[Samba] Roaming Profiles GPO

Peter Milesson miles at atmos.eu
Mon Dec 11 19:03:12 UTC 2023



On 11.12.2023 19:48, Rowland Penny via samba wrote:
> On Mon, 11 Dec 2023 19:25:23 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
>> Hi Rowland,
>>
>> if I do it as you recommend,
>>
>> * You can alternatively set other groups, to enable the group members
>> to store their user profile on the share. When using different
>> groups, apply the permissions as displayed for Domain Users in the
>> previous example.
>>
>> then it sort-of works: YES, a user that is not in the "Roaming Profile
>> Users" group does not get a roaming user profile created on the file
>> server, which is good, but he gets, on every login on Windows, the
>> warning message from the "User Profile Service", that his/her profile
>> cannot be synced with the server.
>>
>> To me this makes 100% sense, because the GPO is applied to
>> "Authenticated Users", but if the user in question is not a member of
>> the "Roaming User Profiles" group, he/she cannot access the share on
>> the file server.
>>
> I think using 'Authenticated Users' is the problem.
> From my understanding, this is a group that contains any user that has
> authenticated, so the GPO is running for ALL users.
> However, the actual profile isn't created unless the user is a member of
> the group you created.
>
> Rowland
>
Hi Tobias,

I had a similar problem when setting up redirected folders.

Authenticated users includes both users and domain computers. So I
created a group "Redir users" and then applied "Security filtering" only
to "Domain computers" and "Redir users". Don't forget to run samba-tool
ntacl sysvolcheck and then samba-tool ntacl sysvolreset if you get any
errors. As I mentioned, gpupdate /force under Windows doesn't work. The
last thing is to reboot the Windows machines. Just logging off and on
again is not sufficient.

Best regards,

Peter




