Mandatory Profiles

Dave J. Andruczyk dave at
Thu Oct 8 18:55:10 GMT 1998

> I run a few computer labs with a total of about 120 computers.  I would
> like each computer and thus each user to all use one profile for ease of
> maintanence.  First off, is this the way to do mandatory profiles?  I
> mean, do I point "logon path" and a non variable location?  Also, is it
> okay to have this location be read only?  
> I tried doing this.  I copied an exisiting "Default User" profile to a
> read only samba share, renamed the dat's to man's, and set the logon path
> to point to this share.  However, after doing this, the policies do not
> take affect (however the links get downloaded okay) and I cannot use the
> NT resource kit utility "SETX" to modify the environment in the profile.
> Is there anyone who has mandatory profiles implemented under a samba PDC
> who can help me out.

yep.  I've done it several times..

the MAIN thing you gotta do, is to install policy editor, and create a
"CONFIG.POL" file on your "netlogon" share of your samba PDC.

this file must be edited in windoze, unfortunately with policy editor. 
(you can install it, as its on the win95 cd in \admin\apptools\poledit),
it has to be installed via the control panel (add/remove apps->Windows
Setup->Have Disk sequence).

once you have policy editor opened, you gotta  create a NEW FILE,
(File->New), then add, a "user" who is the same username as your generic
user that you have for your site. (I use "netscape" for all my netscape
only machines).  after you creat this, edit the security settings as far
as you want.  
TIP: it is VERY WISE to set the paths for Custom Folders, to point to the
user's logon drive. 
i.e. I set:

under the "Shell->Custom Folders" for my restricted users:

Custom Program Folder = y:\Start Menu Programs
Custom Desktop Icons  = y:\Desktop
Custom Startup Folder = y:\Startup
Custom Network Neighborhood = y:\NetHood
Custom Start Menu     = y:\Start Menu

and in their logon script:

a net use y: \\pdcserver\profiles

"profiles" is a variable path location on the PDC that is something like
path = /samba/profiles/%U

YOU MUST INITIALLY setup write permission for this dir, so that windoze
can creat the profile, on its own, after that, you gotta fiddle with
windows a bit, (change some settings, so that it will save the person's
profile when they logout), and then the "user.dat" file should appear in
their profile share (/samba/profiles/%U/user.dat).  When you have all
settings the way you want,( including the way a window looks when it
starts, i.e (the shape and position of "my computer", is stored in the
registry, and the users profile), renme the file on the profile share to
"" and it will become a MANDATORY profile, that windowse will use.

Then you can set the permissions to be read only so the user can't modify
their start menu, or even their desktop icons.

If you need more help/pointers.  feel free, as I've done this some many
times..    IT sure beats windows NT, as they hide it all under the gui,
and most of it is a real bitch to find.. (in NT)

Dave J. Andruczyk
Linux Systems Admin
Buffalo State college

More information about the samba-ntdom mailing list