Profiles, roaming and roving profiles (longish)

Michael Breuer mbreuer at
Thu Jan 11 18:56:32 GMT 2001

Some observations about profiles... from painful experience.

On W2K (perhaps NT4 as well), the nature of "local" and "roaming" differ slightly depending on whether the computer is part of a
domain or workgroup, and seem to depend on proper security settings to function.

FYI: These observations were made on W2K Professional... they probably apply to NT, but I can't say for sure.

    Local is the locally cached user profile, whether or not roaming is set.
    Roaming is a reference to a user's profile to be loaded at login, and saved at logout.  The profile is cached at login to the
"local" location.  On W2K, that is by default c:\Documents and Settings\<username>[.<local machine name>[.<seq>]].  The "roaming"
location is specified in the "profile" section of the user account info, and can be a directory on the local machine.  In order to
function correctly, the roaming directory must provide the user "full control."  By default, the roaming profile is owned by the
user (problematic if copied by an administrator, but can be repaired on NT using "subinacl.exe"), with "Creator/Owner" having full
control of subdirectories & files only.  Additionally, and extremely important, the 'ntuser.dat' registry hive MUST have internal
permissions for the user set to "full control" and also the user should be the owner of the registry.  This can be done using
regedt32->load hive & security options.

When the default location for the profile is used, W2K will assume that the directory is a local profile for the user (cache or
otherwise) if the above noted permissions are set.  If they're not set, W2K creates the ...<username>.<server> profile.  If that too
exists, then a new profile is created with a sequence number extension.

In the event that the roaming profile's permissions are not correct, it is possible to create the local cache, but not be able to
properly access it, or save when logging off. Many weird things can happen when the permissions are not properly set.

If local profiles are not cached, then it seems that a "TEMP" directory is created... although that doesn't seem to me to be


    Most of the domain rules seem similar to workgroup.  The major exception is that all machines accessing the roaming profile MUST
have the same SID for the user across the domain.  A local account with the same name may or may not exist... where things get
screwy is that the local account can reference the same roaming profile.  Most likely with insufficient permissions.  This can
happen if you first log into the W2K box on the domain, and then create a local account with the same username.  The first time you
log in locally, an attempt will be made to use the locally cached profile of the domain login... assuming it was created without the
"domain" suffix.  Conversely, if you first log in locally and then log into the domain, the reverse is true.  Either way, things are
not necessarily good.  As far as I can tell, the best way to deal with this is either turn off local caching (bad for laptops &
dial-up), or make certain that the profile without the suffix is properly permissioned and not accessible at all to the other
logon.  Note, if you're talking about the domain administrator account, this seems rather difficult to accomplish.  Alternatively,
when logged in with a different administrative account, you can create a dummy entry for the user's local profile before the first
login.  Then deny all access to the folder for that user.  To do this for administrator, you have to create a second administrative
account.  I suspect that using the "subinacl.exe" utility this process could be automated.

Note that by expanding permissions, it is possible to share a local and domain (roaming) profile between the two SIDs (both must
have full control of the profile directory and registry contained within).  I can't say this is a good idea, but it does work.

Lastly, the roaming profile can reside on ANY machine to which the account (and machine) have access... including the local
machine.  This "feature" can be used to repair damaged profiles.  Just copy the cached (damaged) profile to some other place on the
machine... I use c:\documents and settings\<user>.old.  Then, fix up the profile... subinacl, regedt32, whatever.  Delete the
locally cached profile, and set the roaming profile to the fixed profile.  A new local profile will be cached (created) from the
repaired version.  You can then reset the roaming profile settings to the PDC (samba server?), or any other place... or you can
change to a local profile.

Armand Welsh wrote:

> there are essentially three types of profiles for NT
> Local, Roaming, & Mandatory
> Microsoft defines them as:
> (see Microsoft KnowledgeBase articles Q161334, Q185587, Q185588, Q185589,
> Q158590, Q185591 - Guide To Windows NT 4.0 Profiles and Policies (Parts
> 1-6) )
> Local Profile
> A local profile is specific to a computer. A user who has a local profile
> on a particular computer can gain access to that profile only while logged
> on to that computer.
> Roaming Profile
> A roaming profile is stored on a network share and can be accessed from
> any computer. A user who has a roaming profile can log on to any computer
> for which that profile is valid and access the profile. (Note that a
> profile is only valid on the platform for which it was created - for
> example, a Windows NT 4.0 profile cannot be used on a Windows 95
> computer.)
> Mandatory Profile
> A mandatory profile is a preconfigured roaming profile that the user
> cannot change. In most cases, these are assigned to a person or a group of
> people for whom a common interface and standard configuration is required.
> A Roving profile doesn't exist.  So I can't tell you what samba defines it
> as.
> ----- Original Message -----
> From: <ctrlsoft at>
> To: <samba-ntdom at>
> Sent: Tuesday, January 09, 2001 4:19 AM
> Subject: Profiles, roaming and roving profiles
> >
> > Hi,
> >
> > I have been reading the samba site and the docs. Everything
> > works fine here, except I get the message 'Couldn't load
> > your profile' when trying to log in.
> >
> > What is the difference between 'profiles','roaming
> > profiles' and 'roving profiles' and which are supported by
> > samba?
> >
> > Jelmer
> >
> >
> >
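
An added example, not part of the original post or of Samba: a small audit that groups the directories under Documents and Settings by account, following the `<username>[.<local machine name>[.<seq>]]` naming described above, and flags accounts with more than one cached profile. The directory names, the suffix list and the all-digit form of the sequence number are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed listing of C:/Documents and Settings on one workstation.
SAMPLE_DIRS = [
    "Administrator", "Administrator.WKS01", "All Users", "Default User",
    "j.smith", "mbreuer", "mbreuer.SAMBADOM", "mbreuer.SAMBADOM.000",
]
# Assumed names: the local machine and the domain it belongs to.
KNOWN_SUFFIXES = ["WKS01", "SAMBADOM"]


def split_profile_dir(name, known_suffixes):
    """Split '<username>[.<suffix>[.<seq>]]' into (username, suffix, seq).

    Usernames may contain dots, so a component only counts as a suffix
    when it matches a known machine or domain name.
    """
    known = {s.upper() for s in known_suffixes}
    parts = name.split(".")
    suffix = seq = None
    # Sequence number: assumed all-digit, and only valid after a suffix.
    if len(parts) >= 3 and parts[-1].isdigit() and parts[-2].upper() in known:
        seq = int(parts.pop())
    if len(parts) >= 2 and parts[-1].upper() in known:
        suffix = parts.pop().upper()
    return ".".join(parts), suffix, seq


def find_split_profiles(dir_names, known_suffixes):
    """Return {username: [dirs]} for accounts with more than one cached profile."""
    groups = defaultdict(list)
    for name in dir_names:
        user, _suffix, _seq = split_profile_dir(name, known_suffixes)
        groups[user.lower()].append(name)  # Windows names are case-insensitive
    return {u: sorted(d) for u, d in groups.items() if len(d) > 1}


if __name__ == "__main__":
    for user, dirs in find_split_profiles(SAMPLE_DIRS, KNOWN_SUFFIXES).items():
        print(f"{user}: {len(dirs)} profile directories -> {dirs}")
        print("  check owner and ACL on each directory and on its ntuser.dat")
```

Each flagged account is a candidate for the ownership and "full control" checks the post describes, on both the directory and the ntuser.dat hive inside it.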
