source: branches/samba-3.5.x/docs-xml/Samba3-HOWTO/TOSHARG-ProfileMgmt.xml@ 717

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="ProfileMgmt">
<chapterinfo>
        &author.jht;
    <pubdate>April 3 2003</pubdate>
</chapterinfo>

<title>Desktop Profile Management</title>

<sect1>
<title>Features and Benefits</title>

<para>
<indexterm><primary>roaming profiles</primary></indexterm>
Roaming profiles are feared by some, hated by a few, loved by many, and a godsend for
some administrators.
</para>

<para>
<indexterm><primary>manage roaming profiles</primary></indexterm>
Roaming profiles allow an administrator to make available a consistent user desktop
as the user moves from one machine to another. This chapter provides much information
regarding how to configure and manage roaming profiles.
</para>

<para>
<indexterm><primary>local profiles</primary></indexterm>
While roaming profiles might sound like nirvana to some, they are a real and tangible
problem to others. In particular, users of mobile computing tools, where often there may not
be a sustained network connection, are often better served by purely local profiles.
This chapter provides information to help the Samba administrator deal with those
situations.
</para>

</sect1>

<sect1>
<title>Roaming Profiles</title>

<warning>
<para>
Roaming profiles support is different for Windows 9x/Me and Windows NT4/200x.
</para>
</warning>

<para>
Before discussing how to configure roaming profiles, it is useful to see how
Windows 9x/Me and Windows NT4/200x clients implement these features.
</para>

<para>
<indexterm><primary>NetUserGetInfo</primary></indexterm>
Windows 9x/Me clients send a NetUserGetInfo request to the server to get the user's
profiles location. However, the response does not have room for a separate
profiles location field, only the user's home share. This means that Windows 9x/Me
profiles are restricted to being stored in the user's home directory.
</para>


<para>
<indexterm><primary>NetSAMLogon</primary></indexterm>
<indexterm><primary>RPC</primary></indexterm>
Windows NT4/200x  clients send a NetSAMLogon RPC request, which contains many fields
including a separate field for the location of the user's profiles.
</para>

<sect2>
<title>Samba Configuration for Profile Handling</title>

<para>
This section documents how to configure Samba for MS Windows client profile support.
</para>

<sect3>
<title>NT4/200x User Profiles</title>

<para>
For example, to support Windows NT4/200x clients, set the following in the [global] section of the &smb.conf; file:
</para>

<smbconfblock>
        <smbconfoption name="logon path"> \\profileserver\profileshare\profilepath\%U\moreprofilepath</smbconfoption>
</smbconfblock>

<para>
This is typically implemented like:
<smbconfblock>
<smbconfoption name="logon path">\\%L\Profiles\%U</smbconfoption>
</smbconfblock>
where <quote>%L</quote> translates to the name of the Samba server and <quote>%U</quote> translates to the username.
</para>

<para>
The default for this option is <filename>\\%N\%U\profile</filename>, namely, <filename>\\sambaserver\username\profile</filename>. 
The <filename>\\%N\%U</filename> service is created automatically by the [homes] service. If you are using
a Samba server for the profiles, you must make the share that is specified in the logon path
browseable. Please refer to the man page for &smb.conf; regarding the different
semantics of <quote>%L</quote> and <quote>%N</quote>, as well as <quote>%U</quote> and <quote>%u</quote>.
</para>

<note><para>
<indexterm><primary>logons</primary></indexterm>
<indexterm><primary>disconnect a connection</primary></indexterm>
MS Windows NT/200x clients at times do not disconnect a connection to a server between logons. It is recommended
to not use the <smbconfsection name="homes"/> metaservice name as part of the profile share path.
</para></note>
</sect3>

<sect3>
<title>Windows 9x/Me User Profiles</title>

<para>
<indexterm><primary>net use /home</primary></indexterm>
<indexterm><primary>logon home</primary></indexterm>
To support Windows 9x/Me clients, you must use the <smbconfoption name="logon home"/>
parameter. Samba has been fixed so <userinput>net use /home</userinput> now works as well and it, too, relies
on the <parameter>logon home</parameter> parameter.
</para>

<para>
<indexterm><primary>logon home</primary></indexterm>
<indexterm><primary>\\%L\%U\.profiles</primary></indexterm>
<indexterm><primary>.profiles</primary></indexterm>
By using the <parameter>logon home</parameter> parameter, you are restricted to putting Windows 9x/Me profiles
in the user's home directory.  But wait! There is a trick you can use. If you set the following in the
<smbconfsection name="[global]"/> section of your &smb.conf; file:
<smbconfblock>
<smbconfoption name="logon home">\\%L\%U\.profiles</smbconfoption>
</smbconfblock>
then your Windows 9x/Me clients will dutifully put their clients in a subdirectory
of your home directory called <filename>.profiles</filename> (making them hidden).
</para>

<para>
<indexterm><primary>net use /home</primary></indexterm>
Not only that, but <userinput>net use /home</userinput> will also work because of a feature in
Windows 9x/Me. It removes any directory stuff off the end of the home directory area
and only uses the server and share portion. That is, it looks like you
specified <filename>\\%L\%U</filename> for <smbconfoption name="logon home"/>.
</para>
</sect3>

<sect3>
<title>Mixed Windows Windows 9x/Me and NT4/200x User Profiles</title>

<para>
You can support profiles for Windows 9x and Windows NT clients by setting both the
<smbconfoption name="logon home"/> and <smbconfoption name="logon path"/> parameters. For example,
</para>

<para><smbconfblock>
<smbconfoption name="logon home">\\%L\%U\.profiles</smbconfoption>
<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
</smbconfblock></para>

<para>
<indexterm><primary>mixed profile</primary></indexterm>
Windows 9x/Me and NT4 and later profiles should not be stored in the same location because
Windows NT4 and later will experience problems with mixed profile environments.
</para>

</sect3>
<sect3>
<title>Disabling Roaming Profile Support</title>

<para>
<indexterm><primary>disable roaming profiles</primary></indexterm>
The question often asked is, <quote>How may I enforce use of local profiles?</quote> or
<quote>How do I disable roaming profiles?</quote>
</para>

<para>
<indexterm><primary>roaming profiles</primary></indexterm>
There are three ways of doing this:
</para>

<indexterm><primary>windows registry settings</primary><secondary>roaming profiles</secondary></indexterm>

<variablelist>
        <varlistentry>
                <term>In &smb.conf;</term>:
                <listitem><para>
                Affect the following settings and ALL clients will be forced to use a local profile:
                <smbconfoption name="logon home"> </smbconfoption> and <smbconfoption name="logon path"> </smbconfoption>
                </para>

                <para>
                The arguments to these parameters must be left blank. It is necessary to include the <constant>=</constant> sign
                to specifically assign the empty value.
                </para></listitem>
        </varlistentry>

