samba - Dec 2023 - Roaming Profiles GPO

You can also take a look at my tutorial from SambaXP
https://u.pcloud.link/publink/show?code=XZ3bsRVZTShsXcE4k4m3DsgeYklEBLkP4sty

Am 11.12.23 um 11:30 schrieb Pluess, Tobias via samba:
> Good Day,
> 
> I want to use a GPO to enable roaming profiles for certain users. For this,
> I followed this guide:
> 
>
https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group
> 
> I created in my directory the group "Roaming Profile Users" and
added 2
> users to it. Afterwards, I went to the GPO editor and created the GPO for
> the roaming profiles. I removed the "Authenticated users" from
the
> "Security Filtering" and added the "Authenticated
users" back on the
> "Delegation" tab.
> Further, I added my freshly created "Roaming Profile Users" group
under
> "Security Filtering", because I understood it such that the GPO
is only
> applied to the users and groups under "Security Filtering".
> 
> So, according to my understanding, the configuration was correct. To make
> sure the GPO is in effect, I executed "gpupdate /force" and
rebooted the
> computer. Now, when I want to login as one of the users in the
"Roaming
> Profile Users" group, no roaming profile is created on my file share,
and a
> normal local profile is created instead.
> On the other hand, when I add the "Authenticated users" to the
"Security
> Filtering", everything works as expected, i.e. a roaming profile is
created
> during login, but this happens for all domain users, not just for the ones
> I want.
> So obviously it seems like it does not work to apply a GPO only for one
> group, is this as intended or is this a bug?
> 
> I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client.
> 
> Thanks for any hints!
-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signieren jeder E-Mail hilft Spam zu reduzieren und sch?tzt Ihre 
Privatsph?re. Ein kostenfreies Zertifikat erhalten Sie unter 
https://www.dgn.de/dgncert/index.html

Great tutorial for all of us that have been fighting with this setup over the
years. I have a couple of follow up questions though

On page 8, you mention that existing local profiles should be deleted. Is there
any pre-cautions that should be taken before doing this (to prevent data loss
for example)?
The tutorial I straight forward for a new setup, but what is your practice when
it comes to updating an existing domain with these features, again to prevent
data loss and sad users.

/A
> On Dec 11, 2023, at 13:12, Stefan Kania via samba <samba at
lists.samba.org> wrote:
> 
> You can also take a look at my tutorial from SambaXP
>
https://u.pcloud.link/publink/show?code=XZ3bsRVZTShsXcE4k4m3DsgeYklEBLkP4sty
> 
> Am 11.12.23 um 11:30 schrieb Pluess, Tobias via samba:
>> Good Day,
>> I want to use a GPO to enable roaming profiles for certain users. For
this,
>> I followed this guide:
>>
https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group
>> I created in my directory the group "Roaming Profile Users"
and added 2
>> users to it. Afterwards, I went to the GPO editor and created the GPO
for
>> the roaming profiles. I removed the "Authenticated users"
from the
>> "Security Filtering" and added the "Authenticated
users" back on the
>> "Delegation" tab.
>> Further, I added my freshly created "Roaming Profile Users"
group under
>> "Security Filtering", because I understood it such that the
GPO is only
>> applied to the users and groups under "Security Filtering".
>> So, according to my understanding, the configuration was correct. To
make
>> sure the GPO is in effect, I executed "gpupdate /force" and
rebooted the
>> computer. Now, when I want to login as one of the users in the
"Roaming
>> Profile Users" group, no roaming profile is created on my file
share, and a
>> normal local profile is created instead.
>> On the other hand, when I add the "Authenticated users" to
the "Security
>> Filtering", everything works as expected, i.e. a roaming profile
is created
>> during login, but this happens for all domain users, not just for the
ones
>> I want.
>> So obviously it seems like it does not work to apply a GPO only for one
>> group, is this as intended or is this a bug?
>> I use Samba 4.17.12 on debian and Windows 10 N LTSC as the client.
>> Thanks for any hints!
> 
> -- 
> Stefan Kania
> Landweg 13
> 25693 St. Michaelisdonn
> 
> 
> Signieren jeder E-Mail hilft Spam zu reduzieren und sch?tzt Ihre
Privatsph?re. Ein kostenfreies Zertifikat erhalten Sie unter
https://www.dgn.de/dgncert/index.html
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba