On Mon, 11 Dec 2023 19:25:23 +0100
"Pluess, Tobias via samba" <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> if I do it as you recommend,
>
> * You can alternatively set other groups, to enable the group members
>   to store their user profile on the share. When using different
>   groups, apply the permissions as displayed for Domain Users in the
>   previous example.
>
> then it sort-of works: YES, a user that is not in the "Roaming Profile
> Users" group does not get a roaming user profile created on the file
> server, which is good, but he gets, on every login on Windows, the
> warning message from the "User Profile Service" that his/her profile
> cannot be synced with the server.
>
> To me this makes 100% sense, because the GPO is applied to
> "Authenticated Users", but if the user in question is not a member of
> the "Roaming User Profiles" group, he/she cannot access the share on
> the file server.
>

I think using 'Authenticated Users' is the problem.
From my understanding, this is a group that contains any user that has
authenticated, so the GPO is running for ALL users.
However, the actual profile isn't created unless the user is a member of
the group you created.

Rowland
On 11.12.2023 19:48, Rowland Penny via samba wrote:
> On Mon, 11 Dec 2023 19:25:23 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
>> Hi Rowland,
>>
>> if I do it as you recommend,
>>
>> * You can alternatively set other groups, to enable the group members
>>   to store their user profile on the share. When using different
>>   groups, apply the permissions as displayed for Domain Users in the
>>   previous example.
>>
>> then it sort-of works: YES, a user that is not in the "Roaming Profile
>> Users" group does not get a roaming user profile created on the file
>> server, which is good, but he gets, on every login on Windows, the
>> warning message from the "User Profile Service" that his/her profile
>> cannot be synced with the server.
>>
>> To me this makes 100% sense, because the GPO is applied to
>> "Authenticated Users", but if the user in question is not a member of
>> the "Roaming User Profiles" group, he/she cannot access the share on
>> the file server.
>>
> I think using 'Authenticated Users' is the problem.
> From my understanding, this is a group that contains any user that has
> authenticated, so the GPO is running for ALL users.
> However, the actual profile isn't created unless the user is a member of
> the group you created.
>
> Rowland
>

Hi Tobias,

I had a similar problem when setting up redirected folders.
Authenticated Users includes both users and domain computers.
So I created a group "Redir users" and then applied "Security filtering"
only to "Domain Computers" and "Redir users".

Don't forget to run samba-tool ntacl sysvolcheck and then
samba-tool ntacl sysvolreset if you get any errors.

As I mentioned, gpupdate /force under Windows doesn't work.
The last thing is to reboot the Windows machines. Just logoff and logon
is not sufficient.

Best regards,
Peter
On 11.12.23 at 19:48, Rowland Penny via samba wrote:
> On Mon, 11 Dec 2023 19:25:23 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
>> Hi Rowland,
>>
>> if I do it as you recommend,
>>
>> * You can alternatively set other groups, to enable the group members
>>   to store their user profile on the share. When using different
>>   groups, apply the permissions as displayed for Domain Users in the
>>   previous example.
>>
>> then it sort-of works: YES, a user that is not in the "Roaming Profile
>> Users" group does not get a roaming user profile created on the file
>> server, which is good, but he gets, on every login on Windows, the
>> warning message from the "User Profile Service" that his/her profile
>> cannot be synced with the server.
>>
>> To me this makes 100% sense, because the GPO is applied to
>> "Authenticated Users", but if the user in question is not a member of
>> the "Roaming User Profiles" group, he/she cannot access the share on
>> the file server.
>>
>
> I think using 'Authenticated Users' is the problem.
> From my understanding, this is a group that contains any user that has
> authenticated, so the GPO is running for ALL users.
> However, the actual profile isn't created unless the user is a member of
> the group you created.
>

If you remove "Authenticated Users" you will get an error message that
you must add Domain Computers to the ACL of the GPO. Best practice is to
create an OU structure so you can stay with "Authenticated Users".

As I posted before, look at my tutorial from SambaXP; there you will find
everything you need to get roaming profiles with folder redirection running.

> Rowland
>

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy.
You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
Download of the root certificates: https://www.dgn.de/dgncert/downloads.html
New GPG key: the public key is attached.
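To make the diagnosis in this thread concrete (Rowland's point that a GPO filtered to "Authenticated Users" runs for every user while only group members can reach the profile share, Peter's note that "Authenticated Users" also contains computer accounts, and Stefan's warning that Domain Computers must keep Read on the GPO), here is a small model of the two checks involved. It is an added example, not code from the samba list, from Samba or from Windows: it does not talk to a domain controller, and every principal, group membership and ACL in it is constructed sample data. It evaluates, for each user, whether the roaming-profile GPO applies to them and whether they hold any right on the profile share, and lists the users who would get the "User Profile Service" warning because the first is true and the second is not.

```python
"""Model of GPO security filtering vs. profile-share ACLs (added example).

Constructed sample data only; it does not query AD or a file server.
Assumptions labelled below: group names, user names and ACLs are invented.
"""

from dataclasses import dataclass, field

# Built-in identities as they appear in the thread.
AUTHENTICATED_USERS = "Authenticated Users"
DOMAIN_COMPUTERS = "Domain Computers"


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset          # explicit group memberships (constructed)
    is_computer: bool = False

    def tokens(self):
        # Every authenticated user AND every computer account is implicitly
        # a member of 'Authenticated Users', which is why a GPO filtered to
        # that identity runs for everyone.
        return self.groups | {self.name, AUTHENTICATED_USERS}


@dataclass(frozen=True)
class Gpo:
    name: str
    # Identities holding both Read and Apply Group Policy on the GPO.
    apply_to: frozenset
    # Identities holding Read only. Computer accounts need at least Read
    # to download the policy, so Domain Computers belongs here when
    # 'Authenticated Users' is removed from the filter.
    read_only: frozenset = field(default_factory=frozenset)

    def applies_to(self, p):
        return bool(p.tokens() & self.apply_to)

    def readable_by(self, p):
        return bool(p.tokens() & (self.apply_to | self.read_only))


def can_use_share(p, share_acl):
    """True if any of the principal's identities appears in the share ACL."""
    return bool(p.tokens() & share_acl)


def profile_warnings(users, gpo, share_acl):
    """Users who receive the roaming-profile GPO but cannot reach the share.

    These are exactly the accounts that get the 'profile cannot be synced'
    warning at every logon.
    """
    return sorted(u.name for u in users
                  if gpo.applies_to(u) and not can_use_share(u, share_acl))


def computers_missing_read(computers, gpo):
    """Computer accounts that cannot even read the GPO (policy silently skipped)."""
    return sorted(c.name for c in computers if not gpo.readable_by(c))


# --- constructed sample domain -------------------------------------------
ROAMING_GROUP = "Roaming Profile Users"          # group name from the thread
alice = Principal("alice", frozenset({ROAMING_GROUP}))   # constructed user
bob = Principal("bob", frozenset())                      # constructed user
pc01 = Principal("PC01$", frozenset({DOMAIN_COMPUTERS}), is_computer=True)

# Profile share ACL as in the wiki recipe: only the roaming group has rights.
SHARE_ACL = frozenset({ROAMING_GROUP})

# Original setup: GPO filtered to 'Authenticated Users'.
gpo_broken = Gpo("Roaming Profiles", apply_to=frozenset({AUTHENTICATED_USERS}))

# Filter narrowed to the group but Domain Computers forgotten (Stefan's error).
gpo_no_computers = Gpo("Roaming Profiles", apply_to=frozenset({ROAMING_GROUP}))

# Peter's arrangement: group gets Apply, Domain Computers keep Read.
gpo_fixed = Gpo("Roaming Profiles", apply_to=frozenset({ROAMING_GROUP}),
                read_only=frozenset({DOMAIN_COMPUTERS}))

if __name__ == "__main__":
    for g in (gpo_broken, gpo_no_computers, gpo_fixed):
        print(g.apply_to, g.read_only,
              "warnings:", profile_warnings([alice, bob], g, SHARE_ACL),
              "computers without Read:", computers_missing_read([pc01], g))
```

Running the block prints one line per GPO variant: with "Authenticated Users" in the filter, bob is flagged; with only the group and no Read for Domain Computers, no user is flagged but PC01$ is, which is the "add Domain Computers" error Stefan describes; with the group for Apply and Domain Computers for Read, both lists are empty. The model deliberately ignores OU linking, so Stefan's alternative (keep "Authenticated Users" and scope by OU) is not represented here.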