Solved

Need help with roaming user profiles

Posted on 2010-08-25
Last Modified: 2012-05-10
I need some help with roaming user profiles.  I'm running a program called Graphon Go-Global for Windows (GGW) that acts somewhat like Citrix in that users can connect with a thin-client or browser plug-in to run Windows programs from the server.  The user appears to Windows like a local user, so the first time they login, they get a folder under c:\users\username with all the appropriate files and folders created there (or under documents and settings if installed on previous versions of Windows server).  GGW presents the user with its own applications window from which they launch the programs rather than a virtual Windows desktop.  When logging in, group policies are applied to the Active Directory users.

The GGW software can do load balancing where it will send a user to a member server that has low volume.  The issue I have is that the first time a user connects to a server they've not connected to before, the server sees them as new and creates a profile for them on that server under c:\users.  The application that we host saves settings to the user's registry (HKEY_CURRENT_USER), so all those settings are lost if they get a different server the next time they log in.  I'm told that the solution is to set up roaming user profiles.  I'm not having much luck.  I want all user profiles on a server called SHSMASTER in a folder called Profiles on the D: drive.

Here's what I've done:
Created a profiles folder on SHSMASTER server and set it to be shared as profiles$.  I assigned permissions to this folder and the share as described here:
http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx 

Then I ran group policy editor.  I have a policy that I have applied to the OU called "hosting customers" called "hosting customer policy".  I've verified that settings in here take effect by hiding some things in Internet Explorer via the policy, setting up IE as an application the user could run through GGW, then logging in as a user through GGW and running IE as a test.  Sure enough, the modifications were seen by the user.

Next I tried to set up roaming profiles via the policy.  I went here:
Computer configuration/Policies/Administrative Templates/System/User Profiles Set Roaming Profile: Enabled

I set the path for \\shsmaster\profiles$\%USERNAME%  to match what I had set up earlier.

When I login via GGW, it forwards me to the first available server, HOST1.  I see that it creates the user's profile under C:\USERS on that server, rather than going to the share set up on SHSMASTER.

I tried manually creating a user folder for the user under the profiles folder and assigning them full rights, but that didn't help.  I also tried putting \\shsmaster\profiles\%username% in the profile path field on the profiles tab of their user object in Active Directory Users and Computers.

Even though this is not Citrix, I'm posting to that forum in addition to the Windows 2008 forum because I've heard of the need to set up something similar for Citrix somewhere in years past.

Ideas from the Experts?

0
Question by:pcspcs
12 Comments
 
LVL 2

Expert Comment

by:cnemcse1
ID: 33526850
First, check that Authenticated Users have Full Control to the original folder PROFILES, and that Everyone has full control in the share permissions (profiles$).

Then check the User properties, profile tab, profile path and it has to be \\shsmaster\profiles$\%USERNAME% (where the username has to be the real username). If you don't see the path, then your problem is in the GPO. Use the group policy console and check if the policy applied.

You must log on as the user at least twice; cached credentials won't let the policy take effect right away.
0
 

Author Comment

by:pcspcs
ID: 33527033
Authenticated Users did not have full control, so I added it.  Same for Everyone having full control of the share.

Should their username folder get created automatically under the profiles folder when they log in (the second time)?  I don't have to manually create it, do I?

Also, on the user properties, profile tab of the AD user, do I have to put that path in for their profile, or should the group policy automatically add it?
0
 

Author Comment

by:pcspcs
ID: 33527301
I'm getting more confused.  After changing permissions as you described, I also decided to remove the %username% from the end of the path in the group policy.  Then the next time I logged in it created USER1.V2 folder and stored the profile there.  Great!  But when I create a new user, USER2 in the same OU, it doesn't do this.  I decided to try logging into a different server this time, HOST2. I figured surely USER1 would work since it seemed to be reading the policy.  But no luck.  Even with USER1 it just created a new profile on HOST2 under the USERS folder.

I also rebooted all three servers and tried GPUPDATE at various times.  Are there any time limits needed for anything to take effect here?  SHSMASTER is the PDC by the way and the only server running AD ...the others are just joined to the domain.
0

 
LVL 3

Accepted Solution

by:
sbo2002 earned 500 total points
ID: 33532490
I think you might be expecting the wrong behavior from roaming profiles. I'll list what will happen for a user configured with a roaming profile who has never logged on before:

1) User logs on for the first time. Profile gets created on the server that they logged onto.
2) User logs off. Profile gets uploaded to the network share specified in the roaming profile configuration.
3) User logs on to a server (the same server or a different server). Profile gets copied down from the network share to the server the user is logging on to.
4) User logs off. Profile gets uploaded to the network share.

You will always see a profile created locally. A roaming profile means that the profile gets copied down from the network share to whatever machine you log onto and it gets uploaded back to the network share when you log off.

Folder Redirection, on the other hand, is where you specify a network share and the data exists only on that network share. With a redirected My Documents folder, for example, My Documents is just a shortcut to the network share. The data in My Documents is never downloaded to the computer that the user logs on to.

Once you get roaming profiles performing the way you want them to, I'd suggest you implement Folder Redirection as well. If your users store data on the Desktop or in My Documents, all of that data has to get downloaded to the local computer each time they log on if you use roaming profiles and don't redirect any of those folders where users store data. That's the big knock against roaming profiles. As users accumulate data, it takes longer and longer for them to log on because all that stuff has to download.

You can't redirect NTUSER.DAT (which is where the registry is) as far as I know, so your solution will have to include roaming profiles. You won't be able to do it all with Folder Redirection.
0
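The upload-at-logoff steps in the sequence above can be checked from the session host. This is an added example, not code from the thread: it reads `Win32_UserProfile` and compares the `NTUSER.DAT` timestamps of the local and roaming copies. Trying a `.V2` suffix on the reported roaming path and the five-minute tolerance are assumptions of the example.

```powershell
# Added example: report roaming-profile state on one session host.
# Run from an elevated prompt on the host being tested.

function Get-HiveTime([string]$ProfileDir) {
    # Last write time of NTUSER.DAT in $ProfileDir or "$ProfileDir.V2"
    # (assumption: the share folder may carry the .V2 suffix seen in the thread).
    # Returns $null when the file is missing or access is denied.
    if ([string]::IsNullOrEmpty($ProfileDir)) { return $null }
    foreach ($dir in @($ProfileDir, "$ProfileDir.V2")) {
        $path = [IO.Path]::Combine($dir, 'NTUSER.DAT')
        # -Force is needed because the hive file is hidden.
        $hive = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($hive) { return $hive.LastWriteTime }
    }
    return $null
}

function Get-RoamingProfileReport {
    param([int]$ToleranceMinutes = 5)   # assumed slack between the two copies
    Get-WmiObject -Class Win32_UserProfile -Filter 'Special = FALSE' | ForEach-Object {
        $local  = Get-HiveTime $_.LocalPath
        $remote = Get-HiveTime $_.RoamingPath
        if (-not $_.RoamingConfigured) {
            $state = 'local only: no roaming path in effect'
        }
        elseif ($_.Loaded) {
            $state = 'in use: upload happens at logoff'
        }
        elseif ($null -eq $remote) {
            $state = 'no readable NTUSER.DAT on the share'
        }
        elseif ($local -and $local -gt $remote.AddMinutes($ToleranceMinutes)) {
            $state = 'local hive newer than share: last logoff did not upload'
        }
        else {
            $state = 'share copy is current'
        }
        New-Object PSObject -Property @{
            LocalPath   = $_.LocalPath
            RoamingPath = $_.RoamingPath
            LocalHive   = $local
            ShareHive   = $remote
            State       = $state
        }
    }
}

Get-RoamingProfileReport |
    Format-List LocalPath, RoamingPath, LocalHive, ShareHive, State
```

An account that cannot read the per-user folder on the share gets the "no readable NTUSER.DAT" result even when the file exists.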
 

Author Comment

by:pcspcs
ID: 33532833
Wow, thanks for the thorough description.  That will help greatly in trying to figure out if things are working right as I work with this.  You're right, I'll want to use folder redirection too so that desktop and my documents go directly to the network share rather than having to copy up and down each time from the roaming profile folder to the local server they log into.  And I'll definitely want roaming profiles too since I want user registry changes made by the app to follow them.

Two more things to clarify that would help me get this going:

1.  Is there any need to manually put a path in the user's object in AD for their profile, or should the group policy take care of it (I hope)?  Will the group policy actually end up updating their user object in AD so that if I go there and look I'll see that it worked?

2. Am I in the right place when I'm setting this in: Computer configuration/Policies/Administrative Templates/System/User Profiles Set Roaming Profile ?  And when I do make changes there, do I get the policy changes to apply ASAP by opening a command prompt and running GPUPDATE?  Should I do that on the PDC as well as the member servers where the users log in?
0
 

Author Comment

by:pcspcs
ID: 33534148
Okay, I got things set so that the user folder will automatically get created under the profiles share (with .v2 after it) once the user logs in.  I had previously been setting this in the GPO for the OU with the users and didn't realize that as a computer-wide setting I'd have to apply it to the OU with the servers themselves.  I actually created a new OU called Hosting Servers then moved the two hosting servers from the Computers OU into the Hosting Servers OU.  I then created a new GPO and linked it to this OU.

Now the problem seems to be that it's not actually using that folder that it creates.  User registry settings don't appear to be going there because they differ based on which server the user logs into.  I took ownership of the user's folder under profiles as administrator so I could see if the NTUSER.DAT file was getting copied there, but it's not.  In fact, the folder is empty (I set for show hidden and system files).

I went ahead and manually put the profile path in the user's object, both at USER1 and USER1.V2, but to no avail.

Share Permissions
Administrators, System, Authenticated Users, Everyone: Full Access
NTFS Permissions
Administrators, Creator, System, Authenticated Users: Full Access

Now what?
0
 
LVL 3

Expert Comment

by:sbo2002
ID: 33536453
There are two types of roaming profiles:
A) The roaming profile for users logging directly onto a workstation.
B) The roaming profile for users logging into a server via Terminal Services (or Remote Desktop Services on 2008).

Additionally, there are two places where you can configure these profiles:
C) In the account properties for each account.
D) In Group Policy (Computer Config > Admin Templates > Windows Components > Remote Desktop Services)

I think you've been configuring the wrong roaming profile (A) when the profile you want to configure is (B). As far as (C) and (D) go, you probably want (D).

Limit your testing to one server, for now. Make the GPO changes on the PDC and then do gpupdate on the member server that you're going to use for testing. Make sure you run the command prompt as administrator (I mean right-click and choose "run as administrator", not just open a command prompt while logged on as an administrator). Log on as a user and log off and see if the profile gets uploaded to the share.
0
 

Author Comment

by:pcspcs
ID: 33536850
Getting closer.  First, I've confirmed that when a user logs in via GGW it logs them in as if they were directly logging into the server, not an RDP/TS session.  One way I know this is that when I create a new user then login I see a folder for their profile get created in the path I specified in the GPO on the share folder on the PDC.  I think that confirms that we're dealing with A).  

So the question is why it creates that folder, but then doesn't store anything there?  I have to take ownership of it to open it as admin, but doing so confirms that it's empty.  It seems like it could be a permissions issue, but I've given full access to the share and NTFS as shown above.

Thanks for clarifying the other issues.  I now know not to put anything on the profile tab for the AD user since the GPO will set their profile and also that the GPO does not fill it in on the user object either, so I shouldn't look for it to be there.
0
 
LVL 3

Assisted Solution

by:sbo2002
sbo2002 earned 500 total points
ID: 33537214
Try logging directly onto the server as one of your users. I mean not through the GGW software, just regular CTRL+ALT+DEL and log on.

If these are physical servers, do this through a direct logon (using the keyboard connected to the server), not RDP.  Logon and logoff and see if the profile gets created correctly in the share.

If these are VMs, log in using the hypervisor's management console.

If the profile gets created correctly when you logon directly, then it's possible that Windows doesn't know how to execute roaming profiles correctly when you log on using GGW. I don't know how you'd fix that. Maybe check the GGW support site...but only after you verify that you have roaming profiles working correctly when not logging in through the GGW software.
0
 

Author Comment

by:pcspcs
ID: 33538007
Closer still!  Yes these are VMs, so I logged in via Hyper-V and it did not see it as an RDP session and let me in.  When I do this, it still creates the profile folder on the share like it did before.  But this time it seems to actually copy the profile into it when I log out.  I know this because I changed something in the application that we host while logged in at the server, then I logged in via GGW and the change was there.  I could then log in to either host server and it would read that setting from the roaming profile in the shared folder.

However, if I make changes while logged in via GGW, it doesn't seem to copy it back up to the profile in the shared folder when logging off because the change is not visible when logging into the other server...it retains the value set when I logged in at the console instead.

So it seems to me that perhaps one of two things is happening:

1. GGW is not functioning properly to tell Windows it's logging the user out so that the profile will copy from the local server back to the roaming folder in the share or

2. Perhaps there's a permission issue where it tries to copy but can't do so

Does that sound right?
0
 
LVL 3

Expert Comment

by:sbo2002
ID: 33540221
I'd guess that (2) is unlikely. If GGW is running in the context of the logged in user, then permissions shouldn't be an issue. The easiest way to eliminate this as a possibility is to add "everyone: full control" to both the share permissions and the NTFS permissions on your roaming profile share. If it still doesn't work, then it's not permissions. If it does work, you'll just need to figure out who GGW is running as and add appropriate permissions for that account.

If the problem is (1), then I'm out of suggestions. Assuming GGW is running as a locally logged in user and not an RDP user, you have the roaming profiles set up correctly and it's still not working. Now you're into developer-level troubleshooting, which is a little deeper than I can go. At least you've narrowed the problem down to one specific thing: GGW not triggering the roaming profile process when a session closes.
0
 

Author Comment

by:pcspcs
ID: 33541534
Even with the group Everyone having full access to the share and the folder itself it still seems that a GGW login will bring down the user info from the shared profile folder to the local server, but does not seem to process the logout to push it back up.  So it seems we're looking at a GGW bug/issue as you said, and I'll bring it up with them. Thanks for the excellent help with troubleshooting.
0
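The thread leaves Authenticated Users and Everyone with Full Access on the profile root. As an added example (not from any poster), this lists Allow ACEs on that folder that are held by broad groups and are inheritable by the per-user subfolders. The `\\shsmaster\profiles$` default comes from the question, and treating any inheritable broad-group ACE as a finding is an assumption of the example. It reads NTFS permissions only, not share permissions.

```powershell
# Added example: list inheritable Allow ACEs held by broad groups on the
# roaming-profile root. Checks NTFS permissions only, not share permissions.
function Get-BroadInheritableAce {
    param([string]$ProfileRoot = '\\shsmaster\profiles$')  # share from the thread

    # Well-known SIDs, so the check does not depend on the OS display language.
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $sidType = [Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -Path $ProfileRoot

    # $true, $true: include both explicit and inherited rules.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if (-not $broad.ContainsKey($sid)) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # InheritanceFlags 'None' means "this folder only": the ACE never
        # reaches the per-user subfolders, so it is not reported.
        if ($ace.InheritanceFlags -eq 'None') { continue }
        New-Object PSObject -Property @{
            Principal = $broad[$sid]
            Rights    = $ace.FileSystemRights
            AppliesTo = $ace.InheritanceFlags
            Inherited = $ace.IsInherited
        }
    }
}

$findings = @(Get-BroadInheritableAce)
if ($findings.Count -eq 0) {
    'No inheritable broad-group ACEs on the profile root.'
} else {
    $findings | Format-Table Principal, Rights, AppliesTo, Inherited -AutoSize
}
```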


Question has a verified solution.
