alystair
Aspirant
Jun 09, 2006

Tutorial: Setting up Roaming Profiles from scratch!

Mini-tutorial on roaming profiles:
This is on a Windows 2003 Server. We have not purchased our ReadyNAS NV yet, so this thread will be updated once we have one for ReadyNAS specific options/settings. Perhaps one of the Infrant folks wants to chime in and tell the differences in setup.
If you want to set up roaming profiles in a non-server environment, you may go here: http://computertips.toups.info/roaming/RoamingXPPro.htm

1 - Initial Sharepoint Creation
Let's create our sharepoint for the profiles:
\\server\profiles\
Trick: If you are using a DFS folder (\\server\dfs-root\profiles\) or are simply paranoid you can hide the "real" profiles share by adding a $ at the end of the share name when it's being created so it doesn't show up in the normal network share listings.

2 - Share Permissions
First thing we do is remove all default share permissions from the share, and add the "Authenticated Users" group with read/write access.
It's important to remember the difference here between the share permissions and the security permissions on the folder. If you don't give them write permission at the share level, they won't be able to even write to their own profile directory!

3 - Security Settings for our Sharepoint
Next we go into advanced security settings for the "profiles" folder, unchecking inherited permission settings from the parent folder and making sure only "Authenticated Users" can read (not write!) this directory. Don't forget to make the administration the owners of this shared directory and give them full rights.

4 - Our first roaming profile
Let's create a profile for Bob, who happens to have the account name "bob", with the subdirectory "profile" because Windows will explode if you don't.
\\server\profiles\bob\profile
Note: I seriously don't remember the reasoning behind the subdirectory for the profile, just trust me on this one

5 - Security Settings for the profile
We go into the advanced security settings for the bob folder and again uncheck "Allow inheritable permissions from the parent..", and then give "bob" and the administration team full access to this directory.

6 - Changing Bob's account properties
Set Bob's profile to "\\server\profiles\bob\profile"....
Trick: You can put %username% in where the username is and it will automatically replace it when you click the apply/ok button with his account name in the AD Management Console.

7 - And finally...
Log in as Bob once to prep the account, log out... and you're done!

We do not recommend a share per user as it becomes very tricky to manage and goes downhill from there.

//NOTE// I'd add images but it's 5am. Sorry, maybe if I got a discount from Infrant when purchasing our NV *wink wink nudge nudge say no more* :D
//NOTE2// This would also fit under the AD forum I guess.
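
The permission layout from steps 3 and 5 can be checked with a script. This is an added example, not part of the original post; it assumes Windows PowerShell 3.0 or later, that each folder under the root is named after its account (as in step 4), and placeholder values for the domain and admin groups.

```powershell
# Added example (not from the thread): audit a shared roaming-profile root.
# $Root, $Domain and $Admins are placeholders; adjust them to your environment.
param(
    [string]$Root     = '\\server\profiles',
    [string]$Domain   = 'EXAMPLE',
    [string[]]$Admins = @('BUILTIN\Administrators', 'EXAMPLE\Domain Admins')
)

$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

# Step 3: on the root, Authenticated Users may read but not write.
foreach ($rule in (Get-Acl -Path $Root).Access) {
    if ($rule.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
        $rule.AccessControlType -eq 'Allow' -and
        [int]($rule.FileSystemRights -band $writeBits) -ne 0) {
        Write-Warning "Root ${Root}: Authenticated Users can write ($($rule.FileSystemRights))"
    }
}

# Step 5: each user folder has inheritance off and lists only its user and the admins.
foreach ($dir in Get-ChildItem -Path $Root -Directory) {
    $acl      = Get-Acl -Path $dir.FullName
    $allowed  = @("$Domain\$($dir.Name)") + $Admins
    $findings = @()
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'inherits permissions from the parent folder'
    }
    foreach ($rule in $acl.Access) {
        $who = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $allowed -notcontains $who) {
            $findings += "unexpected access for $who ($($rule.FileSystemRights))"
        }
    }
    # One row per profile folder; Owner is shown because clients may check it.
    [pscustomobject]@{
        Folder   = $dir.Name
        Owner    = $acl.Owner
        Findings = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}
```

Any account not listed in `$Admins` is reported, so add the accounts your environment expects on these folders before treating a finding as a problem.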

8 Replies

  • Thanks for the quick tutorial. I'll move this to the User Submitted Tips.

    P.S. We always keep track of key forum contributors and will from time-to-time give out some goodies 8)
  • Unfortunately, this works well only when it's a Windows Server, but not as a ReadyNAS device.

    I'm currently in the process of trying to get it to work...
  • I run roaming profiles from my ReadyNAS without a problem.

    I would suspect a permissions issue. By default XP clients will only use a roaming profile if they are the owner of the directory. Also if the client creates the profile directory it will give the user exclusive rights to the profile directory.

    Both settings can be changed via Group Policy etc.
  • 'Authenticated Users' doesn't port over from the Win2K3 Domain when you list the groups, therefore you cannot set it as part of the groups.

    That's what was holding me up. On the setup steps it was a permissions issue, which was solved via the ownership tag.

    Computer Configuration > Administrative Templates > System > User Profiles
    Do not check for user ownership of Roaming Profile Folders = Enabled

    Thank you mister.
  • Also, if you have the advanced CIFS permissions enabled, you will not be able to change folder permissions from Windows. This isn't necessarily a problem, if you have one person's roaming profile per share and set each one's permissions from the NAS.

    However, we wanted to create a default share for all roaming profiles for that department and each folder was inheriting the permissions from the parent folder. This isn't a problem, if you don't mind everyone having access to everyone else's profile, but I trust my users about as far as I can throw our server room (I'm sure you all feel similarly). If you disable the Advanced CIFS permissions, you can just drop the entire profile in a folder on the share and then change the permissions on each profile from Windows.

    Granted, you would have to have enabled the advanced permissions for this to be a problem, but I forgot I had enabled it and was stuck for a bit.
  • Can someone elaborate on how to set up the permissions on the NAS? I don't understand how this is supposed to work. (I've set up roaming profiles before on W2K3).

    Where do I add the groups from AD? It doesn't have all the groups? Where does it allow me to choose a particular group to give it permissions etc?
  • Trying to use ReadyNAS/DUO for roaming user profiles in Win/XP Pro environment. I have looked at the write-up at http://computertips.toups.info/roaming/RoamingXPPro.htm but it does not seem to apply to a ReadyNAS environment (i.e. security settings do not apply). Can someone please provide a detailed guideline (or summary) how to establish a common share with folders for each roaming user profile on the DUO.
  • ticklemeozmo wrote:
    'Authenticated Users' doesn't port over from the Win2K3 Domain when you list the groups, therefore you cannot set it as part of the groups.

    That's what was holding me up. On the setup steps it was a permissions issue, which was solved via the ownership tag.

    Computer Configuration > Administrative Templates > System > User Profiles
    Do not check for user ownership of Roaming Profile Folders = Enabled

    Thank you mister.


    I have set this policy for some test users in my AD, yet Windows will still freak out if I manually create the users' folders for their profile. The only way I can get roaming profiles to work is to let the user account create the profile folder itself. This isn't quite an issue because I'm still able to access the folders despite them being owned by a specific user and the users can't access each other's folders.
