After talking to jht today, I've finally got a *much* better understanding about how mandatory profiles really work...

Because WinNT uses the NT ACLs on the profile in creating the local mirror, the users and groups that use the profile must have *write* access to the profile. Or at least they must appear to!

I need to try this out, and see if I'm missing something here, but I'm thinking that we should be able to write a pretty simple VFS module, that fakes up the ACLs, replacing say 'admin' with 'target group' as read by the client. This should make Win2k set the local profile permissions 'correctly', while not allowing users to put porn on a college-wide desktop...

How does this sound? Am I at least slightly close to the mark?

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
