Roaming Windows User Profiles: Difference between revisions

From SambaWiki
m (Fix heading)
m (Updated links)
Line 11: Line 11:
== Profile share using Windows ACLs ==
== Profile share using Windows ACLs ==


* Setup a share named "Profiles" according to the documentation [[Shares_with_Windows_ACLs|Shares with Windows ACLs]]
* Setup a share named "Profiles" according to the documentation [[Setting_up_a_Share_Using_Windows_ACLs]]


* Set the following ACLs on the root of the Profiles share according to [[Shares_with_Windows_ACLs#Set_ACLs_on_the_root_of_a_share|Set ACLs on the root of a share]]
* Set the following ACLs on the root of the Profiles share according to [[Setting_up_a_Share_Using_Windows_ACLs#Set_ACLs_on_the_root_of_a_share|Set ACLs on the root of a share]]


:* Click "Advanced" and then the "Change permissions" button for a more granular way to edit the share permissions
:* Click "Advanced" and then the "Change permissions" button for a more granular way to edit the share permissions
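Review bot: the first changed bullet now links with [[Setting_up_a_Share_Using_Windows_ACLs]] and drops the display text that the old revision had (|Shares with Windows ACLs), so the link text is shown as typed, underscores included. The second changed bullet keeps its display text. Suggest [[Setting_up_a_Share_Using_Windows_ACLs|Setting up a Share Using Windows ACLs]] so both bullets read consistently.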

Revision as of 16:00, 7 January 2017

Introduction

Roaming profiles are settings stored on the server that are "downloaded" to a Windows host when the user logs on and "uploaded" back to the server at log off. For more details about roaming profiles, see the same-titled section on the "The different Windows profile types" page.

A roaming profile share can be set up in two ways: using Windows ACLs (recommended) or using POSIX ACLs.


Creating a profiles share and setting permissions

Profile share using Windows ACLs

  • Set up a share named "Profiles" according to the documentation "Setting up a Share Using Windows ACLs"
  • Set the following ACLs on the root of the Profiles share according to "Set ACLs on the root of a share"
  • Click "Advanced" and then the "Change permissions" button for a more granular way to edit the share permissions
  • Set the permissions as shown in the following table

| Name | Permissions | Apply to |
|---|---|---|
| Administrator | Full control | This folder, subfolders and files |
| Domain Users | Traverse folder/execute file, List folder/read data, Create folder/append data | This folder only |
| CREATOR OWNER | Full control | Subfolders and files only |

These settings allow profile folders to be created automatically for users who are members of "Domain Users", while preventing them from accessing the profile of any other user. The domain administrator has full control over all profile folders.
  • Save the new permissions by closing the windows with "OK".


Profile share using POSIX ACLs

  • Create a folder for the roaming profiles and set the following ACLs
# mkdir -p /srv/samba/Profiles/
# chmod 1770 /srv/samba/Profiles/
# chgrp "Domain Users" /srv/samba/Profiles/
  • Add the Profiles share to your smb.conf
[Profiles]
       path = /srv/samba/Profiles/
       read only = no
       store dos attributes = Yes
       create mask = 0600
       directory mask = 0700
       profile acls = yes
       csc policy = disable
See the smb.conf man page for further details on the parameters used.
  • Reload Samba:
# smbcontrol all reload-config
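
The POSIX setup above depends on the share root staying at mode 1770 with the right group, and on every profile folder staying closed to group and others (the effect of "directory mask = 0700"). The following check is an added example, not part of the Samba wiki; the function name audit_profiles is hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the Samba wiki. audit_profiles is a hypothetical name.
# Usage: audit_profiles /srv/samba/Profiles "Domain Users"
# Returns 0 if clean, 1 if findings were printed, 2 if the root is unreadable.
# Only classic mode bits are checked; extended POSIX ACLs (getfacl) are not.
audit_profiles() {
    root=$1
    group=$2
    rc=0

    # The share root must match "chmod 1770": sticky bit set, rwx for
    # owner and group, nothing for others.
    mode=$(stat -c '%a' "$root") || return 2
    if [ "$mode" != "1770" ]; then
        echo "$root: mode $mode, expected 1770"
        rc=1
    fi

    # The group must be the one given to chgrp (may contain spaces).
    grp=$(stat -c '%G' "$root")
    if [ "$grp" != "$group" ]; then
        echo "$root: group '$grp', expected '$group'"
        rc=1
    fi

    # Each profile folder (for example username.V5) must carry no
    # group or other permission bits.
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        m=$(stat -c '%a' "$dir")
        if [ $(( 0$m & 077 )) -ne 0 ]; then
            echo "${dir%/}: mode $m grants access to group or others"
            rc=1
        fi
    done
    return "$rc"
}
```

Run it as root on the file server after creating the share and again after the first users have logged on, since the per-user folders only exist once Windows has created them.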



Setting roaming profiles for a user

In an AD environment

In an AD environment, you can set up individual roaming profiles for every user.

  • Open ADUC
  • Right-click a user account and choose "Properties"
  • Go to the "Profile" tab and enter the path to the user's profile
Using the Windows variable %USERNAME% allows setting profile paths on multiple accounts at once.
Note: Newer Windows versions use different profile versions, which are indicated by an appended .V* (like username.V5 for Windows 10 profiles). Enter only the path to the user's base profile folder here. Windows appends the version automatically!


In an NT4 domain

In an NT4 environment, you can only set up roaming profiles globally for all users on the Samba PDC.

  • Add the following directive to your smb.conf:
logon path = \\%L\Profiles\%U
The logon path directive is where you actually set up roaming profiles. This directive should contain a Windows network path to the location of the profile for each user. If the user's profile directory does not exist, it will be created at that location (as long as the user has write access to that directory).
You can also take full advantage of Samba's variable substitutions (see the "variable substitutions" section of the smb.conf man page).
  • Reload Samba:
# smbcontrol all reload-config



Troubleshooting roaming profiles

The registry contains information about each user's profile. If your Samba infrastructure changes, for example the network location of the users' profiles, Windows might be unable to find them. The list of user profiles is located at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Deleting the correct subkey (user SID) will force Windows to look up the user's profile setting from the domain controller and restore the profile when the next login happens.