  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1712
  • Last Modified:

2008 R2 Roaming Profiles

Have a new 2008 R2 Server with AD installed.

Want to set up roaming profiles for my users but it doesn't seem to be working.

Tried the following...
Created folder on server called Company_Users

Shared folder (share permissions were full control Authenticated Users, Domain Admins, Domain Users)
NTFS Permissions (Full Control Authenticated Users, Domain Admins, Domain Users, System)

Set user profile to \\servername\share\%USERNAME% in the user's account under active directory.

When I log in with this user it says "you are logged on with a temporary profile..."


Please supply the steps to properly configure roaming profiles, I seem to be missing it.

Thanks
Asked by: tech911
Sandeshdubey Commented:
Have to say that the article below on the Group Policy Blog is pretty much spot on for most things you'd be looking for in setting it up.

http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/
0
 
 
tech911 (Author) Commented:
I followed the instructions in the first article, even though it was a little different from what I saw (2008 R2 I suspect), but I am still getting the "Logging you on with temporary profile this will be deleted..."

Here is what I do know...
Inside the roaming profile share, the user's folder is being created. Within that folder, there is a folder called Profile.V2 that also gets created.
There is nothing inside of the Profile.V2 folder.

Thoughts?
0
 
tech911 (Author) Commented:
Update - I put the user in the Domain Admins group, and tried to log him in from the console, it logged him in no problem.  However, it did not create his profile in the shared folder I specified in his AD profile, instead it put it in the default Users folder.

Not sure what that means?
0
 
tech911 (Author) Commented:
Update 2 -  Just to be sure there wasn't an issue with the test client we are using, I logged in using the administrator account and it logged in perfectly.

0
 
Sandeshdubey Commented:
The v2 extension was added after Vista came out.

Google "Managing Roaming User Data Deployment Guide"; that white paper has a lot more info on the v2 profiles.

More info here: http://blogs.msdn.com/spatdsg/archive/2007/03/15/vista-and-mandatory-profiles.aspx

...so it is normal and has changed per Microsoft.


On Server 2008, the .v2 profile is created because your roaming profile points to a folder that already exists.

In 2003, you might have had c:\users\usernames because that made sense.

But in 2008 (and Vista and 7) C:\users already exists, and is where "documents and settings" was moved to.

So your roaming profile is trying to co-exist in the middle of a system-default profile location. Here, the permissions are so screwed up, it creates a .v2 folder. You'll see this if you try to browse around a user's profile as a domain admin: all kinds of "you don't have permission" junk.

Your best bet is to move all your roaming profiles to something OTHER than c:\users.... call it like, c:\profiles instead.

Refer below for more details:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_27265559.html
0
 
tech911 (Author) Commented:
Update - 3

I thought the test user's account might have had an issue on the machine we were using for testing, so I grabbed a new machine (Win7-64), added it to the domain (successful), logged in from the machine as the domain admin (successful), logged in as the test user (failed) logs me on with temporary profile.

It seems that it is a permissions issue on the AD Server.  Something related to the Company_Users folder that I created to store roaming profiles in.

I am going to delete the folder, delete the user from AD, restart the server and re-create everything from scratch.

Will post update shortly.
0
 
tech911 (Author) Commented:
SOLUTION FOUND

After trying numerous iterations of permissions on the roaming profile folder, here is what worked

1.) Create the new folder that you want to store the roaming profiles in.

2.) Go into properties, security > Advanced > Edit - You want to make sure the folder is NOT inheriting permissions from its parent.  When you go to remove the inheritance you will get a pop up message, select Add from the pop up.  Click OK to everything and close out of properties for the folder.

3.) Go back into properties of the folder, security tab > Advanced > Edit, add or make sure the following entries are there (do not remove any entries until told to do so).  Also note the "Apply To" should say this folder and subfolders.  To edit an entry click Edit. To add an entry click Add.

When you are done this is what you should have...

SYSTEM : Full Control
Administrators : Full Control
Creator Owner : Full Control
Domain Users : Traverse/execute file, List folder/read data, Read Attributes, Read Extended Attributes, Create Files/write data, Create Folders/append data.

Click OK, all the way back to the properties list.

Click on the Sharing tab, share the folder, give it a name, click Permissions, give Administrators Full Control, Authenticated Users Full Control, Domain Users Full Control.  Click OK until you are back to the properties window.  Click OK to close the window.

Go back into the folder properties, Security Tab > Advanced > and remove any entries that don't belong.  Click OK until the properties window is closed.

Test and valid


0
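The NTFS part of the procedure in the post above, scripted with `Get-Acl`/`Set-Acl` as an added example (not code from the thread). The folder path and the use of `$env:USERDOMAIN` for the domain name are assumptions; share permissions are not touched.

```powershell
# Added example. Path and group name are assumptions, not values from the thread.
$ProfileRoot = 'D:\Company_Users'               # assumed location, outside C:\Users
$DomainUsers = "$env:USERDOMAIN\Domain Users"   # assumes you are logged on to the target domain

if (-not (Test-Path $ProfileRoot)) {
    New-Item -Path $ProfileRoot -ItemType Directory | Out-Null
}

$Allow      = [System.Security.AccessControl.AccessControlType]::Allow
$Subfolders = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit  # "This folder and subfolders"
$NoFlags    = [System.Security.AccessControl.PropagationFlags]::None
$Full       = [System.Security.AccessControl.FileSystemRights]::FullControl
# The six special permissions listed for Domain Users in the post.
$Limited    = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateFiles, CreateDirectories'

$Expected = @(
    @('NT AUTHORITY\SYSTEM',    $Full),
    @('BUILTIN\Administrators', $Full),
    @('CREATOR OWNER',          $Full),
    @($DomainUsers,             $Limited)
)

# Step 2: stop inheriting from the parent. The post copies the inherited entries
# ("Add") and prunes them later; passing $false drops them up front instead.
$acl = Get-Acl -Path $ProfileRoot
$acl.SetAccessRuleProtection($true, $false)

# Step 3: one Allow entry per principal, replacing any existing entry for it.
foreach ($entry in $Expected) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $entry[0], $entry[1], $Subfolders, $NoFlags, $Allow
    $acl.SetAccessRule($rule)
}
Set-Acl -Path $ProfileRoot -AclObject $acl

# Final step: list entries "that don't belong" so they can be reviewed and removed.
# No output means only the four expected principals hold rights on the folder.
$names = $Expected | ForEach-Object { $_[0] }
(Get-Acl -Path $ProfileRoot).Access |
    Where-Object { $names -notcontains $_.IdentityReference.Value } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Run it from an elevated PowerShell prompt on the file server; the syntax is kept compatible with the PowerShell 2.0 that ships with 2008 R2.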
 
Sandeshdubey Commented:
As mentioned before, you need to change the profile path to get rid of this, and by changing the roaming profile path you were able to fix the issue.

0
 
tech911 (Author) Commented:
Nice job
0
