Solved

Problem Accessing Roaming Profiles

Posted on 2014-01-21
Last Modified: 2014-02-05
When some of our students log into our lab computers, they are getting an error message that Windows could not locate their roaming profile and they are being logged in with a temporary profile.  
We are running Active Directory on 2008 R2 servers.  We have been upgrading our lab computers from XP to Windows 7.  We have a handful of XP lab computers still to be updated.
I've noticed that the students who are able to log in successfully have two folders in the roaming profiles folder.  One with their username and one with .v2 after their username.  The students who are being logged in with a temporary profile do not have the .v2 profile folder.  
What do I need to do to fix this issue?  Thanks!
Question by:Charlotte Ealick
12 Comments
 
LVL 4

Expert Comment

by:vnicolae
ID: 39797546
I would start by checking the permissions at the Share and NTFS level. Are the users' roaming profiles created at first logon or are they pre-created by the administrators?

Also, check if the path specified for the profile in AD is correct in their configs.
0
 

Author Comment

by:Charlotte Ealick
ID: 39797837
The roaming profiles are created at first logon.
The path in the profile is correct.  (Although the profile path doesn't include .v2)
All the roaming profiles are located in one folder.  The file permissions for that roaming profile folder allow full access to the administrator group.  The permissions aren't inherited.  I am not able to view the permissions for the individual roaming profiles.
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39798063
Now if you try to cure permissions on the roaming profile base folder, you will need to set permissions for each folder and you will also need to take ownership, which can affect other roaming profiles on the share.
Instead you could set up a new root folder for Win7 roaming profiles as below.
Create a root folder called Win7Profiles and grant it share permissions as below:

Security group of users needing to put data on share OR authenticated users - Full Control

Security Permissions:
Creator Owner - Full Control, Subfolders and Files Only

Security group of users needing to put data on share OR authenticated users - List Folder/Read Data, Create Folders/Append Data - This Folder Only

Local System - Full Control, This Folder, Subfolders and Files

http://technet.microsoft.com/en-us/library/cc757013(WS.10).aspx

Also, do not forget to set a GPO on the OU containing the computers and set the "Add the Administrators security group to roaming user profiles" GPO setting under Computer Configuration\Administrative Templates\System\User Profiles.

Note: The policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time.
In the default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves file permissions.

Also, you don't need to worry: even if you change the roaming profile path on the server and in the AD properties of the users, it will create / copy the existing user local profile on the new share as the roaming profile.
Later on you can delete the old roaming profile folder from the old share by taking its ownership.

Hope that helps

Mahesh
0
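The NTFS permissions listed in the answer above, applied with PowerShell as an added example that is not part of the original thread. The local path `D:\Win7Profiles` is an assumption; the share permission is set separately, and the script is meant to run elevated on the file server against the new, empty root folder.

```powershell
# Added example. $Root is an assumed path for the new profile root folder.
$Root = 'D:\Win7Profiles'

# Well-known SIDs, so the script does not depend on localized account names.
$CreatorOwner = 'S-1-3-0'
$AuthUsers    = 'S-1-5-11'
$LocalSystem  = 'S-1-5-18'

function New-AllowRule([string]$Sid, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    $id = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $id, $Rights, $Inherit, $Propagate, 'Allow'
}

$acl = Get-Acl -Path $Root

# Do not inherit from the parent, and drop whatever was inherited.
$acl.SetAccessRuleProtection($true, $false)

# Remove explicit entries left on the folder so only the three below remain.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRuleSpecific($rule)
}

# Creator Owner: Full Control, subfolders and files only.
$acl.AddAccessRule((New-AllowRule $CreatorOwner 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'))
# Authenticated Users: List Folder/Read Data + Create Folders/Append Data, this folder only.
$acl.AddAccessRule((New-AllowRule $AuthUsers 'ListDirectory,CreateDirectories' 'None' 'None'))
# Local System: Full Control, this folder, subfolders and files.
$acl.AddAccessRule((New-AllowRule $LocalSystem 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))

Set-Acl -Path $Root -AclObject $acl

# Show the result so it can be compared with the list in the answer.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

With this ACL, each user can create exactly one level of folder under the root and becomes its owner; nobody can list or open another user's profile folder, and administrators get access only by taking ownership or through the GPO setting mentioned in the answer.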

 

Author Comment

by:Charlotte Ealick
ID: 39800417
Hello,
Thank you for this information.  After reading about roaming profiles, it looks like the preferred practice in some organizations is not to give access to administrators.  I'm not uncomfortable with not seeing their roaming profiles.  
I am concerned about some users being logged into a temporary profile.  Some users are being logged in properly to their roaming profile and some are getting a warning that they are logging into a temporary profile.  The roaming profiles for all students are in one folder, and I believe that the permissions for their individual profile folders would be the same.
All of the users who are being logged in properly (who are logging in from a Windows 7 machine) have a .v2 roaming profile.  None of the users who are being logged into a temporary profile have the .v2 roaming profile.
Is there something else I can try besides the permissions?
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39800834
You can delete the roaming user profile path from the user properties in AD and then allow the user to log in to the workstation.
Now he will / should get logged on with the local profile, which has the same contents as the roaming profile.
Now you can put the new roaming user profile path in the user properties as mentioned above and check if the new roaming profile gets created at the new location.
Because if a permissions issue exists on the server side, the user probably cannot create the roaming profile, it gets corrupted, and that causes a temp profile to be created.

Alternatively, you can take ownership of his old roaming profile folder only, grant the user explicit full control permissions with "replace child object permissions" in the advanced options on his profile folder, and check at the next logon if he gets the same profile.

Mahesh
0
 

Author Comment

by:Charlotte Ealick
ID: 39833044
Mahesh,
Thank you for your helpful and thorough instructions.  It has taken me a while to get back to you.  We were slowed down by snow and then I needed to be sure I understood your suggestions.  
After reading your information on the appropriate permissions, I realized that the permissions for our roaming profile folder do not include the user.  Only administrator accounts are granted permission to the actual folder.  
Rather than set up a new roaming profile folder, since my administrator account has full control of the current roaming profile folder, would it cause problems if I added a security permission for the authenticated users to give them the List Folder/Read Data, Create Folders/Append Data for that Folder only?  
The existing roaming profiles for each individual seem to be working properly.  The problem is with new users or with users who move from XP to Win7 and need the new .v2 profile.
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39833258
Actually, when you set the above permissions on the roaming profile root folder on the server, at the 1st attempt users will be able to create their roaming profile folders underneath the root folder, which grants them full control and ownership of their roaming profile folder.
Starting from Win Vista, MS has appended the .V2 extension to roaming profiles.
Starting from Win 8 I think it's changed to .V3; I have not tested it, but I have read it somewhere.
You can try adding the above permissions explicitly on the existing roaming profiles root folder. It should work.

But setting up a brand new roaming profile root folder with correct permissions is a very easy option. Computers will also save their profiles on the new path without any problem. Once all profiles have been migrated this way to the new folder, you can simply delete the old roaming profile folder.
I am just outlining the high-level steps below.

Remove the roaming profile path from 1 user object in Active Directory which is using a Win7 machine.
Ask the user to log on to the Win7 machine and ensure that he has got a local profile with all settings.
Open the registry on his machine, navigate to the ProfileList registry key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and ensure that the CentralProfile registry entry is empty / not there.
CentralProfile represents the roaming user profile path.

Now log off the user and enter the new roaming user profile path in the form of a variable in the AD user properties as below.
\\server1\UserProfiles\%username%
Now again ask the user to log on to the workstation and check if the roaming profile folder is created at the new location and the user has got his profile perfectly.
Also check if the CentralProfile registry key is created / pointing to the new profile path in the registry.

If the above idea works perfectly, you can remove the roaming profile path from all Win7 users in Active Directory, allow them to log in with local profiles for a day and then point their roaming profile folder to the new path the next day.

The same trick can be used for WinXP machines as well.

Mahesh
0
 

Author Comment

by:Charlotte Ealick
ID: 39833340
Although making a new roaming profile root folder makes sense, I think I will try changing permissions on the existing folder.
We have about 300 student users, so changing their profile in AD would be challenging.  Is there a way to use group policy to do this?
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39833512
You can try changing the permissions.

Actually, it's not challenging once you have created a new root folder for roaming profiles with appropriate permissions.

Try the below in phases.
Take a sample of 10 users.
After production hours, select all 10 users, right-click and go to Properties \ Profile tab, and remove the roaming profile path.
Allow the users to log on the next day with local profiles.
Now navigate to the 10 users' Properties \ Profile tab and enter \\server\profiles\%username% as the new profile path. This will populate the roaming profile path for all users in AD, and when a user logs on to a workstation the next day, their roaming profile will get created at the new path on the server.

Alternatively, you can use a GPO to achieve this, but it's not for users, it is for computers.
It means whoever logs on to that computer will get a roaming profile.
The setting can be found at Computer Configuration\Administrative Templates\System\User Profiles as "Set roaming profile path for all users logging on to this computer", and here you need to enter a path such as \\server\profiles\%username%
This policy needs to be applied to the OU containing the computer accounts.
Here is what you can do: create one global security group and add some sample computers (one / two) for testing. Now use Group Policy security filtering, remove Authenticated Users and add the above group there.
Remember, all computers in the group must reside in the OU / somewhere in a sub-OU underneath it; only then will the policy apply.
This will ensure that the policy will not apply to other computers in the OU, and once you have had success, add more computers to that group gradually.
Check the excellent article below.
http://www.grouppolicy.biz/tag/roaming-profile/

Mahesh
0
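The phased remove-then-repoint procedure from the two answers above, scripted with the ActiveDirectory module as an added example that is not part of the original thread. The OU distinguished name and the CSV location are assumptions; `\\server\profiles` is the path form used in the answer. Unlike the Profile tab in Active Directory Users and Computers, `Set-ADUser` stores the string as given, so the path is built per user instead of using `%username%`.

```powershell
# Added example. Run once with -Phase Clear after hours, then with -Phase Repoint
# after the users in the batch have logged on with local profiles.
param([ValidateSet('Clear', 'Repoint')][string]$Phase = 'Clear')

Import-Module ActiveDirectory

$SearchBase = 'OU=Students,DC=example,DC=edu'   # assumed OU holding the student accounts
$NewRoot    = '\\server\profiles'               # new profile root, as written in the answer
$BatchFile  = 'C:\Temp\profile-batch.csv'       # assumed file that records the current batch
$BatchSize  = 10                                # sample size suggested in the answer

if ($Phase -eq 'Clear') {
    # Users that still point at the old location: path is set and not under $NewRoot.
    $batch = Get-ADUser -SearchBase $SearchBase -Filter 'profilePath -like "*"' -Properties profilePath |
        Where-Object { $_.profilePath -notlike "$NewRoot\*" } |
        Select-Object -First $BatchSize

    # Record the old path first so the change can be rolled back per user.
    $batch | Select-Object SamAccountName, profilePath |
        Export-Csv -Path $BatchFile -NoTypeInformation

    $batch | Set-ADUser -Clear profilePath
}
else {
    # Point each user in the recorded batch at the new root.
    Import-Csv -Path $BatchFile | ForEach-Object {
        $newPath = "$NewRoot\$($_.SamAccountName)"
        Set-ADUser -Identity $_.SamAccountName -ProfilePath $newPath
    }
}

# Report the state of the current batch after either phase.
Import-Csv -Path $BatchFile | ForEach-Object {
    Get-ADUser -Identity $_.SamAccountName -Properties profilePath |
        Select-Object SamAccountName, profilePath
}
```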
 

Author Comment

by:Charlotte Ealick
ID: 39834041
Changing the permissions for that root folder only seems to have worked for now.  I  think I will follow your directions to set up a new roaming profile folder this summer when the students are away.
Thank you for sharing the link.  It is an excellent article, and the site looks very helpful.
May I ask one more question?  Is it possible for roaming profiles to become corrupted if a user fails to log off from a workstation and then logs into another workstation while still logged into the first?
0
 
LVL 37

Accepted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39834885
No, it will not corrupt roaming profiles stored on the server.

When a user logs on to a workstation for the 1st time, it will 1st create the roaming profile on the server.

Now if the user logs on to multiple computers, his roaming profile gets downloaded from the server to the new workstations, so if the user has not logged off on that workstation, any changes he made to the profile on that workstation will not get saved to the server copy.
If in the meantime the user also logs on to another workstation, the roaming profile gets downloaded to that workstation from the server, but changes made to the profile on the 1st computer will not be visible on the 2nd computer.

Now whichever session logs off 1st, those changes will be stored in the server copy and be available to the user if he logs on to a 3rd machine.

Mahesh
0
 

Author Closing Comment

by:Charlotte Ealick
ID: 39835385
Problem solved!  The detailed instructions have been very helpful for me!
0