        <varlistentry>
                <term>MS Windows Registry:</term>
                <listitem><para>
<indexterm><primary>MMC</primary></indexterm>
<indexterm><primary>local profile</primary></indexterm>
                Use the Microsoft Management Console (MMC) <command>gpedit.msc</command> to instruct your MS Windows XP
                machine to use only a local profile. This, of course, modifies registry settings. The full
                path to the option is:
<screen>
Local Computer Policy\
        Computer Configuration\
                Administrative Templates\
                        System\
                                User Profiles\

Disable: Only Allow Local User Profiles 
Disable: Prevent Roaming Profile Change from Propagating to the Server
</screen>
        </para></listitem>
        </varlistentry>

        <varlistentry>
                <term>Change of Profile Type:</term>
<indexterm><primary>Profile Type</primary></indexterm>
                <listitem><para>From the start menu right-click on the <guiicon>My Computer</guiicon> icon,
                select <guimenuitem>Properties</guimenuitem>, click on the <guilabel>User Profiles</guilabel>
                tab, select the profile you wish to change from
                <guimenu>Roaming</guimenu> type to <guimenu>Local</guimenu>, and click on
                <guibutton>Change Type</guibutton>.
                </para></listitem>
        </varlistentry>
</variablelist>

<para>
Consult the MS Windows registry guide for your particular MS Windows version for more information
about which registry keys to change to enforce use of only local user profiles.
</para>

<note><para>
<indexterm><primary>Windows Resource Kit</primary></indexterm>
The specifics of how to convert a local profile to a roaming profile, or a roaming profile
to a local one, vary according to the version of MS Windows you are running. Consult the Microsoft MS
Windows Resource Kit for your version of Windows for specific information.
</para></note>

</sect3>
</sect2>

<sect2>
<title>Windows Client Profile Configuration Information</title>

<sect3>
<title>Windows 9x/Me Profile Setup</title>

<para>
When a user first logs in on Windows 9x, the file user.DAT is created, as are folders <filename>Start
Menu</filename>, <filename>Desktop</filename>, <filename>Programs</filename>, and
<filename>Nethood</filename>. These directories and their contents will be merged with the local versions
stored in <filename>c:\windows\profiles\username</filename> on subsequent logins, taking the most recent from
each.   You will need to use the <smbconfsection name="[global]"/> options <smbconfoption name="preserve
case">yes</smbconfoption>, <smbconfoption name="short preserve case">yes</smbconfoption>, and <smbconfoption
name="case sensitive">no</smbconfoption> in order to maintain capital letters in shortcuts in any of the
profile folders.
</para>

<para>
<indexterm><primary>user.DAT</primary></indexterm>
<indexterm><primary>user.MAN</primary></indexterm>
The <filename>user.DAT</filename> file contains all the user's preferences. If you wish to enforce a set of preferences,
rename their <filename>user.DAT</filename> file to <filename>user.MAN</filename>, and deny them write access to this file.
</para>

<orderedlist>
        <listitem> <para>
        On the Windows 9x/Me machine, go to <guimenu>Control Panel</guimenu> ->
        <guimenuitem>Passwords</guimenuitem> and select the <guilabel>User Profiles</guilabel> tab.
        Select the required level of roaming preferences. Press <guibutton>OK</guibutton>, but do not
        allow the computer to reboot.
        </para> </listitem>

        <listitem> <para>
        On the Windows 9x/Me machine, go to <guimenu>Control Panel</guimenu> ->
        <guimenuitem>Network</guimenuitem> -> <guimenuitem>Client for Microsoft Networks</guimenuitem>
        -> <guilabel>Preferences</guilabel>. Select <guilabel>Log on to NT Domain</guilabel>.   Then,
        ensure that the Primary Logon is <guilabel>Client for Microsoft Networks</guilabel>. Press
        <guibutton>OK</guibutton>, and this time allow the computer to reboot.
        </para> </listitem>
</orderedlist>

<para>
<indexterm><primary>Primary Logon</primary></indexterm>
<indexterm><primary>Client for Novell Networks</primary></indexterm>
<indexterm><primary>Novell</primary></indexterm>
<indexterm><primary>Windows Logon</primary></indexterm>
Under Windows 9x/Me, profiles are downloaded from the Primary Logon. If you have the Primary Logon
as <quote>Client for Novell Networks</quote>, then the profiles and logon script will be downloaded from
your Novell server. If you have the Primary Logon as <quote>Windows Logon</quote>, then the profiles will
be loaded from the local machine &smbmdash; a bit against the concept of roaming profiles, it would seem! 
</para>

<para>
<indexterm><primary>domain logon server</primary></indexterm>
You will now find that the Microsoft Networks Login box contains <constant>[user, password, domain]</constant> instead
of just <constant>[user, password]</constant>. Type in the Samba server's domain name (or any other domain known to exist,
but bear in mind that the user will be authenticated against this domain and profiles downloaded from it
if that domain logon server supports it), user name and user's password. 
</para>

<para>
Once the user has been successfully validated, the Windows 9x/Me machine informs you that
<computeroutput>The user has not logged on before</computeroutput> and asks <computeroutput>Do you
wish to save the user's preferences?</computeroutput> Select <guibutton>Yes</guibutton>.
</para>

<para>
Once the Windows 9x/Me client comes up with the desktop, you should be able to examine the
contents of the directory specified in the <smbconfoption name="logon path"/> on
the Samba server and verify that the <filename>Desktop</filename>, <filename>Start Menu</filename>,
<filename>Programs</filename>, and <filename>Nethood</filename> folders have been created.
</para>

<para>
<indexterm><primary>cached locally</primary></indexterm>
<indexterm><primary>shortcuts</primary></indexterm>
<indexterm><primary>profile directory</primary></indexterm>
These folders will be cached locally on the client and updated when the user logs off (if
you haven't made them read-only by then). You will find that if the user creates further folders or
shortcuts, the client will merge the profile contents downloaded with the contents of the profile
directory already on the local client, taking the newest folders and shortcut from each set.
</para>

<para>
<indexterm><primary>local profile</primary></indexterm>
<indexterm><primary>remote profile</primary></indexterm>
<indexterm><primary>ownership rights</primary></indexterm>
<indexterm><primary>profile directory</primary></indexterm>
If you have made the folders/files read-only on the Samba server, then you will get errors from
the Windows 9x/Me machine on logon and logout as it attempts to merge the local and remote profile.
Basically, if you have any errors reported by the Windows 9x/Me machine, check the UNIX file permissions
and ownership rights on the profile directory contents, on the Samba server.
</para>

