Need help with roaming user profiles

I need some help with roaming user profiles.  I'm running a program called Graphon Go-Global for Windows (GGW) that acts somewhat like Citrix in that users can connect with a thin-client or browser plug-in to run Windows programs from the server.  The user appears to Windows like a local user, so the first time they login, they get a folder under c:\users\username with all the appropriate files and folders created there (or under documents and settings if installed on previous versions of Windows server).  GGW presents the user with its own applications window from which they launch the programs rather than a virtual Windows desktop.  When logging in, group policies are applied to the Active Directory users.

The GGW software can do load balancing where it will send a user to a member server that has low volume.  The issue I have is that the first time a user connects to a server they've not connected to before, the server sees them as new and creates a profile for them on that server under c:\users.  The application that we host saves settings to the user's registry (HKEY_CURRENT_USER), so all those settings are lost if they get a different server the next time they log in.  I'm told that the solution is to set up roaming user profiles.  I'm not having much luck.  I want all user profiles on a server called SHSMASTER in a folder called Profiles on the D: drive.

Here's what I've done:
Created a profiles folder on SHSMASTER server and set it to be shared as profiles$.  I assigned permissions to this folder and the share as described here: 

Then I ran group policy editor.  I have a policy that I have applied to the OU called "hosting customers" called "hosting customer policy".  I've verified that settings in here take effect by hiding some things in Internet Explorer via the policy, setting up IE as an application the user could run through GGW, then logging in as a user through GGW and running IE as a test.  Sure enough, the modifications were seen by the user.

Next I tried to set up roaming profiles via the policy.  I went here:
Computer configuration/Policies/Administrative Templates/System/User Profiles Set Roaming Profile: Enabled

I set the path for \\shsmaster\profiles$\%USERNAME%  to match what I had set up earlier.

When I login via GGW, it forwards me to the first available server, HOST1.  I see that it creates the user's profile under C:\USERS on that server, rather than going to the share set up on SHSMASTER.

I tried to manually create a user folder for the user under the profiles folder and assigning them full rights, but that didn't help.  I also tried putting \\shsmaster\profiles\%username% in the profile path field on the profiles tab of their user object in Active Directory Users and Computers.

Even though this is not Citrix, I'm posting to that forum in addition to the Windows 2008 forum because I've heard of the need to set up something similar for Citrix somewhere in years past.

Ideas from the Experts?

sbo2002 Commented:
I think you might be expecting the wrong behavior from roaming profiles. I'll list what will happen for a user configured with a roaming profile who has never logged on before:

1) User logs on for the first time. Profile gets created on the server that they logged onto.
2) User logs off. Profile gets uploaded to the network share specified in the roaming profile configuration.
3) User logs on to a server (the same server or a different server). Profile gets copied down from the network share to the server the user is logging on to.
4) User logs off. Profile gets uploaded to the network share.

You will always see a profile created locally. A roaming profile means that the profile gets copied down from the network share to whatever machine you log onto and it gets uploaded back to the network share when you log off.

Folder Redirection, on the other hand, is where you specify a network share and the data exists only on that network share. With a redirected My Documents folder, for example, My Documents is just a shortcut to the network share. The data in My Documents is never downloaded to the computer that the user logs on to.

Once you get roaming profiles performing the way you want them to, I'd suggest you implement Folder Redirection as well. If your users store data on the Desktop or in My Documents, all of that data has to get downloaded to the local computer each time they log on if you use roaming profiles and don't redirect any of those folders where users store data. That's the big knock against roaming profiles. As users accumulate data, it takes longer and longer for them to log on because all that stuff has to download.

You can't redirect NTUSER.DAT (which is where the registry is) as far as I know, so your solution will have to include roaming profiles. You won't be able to do it all with Folder Redirection.
First check that Authenticated Users have Full Control on the original folder PROFILES, and that Everyone has Full Control in the share permissions (profiles$).

Then check the User properties, profile tab, profile path and it has to be \\shsmaster\profiles$\%USERNAME% (where the username has to be the real username). If you don't see the path, then your problem is in the GPO. Use the group policy console and check if the policy applied.

You must log on as the user at least twice; cached credentials won't let the policy take effect right away.
pcspcs (Author) Commented:
Authenticated Users did not have full control, so I added it.  Same for Everyone having full control of the share.

Should their username folder get created automatically under the profiles folder when they log in (the second time)?  I don't have to manually create it, do I?

Also, on the user properties, profile tab of the AD user, do I have to put that path in for their profile, or should the group policy automatically add it?
pcspcs (Author) Commented:
I'm getting more confused.  After changing permissions as you described, I also decided to remove the %username% from the end of the path in the group policy.  Then the next time I logged in it created a USER1.V2 folder and stored the profile there.  Great!  But when I create a new user, USER2, in the same OU, it doesn't do this.  I decided to try logging into a different server this time, HOST2. I figured surely USER1 would work since it seemed to be reading the policy.  But no luck.  Even with USER1 it just created a new profile on HOST2 under the USERS folder.

I also rebooted all three servers and tried GPUPDATE at various times.  Are there any time limits needed for anything to take effect here?  SHSMASTER is the PDC by the way and the only server running AD ...the others are just joined to the domain.
pcspcs (Author) Commented:
Wow, thanks for the thorough description.  That will help greatly in trying to figure out if things are working right as I work with this.  You're right, I'll want to use folder redirection too so that desktop and my documents go directly to the network share rather than having to copy up and down each time from the roaming profile folder to the local server they log into.  And I'll definitely want roaming profiles too since I want user registry changes made by the app to follow them.

Two more things to clarify that would help me get this going:

1.  Is there any need to manually put a path in the user's object in AD for their profile, or should the group policy take care of it (I hope)?  Will the group policy actually end up updating their user object in AD so that if I go there and look I'll see that it worked?

2. Am I in the right place when I'm setting this in: Computer configuration/Policies/Administrative Templates/System/User Profiles Set Roaming Profile ?  And when I do make changes there, do I get the policy changes to apply ASAP by opening a command prompt and running GPUPDATE?  Should I do that on the PDC as well as the member servers where the users login?
pcspcs (Author) Commented:
Okay, I got things set so that the user folder will automatically get created under the profiles share (with .v2 after it) once the user logs in.  I had previously been setting this in the GPO for the OU with the users and didn't realize that as a computer-wide setting I'd have to apply it to the OU with the servers themselves.  I actually created a new OU called Hosting Servers then moved the two hosting servers from the Computers OU into the Hosting Servers OU.  I then created a new GPO and linked it to this OU.

Now the problem seems to be that it's not actually using that folder that it creates.  User registry settings don't appear to be going there because they differ based on which server the user logs into.  I took ownership of the user's folder under profiles as administrator so I could see if the NTUSER.DAT file was getting copied there, but it's not.  In fact, the folder is empty (I set it to show hidden and system files).

I went ahead and manually put the profile path in the user's object, both at USER1 and USER1.V2, but to no avail.

Share Permissions
Administrators, System, Authenticated Users, Everyone: Full Access
NTFS Permissions
Administrators, Creator, System, Authenticated Users: Full Access

Now what?
There are two types of roaming profiles:
A) The roaming profile for users logging directly onto a workstation.
B) The roaming profile for users logging into a server via Terminal Services (or Remote Desktop Services on 2008).

Additionally, there are two places where you can configure these profiles:
C) In the account properties for each account.
D) In Group Policy (Computer Config > Admin Templates > Windows Components > Remote Desktop Services)

I think you've been configuring the wrong roaming profile (A) when the profile you want to configure is (B). As far as (C) and (D) go, you probably want (D).

Limit your testing to one server, for now. Make the GPO changes on the PDC and then do gpupdate on the member server that you're going to use for testing. Make sure you run the command prompt as administrator (I mean right-click and choose "run as administrator", not just open a command prompt while logged on as an administrator). Log on as a user and log off and see if the profile gets uploaded to the share.
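To check the pieces this answer lists from a member server (which of the two roaming-profile policies actually applied, the NTFS ACL on the share as that server sees it, and whether a logoff ever uploaded NTUSER.DAT into the user's .V2 folder), here is an added PowerShell diagnostic; it is not from the thread or from any of the participants, and the server, share and user names are assumptions taken from the thread.

```powershell
# Added diagnostic (not from the thread). Run in an elevated PowerShell on a
# member server such as HOST1 after gpupdate. Share, server and user names are
# assumptions taken from the thread; adjust them to your environment.
param(
    [string]$ProfileShare = '\\shsmaster\profiles$',
    [string]$User         = 'USER1'
)

# 1. Effective policy values on this server. The System/User Profiles setting
#    writes MachineProfilePath; the Remote Desktop Services setting writes
#    WFProfilePath. Only the one that applies to your logon type matters.
$sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$rdsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$sysPol = Get-ItemProperty $sysKey -ErrorAction SilentlyContinue
$rdsPol = Get-ItemProperty $rdsKey -ErrorAction SilentlyContinue
"Machine roaming profile path (System)  : $($sysPol.MachineProfilePath)"
"RDS roaming profile path (Terminal Svc): $($rdsPol.WFProfilePath)"

# 2. NTFS permissions on the share root, as reached from this server.
#    The answers above want Authenticated Users (or Everyone) with Full Control.
if (-not (Test-Path $ProfileShare)) {
    throw "Cannot reach $ProfileShare from $env:COMPUTERNAME; check the share and DNS first."
}
(Get-Acl $ProfileShare).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# 3. Did the logoff upload the profile? On 2008 the folder is <user>.V2 and a
#    completed upload leaves a hidden NTUSER.DAT in it. The folder is created
#    with an ACL that grants only the user, so run this as an administrator
#    who has taken ownership, or as the user, if you get access denied.
$folder = Join-Path $ProfileShare "$User.V2"
$hive   = Join-Path $folder 'NTUSER.DAT'
if (-not (Test-Path $folder)) {
    "No $folder yet: the policy did not apply to this server, or $User has not logged on since it did."
} elseif (-not (Test-Path $hive)) {
    "$folder exists but holds no NTUSER.DAT: the profile was never uploaded at logoff."
} else {
    $stamp = (Get-Item $hive -Force).LastWriteTime
    "NTUSER.DAT present; last uploaded at $stamp. Compare with the time of your last logoff."
}
```

Run it on each host the user is balanced to; a folder that exists but never gains an NTUSER.DAT after a logoff points at the logoff side (the profile never being unloaded and uploaded), not at the policy or the share.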
pcspcs (Author) Commented:
Getting closer.  First, I've confirmed that when a user logs in via GGW it logs them in as if they were directly logging into the server, not an RDP/TS session.  One way I know this is that when I create a new user then login I see a folder for their profile get created in the path I specified in the GPO on the share folder on the PDC.  I think that confirms that we're dealing with A).

So the question is why it creates that folder, but then doesn't store anything there?  I have to take ownership of it to open it as admin, but doing so confirms that it's empty.  It seems like it could be a permissions issue, but I've given full access to the share and NTFS as shown above.

Thanks for clarifying the other issues.  I now know not to put anything on the profile tab for the AD user since the GPO will set their profile, and also that the GPO does not fill it in on the user object either, so I shouldn't look for it to be there.
sbo2002 Commented:
Try logging directly onto the server as one of your users. I mean not through the GGW software, just regular CTRL+ALT+DEL and log on.

If these are physical servers, do this through a direct logon (using the keyboard connected to the server), not RDP.  Log on and log off and see if the profile gets created correctly in the share.

If these are VMs, log in using the hypervisor's management console.

If the profile gets created correctly when you logon directly, then it's possible that Windows doesn't know how to execute roaming profiles correctly when you log on using GGW. I don't know how you'd fix that. Maybe check the GGW support site...but only after you verify that you have roaming profiles working correctly when not logging in through the GGW software.
pcspcs (Author) Commented:
Closer still!  Yes these are VMs, so I logged in via Hyper-V and it did not see it as an RDP session and let me in.  When I do this, it still creates the profile folder on the share like it did before.  But this time it seems to actually copy the profile into it when I log out.  I know this because I changed something in the application that we host while logged in at the server, then I logged in via GGW and the change was there.  I could then log in to either host server and it would read that setting from the roaming profile in the shared folder.

However, if I make changes while logged in via GGW, it doesn't seem to copy them back up to the profile in the shared folder when logging off, because the change is not visible when logging into the other server; it retains the value set when I logged in at the console instead.

So it seems to me that perhaps one of two things are happening:

1. GGW is not functioning properly to tell Windows it's logging the user out so that the profile will copy from the local server back to the roaming folder in the share or

2. Perhaps there's a permission issue where it tries to copy but can't do so

Does that sound right?
I'd guess that (2) is unlikely. If GGW is running in the context of the logged in user, then permissions shouldn't be an issue. The easiest way to eliminate this as a possibility is to add "everyone: full control" to both the share permissions and the NTFS permissions on your roaming profile share. If it still doesn't work, then it's not permissions. If it does work, you'll just need to figure out who GGW is running as and add appropriate permissions for that account.

If the problem is (1), then I'm out of suggestions. Assuming GGW is running as a locally logged in user and not an RDP user, you have the roaming profiles set up correctly and it's still not working. Now you're into developer-level troubleshooting, which is a little deeper than I can go. At least you've narrowed the problem down to one specific thing: GGW not triggering the roaming profile process when a session closes.
pcspcs (Author) Commented:
Even with the group Everyone having full access to the share and the folder itself it still seems that a GGW login will bring down the user info from the shared profile folder to the local server, but does not seem to process the logout to push it back up.  So it seems we're looking at a GGW bug/issue as you said, and I'll bring it up with them. Thanks for the excellent help with troubleshooting.