• Status: Solved
  • Priority: Medium
  • Security: Public

Setting up Roaming Profiles

Hello everyone,

I am having a problem with roaming profiles. This is a small business that has just purchased a new Standard Edition 2003 server. We have 15 XP Pro clients. Active Directory has been set up as well as DNS and a few other server roles. I added the users and computer accounts. I want the users to have a roaming profile. For each user I have the roaming profile path set to \\severname\profile$\%username%. I have also set the home path to H: then \\servername\homedir\%username%. The profile$ share permissions have been set to give admin full control and everyone else read and write. Same for the homedir share.

First I logged into a workstation and created a test account and configured it like I wanted. Then I logged in as admin, went to control panel>system>users and found the profile that I just created. I gave Everyone full control and copied the profile to my server.

On my server, when I open the shared folders snap in the netlogon share shows a path of C:\WINDOWS\SYSVOL\sysvol\mydomain.com\SCRIPTS. So when I copied the profile I used C:\WINDOWS\SYSVOL\sysvol\mydomain.com\SCRIPTS\Default User.

If I open the netlogon share I can see my default user profile and by looking at the shortcuts in the desktop folder I know this is the folder I copied.

Now when I log a user into the domain for the first time I get an error message "Windows cannot locate the server copy of your roaming profile is attempting to locate your local profile". Of course this test user has not logged into the workstation either, so no local profile is found and I get the corresponding error message "Local profile cannot be located, a temp will be created for you. All changes will be lost when you log off".

One thing to note is that I can get the profile to log on to the domain if I set up a local account on the workstation, but only if I give it admin rights. Plus that does not set up the default profile I built.

So how do I set up a roaming profile that will enable a user who has never logged into a workstation? I don't want to have to manually add each user to the workstation, nor do I want to give them admin rights. What have I done wrong??? I thought I did this by the book. Any help would be great.

1 Solution
Lee W, MVP, Technology and Business Process Advisor Commented:
The first time a user logs on, if the profile does not exist on the network, Windows creates it based on the "Default Profile" in c:\documents and settings.

Hello mmcmillin,

Can you please answer/check a couple of things:

- In Active Directory, on the user account's properties, is the profile path set to the correct location? \\severname\profile$\%username% <-- From a workstation, can you resolve the name servername? Also, can you actually map a drive as that user from any workstation to \\servername\profiles$\hisusernamehere ?
- For the profiles share on your server, I know you have said that the share permissions are everyone = FC, however, what about NTFS permissions? Do users have proper NTFS permissions enabled to get to their right profiles?
- I am not sure what you are using the Netlogon share for. The Netlogon share is just meant to keep their "logon scripts". Are you keeping something related to their profile there? Can you please elaborate?
- When a user logs on to a domain, and his account in the DC has a roaming profile, the profile should get downloaded to his machine, irrespective of what the default profile is, or if he has ever logged on to that machine.
- On your local machines, on the C:\documents and settings folder, have you actually made changes to the default security permissions?

Please post back - Thanks
Following articles also might be useful to you:

To create the profiles:

How to create profiles on W2K. VERY IMPORTANT IN HERE: When you are copying a default profile as a "base" profile, make sure you use the "permission to use" permissions correctly. Please follow and review this article:

Windows can't locate a server copy of your profile error:

Thanks and Good Luck :)

mmcmillin (Author) Commented:
Hi KaliKoder,

Thanks for your response. I'll break down the responses to each of your questions to make it a bit easier to follow.

In AD is the profile path set correctly? Yep verified this.

I can map a network drive from a workstation to the users home drive on the server.

I can ping the server by both IP address and name and get a good response.

I am using the netlogon share to setup a base default user profile so that everyone can start from the same uniform profile. Every book I read said this was how to do it. Create a profile just the way you like it, then copy it to the netlogon share.

On my local machines I did change the permissions of default users folder. This improved things in that when I tried to logon, I still get the cannot locate server copy of default profile, but it did then use the correct local profile.

I'm still playing with getting NTFS permissions on the PROFILES share on my server. Right now when I navigate to my PROFILES folder and right click it and select sharing & security this is what I have.

Administrators (mydomain\administrators) - full control
Creator - Owner - read & execute\list\read
System - full control
Everyone - full control
Users (mydomain\users) - full control

You stated that when a user with a roaming profile logs in to a DC the profile should get downloaded to his machine irrespective of the fact what the default profile is, or if he has ever logged into that machine before.

Can you elaborate a bit more? Where is this profile coming from? Why isn't it looking for my netlogon default profile?

Thanks a lot. Look forward to your response.
mmcmillin (Author) Commented:
Hello Again Kalikoder,

I think I have fixed the problem. Turned out to be permissions on the profile$ share. I also uncovered another problem that I have yet to solve.

One of the problems was that my test user could not log on. I created the test account and then in the profiles tab set the path to \\server\profile$\test. However a folder for the test user is not created in the profile$ share. When I set the path to the home drive as \\server\HomeDir\Test a folder for the test user is created just fine in the HomeDir share.

I cannot figure out why the test folder is not being created in the profile$ share. When I originally set up my users, they all automatically showed up just fine. These users can log in with their roaming profile just fine. My problem now seems to be creating new users.

Hello Mike :)

Good thing it worked out for you. I had thought it would be something related to the permissions, and that's why it was one of the first things I had asked you to check.

Now, I know you are using a Netlogon share for making a roaming profile, however, this is something I have never done, and I am not even sure if this is recommended practice. I know everyone's method can be different, but here is what I have followed:

- Create a share on a network called profiles$, give this share everyone FC permission
- Create a "base" profile as indicated in the article http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q243/4/20.asp&NoWebContent=1 
- In Control Panel, double-click System, and then click the User Profiles tab. Under Profiles Stored On This Computer, click the profile that you want to copy, and then click Copy To. In the Copy Profile To dialog box, type the network path to the folder. Under Permitted to Use, click Change and type the "EVERYONE" group on here!!
- Now on a network somewhere, you would have a "base roaming profile". Save this copy in some place safe.
- When you set up a new user, copy this base profile folder to the \\server\profiles$\ folder and call that the newusername. \\server\profiles$\newusername
- Make sure that path is reflected in the user's Active Directory properties
- Make sure that the \\server\profiles$\newusername has the desired permissions for the new user

That's all you need. I know what I explained above seems a lot of work, however it may not be. We have the same exact procedure, and we run a single batch file that runs and does all the above. There is no room for error, and it's time tested. All we have to enter is a username at the batch file prompt; it uses the CACLs command, the Net Groups command, Mkdir, SCOPY command etc. to do all the work. If you are looking to have roaming profiles work well, and have a lot of users come and go, or support a great many machines, it might be worthwhile to spend all this time once and get the process perfect :-) Trust me, it would save you hours later!!

Thanks :)
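
A provisioning script of the kind described in the post above, as an added example; it is not the poster's batch file. The paths, share name and domain name are placeholders, BASE_PROFILE is assumed to be the folder produced by the Copy To step, and it uses xcopy and cacls rather than SCOPY, granting Full Control on the new folder only to the user, Administrators and SYSTEM:

```batch
@echo off
rem Added example (not from the thread): provision one roaming-profile folder.
rem The four values below are placeholders; adjust them to your server.
setlocal
set PROFILE_ROOT=D:\Profiles
set PROFILE_UNC=\\server\profiles$
set BASE_PROFILE=D:\BaseProfile
set DOMAIN=MYDOMAIN

set NEWUSER=
set /p NEWUSER=Username to provision: 
if "%NEWUSER%"=="" (
    echo No username entered.
    exit /b 1
)

rem Stop if the account does not exist in the domain.
net user %NEWUSER% /domain >nul 2>&1
if errorlevel 1 (
    echo Account %NEWUSER% was not found.
    exit /b 1
)

rem Never overwrite an existing profile folder.
if exist "%PROFILE_ROOT%\%NEWUSER%" (
    echo %PROFILE_ROOT%\%NEWUSER% already exists.
    exit /b 1
)

mkdir "%PROFILE_ROOT%\%NEWUSER%"
rem /E subfolders incl. empty, /H hidden and system files (NTUSER.DAT is hidden),
rem /K keep attributes, /I treat target as a folder, /Y no overwrite prompt.
xcopy "%BASE_PROFILE%" "%PROFILE_ROOT%\%NEWUSER%" /E /H /K /I /Y >nul
if errorlevel 1 (
    echo Copy of the base profile failed.
    exit /b 1
)

rem Replace (not edit) the ACL on the whole tree so that only the user,
rem Administrators and SYSTEM have Full Control. Assumes no spaces in the name.
echo y| cacls "%PROFILE_ROOT%\%NEWUSER%" /T /G %DOMAIN%\%NEWUSER%:F Administrators:F SYSTEM:F

rem Point the account's profile path at the new folder.
net user %NEWUSER% /profilepath:%PROFILE_UNC%\%NEWUSER% /domain

rem Print the resulting ACL for review instead of trusting an exit code.
cacls "%PROFILE_ROOT%\%NEWUSER%"
endlocal
```

The final cacls listing should show no Everyone or Users entry on the user's folder, so one user cannot read another user's profile through the share.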
mmcmillin (Author) Commented:
Hello KaliKoder,

Thanks again for getting back to me. I appreciate the information.

It sounds like we are doing the same thing, except I am copying the default user to the netlogon share and you are directing to put it in the profile$ share. As far as what is the recommended practice I cannot say. Only that putting it in the logon share is described in several books such as MS Press - Managing & Maintaining a MS Windows 2003 Server, Mark Minasi - Mastering Server 2003 and several web references on Microsoft's website.

The second thing I would like to add is that I am very new to this. This is the first server I have ever set up. My skills using batch files are zero. Perhaps how to write batch files or something like it will be the next book I pick up. If you have any good references I'd be happy to hear them.

Thanks for your help.

Sure Mike! I am not at my office right now; once I am there, I would post you a copy perhaps. It's a very long and cumbersome file, but it's "hard work done once, that works every time" :) In the meanwhile, if you have some questions as to how to do certain things using batch files, please don't hesitate to ask.

Thanks :)
mmcmillin (Author) Commented:
Hey that would be great! If you want we can exchange personal email addresses too. Thanks again for all of your help!

Question has a verified solution.
