[Samba] Controlling use of roaming profiles

John H Terpstra jht at samba.org
Wed Feb 5 01:20:01 GMT 2003


On Wed, 5 Feb 2003, Jonathan Gowland wrote:

> We are using a system running Red Hat Linux 7.0 with Samba 2.2.7a as
> our PDC.
>
> For the most part, we want to use roaming profiles, so that users'
> settings are backed up via the PDC, and are available if they need to
> change or reinstall their Windows desktop machine.  However, there are
> a few Windows systems (running NT 4.0 or Windows 2000) for which
> we would like to be able to disable roaming profiles.
>
> Atlas is a system running Windows 2000 server.  It is a member of the
> domain.
>
> On a system running Windows NT 4.0 Terminal Server edition I did the
> following:
>
> - Logged on as local administrator.
>
> - Ran poledit.exe.
>
> - Added machine Atlas.
>
> - Double-clicked Atlas icon.  Under "Windows NT User Profiles"->"Choose
>    profile default operation", selected "Use local profile".
>
> - Saved as NTConfig.pol and copied to the root directory of the netlogon
>     share.
>
> When a user does a domain logon on Atlas, the Samba log log.atlas does
> not show NTConfig.pol being accessed.  When the user logs off, updates
> to the user's profiles are saved.
>
> Agrigento is a system running Windows 2000 Workstation, and is also a
> member of the domain.  I ran poledit.exe as above, but added a computer
> entry for Agrigento, and saved NTConfig.pol.
>
> When a user does a domain logon on Agrigento, the Samba log
> log.agrigento shows NTConfig.pol being accessed. However, when the user
> logs off, updates to the user's profiles are saved, so the policy change
> in NTConfig.pol seems to have no effect.

You need to make the profile a mandatory profile if you want it to be
read-only. The procedure is documented in the NT4/Win2K Server Resource
kits.

>
> So what am I doing wrong?  Is it possible to disable the use of roaming
> profiles on a per-machine basis?  (I've been told that you can do this
> on a per-account basis, but this is not appropriate for our needs.)

By default all MS Windows roaming profiles are 'user' centric. I do not
know of a way to do this on a 'machine-of-origin' basis. I am working on
this for a presentation at the SambaXP conference so I am interested in
any of your findings.

- John T.
-- 
John H Terpstra
Email: jht at samba.org

