[Samba] Roaming Profiles GPO

Christian Naumer christian.naumer at greyfish.net
Mon Dec 11 12:12:08 UTC 2023


Hi Tobias,
it does not work without "Authenticated users" because every user needs 
at least read rights to make this work. You can still apply only to a 
certain group but you have to leave "Authenticated users" at least read 
access.

Here you see how to leave read but remove "apply Group Policy:

http://1.bp.blogspot.com/_1M_GH8sd96A/SeeGdyDYm6I/AAAAAAAAACU/k0NJLdX8SNs/s1600-h/Security+Filtering4.jpg


I do not have access to an RSAT installation at them moment so I can not 
show you resent example.


Regards

Christian


Am 11.12.23 um 12:59 schrieb Pluess, Tobias via samba:
> Hi Rowland
> 
> yes, if I do it according to this guide, it works indeed, but it does so
> for all accounts. However I don't want, for example, a roaming profile for
> the Administrator and a couple other accounts. Instead, I wanted this GPO
> only applied for one specific group. Isn't that possible?
> 
> On Mon, 11 Dec 2023, 12:35 Rowland Penny via samba, <samba at lists.samba.org>
> wrote:
> 
>> On Mon, 11 Dec 2023 11:30:43 +0100
>> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>>
>>> Good Day,
>>>
>>> I want to use a GPO to enable roaming profiles for certain users. For
>>> this, I followed this guide:
>>>
>>>
>> https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group
>>>
>>> I created in my directory the group "Roaming Profile Users" and added
>>> 2 users to it. Afterwards, I went to the GPO editor and created the
>>> GPO for the roaming profiles. I removed the "Authenticated users"
>>> from the "Security Filtering" and added the "Authenticated users"
>>> back on the "Delegation" tab.
>>> Further, I added my freshly created "Roaming Profile Users" group
>>> under "Security Filtering", because I understood it such that the GPO
>>> is only applied to the users and groups under "Security Filtering".
>>>
>>> So, according to my understanding, the configuration was correct. To
>>> make sure the GPO is in effect, I executed "gpupdate /force" and
>>> rebooted the computer. Now, when I want to login as one of the users
>>> in the "Roaming Profile Users" group, no roaming profile is created
>>> on my file share, and a normal local profile is created instead.
>>> On the other hand, when I add the "Authenticated users" to the
>>> "Security Filtering", everything works as expected, i.e. a roaming
>>> profile is created during login, but this happens for all domain
>>> users, not just for the ones I want.
>>> So obviously it seems like it does not work to apply a GPO only for
>>> one group, is this as intended or is this a bug?
>>>
>>> I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client.
>>>
>>> Thanks for any hints!
>>
>> Try reading this wiki page, it worked at the beginning of the month :-)
>>
>> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>




More information about the samba mailing list