On Sun, 13 Sep 1998, Gerald Carter wrote:

> At 09:16 AM 9/13/98 +1000, Samba-Central wrote:
> >Under NT4 if you want to use a shared profile among a group of users then
> >you have to go through some hoops to make that possible. We need to
> >understand this, else we will see the types of problems some on this list
> >have complained about.
> The way I understand this, the problem remains in the profile ACL 
> which requires a matching for names to SID (lsaLookupNames).

Gents, the determining ACL is not on the users' profile directory, it
appears to be something set inside the NTUser.DAT file itself.

In one of my NT Server courses I took a user profile and copied it off the
NT workstation to the profile share, then I took ownership of the user
profile from the point \\server\profiles\myuser as administrator, then I
set the ACL to Everyone (Full Control). Surprise, the user whom I
configured to use this new profile could not use it.

The procedure I outlined in my previous message does work. This strongly
(to me anyhow) suggests that the information NT uses is inside the
NTUser.dat file.

The NTUser.DAT file contains a distillation of System registry entries and
NTConfig.POL determinants. One thing that really got one of my delegates
was that they had an NT Workstation that had totally restrictive registry
settings. After logging onto that machine he could no longer access half
the stuff on his own workstation. In other words, once a restriction has
been set in the users' NTUser.DAT file it never gets released again. This
is one of the most awful attributes of the NT profile system.

Condensing this:

1) We ought NOT to create a file called "User_Name" but instead a
directory by that name as the top point of the share.

2) We need to come to terms with the contents of the NTUser.DAT file.

John H Terpstra

