Solved

Roaming Profiles Not Being Created or Used

Posted on 2010-08-12
20
808 Views
Last Modified: 2012-05-10
Hi folks!

Roaming profiles problem. Got a Windows Server 2003-based Active Directory domain. We are currently using roaming profiles for all users, and existing users are having no difficulty. I'm adding a batch of new users, however, and cannot get their roaming profiles to work. I've tried creating them manually through AD Users and Computers as well as using dsadd, and neither works.

Basically, I create a user and specify the network location for their profile directory, which in our case is something like \\fileserver\profiles$\username. Ordinarily, based on my past experience, the first time the user logs in, their profile and profile directory are automatically created. This doesn't happen. No directory created. So I tried creating the profile directory manually myself in advance. Still makes no difference. Nothing is actually copied to the directory when the user logs in.

I have verified that permissions are all correct at both the share level and the NTFS level for the profiles$ share. I've also logged in as the user and manually accessed the \\fileserver\profiles$ share and am able to access it, create directories, create files, etc. So permissions do not seem to be an issue. As I said, I've tried both AD Users and Computers and dsadd. No luck either way.

Any thoughts?

- Ithizar
0
Comment
Question by:Ithizar
  • 9
  • 7
  • 2
20 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33425957
are you using username or %username%
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 500 total points
ID: 33425972
Do you get an error when the user logs on indicating that it can't find or can't access the roaming profile?  I know you said you checked the security already, but, to error on the side of completeness, here is a link describing how those settings should be configured.http://technet.microsoft.com/en-us/library/cc757013%28WS.10%29.aspxIs there any information in the event log?  Can you provide a screen shot of the user profile tab where the roaming profile information is configured?Also, here are steps to increase logging for the local workstation.  Post sanitized userenv.log information.Hive: HKEY_LOCAL_MACHINEKey: SOFTWARE\Microsoft\Windows\CurrentVersion\policies\systemName: VerboseStatusType: REG_DWORDValue: 1 default=0Note: Status messages will not display if the following key is present and the value is set to 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages2) Reboot disconnected.  Note the time.  Watch the status messages to see where it is hanging.3) After it finally boots, check the Event Log for relevant messages that were logged during the boot process and post them here if you can't identify the problem from the verbose messages and Event log errors.Having problems with login scripts and Group Policies? You can enable verbose logging to track all changes and settings applied using Group Policy and its extension to the local computer and to users who log on to the computer. The log file, userenv.log, will be written into the %windir%\debug folder. This folder is a hidden folder. To enable verbose logging (Userenv.log):Hive: HKEY_LOCAL_MACHINEKey: Software\Microsoft\Windows NT\Current Version\WinlogonName: UserenvDebugLevelType: REG_DWORDSet UserenvDebugLevel=30002 is for verbose logging, UserenvDebugLevel=30001 is for errors and warnings only, and UserenvDebugLevel=30000 logs nothing.
0
 

Author Comment

by:Ithizar
ID: 33425973
Sorry, when I said "username" I meant an actual username. I started out trying the %username% variable, but then thinking something might be wrong with that, I've been trying to manually create accounts entering the actual username. So, for example, for jdoe I would have:

\\server\profiles$\jdoe
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33425994
Double check the permissions again just to be safe http://technet.microsoft.com/en-us/library/cc757013(WS.10).aspx

Try logging on with one of these new users from a few machines to make sure it is not a machine issue.

...honestly sounds like you did everything right.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33426022
yes...the variable should have as part of the profile path should have worked.  i never create this without it as i'm afraid of misspelling the user's name.
0
 

Author Comment

by:Ithizar
ID: 33426053
digitap: There are no errors at boot up or log in currently displayed, and there are no errors in the event log either. It's as if it's totally ignoring the fact that a profile path has been specified in the first place.

I enabled verbose logging as you suggested and rebooted the machine, as well as logged into the network. This time, I did get a roaming profile error at log on. Specifically:

"Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.

DETAIL - Access is denied."

However, if I put the UNC path of the profile folder for this user into the Run dialog, it is able to pull up the path and I have full access to add, change, and delete files and folders. I also have checked the permissions both at the share and NTFS levels, and everything appears to be correct. I cannot figure out where the "access is denied" error would be coming from.

- Ithizar
0
 
LVL 33

Expert Comment

by:digitap
ID: 33426067
hmmm...curious.  you can login on the SAME computer with an older account and it logs on fine...no errors?  delete the user and recreate?
0
 

Author Comment

by:Ithizar
ID: 33426109
Yes, older accounts are unaffected. The computer I am doing this testing from is regularly used by another employee all day long, and she has no issues what-so-ever.

