My Watches Print This Page   

[8253] *How to set up roaming profiles on a Guardian OS powered Snap Server.    « Back to Category
Author: Todd Rodrigues, Created on: Nov 13, 2009 3:42 PM
Keywords: active directory, AD, domain, guardian os, roaming profiles
Language: English
Permissions: Public
Product (s): General Information

Roaming profiles will work on any Snap server share, however we do not support Group Policy Objects (GPOs) which can be problematic if you need to manage your profile stores. In order to work around this issue, you can utilize Roaming profiles in conjunction with Guardian OS' implementation of home directories.

Home directories create a virtual share that is accessible only by the user and the administrator. These permissions will replicate throughout the sub-tree enabling you to manage any directories created within them.

Make sure your Snap server is joined to the domain.

Next on the Snap server create a share or use the default root level Share1:

|-- Share1 (This is the root level share and should be administrator access only)

Enable home directories

Security -> Home Directories

Volume: Volume you created your profile store on
Path: Accept the default /home_dir location.
Click OK.

Select the protocols you wish to enable home directories for. At a minimum you must select Windows (SMB).

On your Domain Controller do the following:

1. Start -> Control Panel -> Active Directory Users and Computers
2. Right click on a user and select properties
3. click on the Profile tab
4. In the Profile path enter in: \\your_snap_server_name_or_ip\%username%\

When your user logs into the domain, Active Directory will automatically log in and create this location with the appropriate permissions.

To manage your profile store, log into the root share over SMB using the Snap local admin account. You can then copy a default profile and use this as a template. When setting security on the template, remove any permissions that are inherited and instead copy them. Remove read rights and special rights for the everyone group. Then add in full rights for the user who's profile it is intended to be. At this point the user will be able to log in and immediately use the new profile.

Related Documents
No Related Documents