[Samba] Roaming Profiles GPO

Rowland Penny rpenny at samba.org
Mon Dec 11 19:20:25 UTC 2023


On Mon, 11 Dec 2023 20:03:12 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:

> 
> 
> On 11.12.2023 19:48, Rowland Penny via samba wrote:
> > On Mon, 11 Dec 2023 19:25:23 +0100
> > "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
> >
> >>   Hi Rowland,
> >>
> >> if I do it as you recommend,
> >>
> >> * You can alternatively set other groups, to enable the group
> >> members to store their user profile on the share. When using
> >> different groups, apply the permissions as displayed for Domain
> >> Users in the previous example.
> >>
> >> then it sort-of works: YES, a user that is not in the "Roaming
> >> Profile Users" group does not get a roaming user profile created
> >> on the file server, which is good, but he gets, on every login on
> >> Windows, the warning message from the "User Profile Service", that
> >> his/her profile cannot be synced with the server.
> >>
> >> To me this makes 100% sense, because the GPO is applied to
> >> "Authenticated Users", but if the user in question is not a member
> >> of the "Roaming User Profiles" group, he/she cannot access the
> >> share on the file server.
> >>
> > I think using 'Authenticated Users' is the problem.
> > From my understanding, this is a group that contains any user that
> > has authenticated, so the GPO is running for ALL users.
> > However, the actual profile isn't created unless the user is a
> > member of the group you created.
> >    
> > Rowland
> >
> Hi Tobias,
> 
> I had a similar problem when setting up redirected folders.
> 
> Authenticated users includes both users and domain computers.

That makes sense, when you consider that a computer in AD is just a
user with an extra objectclass.

> So I 
> created a group "Redir users" and then applied "Security filtering"
> only to "Domain computers" and "Redir users". Don't forget to run
> samba-tool ntacl sysvolcheck and then samba-tool ntacl sysvolreset if
> you get any errors. As I mentioned, gpupdate /force under Windows
> doesn't work. The last thing is to reboot the Windows machines. Just a
> logoff and logon is not sufficient.
> 

I think you are saying, use another group instead of 'Authenticated
Users'.

Rowland




