Shared roaming profiles for all users (XP)?

John H Terpstra jht at samba.org
Sat Nov 23 16:28:00 GMT 2002


On 23 Nov 2002, Andrew Bartlett wrote:

> On Sat, 2002-11-23 at 19:01, John H Terpstra wrote:
> > On 23 Nov 2002, Andrew Bartlett wrote:
> >
> > > On Sat, 2002-11-23 at 14:46, xfesty wrote:
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > >
> > > > Hiya.
> > > >
> > > > Is there any way to make non-changeable roaming profiles for all users
> > > > with XP workstations, and Samba 3.0HEAD from CVS acting as a PDC?
> > > >
> > > > I'm setting up a bunch of workstations for an internet cafe, and all
> > > > users need to basically have the same settings (i.e. desktop icons,
> > > > Internet Explorer settings, start menu items, etc.) as others, yet not
> > > > be able to change them.
> > > >
> > > > I tried setting the profile dir to the same for all users, and making
> > > > it read only, but I'm experiencing two problems -
> > > >
> > > > (1) XP will refuse to load the profile if its read-only, and
> > > > (2) XP won't load the profile if it wasn't created by the same user.
> > > >
> > > > I'm also finding cookies in IE sometimes aren't being properly set,
> > > > people can't view hotmail attachments, MSN messenger refuses to work,
> > > > and a bunch of other oddities.
> > > >
> > > > Any way past this?  I remember back when I was using Windows 2K Server
> > > > as a PDC, it was possible to have this.
> > >
> > > If the ntuser.dat is renamed ntuser.man, and you make the profile owned
> > > by root, read-only to the user, and you set root to have rid 500 in
> > > LDAP, does it work?
> > >
> > > (ie add root to ldap, then change the RID).
> >
> > The SID is stored inside the NTUser.DAT file. Access control (the ACE) is
> > stored inside the file. That is what Richard Sharpe was working on
> > decoding recently. When his work is done we will be able to set our own
> > ACEs inside the NTUser.DAT file and thus create from any profile a global
> > per group or a global group mandatory profile.
> >
> > Just setting file ownership and permissions does not get one past the
> > hurdle of the ACE inside the file.
>
> But if we take a 'normal' profile, change the ownership to admin, but
> don't change the SIDs, can we use it as a mandatory profile for a single
> user?

Last attempt to get this across: No!

Win NT/2K/XP checks access rights on the ACE inside the file as it loads
the profile and goes belly up if it does not have access permission for
the current user.

- John T.

-- 
John H Terpstra
Email: jht at samba.org
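Added example, not part of the thread above and not Samba code: the point John makes is that NTUSER.DAT is a registry hive carrying its own security descriptor, so file ownership and mode bits on the Samba share never reach the check Windows performs at load time. The Windows-side way to inspect and rewrite that embedded descriptor is to mount the hive under HKEY_USERS with reg.exe and edit it with the registry ACL cmdlets. The script assumes the hive has been copied off the profiles share to C:\work\NTUSER.MAN (hypothetical path, already renamed per Andrew's ntuser.man suggestion), a throwaway mount point named ProfileEdit, and that it runs elevated on a machine where nobody has that profile loaded; the group granted read access (BUILTIN\Users) is a placeholder for the domain group the cafe accounts belong to.

```powershell
# Added example (not from the samba-technical thread): show and rewrite the
# security descriptor stored INSIDE a profile hive so the hive can be loaded by
# users other than the account that created it. Assumed inputs:
#   $HivePath - copy of the profile hive taken from the Samba profiles share
#   $Mount    - temporary subkey of HKEY_USERS used while the hive is mounted
# Run elevated; the profile's owner must not be logged on (reg load takes an
# exclusive lock on the file).
param(
    [string]$HivePath = 'C:\work\NTUSER.MAN',   # assumed path
    [string]$Mount    = 'HKU\ProfileEdit',      # assumed mount point
    [string]$Readers  = 'BUILTIN\Users'         # assumed group that shares the profile
)

# 1. Mount the hive file as a key under HKEY_USERS.
reg.exe load $Mount $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

$key = "Registry::HKEY_USERS\ProfileEdit"
try {
    # 2. Read the descriptor the file itself carries. This is what XP evaluates
    #    at logon; chown/chmod on the server side never touch it.
    $acl = Get-Acl -Path $key
    Write-Host "Owner stored in hive : $($acl.Owner)"
    $acl.Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize

    # 3. Replace the creator-only ACL: Administrators keep full control, the
    #    shared group gets read-only access, inherited down the key tree.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $noProp  = [System.Security.AccessControl.PropagationFlags]::None

    $adminRule = New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Administrators',
        [System.Security.AccessControl.RegistryRights]::FullControl,
        $inherit, $noProp,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $readRule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Readers,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        $inherit, $noProp,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl.SetAccessRuleProtection($false, $true)   # keep inheritance enabled
    $acl.SetAccessRule($adminRule)
    $acl.SetAccessRule($readRule)
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -Path $key -AclObject $acl

    # 4. Confirm the rewrite before the file goes back to the share.
    (Get-Acl -Path $key).Access |
        Where-Object { $_.IdentityReference -eq $Readers } |
        Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
}
finally {
    # 5. Drop any RegistryKey handles PowerShell still holds, then flush the
    #    hive back to disk. An unload that fails leaves the file unchanged.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    reg.exe unload $Mount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; hive may still be mounted" }
}
```

Two caveats a practitioner should check. Set-Acl on the root key only propagates to subkeys that still inherit; any subkey whose inheritance the original user (or an application) disabled keeps its own descriptor and needs the same treatment, so walk Get-ChildItem -Recurse on the mounted key and look for IsInherited -eq $false entries before trusting the result. And the SID baked into the hive still refers to the original creator, which matters for per-user paths stored in the registry data itself; this script only fixes who is allowed to load the hive, which is the hurdle the thread is about, not the data inside it.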