<para>
<indexterm><primary>windows registry settings</primary></indexterm>
<indexterm><primary>profile path</primary></indexterm>
<indexterm><primary>user profiles</primary></indexterm>
<indexterm><primary>desktop cache</primary></indexterm>
<indexterm><primary>windows registry settings</primary><secondary>profile path</secondary></indexterm>
If you have problems creating user profiles, you can reset the user's local desktop cache, as shown below.
When this user next logs in, the user will be told that he/she is logging in <quote>for the first
time</quote>.
</para>


<orderedlist>
        <listitem><para>
        Instead of logging in under the [user, password, domain] dialog, press <guibutton>escape</guibutton>.
        </para> </listitem>

        <listitem><para>
        Run the <command>regedit.exe</command> program, and look in:
        </para>

        <para>
        <filename>HKEY_LOCAL_MACHINE\Windows\CurrentVersion\ProfileList</filename>
        </para>

        <para>
        You will find an entry for each user of ProfilePath. Note the contents of this key
        (likely to be <filename>c:\windows\profiles\username</filename>), then delete the key
        <parameter>ProfilePath</parameter> for the required user.
        </para></listitem>

        <listitem><para>
        Exit the registry editor.
        </para></listitem>

        <listitem><para>
        Search for the user's .PWL password-caching file in the <filename>c:\windows</filename> directory, and delete it.
        </para></listitem>

        <listitem><para>
        Log off the Windows 9x/Me client.
        </para></listitem>

        <listitem><para>
        Check the contents of the profile path (see <smbconfoption name="logon path"/>
        described above) and delete the <filename>user.DAT</filename> or <filename>user.MAN</filename>
        file for the user, making a backup if required. 
        </para></listitem>
</orderedlist>

<warning><para>
<indexterm><primary>ProfilePath</primary></indexterm>
Before deleting the contents of the directory listed in the <parameter>ProfilePath</parameter>
(this is likely to be <filename>c:\windows\profiles\username)</filename>, ask whether the owner has
any important files stored on his or her desktop or start menu. Delete the contents of the
directory <parameter>ProfilePath</parameter> (making a backup if any of the files are needed).
</para>

<para>
This will have the effect of removing the local (read-only hidden system file) <filename>user.DAT</filename>
in their profile directory, as well as the local <quote>desktop,</quote> <quote>nethood,</quote>
<quote>start menu,</quote> and <quote>programs</quote> folders.
</para></warning>

<para>
<indexterm><primary>log level</primary></indexterm>
<indexterm><primary>packet sniffer</primary></indexterm>
<indexterm><primary>ethereal</primary></indexterm>
<indexterm><primary>netmon.exe</primary></indexterm>
If all else fails, increase Samba's debug log levels to between 3 and 10, and/or run a packet
sniffer program such as ethereal or <command>netmon.exe</command>, and look for error messages.
</para>

<para>
<indexterm><primary>roaming profiles</primary></indexterm>
<indexterm><primary>packet trace</primary></indexterm>
If you have access to an Windows NT4/200x server, then first set up roaming profiles and/or
netlogons on the Windows NT4/200x server. Make a packet trace, or examine the example packet traces
provided with Windows NT4/200x server, and see what the differences are with the equivalent Samba trace.
</para>

</sect3>

<sect3>
<title>Windows NT4 Workstation</title>

<para>
When a user first logs in to a Windows NT workstation, the profile NTuser.DAT is created. The profile
location can be now specified through the <smbconfoption name="logon path"/> parameter.
</para>

<para>
There is a parameter that is now available for use with NT Profiles: <smbconfoption name="logon drive"/>. 
This should be set to <filename>H:</filename> or any other drive, and should be used in conjunction with
the new <smbconfoption name="logon home"/> parameter.
</para>

<para>
<indexterm><primary>.PDS extension</primary></indexterm>
<indexterm><primary>profile path</primary></indexterm>
The entry for the NT4 profile is a directory, not a file. The NT help on profiles mentions that a
directory is also created with a .PDS extension. The user, while logging in, must have write permission
to create the full profile path (and the folder with the .PDS extension for those situations where it
might be created). 
</para>

<para>
<indexterm><primary>NTuser.DAT</primary></indexterm>
In the profile directory, Windows NT4 creates more folders than Windows 9x/Me. It creates
<filename>Application Data</filename> and others, as well as <filename>Desktop</filename>,
<filename>Nethood</filename>, <filename>Start Menu,</filename> and <filename>Programs</filename>.
The profile itself is stored in a file <filename>NTuser.DAT</filename>. Nothing appears to be stored
in the .PDS directory, and its purpose is currently unknown.
</para>

<para>
<indexterm><primary>NTuser.DAT</primary></indexterm>
<indexterm><primary>NTuser.MAN</primary></indexterm>
You can use the <application>System Control Panel</application> to copy a local profile onto
a Samba server (see NT help on profiles; it is also capable of firing up the correct location in the
<application>System Control Panel</application> for you). The NT help file also mentions that renaming
<filename>NTuser.DAT</filename> to <filename>NTuser.MAN</filename> turns a profile into a mandatory one.
</para>

<para>
The case of the profile is significant. The file must be called <filename>NTuser.DAT</filename>
or, for a mandatory profile, <filename>NTuser.MAN</filename>.
</para>

</sect3>

<sect3>
<title>Windows 2000/XP Professional</title>

<para>
You must first convert the profile from a local profile to a domain profile on the MS Windows
workstation as follows: </para>

<procedure>
        <step><para> Log on as the <emphasis>local</emphasis> workstation administrator. </para></step>

        <step><para> Right-click on the <guiicon>My Computer</guiicon> icon, and select
        <guimenuitem>Properties</guimenuitem>.</para></step>

        <step><para> Click on the <guilabel>User Profiles</guilabel> tab.</para></step>

        <step><para> Select the profile you wish to convert (click it once).</para></step>

        <step><para> Click on the <guibutton>Copy To</guibutton> button.</para></step>

        <step><para> In the <guilabel>Permitted to use</guilabel> box, click on the
        <guibutton>Change</guibutton> button. </para></step>

        <step><para> Click on the <guilabel>Look in</guilabel> area that lists the machine name. When you click here, it will
        open up a selection box. Click on the domain to which the profile must be accessible. </para>

        <note><para>You will need to log on if a logon box opens up. 
        For example, connect as <replaceable>DOMAIN</replaceable>\root, password:
        <replaceable>mypassword</replaceable>.</para></note> </step>

        <step><para> To make the profile capable of being used by anyone, select <quote>Everyone</quote>. </para></step>

        <step><para> Click on <guibutton>OK</guibutton> and the Selection box will close. </para></step>

        <step><para> Now click on <guibutton>OK</guibutton> to create the profile in the path
        you nominated.  </para></step>
</procedure>

<para>
Done. You now have a profile that can be edited using the Samba <command>profiles</command> tool.
</para>

<note><para>
Under Windows NT/200x, the use of mandatory profiles forces the use of MS Exchange storage of mail
data and keeps it out of the desktop profile. That keeps desktop profiles from becoming unusable.
</para></note>

