<para>
Done. You now have a profile that can be editted using the samba-3.0.0
-profiles tool.
+<filename>profiles</filename> tool.
</para>
<note>
<title>Mandatory profiles</title>
<para>
-The above method can be used to create mandatory profiles also. To convert
-a group profile into a mandatory profile simply locate the NTUser.DAT file
-in the copied profile and rename it to NTUser.MAN.
+A Mandatory Profile is a profile that the user does NOT have the ability to overwrite.
+During the user's session it may be possible to change the desktop environment, but
+as the user logs out all changes made will be lost. If it is desired to NOT allow the
+user any ability to change the desktop environment then this must be done through
+policy settings. See previous chapter.
+</para>
+
+<note>
+<para>
+Under NO circumstances should the profile directory (or it's contents) be made read-only
+as this may render the profile un-usable.
+</para>
+</note>
+
+<para>
+For MS Windows NT4/200x/XP the above method can be used to create mandatory profiles
+also. To convert a group profile into a mandatory profile simply locate the NTUser.DAT
+file in the copied profile and rename it to NTUser.MAN.
+</para>
+
+<para>
+For MS Windows 9x / Me it is the User.DAT file that must be renamed to User.MAN to
+affect a mandatory profile.
</para>
</sect1>
<title>Creating/Managing Group Profiles</title>
<para>
-Blah goes here.
+Most organisations are arranged into departments. There is a nice benenfit in
+this fact since usually most users in a department will require the same desktop
+applications and the same desktop layout. MS Windows NT4/200x/XP will allow the
+use of Group Profiles. A Group Profile is a profile that is created firstly using
+a template (example) user. Then using the profile migration tool (see above) the
+profile is assigned access rights for the user group that needs to be given access
+to the group profile.
+</para>
+
+<para>
+The next step is rather important. PLEASE NOTE: Instead of assigning a group profile
+to users (ie: Using User Manager) on a "per user" basis, the group itself is assigned
+the now modified profile.
</para>
+
+<note>
+ <para>
+ Be careful with group profiles, if the user who is a member of a group also
+ has a personal profile, then the result will be a fusion (merge) of the two.
+ </para>
+</note>
+
</sect1>
+
+<sect1>
+<title>Default Profile for Windows Users</title>
+
+<para>
+MS Windows 9x / Me and NT4/200x/XP will use a default profile for any user for whom
+a profile does not already exist. Armed with a knowledge of where the default profile
+is located on the Windows workstation, and knowing which registry keys affect the path
+from which the default profile is created, it is possible to modify the default profile
+to one that has been optimised for the site. This has significant administrative
+advantages.
+<para>
+
+<sect2>
+<title>MS Windows 9x/Me</title>
+
+<para>
+To enable default per use profiles in Windows 9x / Me you can either use the Windows 98 System
+Policy Editor or change the registry directly.
+</para>
+
+<para>
+To enable default per user profiles in Windows 9x / Me, launch the System Policy Editor, then
+select File -> Open Registry, then click on the Local Computer icon, click on Windows 98 System,
+select User Profiles, click on the enable box. Do not forget to save the registry changes.
+</para>
+
+<para>
+To modify the registry directly, launch the Registry Editor (regedit.exe), select the hive
+<filename>HKEY_LOCAL_MACHINE\Network\Logon</filename>. Now add a DWORD type key with the name
+"User Profiles", to enable user profiles set the value to 1, to disable user profiles set it to 0.
+</para>
+
+</sect2>
+
+<sect2>
+<title>MS Windows NT4 Workstation</title>
+
+<para>
+Document NT4 default profile handling stuff here! Someone - please contribute appropriate
+material here. Email your contribution to jht@samba.org.
+</para>
+
+</sect2>
+
+<sect2>
+<title>MS Windows 200x/XP</title>
+
+ <note>
+ <para>
+ MS Windows XP Home Edition does use default per user profiles, but can not participate
+ in domain security, can not log onto an NT/ADS style domain, and thus can obtain the profile
+ only from itself. While there are benefits in doing this the beauty of those MS Windows
+ clients that CAN participate in domain logon processes allows the administrator to create
+ a global default profile and to enforce it through the use of Group Policy Objects (GPOs).
+ </para>
+ </note>
+
+<para>
+When a new user first logs onto MS Windows 200x/XP machine the default profile is obtained from
+<filename>C:\Documents and Settings\Default User</filename>. The administrator can modify (or change
+the contents of this location and MS Windows 200x/XP will gladly user it. This is far from the optimum
+arrangement since it will involve copying a new default profile to every MS Windows 200x/XP client
+workstation.
