[Samba] Roaming Profiles GPO
Peter Milesson
miles at atmos.eu
Mon Dec 11 19:03:12 UTC 2023
On 11.12.2023 19:48, Rowland Penny via samba wrote:
> On Mon, 11 Dec 2023 19:25:23 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
>> Hi Rowland,
>>
>> if I do it as you recommend,
>>
>> * You can alternatively set other groups, to enable the group members
>> to store their user profile on the share. When using different
>> groups, apply the permissions as displayed for Domain Users in the
>> previous example.
>>
>> then it sort of works: YES, a user that is not in the "Roaming Profile
>> Users" group does not get a roaming user profile created on the file
>> server, which is good, but he gets, on every login on Windows, the
>> warning message from the "User Profile Service", that his/her profile
>> cannot be synced with the server.
>>
>> To me this makes 100% sense, because the GPO is applied to
>> "Authenticated Users", but if the user in question is not a member of
>> the "Roaming User Profiles" group, he/she cannot access the share on
>> the file server.
>>
> I think using 'Authenticated Users' is the problem.
> From my understanding, this is a group that contains any user that has
> authenticated, so the GPO is running for ALL users.
> However, the actual profile isn't created unless the user is a member of
> the group you created.
>
> Rowland
>
Hi Tobias,
I had a similar problem when setting up redirected folders.
Authenticated users includes both users and domain computers. So I
created a group "Redir users" and then applied "Security filtering" only
to "Domain computers" and "Redir users". Don't forget to run samba-tool
ntacl sysvolcheck and then samba-tool ntacl sysvolreset if you get any
errors. As I mentioned, gpupdate /force under Windows doesn't work. The
last thing is to reboot the Windows machines. Just logging off and
logging on is not sufficient.
Best regards,
Peter
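
The security filtering described in the reply above, scripted with the GroupPolicy PowerShell module (RSAT) on a domain-joined Windows machine. This is an added example, not part of the original post; the GPO name is a hypothetical placeholder and 'Redir users' is the group named in the post.

```powershell
# Added example: restrict a GPO's security filtering to two groups.
# Assumptions: GPO name is hypothetical; 'Redir users' is the group from the post.
Import-Module GroupPolicy

$gpoName = 'Roaming Profiles'                   # hypothetical GPO name
$applyTo = 'Domain Computers', 'Redir users'    # groups that should receive the GPO

# Remove the default "Authenticated Users" entry. -Replace is required:
# without it Set-GPPermission never lowers an existing permission level.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null

# Grant Read + Apply to the intended groups. Keeping a computer group here
# matters: since MS16-072, user policy is fetched in the computer's security
# context, so the computer account must be able to read the GPO.
foreach ($group in $applyTo) {
    Set-GPPermission -Name $gpoName -TargetName $group `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Verify the result instead of trusting the calls above.
$acl     = Get-GPPermission -Name $gpoName -All
$applied = @($acl | Where-Object { $_.Permission -eq 'GpoApply' } |
                    ForEach-Object { $_.Trustee.Name })

$unexpected = @($applied | Where-Object { $_ -notin $applyTo })
$missing    = @($applyTo | Where-Object { $_ -notin $applied })

if ($unexpected.Count -gt 0) {
    Write-Warning "GPO still applies to: $($unexpected -join ', ')"
}
if ($missing.Count -gt 0) {
    Write-Warning "GPO does not apply to: $($missing -join ', ')"
}

# Show the final delegation for review.
$acl | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```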