How to set up roaming profiles on a GuardianOS-powered SnapServer

Version 1

    Roaming profiles will work on any SnapServer share. However, we do not support Group Policy Objects (GPOs), which can be problematic if you need to manage your profile stores. To work around this issue, you can use roaming profiles in conjunction with GuardianOS's implementation of home directories.

     

    Home directories create a virtual share that is accessible only by the user and the administrator. These permissions replicate throughout the sub-tree, enabling you to manage any directories created within them.

     

    Make sure your SnapServer is joined to the domain.

     

    Next, on the SnapServer, create a share or use the default root-level Share1:

     

    \--VOL0
       |
       |-- Share1 (This is the root level share and should be administrator access only)

     

     

    Enable home directories:

    Security -> Home Directories

     

    Volume: The volume you created your profile store on.

    Path: Accept the default /home_dir location.

    Click OK.

     

    Select the protocols you wish to enable home directories for. At a minimum, you must select Windows (SMB).

     

     

    On your domain controller, do the following:

     

     

    1. Start -> Control Panel -> Active Directory Users and Computers
    2. Right-click on a user and select Properties.
    3. Click on the Profile tab.
    4. In the Profile path field, enter:  \\your_snap_server_name_or_ip\%username%\

     

    When your user logs into the domain, Active Directory will automatically log in and create this location with the appropriate permissions.

     

    To manage your profile store, log into the root share over SMB using the Snap local admin account. You can then copy a default profile and use it as a template. When setting security on the template, remove any permissions that are inherited and instead copy them. Remove read rights and special rights for the Everyone group. Then add full rights for the user whose profile it is intended to be. At this point the user will be able to log in and immediately use the new profile.
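
The template security steps above, scripted for one copied profile folder. This is an added example, not part of the original article or any vendor tooling. The function name and parameters are hypothetical, and it assumes the share accepts Windows ACL changes over SMB from the session you are running it in.

```powershell
# Added example: applies the article's template ACL steps to one profile folder.
# Assumptions (not from the article): the function name, its parameters, and
# that the share accepts Windows ACL changes over SMB for the current session.
function Set-ProfileFolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # UNC path of the copied profile folder, as reached through the root share.
        [Parameter(Mandatory)] [string] $Path,
        # Domain account that owns the profile, e.g. EXAMPLE\jdoe (constructed value).
        [Parameter(Mandatory)] [string] $Account
    )

    # Well-known SID for Everyone, so the lookup does not depend on OS language.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

    # Step 1: stop inheriting, but keep the inherited entries as explicit copies.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
    if ($PSCmdlet.ShouldProcess($Path, 'Copy inherited permissions')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    # Re-read the ACL: the copied entries only become explicit, and therefore
    # removable, after the change has been written to the folder.
    $acl = Get-Acl -LiteralPath $Path

    # Step 2: drop every entry for Everyone (read and special rights included).
    $acl.PurgeAccessRules($everyone)

    # Step 3: full rights for the profile's user, applied to subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Remove Everyone, grant $Account FullControl")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    # Return the resulting entries so the result can be reviewed: no Everyone
    # row should remain and IsInherited should be False throughout.
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}
```

Run it with -WhatIf first to see which folders would be changed without writing anything.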