[Samba] Re: Group Policy for Win2k/XP

Dragan Krnic dkrnic at lycos.com
Fri Jun 27 13:34:19 GMT 2003

>The thing that I have been having great difficulty 
>understanding, and this could be because of lack of 
>Windows knowledge but bear with me, is how you can 
>have DIFFERENT policy files based on... well, 

Shouldn't it be possible to add some macros like %m
to the "path =" parameter in [netlogon] stanza? I
haven't used the trick myself, but it sounds like
this is what you really want:

        path = /local/%m/netlogon
        write list = root
        browseable = No

>I know group support is limited... how about even 
>based on NetBIOS name as I can easily get that from 
>%m at least. I know, for example, the profile of a 
>Win2k machine will be located in 
>\\SERVER\NETLOGON\Default Profile, but what if
>I want to have one for lab PC's and one for Office 
>PC's, and for some remote sites, none at all, just 
>authentication? I know how to implement policies per 
>user, too, but I don't want to have to login as the 

Now that you mention it, can you share some of your
experiences? Which tool do you use? What is your
typical set of rules?

This is one area where I'm still having problems.
When a PC is added to a samba domain DOM I can see
that the local Administrators group gets a new member
DOM\Administrators and the Local Users group gets
DOM\Users. Everyone who can authenticate himself as
a DOM\User can use the PC. However, there is very
little they can do with their own environment. They
can't change the Wallpaper, they can't change Explorer
properties, the mounted shares are not carried forward
to a new session etc. Even if I add DOM\Users to the
group of local Power Users, no further privileges can
be seen.

So how do you set up such things with the group

>user, set the policy and then save the policy and log 
>out. How can I apply a policy to a user based on some 
>arbitrary information? Is the logon script early
>enough to do some work behind the scenes to symlink 
>the proper files into the right place, or... am I 
>totally off track here? I'm sure this is something 
>everyone does, but I can't for the life of me figure 
>out the way to make this stuff apply to different 
>users differently.

If privileges are right, you can do much with the
logon script (which is in [netlogon]). If you
configure the path to be dependent upon both %m
and %u then you can use links to set up any 
combination of machines getting their own profiles
and users getting their profiles too.
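
The layout described in the last paragraph, as an added example that is not part of the original post: a POSIX shell function that builds the `/local/%m/netlogon` directories as links to shared per-class policy directories, with an empty directory for machines that should only authenticate. The machine names, the class names and the `_classes` directory are constructed for illustration; each directory name has to match the string Samba substitutes for `%m` exactly, including case.

```shell
#!/bin/sh
# Added example: per-machine netlogon directories for "path = /local/%m/netlogon".
# MACHINE:CLASS pairs below are constructed sample data.
# Class "none" means authentication only, with no policy files or logon script.
MACHINE_MAP="lab01:lab
lab02:lab
office07:office
remote3:none"

# Accept only plain names so no map entry can point outside the tree.
valid_name() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# build_netlogon_tree ROOT   (ROOT stands in for /local from the post)
build_netlogon_tree() {
    root=$1
    rc=0
    mkdir -p "$root/_classes" || return 1
    for entry in $MACHINE_MAP; do
        machine=${entry%%:*}
        class=${entry#*:}
        valid_name "$machine" && valid_name "$class" || {
            echo "skipping bad entry: $entry" >&2
            rc=1
            continue
        }
        mkdir -p "$root/$machine" || return 1
        # Drop whatever was there before so reruns converge on the map.
        rm -rf "$root/$machine/netlogon"
        if [ "$class" = none ]; then
            # Empty directory: nothing for the client to pick up.
            mkdir "$root/$machine/netlogon" || return 1
        else
            mkdir -p "$root/_classes/$class/netlogon" || return 1
            # Relative link, so the tree can be moved or restored as a whole.
            ln -s "../_classes/$class/netlogon" "$root/$machine/netlogon" || return 1
        fi
    done
    # Keep the tree writable by its owner only, in line with "write list = root".
    chmod -R go-w "$root"
    return $rc
}
# Usage on the server, as root: build_netlogon_tree /local
```

Policy files and logon scripts are then maintained once per class under `_classes`, and every machine mapped to that class sees the same content through its own `%m` path.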
