Good Day,

I want to use a GPO to enable roaming profiles for certain users. For this, I followed this guide:

https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group

I created in my directory the group "Roaming Profile Users" and added 2 users to it. Afterwards, I went to the GPO editor and created the GPO for the roaming profiles. I removed the "Authenticated users" from the "Security Filtering" and added the "Authenticated users" back on the "Delegation" tab.
Further, I added my freshly created "Roaming Profile Users" group under "Security Filtering", because I understood it such that the GPO is only applied to the users and groups under "Security Filtering".

So, according to my understanding, the configuration was correct. To make sure the GPO is in effect, I executed "gpupdate /force" and rebooted the computer. Now, when I want to log in as one of the users in the "Roaming Profile Users" group, no roaming profile is created on my file share, and a normal local profile is created instead.
On the other hand, when I add the "Authenticated users" to the "Security Filtering", everything works as expected, i.e. a roaming profile is created during login, but this happens for all domain users, not just for the ones I want.
So obviously it seems like it does not work to apply a GPO only for one group, is this as intended or is this a bug?

I use Samba 4.17.12 on Debian and Windows 10 N LTSC as the client.

Thanks for any hints!

On Mon, 11 Dec 2023 11:30:43 +0100 "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:

> Good Day,
>
> I want to use a GPO to enable roaming profiles for certain users. For
> this, I followed this guide:
>
> https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group
>
> I created in my directory the group "Roaming Profile Users" and added
> 2 users to it. Afterwards, I went to the GPO editor and created the
> GPO for the roaming profiles. I removed the "Authenticated users"
> from the "Security Filtering" and added the "Authenticated users"
> back on the "Delegation" tab.
> Further, I added my freshly created "Roaming Profile Users" group
> under "Security Filtering", because I understood it such that the GPO
> is only applied to the users and groups under "Security Filtering".
>
> So, according to my understanding, the configuration was correct. To
> make sure the GPO is in effect, I executed "gpupdate /force" and
> rebooted the computer. Now, when I want to login as one of the users
> in the "Roaming Profile Users" group, no roaming profile is created
> on my file share, and a normal local profile is created instead.
> On the other hand, when I add the "Authenticated users" to the
> "Security Filtering", everything works as expected, i.e. a roaming
> profile is created during login, but this happens for all domain
> users, not just for the ones I want.
> So obviously it seems like it does not work to apply a GPO only for
> one group, is this as intended or is this a bug?
>
> I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client.
>
> Thanks for any hints!

Try reading this wiki page, it worked at the beginning of the month :-)

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Rowland

You can also take a look at my tutorial from SambaXP:

https://u.pcloud.link/publink/show?code=XZ3bsRVZTShsXcE4k4m3DsgeYklEBLkP4sty

On 11.12.23 at 11:30, Pluess, Tobias via samba wrote:

> Good Day,
>
> I want to use a GPO to enable roaming profiles for certain users. For this,
> I followed this guide:
>
> https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group
>
> I created in my directory the group "Roaming Profile Users" and added 2
> users to it. Afterwards, I went to the GPO editor and created the GPO for
> the roaming profiles. I removed the "Authenticated users" from the
> "Security Filtering" and added the "Authenticated users" back on the
> "Delegation" tab.
> Further, I added my freshly created "Roaming Profile Users" group under
> "Security Filtering", because I understood it such that the GPO is only
> applied to the users and groups under "Security Filtering".
>
> So, according to my understanding, the configuration was correct. To make
> sure the GPO is in effect, I executed "gpupdate /force" and rebooted the
> computer. Now, when I want to login as one of the users in the "Roaming
> Profile Users" group, no roaming profile is created on my file share, and a
> normal local profile is created instead.
> On the other hand, when I add the "Authenticated users" to the "Security
> Filtering", everything works as expected, i.e. a roaming profile is created
> during login, but this happens for all domain users, not just for the ones
> I want.
> So obviously it seems like it does not work to apply a GPO only for one
> group, is this as intended or is this a bug?
>
> I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client.
>
> Thanks for any hints!

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps to reduce spam and protects your privacy.
A free certificate is available at https://www.dgn.de/dgncert/index.html

On 11-12-2023 at 11:30, Pluess, Tobias via samba wrote:

> Good Day,
>
> I want to use a GPO to enable roaming profiles for certain users. For this,
> I followed this guide:
>
> https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group
>
> I created in my directory the group "Roaming Profile Users" and added 2
> users to it. Afterwards, I went to the GPO editor and created the GPO for
> the roaming profiles. I removed the "Authenticated users" from the
> "Security Filtering" and added the "Authenticated users" back on the
> "Delegation" tab.
> Further, I added my freshly created "Roaming Profile Users" group under
> "Security Filtering", because I understood it such that the GPO is only
> applied to the users and groups under "Security Filtering".

I am using this with 4.19.2 and I have used quite some older versions in the past, but it works and has worked without issues for a long time.

>
> So, according to my understanding, the configuration was correct. To make
> sure the GPO is in effect, I executed "gpupdate /force" and rebooted the
> computer. Now, when I want to login as one of the users in the "Roaming
> Profile Users" group, no roaming profile is created on my file share, and a
> normal local profile is created instead.
> On the other hand, when I add the "Authenticated users" to the "Security
> Filtering", everything works as expected, i.e. a roaming profile is created
> during login, but this happens for all domain users, not just for the ones
> I want.
> So obviously it seems like it does not work to apply a GPO only for one
> group, is this as intended or is this a bug?

The most logical issue is in the (filesystem) permissions.

Using GPMC, you set permissions on the GPO objects in LDAP and in sysvol on the GPO filetree (on the DC where you are connected to). The filesystem permissions must be synced to all DCs. Not all sysvol sync mechanisms described on the wiki do a proper sync of permissions and "samba-tool ntacl sysvolreset" does not help here (as far as I experienced it). Windows is very picky on wrong permissions!

On the Windows client you can check GPOs loaded with "gpresult /r".

You can also do debugging on the client:
https://learn.microsoft.com/en-us/archive/blogs/askds/a-treatise-on-group-policy-troubleshootingnow-with-gpsvc-log-analysis

And the 3rd answer in:
https://learn.microsoft.com/en-us/answers/questions/120736/gpos-not-applied-ad-group-issue

Further, GPOs on Windows are cached in (source: https://specopssoft.com/blog/things-work-group-policy-caching/):

- User GPO Settings: %localappdata%\GroupPolicy\DataStore
- Computer GPO Settings: %windir%\System32\GroupPolicy\DataStore

- Kees.

>
> I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client.
>
> Thanks for any hints!
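
GPMC's "Security Filtering" and "Delegation" tabs, which this thread turns on, are two views of one ACL on the GPO object: a trustee is in the security filter when it holds both Read and the Apply Group Policy extended right, and is a read-only delegate when it holds Read alone. The sketch below is an added example, not part of any message in the thread and not Samba code; it reads that ACL in SDDL form and reports both sets. The sample descriptor and group SID are constructed, rights are assumed to be in two-letter SDDL form, and deny entries are matched per trustee without resolving group membership.

```python
import re

# Added example (not from the thread): read a GPO's ACL in SDDL form the way
# GPMC's "Security Filtering" and "Delegation" tabs present it.
APPLY_GPO = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"  # Apply-Group-Policy extended right

def parse_aces(sddl):
    """Return (type, rights, object GUID, trustee) for allow/deny ACEs."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        f = body.split(";")
        if len(f) < 6 or f[0] not in ("A", "OA", "D", "OD"):
            continue  # audit and other ACE types do not grant access
        # Assumption: rights are two-letter SDDL codes, not a hex mask.
        rights = {f[2][i:i + 2] for i in range(0, len(f[2]), 2)}
        aces.append((f[0], rights, f[3].lower(), f[5]))
    return aces

def gpo_access(sddl):
    """Map trustee -> {'read', 'apply'}; a deny ACE for the same trustee wins."""
    allow, deny = {}, {}
    for typ, rights, guid, who in parse_aces(sddl):
        # Read: read-property on the whole object (no object GUID).
        read = guid == "" and bool(rights & {"RP", "GR", "GA"})
        # Apply: control-access (CR) on Apply-Group-Policy, or on all extended rights.
        apply_ = "GA" in rights or ("CR" in rights and guid in ("", APPLY_GPO))
        entry = (deny if typ in ("D", "OD") else allow).setdefault(
            who, {"read": False, "apply": False})
        entry["read"] |= read
        entry["apply"] |= apply_
    return {who: {k: v and not deny.get(who, {}).get(k, False) for k, v in a.items()}
            for who, a in allow.items()}

def security_filter(sddl):
    """Trustees the GPO applies to: Read plus Apply Group Policy."""
    return sorted(w for w, a in gpo_access(sddl).items() if a["read"] and a["apply"])

def read_only(sddl):
    """Trustees that can read the GPO but do not apply it."""
    return sorted(w for w, a in gpo_access(sddl).items() if a["read"] and not a["apply"])

# Constructed sample: Authenticated Users (AU) hold Read only, the group holds both.
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID
SAMPLE = ("O:DAG:DAD:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPLCLORC;;;ED)"
          f"(A;CI;RPLCLORC;;;AU)(A;CI;RPLCLORC;;;{GROUP})(OA;CI;CR;{APPLY_GPO};;{GROUP})")

if __name__ == "__main__":
    print("applies to:", security_filter(SAMPLE))
    print("read only :", read_only(SAMPLE))
```

Running the same functions over the descriptor read from each DC shows whether the LDAP side of the filter is identical everywhere; the sysvol file ACLs discussed above are a separate check.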

On 11.12.2023 11:30, Pluess, Tobias via samba wrote:

> Good Day,
>
> I want to use a GPO to enable roaming profiles for certain users. For this,
> I followed this guide:
>
> https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group
>
> I created in my directory the group "Roaming Profile Users" and added 2
> users to it. Afterwards, I went to the GPO editor and created the GPO for
> the roaming profiles. I removed the "Authenticated users" from the
> "Security Filtering" and added the "Authenticated users" back on the
> "Delegation" tab.
> Further, I added my freshly created "Roaming Profile Users" group under
> "Security Filtering", because I understood it such that the GPO is only
> applied to the users and groups under "Security Filtering".
>
> So, according to my understanding, the configuration was correct. To make
> sure the GPO is in effect, I executed "gpupdate /force" and rebooted the
> computer. Now, when I want to login as one of the users in the "Roaming
> Profile Users" group, no roaming profile is created on my file share, and a
> normal local profile is created instead.
> On the other hand, when I add the "Authenticated users" to the "Security
> Filtering", everything works as expected, i.e. a roaming profile is created
> during login, but this happens for all domain users, not just for the ones
> I want.
> So obviously it seems like it does not work to apply a GPO only for one
> group, is this as intended or is this a bug?
>
> I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client.
>
> Thanks for any hints!

Hi Tobias,

I have tried out the GPO handling quite extensively, and last time with Samba 4.18.6.

If you are using RSAT, you can define the GPOs, but gpupdate probably will not work. You need to open your Samba DCs and run

samba-gpupdate --force

You may also need to make a sysvolcheck and sysvolreset.

I'm now on Samba 4.19.3, but I haven't had time to check if the GPO problems persist. It's not that often I need to set GPOs.

HTH.

Best regards,

Peter