<sect4>
<title>Windows XP Service Pack 1</title>
        <para>
        There is a security check new to Windows XP (or maybe only Windows XP service pack 1).
        It can be disabled via a group policy in the Active Directory. The policy is called:
<screen>
Computer Configuration\Administrative Templates\System\User Profiles\
          Do not check for user ownership of Roaming Profile Folders
</screen>
        </para>

        <para>
        This should be set to <constant>Enabled</constant>.
        </para>

        <para>
        Does the new version of Samba have an Active Directory analogue?  If so, then you may be able to set the policy through this.
        </para>

        <para>If you cannot set group policies in Samba, then you may be able to set the policy locally on
        each machine. If you want to try this, then do the following:
        </para>


<procedure>
        <step><para>On the XP workstation, log in with an administrative account.</para></step>

        <step><para>Click on <guimenu>Start</guimenu> -> <guimenuitem>Run</guimenuitem>.</para></step>
        <step><para>Type <command>mmc</command>.</para></step>
        <step><para>Click on <guibutton>OK</guibutton>.</para></step>
        <step><para>A Microsoft Management Console should appear.</para></step>
        <step><para>Click on <guimenu>File</guimenu> -> <guimenuitem>Add/Remove Snap-in</guimenuitem> -> <guimenuitem>Add</guimenuitem>.</para></step> 
        <step><para>Double-click on <guiicon>Group Policy</guiicon>.</para></step> 
        <step><para>Click on <guibutton>Finish</guibutton> -> <guibutton>Close</guibutton>.</para></step> 
        <step><para>Click on <guibutton>OK</guibutton>.</para></step>
        <step><para>In the <quote>Console Root</quote> window expand <guiicon>Local Computer Policy</guiicon> ->
                <guiicon>Computer Configuration</guiicon> -> <guiicon>Administrative Templates</guiicon> -> 
                <guiicon>System</guiicon> -> <guiicon>User Profiles</guiicon>.</para></step>
        <step><para>Double-click on <guilabel>Do not check for user ownership of Roaming Profile Folders</guilabel>.</para></step>
        <step><para>Select <guilabel>Enabled</guilabel>.</para></step>
        <step><para>Click on <guibutton>OK</guibutton>.</para></step>
        <step><para>Close the whole console. You do not need to save the settings (this refers to the
        console settings rather than the policies you have changed).</para></step>
        <step><para>Reboot.</para></step>
</procedure>
</sect4>
</sect3>
</sect2>

<sect2>
<title>User Profile Hive Cleanup Service</title>

<para>
There are certain situations that cause a cached local copy of roaming profile not to be deleted on exit, even if
the policy to force such deletion is set. To deal with that situation, a special service was created. The application 
<command>UPHClean</command> (User Profile Hive Cleanup) can be installed as a service on Windows NT4/2000/XP Professional
and Windows 2003.
</para>

<para>
The UPHClean software package can be downloaded from the User Profile Hive Cleanup
Service<footnote><para>http://www.microsoft.com/downloads/details.aspx?FamilyID=1B286E6D-8912-4E18-B570-42470E2F3582&amp;displaylang=en</para></footnote>
web site.
</para>

</sect2>

<sect2>
<title>Sharing Profiles between Windows 9x/Me and NT4/200x/XP Workstations</title>

<para>
<indexterm><primary>profile sharing</primary></indexterm>
<indexterm><primary>profile contents</primary></indexterm>
Sharing of desktop profiles between Windows versions is not recommended. Desktop profiles are an
evolving phenomenon, and profiles for later versions of MS Windows clients add features that may interfere
with earlier versions of MS Windows clients. Probably the more salient reason to not mix profiles is
that when logging off an earlier version of MS Windows, the older format of profile contents may overwrite
information that belongs to the newer version, resulting in loss of profile information content when that
user logs on again with the newer version of MS Windows.
</para>

<para>
If you then want to share the same Start Menu and Desktop with Windows 9x/Me, you must specify a common
location for the profiles. The &smb.conf; parameters that need to be common are 
<smbconfoption name="logon path"/> and <smbconfoption name="logon home"/>.
</para>

<para>
<indexterm><primary>user.DAT</primary></indexterm>
<indexterm><primary>NTuser.DAT</primary></indexterm>
If you have this set up correctly, you will find separate <filename>user.DAT</filename> and
<filename>NTuser.DAT</filename> files in the same profile directory.
</para>

</sect2>

<sect2>
<title>Profile Migration from Windows NT4/200x Server to Samba</title>

<para>
<indexterm><primary>encrypted passwords</primary></indexterm>
There is nothing to stop you from specifying any path that you like for the location of users' profiles.
Therefore, you could specify that the profile be stored on a Samba server or any other SMB server,
as long as that SMB server supports encrypted passwords.
</para>

<sect3 id="profilemigrn">
<title>Windows NT4 Profile Management Tools</title>

<para>
<indexterm><primary>resource kit</primary></indexterm>
Unfortunately, the resource kit information is specific to the version of MS Windows NT4/200x. The
correct resource kit is required for each platform.
</para>

<para>Here is a quick guide:</para>

<procedure>
<title>Profile Migration Procedure</title>

        <step><para> On your NT4 domain controller, right-click on <guiicon>My Computer</guiicon>, then select 
        <guilabel>Properties</guilabel>, then the tab labeled <guilabel>User Profiles</guilabel>. </para></step>

        <step><para> Select a user profile you want to migrate and click on it. </para>

        <note><para>I am using the term <quote>migrate</quote> loosely. You can copy a profile to create a group
        profile. You can give the user <parameter>Everyone</parameter> rights to the profile you copy this to. That
        is what you need to do, since your Samba domain is not a member of a trust relationship with your NT4
        PDC.</para></note></step>

        <step><para>Click on the <guibutton>Copy To</guibutton> button.</para></step>

        <step><para>In the box labeled <guilabel>Copy Profile to</guilabel> add your new path, such as,
        <filename>c:\temp\foobar</filename></para></step>

        <step><para>Click on <guibutton>Change</guibutton> in the <guilabel>Permitted to use</guilabel> box.</para></step>

        <step><para>Click on the group <quote>Everyone</quote>, click on <guibutton>OK</guibutton>. This
        closes the <quote>choose user</quote> box.</para></step>

        <step><para>Now click on <guibutton>OK</guibutton>.</para></step>
</procedure>

<para>
Follow these steps for every profile you need to migrate.
</para>

</sect3>

<sect3>
<title>Side Bar Notes</title>


<para>
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>net</primary><secondary>rpc</secondary><tertiary>info</tertiary></indexterm>
You should obtain the SID of your NT4 domain. You can use the <command>net rpc info</command> to do this.
See <link linkend="NetCommand">The Net Command Chapter</link>, <link linkend="netmisc1">Other Miscellaneous Operations</link> for more information.
</para>

