[Samba] Roaming Profiles GPO
Rowland Penny
rpenny at samba.org
Mon Dec 11 12:14:57 UTC 2023
On Mon, 11 Dec 2023 12:59:58 +0100
"Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
> Hi Rowland
>
> yes, if I do it according to this guide, it works indeed, but it does
> so for all accounts. However I don't want, for example, a roaming
> profile for the Administrator and a couple other accounts. Instead, I
> wanted this GPO only applied for one specific group. Isn't that
> possible?
>
> On Mon, 11 Dec 2023, 12:35 Rowland Penny via samba,
> <samba at lists.samba.org> wrote:
>
> > On Mon, 11 Dec 2023 11:30:43 +0100
> > "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
> >
> > > Good Day,
> > >
> > > I want to use a GPO to enable roaming profiles for certain users.
> > > For this, I followed this guide:
> > >
> > >
> > https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group
> > >
> > > I created in my directory the group "Roaming Profile Users" and
> > > added 2 users to it. Afterwards, I went to the GPO editor and
> > > created the GPO for the roaming profiles. I removed the
> > > "Authenticated users" from the "Security Filtering" and added the
> > > "Authenticated users" back on the "Delegation" tab.
> > > Further, I added my freshly created "Roaming Profile Users" group
> > > under "Security Filtering", because I understood it such that the
> > > GPO is only applied to the users and groups under "Security
> > > Filtering".
> > >
> > > So, according to my understanding, the configuration was correct.
> > > To make sure the GPO is in effect, I executed "gpupdate /force"
> > > and rebooted the computer. Now, when I want to login as one of
> > > the users in the "Roaming Profile Users" group, no roaming
> > > profile is created on my file share, and a normal local profile
> > > is created instead. On the other hand, when I add the
> > > "Authenticated users" to the "Security Filtering", everything
> > > works as expected, i.e. a roaming profile is created during
> > > login, but this happens for all domain users, not just for the
> > > ones I want. So obviously it seems like it does not work to apply
> > > a GPO only for one group, is this as intended or is this a bug?
> > >
> > > I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client.
> > >
> > > Thanks for any hints!
> >
> > Try reading this wiki page, it worked at the beginning of the month
> > :-)
> >
> > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
First, I do not use GPOs, not much point when you only have one Windows
computer and that is turned off more than it is on. However, I am sure
that someone does and will be along shortly.
In the meantime, if you read the wiki page I referred to, it uses
Domain Users and next to it is an asterisk '*' and under the box that
is in is this:
* You can alternatively set other groups, to enable the group members
to store their user profile on the share. When using different
groups, apply the permissions as displayed for Domain Users in the
previous example.
Or to put it another way, you started with 'Roaming Profile Users', so
use that instead of 'Domain Users'
Rowland
More information about the samba
mailing list