samba - Feb 2005 - Creating mandatory profiles (not making profiles mandatory)

Hi,
is it possible to create the user profiles by copying a template, change 
file ownership and modify the SID in NTUSER.DAT using the profile tool?
We have many problems with broken profiles. This has become time 
consuming and frustrating - when a user experiences an error or weird 
behaviour of an application I can never be sure wether the cause is a 
"wrong user error", a broken profile or defect in installation. If I 
want all users or groups of users to have the same profile I should be 
able to create it for them.
I already use the "default user", but with that I only can make a 
profile mandatory after the user's first logoff.
I could try myself, but I sometimes experience that "tricks" that work
at first and look good have some side effects I didn't think of, so I 
would appreciate comments from people who tried that, or maybe someone 
knows why this is rather a bad idea.

With kind regards,
Malte Mueller

Ilia Chipitsine schrieb:
>> Hi,
>> is it possible to create the user profiles by copying a template, 
>> change file ownership and modify the SID in NTUSER.DAT using the 
>> profile tool?
>> We have many problems with broken profiles. This has become time 
>> consuming
>
>                           ^^^^^^^^^^^^^^^
> there're few tips which I came to after using roaming profiles for 
> several years, those tips will significately reduce number of problems 
> with roaming profiles:
>
> 1) watch that profiles are less than 30Mb (number of files also is 
> important)
>
> 2) when user first logs in, if there no profile exists, "Default
User"
> profile is taken from \\$LOGONSERVER\NETLOGON, so you can have special 
> default profile for new users. otherwise local "Default User"
profile
> is taken.
>
> 3) redirect common folders like Desktop, My Documents out of roaming 
> profile. they can live on network share in user's home directory, but 
> not in the roaming profile. this can be achived either by manipulating 
> registry directly or by using nt4 style domain policies, I can even 
> send You custom ADM template for that.
>
> Outlook.pst can also be redirected out of roaming profile.
> simply move it to another place and start MS Outlook, it will ask You 
> where to find outlook.pst
>
> 4) be careful with terminal services. samba doesn't understand 
> separate profiles for terminal services, so you can ruin roaming profile.
>
> 5) make sure you are using the same version of Windows on all computers.
> w2k <--> xp can also break many things in profile
>
> 6) make sure other things than Windows are the same on all computers.
> particularly MS Office.
>
> 7) You can create "profile backup system",
>
> put, for example
>
> regedit /e \\SERVER\share\%UserName%-of2k3.reg 
> "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0"
>
> at logon script and after that You can easily delete broken profile 
> and restore required things from backup.
>
> 8) xp behave weird on roaming profiles.
> even if You reqiure "delete cached copies of roaming profiles on 
> exit", xp leaves copy and !!! if You delete network copy of roaming 
> profile (in order to create profile from "Default User"), xp
picks up
> local cached copy. so, in such case You need to remove both network 
> and local cached copy of profile. no idea how to make xp delete it on 
> exit.
>
>> and frustrating - when a user experiences an error or weird behaviour 
>> of an application I can never be sure wether the cause is a "wrong
>> user error", a broken profile or defect in installation. If I want
>> all users or groups of users to have the same profile I should be 
>> able to create it for them.
>> I already use the "default user", but with that I only can
make a
>> profile mandatory after the user's first logoff.
>> I could try myself, but I sometimes experience that "tricks"
that
>> work at first and look good have some side effects I didn't think
of,
>> so I would appreciate comments from people who tried that, or maybe 
>> someone knows why this is rather a bad idea.
>>
>> With kind regards,
>> Malte Mueller
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>
>
>
Thanks a lot Ilia!

We have 200 PC and nearly all have a reborn-card or such, which prevents 
any lokal changes, so local copies of profiles do not exist. Users log 
in very often to different Computers and need to have a defined 
environment i.e. an available profile. I already use a "default 
user"-profile and redirected folders (thanks John, the book helped a 
lot). Nevertheless I feel that I cannot rely on the profiles' integrety 
once a user had a chance to modify it. Making a registry copy is a good 
tip, i will use that, at least for some users. But rather than backing 
up I would very much appreciate to set up a defined profile for each 
user. I think it would make life a lot easier for me (and the users).

With kind regards
Malte Mueller

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

|> 5) make sure you are using the same version of Windows on all computers.
|> w2k <--> xp can also break many things in profile

Use %a in your path names to fix this.  %a will be replaced with the
architecture of your system, i.e. Win2K,WinXP,WinNT etc. etc.

Jim C.
- --
- -----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844  |
|---------------------------------------------------------------|
| Y!: j_c_llings            Jabber: jcllings @ njs.netlab.cz	|
- -----------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCAcEL57L0B7uXm9oRAiUBAJ9zjr8eiR08/o4W3AqgfcpgeTq9nQCfd0I5
xiI7TSGlqElu+GvbaUnhEmc=Jq4t
-----END PGP SIGNATURE-----

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> |> 5) make sure you are using the same version of Windows on all
computers.
> |> w2k <--> xp can also break many things in profile
>
> Use %a in your path names to fix this.  %a will be replaced with the
> architecture of your system, i.e. Win2K,WinXP,WinNT etc. etc.
>
hmm, people usually expect to see the same profile even under different 
OSes. it will be pain in the ass especially if You have hundreds users.
> Jim C.
> - --
> - -----------------------------------------------------------------
> | I can be reached on the following Instant Messenger services: |
> |---------------------------------------------------------------|
> | MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844  |
> |---------------------------------------------------------------|
> | Y!: j_c_llings            Jabber: jcllings @ njs.netlab.cz	|
> - -----------------------------------------------------------------
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCAcEL57L0B7uXm9oRAiUBAJ9zjr8eiR08/o4W3AqgfcpgeTq9nQCfd0I5
> xiI7TSGlqElu+GvbaUnhEmc> =Jq4t
> -----END PGP SIGNATURE-----
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>