</sect3>

<sect3>
<title>moveuser.exe</title>

<para>
<indexterm><primary>moveuser.exe</primary></indexterm>
The Windows 200x professional resource kit has <command>moveuser.exe</command>.
<command>moveuser.exe</command> changes the security of a profile from one user to another. This allows the
account domain to change and/or the username to change.
</para>

<para>
This command is like the Samba <command>profiles</command> tool.
</para>

</sect3>

<sect3>
<title>Get SID</title>

<para>
<indexterm><primary>SID</primary></indexterm>
<indexterm><primary>GetSID.exe</primary></indexterm>
You can identify the SID by using <command>GetSID.exe</command> from the Windows NT Server 4.0 Resource Kit.
</para>

<para>
Windows NT 4.0 stores the local profile information in the registry under the following key:
<filename>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList</filename>
</para>

<para>
Under the ProfileList key, there will be subkeys named with the SIDs of the users who have logged
on to this computer. (To find the profile information for the user whose locally cached profile you want
to move, find the SID for the user with the <command>GetSID.exe</command> utility.) Inside the appropriate user's subkey,
you will see a string value named <parameter>ProfileImagePath</parameter>.
</para>

</sect3>
</sect2>
</sect1>

<sect1>
<title>Mandatory Profiles</title>

<para>
<indexterm><primary>mandatory profiles</primary></indexterm>
A mandatory profile is a profile that the user does not have the ability to overwrite. During the
user's session, it may be possible to change the desktop environment; however, as the user logs out, all changes
made will be lost. If it is desired to not allow the user any ability to change the desktop environment,
then this must be done through policy settings. See <link linkend="PolicyMgmt">System and Account
Policies</link>.
</para>

<note><para> 
<indexterm><primary>fake-permissions module</primary></indexterm>
<indexterm><primary>VFS module</primary></indexterm>
<indexterm><primary>fake_perms</primary></indexterm>
Under NO circumstances should the profile directory (or its contents) be made read-only because this may
render the profile unusable.  Where it is essential to make a profile read-only within the UNIX file system,
this can be done, but then you absolutely must use the <command>fake-permissions</command> VFS module to
instruct MS Windows NT/200x/XP clients that the Profile has write permission for the user.  See <link
linkend="fakeperms">fake_perms VFS module</link>.
</para></note>

<para>
<indexterm><primary>NTUser.MAN</primary></indexterm>
<indexterm><primary>NTUser.DAT</primary></indexterm>
For MS Windows NT4/200x/XP, the procedure shown in <link linkend="profilemigrn">Profile Migration from Windows
NT4/200x Server to Samba</link> can also be used to create mandatory profiles. To convert a group profile into
a mandatory profile, simply locate the <filename>NTUser.DAT</filename> file in the copied profile and rename
it to <filename>NTUser.MAN</filename>.
</para>

<para>
<indexterm><primary>User.MAN</primary></indexterm>
For MS Windows 9x/Me, it is the <filename>User.DAT</filename> file that must be renamed to
<filename>User.MAN</filename> to effect a mandatory profile.
</para>

</sect1>

<sect1>
<title>Creating and Managing Group Profiles</title>

<para>
<indexterm><primary>group profiles</primary></indexterm>
<indexterm><primary>template</primary></indexterm>
<indexterm><primary>profile migration tool</primary></indexterm>
<indexterm><primary>profile access rights</primary></indexterm>
Most organizations are arranged into departments. There is a nice benefit in this fact, since usually
most users in a department require the same desktop applications and the same desktop layout. MS
Windows NT4/200x/XP will allow the use of group profiles. A group profile is a profile that is created
first using a template (example) user. Then using the profile migration tool (see above), the profile is
assigned access rights for the user group that needs to be given access to the group profile.
</para>

<para>
<indexterm><primary>User Manager</primary></indexterm>
The next step is rather important. Instead of assigning a group profile to users (Using User Manager)
on a <quote>per-user</quote> basis, the group itself is assigned the now modified profile.
</para>

<note><para>
Be careful with group profiles. If the user who is a member of a group also has a personal
profile, then the result will be a fusion (merge) of the two.
</para></note>

</sect1>

<sect1>
<title>Default Profile for Windows Users</title>

<para>
<indexterm><primary>default profile</primary></indexterm>
<indexterm><primary>registry keys</primary></indexterm>
MS Windows 9x/Me and NT4/200x/XP will use a default profile for any user for whom a profile
does not already exist. Armed with a knowledge of where the default profile is located on the Windows
workstation, and knowing which registry keys affect the path from which the default profile is created,
it is possible to modify the default profile to one that has been optimized for the site. This has
significant administrative advantages.
</para>

<sect2>
<title>MS Windows 9x/Me</title>

<para>
<indexterm><primary>System Policy Editor</primary></indexterm>
<indexterm><primary>registry</primary></indexterm>
To enable default per-use profiles in Windows 9x/Me, you can either use the <application>Windows
98 System Policy Editor</application> or change the registry directly.
</para>

<para>
To enable default per-user profiles in Windows 9x/Me, launch the <application>System Policy
Editor</application>, then select <guimenu>File</guimenu> -> <guimenuitem>Open Registry</guimenuitem>.
Next click on the <guiicon>Local Computer</guiicon> icon, click on <guilabel>Windows 98 System</guilabel>,
select <guilabel>User Profiles</guilabel>, and click on the enable box. Remember to save the registry
changes.
</para>

<para>
<indexterm><primary>regedit.exe</primary></indexterm>
To modify the registry directly, launch the <application>Registry Editor</application>
(<command>regedit.exe</command>) and select the hive <filename>HKEY_LOCAL_MACHINE\Network\Logon</filename>.
Now add a DWORD type key with the name <quote>User Profiles.</quote> To enable user profiles to set the value
to 1; to disable user profiles set it to 0.
</para>

<sect3>
<title>User Profile Handling with Windows 9x/Me</title>

<para>
When a user logs on to a Windows 9x/Me machine, the local profile path,
<filename>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProfileList</filename>, is checked
for an existing entry for that user.
</para>

<para>
If the user has an entry in this registry location, Windows 9x/Me checks for a locally cached
version of the user profile. Windows 9x/Me also checks the user's home directory (or other specified
directory if the location has been modified) on the server for the user profile. If a profile exists
in both locations, the newer of the two is used. If the user profile exists on the server but does not
exist on the local machine, the profile on the server is downloaded and used. If the user profile only
exists on the local machine, that copy is used.
</para>

<para>
If a user profile is not found in either location, the default user profile from the Windows
9x/Me machine is used and copied to a newly created folder for the logged on user. At log off, any
changes that the user made are written to the user's local profile. If the user has a roaming profile,
the changes are written to the user's profile on the server.
</para>

