WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:
Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users
Course Of The Month
3 days, 12 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Roaming Profiles on Workgroup
Posted on 2004-10-04
I have a question about roaming profile on WORKGROUP. Now, this concept clearly makes sense on a domain setting, but maybe not on workgroup in my opinion, which is why I ask here for clarification.
The reason this concept make sense on domain is that, a domain user account conceptually belongs to the domain, and is not fixed to any particular computer in the domain. In talking about the roaming profile, you also wants the profile to "move" across computer; i.e. not fixed to any particular computer. So they are a perfect match.
But for a workgroup .... Well, say there is a user named "fred", with a LOCAL user account also named "fred" on each of 5 computers on a workgroup. He wants to move among these computers and still use the same profile. How are you going to setup?
Say a remote share \\SERVER\PROFILES has already been created to store roaming profiles.
These 5 "fred" accounts are DIFFERENT (with different SID) even the names are the same. How can the permissions on \\SERVER\PROFILES be set? What about \\SERVER\PROFILES\fred? Would it be necessary to set FIVE set of permissions to each SID of these different "fred" account (which I can make sense anyway)?
Or should I simply create another "fred" user account on SERVER? What happens if I set a password different from those 5 "fred" accounts and then I log on?
What if now "fred" wants to move to a sixth computer? Any adjustment needed on the permissions of \\SERVER\PROFILES\fred?
I ask these questions because in my notes (for 70-210 exam) and various places on the Internet, LOCAL accounts are used. I guess it means roaming profiles can be used even on workgroup ...
Thanks for your help guys!
Gating
The reason this concept make sense on domain is that, a domain user account conceptually belongs to the domain, and is not fixed to any particular computer in the domain. In talking about the roaming profile, you also wants the profile to "move" across computer; i.e. not fixed to any particular computer. So they are a perfect match.
But for a workgroup .... Well, say there is a user named "fred", with a LOCAL user account also named "fred" on each of 5 computers on a workgroup. He wants to move among these computers and still use the same profile. How are you going to setup?
Say a remote share \\SERVER\PROFILES has already been created to store roaming profiles.
These 5 "fred" accounts are DIFFERENT (with different SID) even the names are the same. How can the permissions on \\SERVER\PROFILES be set? What about \\SERVER\PROFILES\fred? Would it be necessary to set FIVE set of permissions to each SID of these different "fred" account (which I can make sense anyway)?
Or should I simply create another "fred" user account on SERVER? What happens if I set a password different from those 5 "fred" accounts and then I log on?
What if now "fred" wants to move to a sixth computer? Any adjustment needed on the permissions of \\SERVER\PROFILES\fred?
I ask these questions because in my notes (for 70-210 exam) and various places on the Internet, LOCAL accounts are used. I guess it means roaming profiles can be used even on workgroup ...
Thanks for your help guys!
Gating
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
-
2
- +1
8 Comments
No.
Roaming profiles can't be used on workgroups simple because for roaming profile you need a central location where everyone have access to store their profiles. In workgroups, it's not possible, because you can't give access to someone from other computer on your own computers. The computers don't know each other.
The only thing you can do is give access to the 'Everyone' group, and I'm sure you don't want to do that.
Local accounts are used alot, question is in what context they are used?
Roaming profiles can't be used on workgroups simple because for roaming profile you need a central location where everyone have access to store their profiles. In workgroups, it's not possible, because you can't give access to someone from other computer on your own computers. The computers don't know each other.
The only thing you can do is give access to the 'Everyone' group, and I'm sure you don't want to do that.
Local accounts are used alot, question is in what context they are used?
Thanks for the reply. The context of "Local accounts" is the creation of roaming profiles as discussed in my notes. I'll paraphrase from my notes:
1. Log on as Administrator to the LOCAL machine. (Hint 1)
2. Create a network share PROFILES on a remote computer SERVER.
3. In Administrative Tools, select Computer Management. Expand System Tools and
Expand Local Users and Groups (Hint 2). Create a new user "fred".
4. Right-click the user and choose the "Profile" Tab. In the "Profile path" box, enter the
path \\SERVER\PROFILES\%usernam
:
:
:
The point is that my notes creates roaming profiles on LOCAL user accounts ... Is it trying to use roaming profiles on workgroups (which I don't feel right)?
1. Log on as Administrator to the LOCAL machine. (Hint 1)
2. Create a network share PROFILES on a remote computer SERVER.
3. In Administrative Tools, select Computer Management. Expand System Tools and
Expand Local Users and Groups (Hint 2). Create a new user "fred".
4. Right-click the user and choose the "Profile" Tab. In the "Profile path" box, enter the
path \\SERVER\PROFILES\%usernam
:
:
:
The point is that my notes creates roaming profiles on LOCAL user accounts ... Is it trying to use roaming profiles on workgroups (which I don't feel right)?
As you say, it is posssible to use roaming profiles, but it is going to be a complete pain in the neck to administer.
You will have to manually keep the usernames and passwords in sync on all machines, (server and workstations)
You will have to manually create a new user and configure that user to use a roaming profile on every new workstation.
