On Sat, 23 Nov 2002, John H Terpstra wrote:
> On 23 Nov 2002, Andrew Bartlett wrote:
>
> > On Sat, 2002-11-23 at 19:01, John H Terpstra wrote:
> > > On 23 Nov 2002, Andrew Bartlett wrote:
> > >
> > > > On Sat, 2002-11-23 at 14:46, xfesty wrote:
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > >
> > > > > Hiya.
> > > > >
> > > > > Is there any way to make non-changeable roaming profiles for all users
> > > > > with XP workstations, and Samba 3.0HEAD from CVS acting as a PDC?
> > > > >
> > > > > I'm setting up a bunch of workstations for an internet cafe, and all
> > > > > users need to basically have the same settings (i.e. desktop icons,
> > > > > Internet Explorer settings, start menu items, etc.) as others, yet not
> > > > > be able to change them.
> > > > >
> > > > > I tried setting the profile dir to the same for all users, and making
> > > > > it read only, but I'm experiencing two problems -
> > > > >
> > > > > (1) XP will refuse to load the profile if it's read-only, and
> > > > > (2) XP won't load the profile if it wasn't created by the same user.
> > > > >
> > > > > I'm also finding cookies in IE sometimes aren't being properly set,
> > > > > people can't view hotmail attachments, MSN messenger refuses to work,
> > > > > and a bunch of other oddities.
> > > > >
> > > > > Any way past this? I remember back when I was using Windows 2K Server
> > > > > as a PDC, it was possible to have this.
> > > >
> > > > If the ntuser.dat is renamed ntuser.man, and you make the profile owned
> > > > by root, read-only to the user, and you set root to have rid 500 in
> > > > LDAP, does it work?
> > > >
> > > > (ie add root to ldap, then change the RID).
> > >
> > > The SID is stored inside the NTUser.DAT file. Access control (the ACE) is
> > > stored inside the file. That is what Richard Sharpe was working on
> > > decoding recently.
> > > When his work is done we will be able to set our own
> > > ACE's inside the NTUser.DAT file and thus create from any profile a global
> > > per group or a global group mandatory profile.
> > >
> > > Just setting file ownership and permissions does not get one past the
> > > hurdle of the ACE inside the file.
> >
> > But if we take a 'normal' profile, change the ownership to admin, but
> > don't change the SIDs, can we use it as a mandatory profile for a single
> > user?
>
> Last attempt to get this across: No!
>
> Win NT/2K/XP checks access rights on the ACE inside the file as it loads
> the profile and goes belly up if it does not have access permission for
> the current user.

That is correct. If you use the profiles command on NTUSER.DAT, it will
show you all the ACEs on the profiles.

Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org,
sharpe[at]ethereal.com, http://www.richardsharpe.com
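
An added illustration, not part of the original thread and not the Samba profiles tool: the ACEs discussed above name users by SID inside a binary security descriptor, so changing file ownership on the server leaves them untouched. The Python below builds a constructed descriptor in the standard Windows self-relative layout and lists its DACL; the SIDs, the access mask and the function names are assumptions, and only explicit allow ACEs are checked (no group membership, no deny ACEs).

```python
import struct

def sid_to_bytes(sid):
    """Encode 'S-1-5-...' as a binary SID (authority big-endian, sub-authorities LE)."""
    parts = sid.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    head = struct.pack("BB", rev, len(subs)) + auth.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)

def bytes_to_sid(buf, off):
    """Decode the binary SID starting at buf[off] back to string form."""
    rev, count = struct.unpack_from("BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(auth)] + [str(s) for s in subs])

def build_sd(allowed):
    """Self-relative descriptor holding only a DACL of ACCESS_ALLOWED ACEs."""
    aces = b""
    for sid, mask in allowed:
        body = struct.pack("<I", mask) + sid_to_bytes(sid)
        aces += struct.pack("<BBH", 0, 0, 4 + len(body)) + body  # type 0 = allow
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed), 0) + aces
    # Control 0x8004 = SE_SELF_RELATIVE | SE_DACL_PRESENT; DACL follows the 20-byte header
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl

def list_aces(sd):
    """Return [(ace_type, access_mask, sid)] for every ACE in the DACL."""
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    count = struct.unpack_from("<BBHHH", sd, dacl_off)[3]
    off, out = dacl_off + 8, []
    for _ in range(count):
        ace_type, _flags, size = struct.unpack_from("<BBH", sd, off)
        mask = struct.unpack_from("<I", sd, off + 4)[0]
        out.append((ace_type, mask, bytes_to_sid(sd, off + 8)))
        off += size
    return out

def explicitly_allowed(sd, sid):
    """True only if an allow ACE names this exact SID."""
    return any(t == 0 and s == sid for t, _mask, s in list_aces(sd))

# Constructed sample data: the user who created the profile, and a second user.
OWNER = "S-1-5-21-1111111111-2222222222-3333333333-1001"
OTHER = "S-1-5-21-1111111111-2222222222-3333333333-1002"
KEY_ALL_ACCESS = 0xF003F
SD = build_sd([(OWNER, KEY_ALL_ACCESS), ("S-1-5-18", KEY_ALL_ACCESS),
               ("S-1-5-32-544", KEY_ALL_ACCESS)])

if __name__ == "__main__":
    for ace in list_aces(SD):
        print("type=%d mask=0x%05X sid=%s" % ace)
    print("owner allowed:", explicitly_allowed(SD, OWNER))
    print("other allowed:", explicitly_allowed(SD, OTHER))
```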