[Samba] Roaming Profiles GPO

Pluess, Tobias tpluess at ieee.org
Mon Dec 11 18:25:23 UTC 2023


Hi Rowland,

if I do it as you recommend,

* You can alternatively set other groups, to enable the group members to
store their user profile on the share. When using different groups, apply
the permissions as displayed for Domain Users in the previous example.

then it sort-of works: YES, a user that is not in the "Roaming Profile
Users" group does not get a roaming user profile created on the file server,
which is good, but he gets, on every login on Windows, the warning message
from the "User Profile Service" that his/her profile cannot be synced with
the server.

To me this makes 100% sense, because the GPO is applied to "Authenticated
Users", but if the user in question is not a member of the "Roaming User
Profiles" group, he/she cannot access the share on the file server.

I have uploaded a couple images to my web server to illustrate what I did:

https://hb9fsx.ch/nextcloud/s/PasbjdJGfyiaCa7

Images 1 to 8 show how I configured my GPO. This is according to the guide
from Microsoft

https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group

such that this policy should apply only to the "Roaming User Profiles"
security group. Note that "Authenticated Users" has read permission on the
policy, but does not apply the policy, and, further, "Roaming User
Profiles" has both read and apply permissions set.

Further, the share where the profiles shall be stored is
\\files\profiles\%USERNAME%, and in the last 2 images you can see that I
configured the file share permissions as advised by that wiki page you sent
me the link to.

Now, the weird thing is that it absolutely does not work when I set the
"Security Filtering" of the GPO to the "Roaming User Profiles" group, even
though that group has the "apply" permission set. Instead, the GPO only
works when I set the "Security Filtering" to "Authenticated Users", but
then EVERY user that is able to log in will get a roaming profile, but
since the shared folder \\files\profiles allows access only for the users
in the "Roaming User Profiles" group, one gets an error message that the
user profile could not be created successfully.



On Mon, Dec 11, 2023 at 1:15 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Mon, 11 Dec 2023 12:59:58 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
> > Hi Rowland
> >
> > yes, if I do it according to this guide, it works indeed, but it does
> > so for all accounts. However I don't want, for example, a roaming
> > profile for the Administrator and a couple other accounts. Instead, I
> > wanted this GPO only applied for one specific group. Isn't that
> > possible?
> >
> > On Mon, 11 Dec 2023, 12:35 Rowland Penny via samba,
> > <samba at lists.samba.org> wrote:
> >
> > > On Mon, 11 Dec 2023 11:30:43 +0100
> > > "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
> > >
> > > > Good Day,
> > > >
> > > > I want to use a GPO to enable roaming profiles for certain users.
> > > > For this, I followed this guide:
> > > >
> > > > https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group
> > > >
> > > > I created in my directory the group "Roaming Profile Users" and
> > > > added 2 users to it. Afterwards, I went to the GPO editor and
> > > > created the GPO for the roaming profiles. I removed the
> > > > "Authenticated users" from the "Security Filtering" and added the
> > > > "Authenticated users" back on the "Delegation" tab.
> > > > Further, I added my freshly created "Roaming Profile Users" group
> > > > under "Security Filtering", because I understood it such that the
> > > > GPO is only applied to the users and groups under "Security
> > > > Filtering".
> > > >
> > > > So, according to my understanding, the configuration was correct.
> > > > To make sure the GPO is in effect, I executed "gpupdate /force"
> > > > and rebooted the computer. Now, when I want to login as one of
> > > > the users in the "Roaming Profile Users" group, no roaming
> > > > profile is created on my file share, and a normal local profile
> > > > is created instead. On the other hand, when I add the
> > > > "Authenticated users" to the "Security Filtering", everything
> > > > works as expected, i.e. a roaming profile is created during
> > > > login, but this happens for all domain users, not just for the
> > > > ones I want. So obviously it seems like it does not work to apply
> > > > a GPO only for one group, is this as intended or is this a bug?
> > > >
> > > > I use Samba 4.17.12 on Debian and Windows 10 N LTSC as the client.
> > > >
> > > > Thanks for any hints!
> > >
> > > Try reading this wiki page, it worked at the beginning of the month
> > > :-)
> > >
> > > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
>
> First, I do not use GPOs, not much point when you only have one Windows
> computer and that is turned off more than it is on. However, I am sure
> that someone does and will be along shortly.
> In the meantime, if you read the wiki page I referred to, it uses
> Domain Users and next to it is an asterisk '*' and under the box that
> is in is this:
>
> * You can alternatively set other groups, to enable the group members
>   to store their user profile on the share. When using different
>   groups, apply the permissions as displayed for Domain Users in the
>   previous example.
>
> Or to put it another way, you started with 'Roaming Profile Users', so
> use that instead of 'Domain Users'
>
> Rowland

