[Samba] few idea about dealing with "Large Roaming Profiles"
Ilia Chipitsine
ilia at cgu.chel.su
Tue Feb 26 07:08:11 GMT 2002
Well,
I put it here. All the experience gained in about-half-an-year-management
of Samba-PDC + numerous NT4 workstations is included. Also, I'd be glad to
hear from you what I missed!
1) when NT4-workstations are organised into "domain", there's some
action associated with this: "to log into domain".
samba in such case acts as PDC (primary domain controller),
it does the "password checking" task
2) two things about "domain logons", well, actually three things:
a) system policies
b) user profile (roaming profile)
c) logon script
when a particular user logs "into domain" the following occurs:
a) "registry propagation rules" apply.
this is called "system policies", but that is obviously less
descriptive. WinNT registry contains HKEY_LOCAL_MACHINE and
HKEY_CURRENT_USER branches, so you may define "system policies"
on "per user/per machine" basis.
tool for editing policies is called poledit.exe,
(run "servicepackbinary.exe /x" in order to obtain poledit.exe)
you may either use "adm" files that are shipped with poledit.exe
or use custom "adm" files (see examples below)
create file "ntconfig.pol" with poledit.exe and put it to
"netlogon" share (that share is defined in smb.conf, see below)
Default User
|
+-> Windows NT User Profiles
[x] Exclude directories in roaming profile
(Temporary Internet Files; Temp)
Default Computer
|
+-> Windows NT User Profiles
[x] Delete cached copies of roaming profiles
[x] Choose default profile operation
(Download profile)
this keeps profile size from being obscenely LARGE...
b) define special directory for roaming profile (see smb.conf included
below), DO NOT put anything else into that directory (i.e. games,
movies, songs, etc), every single byte counts!
profile contains file NTuser.dat (which is just a registry dump)
and numerous directories.
if you rename NTuser.dat -> NTuser.man, such profile means "mandatory",
it won't ever be changed, also it won't be corrupted.
(when profile grows large, file NTuser.dat sometimes becomes
corrupted which is very bad)
c) certain script is executed upon every "logon", you may put
commands to save particular registry branches (for easier
recovery after profile corruption)
for example:
regedit /e \\SOL\thebat\batsave\%UserName%-batsave.reg HKEY_CURRENT_USER\Software\RIT
(notice that "logon script" must be edited using DOS editors!)
--addons----
1) smb.conf
[global]
invalid users = root
time server = true
workgroup = solar
netbios name = SOL
encrypt passwords = yes
domain admin group = @nt_adm
log file = /dev/null
security = user
interfaces = 192.168.100.1/24 192.168.200.1/24 127.0.0.1/8
min protocol = NT1
local master = yes
os level = 255
domain master = yes
preferred master = yes
domain logons = yes
logon script = s.bat
logon path = \\%L\%U\profile
logon home = \\%L\%U\profile
wins support = yes
[netlogon]
path = /home/netlogon
valid users = @users
guest ok = yes
read only = yes
browseable = no
2) custom "adm" files for use with poledit.exe
a) (this is not "roaming profile" related, just to illustrate here)
CLASS USER
; !!Kontur is a string reference and must be defined in a [strings] section
CATEGORY !!Kontur
  CATEGORY "MSWord - 97"
    POLICY "protect from macro-viruses"
      KEYNAME "Software\Microsoft\Office\8.0\Word\Options"
      VALUENAME "EnableMacroVirusProtection"
      VALUEON "1"
      VALUEOFF "0"
    END POLICY
    POLICY "use RTF by default"
      KEYNAME "Software\Microsoft\Office\8.0\Word\Default Save"
      VALUENAME "Default Format"
      VALUEON "Rtf"
      VALUEOFF ""
    END POLICY
  END CATEGORY ; MSWord - 97
END CATEGORY ; Kontur
b) another "adm" example
CLASS USER
CATEGORY "Internet Explorer 5.X"
POLICY "enable proxy"
KEYNAME "Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PART "Use proxy server" CHECKBOX DEFCHECKED
VALUENAME "ProxyEnable"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
PART "address of proxy server" EDITTEXT
VALUENAME "ProxyServer"
END PART
PART "specify as proxy.domain.com:1234" TEXT END PART
END POLICY
POLICY "Home page"
KEYNAME "Software\Microsoft\Internet Explorer\Main"
PART "Server" EDITTEXT
VALUENAME "Start Page"
END PART
END POLICY
END CATEGORY
Regards, (Best wishes)
Ilia Chipitsine (Илья Шипицин)
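
A server-side check for the advice in this post, as an added example that is not part of the original message: it walks the profile directories on the Samba host, reports each profile's size, whether it is mandatory (NTuser.man) or roaming (NTuser.dat), and how many bytes sit in the two directories the policy excludes. The function names, the /home layout (a [homes] share behind "logon path = \\%L\%U\profile") and the size limit are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: "logon path = \\%L\%U\profile" resolves through a [homes]
# share to <homes_root>/<user>/profile on the Samba server.

# tree_bytes DIR: bytes in regular files under DIR (0 if DIR is missing).
# Apparent size is used because that is what gets copied at logon/logoff.
tree_bytes() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -type f -exec ls -ln {} + 2>/dev/null |
        awk '{ s += $5 } END { printf "%.0f\n", s }'
}

# profile_kind DIR: mandatory (NTuser.man), roaming (NTuser.dat) or none.
# Matched case-insensitively, since the file name shows up in varying case.
profile_kind() {
    if ls "$1" 2>/dev/null | grep -qix 'ntuser\.man'; then echo mandatory
    elif ls "$1" 2>/dev/null | grep -qix 'ntuser\.dat'; then echo roaming
    else echo none
    fi
}

# profile_report HOMES_ROOT LIMIT_BYTES
# One tab-separated line per user: user, kind, total bytes,
# bytes in the policy-excluded directories, ok/OVER.
profile_report() {
    for p in "$1"/*/profile; do
        [ -d "$p" ] || continue
        user=$(basename "$(dirname "$p")")
        total=$(tree_bytes "$p")
        tif=$(tree_bytes "$p/Temporary Internet Files")
        tmp=$(tree_bytes "$p/Temp")
        if [ "$total" -gt "$2" ]; then status=OVER; else status=ok; fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$user" "$(profile_kind "$p")" \
            "$total" "$((tif + tmp))" "$status"
    done
}

# Run as: sh profile_report.sh /home 31457280   (limit is a constructed value)
if [ "$#" -ge 2 ]; then profile_report "$1" "$2"; fi
```

A non-zero fourth column means a client is still uploading "Temporary Internet Files" or "Temp", i.e. the exclusion policy from ntconfig.pol is not being applied on that workstation.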