[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7707
  • Last Modified:

Windows 7 Professional will not load roaming profile from domain server

I'm running a Windows 2003 R2 domain with Windows XP clients. Redirected folders and roaming profiles work perfectly.

We are now testing a roll-out of Windows 7 and having trouble with the roaming profiles. Win7 reports that the roaming profile could not be accessed and is using a temp profile.

I have searched Google and Microsoft high and low for a solution - nothing. Here are the details of the error on the Win7 client.

ERROR #1
---
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
---

ERROR #2
---
Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights.

DETAIL - Access is denied.
---

Since this error is present for existing user accounts I created a new user that hadn't logged in anywhere. The same error was generated.

The user accounts have Full Control permission for their profile folder on the server.

I have duplicated this error on two different installations of Windows 7 with different user accounts. No amount of "logoff and login" will get the roaming profile to work.

The server-based profile folder can be viewed/accessed using the Command Prompt or Windows Explorer. It's difficult to believe this is an "access is denied" error as Event Viewer suggests. Perhaps it is an issue of the application of GPO between Windows Server 2003 and Windows 7.

Any idea what's going on here? Thanks for your help.
0
ebrodeur
Asked:
ebrodeur
  • 4
  • 2
  • 2
  • +1
1 Solution
 
TeethingCommented:
Ensure that the user is the OWNER of the their profile folder and domain users will need full control of the root folder so that a new folder can be created.

If you are migrating exisiting XP users, there will be a new profile folder created because windows vista and above use new user profile configs that are <username>.V2 on the server.

For instance, in our network we have a network share \\server\user.profiles$ and then all users have a subfolder under here.  The Domain Users group has full control on the \\server\user.profiles$ folder and then they have full control and are the owner of their \\server\user.profiles$\username and \\server\user.profiles$\username.v2
0
 
arixsinCommented:
0
Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

 
ebrodeurAuthor Commented:
Thanks for answering and I'll try our proposed solution this week.

It's been a long delay due to the holidays and my work schedule.
0
 
ebrodeurAuthor Commented:
@teething:

Your solution resolved the problem. What follows is my walk through of the solution.

The root of my profile folder share (Profiles) did not assign Full Control to anyone except the Administrators group. For my domain I use a global group called "Users_Domain_All" which I assigned to the root of the Profiles folder; I did so using Advanced settings such that Full Control was assigned to "This folder only."

Upon login of a normal user account, the respective "username.V2" profile folder was created on the file server, taking its contents from the original (Windows XP) profile folder (username).

The ownership of the original profile folder is Administrators and had no bearing (good or bad) on the creation of the V2 profile folder. The owner of the V2 folder was set to that of the domain user account which logged in.

Subsequent user logins (via Windows 7) were successful. I did not attempt login from a Windows XP client to witness the changes that might occur between the two profile folders.

There were follow-up items relating to Group Policy that I implemented. Mostly done to remove the warning message about Windows Libraries being inaccessible due to non-indexed network resources.

Thanks for your help. You nailed it.
0
 
lisafamfCommented:
I am having the same exact problem as above, and I have very limited knowledge of all of this so bear with me please....

"Ensure that the user is the OWNER of the their profile folder and domain users will need full control of the root folder so that a new folder can be created."

However, the user does have full control and ownership.  This in on the server level, do I need permission settings on the W7 machine?  It seems as if that was the only issue and once that was resolved the problem was resolved, but since there is already full control and ownership, I am confused as to why it is not working for me>

I'm not sure what I would do differently in regards to the username.v2?  Is this something automatic, or do I have to do something with that?

The local machine is Windows 7 Ultimate
My server is W2003 standard edition Svc pack 2
I have installed Symantec Endpoint protection on this machine.  Never used it before, so don't know if there is an issue there, with some kind of firewall?

I am just testing this on the users new machine, she is still on XP,  still connecting to her roaming profile on this machine, until I have the 7 machine up and running.  Will that be an issue?

I am on the low end of the knowledge base here, so feel free to answer as if you are talking to a 3 year old! :)
Thanks in andvance for any help, even though this question has been closed, it is the one the describes my issue to a T.
Lisa

0
 
ebrodeurAuthor Commented:
@lisafamf,

You state that your domain user has Ownership of their profile folder but what you don't mention is if the Domain Users group has [Full Control] on the root profile folder. This is the most critical part because without it, the V2 folder may not be created properly.
0
 
lisafamfCommented:
Oh ok, that is the difference.  What are the ramifications of the domain users group having [full control] on the root profile folder, and how do you do that?

Also, should I be testing this with a newly created fake user, instead of the person who is still using their XP machine while I'm setting up this machine?

Thanks so much for taking the time to look at this question again!

Lisa
0
 
ebrodeurAuthor Commented:
I don't intend to avoid answering your question but the ramifications are moot if you need to get this working properly. Regardless of the [Full Control] at the profile root folder, they cannot access any subfolders which is most important.

I'm not in front of a Windows computer (I use a Mac because, well, no one pays me to maintain my own computer) and can't recall the exact steps to assign [Full Control] but it may accessed via the Advanced button. Edit the Domain Users [Full Control] ACL such that it gives permission to "This folder only".

The typical ACL will be "This folder, subfolders, and files" which is NOT what you want. It must say "This folder only" because anything else will expose user data in the subfolders.

If you need help assigning NTFS permissions please search Experts Exchange or open a new ticket.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now