Roaming Windows User Profiles

From SambaWiki
Revision as of 00:19, 11 March 2017 by Mmuehlfeld (talk | contribs) (Mmuehlfeld moved page Implementing roaming profiles to Roaming Windows User Profiles: Rename to a better fitting title)


Roaming profiles are settings stored on the server that are "downloaded" to a Windows host when the user logs on and "uploaded" back to the server at log off. For more details about roaming profiles, see the same-titled section on the "The different Windows profile types" page.

A roaming profile share can be set up in two ways: using Windows ACLs (recommended) or using POSIX ACLs.

Creating a profiles share and setting permissions

Profile share using Windows ACLs

  • Set the following ACLs on the root of the Profiles share according to "Setting Share Permissions and ACLs" on the "Setting up a Share Using Windows ACLs" page.
  • Click "Advanced" and then the "Change permissions" button for a more granular way to edit the share permissions
  • Set the permissions as shown in the following table
Name | Permissions | Apply to
Administrator | Full control | This folder, subfolders and files
Domain Users | Traverse folder/execute file, List folder/read data, Create folder/append data | This folder only
CREATOR OWNER | Full control | Subfolders and files only
On a Samba share, you can omit the SYSTEM account in the file system ACLs. For details, see The SYSTEM Account.
The above settings allow the auto-creation of new profile folders for users who are members of "Domain Users", while preventing them from accessing any other user's profile. The domain administrator has full control over all profile folders.
  • Save the new permissions by closing the windows with "OK".

Profile share using POSIX ACLs

  • Create a folder for the roaming profiles and set the following ACLs
# mkdir -p /srv/samba/Profiles/
# chmod 1770 /srv/samba/Profiles/
# chgrp "Domain Users" /srv/samba/Profiles/
  • Add the Profiles share to your smb.conf
[Profiles]
       path = /srv/samba/Profiles/
       read only = no
       store dos attributes = Yes
       create mask = 0600
       directory mask = 0700
       profile acls = yes
       csc policy = disable
See the smb.conf man page for further details on the parameters used.
  • Reload Samba:
# smbcontrol all reload-config
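
To confirm the POSIX permissions from the steps above are in place, and stay in place after profile folders have been auto-created, the following audit function can be run on the server. It is an added example, not part of the original wiki page or of Samba; the function name audit_profiles and the finding labels are made up for illustration, it assumes GNU stat, and it checks mode bits only (not extended POSIX ACLs).

```shell
#!/bin/sh
# audit_profiles ROOT [GROUP]   (hypothetical helper, not a Samba tool)
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on error.
audit_profiles() {
    root=$1; want_group=${2:-}; findings=0

    # Share root must be 1770: sticky bit, rwx for owner and group, no "other".
    mode=$(stat -c '%a' "$root") || return 2
    if [ "$mode" != "1770" ]; then
        echo "ROOT_MODE $root is $mode, expected 1770"
        findings=$((findings + 1))
    fi

    # Optional group check (the page uses "Domain Users").
    if [ -n "$want_group" ]; then
        group=$(stat -c '%G' "$root")
        if [ "$group" != "$want_group" ]; then
            echo "ROOT_GROUP $root is '$group', expected '$want_group'"
            findings=$((findings + 1))
        fi
    fi

    # Per-user folders should carry no group/other bits, matching
    # "directory mask = 0700"; anything else lets other users in.
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        dmode=$(stat -c '%a' "$dir")
        if [ $(( 0$dmode & 077 )) -ne 0 ]; then
            echo "PROFILE_MODE ${dir%/} is $dmode, group/other access present"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}

# Constructed demo tree (not real data): one correct folder, one too-open folder.
demo=$(mktemp -d) && chmod 1770 "$demo"
mkdir -m 700 "$demo/alice" && mkdir -m 755 "$demo/bob"
audit_profiles "$demo" || echo "findings reported above"
rm -rf "$demo"
```

On a real server, call it as audit_profiles /srv/samba/Profiles "Domain Users" and treat any output as a deviation from the setup described here.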

Setting roaming profiles for a user

In an AD environment

In an AD environment, you can set up individual roaming profiles for every user.

  • Open ADUC
  • Right-click a user account and choose "Properties"
  • Go to the "Profile" tab and fill in the path to the user's profile
Using the Windows variable %USERNAME% allows setting profile paths on multiple accounts at once.
Note: Newer Windows versions use different profile versions, which are indicated by an appended .V* (like username.V5 for Windows 10 profiles). Fill in only the path to the user's base profile folder here. The version is appended automatically by Windows!

In a NT4 domain

In an NT4 environment, you can only set up roaming profiles globally for all users on the Samba PDC.

  • Add the following directive to your smb.conf:
logon path = \\%L\Profiles\%U
The logon path directive is where you actually set up roaming profiles. This directive should contain a Windows network path to the location of the profile for each user. If the user's profile directory does not exist, it will be created at that location (as long as the user has write access to that directory).
You can also take full advantage of Samba's variable substitutions (see the "variable substitutions" section of the smb.conf man page).
  • Reload Samba:
# smbcontrol all reload-config

Troubleshooting roaming profiles

The registry contains information about each user's profile. Should your Samba infrastructure change, for example the network location of users' profiles, Windows might be unable to find them. The list of user profiles is located at:


Deleting the correct subkey (user SID) will force Windows to look up the user's profile setting from the domain controller and restore the profile when the next login happens.