Limit access for users.

Eric Wallace Eric.Wallace at
Thu Nov 1 08:36:21 GMT 2001


What you're looking for are standard features of NT domains. You can't use Samba to create these settings, but if you are using Samba as a domain controller it can enforce these settings for you.

The following are centralized administration techniques for NT domains. This will definitely work for NT Workstation clients, but if you're using Windoze 95/98 as clients, some of this doesn't work at all, and it will not be easy to enforce (sorry, I can't help you much there).

1.) Mandatory Profiles -- Configure a user with the settings you want and log out of that account. Save the user profile to the server's profile share (whatever you specified), but rename the user's registry hive from NTUSER.DAT to NTUSER.MAN. Specify this user profile path in the user's configuration with User Manager for Domains (if you're using an NT Server as the PDC) or in Samba (if Samba is the PDC).

2.) Restricted "Desktop" Folder -- There are several possibilities for this. You can change the NTFS permissions on the default user profile's "Desktop" directory to read-only for the users, or you can use Policy Editor to change the location of the default user's "Desktop" directory to a writeable spot in their roaming profile. (Don't forget to put the NTCONFIG.POL file in your domain controller's NETLOGON share.)

These are just simple explanations--you're going to have to read up on the subject in order to get this to work right. I highly recommend buying a good book on NT administration, or searching the archives at "Windows 2000 Magazine" ( for short articles on these subjects ("mandatory profiles", "Policy Editor", etc.). Email me off the list (eric.wallace at if you'd like more suggestions for reading material.

	~eric w. wallace
	   national semiconductor/maine
	   i.s. infrastructure senior system engineer
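
The two controls described in the message can be checked on the disk of a Samba PDC. The script below is an added example, not part of the original post; it assumes the mandatory profile and the NETLOGON share are ordinary Unix directories whose paths you pass in, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Samba PDC's directories
# for a mandatory profile and a published policy file.
# Assumption: the profile store is owned by an admin account, so only
# group/world write bits are treated as findings.

# has_file DIR NAME: true if DIR holds NAME, matched case-insensitively
# because the hive may be stored as ntuser.man on a Unix filesystem.
has_file() {
    [ -n "$(find "$1" -maxdepth 1 -type f -iname "$2" 2>/dev/null | head -n 1)" ]
}

# writable_entries DIR: print entries that are group- or world-writable.
writable_entries() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# audit_profile PROFILE_DIR NETLOGON_DIR: print findings, return their count.
audit_profile() {
    profile=$1; netlogon=$2; findings=0
    if ! has_file "$profile" 'NTUSER.MAN'; then
        echo "FAIL: no NTUSER.MAN in $profile (profile is not mandatory)"
        findings=$((findings + 1))
    fi
    if has_file "$profile" 'NTUSER.DAT'; then
        echo "FAIL: NTUSER.DAT in $profile (hive was copied, not renamed)"
        findings=$((findings + 1))
    fi
    if [ -n "$(writable_entries "$profile")" ]; then
        echo "FAIL: group/world-writable entries under $profile"
        findings=$((findings + 1))
    fi
    if ! has_file "$netlogon" 'NTCONFIG.POL'; then
        echo "FAIL: no NTCONFIG.POL in $netlogon (policy is not published)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: $profile and $netlogon pass all checks"
    return "$findings"
}

# Stand-alone use: sh audit.sh PROFILE_DIR NETLOGON_DIR
if [ "$#" -eq 2 ]; then
    audit_profile "$1" "$2"
fi
```

The exit status is the number of failed checks, so the script can be run from cron or a deployment check after the profile or policy file is updated.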

More information about the samba-ntdom mailing list