</sect3>
</sect2>

<sect2>
<title>MS Windows NT4 Workstation</title>

<para>
On MS Windows NT4, the default user profile is obtained from the location
<filename>%SystemRoot%\Profiles</filename>, which in a default installation will translate to
<filename>C:\Windows NT\Profiles</filename>. Under this directory on a clean install, there will be three
directories: <filename>Administrator</filename>, <filename>All
Users,</filename> and <filename>Default
User</filename>.
</para>

<para>
The <filename>All Users</filename> directory contains menu settings that are common across all
system users. The <filename>Default User</filename> directory contains menu entries that are customizable
per user depending on the profile settings chosen/created.
</para>

<para>
When a new user first logs onto an MS Windows NT4 machine, a new profile is created from:
</para>

<itemizedlist>
        <listitem><para>All Users settings.</para></listitem>
        <listitem><para>Default User settings (contains the default <filename>NTUser.DAT</filename> file).</para></listitem>
</itemizedlist>

<para>
<indexterm><primary>NTConfig.POL</primary></indexterm>
When a user logs on to an MS Windows NT4 machine that is a member of a Microsoft security domain,
the following steps are followed for profile handling: 
</para>

<procedure>
        <step> <para> The user's account information that is obtained during the logon process
        contains the location of the user's desktop profile. The profile path may be local to
        the machine or it may be located on a network share. If there exists a profile at the
        location of the path from the user account, then this profile is copied to the location
        <filename>%SystemRoot%\Profiles\%USERNAME%</filename>. This profile then inherits the settings
        in the <filename>All Users</filename> profile in the <filename>%SystemRoot%\Profiles</filename>
        location. </para> </step>

        <step> <para> If the user account has a profile path, but at its location a profile does not
        exist, then a new profile is created in the <filename>%SystemRoot%\Profiles\%USERNAME%</filename>
        directory from reading the <filename>Default User</filename> profile. </para> </step>

        <step> <para>
<indexterm><primary>NTConfig.POL</primary></indexterm>
<indexterm><primary>NETLOGON</primary></indexterm>
<indexterm><primary>authenticating server</primary></indexterm>
<indexterm><primary>logon server</primary></indexterm>
<indexterm><primary>HKEY_CURRENT_USER</primary></indexterm>
        If the NETLOGON share on the authenticating server (logon server) contains
        a policy file (<filename>NTConfig.POL</filename>), then its contents are applied to the
        <filename>NTUser.DAT</filename>, which is applied to the <filename>HKEY_CURRENT_USER</filename>
        part of the registry. 
        </para> </step>

        <step> <para> When the user logs out, if the profile is set to be a roaming profile, it will be
        written out to the location of the profile. The <filename>NTuser.DAT</filename> file is then
        re-created from the contents of the <filename>HKEY_CURRENT_USER</filename> contents. Thus,
        should there not exist in the NETLOGON share an <filename>NTConfig.POL</filename> at the next
        logon, the effect of the previous <filename>NTConfig.POL</filename> will still be held in the
        profile. The effect of this is known as tattooing.
        </para> </step>
</procedure>

<para>
MS Windows NT4 profiles may be <emphasis>local</emphasis> or <emphasis>roaming</emphasis>. A local
profile is stored in the <filename>%SystemRoot%\Profiles\%USERNAME%</filename> location. A roaming
profile will also remain stored in the same way, unless the following registry key is created:
<screen>
HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
winlogon\"DeleteRoamingCache"=dword:0000000
</screen>
In this case, the local copy (in <filename>%SystemRoot%\Profiles\%USERNAME%</filename>) will be deleted
on logout.
</para>

<para>
<indexterm><primary>regedt32</primary></indexterm>
Under MS Windows NT4, default locations for common resources like <filename>My Documents</filename>
may be redirected to a network share by modifying the following registry keys. These changes may be
made via use of the System Policy Editor. To do so may require that you create your own template
extension for the Policy Editor to allow this to be done through the GUI. Another way to do this is by
first creating a default user profile, then while logged in as that user, running <command>regedt32</command> to edit
the key settings.
</para>

<para>
The Registry Hive key that affects the behavior of folders that are part of the default user
profile are controlled by entries on Windows NT4 is:
<screen>
HKEY_CURRENT_USER
        \Software
                \Microsoft
                        \Windows
                                \CurrentVersion
                                        \Explorer
                                                \User Shell Folders
</screen>
<indexterm><primary>windows registry settings</primary><secondary>default profile locations</secondary></indexterm>
</para>

<para>  The above hive key contains a list of automatically managed
folders. The default entries are shown in <link linkend="ProfileLocs">the next table</link>.
</para>

<table frame="all" id="ProfileLocs">
        <title>User Shell Folder Registry Keys Default Values</title>
        <tgroup cols="2">
                <colspec align="left"/>
                <colspec align="left"/>
        <thead>
                <row><entry>Name</entry><entry>Default Value</entry></row>
        </thead>
        <tbody>
                <row><entry>AppData</entry><entry>%USERPROFILE%\Application Data</entry></row>
                <row><entry>Desktop</entry><entry>%USERPROFILE%\Desktop</entry></row>
                <row><entry>Favorites</entry><entry>%USERPROFILE%\Favorites</entry></row>
                <row><entry>NetHood</entry><entry>%USERPROFILE%\NetHood</entry></row>
                <row><entry>PrintHood</entry><entry>%USERPROFILE%\PrintHood</entry></row>
                <row><entry>Programs</entry><entry>%USERPROFILE%\Start Menu\Programs</entry></row>
                <row><entry>Recent</entry><entry>%USERPROFILE%\Recent</entry></row>
                <row><entry>SendTo</entry><entry>%USERPROFILE%\SendTo</entry></row>
                <row><entry>Start Menu </entry><entry>%USERPROFILE%\Start Menu</entry></row>
                <row><entry>Startup</entry><entry>%USERPROFILE%\Start Menu\Programs\Startup</entry></row>
        </tbody>
        </tgroup>
</table>

<para> The registry key that contains the location of the default profile settings is:
<screen>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
User Shell Folders
</screen>
</para>

<para>
The default entries are shown in <link linkend="regkeys">Defaults of Profile Settings Registry Keys</link>.
</para>

<table frame="all" id="regkeys">
        <title>Defaults of Profile Settings Registry Keys</title>
        <tgroup cols="2">
                <colspec align="left"/>
                <colspec align="left"/>
        <tbody>
                <row><entry>Common Desktop</entry><entry>%SystemRoot%\Profiles\All Users\Desktop</entry></row>
                <row><entry>Common Programs</entry><entry>%SystemRoot%\Profiles\All Users\Programs</entry></row>
                <row><entry>Common Start Menu</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu</entry></row>
                <row><entry>Common Startup</entry><entry>%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup</entry></row>
        </tbody>
        </tgroup>
</table>

