Roaming Windows User Profiles: Difference between revisions
Mmuehlfeld (talk | contribs) (Made word "profile" consistent in uppercase on the page.-) |
Mmuehlfeld (talk | contribs) (Major rewrite and restructuring) |
||
Line 1: | Line 1: | ||
= Introduction = |
|||
⚫ | |||
Roaming profiles are server side stored settings, that are "downloaded" to a Windows host, when the user logs on and "uploaded" back to the server, on log off. For more details about roaming profiles, see the same-titled section on the [[The_different_Windows_profile_types#Roaming_profiles|The different Windows profile types]] page. |
|||
The following sections describe how to setup a profile share stored on a Samba server. |
|||
There are different ways to setup the share, depending on using Windows ACLs (recommended) or POSIX ACLs: |
|||
A roaming profile share can be setup in two ways: Using [[#Profile_share_using_Windows_ACLs|Windows ACLs] (recommended) or vi [[#Profile_share_with_using_POSIX_ACLs|POSIX ACLs]]. |
|||
⚫ | |||
== Profile share using Windows ACLs == |
== Profile share using Windows ACLs == |
||
* [[Shares_with_Windows_ACLs |
* Setup a share named "Profiles" according to the documentation [[Shares_with_Windows_ACLs|Shares with Windows ACLs]] |
||
* Set the following ACLs on the root of the Profiles share according to [[Shares_with_Windows_ACLs&action=submit#Set_ACLs_on_the_root_of_a_share|Set Windows ACLs on the root of a share]] |
|||
⚫ | |||
# mkdir -p /srv/samba/Profiles/ |
|||
⚫ | |||
⚫ | |||
[Profiles] |
|||
path = /srv/samba/Profiles/ |
|||
read only = no |
|||
⚫ | |||
* Reload Samba: |
|||
# smbcontrol all reload-config |
|||
* Log on to a Windows machine as Domain Administrator |
|||
* Go to „\\Servername“. You'll see the newly added share. |
|||
:[[Image:Shares_view.png]] |
|||
* Right-click the share name, choose „Properties“ and go to the „Security“ tab. |
|||
⚫ | |||
⚫ | |||
* Set the permissions as shown in the following table |
:* Set the permissions as shown in the following table |
||
:{| |
::{| class="wikitable" |
||
!Name |
!Name |
||
!Permissions |
!Permissions |
||
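Review bot: In the added intro sentence ("A roaming profile share can be setup in two ways"), the first link closes with a single bracket ("[[#Profile_share_using_Windows_ACLs|Windows ACLs]"), "vi" should be "via", and the anchor "#Profile_share_with_using_POSIX_ACLs" does not match the heading "Profile share using POSIX ACLs" used later in this revision, so neither link will render or resolve as intended. The link target "Shares_with_Windows_ACLs&action=submit#Set_ACLs_on_the_root_of_a_share" also carries "&action=submit", which looks pasted from an edit URL and should be dropped.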
Line 56: | Line 39: | ||
|} |
|} |
||
::The above settings allow the auto-creation of new profile folders for users being member of "Domain users", but preventing them to access any profile of a different user. The domain administrator has full control on all profile folders. |
|||
⚫ | |||
⚫ | |||
:You can replace "Domain Users" with another group name, if you want to use that group to store profiles on the share. You can add multiple groups, just use the same recommended group permissions for "Domain Users". |
|||
* Save the new permissions by closing the windows with |
:* Save the new permissions by closing the windows with "OK". |
||
== Profile share |
== Profile share using POSIX ACLs == |
||
⚫ | |||
* Create a folder for the roaming profiles and set permissions |
|||
# mkdir -p /srv/samba/Profiles/ |
# mkdir -p /srv/samba/Profiles/ |
||
# chmod 1770 /srv/samba/Profiles |
# chmod 1770 /srv/samba/Profiles/ |
||
# chgrp |
# chgrp "Domain Users" /srv/samba/Profiles/ |
||
⚫ | |||
* Add a new share to your smb.conf: |
|||
[Profiles] |
[Profiles] |
||
path = /srv/samba/Profiles/ |
path = /srv/samba/Profiles/ |
||
read only = no |
read only = no |
||
store dos attributes = Yes |
store dos attributes = Yes |
||
create mask = 0600 |
create mask = 0600 |
||
directory mask = 0700 |
directory mask = 0700 |
||
profile acls = yes |
profile acls = yes |
||
csc policy = disable |
csc policy = disable |
||
:See the smb.conf man page for further details on the uses parameters. |
|||
* Reload Samba: |
* Reload Samba: |
||
# smbcontrol all reload-config |
# smbcontrol all reload-config |
||
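Review bot: The POSIX ACLs section gives "chmod 1770", "create mask = 0600" and "directory mask = 0700" without a sentence saying what access they produce, while the Windows ACLs section explains its table ("allow the auto-creation of new profile folders ... preventing them to access any profile of a different user"); add the equivalent explanation for the POSIX variant so readers can verify the result. Wording in the same hunk: "uses parameters" should be "used parameters", and "Domain users" should match "Domain Users" as written in the table and the chgrp line.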
Line 88: | Line 76: | ||
= |
= Setting roaming profiles for a user = |
||
== In an AD environment == |
== In an AD environment == |
||
Line 94: | Line 82: | ||
In an AD environment, you can setup individual roaming profiles for every user. |
In an AD environment, you can setup individual roaming profiles for every user. |
||
* Open ADUC |
* Open ADUC |
||
* Right-click to an user account and choose |
* Right-click to an user account and choose "Properties" |
||
* Go to the |
* Go to the "Profile" tab and fill the path with the one to the users profile |
||
:[[Image:ADUC_profile_share.png]] |
:[[Image:ADUC_profile_share.png]] |
||
: |
:Using the windows variable %USERNAME% allows setting profile paths on multiple accounts at once |
||
:Windows |
:Note: Newer Windows version use different profile version, that are indicated by an appended .V* (like username.V5 for Windows 10 profiles). You only fill the path to the users base profile folder here. The version is appended automatically by Windows! |
||
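Review bot: The new note on profile versions and the steps above it need a grammar pass before they go live: "Right-click to an user account" should be "Right-click a user account", "windows variable" should be "Windows variable", and "Newer Windows version use different profile version, that are indicated" should be "Newer Windows versions use different profile versions, which are indicated". The %USERNAME% line would also be easier to follow with the path from the screenshot written out as text, since the image is currently the only place it appears.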
Line 110: | Line 98: | ||
=== In a NT4 domain === |
=== In a NT4 domain === |
||
In a NT4 environment, you can setup roaming profiles globally for all users on the Samba PDC. |
In a NT4 environment, you can only setup roaming profiles globally for all users on the Samba PDC. |
||
* Add the following directive to your smb.conf: |
* Add the following directive to your smb.conf: |
||
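Review bot: "=== In a NT4 domain ===" is a level-3 heading, while its sibling "== In an AD environment ==" under "= Setting roaming profiles for a user =" is level 2, so the NT4 section nests under the AD one in the table of contents. Use the same level for both, and "In an NT4 domain" reads better than "In a NT4 domain".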
Line 118: | Line 106: | ||
:The logon path directive is where you actually set up roaming profiles. This directive should contain a Windows network path to the location of the profile for each user. If the users profile directory does not exist, it will be created on that location (as long as the user has write access to that directory). |
:The logon path directive is where you actually set up roaming profiles. This directive should contain a Windows network path to the location of the profile for each user. If the users profile directory does not exist, it will be created on that location (as long as the user has write access to that directory). |
||
:You can also take full advantage of Samba's variable substitutions (see |
:You can also take full advantage of Samba's variable substitutions (see the "variable substitutions" section of the smb.conf man page). |
||
* Reload Samba: |
* Reload Samba: |
Revision as of 16:59, 31 October 2015
Introduction
Roaming profiles are settings stored on a server that are "downloaded" to a Windows host when the user logs on and "uploaded" back to the server at log off. For more details about roaming profiles, see the same-titled section on the "The different Windows profile types" page.
A roaming profile share can be set up in two ways: using Windows ACLs (recommended) or via POSIX ACLs.
Profile share using Windows ACLs
- Set up a share named "Profiles" according to the documentation Shares with Windows ACLs
- Set the following ACLs on the root of the Profiles share according to Set Windows ACLs on the root of a share
- Click "Advanced" and then the "Change permissions" button for a more granular way to edit the share permissions
- Set the permissions as shown in the following table

| Name | Permissions | Apply to |
|---|---|---|
| Administrator | Full control | This folder, subfolders and files |
| Domain Users | Traverse folder/execute file, List folder/read data, Create folder/append data | This folder only |
| CREATOR OWNER | Full control | Subfolders and files only |

- The above settings allow the automatic creation of new profile folders for users who are members of "Domain Users", while preventing them from accessing the profile of any other user. The domain administrator has full control over all profile folders.
- Save the new permissions by closing the windows with "OK".
Profile share using POSIX ACLs
- Create a folder for the roaming profiles and set the following permissions
# mkdir -p /srv/samba/Profiles/
# chmod 1770 /srv/samba/Profiles/
# chgrp "Domain Users" /srv/samba/Profiles/
- Add the Profiles share to your smb.conf
[Profiles]
path = /srv/samba/Profiles/
read only = no
store dos attributes = Yes
create mask = 0600
directory mask = 0700
profile acls = yes
csc policy = disable
- See the smb.conf man page for further details on the parameters used.
- Reload Samba:
# smbcontrol all reload-config
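A check of the on-disk result of the POSIX ACL steps above, as an added example that is not part of the original wiki page: it flags a share root that is not mode 1770 with the expected group, and any profile folder that carries group or other permission bits. It assumes GNU stat; the function name and the output labels are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the permissions of a POSIX-ACL roaming profile share.
# Assumes GNU stat (stat -c) and the path, mode and group used on this page.

# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_profile_share() {
    root=${1:-/srv/samba/Profiles}
    want_group=${2:-Domain Users}      # group assigned with chgrp above
    rc=0

    [ -d "$root" ] || { echo "MISSING $root"; return 1; }

    # Share root: sticky bit, rwx for owner and group, nothing for others.
    mode=$(stat -c '%a' "$root")
    if [ "$mode" != "1770" ]; then
        echo "ROOT-MODE $root is $mode, expected 1770"; rc=1
    fi
    group=$(stat -c '%G' "$root")
    if [ "$group" != "$want_group" ]; then
        echo "ROOT-GROUP $root is '$group', expected '$want_group'"; rc=1
    fi

    # Per-user profile folders (username, username.V2, username.V5, ...).
    # With "directory mask = 0700" no group/other bits should be set.
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue      # skip files and an unmatched glob
        [ -L "$dir" ] && continue      # skip symlinks, only real folders
        mode=$(stat -c '%a' "$dir")
        case $mode in
            0|*00) ;;                  # e.g. 700: owner-only access
            *) echo "EXPOSED $dir mode $mode"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it as root on the Samba server, for example `audit_profile_share /srv/samba/Profiles "Domain Users"`; an EXPOSED line means other members of the group, or everyone, can reach that user's profile at the file system level.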
Setting roaming profiles for a user
In an AD environment
In an AD environment, you can set up individual roaming profiles for every user.
- Open ADUC
- Right-click a user account and choose "Properties"
- Go to the "Profile" tab and fill in the path to the user's profile
- Using the Windows variable %USERNAME% allows setting profile paths on multiple accounts at once
- Note: Newer Windows versions use different profile versions, which are indicated by an appended .V* (like username.V5 for Windows 10 profiles). Fill in only the path to the user's base profile folder here. Windows appends the version automatically!
In an NT4 domain
In an NT4 environment, you can only set up roaming profiles globally for all users on the Samba PDC.
- Add the following directive to your smb.conf:
logon path = \\%L\Profiles\%U
- The logon path directive is where you actually set up roaming profiles. This directive should contain a Windows network path to the location of the profile for each user. If the user's profile directory does not exist, it will be created at that location (as long as the user has write access to that directory).
- You can also take full advantage of Samba's variable substitutions (see the "variable substitutions" section of the smb.conf man page).
- Reload Samba:
# smbcontrol all reload-config
Troubleshooting roaming profiles
The registry contains information about each user's profile. Should your Samba infrastructure change, for example the network location of the users' profiles, Windows might be unable to find them. The list of user profiles is located at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Deleting the correct subkey (user SID) will force Windows to look up the user's profile setting from the domain controller and restore the profile at the next login.