[Samba] Roaming Profiles GPO

Peter Milesson miles at atmos.eu
Mon Dec 11 14:10:24 UTC 2023 


On 11.12.2023 11:30, Pluess, Tobias via samba wrote:
> Good Day,
>
> I want to use a GPO to enable roaming profiles for certain users. For this,
> I followed this guide:
>
> https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group
>
> I created in my directory the group "Roaming Profile Users" and added 2
> users to it. Afterwards, I went to the GPO editor and created the GPO for
> the roaming profiles. I removed the "Authenticated users" from the
> "Security Filtering" and added the "Authenticated users" back on the
> "Delegation" tab.
> Further, I added my freshly created "Roaming Profile Users" group under
> "Security Filtering", because I understood it such that the GPO is only
> applied to the users and groups under "Security Filtering".
>
> So, according to my understanding, the configuration was correct. To make
> sure the GPO is in effect, I executed "gpupdate /force" and rebooted the
> computer. Now, when I want to login as one of the users in the "Roaming
> Profile Users" group, no roaming profile is created on my file share, and a
> normal local profile is created instead.
> On the other hand, when I add the "Authenticated users" to the "Security
> Filtering", everything works as expected, i.e. a roaming profile is created
> during login, but this happens for all domain users, not just for the ones
> I want.
> So obviously it seems like it does not work to apply a GPO only for one
> group, is this as intended or is this a bug?
>
> I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client.
>
> Thanks for any hints!
Hi Tobias,

I have tried out the GPO handling quite extensively, and last time with 
Samba 4.18.6. If you are using RSAT, you can define the GPOs, but 
gpupdate probably will not work.  You need to open your Samba DCs and run

samba-gpupdate --force

You may also need to make a sysvolcheck and sysvolreset.

I'm now on Samba 4.19.3, but I haven't had time to check if the GPO 
problems persist. It's not that often I need to set GPOs

HTH.

Best regards,

Peter

More information about the samba mailing list