[debian-edu-commits] [Debian Wiki] Update of "DebianEdu/Documentation/Buster/HowTo/NetworkClients" by WolfgangSchweer
Debian Wiki
wiki at debian.org
Wed Apr 4 10:57:17 BST 2018
Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Debian Wiki" for change notification.
The "DebianEdu/Documentation/Buster/HowTo/NetworkClients" page has been changed by WolfgangSchweer:
https://wiki.debian.org/DebianEdu/Documentation/Buster/HowTo/NetworkClients?action=diff&rev1=1&rev2=2
Comment:
remove outdated information about Windows client configuration
/!\ Joining a domain with a Windows client requires the steps described in the [[DebianEdu/Documentation/Buster/HowTo/Samba|Debian Edu Buster Samba Howto]].
Windows will sync the profiles of domain users on every Windows login and logout. Depending on how much data is stored in the profile, this could take some time. To minimise the time needed, deactivate things like local cache in browsers (you can use the Squid proxy cache installed on the main server instead) and save files into the H: volume rather than under "My Documents".
-
- ==== User groups in Windows ====
-
- If you want to check user groups on Windows, you need to download the tool {{{IFMEMBER.EXE}}} from Microsoft. Then you can use this for example in the logon script which resides on the main server in {{{/etc/samba/netlogon/LOGON.BAT}}}.
-
- === XP home ===
-
- Users bringing in their XP laptops from home can still connect to the main server using their skolelinux credentials, provided the workgroup is set to SKOLELINUX. However, they may need to disable the Windows firewall before the main server will appear in Network Neighbourhood (or whatever it's called now).
-
- === Managing roaming profiles ===
-
- Roaming profiles contain user work environments which include desktop items and settings. Examples include personal files, desktop icons and menus, screen colours, mouse settings, window size and position, application configurations, and network and printer connections. Roaming profiles are available wherever the user logs on, provided the server is available.
-
- Since the profile is copied from the server to the machine during logon, and copied back to the server during logout, a large profile can make Windows login/logout painfully slow. There can be many reasons for a large profile, but the most common problem is that users save their files on the Windows desktop or in the "My Documents" folder instead of in their home directory. Also, some badly designed programs use the profile to store data and as scratch space.
-
- ''The educational approach'': one way to deal with overlarge profiles is to explain the situation to the users. Tell them not to store huge files on the desktop, and if they fail to listen, it's their own fault when login is slow.
-
- ''Tweaking the profile'': a different approach to dealing with the problem is to remove parts of the profile, and redirect other parts to regular file storage. This moves the workload from the users to the administrator, while adding complexity to the installation. There are at least three ways to edit the parts that are removed from the roaming profile.
-
- ==== Example smb.conf files for roaming profiles ====
-
- FIXME: Maybe it is better to purge the examples. People who want to use roaming profiles should know what they are doing ...
-
- /!\ '''Note''' The examples are outdated since in wheezy kerberos was configured for samba too!<<BR>>
-
- You might find an example smb.conf in your preferred language delivered by the installation on the main server under `/usr/share/doc/debian-edu-config/examples/`. The source file is in English and is called `smb-roaming-profiles-en.conf`; look for a file with the appropriate code in the filename (the German translation, for example, will be named `smb-roaming-profiles-de.conf`). Inside the config file are a lot of explanations which you should have a look at.
-
- ==== Machine policies for roaming profiles ====
-
- Machine policies can be edited and copied to all the other computers.
-
- 1. Pick a freshly installed Windows computer, and run `gpedit.msc`
- 1. Under the selection "User Configuration" -> "Administrative Templates" -> "System" -> "User Profiles" -> "Exclude directories in roaming profile", you can enter a semicolon-separated list of directories to exclude from the profile. The directories are internationalised and must be written in your own language the way they are in the profile. Examples of directories to exclude are:
- * log
- * Locale settings
- * Temporary Internet Files
- * My Documents
- * Application Data
- * Temporary Internet Files
- 1. Save your changes, and exit the editor.
