troubleshooting Question

Terminal Service User Profile Problem - No other profile other than the default can be specified - it won't load the ntuser.dat for the specified user profile or apply group policy

Asked by: dahelpdesk
Topics: Operating Systems, Microsoft Server OS
I find it hard to explain the nature of this problem - so let me explain how I can reproduce this issue which I hope will present the problem clearly:

We have a few Windows 2003 Terminal Services Servers and would like to move a bunch of users to Terminal Services instead of using Roaming profiles.

We are storing the user profiles for TS on a file share server - so the path we put in the "Profile Path" field on the "Terminal Services Profile" tab is \\server\share\%username%.

When the user logs in, a default profile is created at that path, everything works great.

However, we would like to take the current roaming profiles and use them on the TS so that the users continue to have their desktop and documents that currently roam to each workstation for them.  They have been using these roaming profiles for years, so I would really like to let them continue to use them.

Here is where I encounter the problem:

If I specify in the same field on the same tab \\server\roamingprofileshare\username\profilefolder and then log into the TS, the documents and files from the roaming profile path download as the user profile, but the registry is not read or used at all - no toolbars, no desktop colors, no group policy. If I open the registry and try to create a value in the HKCU hive, I get "access denied."

Here are some steps I've taken to further narrow down the exact problem:

With a test account I have logged into a PC with a local profile, thus creating a default profile for this user. (no roaming profile)
Then, using this same test account, I have logged into the TS with the profile path on the "Terminal Services Profile" tab set to \\server\share\%username%, thus creating a profile at that location.

I then log out of the TS and simply copy the ntuser.dat that was created in the first step over the top of the ntuser.dat that was created in the second step.

I then check the permissions and make sure they are still the same - the test account has full control of the file and is the owner of the file.

I then log into TS with the test account and I have the same problem I had with the roaming profile:  no toolbars, no desktop colors, no group policy. If I open the registry and try to create a value in the HKCU hive, I get access denied.

I also run into this same problem if I try to specify a common profile for a number of locked down users - I wanted to use a common mandatory profile for a number of limited users who have a very restrictive group policy applied to them, but with the terminal service profile path pointed to the common profile, I get no toolbars, no desktop colors, and no group policy!!! This seems like a security risk, as I intend for these users to be very locked down by group policy.

Bottom line: it seems that the only ntuser.dat that the terminal services server will load as a part of the user profile is the one that was created specifically for that user on initial login - no others.

So, I have assigned 500 points to this because it seems quite difficult - I've spent hours already trying different ways of setting the path, the permissions on the folders and files, all to no avail.

Your help will be greatly appreciated!

Thanks!


ASKER CERTIFIED SOLUTION
DarthMod
