I'm in the process of setting up a linux/samba server to replace a netware server at the school where I work. The problem I have is that I would like to be able to enable something along the lines of novell's volatile dynamic local user. I want to be able to set groups so that teacher/staff logins are non-volatile, but student logins are.

We've also considered just using roaming profiles, but we would want to be able to set it so there isn't a copy of the profile kept locally. Even if the profiles aren't saved on the local machine roaming profiles could still be a pain for us with teachers and students saving large files in their my documents folders.

I did something like that some time ago for an Internet cafe. All clients (Win2K) used the same profile and could not save any changes to the profile.

1. Make sure clients don't save local copies of profile: I don't exactly remember where that was set up. You have to use mmc on the Windows client and sift through the settings. It's somewhere in there. (And there you'll also find some other interesting restriction-possibilites for a setup like yours.)

2. Create a "superclient" user with roaming profile and admin rights. Use this user to setup everything for the client. Also remember for the future to always use this superclient to install software etc. Use the normal admin account only for things that don't/shouldn't influence the clients' profiles.

3. When done, as the superclient copy the profile to a template directory. (put this template directory in the same server directory where the real profiles are kept). Use Windows' profile copying function for that, don't just copy the files (somewhere in Workplace-Properties). Set permissions to allow Everyone. (You might have to create the directory on the server, first. Not sure). Set file permissions for the template directory so that clients can read only, superclient has full permissions.

4. Here comes the magic: In the template profile, rename ntconfig.pol to ntconfig.man. This effectively makes the profile read only. (Gotta love that one...) -- Obviously, don't do this in the superclient profile yet, but only after copying it to the template directory.

5. On the server create symbolic links to the template profile for every user. (Except for the teachers, of course -- they get their own "real" profile directories)

6. Done.

This goes together well with cloned workstations.

When you later make updates to the profile, make sure that you first delete all files/directories in the template profile before copying your new superclient profile. And don't forget to rename ntconfig.pol!

You can still give the clients a "real" home directory so that they can save some files there.

As you can tell, my memory of how I did that is slightly fuzzy, but this should roughly be it.

Cheers

Rupert

Some more info...

You also need to configure Windows not to check ownership of the profile, otherwise login will fail. This is also done via mmc.

The relevant snap-in for mmc (I'm using a German version, so these are my back-translations, actual wording may be different): "Policies for Local Machine".

Inside the snap-in you need:
- Administrative Templates
- System
- User Profiles

Rupert