- 1. Copy {{{c:\windows\system32\GroupPolicy}}} to all other Windows machines.
- * It's a good idea to copy it to your Windows OS deployment system to have it included at install time.
-
- ==== Global policies for roaming profiles ====
-
- By using the legacy Windows policy editor (`poledit.exe`), you can create a Policy file (NTConfig.pol) and put it in your netlogon share on the main server. This has the advantage of working almost instantly on all Windows machines.
-
- For some time, the policy editor standalone download has been removed from the Microsoft web site, but it's still available as part of the ORK Tools.
-
- With `poledit.exe` you can create .pol files. If you put such a file on the main server as `/etc/samba/netlogon/NTLOGON.POL` it will automatically be read by Windows machines and temporarily overwrite the registry, thus applying the changes.
-
- To make sensible use of `poledit.exe` you also need to download appropriate .adm files for your operating system and applications; otherwise you cannot define many settings in `poledit.exe`.
-
- Be aware that the new group policy tools, {{{gpedit.msc}}} and {{{gpmc.msc}}}, cannot create .pol files; they either only work for the local machine or need an Active Directory server.
-
- If you understand German, http://gruppenrichtlinien.de is a very good web site on this topic.
-
- ==== Editing Windows registry ====
-
- You can edit the registry of the local computer, and copy this registry key to other computers
-
- 1. Start the Registry Editor.
- 1. Navigate to {{{HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon}}}
- 1. Use the menu "Edit menu" -> "New" -> "String Value".
- 1. Call it {{{ExcludeProfileDirs}}}
- 1. Enter a semicolon-separated list of paths to exclude (in the same way as for a machine policy)
- 1. Now you can choose to export this registry key as a .reg file. Mark a selection, right-click, and select "Export".
- 1. Save the file and you can double click it, or add it to a script to spread it to other machines.
-
- Sources:
-
- * http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/default.mspx
- * http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/PolicyMgmt.html
- * http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html
- * http://www.css.taylor.edu/~nehresma/samba.html
-
- === Redirecting profile directories ===
-
- Sometimes just removing directories from the profile is not enough. You may find that users lose files because they mistakenly save things into "My Documents" when this is not saved in the profiles. You may also want to redirect the directories used by some badly programmed applications to normal network shares.
-
- ==== Redirecting using machine policies ====
-
- All the instructions given above about machine policies apply here too. You can use `gpedit.msc` to edit the policy and copy it to all machines. The redirection should be available under "User Configuration" -> "Windows Settings" -> "Folder Redirection". Directories that it can be useful to redirect include "Desktop" and "My Documents".
-
- One thing to remember is that if you enable folder redirection, those folders are automatically added to the synchronised folders list. If you do not want this, you should disable it via one of the following routes:
-
- * "User Configuration" -> "Administrative Templates" -> "Network" -> "Offline Files"
- * "Computer Configuration" -> "Administrative Templates" -> "Network" -> "Offline Files"
-
- ==== Redirecting using global policies ====
-
- FIXME: explain how to use profiles from global policies for Windows machines in the skolelinux network
-
- === Avoiding roaming profiles ===
-
- ==== Disabling roaming using a local policy ====
- Using local policies, you can disable the roaming profile on individual machines. This is often wanted on special machines - for instance on dedicated machines, or machines that have lower than usual bandwith.
-
- You can use the machine policy method describe above; the key is in "Administrative Templates" -> "System" -> "User Profiles" -> "Only allow local profiles".
-
- ==== Disabling roaming using global policies ====
- FIXME: describe roaming profile key for the global policy editor here
-
- ==== Disabling roaming in smb.conf ====
- If, perhaps, everyone has their own dedicated machine, and nobody else is allowed to touch it, editing the Samba configuration will let you disable roaming profiles for the entire network. You can alter the `smb.conf` file on the main server, unsetting the "logon path" and "logon home" variables, then restart samba.
-
- {{{
- logon path = ""
- logon home = ""
- }}}
== Remote Desktop ==
More information about the debian-edu-commits
mailing list