[Samba] roaming profile does not work for "Domain Admins"

steve steve at steve-ss.com
Fri Oct 31 01:29:43 MDT 2014

On 30/10/14 23:37, Rowland Penny wrote:
> On 30/10/14 22:25, ?icro MEGAS wrote:
>> I am facing an issue which I cannot explain myself. The roaming
>> profiles don't work for users that are members of the group "Domain
>> Admins". The [profiles] share on the member server was configured
>> exactly as explained on the wiki for roaming profiles. It works like a
>> charm for all domain users, *BUT*: if a user is member of the group
>> "Domain Admins" it *doesn't* :-( That means in detail:
>> I create a new user "test1" and assign the correct profile directory
>> to that user (\\membersrv\profiles\test1). I add this user also to the
>> "MYDOM\Domain Admins" group. On the windows client I login for the
>> first time with "test1" user and I watch the content of the linux
>> filesystem on my member server. As soon as "test1" is logged in on the
>> client, a directory membersrv:/srv/samba/profiles/test1 is created
>> with the appropriate mode and owner+group. Until here everything is
>> fine, but as soon as user "test1" logs off, *NO DATA IS WRITTEN* into
>> its roaming profile directory.
>> When I remove that user "test1" from the group "Domain Admins", so in
>> result "test1" is not a member of "Domain Admins" anymore, the roaming
>> profile works like a charm as one would expect. When the user logs
>> off, data is written correctly to its roaming profile.
>> I don't suspect security issues on Windows or POSIX ACLs, because the
>> user "test1" can create directory "something" on \\membersrv\profiles
>> and inside \\membersrv\profiles\something he is allowed to create
>> subdirs or files. I don't think that's the problem. I ensured that by
>> putting "EVERYONE" to sharing and security settings for the [profiles]
>> share, but it didn't help either.
>> I cannot explain to myself what this is related to. I'm stuck here for
>> many hours and have no clue where else to look. Any help really
>> appreciated.
>> Mirco
>> Meanwhile I spent about 12 hours (!) on that problem and still didn't
>> solve it. It's really frustrating me :( The problem occurs with a
>> Windows XP workstation as well as on a Win7 workstation. Even when I "mkdir
>> -p /new/dir" on the member server, and create a new share in smb.conf,
>> then have "Everyone" in sharing settings, and "Everyone" in security
>> settings with FULL access, and assign the profile of user "johndoe" to
>> "\\membersrv\newshare\johndoe", it doesn't work. As I said before, I
>> don't suspect security/file permission, because the user can access
>> that particular directory and read/write directories+files in there.
>> And as said before: when I remove "johndoe" from "Domain Admins" group
>> it works fine. So what the hell is causing that problem? I also
>> checked my GPO if there's something active but there is not. I only
>> have the "default domain controller policy" and "default domain
>> policy". The latter one is empty, there are no objects. And even when
>> I check with "gpresult" on the windows clients, there are no settings
>> applied to those workstations. I
>> installed a completely new Win7 workstation just some minutes before
>> and tried with the new machine, no luck, same problem! :-( I also
>> tried by creating new users in my AD, but it didn't help either. As
>> long as these users are not members of "Domain Admins" it works, but
>> when they are members in "Domain Admins" it doesn't work and they
>> cannot use roaming profiles.
>> It's really really getting on my nerves meanwhile. What the hell is
>> going on there? Why cannot members of "MYDOM\Domain Admins" use
>> roaming profiles? Please, if anyone has an idea where to look, I'd
>> really appreciate it. Thanks a lot in advance.
>> Mirco
> Hi Mirco, isn't Samba4 AD wonderful, the way it works just like a
> Windows AD DC :-)
> Yes, the problem you are having isn't a problem, it is the way that
> Microsoft designed it, see here:
> https://social.technet.microsoft.com/Forums/windowsserver/en-US/7f03c07e-5a71-4ff3-abc1-50d3c14bf982/why-do-roaming-profiles-exclude-domain-admin-access?forum=winserverGP
> Rowland
Why do admins think they can enter people's private areas? It's nothing 
to do with you. You are merely there to make sure the computers work. So 
do just that. You do not dictate what others put in their profile. Just 
leave your users alone. When they have a problem they will tell you. 
Otherwise stay out.
