Group Policy Roaming Profiles Issues

I have enabled roaming profiles via GPO (Computer configuration > Admin templates > System > User Profiles > Set roaming profile path). I have applied the GPO to the OU of users and the OU of computers that I want it applied to.

I have a shared folder on a server with full share and NTFS permissions given to all domain users.

However I'm running into a problem.. When I log into a computer as a user that is in the OU the GPO is applied to, it is not logging in with a roaming profile. If I right click documents and click properties, it shows to be a local user profile.. however... on the server with the shared folder I set up for the roaming profiles, it creates a user profile directory.

It's like the group policy for roaming profiles is working since it's creating user directories on the server for the path I specified, but the computers themselves aren't taking the policy?

What gives? FYI the workstations are Windows 7 and the servers are Win2k8r2
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Satheesh AgatheeswaranIT ManagerCommented:
Try adding a GPO to disable local system Firewall. Also try logging off the user and re-login.
If you are using more than one DC, ensure the replication is performed and GPO  user & computer configurations are updated.
If you are still having the issues, use RSoP to detect the cause of the issue
bsidfwAuthor Commented:
I added the disable firewall rule. I have also rebooted and added 5 other new users to test with and I'm still having the same issue. We have 2 DCs, both are replicated.
bsidfwAuthor Commented:
Also just a note, I know the group policy is being applied because various other settings from that policy are working properly on the computers (Unable to access control panel, set wallpaper, ect) The roaming profile part of the policy is the only thing not working properly.
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Satheesh AgatheeswaranIT ManagerCommented:
Have you checked the Folder permissions on the Profiles, The ownership of the folders needs to be the users and not administrators
VB ITSSpecialist ConsultantCommented:
That's not necessarily correct Satheesh. I have this Policy working perfectly fine when the owner is set to 'Administrators'.

bsidfw: Is the Group Policy applying to Authenticated Users in the Security Filtering section?
bsidfwAuthor Commented:
VB ITS: Yes, the group policy is applied to authenticated users and domain users in the security filtering section. In the link section, it is applied to the OU of users  I want the policy applied to as well as the OU of computers I want the policy applied to.

Still, the machines are not using roaming profiles.. If I right click the documents folder and click properties, the path is showing to be on the local machine, not the server.
VB ITSSpecialist ConsultantCommented:
Create a new policy with JUST this setting enabled, then create a test OU. Move a test PC into this test OU then try logging in with your test account. There's no need to move the user into this OU as it's a computer level policy. Run gpupdate /target:computer or reboot the PC (depending on your AD structure), then test it out.

You can use the command gpresult /r to verify if the test policy is applying or not. Let me know how you go with the testing.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bsidfwAuthor Commented:

I have done as you asked.. I created a new OU called Test OU. I moved one PC into that OU. I created a new GPO object called "Roaming Profiles" with JUST roaming profiles enabled and mapped the path to the server of where the roaming profiles should be saving to. I applied the new GPO to the new OU (Test OU). I created a new AD account and logged into the computer that I moved into that test OU.

The profile is still local, the one new thing is I am getting a message saying I am logged in with a temporary profile now. That wasn't happening before.

Again, it created a user profile folder on the server I specified with the new roaming profile GPO. So it appears the policy is creating roaming user profiles, but its not actually using the roaming profile.

Here is the output of the gpresult /r command on the computer I am testing with:

C:\Users\TEMP.ABR.001>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.
Copyright (C) Microsoft Corp. 1981-2001

Created On 10/13/2014 at 2:15:53 PM

RSOP data for ABR\kennytest2 on ABA-AGENT3 : Logging Mode

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             \\\kennytest2.V2
Local Profile:               C:\Users\TEMP.ABR.001
Connected over a slow link?: No

    CN=kenny test2,OU=Agents,OU=ABR Users,DC=abr,DC=local
    Last time Group Policy was applied: 10/13/2014 at 2:12:59 PM
    Group Policy was applied from:      DC02.abr.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        ABR
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
        Domain Users
        NT AUTHORITY\Authenticated Users
        This Organization
        Medium Mandatory Level

VB ITSSpecialist ConsultantCommented:
OK we're making some progress at least. Next thing to check is the Event Log on the test PC. Check the Application Log and set the Filter to show only Errors, Warnings and Critical events. We're mainly interested in the User Profile Service related errors/warnings.

As for the gpresult command, I forgot to say that you will need to run the Command Prompt as an Administrator to be able to see the Computer level policies applying.
bsidfwAuthor Commented:

Here we go! There are indeed errors.. There's a couple of different ones.

Event ID 1521
Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights.

 DETAIL - The network name cannot be found.

Event ID 1511
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Event ID 1530
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  

 1 user registry handles leaked from \Registry\User\S-1-5-21-1970138822-2916252931-2279090805-1871:
Process 3144 (\Device\HarddiskVolume3\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1970138822-2916252931-2279090805-1871

So this appears to be a security settings or permissions related. What's weird is, I can browse through Windows Explorer to the roaming profile folder of the user I'm logged in as on the remote server just fine. If there were a permissions issue, I wouldn't be able to get that far, correct? Also, running the gpresult /r command shows that the "Roaming Profiles" GPU is infact applied to that computer.

Thank you for your continued support by the way, I really appreciate it so much.
bsidfwAuthor Commented:
Also, here are the NTFS permissions to the roaming profile folder on the remote server for this test user.

One note which may or may not be related is domain users are being given full access to my test profiles.. that shouldn't be happening, should it?

VB ITSSpecialist ConsultantCommented:
No worries, I deal with roaming profile issues on a daily basis so this is just second nature to me really.

Can you please take a screenshot of the permissions on the UserProfiles share?
bsidfwAuthor Commented:
You bet!

VB ITSSpecialist ConsultantCommented:
Sorry, not the permissions for the folder but for the UserProfiles share.

Click on the Sharing tab > Advanced Sharing... > Permissions > screenshot this window.
bsidfwAuthor Commented:
Whoops, here you go. I should mention that roaming profiles were working before but for one reason or another stopped working a few days ago. After disjoining and rejoining a few machines to the domain and rebooting DC's with no luck, I deleted the policy and created it from scratch after I ran out of ideas and here we are. So the folder permissions and everything were working before at one time. I'm not sure what happened.

VB ITSSpecialist ConsultantCommented:
I guess the last thing we need to check is the actual Group Policy setting itself. Can you please show me the value for the roaming profile path?
bsidfwAuthor Commented:
Here you go.. I mapped it by IP just to take out the possibly of any DNS issues..

VB ITSSpecialist ConsultantCommented:
Doesn't look quite right there - looks like the UserProfiles share isn't in that path. Is that intended?

i.e. the roaming profile path (for me at least) should be \\FS01\UserProfiles\%USERNAME%
bsidfwAuthor Commented:
Whoops, what a bonehead mistake. That has been fixed and guess what? EVERYTHING WORKS! Thank you for your continued support on helping me get this working!

The incorrect path wasn't the real issue I swear. I think I was just beginning to make stupid mistakes from working on this for so long. I think the real factor here was creating a separate GPO for the roaming profiles on their own and having an additional GPO for everything else.

Thank you VB ITS!!
bsidfwAuthor Commented:
Thank you VB ITS, you're awesome!
VB ITSSpecialist ConsultantCommented:
Not a problem bsidfw! Glad we got there in the end :)

The incorrect path wasn't the real issue I swear. I think I was just beginning to make stupid mistakes from working on this for so long.
Don't worry, it's happened to all of us, myself included!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.