+</para>
+
+<para>
+When MS Windows 200x/XP participate in a domain security context, and if the default user
+profile is not found, then the client will search for a default profile in the NETLOGON share
+of the authenticating server. ie: In MS Windows parlance:
+<filename>%LOGONSERVER%\NETLOGON\Default User</filename> and if one exits there it will copy this
+to the workstation to the <filename>C:\Documents and Settings\</filename> under the Windows
+login name of the user.
+</para>
+
+ <note>
+ <para>
+ This path translates, in Samba parlance, to the smb.conf [NETLOGON] share. The directory
+ should be created at the root of this share and msut be called <filename>Default Profile</filename>.
+ </para>
+ </note>
+
+<para>
+If a default profile does not exist in this location then MS Windows 200x/XP will use the local
+default profile.
+</para>
+
+<para>
+On loging out, the users' desktop profile will be stored to the location specified in the registry
+settings that pertain to the user. If no specific policies have been created, or passed to the client
+during the login process (as Samba does automatically), then the user's profile will be written to
+the local machine only under the path <filename>C:\Documents and Settings\%USERNAME%</filename>.
+</para>
+
+<para>
+Those wishing to modify the default behaviour can do so through up to three methods:
+</para>
+
+<itemizedlist>
+ <listitem>
+ <para>
+ Modify the registry keys on the local machine manually and place the new default profile in the
+ NETLOGON share root - NOT recommended as it is maintenance intensive.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Create an NT4 style NTConfig.POL file that specified this behaviour and locate this file
+ in the root of the NETLOGON share along with the new default profile.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Create a GPO that enforces this through Active Directory, and place the new default profile
+ in the NETLOGON share.
+ </para>
+ </listitem>
+</itemizedlist>
+
+<para>
+The Registry Hive key that affects the behaviour of folders that are part of the default user profile
+are controlled by entries on Windows 200x/XP is:
+</para>
+
+<para>
+<programlisting>
+ HKEY_CURRENT_USER
+ \Software
+ \Microsoft
+ \Windows NT
+ \CurrentVersion
+ \Explorer
+ \User Shell Folders\
+</programlisting>
+</para>
+
+<para>
+The above hive key contains a list of automatically managed folders. The default entries are:
+</para>
+
+ <para>
+ <programlisting>
+ Name Default Value
+ -------------- -----------------------------------------
+ AppData %USERPROFILE%\Application Data
+ Cache %USERPROFILE%\Local Settings\Temporary Internet Files
+ Cookies %USERPROFILE%\Cookies
+ Desktop %USERPROFILE%\Desktop
+ Favorites %USERPROFILE%\Favorites
+ History %USERPROFILE%\Local Settings\History
+ Local AppData %USERPROFILE%\Local Settings\Application Data
+ Local Settings %USERPROFILE%\Local Settings
+ My Pictures %USERPROFILE%\My Documents\My Pictures
+ NetHood %USERPROFILE%\NetHood
+ Personal %USERPROFILE%\My Documents
+ PrintHood %USERPROFILE%\PrintHood
+ Programs %USERPROFILE%\Start Menu\Programs
+ Recent %USERPROFILE%\Recent
+ SendTo %USERPROFILE%\SendTo
+ Start Menu %USERPROFILE%\Start Menu
+ Startup %USERPROFILE%\Start Menu\Programs\Startup
+ Templates %USERPROFILE%\Templates
+ </programlisting>
+ </para>
+
+<para>
+There is also an entry called "Default" that has no value set. The default entry is of type REG_SZ, all
+the others are of type REG_EXPAND_SZ.
+</para>
+
+<para>
+It makes a huge difference to the speed of handling roaming user profiles if all the folders are
+stored on a dedicated location on a network server. This means that it will NOT be necessary to
+write Outlook PST file over the network for every login and logout.
+</para>
+
+<para>
+To set this to a network location you could use the followin examples:
+
+ %LOGONSERVER%\%USERNAME%\Default Folders
+
+This would store the folders in the user's home directory under a directory called "Default Folders"
+
+You could also use:
+
+ \\SambaServer\FolderShare\%USERNAME%
+
+in which case the default folders will be stored in the server named <emphasis>SambaServer</emphasis>
+in the share called <emphasis>FolderShare</emphasis> under a directory that has the name of the MS Windows
+user as seen by the Linux/Unix file system.
+</para>
+
+<para>
+Please note that once you have created a default profile share, you MUST migrate a user's profile
+(default or custom) to it.
+</para>
+
+</sect2
+</sect1>
+
</chapter>
git.samba.org / kai / samba.git / commitdiff