As soon as you start to think about implementing these things, setting up a domain begins to look extremely attractive - more pain in the short term, but long term no contest.
HTH
You will have to manually keep the usernames and passwords in sync on all machines, (server and workstations)
You will have to manually create a new user and configure that user to use a roaming profile on every new workstation.
As soon as you start to think about implementing these things, setting up a domain begins to look extremely attractive - more pain in the short term, but long term no contest.
HTH
To stardust126:
\\Server\Profiles\%usernam
For the sake of argument, say the user account is "fred" and the computer "CLIENT" is used to logon.
\\SERVER\Profiles has "full control" share and NTFS permissions for everyone.
I logon as "fred" on CLIENT. An error message was displayed about insufficient permissions to access the folder \\SERVER\Profiles\fred. I checked the subfolder "fred" was NOT created under \\SERVER\Profiles.
It turned out I must create "fred" account on SERVER. Then I created such account. The error message was "improved" to be about "improper permissions on the folder \\SERVER\Profiles\fred".
Now the subfolder "fred" was indeed created under \\SERVER\Profiles, but the ownership was very weird: it was not owned by SERVER\fred, but by CLIENT\fred. Of course, local accounts are not visible to remote computers, so it was not displayed as CLIENT\fred, but as the SID of CLIENT\fred.
I changed the owner to SERVER\Administrators group and grant SERVER\fred full control rights. Then things were OK.
With domain environment and with domain user account, things worked like a breeze - there was no error messages; no ownership or permissions needed to be "corrected".
There are "workarounds" of course - e.g. to create \\SERVER\Profiles\fred and setup permissions in advance. But my gut feeling says it is not the way to go - maybe roaming profiles do not make sense for workgroups?
\\Server\Profiles\%usernam
For the sake of argument, say the user account is "fred" and the computer "CLIENT" is used to logon.
\\SERVER\Profiles has "full control" share and NTFS permissions for everyone.
I logon as "fred" on CLIENT. An error message was displayed about insufficient permissions to access the folder \\SERVER\Profiles\fred. I checked the subfolder "fred" was NOT created under \\SERVER\Profiles.
It turned out I must create "fred" account on SERVER. Then I created such account. The error message was "improved" to be about "improper permissions on the folder \\SERVER\Profiles\fred".
Now the subfolder "fred" was indeed created under \\SERVER\Profiles, but the ownership was very weird: it was not owned by SERVER\fred, but by CLIENT\fred. Of course, local accounts are not visible to remote computers, so it was not displayed as CLIENT\fred, but as the SID of CLIENT\fred.
I changed the owner to SERVER\Administrators group and grant SERVER\fred full control rights. Then things were OK.
With domain environment and with domain user account, things worked like a breeze - there was no error messages; no ownership or permissions needed to be "corrected".
There are "workarounds" of course - e.g. to create \\SERVER\Profiles\fred and setup permissions in advance. But my gut feeling says it is not the way to go - maybe roaming profiles do not make sense for workgroups?
BTW, I need to know not because I am going to implement roaming profiles, but because I am revising MCSE and my notes are doing it in a Workgroup environment. This is conceptually problematic. (If the notes get it wrong, I will have troubles ......)
to answer your question simply, NO you cannot set up roaming profiles. -- plain and simple. (like stardust already said)
if you create a workgroup server which gives access to a bunch of different local account "freds", this is still not romaing profiles, this is a huge headache.
ROAMING PROFILES ARE ONLY AVAILABLE IN A DOMAIN ENVIRONMENT
if you create a workgroup server which gives access to a bunch of different local account "freds", this is still not romaing profiles, this is a huge headache.
ROAMING PROFILES ARE ONLY AVAILABLE IN A DOMAIN ENVIRONMENT
Does Microsoft say anything on this subject?
If not, then I will conclude:
swinterborn recommended strongly a domain environment, but did not completely defy workgroups.
stardust126 said NO, internetsavant said a very definite NO.
If there are no more response, I am going to assign 40 to each of stardust126 and internetsavant; 20 to swinterborn, unless somebody can point out a Microsoft article on this matter. So I'll wait for one day or two.
Thanks a lot guys!
If not, then I will conclude:
swinterborn recommended strongly a domain environment, but did not completely defy workgroups.
stardust126 said NO, internetsavant said a very definite NO.
If there are no more response, I am going to assign 40 to each of stardust126 and internetsavant; 20 to swinterborn, unless somebody can point out a Microsoft article on this matter. So I'll wait for one day or two.
Thanks a lot guys!
Featured Post
Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Introduction
How to create multiboot configuration with XP\Vista and Windows 7 on it? And most important question - how to do this correctly so not to have any kind of nightmares we get when system gets screwed?
First of all one should realize t…
In this article we will discuss all things related to StageFright bug, the most vulnerable bug of android devices.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,
in this video I'll show you how new windows 10 user can learn the using of windows 10.
Thank you.
Suggested Courses
Course of the Month3 days, 12 hours left to enroll
Earn Certification
CompTIA Linux+ (LX0-103 & LX0-104)
$147.00$132.30
Earn Certification
70-742: Identity with Windows Server 2016
$197.00$177.30
691 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.