Solved

Moving Terminal Services Profiles

Posted on 2008-06-26
19
1,105 Views
Last Modified: 2013-11-21
I am trying to move our Terminal Services Profiles from one server to the other. Here is what i have done:
Created the share on the new server and gave Everyone Full share access
Added the Domain users group to the folder access lisst with the default rights.
Copied the users profile from the old server to the new and deleted the old profile.

When I log in as that user they log in with a brand enw profile. when they log off there is a new fiolder on the old server with their newly created profile.
For some reason it is ignoring the newly created profile completely.
0
Comment
Question by:mwalker-mdb
19 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21880055
have you changed the location on the actual account?
0
 

Author Comment

by:mwalker-mdb
ID: 21880060
Yes and it still doesn't move.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21880090
its premissions, you should have used xcopy to copy them over as your permissions are now screwed

test one account for me. Grant Authentication users full control share permissions on the root. On the users profile, grant the user full control in security settings, as well as making sure they are the owner
0
 

Author Comment

by:mwalker-mdb
ID: 21880179
No difference. It still re-creates the profile directory on the old server. It totally ignores the settings in AD.
Is it possible it is a setting in a Group Policy? I don't know if you can set that through a policy.
I will check that out. Any other ideas?

0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21880229
you can set roaming profile stuff through GPO yeah....but if you set an account setting it overrides anyway
0
 

Author Comment

by:mwalker-mdb
ID: 21880231
Yeah and I checked all the GPO's and there is no setting. I thought this was going to be easy.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21880267
have you got multiple DC's?
0
 

Author Comment

by:mwalker-mdb
ID: 21880273
Three DC's.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21880275
has replication occured on all DC's?
0
How does your email signature look on mobiles?

Do your employees use mobile devices to reply to emails? With mobile becoming increasingly important to the business world, it is in your best interest to make sure that your email signature looks great across all types of devices.

 

Author Comment

by:mwalker-mdb
ID: 21880284
Yes. I forced replication.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21880307
can you confirm the settings have taken on each server (just confirm the prof path for me)
0
 

Author Comment

by:mwalker-mdb
ID: 21880314
The change is on all servers
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21880331
in that case i have no idea, usually a profile path is a simple process to move over - i have done it beyond count - sorry mate
0
 

Author Comment

by:mwalker-mdb
ID: 21880337
I know. I thought this was supposed to be easy. Thanks for the input. If you come across anything please let me know.
0
 
LVL 3

Expert Comment

by:PoorImpulseControl
ID: 22075403
I've fixed this problem before by deleting the profile registry entry on the Citrix /TS server(s).

Each user gets an entry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
The key name is the user's SID, and values include the roaming profile path. I've occasionally had Citrix/TS that don't "see" the new path.

Fix is simple:
- identify the affected user's SID (I like psgetsid.exe from SysInternals/Microsoft's PSTools kit)
- delete the matching key from the registry

** Usual disclaimer about you're on your own: editing the registry may cause your server to crash, locusts to infest the Empire state Building, and a 3rd party candidate to hijack a close election. I'm not responsible. Really. Just ask my wife.**

when the user logs on again, the TS is forced to read the new entry from AD.

As far as permissions, Microsft has a technet entry on permissions for redirecting "My Documents", and I've successfully used the same permissions for roaming profile directories.
http://technet2.microsoft.com/windowsserver/en/library/a1b7ce04-708b-4145-830a-cadfc003acd31033.mspx?mfr=true

Here's part of a shell script I wrote that sets up permissions based on the KB. It requires the marvelous SETACL.EXE utility from sourceforge.net

set new-dir=%baseDataDir%\MyDocs
mkdir "%new-dir%"
      rem //
      rem // backup existing DACL
setacl -ot file -on "%new-dir%" -actn list -lst "i:n;f:sddl" -bckp "%new-dir%.acl"
      rem //
      rem // set DACL to inherit perms (np - "no protection")
setacl -ot file -on "%new-dir%" -actn setprot -op "dacl:np"
      rem //
      rem // clear any explicit DACL permissions assignments
setacl -ot file -on "%new-dir%" -actn clear -clr dacl
      rem //
      rem // display DACL explicit assignments
      rem // - should be empty
setacl -ot file -on "%new-dir%" -actn list -lst "i:n;f:tab"
      rem //
      rem // set DACL to "do not allow to inherit" and copy existing perms
      rem // then set explicit ACE for "domain users"
      rem //       traverse: Traverse folder / execute file
      rem //       list_dir: List folder / read data
      rem //       read_attr: Read attributes
      rem //       add_subdir: Create folders / append data
      rem //      
setacl -ot file -on "%new-dir%" -actn setprot -op "dacl:p_c" -actn ace -ace "n:domain users;p:traverse,list_dir,read_attr,add_subdir,;i:np;m:set"
      rem //
      rem // display results in tab-separated format
setacl -ot file -on "%new-dir%" -actn list -lst "i:n;f:tab"
net share MyDocs$="%new-dir%" /grant:"Domain Admins",full /grant:"SYSTEM",full /grant:"Domain Users",change /cache:documents

0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 22084838
PAQed with points refunded (250)

Computer101
EE Admin
0
 

Expert Comment

by:tbs07
ID: 22780441
If you want to stick to local user profiles on the Terminal Server, here's the procedure to move them to the new server:

   1. Create a test user account
   2. Log on to the old server with the test user account and make a couple of changes in the user environment. Write them down and logoff
   3. Start regedit on the old server and export the following 2 registry keys:

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileGuid
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

   4. Start regedit on the new server and export the same keys, as a backup copy
   5. Copy the exported keys (the .reg files) from the old server to the new server and import them, by double-clicking on them
   6. Use robocopy to copy the user profiles. In the following example robocopy is run from the new server:

          robocopy "\\old_server\c$\documents and settings" "c:\documents and settings"
             /COPYALL /S
             /XD "\\old_server\c$\documents and settings\Administrator"
                 "\\old_server\c$\documents and settings\LocalService"
                 "\\old_server\c$\documents and settings\NetworkService"
                 "\\old_server\c$\documents and settings\Default User"
                 "\\old_server\c$\documents and settings\All Users"

   7. That's it! Log on with the test user account and check the changes you made in step 2 to verify that your profile is loaded properly
0
 

Author Comment

by:mwalker-mdb
ID: 22781223
Thank you for the response but this was resolved months ago
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

Citrix XenDesktop 7.6 Citrix Policies Audio
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now