Shared roaming profiles for all users (XP)?

Richard Sharpe rsharpe at ns.aus.com
Sat Nov 23 08:11:01 GMT 2002


On Sat, 23 Nov 2002, John H Terpstra wrote:

> On 23 Nov 2002, Andrew Bartlett wrote:
> 
> > On Sat, 2002-11-23 at 14:46, xfesty wrote:
> > >
> > > Hiya.
> > >
> > > Is there any way to make non-changeable roaming profiles for all users
> > > with XP workstations, and Samba 3.0HEAD from CVS acting as a PDC?
> > >
> > > I'm setting up a bunch of workstations for an internet cafe, and all
> > > users need to basically have the same settings (i.e. desktop icons,
> > > Internet Explorer settings, start menu items, etc.) as others, yet not
> > > be able to change them.
> > >
> > > I tried setting the profile dir to the same for all users, and making
> > > it read only, but I'm experiencing two problems -
> > >
> > > (1) XP will refuse to load the profile if it's read-only, and
> > > (2) XP won't load the profile if it wasn't created by the same user.
> > >
> > > I'm also finding cookies in IE sometimes aren't being properly set,
> > > people can't view hotmail attachments, MSN messenger refuses to work,
> > > and a bunch of other oddities.
> > >
> > > Any way past this?  I remember back when I was using Windows 2K Server
> > > as a PDC, it was possible to have this.
> >
> > If the ntuser.dat is renamed ntuser.man, and you make the profile owned
> > by root, read-only to the user, and you set root to have rid 500 in
> > LDAP, does it work?
> >
> > (ie add root to ldap, then change the RID).
> 
> The SID is stored inside the NTUser.DAT file. Access control (the ACE) is
> stored inside the file. That is what Richard Sharpe was working on
> decoding recently. When his work is done we will be able to set our own
> ACEs inside the NTUser.DAT file and thus create from any profile a global
> per group or a global group mandatory profile.

You can already do that with the profiles command. That is, you can change 
the owner or group SIDs, etc. What you can't do is add elements to the 
ACL, as I don't properly handle the format of NTUSER.DAT. That will 
require more work.

You can, of course, edit the ACL, with Windows tools.

> Just setting file ownership and permissions does not get one past the
> hurdle of the ACE inside the file.
> 
> - John T.
> 
> >
> > I think this is the standard way this is done on NT.
> >
> > Andrew Bartlett
> >
> >
> 
> 

-- 
Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com
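
The thread's point that the SID lives inside NTUSER.DAT itself, shown as an added example (not part of the original message and not the code of Samba's profiles command): a minimal reader that walks a registry hive's security ("sk") cells and reports the owner and group SID of each, so the SIDs a profile carries can be checked before it is shared. The hive it runs on is constructed inline with made-up domain SID values, and the DACL entries are not decoded.

```python
import struct

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-1-... string form."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def hive_owner_sids(hive):
    """Return (owner, group) SID strings for every allocated 'sk' cell."""
    found, pos = [], 0x1000          # first hbin follows the 4096-byte base block
    while hive[pos:pos + 4] == b"hbin":
        bin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        cell, end = pos + 0x20, pos + bin_size
        while cell + 4 <= end:
            size = struct.unpack_from("<i", hive, cell)[0]
            if size == 0:
                break                # corrupt cell, stop walking this bin
            if size < 0 and hive[cell + 4:cell + 6] == b"sk":
                sd = cell + 24       # size, "sk", pad, flink, blink, refcount, SD length
                offs = struct.unpack_from("<II", hive, sd + 4)
                found.append(tuple(parse_sid(hive, sd + o) if o else None for o in offs))
            cell += abs(size)
        if bin_size == 0:
            break
        pos += bin_size
    return found

def build_sample_hive(owner_rid):
    """Constructed one-cell hive; the domain SID values are made up."""
    def sid(*subs):
        return (struct.pack("<BB", 1, len(subs)) + (5).to_bytes(6, "big")
                + struct.pack("<%dI" % len(subs), *subs))
    owner = sid(21, 1111, 2222, 3333, owner_rid)
    group = sid(21, 1111, 2222, 3333, 513)
    # Self-relative descriptor: revision, sbz1, control, owner/group/SACL/DACL offsets
    sd = struct.pack("<BBHIIII", 1, 0, 0x8000, 20, 20 + len(owner), 0, 0) + owner + group
    body = b"sk\x00\x00" + struct.pack("<IIII", 0x20, 0x20, 1, len(sd)) + sd
    cell_size = (4 + len(body) + 7) & ~7          # cells are 8-byte aligned
    cell = (struct.pack("<i", -cell_size) + body).ljust(cell_size, b"\0")
    hbin = b"hbin" + struct.pack("<II", 0, 0x1000) + b"\0" * 20 + cell
    free = 0x1000 - len(hbin)
    hbin += struct.pack("<i", free) + b"\0" * (free - 4)   # positive size = free cell
    return b"regf".ljust(0x1000, b"\0") + hbin

if __name__ == "__main__":
    for owner, group in hive_owner_sids(build_sample_hive(500)):
        print("owner", owner, "group", group)
```
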



