[Samba] roaming profile does not work for "Domain Admins"

?icro MEGAS micromegas at mail333.com
Thu Oct 30 08:12:01 MDT 2014


Hello list,

I am facing an issue which I cannot explain. The roaming profiles don't work for users that are members of the group "Domain Admins". The [profiles] share on the member server was configured exactly as explained on the wiki for roaming profiles. It works like a charm for all domain users, *BUT*: if a user is a member of the group "Domain Admins" it *doesn't* :-( That means in detail:

I create a new user "test1" and assign the correct profile directory to that user (\\membersrv\profiles\test1). I also add this user to the "MYDOM\Domain Admins" group. On the Windows client I log in for the first time as the "test1" user and I watch the content of the Linux filesystem on my member server. As soon as "test1" is logged in on the client, a directory membersrv:/srv/samba/profiles/test1 is created with the appropriate mode and owner+group. Up to here everything is fine, but as soon as user "test1" logs off, *NO DATA IS WRITTEN* into its roaming profile directory.

When I remove that user "test1" from the group "Domain Admins", so that as a result "test1" is not a member of "Domain Admins" anymore, the roaming profile works like a charm as one would expect. When the user logs off, data is written correctly to its roaming profile.

I don't suspect security issues on Windows or POSIX ACLs, because the user "test1" can create a directory "something" on \\membersrv\profiles and inside \\membersrv\profiles\something he is allowed to create subdirs or files. I don't think that's the problem. I ensured that by adding "EVERYONE" to the sharing and security settings for the [profiles] share, but it didn't help either.

I cannot explain what this is related to. I have been stuck here for many hours and have no clue where else to look. Any help is really appreciated.

Mirco

