pGina pgSMB2 Plugin Documentation
- Plugin Name: pgSMB2
- Plugin Type: Gateway, Notification
- Version: 3.9.9.4
How it Works
The pgSMB2 plugin is a clone of the pGina 1.x pgFTP plugin. Its purpose is to implement a roaming profile stored in a compressed file on an SMB server.
What is this good for?
The main problem is the unreliable built-in Windows roaming profile mechanism. There is no guarantee that a user profile is entirely uploaded to the server, especially over slow network connections. That doesn't matter if users always use the same machine, but if they don't, you run into problems. This plugin makes sure that profiles are uploaded to and downloaded from the server, and if there is an error, a mail is sent to an administrator.
What's going on?
As soon as a user has logged off, even if he/she chose to shut down, the profile is compressed and uploaded to an SMB share. When someone logs on, the profile is decompressed locally onto the station and winlogon.exe continues the logon process.
Windows 8 and 10
There is a bug in Windows 8 and 10 related to long login delays. As you can imagine, extracting a profile from a remote source can take a while, but that bug prevents a successful logon:
- if the logon requires more than 2 min on Windows 8 with “CTRL+ALT+DEL required before logon” activated
- if a logon takes longer than 30 sec on Windows 10 (14393) with the Lock screen activated
Workarounds:
- on Windows 8 you need to disable “CTRL+ALT+DEL required before logon”
- on Windows 10 you need to disable the Lock Screen:
```
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization /v NoLockScreen /t REG_DWORD /d 1 /f
```
Another problem arises with “Fast Startup”. If a user selects shut down from the Start menu, the system is put into hibernation and there is no way to prevent it. As a result, the user profile can't be uploaded.
To disable “Fast Startup”, run
```
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t REG_DWORD /d 0 /f
```
Gateway Stage
In the gateway stage the plugin creates the user on the local system and keeps track of this user by the profile description “pGina created pgSMB2”. It then extracts the compressed profile from the SMB share *, adapts the ACL to fit the new user's SID and lets Windows do the rest. If the user doesn't pass the gateway stage, he/she is still able to log in but receives a temporary profile. Not a Windows temp profile: he/she gets a new user profile. You can detect such a profile by calling
```
net user %username% | find /I "pGina created pgSMB2 tmp" && @echo I'm a temp user
```
Such a user receives “pGina created pgSMB2 tmp” as description instead of “pGina created pgSMB2”, and this tmp-marked profile is excluded from the profile upload procedure.
If there is a problem during the gateway stage, the plugin retries as often as you specified in the configuration. If the procedure still fails, an email is generated and sent to the global mail addresses you entered in the pGina configuration UI.
If the user still has a local profile, for example after a BSOD, the plugin compares the timestamps of the local user's ntuser.dat and the remote %f (Filename). If ntuser.dat is newer (UTC) than the remote %f, the profile won't be downloaded.
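As an added illustration of the timestamp rule above (a Python re-implementation written for this page, not the plugin's own code), the decision function below skips the download when the local ntuser.dat is newer than the compressed profile on the share; the profile path, the archive name and the behaviour when one side is missing are assumptions, and the files are constructed in a temporary directory.

```python
import os
import tempfile
import time
from datetime import datetime, timezone


def should_download_profile(local_profile_dir, remote_archive):
    """Re-implementation of the rule described above (not the plugin's code):
    skip the download when the local ntuser.dat is newer than the remote
    compressed profile (%f). Returns (download, reason)."""
    ntuser = os.path.join(local_profile_dir, "ntuser.dat")
    if not os.path.isfile(ntuser):
        # No leftover local profile: normal case, extract from the share.
        return True, "no local profile, extract from the share"
    if not os.path.isfile(remote_archive):
        # Assumption: nothing on the share means there is nothing to download.
        return False, "no compressed profile on the share"
    # st_mtime is seconds since the Unix epoch, so the comparison itself is
    # time-zone independent; aware UTC datetimes are only used for the reason.
    local_ts = datetime.fromtimestamp(os.stat(ntuser).st_mtime, timezone.utc)
    remote_ts = datetime.fromtimestamp(os.stat(remote_archive).st_mtime, timezone.utc)
    if local_ts > remote_ts:
        return False, f"local ntuser.dat {local_ts:%Y-%m-%d %H:%M:%S} UTC is newer, keep it"
    return True, f"remote profile {remote_ts:%Y-%m-%d %H:%M:%S} UTC is newer, download it"


def demo(local_newer=True):
    """Constructed scenario in a temporary directory: a profile left on disk
    after a crash, with ntuser.dat one hour newer (or older) than the archive."""
    root = tempfile.mkdtemp()
    profile = os.path.join(root, "Users", "alice")   # constructed local profile
    share = os.path.join(root, "share")              # stands in for the SMB share
    os.makedirs(profile)
    os.makedirs(share)
    archive = os.path.join(share, "alice.profile")   # constructed %f name
    ntuser = os.path.join(profile, "ntuser.dat")
    for path in (archive, ntuser):
        with open(path, "wb") as fh:
            fh.write(b"constructed")
    now = time.time()
    older, newer = now - 3600, now
    os.utime(ntuser, (newer, newer) if local_newer else (older, older))
    os.utime(archive, (older, older) if local_newer else (newer, newer))
    return should_download_profile(profile, archive)


if __name__ == "__main__":
    print(demo(local_newer=True))
    print(demo(local_newer=False))
```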
- You still need the Local Machine plugin to do the group membership!
- The plugin gateway order needs to be pgSMB2 before Local Machine.
- It's a good idea to create a new folder to store compressed user profiles (TempComp). C:\Users\Public fits well, but if you prefer a more secure structure, restrict the folder to SYSTEM and Administrators. cacls output:
```
c:\roaming NT AUTHORITY\SYSTEM:(OI)(CI)F BUILTIN\Administrators:(OI)(CI)F
```
You can apply these settings using this PowerShell snippet:
```powershell
$sddl = 'O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)'
$sd = Get-Acl C:\roaming
$sd.SetSecurityDescriptorSddlForm($sddl)
$sd.Sddl
Set-Acl C:\roaming $sd
```
Notification
The login script is triggered by the login event received from the pGina service; the max profile space value is also applied in this stage.
The logoff procedure is triggered by a logoff event. First a new thread is created, then this thread waits until the user has logged off. Once that happens, the profile is compressed and pushed to the SMB share. The plugin keeps a backup of the older profile on the share named %f.bak (Filename). If there is a problem during compressing or pushing, the plugin retries as often as you specified in the configuration. If the procedure still fails, an email is generated and sent to the mail addresses you entered in the pGina configuration UI. If the error occurred during the file upload, the compressed profile remains stored at %d (TempComp) under the name %f (Filename).
Configuration
Roaming Profile
- value in parentheses – represents the registry key value
- %? – is the macro variable for this value
- The SMB share to connect – The path to the share which the plugin will try to connect to. Can be overridden by the Attribute converter pgSMB_SMBshare.
- Where to store the compressed Profile – This is the place where the compressed profile will be stored. Can be overridden by the Attribute converter usri4_profile.
- The name and extension of the Profile – How you want to name the compressed profile. Can be overridden by the Attribute converter pgSMB_Filename.
- Where to locally store the compressed Profile – The profile will be compressed locally to this location, as defined in CompressCLI.
- Try n times to connect/extract/compress – How often the plugin shall try to get a task done.
- The Program to un-compress the Profile – What program to use for (de)compression.
  - If you use ImagexEX.exe you also need Imagex from Microsoft. Download ADK 8.1 (1.36 MByte).
  - Run it and select only “Deployment Tools”; you then find the binaries at C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\<x86 and amd64>\DISM.
  - Place imagex.exe in the pGina main installation folder (C:\Program Files\pGina.fork).
- The command to uncompress the Profile – The command line for the decompress call.
- The command to compress the Profile – The command line for the compress call.
User
- The user HomeDir – The path to the home share. Can be overridden by the Attribute converter usri4_home_dir.
- The user HomedirDrive – The drive letter of this share. Can be overridden by the Attribute converter usri4_home_dir_drive.
- Script Path – The script to run in the user context during a login. Can be overridden by the Attribute converter LoginScript. Make sure that the remote share is registered under Local intranet sites (IE / Options / Security).
- The user quota in kbytes – limits the profile size. A profile that has reached its limit won't be uploaded, and an email is generated. Can be overridden by the Attribute converter usri4_max_storage.
- Exclude profile directories from quota as regex – These folders are excluded from the quota.
- Proquota Balloon tip and MessageBox Text – You are able to set your own quota text for information, warnings and errors.
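As an added illustration of the quota and exclusion settings above (a Python re-implementation written for this page, not the plugin's code), the check below sums a profile's size in kbytes, leaves out any directory whose profile-relative path matches an exclusion regex, and reports a profile that has reached its quota as not to be uploaded. How the plugin itself anchors and matches the regex (here: case-insensitive search against a backslash-separated relative path) is an assumption, and the profile contents are constructed in a temporary directory.

```python
import os
import re
import tempfile


def profile_size_kb(profile_dir, exclude_patterns):
    """Total size of the profile in kbytes, skipping every directory whose
    path relative to the profile root matches one of the exclusion regexes
    ('Exclude profile directories from quota as regex'). Matching is
    case-insensitive against backslash-separated paths, mirroring Windows;
    that matching rule is an assumption, not taken from the plugin."""
    excludes = [re.compile(p, re.IGNORECASE) for p in exclude_patterns]
    total = 0
    for dirpath, dirnames, filenames in os.walk(profile_dir):
        rel = os.path.relpath(dirpath, profile_dir).replace(os.sep, "\\")
        if rel != "." and any(rx.search(rel) for rx in excludes):
            dirnames[:] = []  # excluded: do not descend into this tree
            continue
        for name in filenames:
            total += os.path.getsize(os.path.join(dirpath, name))
    return (total + 1023) // 1024  # round up to whole kbytes


def check_quota(profile_dir, quota_kb, exclude_patterns):
    """Return (ok, used_kb). ok is False once the profile has reached its
    quota, which is when the upload is skipped and the email is generated."""
    used = profile_size_kb(profile_dir, exclude_patterns)
    return used < quota_kb, used


def demo():
    """Constructed profile: 2 MiB of documents plus 10 MiB of cache under
    AppData\\Local, checked against a 5 MiB quota with and without the
    exclusion regex."""
    root = tempfile.mkdtemp()
    cache = os.path.join(root, "AppData", "Local", "Temp")
    docs = os.path.join(root, "Documents")
    os.makedirs(cache)
    os.makedirs(docs)
    with open(os.path.join(cache, "cache.bin"), "wb") as fh:
        fh.write(b"\0" * (10 * 1024 * 1024))
    with open(os.path.join(docs, "report.docx"), "wb") as fh:
        fh.write(b"\0" * (2 * 1024 * 1024))
    quota_kb = 5 * 1024
    without_exclude = check_quota(root, quota_kb, [])
    with_exclude = check_quota(root, quota_kb, [r"^AppData\\Local"])
    return without_exclude, with_exclude


if __name__ == "__main__":
    print(demo())
```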