Hi Rowland yes, if I do it according to this guide, it works indeed, but it does so for all accounts. However I don't want, for example, a roaming profile for the Administrator and a couple other accounts. Instead, I wanted this GPO only applied for one specific group. Isn't that possible? On Mon, 11 Dec 2023, 12:35 Rowland Penny via samba, <samba at lists.samba.org> wrote:> On Mon, 11 Dec 2023 11:30:43 +0100 > "Pluess, Tobias via samba" <samba at lists.samba.org> wrote: > > > Good Day, > > > > I want to use a GPO to enable roaming profiles for certain users. For > > this, I followed this guide: > > > > > https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group > > > > I created in my directory the group "Roaming Profile Users" and added > > 2 users to it. Afterwards, I went to the GPO editor and created the > > GPO for the roaming profiles. I removed the "Authenticated users" > > from the "Security Filtering" and added the "Authenticated users" > > back on the "Delegation" tab. > > Further, I added my freshly created "Roaming Profile Users" group > > under "Security Filtering", because I understood it such that the GPO > > is only applied to the users and groups under "Security Filtering". > > > > So, according to my understanding, the configuration was correct. To > > make sure the GPO is in effect, I executed "gpupdate /force" and > > rebooted the computer. Now, when I want to login as one of the users > > in the "Roaming Profile Users" group, no roaming profile is created > > on my file share, and a normal local profile is created instead. > > On the other hand, when I add the "Authenticated users" to the > > "Security Filtering", everything works as expected, i.e. a roaming > > profile is created during login, but this happens for all domain > > users, not just for the ones I want. > > So obviously it seems like it does not work to apply a GPO only for > > one group, is this as intended or is this a bug? > > > > I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client. > > > > Thanks for any hints! > > Try reading this wiki page, it worked at the beginning of the month :-) > > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Tobias, i experienced exactly the same thing, file server for the shares is 4.18 and the clients windows 10 pro, so you are not alone (if that is any comfort). m?n 11 dec. 2023 kl. 13:01 skrev Pluess, Tobias via samba < samba at lists.samba.org>:> Hi Rowland > > yes, if I do it according to this guide, it works indeed, but it does so > for all accounts. However I don't want, for example, a roaming profile for > the Administrator and a couple other accounts. Instead, I wanted this GPO > only applied for one specific group. Isn't that possible? > > On Mon, 11 Dec 2023, 12:35 Rowland Penny via samba, <samba at lists.samba.org > > > wrote: > > > On Mon, 11 Dec 2023 11:30:43 +0100 > > "Pluess, Tobias via samba" <samba at lists.samba.org> wrote: > > > > > Good Day, > > > > > > I want to use a GPO to enable roaming profiles for certain users. For > > > this, I followed this guide: > > > > > > > > > https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group > > > > > > I created in my directory the group "Roaming Profile Users" and added > > > 2 users to it. Afterwards, I went to the GPO editor and created the > > > GPO for the roaming profiles. I removed the "Authenticated users" > > > from the "Security Filtering" and added the "Authenticated users" > > > back on the "Delegation" tab. > > > Further, I added my freshly created "Roaming Profile Users" group > > > under "Security Filtering", because I understood it such that the GPO > > > is only applied to the users and groups under "Security Filtering". > > > > > > So, according to my understanding, the configuration was correct. To > > > make sure the GPO is in effect, I executed "gpupdate /force" and > > > rebooted the computer. Now, when I want to login as one of the users > > > in the "Roaming Profile Users" group, no roaming profile is created > > > on my file share, and a normal local profile is created instead. > > > On the other hand, when I add the "Authenticated users" to the > > > "Security Filtering", everything works as expected, i.e. a roaming > > > profile is created during login, but this happens for all domain > > > users, not just for the ones I want. > > > So obviously it seems like it does not work to apply a GPO only for > > > one group, is this as intended or is this a bug? > > > > > > I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client. > > > > > > Thanks for any hints! > > > > Try reading this wiki page, it worked at the beginning of the month :-) > > > > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles > > > > Rowland > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Hi Tobias, it does not work without "Authenticated users" because every user needs at least read rights to make this work. You can still apply only to a certain group but you have to leave "Authenticated users" at least read access. Here you see how to leave read but remove "apply Group Policy: http://1.bp.blogspot.com/_1M_GH8sd96A/SeeGdyDYm6I/AAAAAAAAACU/k0NJLdX8SNs/s1600-h/Security+Filtering4.jpg I do not have access to an RSAT installation at them moment so I can not show you resent example. Regards Christian Am 11.12.23 um 12:59 schrieb Pluess, Tobias via samba:> Hi Rowland > > yes, if