Roaming Windows User Profiles

From SambaWiki
Revision as of 06:36, 8 September 2015 by Hortimech (talk | contribs) (→‎Profile share with using POSIX ACLs: change capital P to lowercase p)

Creating a profiles share and setting permissions

The following sections describe how to set up a profile share stored on a Samba server.

There are different ways to set up the share, depending on whether you use Windows ACLs (recommended) or POSIX ACLs:



Profile share using Windows ACLs

  • Create a folder for the roaming profiles. Note: these commands must be run as the 'root' user or with 'sudo'.
# mkdir -p /srv/samba/Profiles/
  • Add a new share to your smb.conf:
[profiles]
     path = /srv/samba/Profiles/
     read only = no
  • Reload Samba:
# smbcontrol all reload-config
  • Log on to a Windows machine as Domain Administrator
  • Go to "\\Servername". You'll see the newly added share.
  • Right-click the share name, choose "Properties" and go to the "Security" tab.
  • Click "Advanced" and then the "Change permissions" button for a more granular way to edit the share permissions.
  • Set the permissions as shown in the following table:
Name          | Permissions                                                                      | Apply to
Administrator | Full control                                                                     | This folder, subfolders and files
Domain Users  | Traverse folder/execute file, List folder/read data, Create folder/append data   | This folder only
CREATOR OWNER | Full control                                                                     | Subfolders and files only
You can replace "Domain Users" with another group name if you want to use that group to store profiles on the share. You can also add multiple groups; give each one the same permissions recommended for "Domain Users".
  • Save the new permissions by closing the windows with "OK".


Profile share using POSIX ACLs

  • Create a folder for the roaming profiles and set permissions
# mkdir -p /srv/samba/profiles/
# chmod 1770 /srv/samba/profiles
# chgrp "Domain Users" /srv/samba/profiles
  • Add a new share to your smb.conf:
[profiles]
 path = /srv/samba/profiles/
 read only = no
 store dos attributes = Yes
 create mask = 0600
 directory mask = 0700
 profile acls = yes
 csc policy = disable
  • Reload Samba:
# smbcontrol all reload-config
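
An added example, not part of the wiki page: a shell function that checks an existing profiles directory against the modes configured above (1770 on the root, 0700/0600 below it). It assumes GNU stat and find; the function name audit_profiles and the finding labels are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the wiki). Audits a POSIX-ACL profiles share against
# the modes used above: root 1770, nothing below it open to group or other.
# Assumptions: GNU stat and find; audit_profiles is a hypothetical name.
# Usage: sh audit_profiles.sh /srv/samba/profiles "Domain Users"

# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on error.
# The body is a subshell so its variables do not leak into the caller.
audit_profiles() (
    root=$1
    want_group=${2:-}
    rc=0

    mode=$(stat -c '%a' "$root") || return 2
    # 1770: group members may create their profile directory, the sticky bit
    # stops them renaming or deleting someone else's, and "other" gets nothing.
    if [ "$mode" != "1770" ]; then
        echo "ROOT_MODE $mode (expected 1770) $root"
        rc=1
    fi

    # Optional: the group that owns the root (chgrp "Domain Users" above).
    if [ -n "$want_group" ]; then
        group=$(stat -c '%G' "$root") || return 2
        if [ "$group" != "$want_group" ]; then
            echo "ROOT_GROUP $group (expected $want_group) $root"
            rc=1
        fi
    fi

    # create mask = 0600 and directory mask = 0700 mean no entry below the
    # root should carry group or other bits. Symlinks always show 777, skip them.
    loose=$(find "$root" -mindepth 1 ! -type l -perm /077 \
        -exec stat -c 'LOOSE_PERMS %a %n' {} +) || return 2
    if [ -n "$loose" ]; then
        echo "$loose"
        rc=1
    fi
    return "$rc"
)

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_profiles "$@"
fi
```

A LOOSE_PERMS finding on a profile directory means other members of the group, or everyone, can reach that user's files.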

Configuring roaming profiles for a user

In an AD environment

In an AD environment, you can set up individual roaming profiles for every user.

  • Open ADUC.
  • Right-click a user account and choose "Properties".
  • Go to the "Profile" tab, and fill in the path to the user's profile.
If you use the %USERNAME% variable, you can also set the profile path for multiple accounts at once.
Windows Vista up to Windows 8.0 create .V2 folders for their profiles. Windows 8.1 starts using .V4 folders and Windows 10 .V5. This is appended automatically if a profile from those systems is uploaded to the server.


In an NT4 domain

In an NT4 environment, you can set up roaming profiles globally for all users on the Samba PDC.

  • Add the following directive to your smb.conf:
logon path = \\%L\Profiles\%U
The logon path directive is where you actually set up roaming profiles. This directive should contain a Windows network path to the location of the profile for each user. If the user's profile directory does not exist, it will be created at that location (as long as the user has write access to that directory).
You can also take full advantage of Samba's variable substitutions (see "man smb.conf", section "variable substitutions").
  • Reload Samba:
# smbcontrol all reload-config



Troubleshooting roaming profiles

The registry contains information about each user's profile. If your Samba infrastructure changes, for example the network location of the users' profiles, Windows might be unable to find them. The list of user profiles is located at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Deleting the correct subkey (user SID) will force Windows to look up the user's profile setting from the domain controller and restore the profile when the next login happens.