Difference between revisions of "Roaming Windows User Profiles"

(Made word "profile" consistent in uppercase on the page.-)
(Major rewrite and restructuring)
Line 1: Line 1:
= Creating a profiles share and setting permissions=
+
= Introduction =
  
The following sections describe how to setup a profile share stored on a Samba server.
+
Roaming profiles are server side stored settings, that are "downloaded" to a Windows host, when the user logs on and "uploaded" back to the server, on log off. For more details about roaming profiles, see the same-titled section on the [[The_different_Windows_profile_types#Roaming_profiles|The different Windows profile types]] page.
 
 
There are different ways to setup the share, depending on using Windows ACLs (recommended) or POSIX ACLs:
 
  
 +
A roaming profile share can be setup in two ways: Using [[#Profile_share_using_Windows_ACLs|Windows ACLs] (recommended) or vi [[#Profile_share_with_using_POSIX_ACLs|POSIX ACLs]].
  
  
  
 +
= Creating a profiles share and setting permissions=
  
 
== Profile share using Windows ACLs ==
 
== Profile share using Windows ACLs ==
  
* [[Shares_with_Windows_ACLs#Preparatory_work|Preparatory work]]
+
* Setup a share named "Profiles" according to the documentation [[Shares_with_Windows_ACLs|Shares with Windows ACLs]]
  
* Create a folder for the roaming profiles, Note: These commands must be run by the 'root' user or with 'sudo'
+
* Set the following ACLs on the root of the Profiles share according to [[Shares_with_Windows_ACLs&action=submit#Set_ACLs_on_the_root_of_a_share|Set Windows ACLs on the root of a share]]
# mkdir -p /srv/samba/Profiles/
 
  
* Add a new share to your smb.conf:
+
:* Click "Advanced" and then the "Change permissions" button for a more granular way to edit the share permissions
[Profiles]
 
      path = /srv/samba/Profiles/
 
      read only = no
 
  
* Reload Samba:
+
::[[Image:Advanced_share_settings.png]]
# smbcontrol all reload-config
 
 
 
* Log on to a Windows machine as Domain Administrator
 
  
* Go to „\\Servername“. You'll see the newly added share.
+
:* Set the permissions as shown in the following table
  
:[[Image:Shares_view.png]]
+
::{| class="wikitable"
 
 
* Right-click the share name, choose „Properties“ and go to the „Security“ tab.
 
 
 
* Click  „Advanced“ and then the „Change permissions“ button for a more granular way to edit the share permissions.
 
 
 
:[[Image:Advanced_share_settings.png]]
 
 
 
* Set the permissions as shown in the following table
 
 
 
:{| border="1"
 
 
!Name
 
!Name
 
!Permissions
 
!Permissions
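Review bot: The new introduction line contains a malformed internal link: "[[#Profile_share_using_Windows_ACLs|Windows ACLs]" is closed with a single bracket, so it renders as literal wiki markup, and "vi" before the second link should be "via". The second link targets "#Profile_share_with_using_POSIX_ACLs", but this revision renames that heading to "Profile share using POSIX ACLs", so the anchor no longer resolves. The link "Shares_with_Windows_ACLs&action=submit#Set_ACLs_on_the_root_of_a_share" also carries a pasted "&action=submit" from an edit URL and should point at "Shares_with_Windows_ACLs#Set_ACLs_on_the_root_of_a_share".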
Line 56: Line 39:
 
|}
 
|}
  
:[[Image:Profile_share_permissions_for_group.png]]
+
::The above settings allow the auto-creation of new profile folders for users being member of "Domain users", but preventing them to access any profile of a different user. The domain administrator has full control on all profile folders.
 +
 
 +
::[[Image:Profile_share_permissions_for_group.png]]
  
:You can replace "Domain Users" with another group name, if you want to use that group to store profiles on the share. You can add multiple groups, just use the same recommended group permissions for "Domain Users".
+
:* Save the new permissions by closing the windows with "OK".
  
* Save the new permissions by closing the windows with „OK“.
 
  
  
 +
== Profile share using POSIX ACLs ==
  
== Profile share with using POSIX ACLs ==
+
* Create a folder for the roaming profiles and set the following ACLs
  
* Create a folder for the roaming profiles and set permissions
 
 
  # mkdir -p /srv/samba/Profiles/
 
  # mkdir -p /srv/samba/Profiles/
  # chmod 1770 /srv/samba/Profiles
+
  # chmod 1770 /srv/samba/Profiles/
  # chgrp „Domain Users“ /srv/samba/Profiles
+
  # chgrp "Domain Users" /srv/samba/Profiles/
 +
 
 +
* Add the Profiles share to your smb.conf
  
* Add a new share to your smb.conf:
 
 
  [Profiles]
 
  [Profiles]
  path = /srv/samba/Profiles/
+
        path = /srv/samba/Profiles/
  read only = no
+
        read only = no
  store dos attributes = Yes
+
        store dos attributes = Yes
  create mask = 0600
+
        create mask = 0600
  directory mask = 0700
+
        directory mask = 0700
  profile acls = yes
+
        profile acls = yes
  csc policy = disable
+
        csc policy = disable
 +
 
 +
:See the smb.conf man page for further details on the uses parameters.
  
 
* Reload Samba:
 
* Reload Samba:
 +
 
  # smbcontrol all reload-config
 
  # smbcontrol all reload-config
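Review bot: In the POSIX section, the reworded step "set the following ACLs" is followed only by chmod 1770 and chgrp, which set mode bits and group ownership rather than ACL entries; the previous wording "set permissions" matched the commands. The added sentence "further details on the uses parameters" should read "used parameters". This region also removes the note that "Domain Users" can be replaced with another group, which is worth keeping or mentioning in the edit summary.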
  
Line 88: Line 76:
  
  
= Configuring roaming profiles for a user =
+
= Setting roaming profiles for a user =
  
 
== In an AD environment ==
 
== In an AD environment ==
Line 94: Line 82:
 
In an AD environment, you can setup individual roaming profiles for every user.
 
In an AD environment, you can setup individual roaming profiles for every user.
  
* Open ADUC.
+
* Open ADUC
  
* Right-click to an user account and choose „Properties“.
+
* Right-click to an user account and choose "Properties"
  
* Go to the „Profile“ tab, and fill the path to the users profile.
+
* Go to the "Profile" tab and fill the path with the one to the users profile
  
 
:[[Image:ADUC_profile_share.png]]
 
:[[Image:ADUC_profile_share.png]]
  
:If you use the %USERNAME% variable, you can set the profile path to multiple accounts at once, too.
+
:Using the windows variable %USERNAME% allows setting profile paths on multiple accounts at once
  
:Windows Vista up to Windows 8.0 create .V2 folders for their profiles. Windows 8.1 starts using .V4 folders and Windows 10 .V5. This is appended automatically if a profile from those systems is uploaded to the server.
+
:Note: Newer Windows version use different profile version, that are indicated by an appended .V* (like username.V5 for Windows 10 profiles). You only fill the path to the users base profile folder here. The version is appended automatically by Windows!
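Review bot: The replacement note on profile versions drops the concrete mapping the old text gave (.V2 for Windows Vista up to 8.0, .V4 for 8.1, .V5 for Windows 10) and keeps only the username.V5 example, so an administrator can no longer tell from the page which folder suffix to expect on the share for each client version. Consider keeping the list alongside the new wording. The new lines also need a grammar pass: "Newer Windows version use different profile version" should be plural, and "Right-click to an user account" should be "Right-click a user account".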
  
  
Line 110: Line 98:
 
=== In a NT4 domain ===
 
=== In a NT4 domain ===
  
In a NT4 environment, you can setup roaming profiles globally for all users on the Samba PDC.
+
In a NT4 environment, you can only setup roaming profiles globally for all users on the Samba PDC.
  
 
* Add the following directive to your smb.conf:
 
* Add the following directive to your smb.conf:
Line 118: Line 106:
 
:The logon path directive is where you actually set up roaming profiles. This directive should contain a Windows network path to the location of the profile for each user. If the users profile directory does not exist, it will be created on that location (as long as the user has write access to that directory).
 
:The logon path directive is where you actually set up roaming profiles. This directive should contain a Windows network path to the location of the profile for each user. If the users profile directory does not exist, it will be created on that location (as long as the user has write access to that directory).
  
:You can also take full advantage of Samba's variable substitutions (see „man smb.conf“ in the „variable substitutions“ section).
+
:You can also take full advantage of Samba's variable substitutions (see the "variable substitutions" section of the smb.conf man page).
  
 
* Reload Samba:
 
* Reload Samba:

Revision as of 16:59, 31 October 2015

Introduction

Roaming profiles are settings stored on the server that are "downloaded" to a Windows host when the user logs on and "uploaded" back to the server at log off. For more details about roaming profiles, see the same-titled section on the The different Windows profile types page.

A roaming profile share can be set up in two ways: using Windows ACLs (recommended) or via POSIX ACLs.


Creating a profiles share and setting permissions

Profile share using Windows ACLs

  • Set up a share named "Profiles" according to the documentation Shares with Windows ACLs
  • Set the following ACLs on the root of the Profiles share according to Set Windows ACLs on the root of a share
  • Click "Advanced" and then the "Change permissions" button for a more granular way to edit the share permissions
  • Set the permissions as shown in the following table

| Name | Permissions | Apply to |
|---|---|---|
| Administrator | Full control | This folder, subfolders and files |
| Domain Users | Traverse folder/execute file, List folder/read data, Create folder/append data | This folder only |
| CREATOR OWNER | Full control | Subfolders and files only |

These settings allow profile folders to be created automatically for users who are members of "Domain Users", while preventing them from accessing any other user's profile. The domain administrator has full control over all profile folders.
  • Save the new permissions by closing the windows with "OK".


Profile share using POSIX ACLs

  • Create a folder for the roaming profiles and set the following ACLs
# mkdir -p /srv/samba/Profiles/
# chmod 1770 /srv/samba/Profiles/
# chgrp "Domain Users" /srv/samba/Profiles/
  • Add the Profiles share to your smb.conf
[Profiles]
       path = /srv/samba/Profiles/
       read only = no
       store dos attributes = Yes
       create mask = 0600
       directory mask = 0700
       profile acls = yes
       csc policy = disable
See the smb.conf man page for further details on the parameters used.
  • Reload Samba:
# smbcontrol all reload-config
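
To verify the result on the server, the following added example (not part of the original wiki page) checks the share root and each profile folder against the modes used above. It assumes GNU stat; `audit_profiles` is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example: audit a profile share created with the POSIX commands above.
# Assumes GNU stat (-c). audit_profiles is a hypothetical helper name.
# Usage: audit_profiles /srv/samba/Profiles "Domain Users"
# Prints one finding per line; returns 0 if clean, 1 if anything was found.

audit_profiles() {
    local root="${1%/}"
    local group="${2:-Domain Users}"
    local rc=0 mode owner_group dir

    if [ ! -d "$root" ]; then
        echo "MISSING: $root is not a directory"
        return 1
    fi

    # Share root: chmod 1770 = sticky bit, rwx for owner and group, none for others.
    mode=$(stat -c '%a' "$root")
    if [ "$mode" != "1770" ]; then
        echo "ROOT-MODE: $root is $mode, expected 1770"
        rc=1
    fi

    # Share root group: chgrp "Domain Users".
    owner_group=$(stat -c '%G' "$root")
    if [ "$owner_group" != "$group" ]; then
        echo "ROOT-GROUP: $root has group '$owner_group', expected '$group'"
        rc=1
    fi

    # Profile folders: "directory mask = 0700" leaves no group/other bits, so any
    # bit under octal 077 means accounts other than the owner may reach the profile.
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        mode=$(stat -c '%a' "$dir")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "PROFILE-MODE: ${dir%/} is $mode, group/other bits are set"
            rc=1
        fi
    done
    return "$rc"
}

# Run the audit when the script is called with arguments.
if [ "$#" -gt 0 ]; then
    audit_profiles "$@"
fi
```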



Setting roaming profiles for a user

In an AD environment

In an AD environment, you can set up individual roaming profiles for every user.

  • Open ADUC
  • Right-click a user account and choose "Properties"
  • Go to the "Profile" tab and enter the path to the user's profile
Using the Windows variable %USERNAME% allows setting profile paths on multiple accounts at once.
Note: Newer Windows versions use different profile versions, which are indicated by an appended .V* (like username.V5 for Windows 10 profiles). Enter only the path to the user's base profile folder here. The version is appended automatically by Windows!


In a NT4 domain

In an NT4 environment, you can only set up roaming profiles globally for all users on the Samba PDC.

  • Add the following directive to your smb.conf:
logon path = \\%L\Profiles\%U
The logon path directive is where you actually set up roaming profiles. This directive should contain a Windows network path to the location of the profile for each user. If the user's profile directory does not exist, it will be created at that location (as long as the user has write access to that directory).
You can also take full advantage of Samba's variable substitutions (see the "variable substitutions" section of the smb.conf man page).
  • Reload Samba:
# smbcontrol all reload-config



Troubleshooting roaming profiles

The registry contains information about each user's profile. If your Samba infrastructure changes, for example the network location of the users' profiles, Windows might be unable to find a profile. The list of user profiles is located at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Deleting the correct subkey (user SID) will force Windows to look up the user's profile setting from the domain controller and restore the profile when the next login happens.