Roaming Windows User Profiles
Microsoft Windows User Profiles
Every user on your network prefers to work on their computer in a different ways. Some users prefer certain settings one way, others prefer it another way. An operating system's job is to retain these user's settings without clobbering other user's settings.
In the Unix/Linux world, these systems provide "Home Directories" for it's users. These "Home Directories" store all of the program settings, documents, and other files for each individual user. It is trivial to offer "Network Wide" home directories for all of your users using NFS (Network File System). When properly implemented, this system is transparent to the user and provides a nice way to centralize data storage and allow any user to log into any workstation using their own preferences and settings and have all of their data readily available.
In the Microsoft Windows world, these systems provide "User Profiles" for all of it's users settings. These "User Profiles" store all the registry settings, program settings, documents and other files for each individual user. Unfortunately, sometimes it is not trivial to offer "Network Wide" user profiles for all of your users.
To help maintain your sanity (and to help you keep your job), these wikis will focus on the wonderful world of Microsoft's User Profiles. They will cover how profiles work, the different options you have in implementing profiles, how to configure Samba for "Network-Side (Roaming) Profiles" or "Local Profiles", and various tips and tricks to get the most out of user profiles.
Windows Profile Basics
Implementing Local Profiles with Samba
The easiest type of profile to implement with Samba is the Local Profile. Local Profiles are stored on each individual computer and are not centrally located on a server. To utilize Local Profiles simply set the following directives to nothing:
- logon path =
- logon home =
NOTE: When using Local Profiles, Samba's "logon drive" directive has no meaning. If you still want the user's home directory on a Samba server set to a drive letter, you must set it with a Logon Script.
Even though local profiles are stored on the User's computer, it is still a good idea to redirect certain folders within their profile to a Samba Share, such as the "Documents" folder. To do this see the wiki article on implementing Windows Policies.
Implementing Roaming Profiles with Samba
To implement Roaming Profiles with Samba a few things must happen. First you must create a share to store these profiles, then you must set a few Samba directives to enable roaming profiles.
NOTE: You can theoretically store profiles within the users home directory, unfortunately Windows does not release a share immediately after logging out. So if you do store user's profiles within the home directories and another user logs into a machine immediately after another user logs out, the newly logged in user could invariably use the other users profile resulting in a possible security issue, as well as other issues. It is best to simply store all of the user profiles within a separate Samba share.
To create a Samba share to use for your user's profiles simply add something similar to your share section of the smb.conf file:
- comment = Network Profiles Share
- path = /srv/samba/profiles
- read only = No
- store dos attributes = Yes
- create mask = 0600
- directory mask = 0700
- browseable = no
- guest ok = no
- printable = no
- hide files = /desktop.ini/outlook*.lnk/*Briefcase*/
Then ensure that everyone has write access to the directory listed as the path:
- chmod o+rw /srv/samba/profiles
Setting relevant directives for Roaming Profiles
The smb.conf settings required to use Roaming Profiles by default are:
- logon path = \\%L\profiles\%U
- logon home = \\%L\%U\.9xprofile
- logon drive = P:
The logon home directive is only used if you have any Windows 9x based machines on your Domain, otherwise it does not need to be set. The logon drive specifies the Drive Letter Windows will assign your home directory, this alleviates the need to create a logon script that essentially would do the same thing.
The logon path directive is where you actually setup roaming profiles. This directive should contain a Windows Network path to the location of the profile for each user. If the user's profile directory does not exist, one will be created at that location (as long as the user has write access to that directory).
You can also take full advantage of Samba's Variable Substitutions and further separate User's profiles, such as by architecture. Using the directive:
- logon path = \\%L\profiles\%U\%a
will separate the user's profiles relating to each version of Windows, such as WinXP, WinNT, etc. This is extremely helpful if you have users that jump from computer to computer that have different versions of Windows on them. This can solve a whole slew of problems relating to the registry on different versions of Windows, especially when running different version of Internet Explorer. Separating profiles in this way can be a very powerful feature, especially when you include Folder Redirection into the mix.