[Samba] few idea about dealing with "Large Roaming Profiles"
ilia at cgu.chel.su
Tue Feb 26 07:08:11 GMT 2002
I put it here. All the experience gained in about-half-an-year-management
of Samba-PDC + numerous NT4 workstations is included. Also, I'd be glad to
hear from you what I missed!
1) when NT4-workstations are organised into "domain", there's some
action associated to this: "to log into domain".
samba in such case acts as PDC (primary domain controller),
it does the "password checking" task
2) two things about "domain logons", well, actually three things:
a) system policies
b) user profile (roaming profile)
c) logon script
when a particular user logs "into domain", the following occurs:
a) "registry propagation rules" apply.
this is called "system policies", but that is obviously less
descriptive. WinNT registry contains HKEY_LOCAL_MACHINE and
HKEY_CURRENT_USER branches, so you may define "system policies"
on "per user/per machine" basis.
tool for editing policies is called poledit.exe,
(run "servicepackbinary.exe /x" in order to obtain poledit.exe)
you may either use "adm" files that are shipped with poledit.exe
or use custom "adm" files (see examples below)
create file "ntconfig.pol" with poledit.exe and put it to
"netlogon" share (that share is defined in smb.conf, see below)
+-> Windows NT User Profiles
[x] Exclude directories in roaming profile
(Temporary Internet Files; Temp)
+-> Windows NT User Profiles
[x] Delete cached copies of roaming profiles
[x] Choose default profile operation
this keeps profile size from being obscenely LARGE...
b) define special directory for roaming profile (see smb.conf included
below), DO NOT put anything else into that directory (i.e. games,
movies, songs, etc), every single byte counts!
profile contains file NTuser.dat (which is just a registry dump)
and numerous directories.
if you rename NTuser.dat -> NTuser.man, such profile means "mandatory",
it won't be ever changed, also it won't be corrupted.
(when profile grows large, file NTuser.dat sometimes becomes
corrupted which is very bad)
c) certain script is executed upon every "logon", you may put
commands to save particular registry branches (for easier
recovery after profile corruption)
regedit /e \\SOL\thebat\batsave\%UserName%-batsave.reg
(notice that "logon script" must be edited using DOS editors!)
[global]
invalid users = root
time server = true
workgroup = solar
netbios name = SOL
encrypt passwords = yes
domain admin group = @nt_adm
log file = /dev/null
security = user
interfaces = 192.168.100.1/24 192.168.200.1/24 127.0.0.1/8
min protocol = NT1
local master = yes
os level = 255
domain master = yes
preferred master = yes
domain logons = yes
logon script = s.bat
logon path = \\%L\%U\profile
logon home = \\%L\%U\profile
wins support = yes

[netlogon]
path = /home/netlogon
valid users = @users
guest ok = yes
read only = yes
browseable = no
2) custom "adm" files for use with poledit.exe
a) (this is not "roaming profile" related, just to illustrate here)
CATEGORY "MSWord - 97"
POLICY "protect from macro-viruses"
POLICY "use RTF by default"
KEYNAME "Software\Microsoft\Office\8.0\Word\Default Save"
VALUENAME "Default Format"
b) another "adm" example
CATEGORY "Internet Explorer 5.X"
POLICY "enable proxy"
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PART "Use proxy server" CHECKBOX DEFCHECKED
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
PART "address of proxy server" EDITTEXT
PART "specify as proxy.domain.com:1234" TEXT END PART
POLICY "Home page"
KEYNAME "Software\Microsoft\Internet Explorer\Main"
PART "Server" EDITTEXT
VALUENAME "Start Page"
Regards, (Наилучшие пожелания)
Ilia Chipitsine (Илья Шипицин)
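
An added example, not part of the original post: a shell audit of the server-side profile directories that reports each profile's size, whether it is roaming (NTuser.dat) or mandatory (NTuser.man), and whether the directories named in the exclusion policy were uploaded anyway. The `<root>/<user>/profile` layout, the function names, the 30 MB default limit and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit roaming profiles on the server.
# Assumption: profiles live at <root>/<user>/profile, as "logon path = \\%L\%U\profile"
# would give with per-user directories under <root>.
# profile_kind DIR -> mandatory | roaming | missing. Match is case-insensitive
# because clients may write NTUSER.DAT or NTuser.dat.
profile_kind() {
    if [ -n "$(find "$1" -maxdepth 1 -type f -iname 'ntuser.man' 2>/dev/null)" ]; then
        echo mandatory
    elif [ -n "$(find "$1" -maxdepth 1 -type f -iname 'ntuser.dat' 2>/dev/null)" ]; then
        echo roaming
    else
        echo missing
    fi
}

# excluded_present DIR -> directories the "Exclude directories in roaming profile"
# policy names (Temporary Internet Files; Temp) that were uploaded anyway.
excluded_present() {
    found=""
    for name in "Temporary Internet Files" "Temp"; do
        if [ -n "$(find "$1" -type d -iname "$name" 2>/dev/null | head -n 1)" ]; then
            found="${found:+$found,}$name"
        fi
    done
    echo "${found:-none}"
}

# audit_profiles ROOT [LIMIT_KB] -> user, size_kb, kind, excluded dirs, OK|LARGE (tab-separated)
audit_profiles() {
    root=$1; limit=${2:-30720}   # default limit of 30 MB is an arbitrary choice
    for dir in "$root"/*/profile; do
        [ -d "$dir" ] || continue
        user=$(basename "$(dirname "$dir")")
        kb=$(du -sk "$dir" | cut -f1)
        if [ "$kb" -gt "$limit" ]; then flag=LARGE; else flag=OK; fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$user" "$kb" \
            "$(profile_kind "$dir")" "$(excluded_present "$dir")" "$flag"
    done
}

# Constructed sample tree: alice has a roaming profile with cache data, bob a mandatory one.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/alice/profile/Temporary Internet Files" \
             "$t/alice/profile/Local Settings/Temp" "$t/bob/profile"
    head -c 409600 /dev/urandom > "$t/alice/profile/Temporary Internet Files/cache.bin"
    : > "$t/alice/profile/NTUSER.DAT"; : > "$t/bob/profile/NTuser.man"
    echo "$t"
}
if [ $# -ge 1 ]; then audit_profiles "$@"; fi
```

Run it as `sh audit.sh /home 30720` (script name hypothetical); a profile reported as `missing` has neither NTuser.dat nor NTuser.man at its top level.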