Hi Rowland,

if I do it as you recommend,

* You can alternatively set other groups, to enable the group members to
store their user profile on the share. When using different groups, apply
the permissions as displayed for Domain Users in the previous example.

then it sort-of works: YES, a user that is not in the "Roaming Profile
Users" group does not get a roaming user profile created on the file
server, which is good, but he gets, on every login on Windows, the warning
message from the "User Profile Service" that his/her profile cannot be
synced with the server.

To me this makes 100% sense, because the GPO is applied to "Authenticated
Users", but if the user in question is not a member of the "Roaming User
Profiles" group, he/she cannot access the share on the file server.

I have uploaded a couple images to my web server to illustrate what I did:
https://hb9fsx.ch/nextcloud/s/PasbjdJGfyiaCa7

Images 1 to 8 show how I configured my GPO. This is according to the guide
from Microsoft
https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group
such that this policy should apply only to the "Roaming User Profiles"
security group. Note that "Authenticated Users" has read permission on
the policy, but does not apply the policy, and, further, "Roaming User
Profiles" has both read and apply permissions set.

Further, the share where the profiles shall be stored on is
\\files\profiles\%USERNAME%, and in the last 2 images you can see that I
configured the file share permissions as advised by that wiki page you sent
me the link to.

Now, the weird thing is that it does absolutely not work when I set the
"Security Filtering" of the GPO to the "Roaming User Profiles" group, even
though that group has the "apply" permission set. Instead, the GPO only
works when I set the "Security Filtering" to "Authenticated Users", but
then, EVERY user that is able to log in will get a roaming profile, but
since the shared folder \\files\profiles allows access only for the users
in the "Roaming User Profiles" group, one gets an error message that the
user profile could not be created successfully.

On Mon, Dec 11, 2023 at 1:15 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Mon, 11 Dec 2023 12:59:58 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
> > Hi Rowland
> >
> > yes, if I do it according to this guide, it works indeed, but it does
> > so for all accounts. However I don't want, for example, a roaming
> > profile for the Administrator and a couple other accounts. Instead, I
> > wanted this GPO only applied for one specific group. Isn't that
> > possible?
> >
> > On Mon, 11 Dec 2023, 12:35 Rowland Penny via samba,
> > <samba at lists.samba.org> wrote:
> >
> > > On Mon, 11 Dec 2023 11:30:43 +0100
> > > "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
> > >
> > > > Good Day,
> > > >
> > > > I want to use a GPO to enable roaming profiles for certain users.
> > > > For this, I followed this guide:
> > > >
> > > > https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group
> > > >
> > > > I created in my directory the group "Roaming Profile Users" and
> > > > added 2 users to it. Afterwards, I went to the GPO editor and
> > > > created the GPO for the roaming profiles. I removed the
> > > > "Authenticated users" from the "Security Filtering" and added the
> > > > "Authenticated users" back on the "Delegation" tab.
> > > > Further, I added my freshly created "Roaming Profile Users" group
> > > > under "Security Filtering", because I understood it such that the
> > > > GPO is only applied to the users and groups under "Security
> > > > Filtering".
> > > >
> > > > So, according to my understanding, the configuration was correct.
> > > > To make sure the GPO is in effect, I executed "gpupdate /force"
> > > > and rebooted the computer. Now, when I want to login as one of
> > > > the users in the "Roaming Profile Users" group, no roaming
> > > > profile is created on my file share, and a normal local profile
> > > > is created instead. On the other hand, when I add the
> > > > "Authenticated users" to the "Security Filtering", everything
> > > > works as expected, i.e. a roaming profile is created during
> > > > login, but this happens for all domain users, not just for the
> > > > ones I want. So obviously it seems like it does not work to apply
> > > > a GPO only for one group, is this as intended or is this a bug?
> > > >
> > > > I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client.
> > > >
> > > > Thanks for any hints!
> > >
> > > Try reading this wiki page, it worked at the beginning of the month
> > > :-)
> > >
> > > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
> > >
>
> First, I do not use GPOs, not much point when you only have one Windows
> computer and that is turned off more than it is on. However, I am sure
> that someone does and will be along shortly.
> In the meantime, if you read the wiki page I referred to, it uses
> Domain Users and next to it is an asterisk '*' and under the box that
> it is in is this:
>
> * You can alternatively set other groups, to enable the group members
> to store their user profile on the share. When using different
> groups, apply the permissions as displayed for Domain Users in the
> previous example.
>
> Or to put it another way, you started with 'Roaming Profile Users', so
> use that instead of 'Domain Users'
>
> Rowland