Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Problem Accessing Roaming Profiles

Posted on 2014-01-21
Medium Priority
Last Modified: 2014-02-05
When some of our students log into our lab computers, they are getting an error message that Windows could not locate their roaming profile and they are being logged in with a temporary profile.  
We are running Active Directory on 2008 R2 servers.  We have been upgrading our lab computers from XP to Windows 7.  We have a handful of XP lab computers still to be updated.
I've noticed that the students who are able to log in successfully have two folders in the roaming profiles folder.  One with their username and one with .v2 after their username.  The students who are being logged in with a temporary profile do not have the .v2 profile folder.  
What do I need to do to fix this issue?  Thanks!
Question by:Charlotte Ealick
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5

Expert Comment

ID: 39797546
I would start by checking the permissions at the Share and NTFS level. Are the users' roaming profiles created at first logon or are they pre-created by the aministratators?

Also, check if the path specified for the profile in AD is correct in their configs.

Author Comment

by:Charlotte Ealick
ID: 39797837
The roaming profiles are created at first logon.
The path in the profile is correct.  (Although the profile path doesn't include .v2)
All the roaming profiles are located in one folder.  The file permissions for that roaming profile folder allow full access to the administrator group.  The permission aren't inherited.  I am not able to view the permissions for the individual roaming profiles.
LVL 37

Assisted Solution

Mahesh earned 2000 total points
ID: 39798063
Now if you try to cure permissions on roaming profile base folder, you will need to set permissions for each folder and also you need to take ownership as well which can affect other roaming profiles on the share.
Instead you could set new root folder for Win7 roaming profiles as below
Create a root folder called Win7Profiles and grant him share permissions as below

Security group of users needing to put data on share OR authenticated users - Full Control

Security Permissions:
Creator Owner - Full Control, Subfolders and Files Only
Security group of users needing to put data on share OR authenticated users -  
List Folder/Read Data, Create Folders/Append Data - This Folder Only
Local System - Full Control, This Folder, Subfolders and Files

Also do not forget to set GPO on OU containing computers and put Add the Administrator security group to the roaming user profile share GPO settings under Computer configuration\administrative templates\system\user profiles

Note: The policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time.
In the default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves file permissions.

Also you don't need to worry, even if you change the roaming profile path on server and in AD properties of users, it will create \ copy of existing user local profile on new share as roaming profile.
later on you can delete old roaming profile folder from old share by taking its ownership.

Hope that helps

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

by:Charlotte Ealick
ID: 39800417
Thank you for this information.  After reading about roaming profiles, it looks like the preferred practice in some organizations is not to give access to administrators.  I'm not uncomfortable with not seeing their roaming profiles.  
I am concerned about some users being logged into a temporary profile.  Some users are being logged in properly to their roaming profile and some are getting a warning that they are logging into a temporary profile.  The roaming profiles for all students are in one folder, and I believe that the permissions for their individual profile folders would be the same.
All of the users who are being logged in properly (who are logging in from a Windows 7 machine) have a .v2 roaming profile.  None of the users who are being logged into a temporary profile have the .v2 roaming profile.
Is there something else I can try besides the permissions?
LVL 37

Assisted Solution

Mahesh earned 2000 total points
ID: 39800834
You can delete roaming user profile path from user properties in AD and then allow user to login to workstation.
Now He will \ should get logged on with local profile that is having same contents as roaming profile.
Now you can put new roaming user profile path in user properties as mentioned above and check if new roaming profile get created at new location.
Because if there is permissions issue exists on server side, probably user cannot create roaming profile and its get corrupted and cause creates temp profile

Alternatively you can take ownership of his old roaming profile folder only, grant user explicitly full control permissions with replace child object permissions in advanced options on his profile folder and check in next logon if he gets the same profile


Author Comment

by:Charlotte Ealick
ID: 39833044
Thank you for your helpful and thorough instructions.  It has taken me a while to get back to you.  We were slowed down by snow and then I needed to be sure I understood your suggestions.  
After reading your information on the appropriate permissions, I realized that we are missing the permissions for our roaming profile folder do not include the user.  Only administrator accounts are granted permission to the actual folder.  
Rather than set up a new roaming profile folder, since my administrator account has full control of the current roaming profile folder, would it cause problems if I added a security permission for the authenticated users to give them the List Folder/Read Data, Create Folders/Append Data for that Folder only?  
The existing roaming profiles for each individual seem to be working properly.  The problem is with new users or with users who move from XP to Win7 and need the new .v2 profile.
LVL 37

Assisted Solution

Mahesh earned 2000 total points
ID: 39833258
Actually when you set above permissions to roaming profile root folder on server, at 1st attempt, users will be able to create there roaming profile folders underneath root folder with granting them full control and ownership of their roaming profile folder.
Starting from win Vista, MS has appended .V2 extension to roaming profiles
Starting from Win 8 I think its changed to .V3, I have not tested it, but I have reading some where.
You can try adding above permissions explicitly on the existing roaming profiles root folder, It should work.