</sect2>

<sect2>
<title>MS Windows 200x/XP</title>

<note><para>
<indexterm><primary>GPOs</primary></indexterm>
<indexterm><primary>Windows XP Home Edition</primary></indexterm>
<indexterm><primary>ADS</primary></indexterm>
<indexterm><primary>domain security</primary></indexterm>
MS Windows XP Home Edition does use default per-user profiles, but cannot participate
in domain security, cannot log onto an NT/ADS-style domain, and thus can obtain the profile only
from itself. While there are benefits in doing this, the beauty of those MS Windows clients that
can participate in domain logon processes is that they allow the administrator to create a global default
profile and enforce it through the use of Group Policy Objects (GPOs).
</para></note>

<para>
<indexterm><primary>Default User</primary></indexterm>
When a new user first logs onto an MS Windows 200x/XP machine, the default profile is obtained from
<filename>C:\Documents and Settings\Default User</filename>. The administrator can modify or change the
contents of this location, and MS Windows 200x/XP will gladly use it. This is far from the optimum arrangement,
since it will involve copying a new default profile to every MS Windows 200x/XP client workstation.
</para>

<para>
<indexterm><primary>NETLOGON</primary></indexterm>
When MS Windows 200x/XP participates in a domain security context, and if the default user profile is not
found, then the client will search for a default profile in the NETLOGON share of the authenticating server.
In MS Windows parlance, it is <filename>%LOGONSERVER%\NETLOGON\Default User,</filename>
and if one exists there, it will copy this to the workstation in the <filename>C:\Documents and
Settings\</filename> under the Windows login name of the use.
</para>

<note> <para> This path translates, in Samba parlance, to the &smb.conf;
<smbconfsection name="[NETLOGON]"/> share. The directory should be created at the root
of this share and must be called <filename>Default User</filename>.
</para> </note>

<para> If a default profile does not exist in this location, then MS Windows 200x/XP will use the local
default profile. </para>

<para> On logging out, the user's desktop profile is stored to the location specified in the registry
settings that pertain to the user. If no specific policies have been created or passed to the client
during the login process (as Samba does automatically), then the user's profile is written to the
local machine only under the path <filename>C:\Documents and Settings\%USERNAME%</filename>. </para>

<para> Those wishing to modify the default behavior can do so through these three methods: </para>

<itemizedlist>
        <listitem> <para> Modify the registry keys on the local machine manually and place the new
        default profile in the NETLOGON share root. This is not recommended because it is maintenance intensive.
        </para> </listitem>

        <listitem> <para> Create an NT4-style NTConfig.POL file that specifies this behavior and locate
        this file in the root of the NETLOGON share along with the new default profile. </para> </listitem>

        <listitem> <para> Create a GPO that enforces this through Active Directory, and place the new
        default profile in the NETLOGON share.  </para> </listitem>
</itemizedlist>

<para>The registry hive key that affects the behavior of folders that are part of the default user
profile are controlled by entries on Windows 200x/XP is: </para>

<para> <filename>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders\</filename> </para>

<para>
This hive key contains a list of automatically managed folders. The default entries are shown
in <link linkend="defregpthkeys">the next table</link>
<indexterm><primary>windows registry settings</primary><secondary>default profile locations</secondary></indexterm>
</para>


<table frame="all" id="defregpthkeys">
        <title>Defaults of Default User Profile Paths Registry Keys</title>
        <tgroup cols="2">
                <colspec align="left"/>
                <colspec align="left"/>
        <thead>
                <row><entry>Name</entry><entry>Default Value</entry></row>
        </thead>
        <tbody>
                <row><entry>AppData</entry><entry>%USERPROFILE%\Application Data</entry></row>
                <row><entry>Cache</entry><entry>%USERPROFILE%\Local Settings\Temporary Internet Files</entry></row>
                <row><entry>Cookies</entry><entry>%USERPROFILE%\Cookies</entry></row>
                <row><entry>Desktop</entry><entry>%USERPROFILE%\Desktop</entry></row>
                <row><entry>Favorites</entry><entry>%USERPROFILE%\Favorites</entry></row>
                <row><entry>History</entry><entry>%USERPROFILE%\Local Settings\History</entry></row>
                <row><entry>Local AppData</entry><entry>%USERPROFILE%\Local Settings\Application Data</entry></row>
                <row><entry>Local Settings</entry><entry>%USERPROFILE%\Local Settings</entry></row>
                <row><entry>My Pictures</entry><entry>%USERPROFILE%\My Documents\My Pictures</entry></row>
                <row><entry>NetHood</entry><entry>%USERPROFILE%\NetHood</entry></row>
                <row><entry>Personal</entry><entry>%USERPROFILE%\My Documents</entry></row>
                <row><entry>PrintHood</entry><entry>%USERPROFILE%\PrintHood</entry></row>
                <row><entry>Programs</entry><entry>%USERPROFILE%\Start Menu\Programs</entry></row>
                <row><entry>Recent</entry><entry>%USERPROFILE%\Recent</entry></row>
                <row><entry>SendTo</entry><entry>%USERPROFILE%\SendTo</entry></row>
                <row><entry>Start Menu</entry><entry>%USERPROFILE%\Start Menu</entry></row>
                <row><entry>Startup</entry><entry>%USERPROFILE%\Start Menu\Programs\Startup</entry></row>
                <row><entry>Templates</entry><entry>%USERPROFILE%\Templates</entry></row>
        </tbody>
        </tgroup>
</table>

<para> There is also an entry called <quote>Default</quote> that has no value set. The default entry is
of type <constant>REG_SZ</constant>; all the others are of type <constant>REG_EXPAND_SZ</constant>. </para>

<para> It makes a huge difference to the speed of handling roaming user profiles if all the folders are
stored on a dedicated location on a network server. This means that it will not be necessary to write
the Outlook PST file over the network for every login and logout. </para>

<para>
To set this to a network location, you could use the following examples:
<screen>
%LOGONSERVER%\%USERNAME%\Default Folders
</screen>
This stores the folders in the user's home directory under a directory called <filename>Default
Folders</filename>. You could also use:
<screen>
\\<replaceable>SambaServer</replaceable>\<replaceable>FolderShare</replaceable>\%USERNAME%
</screen>
</para>

<para>
in which case the default folders are stored in the server named <replaceable>SambaServer</replaceable>
in the share called <replaceable>FolderShare</replaceable> under a directory that has the name of the
MS Windows user as seen by the Linux/UNIX file system.  </para>

<para> Please note that once you have created a default profile share, you <emphasis>must</emphasis> migrate a user's profile
(default or custom) to it. </para>

<para> MS Windows 200x/XP profiles may be <emphasis>local</emphasis> or <emphasis>roaming</emphasis>.
        A roaming profile is cached locally unless the following registry key is created: 