I do it according to this guide, it works indeed, but it does so > for all accounts. However I don't want, for example, a roaming profile for > the Administrator and a couple other accounts. Instead, I wanted this GPO > only applied for one specific group. Isn't that possible? > > On Mon, 11 Dec 2023, 12:35 Rowland Penny via samba, <samba at lists.samba.org> > wrote: > >> On Mon, 11 Dec 2023 11:30:43 +0100 >> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote: >> >>> Good Day, >>> >>> I want to use a GPO to enable roaming profiles for certain users. For >>> this, I followed this guide: >>> >>> >> https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group >>> >>> I created in my directory the group "Roaming Profile Users" and added >>> 2 users to it. Afterwards, I went to the GPO editor and created the >>> GPO for the roaming profiles. I removed the "Authenticated users" >>> from the "Security Filtering" and added the "Authenticated users" >>> back on the "Delegation" tab. >>> Further, I added my freshly created "Roaming Profile Users" group >>> under "Security Filtering", because I understood it such that the GPO >>> is only applied to the users and groups under "Security Filtering". >>> >>> So, according to my understanding, the configuration was correct. To >>> make sure the GPO is in effect, I executed "gpupdate /force" and >>> rebooted the computer. Now, when I want to login as one of the users >>> in the "Roaming Profile Users" group, no roaming profile is created >>> on my file share, and a normal local profile is created instead. >>> On the other hand, when I add the "Authenticated users" to the >>> "Security Filtering", everything works as expected, i.e. a roaming >>> profile is created during login, but this happens for all domain >>> users, not just for the ones I want. >>> So obviously it seems like it does not work to apply a GPO only for >>> one group, is this as intended or is this a bug? >>> >>> I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client. >>> >>> Thanks for any hints! >> >> Try reading this wiki page, it worked at the beginning of the month :-) >> >> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles >> >> Rowland >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >>
On Mon, 11 Dec 2023 12:59:58 +0100 "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:> Hi Rowland > > yes, if I do it according to this guide, it works indeed, but it does > so for all accounts. However I don't want, for example, a roaming > profile for the Administrator and a couple other accounts. Instead, I > wanted this GPO only applied for one specific group. Isn't that > possible? > > On Mon, 11 Dec 2023, 12:35 Rowland Penny via samba, > <samba at lists.samba.org> wrote: > > > On Mon, 11 Dec 2023 11:30:43 +0100 > > "Pluess, Tobias via samba" <samba at lists.samba.org> wrote: > > > > > Good Day, > > > > > > I want to use a GPO to enable roaming profiles for certain users. > > > For this, I followed this guide: > > > > > > > > https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group > > > > > > I created in my directory the group "Roaming Profile Users" and > > > added 2 users to it. Afterwards, I went to the GPO editor and > > > created the GPO for the roaming profiles. I removed the > > > "Authenticated users" from the "Security Filtering" and added the > > > "Authenticated users" back on the "Delegation" tab. > > > Further, I added my freshly created "Roaming Profile Users" group > > > under "Security Filtering", because I understood it such that the > > > GPO is only applied to the users and groups under "Security > > > Filtering". > > > > > > So, according to my understanding, the configuration was correct. > > > To make sure the GPO is in effect, I executed "gpupdate /force" > > > and rebooted the computer. Now, when I want to login as one of > > > the users in the "Roaming Profile Users" group, no roaming > > > profile is created on my file share, and a normal local profile > > > is created instead. On the other hand, when I add the > > > "Authenticated users" to the "Security Filtering", everything > > > works as expected, i.e. a roaming profile is created during > > > login, but this happens for all domain users, not just for the > > > ones I want. So obviously it seems like it does not work to apply > > > a GPO only for one group, is this as intended or is this a bug? > > > > > > I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client. > > > > > > Thanks for any hints! > > > > Try reading this wiki page, it worked at the beginning of the month > > :-) > > > > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles > > > > Rowland > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > >First, I do not use GPOs, not much point when you only have one Windows computer and that is turned off more than it is on. However, I am sure that someone does and will be along shortly. In the meantime, if you read the wiki page I referred to, it uses Domain Users and next to it is an asterisk '*' and under the box that is in is this: * You can alternatively set other groups, to enable the group members to store their user profile on the share. When using different groups, apply the permissions as displayed for Domain Users in the previous example. Or to put it another way, you started with 'Roaming Profile Users', so use that instead of 'Domain Users' Rowland