[Samba] Roaming Profiles GPO

Peter Milesson miles at atmos.eu
Mon Dec 11 19:46:16 UTC 2023



On 11.12.2023 20:20, Rowland Penny via samba wrote:
> On Mon, 11 Dec 2023 20:03:12 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>
>> On 11.12.2023 19:48, Rowland Penny via samba wrote:
>>> On Mon, 11 Dec 2023 19:25:23 +0100
>>> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>>>
>>>> Hi Rowland,
>>>>
>>>> if I do it as you recommend,
>>>>
>>>> * You can alternatively set other groups, to enable the group
>>>> members to store their user profile on the share. When using
>>>> different groups, apply the permissions as displayed for Domain
>>>> Users in the previous example.
>>>>
>>>> then it sort-of works: YES, a user that is not in the "Roaming
>>>> Profile Users" group does not get a roaming user profile created on
>>>> the file server, which is good, but he gets, on every login on
>>>> Windows, the warning message from the "User Profile Service", that
>>>> his/her profile cannot be synced with the server.
>>>>
>>>> To me this makes 100% sense, because the GPO is applied to
>>>> "Authenticated Users", but if the user in question is not a member of
>>>> the "Roaming User Profiles" group, he/she cannot access the share
>>>> on the file server.
>>>>
>>> I think using 'Authenticated Users' is the problem.
>>> From my understanding, this is a group that contains any user that
>>> has authenticated, so the GPO is running for ALL users.
>>> However, the actual profile isn't created unless the user is a
>>> member of the group you created.
>>>
>>> Rowland
>>>
>> Hi Tobias,
>>
>> I had a similar problem when setting up redirected folders.
>>
>> Authenticated users includes both users and domain computers.
> That makes sense, when you consider that a computer in AD is just a
> user with an extra objectclass.
>
>> So I
>> created a group "Redir users" and then applied "Security filtering"
>> only to "Domain computers" and "Redir users". Don't forget to run
>> samba-tool ntacl sysvolcheck and then samba-tool ntacl sysvolreset if
>> you get any errors. As I mentioned, gpupdate /force under Windows
>> doesn't work. The last thing is to reboot the Windows machines. Just
>> logoff and logon is not sufficient.
>>
> I think you are saying, use another group instead of 'Authenticated
> Users'.
>
> Rowland
>
>
>
Hi Rowland,

Yes, you read my mind. I have got another domain, where I applied just 
that. But that was a long time ago, and I almost forgot it. No use to 
have redirected folders on servers that only work with technical stuff.

Best regards,

Peter
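
The scope mismatch discussed in this thread, as an added example that is not part of any poster's message: a simplified model that lists user accounts matched by a GPO's security filter but lacking access to the profile share. It assumes the policy is scoped only by security filtering and the share is usable only by the named groups; all account and group data are constructed.

```python
# Constructed sample directory: account -> explicit group memberships.
# Names are illustrative only, not taken from a real domain.
ACCOUNTS = {
    "alice": {"Domain Users", "Roaming Profile Users"},
    "bob": {"Domain Users"},
    "PC01$": {"Domain Computers"},
}

# Every authenticated account, user or computer, matches this principal.
IMPLICIT = {"Authenticated Users"}


def effective_groups(account):
    """Explicit memberships plus the implicit 'Authenticated Users'."""
    return ACCOUNTS[account] | IMPLICIT


def in_scope(account, security_filter):
    """True if any principal in the GPO security filter matches the account."""
    return bool(effective_groups(account) & set(security_filter))


def profile_sync_failures(security_filter, share_groups):
    """User accounts that receive the profile policy but cannot use the share.

    Assumption (simplified model): the policy is scoped only by security
    filtering, and the share grants access only to share_groups.
    """
    failures = []
    for account in sorted(ACCOUNTS):
        if account.endswith("$"):
            # Assumption: computer accounts do not load a profile from the share.
            continue
        can_use_share = bool(effective_groups(account) & set(share_groups))
        if in_scope(account, security_filter) and not can_use_share:
            failures.append(account)
    return failures


if __name__ == "__main__":
    share = {"Roaming Profile Users"}
    # Filter left at the default principal: every user is in scope.
    print(profile_sync_failures({"Authenticated Users"}, share))
    # Filter narrowed to the computers plus the dedicated group.
    print(profile_sync_failures({"Domain Computers", "Roaming Profile Users"}, share))
```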