<indexterm><primary>delete roaming profiles</primary></indexterm>
</para>


<para> <programlisting> HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\
        winlogon\"DeleteRoamingCache"=dword:00000001</programlisting></para>

<para>
In this case, the local cache copy is deleted on logout.
</para> 
</sect2> 
</sect1>

<sect1> <title>Common Errors</title>

<para>
The following are some typical errors, problems, and questions that have been asked on the Samba mailing lists.
</para>

<sect2>
<title>Configuring Roaming Profiles for a Few Users or Groups</title>

<para>
With Samba-2.2.x, the choice you have is to enable or disable roaming profiles support. It is a
global-only setting. The default is to have roaming profiles, and the default path will locate them in
the user's home directory.
</para>

<para>
If disabled globally, then no one will have roaming profile ability. If enabled and you want it
to apply only to certain machines, then on those machines on which roaming profile support is not wanted,
it is necessary to disable roaming profile handling in the registry of each such machine.
</para>

<para>
With Samba-3, you can have a global profile setting in &smb.conf;, and you can override this by
per-user settings using the Domain User Manager (as with MS Windows NT4/200x). </para>

<para> In any case, you can configure only one profile per user. That profile can be either: </para>

<itemizedlist>
        <listitem><para>A profile unique to that user.</para></listitem>
        <listitem><para>A mandatory profile (one the user cannot change).</para></listitem>
        <listitem><para>A group profile (really should be mandatory &smbmdash; that is, unchangable).</para></listitem>
</itemizedlist>

</sect2>

<sect2> <title>Cannot Use Roaming Profiles</title>

<para> A user requested the following: <quote> I do not want roaming profiles to be implemented. I want
to give users a local profile alone. I am totally lost with this error. For the past
two days I tried everything, I googled around but found no useful pointers. Please help me. </quote></para>

<para> The choices are: </para>

<variablelist>
        <varlistentry>
                <term>Local profiles</term> <listitem><para> I know of no registry keys that will allow
                autodeletion of LOCAL profiles on log out.</para></listitem>
        </varlistentry>

        <varlistentry>
                <term>Roaming profiles</term> <listitem><para> As a user logs onto the network, a centrally
                stored profile is copied to the workstation to form a local profile. This local profile
                will persist (remain on the workstation disk) unless a registry key is changed that will
                cause this profile to be automatically deleted on logout. </para></listitem>
        </varlistentry>
</variablelist>

<para>The roaming profile choices are: </para>

<variablelist>
        <varlistentry>
                <term>Personal roaming profiles</term> <listitem><para> These are typically stored in
                a profile share on a central (or conveniently located local) server. </para>

                <para> Workstations cache (store) a local copy of the profile. This cached
                copy is used when the profile cannot be downloaded at next logon. </para></listitem>
        </varlistentry>

        <varlistentry>
                <term>Group profiles</term> <listitem><para>These are loaded from a central profile
                server.</para></listitem>
        </varlistentry>

        <varlistentry>
                <term>Mandatory profiles</term> <listitem><para> Mandatory profiles can be created for
                a user as well as for any group that a user is a member of. Mandatory profiles cannot be
                changed by ordinary users. Only the administrator can change or reconfigure a mandatory
                profile. </para></listitem>
        </varlistentry>
</variablelist>

<para> A Windows NT4/200x/XP profile can vary in size from 130KB to very large. Outlook PST files are
most often part of the profile and can be many gigabytes in size. On average (in a well controlled environment),
roaming profile size of 2MB is a good rule of thumb to use for planning purposes. In an undisciplined
environment, I have seen up to 2GB profiles. Users tend to complain when it takes an hour to log onto a
workstation, but they harvest the fruits of folly (and ignorance). </para>

<para> The point of this discussion is to show that roaming profiles and good controls of how they can be
changed as well as good discipline make for a problem-free site. </para>

<para> Microsoft's answer to the PST problem is to store all email in an MS Exchange Server backend. This
removes the need for a PST file. </para>

<para>Local profiles mean: </para>

<itemizedlist>
        <listitem><para>If each machine is used by many users, then much local disk storage is needed
        for local profiles.</para></listitem> <listitem><para>Every workstation the user logs into has
        its own profile; these can be very different from machine to machine.</para></listitem>
</itemizedlist>

<para> On the other hand, use of roaming profiles means: </para>

<itemizedlist>
        <listitem><para>The network administrator can control the desktop environment of all users.</para></listitem>
        <listitem><para>Use of mandatory profiles drastically reduces network management overheads.</para></listitem>
        <listitem><para>In the long run, users will experience fewer problems.</para></listitem>
</itemizedlist>

</sect2>

<sect2>
<title>Changing the Default Profile</title>

<para><quote>When the client logs onto the domain controller, it searches
for a profile to download. Where do I put this default profile?</quote></para>

<para>
<indexterm><primary>default profile</primary></indexterm>
First, the Samba server needs to be configured as a domain controller. This can be done by
setting in &smb.conf;: </para>

<smbconfblock>
<smbconfoption name="security">user</smbconfoption>
<smbconfoption name="os level">32 (or more)</smbconfoption>
<smbconfoption name="domain logons">Yes</smbconfoption>
</smbconfblock>

<para> There must be a <smbconfsection name="[netlogon]"/> share that is world readable. It is
a good idea to add a logon script to preset printer and drive connections. There is also a facility
for automatically synchronizing the workstation time clock with that of the logon server (another good
thing to do). </para>

<note><para> To invoke autodeletion of roaming profiles from the local workstation cache (disk storage), use
the <application>Group Policy Editor</application> to create a file called <filename>NTConfig.POL</filename>
with the appropriate entries. This file needs to be located in the <smbconfsection name="netlogon"/>
share root directory.</para></note>

<para> Windows clients need to be members of the domain. Workgroup machines do not use network logons,
so they do not interoperate with domain profiles. </para>

<para> For roaming profiles, add to &smb.conf;: </para>

<smbconfblock>
<smbconfoption name="logon path">\\%N\profiles\%U</smbconfoption>
<smbconfcomment>Default logon drive is Z:</smbconfcomment>
<smbconfoption name="logon drive">H:</smbconfoption>
<smbconfcomment>This requires a PROFILES share that is world writable.</smbconfcomment>
</smbconfblock>

</sect2>

<sect2>
<title>Debugging Roaming Profiles and NT4-style Domain Policies</title>

<para>
Roaming profiles and domain policies are implemented via <command>USERENV.DLL</command>. 
Microsoft Knowledge Base articles <ulink
url="http://support.microsoft.com/default.aspx?scid=kb;en-us;221833">221833</ulink> and 
<ulink url="http://support.microsoft.com/default.aspx?scid=kb;en-us;154120">154120</ulink>
 describe how to instruct that DLL to debug the login process.
</para>

</sect2>
</sect1>
</chapter>