But setting up brand new roaming profile root folder with correct permissions is very easy option. Even computers also will save their profiles on new path without any problem. Once all profiles have been migrated this way to new folder, you can simply delete old roaming profile folder.
I am just outlining high level steps as below

Remove roaming profile path from 1 user object in active directory which is using Win7 Machine.
Ask user to logon to Win7 Machine and ensure that he has got local profile with all settings.
Open registry on his machine and navigate to ProfileList registry key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and ensure that centralprofile registry is empty \ not there.
Centralprofile is representing roaming user profile path.

Now logoff user and enter new roaming user profile path in the form of variable in AD user properties as below.
Now again ask user to logon to workstation and check if roaming profile folder is created on new location and user has got its profile perfectly.
Also check if Centralprofile registry key is created \ pointing to new profile path in registry

If above idea works perfectly, you can remove roaming profile path from all Win7 users from active directory, let them allow to login with local profiles for a day and then point there roaming profile folder to new path next day.

Same trick can be used for WinXP Machines as well


Author Comment

by:Charlotte Ealick
ID: 39833340
Although making a new roaming profile root folder makes sense, I think I will try changing permissions on the existing folder.
We have about 300 student users, so changing their profile in AD would be challenging.  Is there a way to use group policy to do this?
LVL 37

Assisted Solution

Mahesh earned 2000 total points
ID: 39833512
You can try with changing permissions.

Actually its not challenging once you created new root folder for roaming profiles with appropriate permissions.

Try below in phase wise.
take a sample 10 user.
Post production hours select all 10 users, right click and go to properties \ profile tab, remove roaming profile path
Allow users to logon next day with local profiles.
Now navigate to 10 users properties \ profiles tab and enter \\server\profiles\%username%
as a new profile path. This will populate roaming profile path for all users in AD and when user logon to workstation next day, their roaming profile will get created at new path on the server

Alternatively, you can use GPO to achieve this but its not for users, it is for computers.
It means who ever logon to that computer, will get roaming profile
The setting can be found at Computer configuration\administrative templates\system\user profiles as "Set roaming Profile path for all users logging on to this computer" and here you need to enter path such as \\server\profiles\%username%
This policy need to apply to OU containing computer accounts
Here What you can do, create one global security group and add some sample computers (one \ two) for testing. Now use group policy security filtering and remove authenticated users and add above group there.
Remember, all computers in the group must reside in the OU \ some where underneath sub OU, then only policy will apply.
This will ensure that policy will not apply to other computers in OU and once you got success, add more computers to that group gradually.
Check excellent article below.


Author Comment

by:Charlotte Ealick
ID: 39834041
Changing the permissions for that root folder only seems to have worked for now.  I  think I will follow your directions to set up a new roaming profile folder this summer when the students are away.
Thank you for sharing the link.  It is an excellent article, and the site looks very helpful.
May I ask one more question?  Is it possible for roaming profiles to become corrupted if a user fails to log off from a workstation and then logs into another workstation while still logged into the first?
LVL 37

Accepted Solution

Mahesh earned 2000 total points
ID: 39834885
No, it will not corrupt roaming  profiles stored on server.

When user 1st time logon to workstation, it will 1st create roaming profile on server.

Now if user logs on to multiple computers, his roaming profile get downloaded from server to new workstations, so if user not logged of on that workstation, any changes he made in profile on that workstation will not getting saved to server copy.
In mean time user also logged on to another workstation, roaming profile get downloaded on his workstation from server, but changes made to profile on 1st computer will not be visible on 2nd computer.

Now whoever will logoff 1st, those changes will be stored on server copy and available for user if he logged on 3rd machine.


Author Closing Comment

by:Charlotte Ealick
ID: 39835385
Problem solved!  The detailed instructions have been very helpful for me!

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question