[Samba] Roaming Profiles GPO

Kees van Vloten keesvanvloten at gmail.com
Mon Dec 11 12:38:58 UTC 2023


On 11-12-2023 at 11:30, Pluess, Tobias via samba wrote:
> Good Day,
>
> I want to use a GPO to enable roaming profiles for certain users. For this,
> I followed this guide:
>
> https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group
>
> I created in my directory the group "Roaming Profile Users" and added 2
> users to it. Afterwards, I went to the GPO editor and created the GPO for
> the roaming profiles. I removed the "Authenticated users" from the
> "Security Filtering" and added the "Authenticated users" back on the
> "Delegation" tab.
> Further, I added my freshly created "Roaming Profile Users" group under
> "Security Filtering", because I understood it such that the GPO is only
> applied to the users and groups under "Security Filtering".
I am using this with 4.19.2 and I have used quite some older versions in 
the past, but it works and has worked without issues for a long time.
>
> So, according to my understanding, the configuration was correct. To make
> sure the GPO is in effect, I executed "gpupdate /force" and rebooted the
> computer. Now, when I want to login as one of the users in the "Roaming
> Profile Users" group, no roaming profile is created on my file share, and a
> normal local profile is created instead.
> On the other hand, when I add the "Authenticated users" to the "Security
> Filtering", everything works as expected, i.e. a roaming profile is created
> during login, but this happens for all domain users, not just for the ones
> I want.
> So obviously it seems like it does not work to apply a GPO only for one
> group, is this as intended or is this a bug?

The most logical issue is in the (filesystem) permissions. Using GPMC, 
you set permissions on the GPO objects in LDAP and in sysvol on the GPO 
filetree (on the DC you are connected to). The filesystem 
permissions must be synced to all DCs. Not all sysvol sync mechanisms 
described on the wiki do a proper sync of permissions, and "samba-tool 
ntacl sysvol-reset" does not help here (as far as I experienced it). 
Windows is very picky about wrong permissions!

On the Windows client you can check GPOs loaded with "gpresult /r"

You can also do debugging on the client:

https://learn.microsoft.com/en-us/archive/blogs/askds/a-treatise-on-group-policy-troubleshootingnow-with-gpsvc-log-analysis
And the 3rd answer in: 
https://learn.microsoft.com/en-us/answers/questions/120736/gpos-not-applied-ad-group-issue

Further, GPOs on Windows are cached in (source: 
https://specopssoft.com/blog/things-work-group-policy-caching/):

     User GPO Settings – %localappdata%\GroupPolicy\DataStore
     Computer GPO Settings – %windir%\System32\GroupPolicy\DataStore


- Kees.

>
> I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client.
>
> Thanks for any hints!
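The reply above points at sysvol filesystem permissions that differ between DCs as the most likely cause. A quick way to check that is to collect the NT ACL of the GPO's sysvol folder from every DC (for example with "samba-tool ntacl get --as-sddl <path>" on each one) and compare them, while also confirming that the security-filtering group and Authenticated Users are actually granted read. The script below is an added example for this thread, not code from Samba or samba-tool. The SDDL strings, DC names ("dc1", "dc2") and the "Roaming Profile Users" SID are constructed sample data: dc2 was deliberately given an ACL that lacks the group's read ACE, which is the kind of drift a non-ACL-aware sysvol sync produces. Only a handful of well-known SID aliases are normalised; domain-relative aliases such as DA must match literally.

```python
"""Compare a GPO sysvol folder's NT ACL across DCs and confirm read access.

Added example for the samba list thread above; not Samba or samba-tool code.
SAMPLE_ACLS is constructed to look like `samba-tool ntacl get --as-sddl`
output gathered from two hypothetical DCs; GROUP_SID is a made-up SID.
"""
import re

# Well-known SDDL principal aliases that may be emitted instead of a full SID.
# Domain-relative aliases (DA, DU, ...) need the domain SID, so they are kept
# verbatim and must match literally between DCs.
SID_ALIAS = {"AU": "S-1-5-11", "SY": "S-1-5-18", "BA": "S-1-5-32-544",
             "WD": "S-1-1-0", "CO": "S-1-3-0"}

# Access-right abbreviations that may appear in an ACE rights field.
RIGHT_ALIAS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
               "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000,
               "GX": 0x20000000}
FILE_READ_DATA = 0x1          # present in every useful file "read" mask
GENERIC_READ = 0x80000000
READ_BITS = FILE_READ_DATA | GENERIC_READ

ACE_RE = re.compile(r"\(([^)]*)\)")
SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")


def parse_rights(field: str) -> int:
    """Turn an ACE rights field (hex mask or abbreviation string) into an int."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_ALIAS.get(field[i:i + 2], 0)
    return mask


def parse_sddl(sddl: str) -> dict:
    """Split SDDL into owner, group and an order-independent set of DACL ACEs.

    Each ACE becomes (type, flags, rights_mask, sid); ACE order differs
    harmlessly between DCs, so a frozenset makes comparison order-blind.
    """
    sections = dict(SECTION_RE.findall(sddl))
    aces = set()
    for inner in ACE_RE.findall(sections.get("D", "")):
        fields = inner.split(";")
        ace_type, flags, rights, sid = fields[0], fields[1], fields[2], fields[-1]
        aces.add((ace_type, flags, parse_rights(rights), SID_ALIAS.get(sid, sid)))
    return {"owner": sections.get("O", ""), "group": sections.get("G", ""),
            "dacl": frozenset(aces)}


def sids_without_read(sddl: str, sids) -> set:
    """Return the SIDs from `sids` that get no read allow ACE, or a read deny."""
    dacl = parse_sddl(sddl)["dacl"]
    missing = set()
    for sid in sids:
        own = [(t, m) for t, _, m, s in dacl if s == sid]
        allowed = any(t == "A" and m & READ_BITS for t, m in own)
        denied = any(t == "D" and m & READ_BITS for t, m in own)
        if denied or not allowed:
            missing.add(sid)
    return missing


def dcs_out_of_sync(acl_by_dc: dict) -> dict:
    """Compare each DC's DACL against the first DC's; report missing/extra ACEs."""
    names = list(acl_by_dc)
    reference = parse_sddl(acl_by_dc[names[0]])["dacl"]
    diff = {}
    for dc in names[1:]:
        dacl = parse_sddl(acl_by_dc[dc])["dacl"]
        if dacl != reference:
            diff[dc] = {"missing": reference - dacl, "extra": dacl - reference}
    return diff


# Constructed sample: the hypothetical "Roaming Profile Users" group SID and
# the ACL of one GPO folder as two DCs report it. dc2 lacks the group's ACE.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
AUTHENTICATED_USERS = "S-1-5-11"
SAMPLE_ACLS = {
    "dc1": "O:DAG:DAD:PAI(A;OICI;0x1f01ff;;;DA)(A;OICI;0x1f01ff;;;SY)"
           "(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;" + GROUP_SID + ")",
    "dc2": "O:DAG:DAD:PAI(A;OICI;0x1f01ff;;;SY)(A;OICI;0x1f01ff;;;DA)"
           "(A;OICI;0x1200a9;;;AU)",
}

if __name__ == "__main__":
    for dc, delta in dcs_out_of_sync(SAMPLE_ACLS).items():
        print(f"{dc}: missing {sorted(delta['missing'])}, extra {sorted(delta['extra'])}")
    for dc, sddl in SAMPLE_ACLS.items():
        gap = sids_without_read(sddl, [GROUP_SID, AUTHENTICATED_USERS])
        print(f"{dc}: principals without read: {sorted(gap) or 'none'}")
```

In practice you would replace SAMPLE_ACLS with the real SDDL gathered from each DC for the GPO's folder under sysvol (the GUID-named directory and its Machine/User subtrees) and run the same two checks; a DC listed as out of sync, or a principal listed as lacking read, is where the GPO will be read-filtered by Windows on clients that happen to talk to that DC.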
