On Mon, 11 Dec 2023 20:03:12 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>
> On 11.12.2023 19:48, Rowland Penny via samba wrote:
> > On Mon, 11 Dec 2023 19:25:23 +0100
> > "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
> >
> >> Hi Rowland,
> >>
> >> if I do it as you recommend,
> >>
> >> * You can alternatively set other groups, to enable the group
> >> members to store their user profile on the share. When using
> >> different groups, apply the permissions as displayed for Domain
> >> Users in the previous example.
> >>
> >> then it sort-of works: YES, a user that is not in the "Roaming
> >> Profile Users" group does not get a roaming user profile created on
> >> the file server, which is good, but he gets, on every login on
> >> Windows, the warning message from the "User Profile Service", that
> >> his/her profile cannot be synced with the server.
> >>
> >> To me this makes 100% sense, because the GPO is applied to
> >> "Authenticated Users", but if the user in question is not a member of
> >> the "Roaming User Profiles" group, he/she cannot access the share
> >> on the file server.
> >>
> > I think using 'Authenticated Users' is the problem.
> > From my understanding, this is a group that contains any user that
> > has authenticated, so the GPO is running for ALL users.
> > However, the actual profile isn't created unless the user is a
> > member of the group you created.
> >
> > Rowland
> >
> Hi Tobias,
>
> I had a similar problem when setting up redirected folders.
>
> Authenticated users includes both users and domain computers.
That makes sense, when you consider that a computer in AD is just a
user with an extra objectclass.
> So I created a group "Redir users" and then applied "Security filtering"
> only to "Domain computers" and "Redir users". Don't forget to run
> samba-tool ntacl sysvolcheck and then samba-tool ntacl sysvolreset if
> you get any errors. As I mentioned, gpupdate /force under Windows
> doesn't work. The last thing is to reboot the Windows machines. Just
> logoff and logon is not sufficient.
>
I think you are saying, use another group instead of 'Authenticated
Users'.
Rowland