Shared roaming profiles for all users (XP)?

John H Terpstra jht at
Sat Nov 23 08:02:00 GMT 2002

On 23 Nov 2002, Andrew Bartlett wrote:

> On Sat, 2002-11-23 at 14:46, xfesty wrote:
> > Hiya.
> >
> > Is there any way to make non-changeable roaming profiles for all users
> > with XP workstations, and Samba 3.0HEAD from CVS acting as a PDC?
> >
> > I'm setting up a bunch of workstations for an internet cafe, and all
> > users need to basically have the same settings (i.e. desktop icons,
> > Internet Explorer settings, start menu items, etc.) as others, yet not
> > be able to change them.
> >
> > I tried setting the profile dir to the same for all users, and making
> > it read only, but I'm experiencing two problems -
> >
> > (1) XP will refuse to load the profile if it's read-only, and
> > (2) XP won't load the profile if it wasn't created by the same user.
> >
> > I'm also finding cookies in IE sometimes aren't being properly set,
> > people can't view hotmail attachments, MSN messenger refuses to work,
> > and a bunch of other oddities.
> >
> > Any way past this?  I remember back when I was using Windows 2K Server
> > as a PDC, it was possible to have this.
>
> If the ntuser.dat is renamed, and you make the profile owned
> by root, read-only to the user, and you set root to have rid 500 in
> LDAP, does it work?
> (ie add root to ldap, then change the RID).

The SID is stored inside the NTUser.DAT file. Access control (the ACE) is
stored inside the file. That is what Richard Sharpe was working on
decoding recently. When his work is done we will be able to set our own
ACEs inside the NTUser.DAT file and thus create from any profile a global
per group or a global group mandatory profile.

Just setting file ownership and permissions does not get one past the
hurdle of the ACE inside the file.

- John T.

> I think this is the standard way this is done on NT.
> Andrew Bartlett

John H Terpstra
Email: jht at
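
Added example (not part of the original thread, and not Samba's or Richard Sharpe's code): a decoder for the standard Windows binary SID and ACL layout, showing that each access grant names a specific SID in the data itself, so a second user's SID has no ACE regardless of the file's Unix owner or mode. The ACL bytes, the SIDs and all helper names are constructed for illustration; locating the security descriptor inside a real NTUSER.DAT is assumed and not shown.

```python
import struct

KEY_ALL_ACCESS = 0xF003F   # registry access mask (winnt.h)
ACCESS_ALLOWED = 0         # ACCESS_ALLOWED_ACE_TYPE

def parse_sid(buf, off=0):
    """Decode a binary SID at buf[off:]; return (string form, bytes consumed)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)  # 32-bit, little-endian
    return "-".join(["S", str(rev), str(authority), *map(str, subs)]), 8 + 4 * count

def build_sid(text):
    """Encode 'S-R-A-S1-S2...' to binary (helper for the constructed sample)."""
    rev, auth, *subs = (int(p) for p in text.split("-")[1:])
    return struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def parse_acl(buf):
    """Return [(ace_type, access_mask, sid)] for every ACE in a binary ACL."""
    _rev, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, 0)
    if size > len(buf):
        raise ValueError("ACL size exceeds buffer")
    aces, off = [], 8
    for _ in range(count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", buf, off)
        if ace_size < 16 or off + ace_size > size:  # header + mask + minimal SID
            raise ValueError("malformed ACE")
        (mask,) = struct.unpack_from("<I", buf, off + 4)
        aces.append((ace_type, mask, parse_sid(buf, off + 8)[0]))
        off += ace_size
    return aces

def build_acl(entries):
    """Build a revision-2 ACL of access-allowed ACEs from (mask, sid) pairs."""
    body = b""
    for mask, sid in entries:
        sid_b = build_sid(sid)
        body += struct.pack("<BBHI", ACCESS_ALLOWED, 0, 8 + len(sid_b), mask) + sid_b
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(entries), 0) + body

def grants_to(acl, sid):
    """Access masks that allow-ACEs in the ACL grant to exactly this SID."""
    return [m for t, m, s in parse_acl(acl) if t == ACCESS_ALLOWED and s == sid]

# Constructed sample: ACL granting the profile's creator, SYSTEM and Administrators.
OWNER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
OTHER = "S-1-5-21-1111111111-2222222222-3333333333-1002"
SAMPLE_ACL = build_acl([(KEY_ALL_ACCESS, s) for s in (OWNER, "S-1-5-18", "S-1-5-32-544")])
if __name__ == "__main__":
    print(parse_acl(SAMPLE_ACL), grants_to(SAMPLE_ACL, OTHER))
```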
