Shared roaming profiles for all users (XP)?

Richard Sharpe rsharpe at ns.aus.com
Sat Nov 23 17:36:00 GMT 2002


On Sat, 23 Nov 2002, John H Terpstra wrote:

> On 23 Nov 2002, Andrew Bartlett wrote:
> 
> > On Sat, 2002-11-23 at 19:01, John H Terpstra wrote:
> > > On 23 Nov 2002, Andrew Bartlett wrote:
> > >
> > > > On Sat, 2002-11-23 at 14:46, xfesty wrote:
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > >
> > > > > Hiya.
> > > > >
> > > > > Is there any way to make non-changeable roaming profiles for all users
> > > > > with XP workstations, and Samba 3.0HEAD from CVS acting as a PDC?
> > > > >
> > > > > I'm setting up a bunch of workstations for an internet cafe, and all
> > > > > users need to basically have the same settings (i.e. desktop icons,
> > > > > Internet Explorer settings, start menu items, etc.) as others, yet not
> > > > > be able to change them.
> > > > >
> > > > > I tried setting the profile dir to the same for all users, and making
> > > > > it read only, but I'm experiencing two problems -
> > > > >
> > > > > (1) XP will refuse to load the profile if its read-only, and
> > > > > (2) XP won't load the profile if it wasn't created by the same user.
> > > > >
> > > > > I'm also finding cookies in IE sometimes aren't being properly set,
> > > > > people can't view hotmail attachments, MSN messenger refuses to work,
> > > > > and a bunch of other oddities.
> > > > >
> > > > > Any way past this?  I remember back when I was using Windows 2K Server
> > > > > as a PDC, it was possible to have this.
> > > >
> > > > If the ntuser.dat is renamed ntuser.man, and you make the profile owned
> > > > by root, read-only to the user, and you set root to have rid 500 in
> > > > LDAP, does it work?
> > > >
> > > > (ie add root to ldap, then change the RID).
> > >
> > > The SID is stored inside the NTUser.DAT file. Access control (the ACE) is
> > > stored inside the file. That is what Richard Sharpe was working on
> > > decoding recently. When his work is done we will be able to set our own
> > > ACE's inside the NTUser.DAT file and thus create from any profile a global
> > > per group or a global group mandatory profile.
> > >
> > > Just setting file ownership and permissions does not get one past the
> > > hurdle of the ACE inside the file.
> >
> > But if we take a 'normal' profile, change the ownership to admin, but
> > don't change the SIDs, can we use it as a mandatory profile for a single
> > user?
> 
> Last attempt to get this across: No!
> 
> Win NT/2K/XP checks access rights on the ACE inside the file as it loads
> the profile and goes belly up if it does not have access permission for
> the current user.

That is correct. If you use the profiles command on NTUSER.DAT, it will 
show you all the ACEs on the profiles.

Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com
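
The point made above (the SID and ACEs that decide who may load the hive live inside NTUSER.DAT, so Unix ownership and mode bits on the file are irrelevant) is illustrated by the following added example. It is not code from the thread or from Samba's profiles utility; it builds a constructed self-relative security descriptor of the kind stored in a hive's "sk" cells, decodes the owner SID and DACL, runs a simplified DACL check for a given token, and rewrites the embedded SID the way a mandatory-profile conversion has to. All SIDs (a made-up domain S-1-5-21-1111-2222-3333 with users 1001 and 1002) are constructed, and the access check is a model of the NT algorithm, not the kernel's code:

```python
"""Decode, check and rewrite the self-relative security descriptor stored in a
registry hive (NTUSER.DAT) "sk" cell.  Added example; all SIDs are constructed."""
import struct

ACCESS_ALLOWED, ACCESS_DENIED = 0x00, 0x01          # ACE types
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000  # SD control bits
KEY_READ, KEY_ALL_ACCESS = 0x20019, 0xF003F         # registry access masks


def sid_to_bytes(text):
    """'S-1-5-21-1-2-3-1000' -> revision, sub-auth count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    parts = text.split("-")
    assert parts[0] == "S", "not a SID string"
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, off):
    """Decode the binary SID at buf[off:]; returns (text, encoded length)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_sd(owner, group, aces):
    """Self-relative SD: 20-byte header, owner SID, group SID, then a DACL whose
    ACEs are (type, flags, mask, sid) tuples. No SACL."""
    owner_b, group_b = sid_to_bytes(owner), sid_to_bytes(group)
    ace_b = b""
    for atype, flags, mask, sid in aces:
        sid_b = sid_to_bytes(sid)
        ace_b += struct.pack("<BBHI", atype, flags, 8 + len(sid_b), mask) + sid_b
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace_b), len(aces), 0) + ace_b  # ACL_REVISION 2
    owner_off = 20
    group_off = owner_off + len(owner_b)
    dacl_off = group_off + len(group_b)
    hdr = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                      owner_off, group_off, 0, dacl_off)
    return hdr + owner_b + group_b + acl


def parse_sd(sd):
    """Return {'owner', 'group', 'aces'} decoded from a self-relative SD."""
    _, _, control, owner_off, group_off, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    aces = []
    if control & SE_DACL_PRESENT and dacl_off:
        _, _, _, count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
        off = dacl_off + 8
        for _ in range(count):
            atype, flags, size, mask = struct.unpack_from("<BBHI", sd, off)
            aces.append((atype, flags, mask, sid_from_bytes(sd, off + 8)[0]))
            off += size
    return {"owner": sid_from_bytes(sd, owner_off)[0],
            "group": sid_from_bytes(sd, group_off)[0], "aces": aces}


def access_granted(sd, token_sids, wanted):
    """Simplified NT DACL walk: ACEs are evaluated in order, a matching deny ACE
    covering a still-ungranted wanted bit fails, matching allow ACEs accumulate."""
    granted = 0
    for atype, _, mask, sid in parse_sd(sd)["aces"]:
        if sid not in token_sids:
            continue
        if atype == ACCESS_DENIED and mask & wanted & ~granted:
            return False
        if atype == ACCESS_ALLOWED:
            granted |= mask
    return granted & wanted == wanted


def rewrite_sid(sd, old, new):
    """Copy of sd with every occurrence of SID `old` (owner, group, ACEs) replaced
    by `new`; rebuilt rather than patched so offsets stay valid if lengths differ."""
    d = parse_sd(sd)
    swap = lambda s: new if s == old else s
    return build_sd(swap(d["owner"]), swap(d["group"]),
                    [(t, f, m, swap(s)) for t, f, m, s in d["aces"]])


# Constructed sample: the descriptor a profile created by "alice" would carry.
DOMAIN = "S-1-5-21-1111-2222-3333"
ALICE, BOB, DOMAIN_USERS = DOMAIN + "-1001", DOMAIN + "-1002", DOMAIN + "-513"
SYSTEM, ADMINS = "S-1-5-18", "S-1-5-32-544"
ALICE_SD = build_sd(ALICE, DOMAIN_USERS, [
    (ACCESS_ALLOWED, 0, KEY_ALL_ACCESS, ALICE),
    (ACCESS_ALLOWED, 0, KEY_ALL_ACCESS, SYSTEM),
    (ACCESS_ALLOWED, 0, KEY_ALL_ACCESS, ADMINS),
])

if __name__ == "__main__":
    print(parse_sd(ALICE_SD))
    # bob's token holds no SID that the hive's DACL names: load fails, whatever
    # the Unix owner or mode of the file says.
    print("bob loads alice's hive:", access_granted(ALICE_SD, {BOB, DOMAIN_USERS}, KEY_READ))
    # Rewriting alice's SID to the Domain Users group SID gives a per-group hive.
    group_sd = rewrite_sid(ALICE_SD, ALICE, DOMAIN_USERS)
    print("bob loads group hive:", access_granted(group_sd, {BOB, DOMAIN_USERS}, KEY_READ))
```

The rewrite step is the part a mandatory-profile setup needs: copy one working profile, substitute the creating user's SID in the hive's security descriptors with the SID of the user or group that should load it, then rename NTUSER.DAT to NTUSER.MAN so the client treats it as mandatory. A real hive holds many "sk" cells and the SID also appears in key data, so a tool operating on the file has to visit all of them, which is what the profiles command mentioned above was being written to do.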
