[Samba] ntuser.dat

Sherwood Botsford sbotsford at sjsa.ab.ca
Wed Feb 7 18:54:30 GMT 2007

Keith Lynn wrote:
> What are the implications of locking the ntuser.dat file on the user's 
> server profile? That is, if I make the ntuser.dat file read-only, what 
> affects will that have on the client?
The follwoing is worth what you paid for it.  Maybe.

The client machine will fuss when the user logs out, and complain that 
it cannot copy the profle back.  Sometimes this means that other stuff 
in the profile directory won't get copied back too.

If you don't want the users to mess with the profile, then rename it 
from .dat to .man.
This creates a mandatory profile.  I think win clients know that this is 
not changeable and don't try. Users can make changes in the local copy,  
but they don't stick.  This is usually more hassle than it's worth, as 
some programs use the registry to save state.  (E.g. Nikon View saves 
the last open folder, and brings you back to that point on the next 

A third way to do it is to let the users have their individual profiles 
initially, then
run a script that copies a standard profile over the user profile every 
night.  This has to be
a profile usable by everyone, or has to be that user's profile from 

A fourth way to this is to make user that your netlogon share has the 
profile you want users to use, then just delete the ntuser.dat files 
every night.  The client saves the file without a problem, but the next 
day, it's not there so the default user profile is loaded instead.

The best way, I think would be to script the editing of the user's 
ntuser.dat file to reset the keys that you want set.  Probably can be 
done with policies too.  I'm just learning about policies.

More information about the samba mailing list