As an experiment, I temporarily made this new user account a member of the Administrators and Domain Admins group on the domain. I then logged into the computer again. The error did not recur. I logged out and then checked the user's profile directory. The profile had been copied to the appropriate directory.

I'm afraid that doesn't clear it up for me, though. That does seem to confirm a permissions error of some sort. But I don't understand how there could be a permissions error when I can log in as the user and manually access the profile directory and have full access.

- Ithizar
0
 
LVL 33

Expert Comment

by:digitap
ID: 33426149
have you configured the profile share exactly as the links we provided and without any custom security groups?

you could even create a new "test" share and apply the security per the links above and try again.
0
 

Author Comment

by:Ithizar
ID: 33432116
I double checked both the NTFS security settings and the share permissions and compared to them to the TechNet link that was given above. All of the settings match exactly, except that the Administrators and Domain Admins group have Full Control rights to the profiles share at the share level. All other permissions specified, such as the security group permissions, Everyone permissions, local system permissions, etc. are correct.

After making sure those matched, I created a brand new test user account named "John Q. Public" with a username of jpublic. I created this account manually through Active Directory Users and Computers. I double checked that all settings were correct.

And, yet, still having the same problem.

I am attaching five screen shots of Active Directory settings and permissions to show what is what. Hopefully, you will see something I have missed.

- Ithizar
jpublicad1.jpg
jpublicad2.jpg
security1.jpg
security2.jpg
security3.jpg
0
 
LVL 33

Expert Comment

by:digitap
ID: 33432401
The only thing I see that's different is within the share-level.  The instructions indicate that Everyone should have full control.  I don't know if that matters.  That's the only thing I have specified when I create the share.

I'll keep looking.
0
 

Author Comment

by:Ithizar
ID: 33432654
The instructions I'm looking at specify that Everyone should have no permissions. I'm getting them from this link:

http://technet.microsoft.com/en-us/library/cc757013(WS.10).aspx

Is there a different set of instructions you have that I should be following?

Thanks!

- Ithizar
0
 
LVL 33

Expert Comment

by:digitap
ID: 33432717
sorry...i'm wrong.  i double checked and you're right.  i'm on the phone with a user walking them through installing a new server, switch and various network hardware at a new location.  i should wait to do this until i can give more attention....sorry.
0
 

Author Comment

by:Ithizar
ID: 33432744
That's okay. I appreciate everything that you, and the others who have posted here, are doing. This is an extremely frustrating problem, and so far I've come up with no potential solution, other than making every one of our users an Administrator. :) We are a junior college and, unfortunately, our students are back in the building on Monday morning, so I don't have long to figure this issue out.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33433641
Sorry...one more link.  I didn't think the link you were referencing looked like the one I've used before.  I thought the link below was the one I posted above, but it wasn't.  Please review below and let me know what you think:

http://support.microsoft.com/kb/274443
0
 

Accepted Solution

by:
Ithizar earned 0 total points
ID: 33438636
Well, folks, I want to thank everyone who helped, especially digitap, but I think I'm just going to have to chalk this one up to one of those inexplicable Microsoft happenings.

Today, after spending a good 2 days working on this problem, I finally decided it was time to just chuck this server and start over. The server where the profiles are being stored is nothing but a file server, so nothing complex to re-install and re-configure, and all of the data is on a separate drive from the operating system. So I wiped the OS drive and did a fresh, clean install of Server 2003, applied all the patches and updates, and then configured a brand new profiles share according to the last link provided by digitap.

Once that was done, all worked normally. I can't even begin to explain what was going on with the server, but whatever it was apparently was specific to that Windows install and was eliminated by wiping it. It was frustrating to have to go that route, but as a friend of mine once said "Sometimes it's just easier to do it the hard way." :)

None of the discussion in this thread produced an actual solution to the original problem, but digitap got me thinking in a lot of valuable directions and provided the link that I used to configure the newly installed server and its profiles share, so I'm awarding the points on this one to him.

Thanks again!

- Ithizar
0
 
LVL 33

Expert Comment

by:digitap
ID: 33438786
Bummer...sorry I didn't have the "golden" answer.  I was for sure it was a rights issue.  However, you got it and I appreciate the points!
0
 
LVL 33

Expert Comment

by:digitap
ID: 33438795
By the way, above it's indicating:

Notice: Ithizar has requested that this question be closed by accepting Ithizar's comment #33438636 (0 points) as the solution for the following reason...

Meaning, your points are being awarded the way you've indicated.  They have a new system and some times points aren't being awarded as we like.  FYI...
0

Join & Write a Comment

The Need In an Active Directory enviroment, the PDC emulator provide time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication.  By default, if the time difference between systems is off by more …
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now