
<guilabel>Choose User</guilabel> box.</para></step>

<step><para>Now click <guibutton>OK</guibutton>.</para></step>
</procedure>

<para>
Follow the above for every profile you need to migrate.
</para>

</sect3>

<sect3>
<title>Side bar Notes</title>

<para>
You should obtain the SID of your NT4 domain. You can use <command>smbpasswd</command> to do
this. Read the man page.</para>

<para>
With Samba-3.0.0 alpha code you can import all your NT4 domain accounts
using the <command>net samsync</command> method. This way you can retain your profile
settings as well as all your users.
</para>

</sect3>

<sect3>
<title>moveuser.exe</title>

<para>
The W2K professional resource kit has <command>moveuser.exe</command>. <command>moveuser.exe</command> changes
the security of a profile from one user to another. This allows the account
domain to change, and/or the user name to change.
</para>

</sect3>

<sect3>
<title>Get SID</title>

<para>
You can identify the SID by using <command>GetSID.exe</command> from the Windows NT Server 4.0
Resource Kit.
</para>

<para>
Windows NT 4.0 stores the local profile information in the registry under
the following key:
<filename>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</filename>
</para>

<para>
Under the ProfileList key, there will be subkeys named with the SIDs of the
users who have logged on to this computer. (To find the profile information
for the user whose locally cached profile you want to move, find the SID for
the user with the <command>GetSID.exe</command> utility.) Inside of the appropriate user's
subkey, you will see a string value named ProfileImagePath.
</para>
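<para>
An added example, not from Samba or the Resource Kit: a reader for a regedit export of the ProfileList key above that maps each SID subkey to its ProfileImagePath, decodes the hex(2) form regedit uses for REG_EXPAND_SZ values, and picks out the cached profiles that belong to one domain SID (the value you obtain with <command>smbpasswd</command> or <command>GetSID.exe</command>). The export text, the SIDs, the domain SID and the paths are constructed for the demo.
</para>

```python
"""Map ProfileList SID subkeys to ProfileImagePath from a registry export.

Added illustration, not a Samba or Windows tool: parses a 'Windows Registry
Editor Version 5.00' export of the ProfileList key and selects the locally
cached profiles that belong to one domain SID. Everything below is constructed.
"""
import re

PROFILE_LIST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
DEMO_DOMAIN_SID = "S-1-5-21-1111-2222-3333"      # constructed; read yours with smbpasswd/GetSID

# Constructed export: a REG_SZ path, a REG_EXPAND_SZ path (hex(2), UTF-16LE,
# split over a continuation line the way regedit writes it) and the local
# SYSTEM account, which is not a domain member.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1111-2222-3333-1001]
"ProfileImagePath"="%SystemRoot%\\Profiles\\alice"
"Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1111-2222-3333-1002]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,\
  50,00,72,00,6f,00,66,00,69,00,6c,00,65,00,73,00,5c,00,62,00,6f,00,62,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]
"ProfileImagePath"="%SystemRoot%\\system32\\config\\systemprofile"
"""


def decode_value(raw):
    """Decode the REG_SZ, REG_EXPAND_SZ (hex(2)) and REG_DWORD forms regedit exports."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("hex(2):"):
        data = bytes.fromhex("".join(b for b in raw[7:].split(",") if b))
        return data.decode("utf-16-le").rstrip("\x00")   # drop the terminating NUL
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_profile_list(text):
    """Return {sid: {value name: decoded value}} for the subkeys of ProfileList."""
    lines = []
    for line in text.splitlines():
        if lines and lines[-1].endswith("\\"):          # hex continuation line
            lines[-1] = lines[-1][:-1] + line.strip()
        else:
            lines.append(line.rstrip())
    entries, sid = {}, None
    prefix = PROFILE_LIST.lower() + "\\"
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            sid = key[len(prefix):] if key.lower().startswith(prefix) else None
            if sid:
                entries[sid] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if sid and m:
            entries[sid][m.group(1)] = decode_value(m.group(2))
    return entries


def domain_profiles(entries, domain_sid):
    """{rid: ProfileImagePath} for the entries that are accounts of domain_sid."""
    out = {}
    for sid, values in entries.items():
        head, _, rid = sid.rpartition("-")
        if head == domain_sid and rid.isdigit() and "ProfileImagePath" in values:
            out[int(rid)] = values["ProfileImagePath"]
    return out


if __name__ == "__main__":
    for rid, path in sorted(domain_profiles(parse_profile_list(SAMPLE_REG), DEMO_DOMAIN_SID).items()):
        print("%s-%d -> %s" % (DEMO_DOMAIN_SID, rid, path))
```

<para>
Export the key with <command>regedit</command> on the workstation, then run the script on the export; the RIDs it lists are the ones you need to match against the accounts you import into Samba.
</para>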

</sect3>
</sect2>
</sect1>

<sect1>
<title>Mandatory profiles</title>

<para>
A Mandatory Profile is a profile that the user does NOT have the ability to overwrite.
During the user's session it may be possible to change the desktop environment, but
as the user logs out all changes made will be lost. If it is desired to NOT allow the
user any ability to change the desktop environment then this must be done through
policy settings. See previous chapter.
</para>

<note>
<para>
Under NO circumstances should the profile directory (or its contents) be made read-only
as this may render the profile un-usable.
</para>
</note>

<para>
For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles
also. To convert a group profile into a mandatory profile simply locate the <filename>NTuser.DAT</filename>
file in the copied profile and rename it to <filename>NTuser.MAN</filename>.
</para>

<para>
For MS Windows 9x / Me it is the <filename>User.DAT</filename> file that must be renamed to <filename>User.MAN</filename> to
effect a mandatory profile.
</para>
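<para>
The requirements for the server side of a profile share are spread over several sections of this chapter: the user must be able to create the profile directory and write it back at logoff, the directory must not be read-only, Windows XP checks that the user owns the folder, the NT hive must be named <filename>NTuser.DAT</filename> or <filename>NTuser.MAN</filename> with that exact case, and a mandatory hive must not be writable by the user. The script below is an added example, not a Samba tool, that audits a profile share on the Unix side for those conditions and exercises them against a temporary directory tree built for the demo; the user names, the 1777 mode on the share root and the helper functions are assumptions.
</para>

```python
"""Audit the Unix side of a roaming-profile share.

Added illustration, not a Samba tool: checks a directory exported as the
profile share against the conditions this chapter sets out. The share root,
profile directories and hive files are constructed in a temporary directory
for the demo; on a real server point audit_profile_dir() at the share path.
"""
import os
import pwd
import shutil
import stat
import tempfile

NT_HIVES = ("NTuser.DAT", "NTuser.MAN")      # NT4/200x: exact case required
MANDATORY = ("NTuser.MAN", "user.MAN")        # renamed hives the user must not change


def owner_name(path):
    """Unix owner of path; Samba presents this as the file owner to the client."""
    return pwd.getpwuid(os.stat(path).st_uid).pw_name


def writable_by(path, user):
    """Owner write bit if user owns the file, else world write.

    Group write is deliberately ignored (it would need the user's group list),
    so treat a 'not writable' verdict on a group-writable file as advisory.
    """
    st = os.stat(path)
    if owner_name(path) == user:
        return bool(st.st_mode & stat.S_IWUSR)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_profile_dir(root, user):
    """Return problem strings for root/<user>; an empty list means it looks right."""
    problems = []
    d = os.path.join(root, user)
    if not os.path.isdir(d):
        # The client creates the directory on first logon, so the share root
        # must be writable by the user; the sticky bit stops users deleting
        # each other's profile directories there.
        if not os.stat(root).st_mode & stat.S_ISVTX:
            problems.append("%s: no profile yet and share root lacks the sticky bit" % user)
        return problems
    if owner_name(d) != user:
        problems.append("%s is owned by %s, not %s; Windows XP checks folder ownership "
                        "before loading a roaming profile" % (d, owner_name(d), user))
    if not writable_by(d, user):          # the chapter warns never to make this read-only
        problems.append("%s is not writable by %s; the profile cannot be written back at logoff" % (d, user))
    names = os.listdir(d)
    for n in names:
        if n.lower() in ("ntuser.dat", "ntuser.man") and n not in NT_HIVES:
            problems.append("%s: %s is not in the NTuser.DAT / NTuser.MAN case the client expects" % (d, n))
    for hive in ("NTuser.DAT", "user.DAT"):
        if hive in names and not writable_by(os.path.join(d, hive), user):
            problems.append("%s: roaming hive %s is read-only for %s" % (d, hive, user))
    for hive in MANDATORY:
        if hive in names and writable_by(os.path.join(d, hive), user):
            problems.append("%s: mandatory hive %s is writable by %s, so the user can change it" % (d, hive, user))
    return problems


def run_demo():
    """Build a throw-away share, walk through the cases, return {scenario: problems}."""
    me = pwd.getpwuid(os.getuid()).pw_name
    root = tempfile.mkdtemp(prefix="profiles-")
    results = {}
    try:
        os.chmod(root, 0o1777)                         # constructed: writable, sticky share root
        mine = os.path.join(root, me)
        os.mkdir(mine)
        os.chmod(mine, 0o700)
        dat = os.path.join(mine, "NTuser.DAT")
        open(dat, "w").close()
        os.chmod(dat, 0o600)
        results["roaming ok"] = audit_profile_dir(root, me)
        man = os.path.join(mine, "NTuser.MAN")
        os.rename(dat, man)                            # make the profile mandatory ...
        results["mandatory but writable"] = audit_profile_dir(root, me)
        os.chmod(man, 0o400)                           # ... and deny write access to the hive only
        results["mandatory ok"] = audit_profile_dir(root, me)
        open(os.path.join(mine, "ntuser.dat"), "w").close()
        results["wrong case"] = audit_profile_dir(root, me)
        os.mkdir(os.path.join(root, "bob"))            # owned by me, not by bob
        results["owner mismatch"] = audit_profile_dir(root, "bob")
        os.chmod(root, 0o755)
        results["root not sticky"] = audit_profile_dir(root, "carol")
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for scenario, problems in run_demo().items():
        print(scenario, "->", problems or "OK")
```

<para>
The point the demo makes is the one the note above only hints at: the profile directory itself stays writable, and only the renamed <filename>.MAN</filename> hive is denied write access.
</para>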

</sect1>

<sect1>
<title>Creating/Managing Group Profiles</title>

<para>
Most organisations are arranged into departments. There is a nice benefit in
this fact since usually most users in a department will require the same desktop
applications and the same desktop layout. MS Windows NT4/200x/XP will allow the
use of Group Profiles. A Group Profile is a profile that is created firstly using
a template (example) user. Then using the profile migration tool (see above) the
profile is assigned access rights for the user group that needs to be given access
to the group profile.
</para>

<para>
The next step is rather important. <emphasis>Please note:</emphasis> Instead of assigning a group profile
to users (i.e., using User Manager) on a "per user" basis, the group itself is assigned
the now modified profile.
</para>

<note>
<para>
Be careful with group profiles: if a user who is a member of the group also
has a personal profile, then the result will be a fusion (merge) of the two.
</para>
</note>

</sect1>

<sect1>
<title>Default Profile for Windows Users</title>

<para>
MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom
a profile does not already exist. Armed with a knowledge of where the default profile
is located on the Windows workstation, and knowing which registry keys affect the path
from which the default profile is created, it is possible to modify the default profile
to one that has been optimised for the site. This has significant administrative
advantages.
</para>

<sect2>
<title>MS Windows 9x/Me</title>

<para>
To enable default per-user profiles in Windows 9x / Me you can either use the <application>Windows 98 System
Policy Editor</application> or change the registry directly.
</para>

<para>
To enable default per-user profiles in Windows 9x / Me, launch the <application>System Policy Editor</application>, then
select <guimenu>File</guimenu> -> <guimenuitem>Open Registry</guimenuitem>, then click on the
<guiicon>Local Computer</guiicon> icon, click on <guilabel>Windows 98 System</guilabel>,
select <guilabel>User Profiles</guilabel>, click on the enable box. Do not forget to save the registry changes.
</para>

<para>
To modify the registry directly, launch the <application>Registry Editor</application> (<command>regedit.exe</command>), select the key
<filename>HKEY_LOCAL_MACHINE\Network\Logon</filename>. Now add a DWORD value with the name
"User Profiles"; to enable user profiles set the value to 1, to disable user profiles set it to 0.
</para>

<sect3>
<title>How User Profiles Are Handled in Windows 9x / Me</title>

<para>
When a user logs on to a Windows 9x / Me machine, the local profile path,
<filename>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</filename>, is checked
for an existing entry for that user:
</para>

<para>
If the user has an entry in this registry location, Windows 9x / Me checks for a locally cached
version of the user profile. Windows 9x / Me also checks the user's home directory (or other
specified directory if the location has been modified) on the server for the User Profile.
If a profile exists in both locations, the newer of the two is used. If the User Profile exists
on the server, but does not exist on the local machine, the prof
ile on the server is downloaded
and used. If the User Profile only exists on the local machine, that copy is used.
</para>

<para>
If a User Profile is not found in either location, the Default User Profile from the Windows 9x / Me
machine is used and is copied to a newly created folder for the logged on user. At log off, any
changes that the user made are written to the user's local profile. If the user has a roaming
profile, the changes are written to the user's profile on the server.
</para>

</sect3>
</sect2>

<sect2>
|
|
<title>MS Windows NT4 Workstation</title>
|
|
|
|
<para>
|
|
On MS Windows NT4 the default user profile is obtained from the location
|
|
<filename>%SystemRoot%\Profiles</filename> which in a default installation will translate to
|
|
<filename>C:\WinNT\Profiles</filename>. Under this directory on a clean install there will be
|
|
three (3) directories: <filename>Administrator</filename>, <filename>All Users</filename>, <filename>Default User</filename>.
|
|
</para>
|
|
|
|
<para>
|
|
The <filename>All Users</filename> directory contains menu settings that are common across all
|
|
system users. The <filename>Default User</filename> directory contains menu entries that are
|
|
customisable per user depending on the profile settings chosen/created.
|
|
</para>
|
|
|
|
<para>
|
|
When a new user first logs onto an MS Windows NT4 machine a new profile is created from:
|
|
</para>
|
|
|
|
<simplelist>
|
|
<member>All Users settings</member>
|
|
<member>Default User settings (contains the default NTUser.DAT file)</member>
|
|
</simplelist>
|
|
|
|
<para>
|
|
When a user logs onto an MS Windows NT4 machine that is a member of a Microsoft security domain
|
|
the following steps are followed in respect of profile handling:
|
|
</para>
|
|
|
|
<procedure>
<step>
<para>
The user's account information, which is obtained during the logon process, contains
the location of the user's desktop profile. The profile path may be local to the
machine or it may be located on a network share. If a profile exists at the location
of the path from the user account, then this profile is copied to the location
<filename>%SystemRoot%\Profiles\%USERNAME%</filename>. This profile then inherits the
settings in the <filename>All Users</filename> profile in the <filename>%SystemRoot%\Profiles</filename>
location.
</para>
</step>

<step>
<para>
If the user account has a profile path, but no profile exists at its location,
then a new profile is created in the <filename>%SystemRoot%\Profiles\%USERNAME%</filename>
directory by reading the <filename>Default User</filename> profile.
</para>
</step>

<step>
<para>
If the NETLOGON share on the authenticating server (logon server) contains a policy file
(<filename>NTConfig.POL</filename>), then its contents are applied to the <filename>NTUser.DAT</filename>,
which is applied to the <filename>HKEY_CURRENT_USER</filename> part of the registry.
</para>
</step>

<step>
<para>
When the user logs out, if the profile is set to be a roaming profile it will be written
out to the location of the profile. The <filename>NTuser.DAT</filename> file is then
re-created from the contents of <filename>HKEY_CURRENT_USER</filename>.
Thus, should there not exist in the NETLOGON share an <filename>NTConfig.POL</filename> at the
next logon, the effect of the previous <filename>NTConfig.POL</filename> will still be held
in the profile. This effect is known as <emphasis>tattooing</emphasis>.
</para>
</step>
</procedure>

<para>
MS Windows NT4 profiles may be <emphasis>Local</emphasis> or <emphasis>Roaming</emphasis>. A Local profile
will be stored in the <filename>%SystemRoot%\Profiles\%USERNAME%</filename> location. A roaming profile will
also remain stored in the same way, unless the following registry key is created:
</para>

<para>
<programlisting>
HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\
"DeleteRoamingCache"=dword:00000001
</programlisting>

In which case, the local copy (in <filename>%SystemRoot%\Profiles\%USERNAME%</filename>) will be
deleted on logout.
</para>

<para>
Under MS Windows NT4, default locations for common resources (like <filename>My Documents</filename>)
may be redirected to a network share by modifying the following registry keys. These changes may be effected
via the System Policy Editor (to do so may require that you create your own template extension
for the policy editor to allow this to be done through the GUI). Another way to do this is to first
create a default user profile, then, while logged in as that user, run regedt32 to edit the key settings.
</para>

<para>
On Windows NT4, the registry hive key that controls the behaviour of the folders that are part of the
default user profile is:
</para>

<para>
<filename>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</filename>
</para>

<para>
The above hive key contains a list of automatically managed folders. The default entries are:
</para>

<para>
<table frame="all">
<title>User Shell Folder registry keys default values</title>
<tgroup cols="2">
<thead>
<row><entry>Name</entry><entry>Default Value</entry></row>
</thead>
<tbody>
<row><entry>AppData</entry><entry>%USERPROFILE%\Application Data</entry></row>
<row><entry>Desktop</entry><entry>%USERPROFILE%\Desktop</entry></row>
<row><entry>Favorites</entry><entry>%USERPROFILE%\Favorites</entry></row>
<row><entry>NetHood</entry><entry>%USERPROFILE%\NetHood</entry></row>
<row><entry>PrintHood</entry><entry>%USERPROFILE%\PrintHood</entry></row>
<row><entry>Programs</entry><entry>%USERPROFILE%\Start Menu\Programs</entry></row>
<row><entry>Recent</entry><entry>%USERPROFILE%\Recent</entry></row>
<row><entry>SendTo</entry><entry>%USERPROFILE%\SendTo</entry></row>
<row><entry>Start Menu</entry><entry>%USERPROFILE%\Start Menu</entry></row>
<row><entry>Startup</entry><entry>%USERPROFILE%\Start Menu\Programs\Startup</entry></row>
</tbody>
</tgroup>
</table>
</para>

<para>
The registry key that contains the location of the default profile settings is:
</para>

<para>
<filename>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</filename>
</para>

<para>
The default entries are:

<table frame="all">
<title>Defaults of profile settings registry keys</title>
<tgroup cols="2">
<thead>
<row><entry>Name</entry><entry>Default Value</entry></row>
</thead>
<tbody>
<row><entry>Common Desktop</entry><entry>%SystemRoot%\Profiles\All Users\Desktop</entry></row>
<row><entry>Common Programs</entry><entry>%SystemRoot%\Profiles\All Users\Programs</entry></row>
<row><entry>Common Start Menu</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu</entry></row>
<row><entry>Common Startup</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</entry></row>
</tbody>
</tgroup>
</table>
</para>

</sect2>

<sect2>
<title>MS Windows 200x/XP</title>

<note>
<para>
MS Windows XP Home Edition does use default per-user profiles, but cannot participate
in domain security, cannot log onto an NT/ADS style domain, and thus can obtain the profile
only from itself. While there are benefits in doing this, the advantage of those MS Windows
clients that CAN participate in domain logon processes is that the administrator can create
a global default profile and enforce it through the use of Group Policy Objects (GPOs).
</para>
</note>

<para>
When a new user first logs onto an MS Windows 200x/XP machine, the default profile is obtained from
<filename>C:\Documents and Settings\Default User</filename>. The administrator can modify (or change)
the contents of this location and MS Windows 200x/XP will gladly use it. This is far from the optimum
arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client
workstation.
</para>

<para>
When MS Windows 200x/XP participates in a domain security context, and if the default user
profile is not found, then the client will search for a default profile in the NETLOGON share
of the authenticating server, i.e., in MS Windows parlance:
<filename>%LOGONSERVER%\NETLOGON\Default User</filename>. If one exists there, it will be copied
to the workstation into <filename>C:\Documents and Settings\</filename> under the Windows
login name of the user.
</para>

<note>
<para>
This path translates, in Samba parlance, to the &smb.conf; <parameter>[NETLOGON]</parameter> share. The directory
should be created at the root of this share and must be called <filename>Default Profile</filename>.
</para>
</note>

<para>
If a default profile does not exist in this location, then MS Windows 200x/XP will use the local
default profile.
</para>

<para>
On logging out, the user's desktop profile will be stored to the location specified in the registry
settings that pertain to the user. If no specific policies have been created, or passed to the client
during the login process (as Samba does automatically), then the user's profile will be written to
the local machine only, under the path <filename>C:\Documents and Settings\%USERNAME%</filename>.
</para>

<para>
Those wishing to modify the default behaviour can do so through three methods:
</para>

<itemizedlist>
<listitem>
<para>
Modify the registry keys on the local machine manually and place the new default profile in the
NETLOGON share root - NOT recommended, as it is maintenance intensive.
</para>
</listitem>

<listitem>
<para>
Create an NT4 style NTConfig.POL file that specifies this behaviour and locate this file
in the root of the NETLOGON share along with the new default profile.
</para>
</listitem>

<listitem>
<para>
Create a GPO that enforces this through Active Directory, and place the new default profile
in the NETLOGON share.
</para>
</listitem>
</itemizedlist>

<para>
On Windows 200x/XP, the registry hive key that controls the behaviour of the folders that are part of the
default user profile is:
</para>

<para>
<filename>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\</filename>
</para>

<para>
The above hive key contains a list of automatically managed folders. The default entries are:
</para>

<para>
<table frame="all">
<title>Defaults of default user profile paths registry keys</title>
<tgroup cols="2">
<thead><row><entry>Name</entry><entry>Default Value</entry></row></thead>
<tbody>
<row><entry>AppData</entry><entry>%USERPROFILE%\Application Data</entry></row>
<row><entry>Cache</entry><entry>%USERPROFILE%\Local Settings\Temporary Internet Files</entry></row>
<row><entry>Cookies</entry><entry>%USERPROFILE%\Cookies</entry></row>
<row><entry>Desktop</entry><entry>%USERPROFILE%\Desktop</entry></row>
<row><entry>Favorites</entry><entry>%USERPROFILE%\Favorites</entry></row>
<row><entry>History</entry><entry>%USERPROFILE%\Local Settings\History</entry></row>
<row><entry>Local AppData</entry><entry>%USERPROFILE%\Local Settings\Application Data</entry></row>
<row><entry>Local Settings</entry><entry>%USERPROFILE%\Local Settings</entry></row>
<row><entry>My Pictures</entry><entry>%USERPROFILE%\My Documents\My Pictures</entry></row>
<row><entry>NetHood</entry><entry>%USERPROFILE%\NetHood</entry></row>
<row><entry>Personal</entry><entry>%USERPROFILE%\My Documents</entry></row>
<row><entry>PrintHood</entry><entry>%USERPROFILE%\PrintHood</entry></row>
<row><entry>Programs</entry><entry>%USERPROFILE%\Start Menu\Programs</entry></row>
<row><entry>Recent</entry><entry>%USERPROFILE%\Recent</entry></row>
<row><entry>SendTo</entry><entry>%USERPROFILE%\SendTo</entry></row>
<row><entry>Start Menu</entry><entry>%USERPROFILE%\Start Menu</entry></row>
<row><entry>Startup</entry><entry>%USERPROFILE%\Start Menu\Programs\Startup</entry></row>
<row><entry>Templates</entry><entry>%USERPROFILE%\Templates</entry></row>
</tbody></tgroup></table>
</para>

<para>
There is also an entry called "Default" that has no value set. The default entry is of type <constant>REG_SZ</constant>, all
the others are of type <constant>REG_EXPAND_SZ</constant>.
</para>

<para>
It makes a huge difference to the speed of handling roaming user profiles if all the folders are
stored in a dedicated location on a network server. This means that it will NOT be necessary to
write the Outlook PST file over the network for every login and logout.
</para>

<para>
To set this to a network location you could use the following examples:
</para>

<para><filename>%LOGONSERVER%\%USERNAME%\Default Folders</filename></para>

<para>
This would store the folders in the user's home directory under a directory called <filename>Default Folders</filename>.
You could also use:
</para>

<para><filename>\\<replaceable>SambaServer</replaceable>\<replaceable>FolderShare</replaceable>\%USERNAME%</filename></para>

<para>
in which case the default folders will be stored on the server named <replaceable>SambaServer</replaceable>
in the share called <replaceable>FolderShare</replaceable> under a directory that has the name of the MS Windows
user as seen by the Linux/Unix file system.
</para>

<para>
Please note that once you have created a default profile share, you MUST migrate a user's profile
(default or custom) to it.
</para>

<para>
MS Windows 200x/XP profiles may be <emphasis>Local</emphasis> or <emphasis>Roaming</emphasis>.
A roaming profile will be cached locally unless the following registry key is created:
</para>

<para>
<programlisting>
HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\
"DeleteRoamingCache"=dword:00000001
</programlisting>
</para>

<para>
In which case, the local cache copy will be deleted on logout.
</para>
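<para>
The registry values discussed in this section and the preceding ones (the Windows 9x / Me "User Profiles"
DWORD, the NT4/200x <filename>DeleteRoamingCache</filename> value, and the <filename>User Shell Folders</filename>
entries) are easiest to audit from a <command>regedit</command> export of the client. The following Python script
is an added example for this chapter; it is not Samba code and not a Microsoft tool. It parses the
<filename>.reg</filename> export format, including the <constant>hex(2)</constant> encoding regedit uses for
<constant>REG_EXPAND_SZ</constant> values and its line continuations, reports whether the roaming cache is
deleted at logoff, and lists which shell folders still live under <filename>%USERPROFILE%</filename> (and are
therefore copied with the profile at every logon and logoff) as opposed to those redirected to a server. The two
exports embedded in it are constructed samples: the Winlogon key is given as regedit exports it
(<filename>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</filename>), and writing
the redirected "Personal" and the "Local Settings" entries as plain strings rather than <constant>hex(2)</constant>
is a simplification to keep the sample short.
</para>

```python
"""Audit a regedit (.reg) export for the profile registry values this chapter
discusses.  Added example; not Samba code and not a Microsoft tool."""
import re

# Key paths are compared case-insensitively (registry key names are not case-sensitive).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
USER_SHELL_FOLDERS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                      r"\Explorer\User Shell Folders")
WIN9X_LOGON = r"HKEY_LOCAL_MACHINE\Network\Logon"

# Constructed sample of an NT4/200x client export.  "Desktop" is in regedit's real
# hex(2) form (UTF-16LE REG_EXPAND_SZ, split with a "\" continuation); "Personal"
# and "Local Settings" are written as plain strings only to keep the sample short.
SAMPLE_NT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DeleteRoamingCache"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
@=""
"Desktop"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,4c,\
  00,45,00,25,00,5c,00,44,00,65,00,73,00,6b,00,74,00,6f,00,70,00,00,00
"Local Settings"="%USERPROFILE%\\Local Settings"
"Personal"="\\\\SambaServer\\FolderShare\\%USERNAME%\\My Documents"
"""

# Constructed Windows 9x / Me export (REGEDIT4 header) with user profiles enabled.
SAMPLE_9X_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Logon]
"User Profiles"=dword:00000001
"""


def decode_value(raw):
    """Turn the right-hand side of a .reg value line into (type, Python value)."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \\ and \" escapes
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00")
    return "UNKNOWN", raw           # hex:, hex(7): ... are not needed for this audit


def parse_reg(text):
    """Return {key path (lower-cased): {value name: (type, value)}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)    # join regedit's hex line continuations
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "REGEDIT4", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if line.startswith("@="):
            name, raw = "@", line[2:]               # the unnamed (Default) value
        elif m:
            name, raw = m.group(1), m.group(2)
        else:
            continue
        keys[current][name] = decode_value(raw)
    return keys


def _dword_is_one(keys, key, name):
    typ, val = keys.get(key.lower(), {}).get(name, ("REG_DWORD", 0))
    return typ == "REG_DWORD" and val == 1


def roaming_cache_deleted(keys):
    """DeleteRoamingCache=1: the cached copy of a roaming profile is removed at logoff."""
    return _dword_is_one(keys, WINLOGON, "DeleteRoamingCache")


def win9x_profiles_enabled(keys):
    """Windows 9x / Me: the "User Profiles" DWORD under Network/Logon is 1."""
    return _dword_is_one(keys, WIN9X_LOGON, "User Profiles")


def shell_folders(keys):
    """{name: path} from User Shell Folders, skipping the empty (Default) entry."""
    return {n: v for n, (_, v) in keys.get(USER_SHELL_FOLDERS.lower(), {}).items() if v}


def folders_still_in_profile(keys):
    """Folders under %USERPROFILE% travel with the roaming profile at every logon/logoff."""
    return sorted(n for n, p in shell_folders(keys).items()
                  if p.upper().startswith("%USERPROFILE%"))


def redirected_folders(keys):
    """Folders pointed at a UNC path or %LOGONSERVER% stay on the server instead."""
    return {n: p for n, p in shell_folders(keys).items()
            if p.startswith("\\\\") or p.upper().startswith("%LOGONSERVER%")}


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_NT_EXPORT)
    print("DeleteRoamingCache set:", roaming_cache_deleted(keys))
    print("still in profile:      ", folders_still_in_profile(keys))
    print("redirected to server:  ", redirected_folders(keys))
    print("Win9x profiles on:     ", win9x_profiles_enabled(parse_reg(SAMPLE_9X_EXPORT)))
```

<para>
To run it against a real client, export the two keys with <command>regedit</command> and pass the file's text
to <function>parse_reg</function> (200x/XP exports are UTF-16 with a byte-order mark, Windows 9x REGEDIT4 files
are 8-bit text, so decode accordingly before parsing). Folders reported by <function>folders_still_in_profile</function>
are the ones that grow the profile copied at each logon; the PST problem the text describes shows up here as a
"Personal" entry that is still under <filename>%USERPROFILE%</filename>.
</para>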

</sect2>

</sect1>

<sect1>
<title>Common Errors</title>

<para>
The following are some typical errors/problems/questions that have been asked.
</para>

<sect2>
<title>How does one set up roaming profiles for just one (or a few) user/s or group/s?</title>

<para>
With samba-2.2.x the choice you have is to enable or disable roaming
profiles support. It is a global-only setting. The default is to have
roaming profiles, and the default path will locate them in the user's home
directory.
</para>

<para>
If disabled globally, then no one will have roaming profile ability.
If enabled and you want it to apply only to certain machines, then on
those machines on which roaming profile support is NOT wanted it is
necessary to disable roaming profile handling in the registry of each such
machine.
</para>

<para>
With samba-3.0.0 (soon to be released) you can have a global profile
setting in &smb.conf; <emphasis>and</emphasis> you can override this with per-user settings
using the Domain User Manager (as with MS Windows NT4/ Win 2Kx).
</para>

<para>
In any case, you can configure only one profile per user. That profile can
be either:
</para>

<simplelist>
<member>A profile unique to that user</member>
<member>A mandatory profile (one the user cannot change)</member>
<member>A group profile (really should be mandatory, i.e. unchangeable)</member>
</simplelist>

</sect2>

<sect2>
<title>Can NOT use Roaming Profiles</title>

<para>
<quote>
I don't want Roaming profiles to be implemented, I just want to give users
local profiles only.
...
Please help me, I am totally lost with this error; for the past two days I tried
everything and googled around quite a bit but it was of no help. Please help me.
</quote></para>

<para>
Your choices are:
</para>

<variablelist>
<varlistentry>
<term>Local profiles</term>
<listitem><para>
I know of no registry keys that will allow auto-deletion of LOCAL profiles on log out.
</para></listitem>
</varlistentry>

<varlistentry>
<term>Roaming profiles</term>
<listitem>
<para>
Roaming profiles can use the auto-delete on logout option; this requires a registry key change on each workstation.
Your choices are:
</para>

<variablelist>
<varlistentry>
<term>Personal Roaming profiles</term>
<listitem><para>
These should be preserved on a central server. Workstations 'cache' (store) a local copy,
which is used in case the profile cannot be downloaded at the next logon.
</para></listitem>
</varlistentry>

<varlistentry>
<term>Group profiles</term>
<listitem><para>Loaded from a central place.</para></listitem>
</varlistentry>

<varlistentry>
<term>Mandatory profiles</term>
<listitem><para>
These can be personal or group profiles, and can NOT be changed (except by an administrator).
</para></listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>

<para>
A WinNT4/2K/XP profile can vary in size from 130KB to off the scale.
Outlook PST files are most often part of the profile and can be many GB in
size. On average (in a well controlled environment) a roaming profile size of
2MB is a good rule of thumb to use for planning purposes. In an
undisciplined environment I have seen up to 2GB profiles. Users tend to
complain when it takes an hour to log onto a workstation, but they harvest
the fruits of folly (and ignorance).
</para>

<para>
The point of all the above is to show that roaming profiles, good
controls over how they can be changed, and good discipline make for
a problem-free site.
</para>

<para>
Microsoft's answer to the PST problem is to store all email in an MS
Exchange Server back-end. But this is another story ...!
</para>

<para>
So, having LOCAL profiles means:

<simplelist>
<member>If lots of users use each machine, lots of local disk storage is needed for local profiles</member>
<member>Every workstation the user logs into has its own profile, which can be very different from machine to machine</member>
</simplelist>

On the other hand, having roaming profiles means:

<simplelist>
<member>The network administrator can control EVERY aspect of user profiles</member>
<member>With the use of mandatory profiles, a drastic reduction in network management overheads</member>
<member>User unhappiness about not being able to change their profiles soon fades as they get used to being able to work reliably</member>
</simplelist>
</para>

<para>
I have managed and installed MANY NT/2K networks and have NEVER found one
where users who move from machine to machine are happy with local
profiles. In the long run local profiles bite them.
</para>

</sect2>

<sect2>
<title>Changing the default profile</title>

<para><quote>
When the client tries to logon to the PDC it looks for a profile to download.
Where do I put this default profile?
</quote></para>

<para>
Firstly, your Samba server needs to be configured as a domain controller:
</para>

<programlisting>
security = user
os level = 32 (or more)
domain logons = Yes
</programlisting>

<para>
Plus you need to have a <parameter>[netlogon]</parameter> share that is world readable.
It is a good idea to add a logon script to pre-set printer and
drive connections. There is also a facility for automatically
synchronizing the workstation time clock with that of the logon
server (another good thing to do).
</para>

<note><para>
To invoke auto-deletion of the roaming profile from the local
workstation cache (disk storage) you need to use the <application>Group Policy Editor</application>
to create a file called <filename>NTConfig.POL</filename> with the appropriate entries. This
file needs to be located in the <parameter>netlogon</parameter> share root directory.</para></note>

<para>
Oh, of course the Windows clients need to be members of the domain.
Workgroup machines do NOT do network logons, so they never see domain
profiles.
</para>

<para>
Secondly, for roaming profiles you need:
</para>

<programlisting>
logon path = \\%N\profiles\%U (with some such path)
logon drive = H: (Z: is the default)
</programlisting>

<para>
Plus you need a PROFILES share that is world writable.
</para>
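<para>
As a check on the settings this section names, the following Python script is an added example; it is not
part of Samba and is no substitute for <command>testparm</command>. It reads an &smb.conf; and reports whether
<parameter>security</parameter>, <parameter>domain logons</parameter>, <parameter>os level</parameter>, the
<parameter>[netlogon]</parameter> share and the share referenced by <parameter>logon path</parameter> are set up
as described above. The configuration embedded in it is a constructed sample whose paths and workgroup name are
placeholders. Two checks go beyond the text and are labelled as assumptions in the code: the
<parameter>create mask</parameter> and <parameter>directory mask</parameter> entries on the profiles share, so that
a share every user can write to does not leave each user's <filename>NTuser.DAT</filename> readable by the others,
and a warning if the <parameter>[netlogon]</parameter> share is writable, since the logon script and
<filename>NTConfig.POL</filename> it holds are applied by every domain client.
</para>

```python
"""Check an smb.conf for the domain-controller and profile settings named in
this section.  Added example; not part of Samba and no replacement for testparm."""
import configparser

# Constructed smb.conf modelled on the settings the text asks for.  The create
# and directory masks are NOT from the text: they are a hardening assumption so
# that one user's profile is not readable by every other user of the share.
SAMPLE_SMB_CONF = r"""
[global]
   workgroup = EXAMPLEDOM
   security = user
   os level = 64
   domain logons = yes
   logon path = \\%N\profiles\%U
   logon drive = H:

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
   guest ok = yes

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   create mask = 0600
   directory mask = 0700
"""


def load_smb_conf(text):
    """smb.conf is INI-like; Samba's '%' macros must not be interpolated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   empty_lines_in_values=False)
    cp.read_string(text)      # option names are lower-cased, matching Samba's case-insensitivity
    return cp


def is_true(value):
    return str(value).strip().lower() in ("yes", "true", "1", "on")


def find_share(cp, name):
    """Share sections are matched case-insensitively, as Samba does."""
    for sect in cp.sections():
        if sect.lower() == name.lower():
            return cp[sect]
    return None


def share_is_writable(share):
    """Samba default is 'read only = yes'; 'writable', 'writeable', 'write ok' invert it."""
    for syn in ("writable", "writeable", "write ok"):
        if syn in share:
            return is_true(share[syn])
    if "read only" in share:
        return not is_true(share["read only"])
    return False


def profile_share_name(cp):
    """Share named in 'logon path' (\\\\server\\share\\...), lower-cased, or None."""
    path = cp["global"].get("logon path", "") if cp.has_section("global") else ""
    parts = path.strip().split("\\")
    return parts[3].lower() if len(parts) > 3 and parts[0] == parts[1] == "" else None


def check_profile_setup(cp):
    """Return the list of problems found; an empty list means the setup is complete."""
    problems = []
    g = cp["global"] if cp.has_section("global") else {}
    if str(g.get("security", "user")).strip().lower() != "user":
        problems.append("security must be 'user' on a domain controller")
    if not is_true(g.get("domain logons", "no")):
        problems.append("domain logons = yes is required for clients to log on to the domain")
    try:
        os_level = int(g.get("os level", "20"))
    except ValueError:
        os_level = 0
    if os_level < 32:
        problems.append("os level should be 32 or more")
    netlogon = find_share(cp, "netlogon")
    if netlogon is None:
        problems.append("no [netlogon] share: logon scripts, NTConfig.POL and the default profile cannot be served")
    elif share_is_writable(netlogon):   # assumption, not from the text: keep it read-only for users
        problems.append("[netlogon] is writable: any user could alter the logon script or NTConfig.POL")
    share = profile_share_name(cp)
    if share is None:
        problems.append("logon path is unset or not a UNC path; profiles will stay local")
    else:
        profiles = find_share(cp, share)
        if profiles is None:
            problems.append(f"logon path points at share [{share}], which is not defined")
        elif not share_is_writable(profiles):
            problems.append(f"[{share}] is not writable; profiles cannot be saved at logoff")
        else:
            for mask in ("create mask", "directory mask"):   # assumption, not from the text
                if mask not in profiles:
                    problems.append(f"[{share}] sets no '{mask}'; restrict it so profiles stay private")
    return problems


if __name__ == "__main__":
    for line in check_profile_setup(load_smb_conf(SAMPLE_SMB_CONF)) or ["no problems found"]:
        print(line)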

</sect2>

</sect1>

</chapter>