profiles.txt (fwd)

Luke Kenneth Casson Leighton lkcl at switchboard.net
Thu Jul 2 17:44:13 GMT 1998


Johan Thank you very much!!

I have forwarded this to the appropriate people (see above)

---------- Forwarded message ----------
Date: Thu, 02 Jul 1998 10:03:01 +0100
From: Johan Meiring <tntjjmerin at tsnxt.co.uk>
Reply-To: jjm at iname.com
To: lkcl at switchboard.net
Subject: profiles.txt

Hi Luke,

I talked about an updated profiles.txt approximately 2 months ago.

Unfortunately I will not have any time to work on it, as I am going on a
very extended holiday, and will probably not even have access to a PC.

It is nearly complete.

The only issue still to be addressed is the samba instructions for
setting up the roaming profile share.  This is the logon path/logon
home/profile path - global variables.

Unfortunately I do not have access to a samba server at the moment, so I
could not test it.  This was simply written by looking at 'man
smb.conf'.

As far as I remember, a 'profile path' variable was mentioned on the
samba mailing list, but I can't remember.  The important thing is that
for WINNT the profile is stored in "PROFILE PATH" under User Manager for
Domains, and on Win95 under the "HOME DIRECTORY".

I attach the profiles.txt file.  Please use it as you see fit. (Consider
it contributed, I do _not_ wish to retain copyright on it. If you use
it, mention my name, etc.)

Johan Meiring

PS:  If you reply, reply direct as I am no longer on the samba mailing
list.

PPS:  If you need to download the file, it is available from
ftp://users.iafrica.com/p/pc/pcs/profiles.txt

PPPS: Sorry for bugging you with this direct, but I did not want to send
all the text to the samba mailing list.
-------------- next part --------------
Subject:  Roaming user profiles

----------------------------------------------------------------------


Authors:

Johan Meiring <jjm at iname.com>
Copyright (C) 1998 Johan Meiring

This file is based on the original POLICIES.txt by the following
contributors.

Bruce Cook <BC3-AU at bigfoot.com>
Copyright (C) 1998 Bruce Cook

John Terpstra <samba-bugs at samba.anu.edu.au>
Copyright (C) 1998 John H. Terpstra

Wolfgang Ratzka <ratzka at hrz.uni-marburg.de>
Copyright (C) 1998 Wolfgang Ratzka



Created:  11 April, 1998
Modified: 12 May 1998

Version:  0.1

----------------------------------------------------------------------

First a general discussion on roaming profiles for both Windows 95 and NT.
Thereafter, more specifics about the two products.

Windows NT and Windows 95 store all user settings in the registry.  The
registry was designed to have a few main "hives".  The two important ones for
this discussion are the HKEY_LOCAL_MACHINE and the HKEY_CURRENT_USER hives.

The HKEY_LOCAL_MACHINE hive is for settings that will not change when a 
different user logs on, examples are:

a) Which fonts are installed
b) Should the machine display the name of the last user that logged on
c) What hardware is installed
d) Path to executables (Where is MS Word installed?)
e) etc

The HKEY_CURRENT_USER hive is for user-dependent settings.  Examples 
are:

a) What is the background colour of the user's desktop
b) What are the user's POP3, IMAP4 settings for Internet Explorer
c) etc

When a user logs into Win 95 or NT, the idea is that the machine loads the 
HKEY_CURRENT_USER hive for every different user.  A machine default hive 
exists, and if a new user logs in, this is copied for him, and thereafter he 
can modify it as he wants.  When he logs out, it is saved until the same user 
logs in again.

This hive is stored locally on the computer in a file called NTUSER.DAT for 
NT users and USER.DAT for 95 users.

If the user has a "roaming" profile, the file is also copied to a server when 
the user logs off and copied from a server before the user logs on.

MS has also set up a thing called a policy.  This is basically a bunch of 
registry changes that must be applied to any user after he has logged in.  
When any user logs in, then, after the hive has been loaded into the 
registry, the "policy is applied".  This means that any registry settings 
specified in the policy are made on the user's machine.  Some of these changes 
will be to the HKEY_LOCAL_MACHINE hive and some will be to the 
HKEY_CURRENT_USER hive.

These changes sit on the netlogon share in a file for Windows NT called
ntconfig.pol and for 95 config.pol.

It is worth mentioning that a policy need only be applied once to a specific
machine.  After that, the changes will be incorporated into the user's
HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE hives.  The fact that the workstation
still sees these changes does not mean that it can still see the config.pol or
ntconfig.pol file.  Deleting the file will also _NOT_ restore the workstation
to the state before the file got applied.

The Start menu and Desktop are also different for all users.

On Windows NT you have a start menu for each user, and a common start menu.  
These are both displayed, separated by a line, when the user clicks on Start.

On Win 95, this is not possible, so you have two choices:  All users use 
the same start menu, or all users have a different start menu.  If all users 
have a different start menu, a new user gets a copy of a default start menu 
when he logs in the first time, and thereafter he can modify it the way he 
wants.  Note that therefore, if a user is created and after that the default 
start menu is modified, that change will not apply to an already created 
user.

The same applies to the desktop for the users on Windows NT and 95.

If you have Windows 95 OSR2 with IE4, it follows the same 
start menu/all users concept as Windows NT.

It is possible to have both Windows 95 and NT look at the same start menu
for a specific user, because the start menu directory structure under
Windows 95 is essentially a subset of the one under Windows NT.  This is not
recommended by Microsoft though.  The profiles for Windows 95 and NT will
then be stored to the same place. NTUser.DAT will be loaded for NT and
USER.DAT for Windows 95.

The basic steps when a user who does not have a roaming profile logs in 
under Windows NT and 95 are as follows. (The exact differences are discussed
later)

1) The user logs in.
2) The machine checks whether it already knows about the user's profile.  
   These settings are stored in 
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Profilelist 
   under Windows 95 and 
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Profilelist 
   under Windows NT.
3) Under Windows 95 there is a key for each profile that this machine knows 
   about by USERNAME.  Under Windows NT there is a key for each user profile 
   under the user's SID.
4) It then checks this setting for the user and tries to load the user's 
   profile from this specified path.
5) If a key does not exist for the user, a new key is created and a new 
   profile will be created for the user.  The default profile is copied for 
   the user. Under 95 it is %WINDIR%\USER.DAT.  Under NT it is 
   %SYSTEMROOT%\PROFILES\DEFAULT USER\NTUSER.DAT.
6) The profile is loaded for the user into HKEY_CURRENT_USER.

Note that %WINDIR% in step 5 above refers to your Windows 95 installation
directory (normally C:\WINDOWS).  %SYSTEMROOT% refers to the Windows NT
installation directory (normally C:\WINNT).

The basic steps when the user has a roaming profile are very similar:

1) The user logs in.
2) The machine checks whether it already knows about the user's profile.  
   These settings are stored in 
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Profilelist 
   under Windows 95 and 
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Profilelist 
   under Windows NT.
3) Under Windows 95 there is a key for each profile that this machine knows 
   about by USERNAME.  Under Windows NT there is a key for each user profile 
   under the user's SID.
4) It then checks this setting for the user and tries to copy the user's 
   profile from the remote profile to the local drive.
5) If a key does not exist for the user, a new key is created.
6) If a profile exists in the remote location it is copied to the local 
   machine, otherwise a new profile is created locally for the user in the 
   same manner as above.
7) This profile is copied back to the profile server when the user logs off.

The location for the "roaming profile" is specified in "USER MANAGER for 
DOMAINS" on the PDC.

Under Windows NT, the "profile path" is used.  Under 95 the "home directory" 
is used. Note that the "profile path" is ignored under Windows 95.

If you want to create policies as mentioned above, you have to create them 
using the "System policy editor".  For Windows NT you have to load the 
default .ADM files for NT and save the file as ntconfig.pol to the netlogon 
share.  For Windows 95 you _HAVE_ to load Windows 95's .ADM files.  This is 
because of the differences between the Windows 95 and the Windows NT registry.  
For Windows 95 you have to save the file as config.pol to the netlogon share.

There have been rumours and reports that the file name for Windows NT is case
sensitive.  If your workstations do not pick up your policy, I suggest that 
you try one of the following four:  ntconfig.pol  NTconfig.Pol  NTconfig.pol
NTConfig.pol.  Otherwise, make sure that the 'case sensitive' parameter is
set to 'no' for the netlogon share.

The System Policy Editor is installed by default under Windows NT.  Under 95
you can install it using "Control Panel"/"Add Remove software"/"Windows Setup"/
"Have Disk" and then point to CDROM:\admin\apptools\poledit.

The following shows the more detailed steps that happen when a user logs in.

NT and Win 95 handle it in a similar, though in a completely 
different way.


WinNT
=====

All references below to %SYSTEMROOT% means the directory where NT is 
installed (usually C:\WINNT).

NT does not have to be enabled to use "roaming" profiles.  It will do so 
automatically as long as it knows where to store this "roaming" profile.  
This path is supplied to the NT workstation by the PDC and set using 
USER MANAGER FOR DOMAINS / smb.conf.

If the supplied path is blank (i.e. no roaming profiles), the following 
will happen when a user logs into the machine.

1) The user types in his login name.
2) The machine checks 
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Profilelist 
   for the SID of the user that has just logged in.
3) If it exists, a path to the user's profile will be specified there.
4) If it does not exist, an entry is created and the profile path is set to 
   %SYSTEMROOT%\PROFILES\USERNAME
5) The NTUser.DAT file is located in the above mentioned profile path and 
   loaded into the HKEY_USERS\SID branch.  This is the same as the 
   HKEY_CURRENT_USER branch from the currently logged in user's point of
   view.
6) If the NTUser.DAT file does not exist (because a profile for the user 
   does not exist yet), it is copied from 
   %SYSTEMROOT%\PROFILES\Default User\NTUser.DAT
7) The user's start menu is set to "the above mentioned path"\Start menu.
8) Again it is copied from "%SYSTEMROOT%\profiles\default user\Start menu" 
   if it is a new profile.
9) When the user logs off, the HKEY_CURRENT_USER hive is written back to the 
   NTUser.DAT file.
10) A way to ensure that the user can not change his profile is to rename 
    the NTUser.DAT file to NTUser.MAN
11) This will still allow the user to change his registry while logged on, 
    but it will not be saved when he logs off.
12) Another point to note is that you can also specify a "home directory" in 
    "USER MANAGER FOR DOMAINS".  If this is not specified, the 
    "home directory" will be set to "profile path"\personal.
13) If it is specified the "home directory" will be set to that.  Under WinNT, 
    the only use for the home directory is that it is the "default directory" 
    for saving files under OFFICE applications, and the directory a command 
    prompt will start up in.
14) If the home directory is not on the current machine, it will also be 
    mapped to the Z: drive on login (The drive can also be specified in 
    USER MANAGER FOR DOMAINS).
15) This is the ONLY use for the home directory under NT.



The following will happen if a profile path IS specified.


1) The user types in his login name.
2) The machine checks 
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Profilelist 
   for the SID of the user that has just logged in.
3) If there is no entry there, one is created.  It will specify the path to 
   the remote profile.  It also specifies the path to a local copy of the 
   profile. 
4) The remote profile path is the path as specified in USER MANAGER FOR 
   DOMAINS.  The local copy path will be %SYSTEMROOT%\profiles\username.
5) The machine then checks the roaming (remote) path to see if a profile 
   exists.  If it does, it will copy the remote profile to the local profile.  
   It will then load the local profile and log the user in.  Note that it 
   will overwrite the local copy of the profile if one exists.
6) If the remote path does not exist, it will create a directory for the 
   user, \\SERVER\profiles\username, and create a profile locally in the 
   same manner as specified above (without roaming profiles).
7) The profile is loaded to HKEY_CURRENT_USER. (HKEY_USERS\SID).
8) The ntconfig.pol from netlogon share is applied.
9) When the user logs off, the profile will first be saved to the local 
   copy, and then copied to the roaming profile.


The main difference between roaming and local profiles is that the roaming 
profile is copied to the local machine before anything happens, and then, 
as a last step, the profile is copied back to the server.

The following is worth mentioning.

1) When the profile is copied to or from the server, the destination profile 
   is deleted and overwritten by the copy.
2) If the user's profile is set to roaming and the PC can not find a
   remote profile to copy (share not accessible, server down, notebook
   disconnected from network), the machine will tell you that it can not 
   find your roaming profile and use the local copy instead.
3) Note this is different if it is a new roaming profile.  This is why the 
   PC creates a roaming profile directory for you.  Ability to create a
   directory means "new profile".  If it can not do that, it means "roaming 
   profile not available".
4) If a local copy of the profile has been used on a machine while the 
   server was down, notebook disconnected, etc.,  the local copy of the 
   NTUser.DAT file will have a newer timestamp than the one on the server.  
   The machine will then ask the user if the local or roaming profile should 
   be used.
5) Do not use the [homes] share to store profiles on.  NT doesn't disconnect
   the profile share between logon sessions.  This will lead to unpredictable 
   results.

Roaming profiles can lead to a lot of profiles being cached locally, if a 
lot of users roam between different PCs.  You can force the PC to delete 
the local copy of the profile after it has been copied back to the server.

Set the following value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
DeleteRoamingCache = DWORD:1

You should probably set this using the System Policy editor though.  See
explanation above on how to set up the System Policy editor.

This has a much "neater" setup, but can lead to a problem.

a) User already has a roaming profile on the server.
b) User logs into another workstation that he has never logged on to before, 
   while this workstation can not see the server storing the profiles.
c) A new local profile is created.
d) The user logs off.
e) The user logs onto the same workstation while seeing the profile server.
f) The machine sees that the local profile is newer and asks the user if the 
   local profile should be used.
g) The default is yes, and it "times out" to yes after approx 30 seconds.
h) When the user logs off, the original profile is overwritten deleting any 
   files the user might have stored on his desktop previously.
i) YOU HAVE BEEN WARNED


To setup Windows NT to use roaming profiles, do the following:

1) Create a profiles share.  Make sure it is world writable.  Eg.

   [profiles]
   path = /usr/profiles/%U
   writeable = yes

2) Specify the following in the General Section of the smb.conf

   logon path = //sambaserver/profiles/%U

4) NT roaming profiles should work.



Windows 95
==========

All references to %WINDIR% below refer to the directory Windows 95 is
installed in (usually C:\WINDOWS).

In Windows 95 the idea is pretty much the same, but there are important 
differences.

Windows 95 as installed by default, does not make provision for roaming 
profiles.  You have to enable it by going to 
"Control Panel"\"Passwords"\"User Profiles".

You have to set "enable different user profiles" for this machine.

You can include the start menu and the user's desktop in the user's 
profile by clicking the relevant options.

If you did not enable different profiles, all users will get a 
HKEY_CURRENT_USER profile from %WINDIR%\USER.DAT

If you did enable it, the Profile will come from 
%WINDIR%\Profiles\Username\USER.DAT.

If you did not enable Start menu, it will come from %WINDIR%\Start Menu,  
if you did, it will come from %WINDIR%\Profiles\USERNAME\Start Menu

Same if you did not enable roaming Desktop, it will come from 
%WINDIR%\Desktop.  If you did, it will come from 
%WINDIR%\Profiles\USERNAME\Desktop


Windows 95 does _NOT_ use the "profile path" as specified by the PDC/USER 
MANAGER FOR DOMAINS.  It uses the "home directory" setting.

When a user logs in with no "home directory set" the following happens.

1) User types in login name.
2) The 
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Profilelist 
   is checked to see if the user exists. If not, an entry is created with 
   the users _NAME_ and the profile directory is created under 
   %WINDIR%\Profiles\USERNAME.  The default %WINDIR%\USER.DAT is copied 
   for the user to %WINDIR%\Profiles\USERNAME\USER.DAT
3) The default profile (%WINDIR%\USER.DAT) is loaded to 
   HKEY_USERS\.Default
4) The login script is executed.
5) The user's profile (%WINDIR%\Profiles\USERNAME\USER.DAT) is loaded to 
   HKEY_USERS\USERNAME.
6) The config.pol from the netlogon share is applied.
7) If any needed settings reside in HKEY_USERS\USERNAME, they will override 
   settings in HKEY_USERS\.Default.  (Depending on the application 
   programmer, this is the idea anyway)
8) When the user logs off, the profile is copied back to 
   %WINDIR%\PROFILES\USERNAME\USER.DAT

If the user logs in and a "home directory" is received from the PDC, the 
following happens.

1) The user types in his login name
2) The 
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Profilelist 
   is checked to see if the user exists.  If not, the entry is created and 
   the remote profile is _MERGED_ with the current local profile if one 
   exists.
3) The rest then happens as above (without "home directory set")


Note that in a previous version of PROFILES.txt it is claimed that the 95 
machine will not find the USER.DAT file in the home directory, if the 
'net use x: /home' command is not used for some reason.  As far as I know, 
this is not true.  It will not find it if a home directory is not received 
from the PDC.  (I might be wrong though. I do not have access to a PDC and 
Windows 95 workstation to check this).  If I am wrong, this document should 
be modified to include references to "you have to map the home using 
'net use x: /home'".  See the following:

http://support.microsoft.com/support/kb/articles/q132/8/18.asp
http://support.microsoft.com/support/kb/articles/q138/0/46.asp

To me it looks like it should be _POSSIBLE_ to use the 'net use x: /home' 
command, not that you _HAVE_ to use it.


It is worth noting the following:

1) In Windows 95, the user's profile is not loaded until _after_ the login 
   script has been executed.  You can therefore not make changes to the 
   user's HKEY_CURRENT_USER hive in the login script.  Ways around this are 
   to copy a link to the user's start menu\startup directory, or to make the 
   machine execute a script from the 
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\"Runonce or run"
   registry setting.
2) In Windows 95 the remote profile is _MERGED_ with the local copy of the 
   profile.  This is done by datestamps.  It is not overwritten as with NT.


Setting up roaming profiles for Windows 95 machines - Step by Step
------------------------------------------------------------------

1) Make sure roaming profiles are enabled on your Windows 95 machine.
   Go to "Control Panel"/"Passwords"/"User Profiles".  Set "enable 
   different user profiles" for this machine.

2) Create a profiles share.  Make sure it is world writable.  Eg.
   [profiles]
   path = /usr/profiles/%U
   writeable = yes

3) Specify the following in the General Section of the smb.conf
   logon drive = X:
   logon home = /usr/profiles/%U
 
4) Note that Windows NT will mount the above directory if the same user
   logs into Windows NT.


REFERENCES
==========

A good document can be found at 
http://www.microsoft.com/ntserver/library/prof_policies.exe

It is a Microsoft whitepaper on roaming profiles. It is a self
extracting executable that contains a Word Document.


See also 
http://www.usyd.edu.au/su/is/dts/DTSwinNTProfiles.html
on Windows NT roaming profiles and policies.
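
The Windows NT logon and logoff rules described in the WinNT section, and the
DeleteRoamingCache warning (steps a to i), modelled as an added example; this
is not code from the original document or from Samba.  The class and function
names, timestamps and sample file names are constructed for illustration, and
the keep_newer_local flag is a hypothetical stand-in for the user's answer to
the "local profile is newer" prompt.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for %SYSTEMROOT%\PROFILES\Default User (not real hive data).
DEFAULT_PROFILE = {"NTUSER.DAT": "default settings"}

@dataclass
class Profile:
    files: Dict[str, str]
    mtime: int                      # timestamp of NTUSER.DAT, arbitrary ticks

@dataclass
class Server:
    profile: Optional[Profile] = None
    reachable: bool = True

@dataclass
class Workstation:
    delete_roaming_cache: bool = False   # DeleteRoamingCache = DWORD:1
    local: Optional[Profile] = None      # %SYSTEMROOT%\profiles\username

def logon(ws: Workstation, srv: Server, now: int, keep_newer_local: bool = True) -> str:
    """Pick the profile for this session; returns a label for the branch taken."""
    if not srv.reachable:
        if ws.local is None:                    # step c: no cached copy here
            ws.local = Profile(dict(DEFAULT_PROFILE), now)
            return "new-local"
        return "cached-local"
    if srv.profile is None:                     # new roaming profile
        if ws.local is None:
            ws.local = Profile(dict(DEFAULT_PROFILE), now)
        return "new-roaming"
    if ws.local and ws.local.mtime > srv.profile.mtime and keep_newer_local:
        return "local-newer"                    # steps f-g: prompt defaults to yes
    ws.local = Profile(dict(srv.profile.files), srv.profile.mtime)
    return "roaming"                            # server copy overwrites local

def logoff(ws: Workstation, srv: Server, now: int) -> bool:
    """Save locally, then replace the server copy; True if it was uploaded."""
    ws.local.mtime = now
    if not srv.reachable:
        return False                            # only the local copy is updated
    srv.profile = Profile(dict(ws.local.files), now)   # destination overwritten
    if ws.delete_roaming_cache:
        ws.local = None                         # cache removed after upload
    return True

def replay_warning(keep_newer_local: bool):
    """Steps a-h of the warning; returns (logon branch, files left on server)."""
    srv = Server(Profile({"NTUSER.DAT": "tuned", "Desktop/report.doc": "work"}, 100))
    ws = Workstation(delete_roaming_cache=True)
    srv.reachable = False
    logon(ws, srv, now=200)                     # steps b-c
    logoff(ws, srv, now=210)                    # step d
    srv.reachable = True
    branch = logon(ws, srv, now=300, keep_newer_local=keep_newer_local)  # e-g
    logoff(ws, srv, now=310)                    # step h
    return branch, sorted(srv.profile.files)

if __name__ == "__main__":
    print(replay_warning(keep_newer_local=True))    # default answer to the prompt
    print(replay_warning(keep_newer_local=False))   # user picks the roaming copy
```

With the default answer the server ends up holding only the freshly created
profile, which is the loss of desktop files that step h describes.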


