| 1 | <?xml version="1.0" encoding="iso-8859-1"?> | 
|---|
| 2 | <!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> | 
|---|
| 3 | <chapter id="ProfileMgmt"> | 
|---|
| 4 | <chapterinfo> | 
|---|
| 5 | &author.jht; | 
|---|
| 6 | <pubdate>April 3 2003</pubdate> | 
|---|
| 7 | </chapterinfo> | 
|---|
| 8 |  | 
|---|
| 9 | <title>Desktop Profile Management</title> | 
|---|
| 10 |  | 
|---|
| 11 | <sect1> | 
|---|
| 12 | <title>Features and Benefits</title> | 
|---|
| 13 |  | 
|---|
| 14 | <para> | 
|---|
| 15 | <indexterm><primary>roaming profiles</primary></indexterm> | 
|---|
| 16 | Roaming profiles are feared by some, hated by a few, loved by many, and a godsend for | 
|---|
| 17 | some administrators. | 
|---|
| 18 | </para> | 
|---|
| 19 |  | 
|---|
| 20 | <para> | 
|---|
| 21 | <indexterm><primary>manage roaming profiles</primary></indexterm> | 
|---|
| 22 | Roaming profiles allow an administrator to make available a consistent user desktop | 
|---|
| 23 | as the user moves from one machine to another. This chapter provides much information | 
|---|
| 24 | regarding how to configure and manage roaming profiles. | 
|---|
| 25 | </para> | 
|---|
| 26 |  | 
|---|
| 27 | <para> | 
|---|
| 28 | <indexterm><primary>local profiles</primary></indexterm> | 
|---|
| 29 | While roaming profiles might sound like nirvana to some, they are a real and tangible | 
|---|
| 30 | problem to others. In particular, users of mobile computing tools, where often there may not | 
|---|
| 31 | be a sustained network connection, are often better served by purely local profiles. | 
|---|
| 32 | This chapter provides information to help the Samba administrator deal with those | 
|---|
| 33 | situations. | 
|---|
| 34 | </para> | 
|---|
| 35 |  | 
|---|
| 36 | </sect1> | 
|---|
| 37 |  | 
|---|
| 38 | <sect1> | 
|---|
| 39 | <title>Roaming Profiles</title> | 
|---|
| 40 |  | 
|---|
| 41 | <warning> | 
|---|
| 42 | <para> | 
|---|
| 43 | Roaming profiles support is different for Windows 9x/Me and Windows NT4/200x. | 
|---|
| 44 | </para> | 
|---|
| 45 | </warning> | 
|---|
| 46 |  | 
|---|
| 47 | <para> | 
|---|
| 48 | Before discussing how to configure roaming profiles, it is useful to see how | 
|---|
| 49 | Windows 9x/Me and Windows NT4/200x clients implement these features. | 
|---|
| 50 | </para> | 
|---|
| 51 |  | 
|---|
| 52 | <para> | 
|---|
| 53 | <indexterm><primary>NetUserGetInfo</primary></indexterm> | 
|---|
| 54 | Windows 9x/Me clients send a NetUserGetInfo request to the server to get the user's | 
|---|
| 55 | profiles location. However, the response does not have room for a separate | 
|---|
| 56 | profiles location field, only the user's home share. This means that Windows 9x/Me | 
|---|
| 57 | profiles are restricted to being stored in the user's home directory. | 
|---|
| 58 | </para> | 
|---|
| 59 |  | 
|---|
| 60 |  | 
|---|
| 61 | <para> | 
|---|
| 62 | <indexterm><primary>NetSAMLogon</primary></indexterm> | 
|---|
| 63 | <indexterm><primary>RPC</primary></indexterm> | 
|---|
| 64 | Windows NT4/200x clients send a NetSAMLogon RPC request, which contains many fields | 
|---|
| 65 | including a separate field for the location of the user's profiles. | 
|---|
| 66 | </para> | 
|---|
| 67 |  | 
|---|
| 68 | <sect2> | 
|---|
| 69 | <title>Samba Configuration for Profile Handling</title> | 
|---|
| 70 |  | 
|---|
| 71 | <para> | 
|---|
| 72 | This section documents how to configure Samba for MS Windows client profile support. | 
|---|
| 73 | </para> | 
|---|
| 74 |  | 
|---|
| 75 | <sect3> | 
|---|
| 76 | <title>NT4/200x User Profiles</title> | 
|---|
| 77 |  | 
|---|
| 78 | <para> | 
|---|
| 79 | For example, to support Windows NT4/200x clients, set the following in the [global] section of the &smb.conf; file: | 
|---|
| 80 | </para> | 
|---|
| 81 |  | 
|---|
| 82 | <smbconfblock> | 
|---|
| 83 | <smbconfoption name="logon path"> \\profileserver\profileshare\profilepath\%U\moreprofilepath</smbconfoption> | 
|---|
| 84 | </smbconfblock> | 
|---|
| 85 |  | 
|---|
| 86 | <para> | 
|---|
| 87 | This is typically implemented like: | 
|---|
| 88 | <smbconfblock> | 
|---|
| 89 | <smbconfoption name="logon path">\\%L\Profiles\%U</smbconfoption> | 
|---|
| 90 | </smbconfblock> | 
|---|
| 91 | where <quote>%L</quote> translates to the name of the Samba server and <quote>%U</quote> translates to the username. | 
|---|
| 92 | </para> | 
|---|
| 93 |  | 
|---|
| 94 | <para> | 
|---|
| 95 | The default for this option is <filename>\\%N\%U\profile</filename>, namely, <filename>\\sambaserver\username\profile</filename>. | 
|---|
| 96 | The <filename>\\%N\%U</filename> service is created automatically by the [homes] service. If you are using | 
|---|
| 97 | a Samba server for the profiles, you must make the share that is specified in the logon path | 
|---|
| 98 | browseable. Please refer to the man page for &smb.conf; regarding the different | 
|---|
| 99 | semantics of <quote>%L</quote> and <quote>%N</quote>, as well as <quote>%U</quote> and <quote>%u</quote>. | 
|---|
| 100 | </para> | 
|---|
| 101 |  | 
|---|
| 102 | <note><para> | 
|---|
| 103 | <indexterm><primary>logons</primary></indexterm> | 
|---|
| 104 | <indexterm><primary>disconnect a connection</primary></indexterm> | 
|---|
| 105 | MS Windows NT/200x clients at times do not disconnect a connection to a server between logons. It is recommended | 
|---|
| 106 | to not use the <smbconfsection name="homes"/> metaservice name as part of the profile share path. | 
|---|
| 107 | </para></note> | 
|---|
| 108 | </sect3> | 
|---|
| 109 |  | 
|---|
| 110 | <sect3> | 
|---|
| 111 | <title>Windows 9x/Me User Profiles</title> | 
|---|
| 112 |  | 
|---|
| 113 | <para> | 
|---|
| 114 | <indexterm><primary>net use /home</primary></indexterm> | 
|---|
| 115 | <indexterm><primary>logon home</primary></indexterm> | 
|---|
| 116 | To support Windows 9x/Me clients, you must use the <smbconfoption name="logon home"/> | 
|---|
| 117 | parameter. Samba has been fixed so <userinput>net use /home</userinput> now works as well and it, too, relies | 
|---|
| 118 | on the <parameter>logon home</parameter> parameter. | 
|---|
| 119 | </para> | 
|---|
| 120 |  | 
|---|
| 121 | <para> | 
|---|
| 122 | <indexterm><primary>logon home</primary></indexterm> | 
|---|
| 123 | <indexterm><primary>\\%L\%U\.profiles</primary></indexterm> | 
|---|
| 124 | <indexterm><primary>.profiles</primary></indexterm> | 
|---|
| 125 | By using the <parameter>logon home</parameter> parameter, you are restricted to putting Windows 9x/Me profiles | 
|---|
| 126 | in the user's home directory.  But wait! There is a trick you can use. If you set the following in the | 
|---|
| 127 | <smbconfsection name="[global]"/> section of your &smb.conf; file: | 
|---|
| 128 | <smbconfblock> | 
|---|
| 129 | <smbconfoption name="logon home">\\%L\%U\.profiles</smbconfoption> | 
|---|
| 130 | </smbconfblock> | 
|---|
| 131 | then your Windows 9x/Me clients will dutifully put their profiles in a subdirectory | 
|---|
| 132 | of your home directory called <filename>.profiles</filename> (making them hidden). | 
|---|
| 133 | </para> | 
|---|
| 134 |  | 
|---|
| 135 | <para> | 
|---|
| 136 | <indexterm><primary>net use /home</primary></indexterm> | 
|---|
| 137 | Not only that, but <userinput>net use /home</userinput> will also work because of a feature in | 
|---|
| 138 | Windows 9x/Me. It strips any trailing directory components from the home directory path | 
|---|
| 139 | and uses only the server and share portion. That is, it behaves as if you had | 
|---|
| 140 | specified <filename>\\%L\%U</filename> for <smbconfoption name="logon home"/>. | 
|---|
| 141 | </para> | 
|---|
| 142 | </sect3> | 
|---|
| 143 |  | 
|---|
| 144 | <sect3> | 
|---|
| 145 | <title>Mixed Windows 9x/Me and NT4/200x User Profiles</title> | 
|---|
| 146 |  | 
|---|
| 147 | <para> | 
|---|
| 148 | You can support profiles for Windows 9x and Windows NT clients by setting both the | 
|---|
| 149 | <smbconfoption name="logon home"/> and <smbconfoption name="logon path"/> parameters. For example, | 
|---|
| 150 | </para> | 
|---|
| 151 |  | 
|---|
| 152 | <para><smbconfblock> | 
|---|
| 153 | <smbconfoption name="logon home">\\%L\%U\.profiles</smbconfoption> | 
|---|
| 154 | <smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption> | 
|---|
| 155 | </smbconfblock></para> | 
|---|
| 156 |  | 
|---|
| 157 | <para> | 
|---|
| 158 | <indexterm><primary>mixed profile</primary></indexterm> | 
|---|
| 159 | Windows 9x/Me and NT4 and later profiles should not be stored in the same location because | 
|---|
| 160 | Windows NT4 and later will experience problems with mixed profile environments. | 
|---|
| 161 | </para> | 
|---|
| 162 |  | 
|---|
| 163 | </sect3> | 
|---|
| 164 | <sect3> | 
|---|
| 165 | <title>Disabling Roaming Profile Support</title> | 
|---|
| 166 |  | 
|---|
| 167 | <para> | 
|---|
| 168 | <indexterm><primary>disable roaming profiles</primary></indexterm> | 
|---|
| 169 | The question often asked is, <quote>How may I enforce use of local profiles?</quote> or | 
|---|
| 170 | <quote>How do I disable roaming profiles?</quote> | 
|---|
| 171 | </para> | 
|---|
| 172 |  | 
|---|
| 173 | <para> | 
|---|
| 174 | <indexterm><primary>roaming profiles</primary></indexterm> | 
|---|
| 175 | There are three ways of doing this: | 
|---|
| 176 | </para> | 
|---|
| 177 |  | 
|---|
| 178 | <indexterm><primary>windows registry settings</primary><secondary>roaming profiles</secondary></indexterm> | 
|---|
| 179 |  | 
|---|
| 180 | <variablelist> | 
|---|
| 181 | <varlistentry> | 
|---|
| 182 | <term>In &smb.conf;:</term> | 
|---|
| 183 | <listitem><para> | 
|---|
| 184 | Set the following parameters as shown and ALL clients will be forced to use a local profile: | 
|---|
| 185 | <smbconfoption name="logon home"> </smbconfoption> and <smbconfoption name="logon path"> </smbconfoption> | 
|---|
| 186 | </para> | 
|---|
| 187 |  | 
|---|
| 188 | <para> | 
|---|
| 189 | The arguments to these parameters must be left blank. It is necessary to include the <constant>=</constant> sign | 
|---|
| 190 | to specifically assign the empty value. | 
|---|
| 191 | </para></listitem> | 
|---|
| 192 | </varlistentry> | 
|---|
| 193 |  | 
|---|
| 194 | <varlistentry> | 
|---|
| 195 | <term>MS Windows Registry:</term> | 
|---|
| 196 | <listitem><para> | 
|---|
| 197 | <indexterm><primary>MMC</primary></indexterm> | 
|---|
| 198 | <indexterm><primary>local profile</primary></indexterm> | 
|---|
| 199 | Use the Microsoft Management Console (MMC) <command>gpedit.msc</command> to instruct your MS Windows XP | 
|---|
| 200 | machine to use only a local profile. This, of course, modifies registry settings. The full | 
|---|
| 201 | path to the option is: | 
|---|
| 202 | <screen> | 
|---|
| 203 | Local Computer Policy\ | 
|---|
| 204 | Computer Configuration\ | 
|---|
| 205 | Administrative Templates\ | 
|---|
| 206 | System\ | 
|---|
| 207 | User Profiles\ | 
|---|
| 208 |  | 
|---|
| 209 | Disable: Only Allow Local User Profiles | 
|---|
| 210 | Disable: Prevent Roaming Profile Change from Propagating to the Server | 
|---|
| 211 | </screen> | 
|---|
| 212 | </para></listitem> | 
|---|
| 213 | </varlistentry> | 
|---|
| 214 |  | 
|---|
| 215 | <varlistentry> | 
|---|
| 216 | <term>Change of Profile Type:</term> | 
|---|
| 217 | <indexterm><primary>Profile Type</primary></indexterm> | 
|---|
| 218 | <listitem><para>From the start menu right-click on the <guiicon>My Computer</guiicon> icon, | 
|---|
| 219 | select <guimenuitem>Properties</guimenuitem>, click on the <guilabel>User Profiles</guilabel> | 
|---|
| 220 | tab, select the profile you wish to change from | 
|---|
| 221 | <guimenu>Roaming</guimenu> type to <guimenu>Local</guimenu>, and click on | 
|---|
| 222 | <guibutton>Change Type</guibutton>. | 
|---|
| 223 | </para></listitem> | 
|---|
| 224 | </varlistentry> | 
|---|
| 225 | </variablelist> | 
|---|
| 226 |  | 
|---|
| 227 | <para> | 
|---|
| 228 | Consult the MS Windows registry guide for your particular MS Windows version for more information | 
|---|
| 229 | about which registry keys to change to enforce use of only local user profiles. | 
|---|
| 230 | </para> | 
|---|
| 231 |  | 
|---|
| 232 | <note><para> | 
|---|
| 233 | <indexterm><primary>Windows Resource Kit</primary></indexterm> | 
|---|
| 234 | The specifics of how to convert a local profile to a roaming profile, or a roaming profile | 
|---|
| 235 | to a local one, vary according to the version of MS Windows you are running. Consult the MS | 
|---|
| 236 | Windows Resource Kit for your version of Windows for specific information. | 
|---|
| 237 | </para></note> | 
|---|
| 238 |  | 
|---|
| 239 | </sect3> | 
|---|
| 240 | </sect2> | 
|---|
| 241 |  | 
|---|
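
The parameter combinations described in the section above can be checked mechanically. The following is an added example, not part of the Samba documentation or code: a small lint for the [global] section that distinguishes an unset parameter from an explicitly empty one, flags a logon path that lives on the homes share, and flags logon home and logon path pointing at the same directory. The finding codes, the function names and the folding of %N into %L are assumptions of this example.

```python
import re

# Default "logon path" as documented in this chapter.
DEFAULT_LOGON_PATH = r"\\%N\%U\profile"

def parse_global(conf_text):
    """Return {parameter: value} for [global]. "logon path =" is kept as "".
    Trailing-backslash line continuations are not handled in this example."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names ignore case and the amount of whitespace.
            params[" ".join(name.lower().split())] = value.strip()
    return params

def normalize(unc):
    """Lower-cased UNC components. %N is folded into %L and %u into %U,
    which is a simplification made by this lint, not Samba semantics."""
    parts = [p.lower() for p in unc.replace("/", "\\").split("\\") if p]
    return ["%l" if p == "%n" else p for p in parts]

def audit(conf_text):
    """Return a list of (code, message) findings for the profile settings."""
    g = parse_global(conf_text)
    path, home = g.get("logon path"), g.get("logon home")
    if path == "" and home == "":
        return [("LOCAL_ONLY", "both parameters are explicitly empty: "
                 "all clients are forced to local profiles")]
    findings = []
    if path is None:
        findings.append(("PATH_UNSET_DEFAULT", "logon path is not assigned, "
                         "so the default " + DEFAULT_LOGON_PATH + " applies"))
        path = DEFAULT_LOGON_PATH
    elif path == "":
        findings.append(("PATH_EMPTY", "logon path is empty but logon home "
                         "is not: Windows 9x/Me clients are not forced local"))
    if home == "":
        findings.append(("HOME_EMPTY", "logon home is empty but logon path "
                         "is not: NT4/200x clients are not forced local"))
    p = normalize(path) if path else []
    h = normalize(home) if home else []
    if len(p) >= 2 and p[1] in ("%u", "homes"):
        findings.append(("PATH_ON_HOMES", "logon path uses the homes "
                         "metaservice; the chapter recommends a separate share"))
    if p and p == h:
        findings.append(("SAME_LOCATION", "logon home and logon path are the "
                         "same directory: 9x/Me and NT profiles would mix"))
    return findings

def codes(conf_text):
    return [code for code, _ in audit(conf_text)]

# Constructed sample configurations (not taken from a real server).
SAMPLE_MIXED = r"""
[global]
    logon home = \\%L\%U\.profiles
    logon path = \\%L\profiles\%U
"""
SAMPLE_LOCAL_ONLY = """
[global]
    logon home =
    logon path =
"""
SAMPLE_DEFAULT_PATH = r"""
[global]
    ; logon path deliberately left out
    logon home = \\%L\%U\.profiles
"""
SAMPLE_SHARED_DIR = r"""
[global]
    logon home = \\%L\%U\profile
    logon path = \\%L\%U\profile
"""

if __name__ == "__main__":
    for label, text in [("mixed", SAMPLE_MIXED), ("local only", SAMPLE_LOCAL_ONLY),
                        ("default path", SAMPLE_DEFAULT_PATH),
                        ("shared dir", SAMPLE_SHARED_DIR)]:
        print(label, codes(text) or "no findings")
```

Leaving a parameter out is not the same as assigning it the empty value: the third sample still roams through the default path on the homes share.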
| 242 | <sect2> | 
|---|
| 243 | <title>Windows Client Profile Configuration Information</title> | 
|---|
| 244 |  | 
|---|
| 245 | <sect3> | 
|---|
| 246 | <title>Windows 9x/Me Profile Setup</title> | 
|---|
| 247 |  | 
|---|
| 248 | <para> | 
|---|
| 249 | When a user first logs in on Windows 9x, the file user.DAT is created, as are folders <filename>Start | 
|---|
| 250 | Menu</filename>, <filename>Desktop</filename>, <filename>Programs</filename>, and | 
|---|
| 251 | <filename>Nethood</filename>. These directories and their contents will be merged with the local versions | 
|---|
| 252 | stored in <filename>c:\windows\profiles\username</filename> on subsequent logins, taking the most recent from | 
|---|
| 253 | each.   You will need to use the <smbconfsection name="[global]"/> options <smbconfoption name="preserve | 
|---|
| 254 | case">yes</smbconfoption>, <smbconfoption name="short preserve case">yes</smbconfoption>, and <smbconfoption | 
|---|
| 255 | name="case sensitive">no</smbconfoption> in order to maintain capital letters in shortcuts in any of the | 
|---|
| 256 | profile folders. | 
|---|
| 257 | </para> | 
|---|
| 258 |  | 
|---|
| 259 | <para> | 
|---|
| 260 | <indexterm><primary>user.DAT</primary></indexterm> | 
|---|
| 261 | <indexterm><primary>user.MAN</primary></indexterm> | 
|---|
| 262 | The <filename>user.DAT</filename> file contains all the user's preferences. If you wish to enforce a set of preferences, | 
|---|
| 263 | rename their <filename>user.DAT</filename> file to <filename>user.MAN</filename>, and deny them write access to this file. | 
|---|
| 264 | </para> | 
|---|
| 265 |  | 
|---|
| 266 | <orderedlist> | 
|---|
| 267 | <listitem> <para> | 
|---|
| 268 | On the Windows 9x/Me machine, go to <guimenu>Control Panel</guimenu> -> | 
|---|
| 269 | <guimenuitem>Passwords</guimenuitem> and select the <guilabel>User Profiles</guilabel> tab. | 
|---|
| 270 | Select the required level of roaming preferences. Press <guibutton>OK</guibutton>, but do not | 
|---|
| 271 | allow the computer to reboot. | 
|---|
| 272 | </para> </listitem> | 
|---|
| 273 |  | 
|---|
| 274 | <listitem> <para> | 
|---|
| 275 | On the Windows 9x/Me machine, go to <guimenu>Control Panel</guimenu> -> | 
|---|
| 276 | <guimenuitem>Network</guimenuitem> -> <guimenuitem>Client for Microsoft Networks</guimenuitem> | 
|---|
| 277 | -> <guilabel>Preferences</guilabel>. Select <guilabel>Log on to NT Domain</guilabel>.   Then, | 
|---|
| 278 | ensure that the Primary Logon is <guilabel>Client for Microsoft Networks</guilabel>. Press | 
|---|
| 279 | <guibutton>OK</guibutton>, and this time allow the computer to reboot. | 
|---|
| 280 | </para> </listitem> | 
|---|
| 281 | </orderedlist> | 
|---|
| 282 |  | 
|---|
| 283 | <para> | 
|---|
| 284 | <indexterm><primary>Primary Logon</primary></indexterm> | 
|---|
| 285 | <indexterm><primary>Client for Novell Networks</primary></indexterm> | 
|---|
| 286 | <indexterm><primary>Novell</primary></indexterm> | 
|---|
| 287 | <indexterm><primary>Windows Logon</primary></indexterm> | 
|---|
| 288 | Under Windows 9x/Me, profiles are downloaded from the Primary Logon. If you have the Primary Logon | 
|---|
| 289 | as <quote>Client for Novell Networks</quote>, then the profiles and logon script will be downloaded from | 
|---|
| 290 | your Novell server. If you have the Primary Logon as <quote>Windows Logon</quote>, then the profiles will | 
|---|
| 291 | be loaded from the local machine &smbmdash; a bit against the concept of roaming profiles, it would seem! | 
|---|
| 292 | </para> | 
|---|
| 293 |  | 
|---|
| 294 | <para> | 
|---|
| 295 | <indexterm><primary>domain logon server</primary></indexterm> | 
|---|
| 296 | You will now find that the Microsoft Networks Login box contains <constant>[user, password, domain]</constant> instead | 
|---|
| 297 | of just <constant>[user, password]</constant>. Type in the Samba server's domain name (or any other domain known to exist, | 
|---|
| 298 | but bear in mind that the user will be authenticated against this domain and profiles downloaded from it | 
|---|
| 299 | if that domain logon server supports it), user name and user's password. | 
|---|
| 300 | </para> | 
|---|
| 301 |  | 
|---|
| 302 | <para> | 
|---|
| 303 | Once the user has been successfully validated, the Windows 9x/Me machine informs you that | 
|---|
| 304 | <computeroutput>The user has not logged on before</computeroutput> and asks <computeroutput>Do you | 
|---|
| 305 | wish to save the user's preferences?</computeroutput> Select <guibutton>Yes</guibutton>. | 
|---|
| 306 | </para> | 
|---|
| 307 |  | 
|---|
| 308 | <para> | 
|---|
| 309 | Once the Windows 9x/Me client comes up with the desktop, you should be able to examine the | 
|---|
| 310 | contents of the directory specified in the <smbconfoption name="logon path"/> on | 
|---|
| 311 | the Samba server and verify that the <filename>Desktop</filename>, <filename>Start Menu</filename>, | 
|---|
| 312 | <filename>Programs</filename>, and <filename>Nethood</filename> folders have been created. | 
|---|
| 313 | </para> | 
|---|
| 314 |  | 
|---|
| 315 | <para> | 
|---|
| 316 | <indexterm><primary>cached locally</primary></indexterm> | 
|---|
| 317 | <indexterm><primary>shortcuts</primary></indexterm> | 
|---|
| 318 | <indexterm><primary>profile directory</primary></indexterm> | 
|---|
| 319 | These folders will be cached locally on the client and updated when the user logs off (if | 
|---|
| 320 | you haven't made them read-only by then). You will find that if the user creates further folders or | 
|---|
| 321 | shortcuts, the client will merge the profile contents downloaded with the contents of the profile | 
|---|
| 322 | directory already on the local client, taking the newest folders and shortcuts from each set. | 
|---|
| 323 | </para> | 
|---|
| 324 |  | 
|---|
| 325 | <para> | 
|---|
| 326 | <indexterm><primary>local profile</primary></indexterm> | 
|---|
| 327 | <indexterm><primary>remote profile</primary></indexterm> | 
|---|
| 328 | <indexterm><primary>ownership rights</primary></indexterm> | 
|---|
| 329 | <indexterm><primary>profile directory</primary></indexterm> | 
|---|
| 330 | If you have made the folders/files read-only on the Samba server, then you will get errors from | 
|---|
| 331 | the Windows 9x/Me machine on logon and logout as it attempts to merge the local and remote profile. | 
|---|
| 332 | Basically, if you have any errors reported by the Windows 9x/Me machine, check the UNIX file permissions | 
|---|
| 333 | and ownership rights on the profile directory contents, on the Samba server. | 
|---|
| 334 | </para> | 
|---|
| 335 |  | 
|---|
| 336 | <para> | 
|---|
| 337 | <indexterm><primary>windows registry settings</primary></indexterm> | 
|---|
| 338 | <indexterm><primary>profile path</primary></indexterm> | 
|---|
| 339 | <indexterm><primary>user profiles</primary></indexterm> | 
|---|
| 340 | <indexterm><primary>desktop cache</primary></indexterm> | 
|---|
| 341 | <indexterm><primary>windows registry settings</primary><secondary>profile path</secondary></indexterm> | 
|---|
| 342 | If you have problems creating user profiles, you can reset the user's local desktop cache, as shown below. | 
|---|
| 343 | When this user next logs in, the user will be told that he/she is logging in <quote>for the first | 
|---|
| 344 | time</quote>. | 
|---|
| 345 | </para> | 
|---|
| 346 |  | 
|---|
| 347 |  | 
|---|
| 348 | <orderedlist> | 
|---|
| 349 | <listitem><para> | 
|---|
| 350 | Instead of logging in under the [user, password, domain] dialog, press <guibutton>escape</guibutton>. | 
|---|
| 351 | </para> </listitem> | 
|---|
| 352 |  | 
|---|
| 353 | <listitem><para> | 
|---|
| 354 | Run the <command>regedit.exe</command> program, and look in: | 
|---|
| 355 | </para> | 
|---|
| 356 |  | 
|---|
| 357 | <para> | 
|---|
| 358 | <filename>HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</filename> | 
|---|
| 359 | </para> | 
|---|
| 360 |  | 
|---|
| 361 | <para> | 
|---|
| 362 | You will find a ProfilePath entry for each user. Note the contents of this key | 
|---|
| 363 | (likely to be <filename>c:\windows\profiles\username</filename>), then delete the key | 
|---|
| 364 | <parameter>ProfilePath</parameter> for the required user. | 
|---|
| 365 | </para></listitem> | 
|---|
| 366 |  | 
|---|
| 367 | <listitem><para> | 
|---|
| 368 | Exit the registry editor. | 
|---|
| 369 | </para></listitem> | 
|---|
| 370 |  | 
|---|
| 371 | <listitem><para> | 
|---|
| 372 | Search for the user's .PWL password-caching file in the <filename>c:\windows</filename> directory, and delete it. | 
|---|
| 373 | </para></listitem> | 
|---|
| 374 |  | 
|---|
| 375 | <listitem><para> | 
|---|
| 376 | Log off the Windows 9x/Me client. | 
|---|
| 377 | </para></listitem> | 
|---|
| 378 |  | 
|---|
| 379 | <listitem><para> | 
|---|
| 380 | Check the contents of the profile path (see <smbconfoption name="logon path"/> | 
|---|
| 381 | described above) and delete the <filename>user.DAT</filename> or <filename>user.MAN</filename> | 
|---|
| 382 | file for the user, making a backup if required. | 
|---|
| 383 | </para></listitem> | 
|---|
| 384 | </orderedlist> | 
|---|
| 385 |  | 
|---|
| 386 | <warning><para> | 
|---|
| 387 | <indexterm><primary>ProfilePath</primary></indexterm> | 
|---|
| 388 | Before deleting the contents of the directory listed in the <parameter>ProfilePath</parameter> | 
|---|
| 389 | (this is likely to be <filename>c:\windows\profiles\username</filename>), ask whether the owner has | 
|---|
| 390 | any important files stored on his or her desktop or start menu. Delete the contents of the | 
|---|
| 391 | directory <parameter>ProfilePath</parameter> (making a backup if any of the files are needed). | 
|---|
| 392 | </para> | 
|---|
| 393 |  | 
|---|
| 394 | <para> | 
|---|
| 395 | This will have the effect of removing the local (read-only hidden system file) <filename>user.DAT</filename> | 
|---|
| 396 | in their profile directory, as well as the local <quote>desktop,</quote> <quote>nethood,</quote> | 
|---|
| 397 | <quote>start menu,</quote> and <quote>programs</quote> folders. | 
|---|
| 398 | </para></warning> | 
|---|
| 399 |  | 
|---|
| 400 | <para> | 
|---|
| 401 | <indexterm><primary>log level</primary></indexterm> | 
|---|
| 402 | <indexterm><primary>packet sniffer</primary></indexterm> | 
|---|
| 403 | <indexterm><primary>ethereal</primary></indexterm> | 
|---|
| 404 | <indexterm><primary>netmon.exe</primary></indexterm> | 
|---|
| 405 | If all else fails, increase Samba's debug log levels to between 3 and 10, and/or run a packet | 
|---|
| 406 | sniffer program such as ethereal or <command>netmon.exe</command>, and look for error messages. | 
|---|
| 407 | </para> | 
|---|
| 408 |  | 
|---|
| 409 | <para> | 
|---|
| 410 | <indexterm><primary>roaming profiles</primary></indexterm> | 
|---|
| 411 | <indexterm><primary>packet trace</primary></indexterm> | 
|---|
| 412 | If you have access to a Windows NT4/200x server, then first set up roaming profiles and/or | 
|---|
| 413 | netlogons on the Windows NT4/200x server. Make a packet trace, or examine the example packet traces | 
|---|
| 414 | provided with Windows NT4/200x server, and see what the differences are with the equivalent Samba trace. | 
|---|
| 415 | </para> | 
|---|
| 416 |  | 
|---|
| 417 | </sect3> | 
|---|
| 418 |  | 
|---|
| 419 | <sect3> | 
|---|
| 420 | <title>Windows NT4 Workstation</title> | 
|---|
| 421 |  | 
|---|
| 422 | <para> | 
|---|
| 423 | When a user first logs in to a Windows NT workstation, the profile NTuser.DAT is created. The profile | 
|---|
| 424 | location can now be specified through the <smbconfoption name="logon path"/> parameter. | 
|---|
| 425 | </para> | 
|---|
| 426 |  | 
|---|
| 427 | <para> | 
|---|
| 428 | There is a parameter that is now available for use with NT Profiles: <smbconfoption name="logon drive"/>. | 
|---|
| 429 | This should be set to <filename>H:</filename> or any other drive, and should be used in conjunction with | 
|---|
| 430 | the new <smbconfoption name="logon home"/> parameter. | 
|---|
| 431 | </para> | 
|---|
| 432 |  | 
|---|
| 433 | <para> | 
|---|
| 434 | <indexterm><primary>.PDS extension</primary></indexterm> | 
|---|
| 435 | <indexterm><primary>profile path</primary></indexterm> | 
|---|
| 436 | The entry for the NT4 profile is a directory, not a file. The NT help on profiles mentions that a | 
|---|
| 437 | directory is also created with a .PDS extension. The user, while logging in, must have write permission | 
|---|
| 438 | to create the full profile path (and the folder with the .PDS extension for those situations where it | 
|---|
| 439 | might be created). | 
|---|
| 440 | </para> | 
|---|
| 441 |  | 
|---|
| 442 | <para> | 
|---|
| 443 | <indexterm><primary>NTuser.DAT</primary></indexterm> | 
|---|
| 444 | In the profile directory, Windows NT4 creates more folders than Windows 9x/Me. It creates | 
|---|
| 445 | <filename>Application Data</filename> and others, as well as <filename>Desktop</filename>, | 
|---|
| 446 | <filename>Nethood</filename>, <filename>Start Menu,</filename> and <filename>Programs</filename>. | 
|---|
| 447 | The profile itself is stored in a file <filename>NTuser.DAT</filename>. Nothing appears to be stored | 
|---|
| 448 | in the .PDS directory, and its purpose is currently unknown. | 
|---|
| 449 | </para> | 
|---|
| 450 |  | 
|---|
| 451 | <para> | 
|---|
| 452 | <indexterm><primary>NTuser.DAT</primary></indexterm> | 
|---|
| 453 | <indexterm><primary>NTuser.MAN</primary></indexterm> | 
|---|
| 454 | You can use the <application>System Control Panel</application> to copy a local profile onto | 
|---|
| 455 | a Samba server (see NT help on profiles; it is also capable of firing up the correct location in the | 
|---|
| 456 | <application>System Control Panel</application> for you). The NT help file also mentions that renaming | 
|---|
| 457 | <filename>NTuser.DAT</filename> to <filename>NTuser.MAN</filename> turns a profile into a mandatory one. | 
|---|
| 458 | </para> | 
|---|
| 459 |  | 
|---|
| 460 | <para> | 
|---|
| 461 | The case of the profile is significant. The file must be called <filename>NTuser.DAT</filename> | 
|---|
| 462 | or, for a mandatory profile, <filename>NTuser.MAN</filename>. | 
|---|
| 463 | </para> | 
|---|
| 464 |  | 
|---|
| 465 | </sect3> | 
|---|
| 466 |  | 
|---|
| 467 | <sect3> | 
|---|
| 468 | <title>Windows 2000/XP Professional</title> | 
|---|
| 469 |  | 
|---|
| 470 | <para> | 
|---|
| 471 | You must first convert the profile from a local profile to a domain profile on the MS Windows | 
|---|
| 472 | workstation as follows: </para> | 
|---|
| 473 |  | 
|---|
| 474 | <procedure> | 
|---|
| 475 | <step><para> Log on as the <emphasis>local</emphasis> workstation administrator. </para></step> | 
|---|
| 476 |  | 
|---|
| 477 | <step><para> Right-click on the <guiicon>My Computer</guiicon> icon, and select | 
|---|
| 478 | <guimenuitem>Properties</guimenuitem>.</para></step> | 
|---|
| 479 |  | 
|---|
| 480 | <step><para> Click on the <guilabel>User Profiles</guilabel> tab.</para></step> | 
|---|
| 481 |  | 
|---|
| 482 | <step><para> Select the profile you wish to convert (click it once).</para></step> | 
|---|
| 483 |  | 
|---|
| 484 | <step><para> Click on the <guibutton>Copy To</guibutton> button.</para></step> | 
|---|
| 485 |  | 
|---|
| 486 | <step><para> In the <guilabel>Permitted to use</guilabel> box, click on the | 
|---|
| 487 | <guibutton>Change</guibutton> button. </para></step> | 
|---|
| 488 |  | 
|---|
| 489 | <step><para> Click on the <guilabel>Look in</guilabel> area that lists the machine name. When you click here, it will | 
|---|
| 490 | open up a selection box. Click on the domain to which the profile must be accessible. </para> | 
|---|
| 491 |  | 
|---|
| 492 | <note><para>You will need to log on if a logon box opens up. | 
|---|
| 493 | For example, connect as <replaceable>DOMAIN</replaceable>\root, password: | 
|---|
| 494 | <replaceable>mypassword</replaceable>.</para></note> </step> | 
|---|
| 495 |  | 
|---|
| 496 | <step><para> To make the profile capable of being used by anyone, select <quote>Everyone</quote>. </para></step> | 
|---|
| 497 |  | 
|---|
| 498 | <step><para> Click on <guibutton>OK</guibutton> and the Selection box will close. </para></step> | 
|---|
| 499 |  | 
|---|
| 500 | <step><para> Now click on <guibutton>OK</guibutton> to create the profile in the path | 
|---|
| 501 | you nominated.  </para></step> | 
|---|
| 502 | </procedure> | 
|---|
| 503 |  | 
|---|
| 504 | <para> | 
|---|
| 505 | Done. You now have a profile that can be edited using the Samba <command>profiles</command> tool. | 
|---|
| 506 | </para> | 
|---|
| 507 |  | 
|---|
| 508 | <note><para> | 
|---|
| 509 | Under Windows NT/200x, the use of mandatory profiles forces the use of MS Exchange storage of mail | 
|---|
| 510 | data and keeps it out of the desktop profile. That keeps desktop profiles from becoming unusable. | 
|---|
| 511 | </para></note> | 
|---|
| 512 |  | 
|---|
| 513 | <sect4> | 
|---|
| 514 | <title>Windows XP Service Pack 1</title> | 
|---|
| 515 | <para> | 
|---|
| 516 | There is a security check new to Windows XP (or maybe only Windows XP Service Pack 1). | 
|---|
| 517 | It can be disabled via a group policy in the Active Directory. The policy is called: | 
|---|
| 518 | <screen> | 
|---|
| 519 | Computer Configuration\Administrative Templates\System\User Profiles\ | 
|---|
| 520 | Do not check for user ownership of Roaming Profile Folders | 
|---|
| 521 | </screen> | 
|---|
| 522 | </para> | 
|---|
| 523 |  | 
|---|
| 524 | <para> | 
|---|
| 525 | This should be set to <constant>Enabled</constant>. | 
|---|
| 526 | </para> | 
|---|
| 527 |  | 
|---|
| 528 | <para> | 
|---|
| 529 | Does the new version of Samba have an Active Directory analogue?  If so, then you may be able to set the policy through this. | 
|---|
| 530 | </para> | 
|---|
| 531 |  | 
|---|
| 532 | <para>If you cannot set group policies in Samba, then you may be able to set the policy locally on | 
|---|
| 533 | each machine. If you want to try this, then do the following: | 
|---|
| 534 | </para> | 
|---|
| 535 |  | 
|---|
| 536 |  | 
|---|
| 537 | <procedure> | 
|---|
| 538 | <step><para>On the XP workstation, log in with an administrative account.</para></step> | 
|---|
| 539 |  | 
|---|
| 540 | <step><para>Click on <guimenu>Start</guimenu> -> <guimenuitem>Run</guimenuitem>.</para></step> | 
|---|
| 541 | <step><para>Type <command>mmc</command>.</para></step> | 
|---|
| 542 | <step><para>Click on <guibutton>OK</guibutton>.</para></step> | 
|---|
| 543 | <step><para>A Microsoft Management Console should appear.</para></step> | 
|---|
| 544 | <step><para>Click on <guimenu>File</guimenu> -> <guimenuitem>Add/Remove Snap-in</guimenuitem> -> <guimenuitem>Add</guimenuitem>.</para></step> | 
|---|
| 545 | <step><para>Double-click on <guiicon>Group Policy</guiicon>.</para></step> | 
|---|
| 546 | <step><para>Click on <guibutton>Finish</guibutton> -> <guibutton>Close</guibutton>.</para></step> | 
|---|
| 547 | <step><para>Click on <guibutton>OK</guibutton>.</para></step> | 
|---|
| 548 | <step><para>In the <quote>Console Root</quote> window expand <guiicon>Local Computer Policy</guiicon> -> | 
|---|
| 549 | <guiicon>Computer Configuration</guiicon> -> <guiicon>Administrative Templates</guiicon> -> | 
|---|
| 550 | <guiicon>System</guiicon> -> <guiicon>User Profiles</guiicon>.</para></step> | 
|---|
| 551 | <step><para>Double-click on <guilabel>Do not check for user ownership of Roaming Profile Folders</guilabel>.</para></step> | 
|---|
| 552 | <step><para>Select <guilabel>Enabled</guilabel>.</para></step> | 
|---|
| 553 | <step><para>Click on <guibutton>OK</guibutton>.</para></step> | 
|---|
| 554 | <step><para>Close the whole console. You do not need to save the settings (this refers to the | 
|---|
| 555 | console settings rather than the policies you have changed).</para></step> | 
|---|
| 556 | <step><para>Reboot.</para></step> | 
|---|
| 557 | </procedure> | 
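<para>With this policy enabled the client no longer verifies who owns a roaming profile folder, so the equivalent check is worth running on the server. The following is an added example, not part of the original chapter or of Samba: a shell function that audits the profile root on the UNIX side. It assumes one directory per user, named after the user, directly under the root; the sample tree and the names in it are constructed.</para>

```shell
#!/bin/sh
# Added example (not from the Samba chapter): server-side counterpart of the
# ownership check that the XP policy switches off on the client.
# Assumed layout: <root>/<username>, one directory per user.

# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_profile_dirs() {
    root=$1
    rc=0
    for dir in "$root"/*; do
        name=${dir##*/}

        # A symlink lets whoever controls the link decide where the profile
        # is read from and written to, so report it and do not follow it.
        if [ -L "$dir" ]; then
            printf 'SYMLINK %s\n' "$name"
            rc=1
            continue
        fi
        [ -d "$dir" ] || continue      # plain files, or an unmatched glob

        # Fields 1 and 3 of "ls -ld" are the mode string and the owner. Both
        # come before the file name, so names containing spaces are harmless.
        perms=$(ls -ld -- "$dir" | awk '{print $1}')
        owner=$(ls -ld -- "$dir" | awk '{print $3}')

        # The directory name is the user the profile belongs to.
        if [ "$owner" != "$name" ]; then
            printf 'OWNER_MISMATCH %s owner=%s\n' "$name" "$owner"
            rc=1
        fi

        # Mode string: file type, then rwx for user, group and other.
        # Character 6 is group write, character 9 is other write.
        case $perms in
            ?????w*|????????w*)
                printf 'LOOSE_MODE %s mode=%s\n' "$name" "$perms"
                rc=1
                ;;
        esac
    done
    return $rc
}

# Constructed sample tree for a dry run; every name in it is made up.
# Prints the path of the temporary root it created.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    me=$(id -un 2>/dev/null || id -u)
    mkdir "$t/$me" "$t/constructed-user"
    chmod 0770 "$t/$me"                # right owner, but group-writable
    chmod 0700 "$t/constructed-user"   # tight mode, but owned by the caller
    ln -s /tmp "$t/linked-profile"     # profile directory replaced by a link
    printf '%s\n' "$t"
}

# Stand-alone use: pass the directory that "logon path" resolves to.
if [ $# -gt 0 ]; then
    audit_profile_dirs "$1"
fi
```

<para>Run it as an account that can read the whole profile root; the non-zero exit status on findings makes it usable from a scheduled job.</para>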
|---|
| 558 | </sect4> | 
|---|
| 559 | </sect3> | 
|---|
| 560 | </sect2> | 
|---|
| 561 |  | 
|---|
| 562 | <sect2> | 
|---|
| 563 | <title>User Profile Hive Cleanup Service</title> | 
|---|
| 564 |  | 
|---|
| 565 | <para> | 
|---|
| 566 | There are certain situations that cause a cached local copy of a roaming profile not to be deleted on exit, even if | 
|---|
| 567 | the policy to force such deletion is set. To deal with that situation, a special service was created. The application | 
|---|
| 568 | <command>UPHClean</command> (User Profile Hive Cleanup) can be installed as a service on Windows NT4/2000/XP Professional | 
|---|
| 569 | and Windows 2003. | 
|---|
| 570 | </para> | 
|---|
| 571 |  | 
|---|
| 572 | <para> | 
|---|
| 573 | The UPHClean software package can be downloaded from the User Profile Hive Cleanup | 
|---|
| 574 | Service<footnote>http://www.microsoft.com/downloads/details.aspx?FamilyID=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en</footnote> | 
|---|
| 575 | web site. | 
|---|
| 576 | </para> | 
|---|
| 577 |  | 
|---|
| 578 | </sect2> | 
|---|
| 579 |  | 
|---|
| 580 | <sect2> | 
|---|
| 581 | <title>Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</title> | 
|---|
| 582 |  | 
|---|
| 583 | <para> | 
|---|
| 584 | <indexterm><primary>profile sharing</primary></indexterm> | 
|---|
| 585 | <indexterm><primary>profile contents</primary></indexterm> | 
|---|
| 586 | Sharing of desktop profiles between Windows versions is not recommended. Desktop profiles are an | 
|---|
| 587 | evolving phenomenon, and profiles for later versions of MS Windows clients add features that may interfere | 
|---|
| 588 | with earlier versions of MS Windows clients. Probably the more salient reason to not mix profiles is | 
|---|
| 589 | that when logging off an earlier version of MS Windows, the older format of profile contents may overwrite | 
|---|
| 590 | information that belongs to the newer version, resulting in loss of profile information content when that | 
|---|
| 591 | user logs on again with the newer version of MS Windows. | 
|---|
| 592 | </para> | 
|---|
| 593 |  | 
|---|
| 594 | <para> | 
|---|
| 595 | If you then want to share the same Start Menu and Desktop with Windows 9x/Me, you must specify a common | 
|---|
| 596 | location for the profiles. The &smb.conf; parameters that need to be common are | 
|---|
| 597 | <smbconfoption name="logon path"/> and <smbconfoption name="logon home"/>. | 
|---|
| 598 | </para> | 
|---|
| 599 |  | 
|---|
| 600 | <para> | 
|---|
| 601 | <indexterm><primary>user.DAT</primary></indexterm> | 
|---|
| 602 | <indexterm><primary>NTuser.DAT</primary></indexterm> | 
|---|
| 603 | If you have this set up correctly, you will find separate <filename>user.DAT</filename> and | 
|---|
| 604 | <filename>NTuser.DAT</filename> files in the same profile directory. | 
|---|
| 605 | </para> | 
|---|
| 606 |  | 
|---|
| 607 | </sect2> | 
|---|
| 608 |  | 
|---|
| 609 | <sect2> | 
|---|
| 610 | <title>Profile Migration from Windows NT4/200x Server to Samba</title> | 
|---|
| 611 |  | 
|---|
| 612 | <para> | 
|---|
| 613 | <indexterm><primary>encrypted passwords</primary></indexterm> | 
|---|
| 614 | There is nothing to stop you from specifying any path that you like for the location of users' profiles. | 
|---|
| 615 | Therefore, you could specify that the profile be stored on a Samba server or any other SMB server, | 
|---|
| 616 | as long as that SMB server supports encrypted passwords. | 
|---|
| 617 | </para> | 
|---|
| 618 |  | 
|---|
| 619 | <sect3 id="profilemigrn"> | 
|---|
| 620 | <title>Windows NT4 Profile Management Tools</title> | 
|---|
| 621 |  | 
|---|
| 622 | <para> | 
|---|
| 623 | <indexterm><primary>resource kit</primary></indexterm> | 
|---|
| 624 | Unfortunately, the resource kit information is specific to the version of MS Windows NT4/200x. The | 
|---|
| 625 | correct resource kit is required for each platform. | 
|---|
| 626 | </para> | 
|---|
| 627 |  | 
|---|
| 628 | <para>Here is a quick guide:</para> | 
|---|
| 629 |  | 
|---|
| 630 | <procedure> | 
|---|
| 631 | <title>Profile Migration Procedure</title> | 
|---|
| 632 |  | 
|---|
| 633 | <step><para> On your NT4 domain controller, right-click on <guiicon>My Computer</guiicon>, then select | 
|---|
| 634 | <guilabel>Properties</guilabel>, then the tab labeled <guilabel>User Profiles</guilabel>. </para></step> | 
|---|
| 635 |  | 
|---|
| 636 | <step><para> Select a user profile you want to migrate and click on it. </para> | 
|---|
| 637 |  | 
|---|
| 638 | <note><para>I am using the term <quote>migrate</quote> loosely. You can copy a profile to create a group | 
|---|
| 639 | profile. You can give the user <parameter>Everyone</parameter> rights to the profile you copy this to. That | 
|---|
| 640 | is what you need to do, since your Samba domain is not a member of a trust relationship with your NT4 | 
|---|
| 641 | PDC.</para></note></step> | 
|---|
| 642 |  | 
|---|
| 643 | <step><para>Click on the <guibutton>Copy To</guibutton> button.</para></step> | 
|---|
| 644 |  | 
|---|
| 645 | <step><para>In the box labeled <guilabel>Copy Profile to</guilabel> add your new path, such as | 
|---|
| 646 | <filename>c:\temp\foobar</filename>.</para></step> | 
|---|
| 647 |  | 
|---|
| 648 | <step><para>Click on <guibutton>Change</guibutton> in the <guilabel>Permitted to use</guilabel> box.</para></step> | 
|---|
| 649 |  | 
|---|
| 650 | <step><para>Click on the group <quote>Everyone</quote>, click on <guibutton>OK</guibutton>. This | 
|---|
| 651 | closes the <quote>choose user</quote> box.</para></step> | 
|---|
| 652 |  | 
|---|
| 653 | <step><para>Now click on <guibutton>OK</guibutton>.</para></step> | 
|---|
| 654 | </procedure> | 
|---|
| 655 |  | 
|---|
| 656 | <para> | 
|---|
| 657 | Follow these steps for every profile you need to migrate. | 
|---|
| 658 | </para> | 
|---|
| 659 |  | 
|---|
| 660 | </sect3> | 
|---|
| 661 |  | 
|---|
| 662 | <sect3> | 
|---|
| 663 | <title>Side Bar Notes</title> | 
|---|
| 664 |  | 
|---|
| 665 |  | 
|---|
| 666 | <para> | 
|---|
| 667 | <indexterm><primary>SID</primary></indexterm> | 
|---|
| 668 | <indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>info</tertiary></indexterm> | 
|---|
| 669 | You should obtain the SID of your NT4 domain. You can use the <command>net rpc info</command> command to do this. | 
|---|
| 670 | See <link linkend="NetCommand">The Net Command Chapter</link>, <link linkend="netmisc1">Other Miscellaneous Operations</link> for more information. | 
|---|
| 671 | </para> | 
|---|
| 672 |  | 
|---|
| 673 | </sect3> | 
|---|
| 674 |  | 
|---|
| 675 | <sect3> | 
|---|
| 676 | <title>moveuser.exe</title> | 
|---|
| 677 |  | 
|---|
| 678 | <para> | 
|---|
| 679 | <indexterm><primary>moveuser.exe</primary></indexterm> | 
|---|
| 680 | The Windows 200x professional resource kit has <command>moveuser.exe</command>. | 
|---|
| 681 | <command>moveuser.exe</command> changes the security of a profile from one user to another. This allows the | 
|---|
| 682 | account domain to change and/or the username to change. | 
|---|
| 683 | </para> | 
|---|
| 684 |  | 
|---|
| 685 | <para> | 
|---|
| 686 | This command is like the Samba <command>profiles</command> tool. | 
|---|
| 687 | </para> | 
|---|
| 688 |  | 
|---|
| 689 | </sect3> | 
|---|
| 690 |  | 
|---|
| 691 | <sect3> | 
|---|
| 692 | <title>Get SID</title> | 
|---|
| 693 |  | 
|---|
| 694 | <para> | 
|---|
| 695 | <indexterm><primary>SID</primary></indexterm> | 
|---|
| 696 | <indexterm><primary>GetSID.exe</primary></indexterm> | 
|---|
| 697 | You can identify the SID by using <command>GetSID.exe</command> from the Windows NT Server 4.0 Resource Kit. | 
|---|
| 698 | </para> | 
|---|
| 699 |  | 
|---|
| 700 | <para> | 
|---|
| 701 | Windows NT 4.0 stores the local profile information in the registry under the following key: | 
|---|
| 702 | <filename>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</filename> | 
|---|
| 703 | </para> | 
|---|
| 704 |  | 
|---|
| 705 | <para> | 
|---|
| 706 | Under the ProfileList key, there will be subkeys named with the SIDs of the users who have logged | 
|---|
| 707 | on to this computer. (To find the profile information for the user whose locally cached profile you want | 
|---|
| 708 | to move, find the SID for the user with the <command>GetSID.exe</command> utility.) Inside the appropriate user's subkey, | 
|---|
| 709 | you will see a string value named <parameter>ProfileImagePath</parameter>. | 
|---|
| 710 | </para> | 
|---|
| 711 |  | 
|---|
| 712 | </sect3> | 
|---|
| 713 | </sect2> | 
|---|
| 714 | </sect1> | 
|---|
| 715 |  | 
|---|
| 716 | <sect1> | 
|---|
| 717 | <title>Mandatory Profiles</title> | 
|---|
| 718 |  | 
|---|
| 719 | <para> | 
|---|
| 720 | <indexterm><primary>mandatory profiles</primary></indexterm> | 
|---|
| 721 | A mandatory profile is a profile that the user does not have the ability to overwrite. During the | 
|---|
| 722 | user's session, it may be possible to change the desktop environment; however, as the user logs out, all changes | 
|---|
| 723 | made will be lost. If it is desired to not allow the user any ability to change the desktop environment, | 
|---|
| 724 | then this must be done through policy settings. See <link linkend="PolicyMgmt">System and Account | 
|---|
| 725 | Policies</link>. | 
|---|
| 726 | </para> | 
|---|
| 727 |  | 
|---|
| 728 | <note><para> | 
|---|
| 729 | <indexterm><primary>fake-permissions module</primary></indexterm> | 
|---|
| 730 | <indexterm><primary>VFS module</primary></indexterm> | 
|---|
| 731 | <indexterm><primary>fake_perms</primary></indexterm> | 
|---|
| 732 | Under NO circumstances should the profile directory (or its contents) be made read-only because this may | 
|---|
| 733 | render the profile unusable.  Where it is essential to make a profile read-only within the UNIX file system, | 
|---|
| 734 | this can be done, but then you absolutely must use the <command>fake-permissions</command> VFS module to | 
|---|
| 735 | instruct MS Windows NT/200x/XP clients that the Profile has write permission for the user.  See <link | 
|---|
| 736 | linkend="fakeperms">fake_perms VFS module</link>. | 
|---|
| 737 | </para></note> | 
|---|
| 738 |  | 
|---|
| 739 | <para> | 
|---|
| 740 | <indexterm><primary>NTUser.MAN</primary></indexterm> | 
|---|
| 741 | <indexterm><primary>NTUser.DAT</primary></indexterm> | 
|---|
| 742 | For MS Windows NT4/200x/XP, the procedure shown in <link linkend="profilemigrn">Profile Migration from Windows | 
|---|
| 743 | NT4/200x Server to Samba</link> can also be used to create mandatory profiles. To convert a group profile into | 
|---|
| 744 | a mandatory profile, simply locate the <filename>NTUser.DAT</filename> file in the copied profile and rename | 
|---|
| 745 | it to <filename>NTUser.MAN</filename>. | 
|---|
| 746 | </para> | 
|---|
| 747 |  | 
|---|
| 748 | <para> | 
|---|
| 749 | <indexterm><primary>User.MAN</primary></indexterm> | 
|---|
| 750 | For MS Windows 9x/Me, it is the <filename>User.DAT</filename> file that must be renamed to | 
|---|
| 751 | <filename>User.MAN</filename> to effect a mandatory profile. | 
|---|
| 752 | </para> | 
|---|
| 753 |  | 
|---|
| 754 | </sect1> | 
|---|
| 755 |  | 
|---|
| 756 | <sect1> | 
|---|
| 757 | <title>Creating and Managing Group Profiles</title> | 
|---|
| 758 |  | 
|---|
| 759 | <para> | 
|---|
| 760 | <indexterm><primary>group profiles</primary></indexterm> | 
|---|
| 761 | <indexterm><primary>template</primary></indexterm> | 
|---|
| 762 | <indexterm><primary>profile migration tool</primary></indexterm> | 
|---|
| 763 | <indexterm><primary>profile access rights</primary></indexterm> | 
|---|
| 764 | Most organizations are arranged into departments. There is a nice benefit in this fact, since usually | 
|---|
| 765 | most users in a department require the same desktop applications and the same desktop layout. MS | 
|---|
| 766 | Windows NT4/200x/XP will allow the use of group profiles. A group profile is a profile that is created | 
|---|
| 767 | first using a template (example) user. Then using the profile migration tool (see above), the profile is | 
|---|
| 768 | assigned access rights for the user group that needs to be given access to the group profile. | 
|---|
| 769 | </para> | 
|---|
| 770 |  | 
|---|
| 771 | <para> | 
|---|
| 772 | <indexterm><primary>User Manager</primary></indexterm> | 
|---|
| 773 | The next step is rather important. Instead of assigning a group profile to users (using User Manager) | 
|---|
| 774 | on a <quote>per-user</quote> basis, the group itself is assigned the now modified profile. | 
|---|
| 775 | </para> | 
|---|
| 776 |  | 
|---|
| 777 | <note><para> | 
|---|
| 778 | Be careful with group profiles. If the user who is a member of a group also has a personal | 
|---|
| 779 | profile, then the result will be a fusion (merge) of the two. | 
|---|
| 780 | </para></note> | 
|---|
| 781 |  | 
|---|
| 782 | </sect1> | 
|---|
| 783 |  | 
|---|
| 784 | <sect1> | 
|---|
| 785 | <title>Default Profile for Windows Users</title> | 
|---|
| 786 |  | 
|---|
| 787 | <para> | 
|---|
| 788 | <indexterm><primary>default profile</primary></indexterm> | 
|---|
| 789 | <indexterm><primary>registry keys</primary></indexterm> | 
|---|
| 790 | MS Windows 9x/Me and NT4/200x/XP will use a default profile for any user for whom a profile | 
|---|
| 791 | does not already exist. Armed with a knowledge of where the default profile is located on the Windows | 
|---|
| 792 | workstation, and knowing which registry keys affect the path from which the default profile is created, | 
|---|
| 793 | it is possible to modify the default profile to one that has been optimized for the site. This has | 
|---|
| 794 | significant administrative advantages. | 
|---|
| 795 | </para> | 
|---|
| 796 |  | 
|---|
| 797 | <sect2> | 
|---|
| 798 | <title>MS Windows 9x/Me</title> | 
|---|
| 799 |  | 
|---|
| 800 | <para> | 
|---|
| 801 | <indexterm><primary>System Policy Editor</primary></indexterm> | 
|---|
| 802 | <indexterm><primary>registry</primary></indexterm> | 
|---|
| 803 | To enable default per-user profiles in Windows 9x/Me, you can either use the <application>Windows | 
|---|
| 804 | 98 System Policy Editor</application> or change the registry directly. | 
|---|
| 805 | </para> | 
|---|
| 806 |  | 
|---|
| 807 | <para> | 
|---|
| 808 | To enable default per-user profiles in Windows 9x/Me, launch the <application>System Policy | 
|---|
| 809 | Editor</application>, then select <guimenu>File</guimenu> -> <guimenuitem>Open Registry</guimenuitem>. | 
|---|
| 810 | Next click on the <guiicon>Local Computer</guiicon> icon, click on <guilabel>Windows 98 System</guilabel>, | 
|---|
| 811 | select <guilabel>User Profiles</guilabel>, and click on the enable box. Remember to save the registry | 
|---|
| 812 | changes. | 
|---|
| 813 | </para> | 
|---|
| 814 |  | 
|---|
| 815 | <para> | 
|---|
| 816 | <indexterm><primary>regedit.exe</primary></indexterm> | 
|---|
| 817 | To modify the registry directly, launch the <application>Registry Editor</application> | 
|---|
| 818 | (<command>regedit.exe</command>) and select the hive <filename>HKEY_LOCAL_MACHINE\Network\Logon</filename>. | 
|---|
| 819 | Now add a DWORD type key with the name <quote>User Profiles</quote>. To enable user profiles, set the value | 
|---|
| 820 | to 1; to disable user profiles, set it to 0. | 
|---|
| 821 | </para> | 
|---|
| 822 |  | 
|---|
| 823 | <sect3> | 
|---|
| 824 | <title>User Profile Handling with Windows 9x/Me</title> | 
|---|
| 825 |  | 
|---|
| 826 | <para> | 
|---|
| 827 | When a user logs on to a Windows 9x/Me machine, the local profile path, | 
|---|
| 828 | <filename>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</filename>, is checked | 
|---|
| 829 | for an existing entry for that user. | 
|---|
| 830 | </para> | 
|---|
| 831 |  | 
|---|
| 832 | <para> | 
|---|
| 833 | If the user has an entry in this registry location, Windows 9x/Me checks for a locally cached | 
|---|
| 834 | version of the user profile. Windows 9x/Me also checks the user's home directory (or other specified | 
|---|
| 835 | directory if the location has been modified) on the server for the user profile. If a profile exists | 
|---|
| 836 | in both locations, the newer of the two is used. If the user profile exists on the server but does not | 
|---|
| 837 | exist on the local machine, the profile on the server is downloaded and used. If the user profile only | 
|---|
| 838 | exists on the local machine, that copy is used. | 
|---|
| 839 | </para> | 
|---|
| 840 |  | 
|---|
| 841 | <para> | 
|---|
| 842 | If a user profile is not found in either location, the default user profile from the Windows | 
|---|
| 843 | 9x/Me machine is used and copied to a newly created folder for the logged on user. At log off, any | 
|---|
| 844 | changes that the user made are written to the user's local profile. If the user has a roaming profile, | 
|---|
| 845 | the changes are written to the user's profile on the server. | 
|---|
| 846 | </para> | 
|---|
| 847 |  | 
|---|
| 848 | </sect3> | 
|---|
| 849 | </sect2> | 
|---|
| 850 |  | 
|---|
| 851 | <sect2> | 
|---|
| 852 | <title>MS Windows NT4 Workstation</title> | 
|---|
| 853 |  | 
|---|
| 854 | <para> | 
|---|
| 855 | On MS Windows NT4, the default user profile is obtained from the location | 
|---|
| 856 | <filename>%SystemRoot%\Profiles</filename>, which in a default installation will translate to | 
|---|
| 857 | <filename>C:\Windows NT\Profiles</filename>. Under this directory on a clean install, there will be three | 
|---|
| 858 | directories: <filename>Administrator</filename>, <filename>All | 
|---|
| 859 | Users</filename>, and <filename>Default | 
|---|
| 860 | User</filename>. | 
|---|
| 861 | </para> | 
|---|
| 862 |  | 
|---|
| 863 | <para> | 
|---|
| 864 | The <filename>All Users</filename> directory contains menu settings that are common across all | 
|---|
| 865 | system users. The <filename>Default User</filename> directory contains menu entries that are customizable | 
|---|
| 866 | per user depending on the profile settings chosen/created. | 
|---|
| 867 | </para> | 
|---|
| 868 |  | 
|---|
| 869 | <para> | 
|---|
| 870 | When a new user first logs onto an MS Windows NT4 machine, a new profile is created from: | 
|---|
| 871 | </para> | 
|---|
| 872 |  | 
|---|
| 873 | <itemizedlist> | 
|---|
| 874 | <listitem><para>All Users settings.</para></listitem> | 
|---|
| 875 | <listitem><para>Default User settings (contains the default <filename>NTUser.DAT</filename> file).</para></listitem> | 
|---|
| 876 | </itemizedlist> | 
|---|
| 877 |  | 
|---|
| 878 | <para> | 
|---|
| 879 | <indexterm><primary>NTConfig.POL</primary></indexterm> | 
|---|
| 880 | When a user logs on to an MS Windows NT4 machine that is a member of a Microsoft security domain, | 
|---|
| 881 | the following steps are followed for profile handling: | 
|---|
| 882 | </para> | 
|---|
| 883 |  | 
|---|
| 884 | <procedure> | 
|---|
| 885 | <step> <para> The user's account information that is obtained during the logon process | 
|---|
| 886 | contains the location of the user's desktop profile. The profile path may be local to | 
|---|
| 887 | the machine or it may be located on a network share. If there exists a profile at the | 
|---|
| 888 | location of the path from the user account, then this profile is copied to the location | 
|---|
| 889 | <filename>%SystemRoot%\Profiles\%USERNAME%</filename>. This profile then inherits the settings | 
|---|
| 890 | in the <filename>All Users</filename> profile in the <filename>%SystemRoot%\Profiles</filename> | 
|---|
| 891 | location. </para> </step> | 
|---|
| 892 |  | 
|---|
| 893 | <step> <para> If the user account has a profile path, but at its location a profile does not | 
|---|
| 894 | exist, then a new profile is created in the <filename>%SystemRoot%\Profiles\%USERNAME%</filename> | 
|---|
| 895 | directory from reading the <filename>Default User</filename> profile. </para> </step> | 
|---|
| 896 |  | 
|---|
| 897 | <step> <para> | 
|---|
| 898 | <indexterm><primary>NTConfig.POL</primary></indexterm> | 
|---|
| 899 | <indexterm><primary>NETLOGON</primary></indexterm> | 
|---|
| 900 | <indexterm><primary>authenticating server</primary></indexterm> | 
|---|
| 901 | <indexterm><primary>logon server</primary></indexterm> | 
|---|
| 902 | <indexterm><primary>HKEY_CURRENT_USER</primary></indexterm> | 
|---|
| 903 | If the NETLOGON share on the authenticating server (logon server) contains | 
|---|
| 904 | a policy file (<filename>NTConfig.POL</filename>), then its contents are applied to the | 
|---|
| 905 | <filename>NTUser.DAT</filename>, which is applied to the <filename>HKEY_CURRENT_USER</filename> | 
|---|
| 906 | part of the registry. | 
|---|
| 907 | </para> </step> | 
|---|
| 908 |  | 
|---|
| 909 | <step> <para> When the user logs out, if the profile is set to be a roaming profile, it will be | 
|---|
| 910 | written out to the location of the profile. The <filename>NTuser.DAT</filename> file is then | 
|---|
| 911 | re-created from the contents of <filename>HKEY_CURRENT_USER</filename>. Thus, | 
|---|
| 912 | should there not exist in the NETLOGON share an <filename>NTConfig.POL</filename> at the next | 
|---|
| 913 | logon, the effect of the previous <filename>NTConfig.POL</filename> will still be held in the | 
|---|
| 914 | profile. The effect of this is known as tattooing. | 
|---|
| 915 | </para> </step> | 
|---|
| 916 | </procedure> | 
|---|
| 917 |  | 
|---|
| 918 | <para> | 
|---|
| 919 | MS Windows NT4 profiles may be <emphasis>local</emphasis> or <emphasis>roaming</emphasis>. A local | 
|---|
| 920 | profile is stored in the <filename>%SystemRoot%\Profiles\%USERNAME%</filename> location. A roaming | 
|---|
| 921 | profile will also remain stored in the same way, unless the following registry key is created: | 
|---|
| 922 | <screen> | 
|---|
| 923 | HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ | 
|---|
| 924 | winlogon\"DeleteRoamingCache"=dword:00000001 | 
|---|
| 925 | </screen> | 
|---|
| 926 | In this case, the local copy (in <filename>%SystemRoot%\Profiles\%USERNAME%</filename>) will be deleted | 
|---|
| 927 | on logout. | 
|---|
| 928 | </para> | 
|---|
| 929 |  | 
|---|
| 930 | <para> | 
|---|
| 931 | <indexterm><primary>regedt32</primary></indexterm> | 
|---|
| 932 | Under MS Windows NT4, default locations for common resources like <filename>My Documents</filename> | 
|---|
| 933 | may be redirected to a network share by modifying the following registry keys. These changes may be | 
|---|
| 934 | made via use of the System Policy Editor. To do so may require that you create your own template | 
|---|
| 935 | extension for the Policy Editor to allow this to be done through the GUI. Another way to do this is by | 
|---|
| 936 | first creating a default user profile, then while logged in as that user, running <command>regedt32</command> to edit | 
|---|
| 937 | the key settings. | 
|---|
| 938 | </para> | 
|---|
| 939 |  | 
|---|
| 940 | <para> | 
|---|
| 941 | On Windows NT4, the behavior of folders that are part of the default user | 
|---|
| 942 | profile is controlled by entries under the following registry hive key: | 
|---|
| 943 | <screen> | 
|---|
| 944 | HKEY_CURRENT_USER | 
|---|
| 945 | \Software | 
|---|
| 946 | \Microsoft | 
|---|
| 947 | \Windows | 
|---|
| 948 | \CurrentVersion | 
|---|
| 949 | \Explorer | 
|---|
| 950 | \User Shell Folders | 
|---|
| 951 | </screen> | 
|---|
| 952 | <indexterm><primary>windows registry settings</primary><secondary>default profile locations</secondary></indexterm> | 
|---|
| 953 | </para> | 
|---|
| 954 |  | 
|---|
| 955 | <para>  The above hive key contains a list of automatically managed | 
|---|
| 956 | folders. The default entries are shown in <link linkend="ProfileLocs">the next table</link>. | 
|---|
| 957 | </para> | 
|---|
| 958 |  | 
|---|
| 959 | <table frame="all" id="ProfileLocs"> | 
|---|
| 960 | <title>User Shell Folder Registry Keys Default Values</title> | 
|---|
| 961 | <tgroup cols="2"> | 
|---|
| 962 | <colspec align="left"/> | 
|---|
| 963 | <colspec align="left"/> | 
|---|
| 964 | <thead> | 
|---|
| 965 | <row><entry>Name</entry><entry>Default Value</entry></row> | 
|---|
| 966 | </thead> | 
|---|
| 967 | <tbody> | 
|---|
| 968 | <row><entry>AppData</entry><entry>%USERPROFILE%\Application Data</entry></row> | 
|---|
| 969 | <row><entry>Desktop</entry><entry>%USERPROFILE%\Desktop</entry></row> | 
|---|
| 970 | <row><entry>Favorites</entry><entry>%USERPROFILE%\Favorites</entry></row> | 
|---|
| 971 | <row><entry>NetHood</entry><entry>%USERPROFILE%\NetHood</entry></row> | 
|---|
| 972 | <row><entry>PrintHood</entry><entry>%USERPROFILE%\PrintHood</entry></row> | 
|---|
| 973 | <row><entry>Programs</entry><entry>%USERPROFILE%\Start Menu\Programs</entry></row> | 
|---|
| 974 | <row><entry>Recent</entry><entry>%USERPROFILE%\Recent</entry></row> | 
|---|
| 975 | <row><entry>SendTo</entry><entry>%USERPROFILE%\SendTo</entry></row> | 
|---|
| 976 | <row><entry>Start Menu</entry><entry>%USERPROFILE%\Start Menu</entry></row> | 
|---|
| 977 | <row><entry>Startup</entry><entry>%USERPROFILE%\Start Menu\Programs\Startup</entry></row> | 
|---|
| 978 | </tbody> | 
|---|
| 979 | </tgroup> | 
|---|
| 980 | </table> | 
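<para>One way to check collected values against the defaults in the table above, as an added example that is not part of the original chapter: the function reads name, type and data lines and reports every entry that differs, marking UNC targets separately because they move a logon-time folder such as Startup onto a network share. The input layout (that of reg query output), the sample capture and the server name in it are assumptions constructed for illustration.</para>

```shell
#!/bin/sh
# Added example (not from the Samba chapter): report User Shell Folders
# entries that differ from the NT4 defaults listed in the table.
# Assumed input: lines of "<name> <REG_type> <data>" separated by spaces or
# tabs, as printed by "reg query"; any other line is ignored.

# Defaults copied from the table, one name|value pair per line.
nt4_defaults() {
    cat <<'EOF'
AppData|%USERPROFILE%\Application Data
Desktop|%USERPROFILE%\Desktop
Favorites|%USERPROFILE%\Favorites
NetHood|%USERPROFILE%\NetHood
PrintHood|%USERPROFILE%\PrintHood
Programs|%USERPROFILE%\Start Menu\Programs
Recent|%USERPROFILE%\Recent
SendTo|%USERPROFILE%\SendTo
Start Menu|%USERPROFILE%\Start Menu
Startup|%USERPROFILE%\Start Menu\Programs\Startup
EOF
}

# Reads a capture on stdin and prints kind|name|value for each deviation:
#   REDIRECTED  value is a UNC path (the folder lives on a network share)
#   CHANGED     value differs from the default in some other way
#   UNLISTED    name does not appear in the table
audit_shell_folders() {
    { nt4_defaults; printf '%s\n' '--capture--'; cat; } | awk '
        BEGIN { FS = "|" }
        !capture && $0 == "--capture--" { capture = 1; next }
        !capture { def[tolower($1)] = tolower($2); next }
        {
            # Split on the type token so names with spaces stay intact.
            if (!match($0, /[ \t]+REG_[A-Z_]+[ \t]+/)) next
            name  = substr($0, 1, RSTART - 1)
            value = substr($0, RSTART + RLENGTH)
            sub(/^[ \t]+/, "", name)
            sub(/[ \t\r]+$/, "", value)
            key = tolower(name)
            # Windows treats paths and variable names case-insensitively.
            if (!(key in def)) { kind = "UNLISTED" }
            else if (tolower(value) == def[key]) { next }
            else if (value ~ /^\\\\/) { kind = "REDIRECTED" }
            else { kind = "CHANGED" }
            print kind "|" name "|" value
        }'
}

# Constructed capture: two untouched entries, one redirected to a made-up
# server, one pointed at a local path, and one name the table does not list.
sample_capture() {
    cat <<'EOF'

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    Desktop    REG_EXPAND_SZ    %USERPROFILE%\Desktop
    Start Menu    REG_EXPAND_SZ    %userprofile%\Start Menu
    Favorites    REG_EXPAND_SZ    \\fileserver.example\users\%USERNAME%\Favorites
    Startup    REG_EXPAND_SZ    C:\Temp\Startup
    Personal    REG_EXPAND_SZ    %USERPROFILE%\Personal
EOF
}

# Stand-alone run: audit the file named on the command line, or the sample.
if [ $# -gt 0 ]; then
    audit_shell_folders < "$1"
else
    sample_capture | audit_shell_folders
fi
```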
|---|
| 981 |  | 
|---|
| 982 | <para> The registry key that contains the location of the default profile settings is: | 
|---|
| 983 | <screen> | 
|---|
| 984 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ | 
|---|
| 985 | User Shell Folders | 
|---|
| 986 | </screen> | 
|---|
| 987 | </para> | 
|---|
| 988 |  | 
|---|
| 989 | <para> | 
|---|
| 990 | The default entries are shown in <link linkend="regkeys">Defaults of Profile Settings Registry Keys</link>. | 
|---|
| 991 | </para> | 
|---|
| 992 |  | 
|---|
| 993 | <table frame="all" id="regkeys"> | 
|---|
| 994 | <title>Defaults of Profile Settings Registry Keys</title> | 
|---|
| 995 | <tgroup cols="2"> | 
|---|
| 996 | <colspec align="left"/> | 
|---|
| 997 | <colspec align="left"/> | 
|---|
| 998 | <tbody> | 
|---|
| 999 | <row><entry>Common Desktop</entry><entry>%SystemRoot%\Profiles\All Users\Desktop</entry></row> | 
|---|
| 1000 | <row><entry>Common Programs</entry><entry>%SystemRoot%\Profiles\All Users\Programs</entry></row> | 
|---|
| 1001 | <row><entry>Common Start Menu</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu</entry></row> | 
|---|
| 1002 | <row><entry>Common Startup</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</entry></row> | 
|---|
| 1003 | </tbody> | 
|---|
| 1004 | </tgroup> | 
|---|
| 1005 | </table> | 
|---|
| 1006 |  | 
|---|
| 1007 | </sect2> | 
|---|
| 1008 |  | 
|---|
| 1009 | <sect2> | 
|---|
| 1010 | <title>MS Windows 200x/XP</title> | 
|---|
| 1011 |  | 
|---|
| 1012 | <note><para> | 
|---|
| 1013 | <indexterm><primary>GPOs</primary></indexterm> | 
|---|
| 1014 | <indexterm><primary>Windows XP Home Edition</primary></indexterm> | 
|---|
| 1015 | <indexterm><primary>ADS</primary></indexterm> | 
|---|
| 1016 | <indexterm><primary>domain security</primary></indexterm> | 
|---|
| 1017 | MS Windows XP Home Edition does use default per-user profiles, but cannot participate | 
|---|
| 1018 | in domain security, cannot log onto an NT/ADS-style domain, and thus can obtain the profile only | 
|---|
| 1019 | from itself. While there are benefits in doing this, the beauty of those MS Windows clients that | 
|---|
| 1020 | can participate in domain logon processes is that they allow the administrator to create a global default | 
|---|
| 1021 | profile and enforce it through the use of Group Policy Objects (GPOs). | 
|---|
| 1022 | </para></note> | 
|---|
| 1023 |  | 
|---|
| 1024 | <para> | 
|---|
| 1025 | <indexterm><primary>Default User</primary></indexterm> | 
|---|
| 1026 | When a new user first logs onto an MS Windows 200x/XP machine, the default profile is obtained from | 
|---|
| 1027 | <filename>C:\Documents and Settings\Default User</filename>. The administrator can modify or change the | 
|---|
| 1028 | contents of this location, and MS Windows 200x/XP will gladly use it. This is far from the optimum arrangement, | 
|---|
| 1029 | since it will involve copying a new default profile to every MS Windows 200x/XP client workstation. | 
|---|
| 1030 | </para> | 
|---|
| 1031 |  | 
|---|
| 1032 | <para> | 
|---|
| 1033 | <indexterm><primary>NETLOGON</primary></indexterm> | 
|---|
| 1034 | When MS Windows 200x/XP participates in a domain security context, and if the default user profile is not | 
|---|
| 1035 | found, then the client will search for a default profile in the NETLOGON share of the authenticating server. | 
|---|
| 1036 | In MS Windows parlance, it is <filename>%LOGONSERVER%\NETLOGON\Default User</filename>, | 
|---|
| 1037 | and if one exists there, it will copy this to the workstation in the <filename>C:\Documents and | 
|---|
| 1038 | Settings\</filename> directory under the Windows login name of the user. | 
|---|
| 1039 | </para> | 
|---|
| 1040 |  | 
|---|
| 1041 | <note> <para> This path translates, in Samba parlance, to the &smb.conf; | 
|---|
| 1042 | <smbconfsection name="[NETLOGON]"/> share. The directory should be created at the root | 
|---|
| 1043 | of this share and must be called <filename>Default User</filename>. | 
|---|
| 1044 | </para> </note> | 
|---|
| 1045 |  | 
|---|
| 1046 | <para> If a default profile does not exist in this location, then MS Windows 200x/XP will use the local | 
|---|
| 1047 | default profile. </para> | 
|---|
| 1048 |  | 
|---|
| 1049 | <para> On logging out, the user's desktop profile is stored to the location specified in the registry | 
|---|
| 1050 | settings that pertain to the user. If no specific policies have been created or passed to the client | 
|---|
| 1051 | during the login process (as Samba does automatically), then the user's profile is written to the | 
|---|
| 1052 | local machine only under the path <filename>C:\Documents and Settings\%USERNAME%</filename>. </para> | 
|---|
| 1053 |  | 
|---|
| 1054 | <para> Those wishing to modify the default behavior can do so through these three methods: </para> | 
|---|
| 1055 |  | 
|---|
| 1056 | <itemizedlist> | 
|---|
| 1057 | <listitem> <para> Modify the registry keys on the local machine manually and place the new | 
|---|
| 1058 | default profile in the NETLOGON share root. This is not recommended because it is maintenance intensive. | 
|---|
| 1059 | </para> </listitem> | 
|---|
| 1060 |  | 
|---|
| 1061 | <listitem> <para> Create an NT4-style NTConfig.POL file that specifies this behavior and locate | 
|---|
| 1062 | this file in the root of the NETLOGON share along with the new default profile. </para> </listitem> | 
|---|
| 1063 |  | 
|---|
| 1064 | <listitem> <para> Create a GPO that enforces this through Active Directory, and place the new | 
|---|
| 1065 | default profile in the NETLOGON share.  </para> </listitem> | 
|---|
| 1066 | </itemizedlist> | 
|---|
| 1067 |  | 
|---|
| 1068 | <para>On Windows 200x/XP, the behavior of folders that are part of the default user | 
|---|
| 1069 | profile is controlled by entries under the following registry hive key: </para> | 
|---|
| 1070 |  | 
|---|
| 1071 | <para> <filename>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell | 
|---|
| 1072 | Folders\</filename> </para> | 
|---|
| 1073 |  | 
|---|
| 1074 | <para> | 
|---|
| 1075 | This hive key contains a list of automatically managed folders. The default entries are shown | 
|---|
| 1076 | in <link linkend="defregpthkeys">the next table</link>. | 
|---|
| 1077 | <indexterm><primary>windows registry settings</primary><secondary>default profile locations</secondary></indexterm> | 
|---|
| 1078 | </para> | 
|---|
| 1079 |  | 
|---|
| 1080 |  | 
|---|
| 1081 | <table frame="all" id="defregpthkeys"> | 
|---|
| 1082 | <title>Defaults of Default User Profile Paths Registry Keys</title> | 
|---|
| 1083 | <tgroup cols="2"> | 
|---|
| 1084 | <colspec align="left"/> | 
|---|
| 1085 | <colspec align="left"/> | 
|---|
| 1086 | <thead> | 
|---|
| 1087 | <row><entry>Name</entry><entry>Default Value</entry></row> | 
|---|
| 1088 | </thead> | 
|---|
| 1089 | <tbody> | 
|---|
| 1090 | <row><entry>AppData</entry><entry>%USERPROFILE%\Application Data</entry></row> | 
|---|
| 1091 | <row><entry>Cache</entry><entry>%USERPROFILE%\Local Settings\Temporary Internet Files</entry></row> | 
|---|
| 1092 | <row><entry>Cookies</entry><entry>%USERPROFILE%\Cookies</entry></row> | 
|---|
| 1093 | <row><entry>Desktop</entry><entry>%USERPROFILE%\Desktop</entry></row> | 
|---|
| 1094 | <row><entry>Favorites</entry><entry>%USERPROFILE%\Favorites</entry></row> | 
|---|
| 1095 | <row><entry>History</entry><entry>%USERPROFILE%\Local Settings\History</entry></row> | 
|---|
| 1096 | <row><entry>Local AppData</entry><entry>%USERPROFILE%\Local Settings\Application Data</entry></row> | 
|---|
| 1097 | <row><entry>Local Settings</entry><entry>%USERPROFILE%\Local Settings</entry></row> | 
|---|
| 1098 | <row><entry>My Pictures</entry><entry>%USERPROFILE%\My Documents\My Pictures</entry></row> | 
|---|
| 1099 | <row><entry>NetHood</entry><entry>%USERPROFILE%\NetHood</entry></row> | 
|---|
| 1100 | <row><entry>Personal</entry><entry>%USERPROFILE%\My Documents</entry></row> | 
|---|
| 1101 | <row><entry>PrintHood</entry><entry>%USERPROFILE%\PrintHood</entry></row> | 
|---|
| 1102 | <row><entry>Programs</entry><entry>%USERPROFILE%\Start Menu\Programs</entry></row> | 
|---|
| 1103 | <row><entry>Recent</entry><entry>%USERPROFILE%\Recent</entry></row> | 
|---|
| 1104 | <row><entry>SendTo</entry><entry>%USERPROFILE%\SendTo</entry></row> | 
|---|
| 1105 | <row><entry>Start Menu</entry><entry>%USERPROFILE%\Start Menu</entry></row> | 
|---|
| 1106 | <row><entry>Startup</entry><entry>%USERPROFILE%\Start Menu\Programs\Startup</entry></row> | 
|---|
| 1107 | <row><entry>Templates</entry><entry>%USERPROFILE%\Templates</entry></row> | 
|---|
| 1108 | </tbody> | 
|---|
| 1109 | </tgroup> | 
|---|
| 1110 | </table> | 
|---|
| 1111 |  | 
|---|
| 1112 | <para> There is also an entry called <quote>Default</quote> that has no value set. The default entry is | 
|---|
| 1113 | of type <constant>REG_SZ</constant>; all the others are of type <constant>REG_EXPAND_SZ</constant>. </para> | 
|---|
| 1114 |  | 
|---|
| 1115 | <para> It makes a huge difference to the speed of handling roaming user profiles if all the folders are | 
|---|
| 1116 | stored on a dedicated location on a network server. This means that it will not be necessary to write | 
|---|
| 1117 | the Outlook PST file over the network for every login and logout. </para> | 
|---|
| 1118 |  | 
|---|
| 1119 | <para> | 
|---|
| 1120 | To set this to a network location, you could use the following examples: | 
|---|
| 1121 | <screen> | 
|---|
| 1122 | %LOGONSERVER%\%USERNAME%\Default Folders | 
|---|
| 1123 | </screen> | 
|---|
| 1124 | This stores the folders in the user's home directory under a directory called <filename>Default | 
|---|
| 1125 | Folders</filename>. You could also use: | 
|---|
| 1126 | <screen> | 
|---|
| 1127 | \\<replaceable>SambaServer</replaceable>\<replaceable>FolderShare</replaceable>\%USERNAME% | 
|---|
| 1128 | </screen> | 
|---|
| 1129 | </para> | 
|---|
| 1130 |  | 
|---|
| 1131 | <para> | 
|---|
| 1132 | in which case the default folders are stored in the server named <replaceable>SambaServer</replaceable> | 
|---|
| 1133 | in the share called <replaceable>FolderShare</replaceable> under a directory that has the name of the | 
|---|
| 1134 | MS Windows user as seen by the Linux/UNIX file system.  </para> | 
|---|
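The redirection described above can be staged as a .reg file. This is an added example, not part of the Samba documentation: it writes each entry in the hex(2) form that a .reg file needs for <constant>REG_EXPAND_SZ</constant>, because a plain quoted string imports as <constant>REG_SZ</constant> and %USERNAME% would then not be expanded. SambaServer and FolderShare are the placeholders used above; the folder subset, function names and output file name are assumptions.

```python
# Added example: build a .reg file that redirects User Shell Folders entries
# to a network location, keeping the REG_EXPAND_SZ type of the defaults.
KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
       r"\Explorer\User Shell Folders")

# Assumed subset of the table above: value name -> path below the new base.
FOLDERS = {
    "AppData": "Application Data",
    "Desktop": "Desktop",
    "Personal": "My Documents",
    "My Pictures": r"My Documents\My Pictures",
}


def expand_sz(text):
    """Encode text as .reg hex(2) data: UTF-16LE bytes plus a NUL terminator."""
    raw = (text + "\0").encode("utf-16-le")
    return "hex(2):" + ",".join(f"{b:02x}" for b in raw)


def decode_expand_sz(value):
    """Inverse of expand_sz, for reviewing a generated or exported file."""
    hex_bytes = value[len("hex(2):"):].split(",")
    raw = bytes(int(h, 16) for h in hex_bytes)
    return raw.decode("utf-16-le").rstrip("\0")


def build_reg(base, folders=FOLDERS):
    """Return the .reg text that points every listed folder below base."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{KEY}]"]
    for name, rel in folders.items():
        target = base + "\\" + rel
        lines.append(f'"{name}"={expand_sz(target)}')
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Placeholder server and share names, as in the text above.
    text = build_reg(r"\\SambaServer\FolderShare\%USERNAME%")
    # Hypothetical output file; newline="" keeps the CRLF line ends as built.
    with open("shellfolders.reg", "w", encoding="utf-16", newline="") as fh:
        fh.write(text)
    for line in text.split("\r\n"):
        if "=hex(2):" in line:
            name, value = line.split("=", 1)
            print(name, "->", decode_expand_sz(value))
```
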
| 1135 |  | 
|---|
| 1136 | <para> Please note that once you have created a default profile share, you <emphasis>must</emphasis> migrate a user's profile | 
|---|
| 1137 | (default or custom) to it. </para> | 
|---|
| 1138 |  | 
|---|
| 1139 | <para> MS Windows 200x/XP profiles may be <emphasis>local</emphasis> or <emphasis>roaming</emphasis>. | 
|---|
| 1140 | A roaming profile is cached locally unless the following registry key is created: | 
|---|
| 1141 |  | 
|---|
| 1142 | <indexterm><primary>delete roaming profiles</primary></indexterm> | 
|---|
| 1143 | </para> | 
|---|
| 1144 |  | 
|---|
| 1145 |  | 
|---|
| 1146 | <para> <programlisting> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\ | 
|---|
| 1147 | winlogon\"DeleteRoamingCache"=dword:00000001</programlisting></para> | 
|---|
| 1148 |  | 
|---|
| 1149 | <para> | 
|---|
| 1150 | In this case, the local cache copy is deleted on logout. | 
|---|
| 1151 | </para> | 
|---|
| 1152 | </sect2> | 
|---|
| 1153 | </sect1> | 
|---|
| 1154 |  | 
|---|
| 1155 | <sect1> <title>Common Errors</title> | 
|---|
| 1156 |  | 
|---|
| 1157 | <para> | 
|---|
| 1158 | The following are some typical errors, problems, and questions that have been asked on the Samba mailing lists. | 
|---|
| 1159 | </para> | 
|---|
| 1160 |  | 
|---|
| 1161 | <sect2> | 
|---|
| 1162 | <title>Configuring Roaming Profiles for a Few Users or Groups</title> | 
|---|
| 1163 |  | 
|---|
| 1164 | <para> | 
|---|
| 1165 | With Samba-2.2.x, the choice you have is to enable or disable roaming profiles support. It is a | 
|---|
| 1166 | global-only setting. The default is to have roaming profiles, and the default path will locate them in | 
|---|
| 1167 | the user's home directory. | 
|---|
| 1168 | </para> | 
|---|
| 1169 |  | 
|---|
| 1170 | <para> | 
|---|
| 1171 | If disabled globally, then no one will have roaming profile ability. If enabled and you want it | 
|---|
| 1172 | to apply only to certain machines, then on those machines on which roaming profile support is not wanted, | 
|---|
| 1173 | it is necessary to disable roaming profile handling in the registry of each such machine. | 
|---|
| 1174 | </para> | 
|---|
| 1175 |  | 
|---|
| 1176 | <para> | 
|---|
| 1177 | With Samba-3, you can have a global profile setting in &smb.conf;, and you can override this by | 
|---|
| 1178 | per-user settings using the Domain User Manager (as with MS Windows NT4/200x). </para> | 
|---|
| 1179 |  | 
|---|
| 1180 | <para> In any case, you can configure only one profile per user. That profile can be either: </para> | 
|---|
| 1181 |  | 
|---|
| 1182 | <itemizedlist> | 
|---|
| 1183 | <listitem><para>A profile unique to that user.</para></listitem> | 
|---|
| 1184 | <listitem><para>A mandatory profile (one the user cannot change).</para></listitem> | 
|---|
| 1185 | <listitem><para>A group profile (really should be mandatory &smbmdash; that is, unchangeable).</para></listitem> | 
|---|
| 1186 | </itemizedlist> | 
|---|
| 1187 |  | 
|---|
| 1188 | </sect2> | 
|---|
| 1189 |  | 
|---|
| 1190 | <sect2> <title>Cannot Use Roaming Profiles</title> | 
|---|
| 1191 |  | 
|---|
| 1192 | <para> A user requested the following: <quote> I do not want roaming profiles to be implemented. I want | 
|---|
| 1193 | to give users a local profile alone. I am totally lost with this error. For the past | 
|---|
| 1194 | two days I tried everything, I googled around but found no useful pointers. Please help me. </quote></para> | 
|---|
| 1195 |  | 
|---|
| 1196 | <para> The choices are: </para> | 
|---|
| 1197 |  | 
|---|
| 1198 | <variablelist> | 
|---|
| 1199 | <varlistentry> | 
|---|
| 1200 | <term>Local profiles</term> <listitem><para> I know of no registry keys that will allow | 
|---|
| 1201 | autodeletion of LOCAL profiles on log out.</para></listitem> | 
|---|
| 1202 | </varlistentry> | 
|---|
| 1203 |  | 
|---|
| 1204 | <varlistentry> | 
|---|
| 1205 | <term>Roaming profiles</term> <listitem><para> As a user logs onto the network, a centrally | 
|---|
| 1206 | stored profile is copied to the workstation to form a local profile. This local profile | 
|---|
| 1207 | will persist (remain on the workstation disk) unless a registry key is changed that will | 
|---|
| 1208 | cause this profile to be automatically deleted on logout. </para></listitem> | 
|---|
| 1209 | </varlistentry> | 
|---|
| 1210 | </variablelist> | 
|---|
| 1211 |  | 
|---|
| 1212 | <para>The roaming profile choices are: </para> | 
|---|
| 1213 |  | 
|---|
| 1214 | <variablelist> | 
|---|
| 1215 | <varlistentry> | 
|---|
| 1216 | <term>Personal roaming profiles</term> <listitem><para> These are typically stored in | 
|---|
| 1217 | a profile share on a central (or conveniently located local) server. </para> | 
|---|
| 1218 |  | 
|---|
| 1219 | <para> Workstations cache (store) a local copy of the profile. This cached | 
|---|
| 1220 | copy is used when the profile cannot be downloaded at next logon. </para></listitem> | 
|---|
| 1221 | </varlistentry> | 
|---|
| 1222 |  | 
|---|
| 1223 | <varlistentry> | 
|---|
| 1224 | <term>Group profiles</term> <listitem><para>These are loaded from a central profile | 
|---|
| 1225 | server.</para></listitem> | 
|---|
| 1226 | </varlistentry> | 
|---|
| 1227 |  | 
|---|
| 1228 | <varlistentry> | 
|---|
| 1229 | <term>Mandatory profiles</term> <listitem><para> Mandatory profiles can be created for | 
|---|
| 1230 | a user as well as for any group that a user is a member of. Mandatory profiles cannot be | 
|---|
| 1231 | changed by ordinary users. Only the administrator can change or reconfigure a mandatory | 
|---|
| 1232 | profile. </para></listitem> | 
|---|
| 1233 | </varlistentry> | 
|---|
| 1234 | </variablelist> | 
|---|
| 1235 |  | 
|---|
| 1236 | <para> A Windows NT4/200x/XP profile can vary in size from 130KB to very large. Outlook PST files are | 
|---|
| 1237 | most often part of the profile and can be many gigabytes in size. On average (in a well controlled environment), | 
|---|
| 1238 | a roaming profile size of 2MB is a good rule of thumb to use for planning purposes. In an undisciplined | 
|---|
| 1239 | environment, I have seen up to 2GB profiles. Users tend to complain when it takes an hour to log onto a | 
|---|
| 1240 | workstation, but they harvest the fruits of folly (and ignorance). </para> | 
|---|
| 1241 |  | 
|---|
| 1242 | <para> The point of this discussion is to show that roaming profiles and good controls of how they can be | 
|---|
| 1243 | changed as well as good discipline make for a problem-free site. </para> | 
|---|
| 1244 |  | 
|---|
| 1245 | <para> Microsoft's answer to the PST problem is to store all email in an MS Exchange Server backend. This | 
|---|
| 1246 | removes the need for a PST file. </para> | 
|---|
| 1247 |  | 
|---|
| 1248 | <para>Local profiles mean: </para> | 
|---|
| 1249 |  | 
|---|
| 1250 | <itemizedlist> | 
|---|
| 1251 | <listitem><para>If each machine is used by many users, then much local disk storage is needed | 
|---|
| 1252 | for local profiles.</para></listitem> <listitem><para>Every workstation the user logs into has | 
|---|
| 1253 | its own profile; these can be very different from machine to machine.</para></listitem> | 
|---|
| 1254 | </itemizedlist> | 
|---|
| 1255 |  | 
|---|
| 1256 | <para> On the other hand, use of roaming profiles means: </para> | 
|---|
| 1257 |  | 
|---|
| 1258 | <itemizedlist> | 
|---|
| 1259 | <listitem><para>The network administrator can control the desktop environment of all users.</para></listitem> | 
|---|
| 1260 | <listitem><para>Use of mandatory profiles drastically reduces network management overheads.</para></listitem> | 
|---|
| 1261 | <listitem><para>In the long run, users will experience fewer problems.</para></listitem> | 
|---|
| 1262 | </itemizedlist> | 
|---|
| 1263 |  | 
|---|
| 1264 | </sect2> | 
|---|
| 1265 |  | 
|---|
| 1266 | <sect2> | 
|---|
| 1267 | <title>Changing the Default Profile</title> | 
|---|
| 1268 |  | 
|---|
| 1269 | <para><quote>When the client logs onto the domain controller, it searches | 
|---|
| 1270 | for a profile to download. Where do I put this default profile?</quote></para> | 
|---|
| 1271 |  | 
|---|
| 1272 | <para> | 
|---|
| 1273 | <indexterm><primary>default profile</primary></indexterm> | 
|---|
| 1274 | First, the Samba server needs to be configured as a domain controller. This can be done by | 
|---|
| 1275 | setting in &smb.conf;: </para> | 
|---|
| 1276 |  | 
|---|
| 1277 | <smbconfblock> | 
|---|
| 1278 | <smbconfoption name="security">user</smbconfoption> | 
|---|
| 1279 | <smbconfoption name="os level">32 (or more)</smbconfoption> | 
|---|
| 1280 | <smbconfoption name="domain logons">Yes</smbconfoption> | 
|---|
| 1281 | </smbconfblock> | 
|---|
| 1282 |  | 
|---|
| 1283 | <para> There must be a <smbconfsection name="[netlogon]"/> share that is world readable. It is | 
|---|
| 1284 | a good idea to add a logon script to preset printer and drive connections. There is also a facility | 
|---|
| 1285 | for automatically synchronizing the workstation time clock with that of the logon server (another good | 
|---|
| 1286 | thing to do). </para> | 
|---|
| 1287 |  | 
|---|
| 1288 | <note><para> To invoke autodeletion of roaming profiles from the local workstation cache (disk storage), use | 
|---|
| 1289 | the <application>Group Policy Editor</application> to create a file called <filename>NTConfig.POL</filename> | 
|---|
| 1290 | with the appropriate entries. This file needs to be located in the <smbconfsection name="netlogon"/> | 
|---|
| 1291 | share root directory.</para></note> | 
|---|
| 1292 |  | 
|---|
| 1293 | <para> Windows clients need to be members of the domain. Workgroup machines do not use network logons, | 
|---|
| 1294 | so they do not interoperate with domain profiles. </para> | 
|---|
| 1295 |  | 
|---|
| 1296 | <para> For roaming profiles, add to &smb.conf;: </para> | 
|---|
| 1297 |  | 
|---|
| 1298 | <smbconfblock> | 
|---|
| 1299 | <smbconfoption name="logon path">\\%N\profiles\%U</smbconfoption> | 
|---|
| 1300 | <smbconfcomment>Default logon drive is Z:</smbconfcomment> | 
|---|
| 1301 | <smbconfoption name="logon drive">H:</smbconfoption> | 
|---|
| 1302 | <smbconfcomment>This requires a PROFILES share that is world writable.</smbconfcomment> | 
|---|
| 1303 | </smbconfblock> | 
|---|
| 1304 |  | 
|---|
| 1305 | </sect2> | 
|---|
| 1306 |  | 
|---|
| 1307 | <sect2> | 
|---|
| 1308 | <title>Debugging Roaming Profiles and NT4-style Domain Policies</title> | 
|---|
| 1309 |  | 
|---|
| 1310 | <para> | 
|---|
| 1311 | Roaming profiles and domain policies are implemented via <command>USERENV.DLL</command>. | 
|---|
| 1312 | Microsoft Knowledge Base articles <ulink | 
|---|
| 1313 | url="http://support.microsoft.com/default.aspx?scid=kb;en-us;221833">221833</ulink> and | 
|---|
| 1314 | <ulink url="http://support.microsoft.com/default.aspx?scid=kb;en-us;154120">154120</ulink> | 
|---|
| 1315 | describe how to instruct that DLL to debug the login process. | 
|---|
| 1316 | </para> | 
|---|
| 1317 |  | 
|---|
| 1318 | </sect2> | 
|---|
| 1319 | </sect1> | 
|---|
| 1320 | </chapter> | 
|---|