

Problem Accessing Roaming Profiles

Posted on 2014-01-21
Medium Priority
Last Modified: 2014-02-05
When some of our students log into our lab computers, they are getting an error message that Windows could not locate their roaming profile and they are being logged in with a temporary profile.  
We are running Active Directory on 2008 R2 servers.  We have been upgrading our lab computers from XP to Windows 7.  We have a handful of XP lab computers still to be updated.
I've noticed that the students who are able to log in successfully have two folders in the roaming profiles folder.  One with their username and one with .v2 after their username.  The students who are being logged in with a temporary profile do not have the .v2 profile folder.  
What do I need to do to fix this issue?  Thanks!
Question by:Charlotte Ealick

Expert Comment

ID: 39797546
I would start by checking the permissions at the Share and NTFS level. Are the users' roaming profiles created at first logon or are they pre-created by the administrators?

Also, check if the path specified for the profile in AD is correct in their configs.

Author Comment

by:Charlotte Ealick
ID: 39797837
The roaming profiles are created at first logon.
The path in the profile is correct.  (Although the profile path doesn't include .v2)
All the roaming profiles are located in one folder.  The file permissions for that roaming profile folder allow full access to the administrator group.  The permissions aren't inherited.  I am not able to view the permissions for the individual roaming profiles.

Assisted Solution

Mahesh earned 2000 total points
ID: 39798063
Now, if you try to fix permissions on the roaming profile base folder, you will need to set permissions for each folder and also take ownership, which can affect other roaming profiles on the share.
Instead, you could set up a new root folder for Win7 roaming profiles as below.
Create a root folder called Win7Profiles and grant it share permissions as below:

Security group of users needing to put data on share OR authenticated users - Full Control

Security Permissions:
Creator Owner - Full Control, Subfolders and Files Only
Security group of users needing to put data on share OR authenticated users - List Folder/Read Data, Create Folders/Append Data - This Folder Only
Local System - Full Control, This Folder, Subfolders and Files


Also, do not forget to set a GPO on the OU containing the computers and configure the Add the Administrator security group to the roaming user profile share GPO setting under Computer configuration\administrative templates\system\user profiles

Note: The policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time.
In the default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves file permissions.

Also, you don't need to worry: even if you change the roaming profile path on the server and in the AD properties of users, it will create \ copy the existing user's local profile on the new share as the roaming profile.
Later on, you can delete the old roaming profile folder from the old share by taking ownership of it.

Hope that helps
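
The share and NTFS permissions listed in the answer above, applied with PowerShell. This is an added example, not part of the original thread; the local path `D:\Win7Profiles` and the share name are assumptions, and well-known SIDs are used in place of account names for the NTFS entries.

```powershell
# Added example: create the profile root with the ACL from the answer above.
# Assumed values (not from the thread): local path and share name.
$Root      = 'D:\Win7Profiles'
$ShareName = 'Win7Profiles'

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Well-known SIDs: CREATOR OWNER, Authenticated Users, Local System.
$CreatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'
$AuthUsers    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$LocalSystem  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'

$Children    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoChildren  = [System.Security.AccessControl.InheritanceFlags]::None
$NoProp      = [System.Security.AccessControl.PropagationFlags]::None
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function New-AllowRule($Sid, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Sid, [System.Security.AccessControl.FileSystemRights]$Rights,
        $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$Acl = Get-Acl -Path $Root
$Acl.SetAccessRuleProtection($true, $false)      # stop inheriting, keep no inherited ACEs
foreach ($ace in @($Acl.Access)) { [void]$Acl.RemoveAccessRule($ace) }

# Creator Owner - Full Control, Subfolders and Files Only
$Acl.AddAccessRule((New-AllowRule $CreatorOwner 'FullControl' $Children $InheritOnly))
# Authenticated Users - List Folder/Read Data, Create Folders/Append Data, This Folder Only
$Acl.AddAccessRule((New-AllowRule $AuthUsers 'ListDirectory, AppendData' $NoChildren $NoProp))
# Local System - Full Control, This Folder, Subfolders and Files
$Acl.AddAccessRule((New-AllowRule $LocalSystem 'FullControl' $Children $NoProp))
Set-Acl -Path $Root -AclObject $Acl

# Share permission from the answer: Full Control for the users' group.
net share "$ShareName=$Root" '/GRANT:Authenticated Users,FULL'

# Read the ACL back: exactly three explicit entries should be listed.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Because the user entry applies to this folder only, each user can create a profile folder but cannot open folders created by other users.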


Author Comment

by:Charlotte Ealick
ID: 39800417
Thank you for this information.  After reading about roaming profiles, it looks like the preferred practice in some organizations is not to give access to administrators.  I'm not uncomfortable with not seeing their roaming profiles.  
I am concerned about some users being logged into a temporary profile.  Some users are being logged in properly to their roaming profile and some are getting a warning that they are logging into a temporary profile.  The roaming profiles for all students are in one folder, and I believe that the permissions for their individual profile folders would be the same.
All of the users who are being logged in properly (who are logging in from a Windows 7 machine) have a .v2 roaming profile.  None of the users who are being logged into a temporary profile have the .v2 roaming profile.
Is there something else I can try besides the permissions?

Assisted Solution

Mahesh earned 2000 total points
ID: 39800834
You can delete the roaming user profile path from the user's properties in AD and then allow the user to log in to the workstation.
Now he will \ should get logged on with a local profile that has the same contents as the roaming profile.
Now you can put the new roaming user profile path in the user properties as mentioned above and check whether the new roaming profile gets created at the new location.
Because if a permissions issue exists on the server side, the user probably cannot create the roaming profile, it gets corrupted, and that causes a temp profile to be created.

Alternatively, you can take ownership of his old roaming profile folder only, explicitly grant the user full control permissions with replace child object permissions in advanced options on his profile folder, and check at the next logon whether he gets the same profile.


Author Comment

by:Charlotte Ealick
ID: 39833044
Thank you for your helpful and thorough instructions.  It has taken me a while to get back to you.  We were slowed down by snow and then I needed to be sure I understood your suggestions.  
After reading your information on the appropriate permissions, I realized that the permissions for our roaming profile folder do not include the user.  Only administrator accounts are granted permission to the actual folder.  
Rather than set up a new roaming profile folder, since my administrator account has full control of the current roaming profile folder, would it cause problems if I added a security permission for the authenticated users to give them the List Folder/Read Data, Create Folders/Append Data for that Folder only?  
The existing roaming profiles for each individual seem to be working properly.  The problem is with new users or with users who move from XP to Win7 and need the new .v2 profile.

Assisted Solution

Mahesh earned 2000 total points
ID: 39833258
Actually, when you set the above permissions on the roaming profile root folder on the server, at the first attempt users will be able to create their roaming profile folders underneath the root folder, which grants them full control and ownership of their roaming profile folder.
Starting from Windows Vista, MS has appended the .V2 extension to roaming profiles.
Starting from Win 8 I think it's changed to .V3. I have not tested it, but I have read it somewhere.
You can try adding the above permissions explicitly on the existing roaming profiles root folder. It should work.

But setting up a brand new roaming profile root folder with correct permissions is a very easy option. Computers will also save their profiles on the new path without any problem. Once all profiles have been migrated this way to the new folder, you can simply delete the old roaming profile folder.
I am just outlining the high-level steps below.

Remove the roaming profile path from one user object in Active Directory that is using a Win7 machine.
Ask the user to log on to the Win7 machine and ensure that he has got a local profile with all settings.
Open the registry on his machine, navigate to the ProfileList registry key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and ensure that the centralprofile registry is empty \ not there.
Centralprofile represents the roaming user profile path.

Now log off the user and enter the new roaming user profile path in the form of a variable in the AD user properties as below.
Now ask the user again to log on to the workstation and check whether the roaming profile folder is created at the new location and the user has got his profile perfectly.
Also check whether the Centralprofile registry key is created \ pointing to the new profile path in the registry.

If the above idea works perfectly, you can remove the roaming profile path from all Win7 users in Active Directory, allow them to log in with local profiles for a day, and then point their roaming profile folder to the new path the next day.

The same trick can be used for WinXP machines as well.


Author Comment

by:Charlotte Ealick
ID: 39833340
Although making a new roaming profile root folder makes sense, I think I will try changing permissions on the existing folder.
We have about 300 student users, so changing their profile in AD would be challenging.  Is there a way to use group policy to do this?

Assisted Solution

Mahesh earned 2000 total points
ID: 39833512
You can try changing the permissions.

Actually, it's not challenging once you have created a new root folder for roaming profiles with appropriate permissions.

Try the below in phases.
Take a sample of 10 users.
After production hours, select all 10 users, right-click and go to properties \ profile tab, and remove the roaming profile path.
Allow the users to log on the next day with local profiles.
Now navigate to the 10 users' properties \ profile tab and enter \\server\profiles\%username% as the new profile path. This will populate the roaming profile path for all users in AD, and when the users log on to a workstation the next day, their roaming profile will get created at the new path on the server.

Alternatively, you can use a GPO to achieve this, but it's not for users, it is for computers.
It means whoever logs on to that computer will get a roaming profile.
The setting can be found at Computer configuration\administrative templates\system\user profiles as "Set roaming Profile path for all users logging on to this computer", and here you need to enter a path such as \\server\profiles\%username%
This policy needs to be applied to the OU containing the computer accounts.
Here is what you can do: create one global security group and add some sample computers (one \ two) for testing. Now use group policy security filtering, remove authenticated users and add the above group there.
Remember, all computers in the group must reside in the OU \ somewhere underneath in a sub-OU; only then will the policy apply.
This will ensure that the policy does not apply to other computers in the OU, and once you have success, add more computers to that group gradually.
Check the excellent article below.
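
The phased change described in the answer above can be scripted for a pilot batch instead of editing accounts by hand. This is an added example, not from the thread: it assumes the ActiveDirectory PowerShell module, a hypothetical OU `OU=Students,DC=example,DC=local` and a hypothetical CSV file name, and it writes each account name into the `\\server\profiles` path explicitly because `Set-ADUser` stores the string exactly as given.

```powershell
# Added example: two-phase profile path change for a pilot batch of users.
Import-Module ActiveDirectory

$SearchBase  = 'OU=Students,DC=example,DC=local'   # hypothetical OU
$ProfileRoot = '\\server\profiles'                 # path used in the answer above
$BatchSize   = 10                                  # sample size from the answer
$BatchFile   = '.\profile-pilot.csv'               # hypothetical record of the batch

function Clear-PilotProfilePath {
    # Phase 1 (after production hours): record the old paths for rollback,
    # then remove the roaming profile path so users log on with local profiles.
    $users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties ProfilePath |
        Where-Object { $_.ProfilePath } |
        Sort-Object SamAccountName |
        Select-Object -First $BatchSize

    $users | Select-Object SamAccountName, ProfilePath |
        Export-Csv -Path $BatchFile -NoTypeInformation

    # Remove -WhatIf once the listed changes have been reviewed.
    $users | Set-ADUser -Clear profilePath -WhatIf
}

function Set-PilotProfilePath {
    # Phase 2 (after the users have logged on once with local profiles):
    # point the same accounts at the new root folder.
    foreach ($row in Import-Csv -Path $BatchFile) {
        $newPath = '{0}\{1}' -f $ProfileRoot, $row.SamAccountName
        Set-ADUser -Identity $row.SamAccountName -ProfilePath $newPath -WhatIf
    }
}

function Get-PilotProfilePath {
    # Verification: show old and current path side by side for the batch.
    foreach ($row in Import-Csv -Path $BatchFile) {
        $u = Get-ADUser -Identity $row.SamAccountName -Properties ProfilePath
        New-Object PSObject -Property @{
            User = $u.SamAccountName; Old = $row.ProfilePath; Current = $u.ProfilePath
        }
    }
}
```

Run `Clear-PilotProfilePath` one evening and `Set-PilotProfilePath` after the next day's logons; the CSV keeps the previous paths if the batch has to be rolled back.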


Author Comment

by:Charlotte Ealick
ID: 39834041
Changing the permissions for that root folder only seems to have worked for now.  I  think I will follow your directions to set up a new roaming profile folder this summer when the students are away.
Thank you for sharing the link.  It is an excellent article, and the site looks very helpful.
May I ask one more question?  Is it possible for roaming profiles to become corrupted if a user fails to log off from a workstation and then logs into another workstation while still logged into the first?

Accepted Solution

Mahesh earned 2000 total points
ID: 39834885
No, it will not corrupt roaming profiles stored on the server.

When a user logs on to a workstation for the first time, it will first create the roaming profile on the server.

Now if the user logs on to multiple computers, his roaming profile gets downloaded from the server to the new workstations, so if the user has not logged off on that workstation, any changes he made to the profile on that workstation will not get saved to the server copy.
If in the meantime the user has also logged on to another workstation, the roaming profile gets downloaded to that workstation from the server, but changes made to the profile on the first computer will not be visible on the second computer.

Now whichever session logs off first, those changes will be stored in the server copy and be available to the user if he logs on to a third machine.


Author Closing Comment

by:Charlotte Ealick
ID: 39835385
Problem solved!  The detailed instructions have been very helpful for me!


Question has a verified solution.
