Roaming Profiles Not Being Created or Used
Hi folks!
Roaming profiles problem. Got a Windows Server 2003-based Active Directory domain. We are currently using roaming profiles for all users, and existing users are having no difficulty. I'm adding a batch of new users, however, and cannot get their roaming profiles to work. I've tried creating them manually through AD Users and Computers as well as using dsadd, and neither works.
Basically, I create a user and specify the network location for their profile directory, which in our case is something like \\fileserver\profiles$\use
I have verified that permissions are all correct at both the share level and the NTFS level for the profiles$ share. I've also logged in as the user and manually accessed the \\fileserver\profiles$ share and am able to access it, create directories, create files, etc. So permissions do not seem to be an issue. As I said, I've tried both AD Users and Computers and dsadd. No luck either way.
Any thoughts?
- Ithizar
Roaming profiles problem. Got a Windows Server 2003-based Active Directory domain. We are currently using roaming profiles for all users, and existing users are having no difficulty. I'm adding a batch of new users, however, and cannot get their roaming profiles to work. I've tried creating them manually through AD Users and Computers as well as using dsadd, and neither works.
Basically, I create a user and specify the network location for their profile directory, which in our case is something like \\fileserver\profiles$\use
I have verified that permissions are all correct at both the share level and the NTFS level for the profiles$ share. I've also logged in as the user and manually accessed the \\fileserver\profiles$ share and am able to access it, create directories, create files, etc. So permissions do not seem to be an issue. As I said, I've tried both AD Users and Computers and dsadd. No luck either way.
Any thoughts?
- Ithizar
Mike Kline
are you using username or %username%
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Sorry, when I said "username" I meant an actual username. I started out trying the %username% variable, but then thinking something might be wrong with that, I've been trying to manually create accounts entering the actual username. So, for example, for jdoe I would have:
\\server\profiles$\jdoe
\\server\profiles$\jdoe
Double check the permissions again just to be safe http://technet.microsoft.com/en-us/library/cc757013(WS.10).aspx
Try logging on with one of these new users from a few machines to make sure it is not a machine issue.
...honestly sounds like you did everything right.
Try logging on with one of these new users from a few machines to make sure it is not a machine issue.
...honestly sounds like you did everything right.
yes...the variable should have as part of the profile path should have worked. i never create this without it as i'm afraid of misspelling the user's name.
ASKER
digitap: There are no errors at boot up or log in currently displayed, and there are no errors in the event log either. It's as if it's totally ignoring the fact that a profile path has been specified in the first place.
I enabled verbose logging as you suggested and rebooted the machine, as well as logged into the network. This time, I did get a roaming profile error at log on. Specifically:
"Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.
DETAIL - Access is denied."
However, if I put the UNC path of the profile folder for this user into the Run dialog, it is able to pull up the path and I have full access to add, change, and delete files and folders. I also have checked the permissions both at the share and NTFS levels, and everything appears to be correct. I cannot figure out where the "access is denied" error would be coming from.
- Ithizar
I enabled verbose logging as you suggested and rebooted the machine, as well as logged into the network. This time, I did get a roaming profile error at log on. Specifically:
"Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.
DETAIL - Access is denied."
However, if I put the UNC path of the profile folder for this user into the Run dialog, it is able to pull up the path and I have full access to add, change, and delete files and folders. I also have checked the permissions both at the share and NTFS levels, and everything appears to be correct. I cannot figure out where the "access is denied" error would be coming from.
- Ithizar
hmmm...curious. you can login on the SAME computer with an older account and it logs on fine...no errors? delete the user and recreate?
ASKER
Yes, older accounts are unaffected. The computer I am doing this testing from is regularly used by another employee all day long, and she has no issues what-so-ever.
As an experiment, I temporarily made this new user account a member of the Administrators and Domain Admins group on the domain. I then logged into the computer again. The error did not recur. I logged out and then checked the user's profile directory. The profile had been copied to the appropriate directory.
