Solved

Problem Accessing Roaming Profiles

Posted on 2014-01-21
Last Modified: 2014-02-05
When some of our students log into our lab computers, they are getting an error message that Windows could not locate their roaming profile and they are being logged in with a temporary profile.  
We are running Active Directory on 2008 R2 servers.  We have been upgrading our lab computers from XP to Windows 7.  We have a handful of XP lab computers still to be updated.
I've noticed that the students who are able to log in successfully have two folders in the roaming profiles folder.  One with their username and one with .v2 after their username.  The students who are being logged in with a temporary profile do not have the .v2 profile folder.  
What do I need to do to fix this issue?  Thanks!
Question by:cealick
 
LVL 4

Expert Comment

by:vnicolae
I would start by checking the permissions at the Share and NTFS level. Are the users' roaming profiles created at first logon or are they pre-created by the administrators?

Also, check if the path specified for the profile in AD is correct in their configs.
 

Author Comment

by:cealick
The roaming profiles are created at first logon.
The path in the profile is correct.  (Although the profile path doesn't include .v2)
All the roaming profiles are located in one folder.  The file permissions for that roaming profile folder allow full access to the administrator group.  The permissions aren't inherited.  I am not able to view the permissions for the individual roaming profiles.
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
Now if you try to fix the permissions on the roaming profile base folder, you will need to set permissions for each folder and you will also need to take ownership, which can affect other roaming profiles on the share.
Instead, you could set up a new root folder for Win7 roaming profiles as below.
Create a root folder called Win7Profiles and grant it share permissions as below:

Security group of users needing to put data on share OR authenticated users - Full Control

Security Permissions:
Creator Owner - Full Control, Subfolders and Files Only
Security group of users needing to put data on share OR authenticated users - List Folder/Read Data, Create Folders/Append Data - This Folder Only
Local System - Full Control, This Folder, Subfolders and Files

http://technet.microsoft.com/en-us/library/cc757013(WS.10).aspx

Also, do not forget to set a GPO on the OU containing the computers and configure the "Add the Administrator security group to the roaming user profile share" GPO setting under Computer configuration\administrative templates\system\user profiles

Note: The policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time.
In the default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves file permissions.

Also, you don't need to worry: even if you change the roaming profile path on the server and in the users' AD properties, it will create \ copy the existing local user profile to the new share as the roaming profile.
Later on, you can delete the old roaming profile folder from the old share by taking ownership of it.

Hope that helps

Mahesh
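
The permission set listed in the answer above, applied with PowerShell (an added example, not part of the original thread). It assumes an elevated session on the file server; the local path `D:\Win7Profiles` is a placeholder, and Authenticated Users is used where the answer allows either that or a dedicated security group.

```powershell
# Added example. Run elevated on the file server. D:\Win7Profiles is a placeholder path.
$root = 'D:\Win7Profiles'
New-Item -Path $root -ItemType Directory -Force | Out-Null

$acl = Get-Acl -Path $root
# Block inheritance from the parent folder and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Drop explicit entries left over from an earlier attempt on the same folder.
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# Each entry: identity, rights, inheritance flags, propagation flags.
$entries = @(
    # Full Control, Subfolders and Files Only
    @('CREATOR OWNER', 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly'),
    # List Folder/Read Data, Create Folders/Append Data, This Folder Only
    @('NT AUTHORITY\Authenticated Users', 'ListDirectory, CreateDirectories', 'None', 'None'),
    # Full Control, This Folder, Subfolders and Files
    @('NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'None')
)
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $e[0], $e[1], $e[2], $e[3], 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $root -AclObject $acl

# Share permission from the answer: Full Control for the same principal.
net share "Win7Profiles=$root" "/GRANT:Authenticated Users,FULL"

# Review the result before pointing any user at the new share.
(Get-Acl -Path $root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

With this ACL a user can create a profile folder under the root but cannot list or open another user's folder, because the only inheritable grant goes to whoever creates each subfolder.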
 

Author Comment

by:cealick
Hello,
Thank you for this information.  After reading about roaming profiles, it looks like the preferred practice in some organizations is not to give access to administrators.  I'm not uncomfortable with not seeing their roaming profiles.  
I am concerned about some users being logged into a temporary profile.  Some users are being logged in properly to their roaming profile and some are getting a warning that they are logging into a temporary profile.  The roaming profiles for all students are in one folder, and I believe that the permissions for their individual profile folders would be the same.
All of the users who are being logged in properly (who are logging in from a Windows 7 machine) have a .v2 roaming profile.  None of the users who are being logged into a temporary profile have the .v2 roaming profile.
Is there something else I can try besides the permissions?
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
You can delete the roaming user profile path from the user properties in AD and then allow the user to log in to the workstation.
Now he will \ should get logged on with a local profile that has the same contents as the roaming profile.
Now you can put the new roaming user profile path in the user properties as mentioned above and check whether the new roaming profile gets created at the new location.
Because if a permissions issue exists on the server side, the user probably cannot create the roaming profile, it gets corrupted, and that causes a temp profile to be created.

Alternatively, you can take ownership of his old roaming profile folder only, explicitly grant the user full control permissions with "replace child object permissions" in the advanced options on his profile folder, and check at the next logon whether he gets the same profile.

Mahesh
 

Author Comment

by:cealick
Mahesh,
Thank you for your helpful and thorough instructions.  It has taken me a while to get back to you.  We were slowed down by snow and then I needed to be sure I understood your suggestions.  
After reading your information on the appropriate permissions, I realized that the permissions for our roaming profile folder do not include the user.  Only administrator accounts are granted permission to the actual folder.  
Rather than set up a new roaming profile folder, since my administrator account has full control of the current roaming profile folder, would it cause problems if I added a security permission for the authenticated users to give them the List Folder/Read Data, Create Folders/Append Data for that Folder only?  
The existing roaming profiles for each individual seem to be working properly.  The problem is with new users or with users who move from XP to Win7 and need the new .v2 profile.
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
Actually, when you set the above permissions on the roaming profile root folder on the server, at the 1st attempt users will be able to create their roaming profile folders underneath the root folder, which grants them full control and ownership of their roaming profile folder.
Starting from Windows Vista, MS has appended the .V2 extension to roaming profiles.
Starting from Win 8 I think it's changed to .V3; I have not tested it, but I have read it somewhere.
You can try adding the above permissions explicitly on the existing roaming profiles root folder. It should work.

But setting up a brand new roaming profile root folder with correct permissions is a very easy option. Computers will also save their profiles on the new path without any problem. Once all profiles have been migrated this way to the new folder, you can simply delete the old roaming profile folder.
I am just outlining the high-level steps below.

Remove the roaming profile path from 1 user object in Active Directory that is using a Win7 machine.
Ask the user to log on to the Win7 machine and ensure that he has got a local profile with all settings.
Open the registry on his machine, navigate to the ProfileList registry key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and ensure that the centralprofile registry entry is empty \ not there.
Centralprofile represents the roaming user profile path.

Now log off the user and enter the new roaming user profile path in the form of a variable in the AD user properties, as below.
\\server1\UserProfiles\%username%
Now again ask the user to log on to the workstation and check whether the roaming profile folder is created at the new location and the user has got his profile perfectly.
Also check whether the Centralprofile registry key is created \ pointing to the new profile path in the registry.

If the above idea works perfectly, you can remove the roaming profile path from all Win7 users in Active Directory, allow them to log in with local profiles for a day and then point their roaming profile folder to the new path the next day.

The same trick can be used for WinXP machines as well.

Mahesh
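
The registry check from the steps above, scripted so it can be repeated on each pilot workstation (an added example, not part of the original thread). The function name `Get-ProfileListEntry` is hypothetical, and the expected root `\\server1\UserProfiles` is the sample path from the answer.

```powershell
# Added example. Run on the Windows 7 workstation being checked.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListEntry {
    param([string]$ExpectedRoot = '\\server1\UserProfiles')

    Get-ChildItem -Path $profileList | ForEach-Object {
        $sid   = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath

        # Resolve the SID to an account name; keys that are not a plain SID stay unresolved.
        try {
            $sidObject = [System.Security.Principal.SecurityIdentifier]$sid
            $account   = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        # CentralProfile is missing or empty when the profile is local only.
        $central = [string]$props.CentralProfile
        $onNewShare = $false
        if ($central) {
            $onNewShare = $central.StartsWith($ExpectedRoot,
                [System.StringComparison]::OrdinalIgnoreCase)
        }

        New-Object PSObject -Property @{
            Account        = $account
            Sid            = $sid
            LocalPath      = $props.ProfileImagePath
            CentralProfile = $central
            OnNewShare     = $onNewShare
        }
    }
}

Get-ProfileListEntry |
    Format-Table Account, LocalPath, CentralProfile, OnNewShare -AutoSize
```

After the path has been removed in AD and the user has logged on once, that user's row should show an empty CentralProfile; after the new path is set and the user logs on again, OnNewShare should be True.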
 

Author Comment

by:cealick
Although making a new roaming profile root folder makes sense, I think I will try changing permissions on the existing folder.
We have about 300 student users, so changing their profile in AD would be challenging.  Is there a way to use group policy to do this?
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
You can try changing the permissions.

Actually, it's not challenging once you have created a new root folder for roaming profiles with appropriate permissions.

Try the below in phases.
Take a sample of 10 users.
After production hours, select all 10 users, right-click and go to Properties \ Profile tab, and remove the roaming profile path.
Allow the users to log on the next day with local profiles.
Now navigate to the 10 users' Properties \ Profile tab and enter \\server\profiles\%username%
as the new profile path. This will populate the roaming profile path for all users in AD, and when a user logs on to a workstation the next day, their roaming profile will get created at the new path on the server.

Alternatively, you can use a GPO to achieve this, but it's not for users, it is for computers.
It means whoever logs on to that computer will get a roaming profile.
The setting can be found at Computer configuration\administrative templates\system\user profiles as "Set roaming Profile path for all users logging on to this computer", and here you need to enter a path such as \\server\profiles\%username%
This policy needs to be applied to the OU containing the computer accounts.
Here is what you can do: create one global security group and add some sample computers (one \ two) for testing. Now use group policy security filtering, remove Authenticated Users and add the above group there.
Remember, all computers in the group must reside in the OU \ somewhere underneath in a sub-OU; only then will the policy apply.
This will ensure that the policy does not apply to other computers in the OU, and once you have had success, add more computers to that group gradually.
Check the excellent article below.
http://www.grouppolicy.biz/tag/roaming-profile/

Mahesh
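
The phased, per-user approach from the answer above, scripted with the ActiveDirectory module (an added example, not part of the original thread). The OU distinguished name, the record file and both function names are placeholders; `\\server\profiles` is the sample path from the answer. Every change carries `-WhatIf`, so nothing is written until that switch is removed.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to edit the users.
Import-Module ActiveDirectory

$pilotOu = 'OU=Students,DC=example,DC=edu'   # placeholder OU
$newRoot = '\\server\profiles'               # sample path from the answer
$record  = '.\pilot-profile-paths.csv'       # placeholder file name

function Clear-PilotProfilePath {
    # Phase 1 (after production hours): take 10 users that have a profile path,
    # record the old value for rollback, then clear the attribute.
    $pilot = Get-ADUser -SearchBase $pilotOu -Filter 'ProfilePath -like "*"' `
                 -Properties ProfilePath |
             Select-Object -First 10

    $pilot | Select-Object SamAccountName, ProfilePath |
        Export-Csv -Path $record -NoTypeInformation

    $pilot | ForEach-Object {
        Set-ADUser -Identity $_ -Clear profilePath -WhatIf
    }
}

function Set-PilotProfilePath {
    # Phase 2 (after the users have logged on once with local profiles):
    # point the same users at the new root. The account name is written out
    # explicitly in place of the %username% variable typed in the Profile tab.
    Import-Csv -Path $record | ForEach-Object {
        $path = '{0}\{1}' -f $newRoot, $_.SamAccountName
        Set-ADUser -Identity $_.SamAccountName -ProfilePath $path -WhatIf
    }
}

Clear-PilotProfilePath
# Run on a later day, once the pilot users have logged on and off:
# Set-PilotProfilePath
```

The CSV written in phase 1 doubles as the rollback record: the old ProfilePath for each pilot user can be restored from it if the new share does not behave as expected.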
 

Author Comment

by:cealick
Changing the permissions for that root folder only seems to have worked for now.  I think I will follow your directions to set up a new roaming profile folder this summer when the students are away.
Thank you for sharing the link.  It is an excellent article, and the site looks very helpful.
May I ask one more question?  Is it possible for roaming profiles to become corrupted if a user fails to log off from a workstation and then logs into another workstation while still logged into the first?
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
No, it will not corrupt roaming profiles stored on the server.

When a user logs on to a workstation for the 1st time, it will 1st create the roaming profile on the server.

Now if the user logs on to multiple computers, his roaming profile gets downloaded from the server to the new workstations, so if the user has not logged off on that workstation, any changes he made to the profile on that workstation will not be saved to the server copy.
If in the meantime the user has also logged on to another workstation, the roaming profile gets downloaded to that workstation from the server, but changes made to the profile on the 1st computer will not be visible on the 2nd computer.

Now whoever logs off 1st, those changes will be stored in the server copy and be available to the user if he logs on to a 3rd machine.

Mahesh
 

Author Closing Comment

by:cealick
Problem solved!  The detailed instructions have been very helpful for me!