Problem Accessing Roaming Profiles

Posted on 2014-01-21
Last Modified: 2014-02-05
When some of our students log into our lab computers, they are getting an error message that Windows could not locate their roaming profile and they are being logged in with a temporary profile.  
We are running Active Directory on 2008 R2 servers.  We have been upgrading our lab computers from XP to Windows 7.  We have a handful of XP lab computers still to be updated.
I've noticed that the students who are able to log in successfully have two folders in the roaming profiles folder.  One with their username and one with .v2 after their username.  The students who are being logged in with a temporary profile do not have the .v2 profile folder.  
What do I need to do to fix this issue?  Thanks!
Question by:cealick

Expert Comment

ID: 39797546
I would start by checking the permissions at the Share and NTFS level. Are the users' roaming profiles created at first logon or are they pre-created by the administrators?

Also, check if the path specified for the profile in AD is correct in their configs.

Author Comment

ID: 39797837
The roaming profiles are created at first logon.
The path in the profile is correct.  (Although the profile path doesn't include .v2)
All the roaming profiles are located in one folder.  The file permissions for that roaming profile folder allow full access to the administrator group.  The permissions aren't inherited.  I am not able to view the permissions for the individual roaming profiles.

Assisted Solution

Mahesh earned 500 total points
ID: 39798063
Now if you try to cure permissions on the roaming profile base folder, you will need to set permissions for each folder and you will also need to take ownership, which can affect other roaming profiles on the share.
Instead, you could set up a new root folder for Win7 roaming profiles as below.
Create a root folder called Win7Profiles and grant it share permissions as below:

Security group of users needing to put data on share OR authenticated users - Full Control

Security Permissions:
Creator Owner - Full Control, Subfolders and Files Only
Security group of users needing to put data on share OR authenticated users - List Folder/Read Data, Create Folders/Append Data - This Folder Only
Local System - Full Control, This Folder, Subfolders and Files

Also, do not forget to set a GPO on the OU containing the computers and enable "Add the Administrator security group to the roaming user profile share" in the GPO settings under Computer configuration\administrative templates\system\user profiles

Note: The policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time.
In the default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves file permissions.

Also, you don't need to worry: even if you change the roaming profile path on the server and in the AD properties of users, it will create \ copy the existing user local profile to the new share as the roaming profile.
Later on you can delete the old roaming profile folder from the old share by taking ownership of it.

Hope that helps
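
The permission list in the answer above, as an added example that is not part of the original thread: a read-only check that reports which of the three NTFS entries are present on a profile root, plus the `icacls` call that grants them. The function names and the `D:\Win7Profiles` path are assumptions; share permissions are set separately.

```powershell
# Added example, not from the thread. Well-known SIDs keep it language-neutral.
$Expected = @(
    @{ Name = 'Creator Owner';       Sid = 'S-1-3-0';  Rights = 'FullControl'
       Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'InheritOnly' }
    @{ Name = 'Authenticated Users'; Sid = 'S-1-5-11'; Rights = 'ReadData, AppendData'
       Inherit = 'None'; Propagate = 'None' }
    @{ Name = 'Local System';        Sid = 'S-1-5-18'; Rights = 'FullControl'
       Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'None' }
)

# Reports, per expected entry, whether a matching Allow ACE exists on $Root.
function Test-ProfileRootAcl {
    param([Parameter(Mandatory = $true)][string]$Root)
    $full  = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $rules = (Get-Acl -Path $Root).GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($e in $Expected) {
        $want = [int][System.Security.AccessControl.FileSystemRights]$e.Rights
        $inh  = [System.Security.AccessControl.InheritanceFlags]$e.Inherit
        $prop = [System.Security.AccessControl.PropagationFlags]$e.Propagate
        $match = $rules | Where-Object {
            $have = [int]$_.FileSystemRights
            # Some ACEs store Full Control as GENERIC_ALL (0x10000000).
            if ($have -band 0x10000000) { $have = $full }
            $_.IdentityReference.Value -eq $e.Sid -and
            $_.AccessControlType -eq 'Allow' -and
            ($have -band $want) -eq $want -and
            $_.InheritanceFlags -eq $inh -and $_.PropagationFlags -eq $prop
        }
        New-Object psobject -Property @{
            Principal = $e.Name; Rights = $e.Rights; Present = [bool]$match }
    }
}

# Grants the three entries; /grant:r replaces an existing explicit ACE for the
# same principal and leaves other principals' ACEs untouched.
function Set-ProfileRootAcl {
    param([Parameter(Mandatory = $true)][string]$Root)
    # No inheritance flags on the last entry means "this folder only".
    icacls $Root /grant:r '*S-1-3-0:(OI)(CI)(IO)F' '*S-1-5-18:(OI)(CI)F' '*S-1-5-11:(RD,AD)'
}

# Hypothetical path; run the check first and apply only if an entry is missing.
# Test-ProfileRootAcl -Root 'D:\Win7Profiles' | Format-Table -AutoSize
```

A `Present = False` row for Authenticated Users matches the symptom in this thread: users cannot create a new profile folder under the root, so no `.v2` folder appears.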

Author Comment

ID: 39800417
Thank you for this information.  After reading about roaming profiles, it looks like the preferred practice in some organizations is not to give access to administrators.  I'm not uncomfortable with not seeing their roaming profiles.  
I am concerned about some users being logged into a temporary profile.  Some users are being logged in properly to their roaming profile and some are getting a warning that they are logging into a temporary profile.  The roaming profiles for all students are in one folder, and I believe that the permissions for their individual profile folders would be the same.
All of the users who are being logged in properly (who are logging in from a Windows 7 machine) have a .v2 roaming profile.  None of the users who are being logged into a temporary profile have the .v2 roaming profile.
Is there something else I can try besides the permissions?

Assisted Solution

Mahesh earned 500 total points
ID: 39800834
You can delete the roaming user profile path from the user properties in AD and then allow the user to log in to the workstation.
Now he will \ should get logged on with a local profile that has the same contents as the roaming profile.
Now you can put the new roaming user profile path in the user properties as mentioned above and check if the new roaming profile gets created at the new location.
Because if a permissions issue exists on the server side, the user probably cannot create the roaming profile, it gets corrupted, and that causes a temp profile to be created.

Alternatively, you can take ownership of his old roaming profile folder only, explicitly grant the user full control permissions with "replace child object permissions" in the advanced options on his profile folder, and check at the next logon whether he gets the same profile.


Author Comment

ID: 39833044
Thank you for your helpful and thorough instructions.  It has taken me a while to get back to you.  We were slowed down by snow and then I needed to be sure I understood your suggestions.  
After reading your information on the appropriate permissions, I realized that the permissions for our roaming profile folder do not include the user.  Only administrator accounts are granted permission to the actual folder.  
Rather than set up a new roaming profile folder, since my administrator account has full control of the current roaming profile folder, would it cause problems if I added a security permission for the authenticated users to give them the List Folder/Read Data, Create Folders/Append Data for that Folder only?  
The existing roaming profiles for each individual seem to be working properly.  The problem is with new users or with users who move from XP to Win7 and need the new .v2 profile.

Assisted Solution

Mahesh earned 500 total points
ID: 39833258
Actually, when you set the above permissions on the roaming profile root folder on the server, at the 1st attempt users will be able to create their roaming profile folders underneath the root folder, which grants them full control and ownership of their roaming profile folder.
Starting from Win Vista, MS has appended the .V2 extension to roaming profiles.
Starting from Win 8 I think it's changed to .V3; I have not tested it, but I have read it somewhere.
You can try adding the above permissions explicitly on the existing roaming profiles root folder. It should work.

But setting up a brand new roaming profile root folder with correct permissions is a very easy option. Computers will also save their profiles on the new path without any problem. Once all profiles have been migrated this way to the new folder, you can simply delete the old roaming profile folder.
I am just outlining the high-level steps below.

Remove the roaming profile path from 1 user object in Active Directory that is using a Win7 machine.
Ask the user to log on to the Win7 machine and ensure that he has got a local profile with all settings.
Open the registry on his machine, navigate to the ProfileList registry key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and ensure that the CentralProfile registry entry is empty \ not there.
CentralProfile represents the roaming user profile path.

Now log off the user and enter the new roaming user profile path in the form of a variable in the AD user properties as below.
Now again ask the user to log on to the workstation and check if the roaming profile folder is created in the new location and the user has got his profile perfectly.
Also check if the CentralProfile registry key is created \ pointing to the new profile path in the registry.

If the above idea works perfectly, you can remove the roaming profile path from all Win7 users in Active Directory, let them log in with local profiles for a day and then point their roaming profile folder to the new path the next day.

The same trick can be used for WinXP machines as well.


Author Comment

ID: 39833340
Although making a new roaming profile root folder makes sense, I think I will try changing permissions on the existing folder.
We have about 300 student users, so changing their profile in AD would be challenging.  Is there a way to use group policy to do this?

Assisted Solution

Mahesh earned 500 total points
ID: 39833512
You can try changing the permissions.

Actually, it's not challenging once you have created a new root folder for roaming profiles with appropriate permissions.

Try the below in phases.
Take a sample of 10 users.
After production hours, select all 10 users, right-click and go to properties \ profile tab, and remove the roaming profile path.
Allow the users to log on the next day with local profiles.
Now navigate to the 10 users' properties \ profile tab and enter \\server\profiles\%username% as the new profile path. This will populate the roaming profile path for all users in AD, and when a user logs on to a workstation the next day, their roaming profile will get created at the new path on the server.

Alternatively, you can use a GPO to achieve this, but it's not for users, it is for computers.
It means whoever logs on to that computer will get a roaming profile.
The setting can be found at Computer configuration\administrative templates\system\user profiles as "Set roaming Profile path for all users logging on to this computer", and here you need to enter a path such as \\server\profiles\%username%
This policy needs to be applied to the OU containing the computer accounts.
Here is what you can do: create one global security group and add some sample computers (one \ two) for testing. Now use group policy security filtering to remove authenticated users and add the above group there.
Remember, all computers in the group must reside in the OU \ somewhere underneath in a sub-OU; only then will the policy apply.
This will ensure that the policy does not apply to other computers in the OU, and once you have success, add more computers to that group gradually.
Check excellent article below.
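
The phased change described in the answer above, as an added example that is not part of the original thread. It uses the ActiveDirectory module cmdlets `Get-ADUser` and `Set-ADUser`; the function names, the OU, the CSV path and `\\server\profiles` are assumptions to replace with your own values.

```powershell
# Added example, not from the thread. OU, CSV path and share name are assumed.
Import-Module ActiveDirectory

# Phase 1: pick a small batch, record the old paths, then clear them.
function Clear-PilotProfilePath {
    param([string]$SearchBase, [string]$BackupCsv, [int]$Count = 10, [switch]$WhatIf)
    $pilot = Get-ADUser -SearchBase $SearchBase -Filter * -Properties ProfilePath |
        Where-Object { $_.ProfilePath } | Select-Object -First $Count
    if (-not $pilot) { return }
    # The CSV is the rollback record and the input for phase 2.
    $pilot | Select-Object SamAccountName, ProfilePath |
        Export-Csv -Path $BackupCsv -NoTypeInformation
    $pilot | Set-ADUser -Clear profilePath -WhatIf:$WhatIf
}

# Phase 2 (after the users have logged on once with a local profile):
# point the same batch at the new root.
function Set-PilotProfilePath {
    param([string]$BackupCsv, [string]$NewRoot, [switch]$WhatIf)
    foreach ($row in Import-Csv -Path $BackupCsv) {
        # Write the resolved per-user path instead of a %username% placeholder.
        $path = '{0}\{1}' -f $NewRoot.TrimEnd('\'), $row.SamAccountName
        Set-ADUser -Identity $row.SamAccountName -ProfilePath $path -WhatIf:$WhatIf
    }
}

# Dry run first (hypothetical values):
# Clear-PilotProfilePath -SearchBase 'OU=Students,DC=example,DC=local' `
#     -BackupCsv 'C:\Temp\pilot.csv' -WhatIf
# Set-PilotProfilePath -BackupCsv 'C:\Temp\pilot.csv' -NewRoot '\\server\profiles' -WhatIf
```

With `-WhatIf` the directory is not changed, but the CSV is still written, so the selected batch can be reviewed before the real run.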


Author Comment

ID: 39834041
Changing the permissions for that root folder only seems to have worked for now.  I  think I will follow your directions to set up a new roaming profile folder this summer when the students are away.
Thank you for sharing the link.  It is an excellent article, and the site looks very helpful.
May I ask one more question?  Is it possible for roaming profiles to become corrupted if a user fails to log off from a workstation and then logs into another workstation while still logged into the first?

Accepted Solution

Mahesh earned 500 total points
ID: 39834885
No, it will not corrupt roaming profiles stored on the server.

When a user logs on to a workstation for the 1st time, it will 1st create the roaming profile on the server.

Now if the user logs on to multiple computers, his roaming profile gets downloaded from the server to the new workstations, so if the user has not logged off from a workstation, any changes he made to the profile on that workstation will not be saved to the server copy.
If in the meantime the user has also logged on to another workstation, the roaming profile gets downloaded to that workstation from the server, but changes made to the profile on the 1st computer will not be visible on the 2nd computer.

Now whoever logs off 1st, those changes will be stored in the server copy and be available to the user if he logs on to a 3rd machine.


Author Closing Comment

ID: 39835385
Problem solved!  The detailed instructions have been very helpful for me!