I'm afraid that doesn't clear it up for me, though. That does seem to confirm a permissions error of some sort. But I don't understand how there could be a permissions error when I can log in as the user and manually access the profile directory and have full access.
- Ithizar
As an experiment, I temporarily made this new user account a member of the Administrators and Domain Admins group on the domain. I then logged into the computer again. The error did not recur. I logged out and then checked the user's profile directory. The profile had been copied to the appropriate directory.
I'm afraid that doesn't clear it up for me, though. That does seem to confirm a permissions error of some sort. But I don't understand how there could be a permissions error when I can log in as the user and manually access the profile directory and have full access.
- Ithizar
have you configured the profile share exactly as the links we provided and without any custom security groups?
you could even create a new "test" share and apply the security per the links above and try again.
you could even create a new "test" share and apply the security per the links above and try again.
ASKER
I double checked both the NTFS security settings and the share permissions and compared to them to the TechNet link that was given above. All of the settings match exactly, except that the Administrators and Domain Admins group have Full Control rights to the profiles share at the share level. All other permissions specified, such as the security group permissions, Everyone permissions, local system permissions, etc. are correct.
After making sure those matched, I created a brand new test user account named "John Q. Public" with a username of jpublic. I created this account manually through Active Directory Users and Computers. I double checked that all settings were correct.
And, yet, still having the same problem.
I am attaching five screen shots of Active Directory settings and permissions to show what is what. Hopefully, you will see something I have missed.
- Ithizar
jpublicad1.jpg
jpublicad2.jpg
security1.jpg
security2.jpg
security3.jpg
After making sure those matched, I created a brand new test user account named "John Q. Public" with a username of jpublic. I created this account manually through Active Directory Users and Computers. I double checked that all settings were correct.
And, yet, still having the same problem.
I am attaching five screen shots of Active Directory settings and permissions to show what is what. Hopefully, you will see something I have missed.
- Ithizar
jpublicad1.jpg
jpublicad2.jpg
security1.jpg
security2.jpg
security3.jpg
The only thing I see that's different is within the share-level. The instructions indicate that Everyone should have full control. I don't know if that matters. That's the only thing I have specified when I create the share.
I'll keep looking.
I'll keep looking.
ASKER
The instructions I'm looking at specify that Everyone should have no permissions. I'm getting them from this link:
http://technet.microsoft.com/en-us/library/cc757013(WS.10).aspx
Is there a different set of instructions you have that I should be following?
Thanks!
- Ithizar
http://technet.microsoft.com/en-us/library/cc757013(WS.10).aspx
Is there a different set of instructions you have that I should be following?
Thanks!
- Ithizar
sorry...i'm wrong. i double checked and you're right. i'm on the phone with a user walking them through installing a new server, switch and various network hardware at a new location. i should wait to do this until i can give more attention....sorry.
ASKER
That's okay. I appreciate everything that you, and the others who have posted here, are doing. This is an extremely frustrating problem, and so far I've come up with no potential solution, other than making every one of our users an Administrator. :) We are a junior college and, unfortunately, our students are back in the building on Monday morning, so I don't have long to figure this issue out.
Sorry...one more link. I didn't think the link you were referencing looked like the one I've used before. I thought the link below was the one I posted above, but it wasn't. Please review below and let me know what you think:
http://support.microsoft.com/kb/274443
http://support.microsoft.com/kb/274443
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Bummer...sorry I didn't have the "golden" answer. I was for sure it was a rights issue. However, you got it and I appreciate the points!
By the way, above it's indicating:
Notice: Ithizar has requested that this question be closed by accepting Ithizar's comment #33438636 (0 points) as the solution for the following reason...
Meaning, your points are being awarded the way you've indicated. They have a new system and some times points aren't being awarded as we like. FYI...
Notice: Ithizar has requested that this question be closed by accepting Ithizar's comment #33438636 (0 points) as the solution for the following reason...
Meaning, your points are being awarded the way you've indicated. They have a new system and some times points aren't being awarded as we like. FYI...