[Samba] Laptop users as domain members; profiles

Scott Werschke scott at werschkes.com
Thu Sep 4 22:36:00 GMT 2003

Sounds great.  Thanks.  But are you also confirming that I have to use
roaming profiles to use cached credentials?  I have read some of the
possible scenarios where roaming profiles can cause loss of information.  It
also seems that to keep these profiles to a reasonable size and thus keep
logon times within reason, I might want to remap My Documents, Outlook
Express store folder, Outlook .pst files, and possibly others.  Do you have
any thoughts on these issues?

Also, I am still concerned about what appears to me to be a limit on caching
50 logons.  Windows 2000 security policy default is to limit the user to
caching 10 previous logons with a maximum of 50.  Perhaps I misunderstand
this policy.

Thanks again.

----- Original Message -----
From: "Doug MacFarlane" <madmac at orbent.com>
To: "Scott Werschke" <scott at werschkes.com>; <samba at lists.samba.org>
Sent: Thursday, September 04, 2003 3:25 PM
Subject: Re: [Samba] Laptop users as domain members; profiles

> Go ahead and add them to the domain.
> Once they have logged on to the domain once, they can disconnect from the
> domain and still log onto it.  They will get a message that "No Domain
> Controller Was Available to Authenticate Your Logon .  .  . You have been
> logged on with cached information."
> Profiles will get handled properly - when they come back to the domain,
> local profile is newer than the server-based one, so it will use the local
> one, and write it back to the server when they log off.
> madmac
> ----- Original Message -----
> From: "Scott Werschke" <scott at werschkes.com>
> To: <samba at lists.samba.org>
> Sent: Thursday, September 04, 2003 4:28 PM
> Subject: [Samba] Laptop users as domain members; profiles
> I would like to implement Samba as a PDC in our organization, but am
> wrestling with how to handle laptop users.
> If I join them to the domain and give them a domain account, I will still
> need to allow them a local account so that they can logon on the road.
> means that they will have two distinct accounts and two distinct profiles.
> I could initially make the two profiles identical by copying the existing
> profile to the domain profile or copying the existing profile to the
> profile before the domain profile is created, but subsequent changes to
> local profile would not be reflected in the domain profile and vice versa.
> I anticipate that this could cause great headaches for users and
> administrators.  If a user created or edited documents, added e-mail
> contacts or messages in Outlook Express or Outlook, etc. as a domain user
> while in the office, these changes would not be seen when they logged in
> the road as a local user.  I am aware that I could have the users login on
> the road as domain users using cached credentials, but to my knowledge
> experiments seem to verify this) caching domain credentials is limited to
> the use of roaming profiles.  I would like to avoid what seem to me to be
> lot of headaches with roaming profiles, i.e., potential loss of data,
> extensive logon time, etc.  Further, there appears to be a limit to the
> number of previous logons to cache - 50.  I don't have the power to limit
> the time of the trips our executives take or the number of times they are
> allowed to logon on the road.
> The best solution I can come up with now is to remap their My Documents
> folder, Outlook Express store folder and Outlook .pst files for both
> to locations outside of the profiles.  This is O.K. except the additional
> work in setting up the client, the potential that I have missed something
> critical that should be "non-exclusive" to the two profiles, and that I
> don't have any way of forcing them to login to the domain when they are in
> the office.  They could accidentally or intentionally login as a local
> in the office, and I would not be able to track usage in the office or
> utilize logon scripts.
> I am aware that some organizations seem to have a policy of simply not
> adding laptops to the domain, but with Samba this would also prevent me
> utilizing logon scripts.
> Any ideas would be appreciated.