• Status: Solved

windows cannot update your roaming profile access denied

I recently did a file server migration.

The original file server had individual shares set up for each user's roaming profile. For example, \\server\shares\username$ - However, I changed this on the new server so there is one large Profiles share and Everyone has full control. The permissions are now handled at an NTFS level. For example \\server\profiles\ and their path to the roaming profile is \\server\profiles\%username%

The problem I am running into is that when users shut down after the migration, they get the message "windows cannot update your roaming profile access denied"

Each user is the Owner of their folder and I've made sure to check the box and replace all child object permissions. This issue is still happening. I have even done the process of taking ownership as Administrator and giving ownership back to the User on a few folders, still the same error.

The actual file path is C:\Data\Profiles - NTFS permissions on Data and Profiles is full control for admins and read/modify for server\Users group. The Ownership permission is set on each individual username folder below the Profiles folder.

Thoughts?
Asked by: Metaltree
 
Hypercat (Deb) Commented:
I assume you migrated from a Windows 2003 to a Windows 2008 R2 server.  The permission requirements are different on the newer OS.  The Users group needs to have the following permissions to the top level (Profiles) folder:

Traverse folder/execute file
List folder/read data
Read attributes
Read extended attributes
Create files/write data
Create folders/append data
Read

Set this under the Advanced Security Settings. Edit the settings, and then edit the Users group settings and apply the above permissions to "This folder only" so that it doesn't get inherited down to the individual profile folders that are created.

BTW, just so you know for future reference, the user does not have to be the owner of his/her own profile folder. I always leave this set to the Administrators group.
 
Metaltree (Author) Commented:
Hello - I have verified that the local\Users group includes Domain\Domain Users group and also it includes NT AUTHORITY\Authenticated Users and INTERACTIVE.

I have verified that starting at the C:\ - in the advanced permissions there are two local\Users.. one of which contains:
Traverse folder/execute file
List folder/read data
Read attributes
Read extended attributes
Read

The other contains:
Create files/write data
Create folders/append data

I have verified these settings are Inherited on the C:\Data\Profiles folder. And I have also again verified the share gives Everyone full access.

So my issue isn't solved. :(
 
Hypercat (Deb) Commented:
This may be a silly question, but just to confirm: In addition to being the owner of the folder, I assume that each user has Full Control NTFS permissions on their own folder and subfolders, correct?

For the share permissions, remove Everyone and change it to Administrators and Users both with full control. I don't know why this would make a difference, but it's worth a try.

Is there any content in the current roaming profiles (i.e., did you copy the profile content from the old server to the new one)?  If so, I think that may be the problem.  Try creating a completely new, empty profile folder for one user on the server. Then, log on to their workstation as the Administrator and follow the traditional instructions for creating a roaming profile. That is, go to the Advanced tab of System Properties, open the Users dialog box, click their profile, select Copy To, and then fill in the fields to copy their local profile to the roaming profile folder and give them permissions.  See if that works.
 
Metaltree (Author) Commented:
I will check.

I cannot do this on a user-by-user basis to fix it; there are too many users.
 
Metaltree (Author) Commented:
The users are designated as the Owner.

The Creator Owner property gives the user Full Control.

However, most of the Username folders do not have NTFS permissions assigned to their actual Username, just Owner.
 
Hypercat (Deb) Commented:
Again, that's not the way I would do it, and every article I've ever come across on this subject states that you need to give the user's own account Full Control NTFS permissions. I would suggest that you test changing this on one user to see if it fixes the problem. Remove Creator/Owner and add the user's individual account with Full NTFS permissions on his/her profile folder and force inheritance. Test with one user and then, if this works, I believe you can change the permissions from AD on a mass basis by re-applying the profile settings.
 
Metaltree (Author) Commented:
Once I gave the user object itself Full Control, it resolved the issue. So, even though the user was the owner and the owner had full control, it still needed the actual user object assigned full control as well.

I will try the mass change via AD, hopefully it works, if not I'll have to do them one by one, which I want to avoid.
 
Metaltree (Author) Commented:
hypercat, any ideas how to do this to multiple users? Even if I re-type the profile path and re-apply it, it doesn't seem to have any effect.
 
Hypercat (Deb) Commented:
Other than using cacls in a batch file, I can't think of any other way.  For Windows 2008, you have to use icacls:

http://technet.microsoft.com/en-us/library/cc753525(v=WS.10).aspx
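
One way to script the icacls suggestion for every folder under the Profiles directory, as an added example that is not part of the original thread. It assumes each folder is named after the user's logon name, as in `\\server\profiles\%username%`; `DOMAIN` is a placeholder and the parameter names are hypothetical.

```powershell
# Added example, not from the thread. Grants each user Full Control on the
# profile folder named after them, as the accepted fix describes.
param(
    [string]$ProfileRoot = 'C:\Data\Profiles',  # local path given in the thread
    [string]$Domain      = 'DOMAIN',            # placeholder: NetBIOS domain name
    [switch]$Apply                              # omit to get a report only
)

Get-ChildItem -LiteralPath $ProfileRoot |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $folder = $_.FullName
        # Assumption: folder name is the logon name; Vista and later clients
        # append a version suffix such as ".V2", which is stripped here.
        $account = '{0}\{1}' -f $Domain, ($_.Name -replace '\.V\d+$', '')
        $status  = 'WouldGrant'

        # Resolve the account first so a stale or misnamed folder never gets
        # an ACE for the wrong principal.
        try {
            $nt = New-Object System.Security.Principal.NTAccount($account)
            [void]$nt.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            $status = 'AccountNotFound'
        }

        if ($Apply -and $status -eq 'WouldGrant') {
            # (OI)(CI)F = Full Control inherited by files and subfolders;
            # /T also rewrites children that have inheritance disabled,
            # /C continues past errors, /Q suppresses per-file success lines.
            & icacls.exe $folder /grant "${account}:(OI)(CI)F" /T /C /Q | Out-Null
            $status = if ($LASTEXITCODE -eq 0) { 'Granted' } else { "icacls exit $LASTEXITCODE" }
        }

        New-Object PSObject -Property @{ Folder = $folder; Account = $account; Status = $status }
    }
```

Run without `-Apply`, the script only lists the folder-to-account mapping and any folders whose account does not resolve; it needs an elevated prompt on the file server to make changes.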