Roaming Profiles Not Being Created or Used

Hi folks!

Roaming profiles problem. Got a Windows Server 2003-based Active Directory domain. We are currently using roaming profiles for all users, and existing users are having no difficulty. I'm adding a batch of new users, however, and cannot get their roaming profiles to work. I've tried creating them manually through AD Users and Computers as well as using dsadd, and neither works.

Basically, I create a user and specify the network location for their profile directory, which in our case is something like \\fileserver\profiles$\username. Ordinarily, based on my past experience, the first time the user logs in, their profile and profile directory are automatically created. This doesn't happen. No directory created. So I tried creating the profile directory manually myself in advance. Still makes no difference. Nothing is actually copied to the directory when the user logs in.

I have verified that permissions are all correct at both the share level and the NTFS level for the profiles$ share. I've also logged in as the user and manually accessed the \\fileserver\profiles$ share and am able to access it, create directories, create files, etc. So permissions do not seem to be an issue. As I said, I've tried both AD Users and Computers and dsadd. No luck either way.

Any thoughts?

- Ithizar
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mike KlineCommented:
are you using username or %username%
Do you get an error when the user logs on indicating that it can't find or can't access the roaming profile?  I know you said you checked the security already, but, to error on the side of completeness, here is a link describing how those settings should be configured. there any information in the event log?  Can you provide a screen shot of the user profile tab where the roaming profile information is configured?Also, here are steps to increase logging for the local workstation.  Post sanitized userenv.log information.Hive: HKEY_LOCAL_MACHINEKey: SOFTWARE\Microsoft\Windows\CurrentVersion\policies\systemName: VerboseStatusType: REG_DWORDValue: 1 default=0Note: Status messages will not display if the following key is present and the value is set to 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages2) Reboot disconnected.  Note the time.  Watch the status messages to see where it is hanging.3) After it finally boots, check the Event Log for relevant messages that were logged during the boot process and post them here if you can't identify the problem from the verbose messages and Event log errors.Having problems with login scripts and Group Policies? You can enable verbose logging to track all changes and settings applied using Group Policy and its extension to the local computer and to users who log on to the computer. The log file, userenv.log, will be written into the %windir%\debug folder. This folder is a hidden folder. To enable verbose logging (Userenv.log):Hive: HKEY_LOCAL_MACHINEKey: Software\Microsoft\Windows NT\Current Version\WinlogonName: UserenvDebugLevelType: REG_DWORDSet UserenvDebugLevel=30002 is for verbose logging, UserenvDebugLevel=30001 is for errors and warnings only, and UserenvDebugLevel=30000 logs nothing.
IthizarAuthor Commented:
Sorry, when I said "username" I meant an actual username. I started out trying the %username% variable, but then thinking something might be wrong with that, I've been trying to manually create accounts entering the actual username. So, for example, for jdoe I would have:

Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Mike KlineCommented:
Double check the permissions again just to be safe

Try logging on with one of these new users from a few machines to make sure it is not a machine issue.

...honestly sounds like you did everything right.
yes...the variable should have as part of the profile path should have worked.  i never create this without it as i'm afraid of misspelling the user's name.
IthizarAuthor Commented:
digitap: There are no errors at boot up or log in currently displayed, and there are no errors in the event log either. It's as if it's totally ignoring the fact that a profile path has been specified in the first place.

I enabled verbose logging as you suggested and rebooted the machine, as well as logged into the network. This time, I did get a roaming profile error at log on. Specifically:

"Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.

DETAIL - Access is denied."

However, if I put the UNC path of the profile folder for this user into the Run dialog, it is able to pull up the path and I have full access to add, change, and delete files and folders. I also have checked the permissions both at the share and NTFS levels, and everything appears to be correct. I cannot figure out where the "access is denied" error would be coming from.

- Ithizar
hmmm...curious.  you can login on the SAME computer with an older account and it logs on errors?  delete the user and recreate?
IthizarAuthor Commented:
Yes, older accounts are unaffected. The computer I am doing this testing from is regularly used by another employee all day long, and she has no issues what-so-ever.

As an experiment, I temporarily made this new user account a member of the Administrators and Domain Admins group on the domain. I then logged into the computer again. The error did not recur. I logged out and then checked the user's profile directory. The profile had been copied to the appropriate directory.

I'm afraid that doesn't clear it up for me, though. That does seem to confirm a permissions error of some sort. But I don't understand how there could be a permissions error when I can log in as the user and manually access the profile directory and have full access.

- Ithizar
have you configured the profile share exactly as the links we provided and without any custom security groups?

you could even create a new "test" share and apply the security per the links above and try again.
IthizarAuthor Commented:
I double checked both the NTFS security settings and the share permissions and compared to them to the TechNet link that was given above. All of the settings match exactly, except that the Administrators and Domain Admins group have Full Control rights to the profiles share at the share level. All other permissions specified, such as the security group permissions, Everyone permissions, local system permissions, etc. are correct.

After making sure those matched, I created a brand new test user account named "John Q. Public" with a username of jpublic. I created this account manually through Active Directory Users and Computers. I double checked that all settings were correct.

And, yet, still having the same problem.

I am attaching five screen shots of Active Directory settings and permissions to show what is what. Hopefully, you will see something I have missed.

- Ithizar
The only thing I see that's different is within the share-level.  The instructions indicate that Everyone should have full control.  I don't know if that matters.  That's the only thing I have specified when I create the share.

I'll keep looking.
IthizarAuthor Commented:
The instructions I'm looking at specify that Everyone should have no permissions. I'm getting them from this link:

Is there a different set of instructions you have that I should be following?


- Ithizar
sorry...i'm wrong.  i double checked and you're right.  i'm on the phone with a user walking them through installing a new server, switch and various network hardware at a new location.  i should wait to do this until i can give more attention....sorry.
IthizarAuthor Commented:
That's okay. I appreciate everything that you, and the others who have posted here, are doing. This is an extremely frustrating problem, and so far I've come up with no potential solution, other than making every one of our users an Administrator. :) We are a junior college and, unfortunately, our students are back in the building on Monday morning, so I don't have long to figure this issue out.
digitapCommented: more link.  I didn't think the link you were referencing looked like the one I've used before.  I thought the link below was the one I posted above, but it wasn't.  Please review below and let me know what you think:
IthizarAuthor Commented:
Well, folks, I want to thank everyone who helped, especially digitap, but I think I'm just going to have to chalk this one up to one of those inexplicable Microsoft happenings.

Today, after spending a good 2 days working on this problem, I finally decided it was time to just chuck this server and start over. The server where the profiles are being stored is nothing but a file server, so nothing complex to re-install and re-configure, and all of the data is on a separate drive from the operating system. So I wiped the OS drive and did a fresh, clean install of Server 2003, applied all the patches and updates, and then configured a brand new profiles share according to the last link provided by digitap.

Once that was done, all worked normally. I can't even begin to explain what was going on with the server, but whatever it was apparently was specific to that Windows install and was eliminated by wiping it. It was frustrating to have to go that route, but as a friend of mine once said "Sometimes it's just easier to do it the hard way." :)

None of the discussion in this thread produced an actual solution to the original problem, but digitap got me thinking in a lot of valuable directions and provided the link that I used to configure the newly installed server and its profiles share, so I'm awarding the points on this one to him.

Thanks again!

- Ithizar

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Bummer...sorry I didn't have the "golden" answer.  I was for sure it was a rights issue.  However, you got it and I appreciate the points!
By the way, above it's indicating:

Notice: Ithizar has requested that this question be closed by accepting Ithizar's comment #33438636 (0 points) as the solution for the following reason...

Meaning, your points are being awarded the way you've indicated.  They have a new system and some times points aren't being awarded as we like.  FYI...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.