Solved

Group Policy Roaming Profiles Issues

Posted on 2014-10-09
Last Modified: 2014-10-14
I have enabled roaming profiles via GPO (Computer configuration > Admin templates > System > User Profiles > Set roaming profile path). I have applied the GPO to the OU of users and the OU of computers that I want it applied to.

I have a shared folder on a server with full share and NTFS permissions given to all domain users.

However I'm running into a problem.. When I log into a computer as a user that is in the OU the GPO is applied to, it is not logging in with a roaming profile. If I right click documents and click properties, it shows to be a local user profile.. however... on the server with the shared folder I set up for the roaming profiles, it creates a user profile directory.

It's like the group policy for roaming profiles is working since it's creating user directories on the server for the path I specified, but the computers themselves aren't taking the policy?

What gives? FYI the workstations are Windows 7 and the servers are Win2k8r2
0
Question by:bsidfw
21 Comments
 
LVL 2

Expert Comment

by:Satheesh Agatheeswaran
ID: 40372264
Try adding a GPO to disable local system Firewall. Also try logging off the user and re-login.
If you are using more than one DC, ensure the replication is performed and GPO user & computer configurations are updated.
If you are still having the issues, use RSoP to detect the cause of the issue.
0
 
LVL 4

Author Comment

by:bsidfw
ID: 40372280
I added the disable firewall rule. I have also rebooted and added 5 other new users to test with and I'm still having the same issue. We have 2 DCs, both are replicated.
0
 
LVL 4

Author Comment

by:bsidfw
ID: 40372295
Also just a note, I know the group policy is being applied because various other settings from that policy are working properly on the computers (unable to access control panel, set wallpaper, etc.). The roaming profile part of the policy is the only thing not working properly.
0
 
LVL 2

Expert Comment

by:Satheesh Agatheeswaran
ID: 40372310
Have you checked the folder permissions on the profiles? The ownership of the folders needs to be the users and not administrators.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40372347
That's not necessarily correct Satheesh. I have this Policy working perfectly fine when the owner is set to 'Administrators'.

bsidfw: Is the Group Policy applying to Authenticated Users in the Security Filtering section?
0
 
LVL 4

Author Comment

by:bsidfw
ID: 40374039
VB ITS: Yes, the group policy is applied to authenticated users and domain users in the security filtering section. In the link section, it is applied to the OU of users I want the policy applied to as well as the OU of computers I want the policy applied to.

Still, the machines are not using roaming profiles.. If I right click the documents folder and click properties, the path is showing to be on the local machine, not the server.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40375594
Create a new policy with JUST this setting enabled, then create a test OU. Move a test PC into this test OU then try logging in with your test account. There's no need to move the user into this OU as it's a computer level policy. Run gpupdate /target:computer or reboot the PC (depending on your AD structure), then test it out.

You can use the command gpresult /r to verify if the test policy is applying or not. Let me know how you go with the testing.
0
 
LVL 4

Author Comment

by:bsidfw
ID: 40377996
VB ITS:

I have done as you asked.. I created a new OU called Test OU. I moved one PC into that OU. I created a new GPO object called "Roaming Profiles" with JUST roaming profiles enabled and mapped the path to the server of where the roaming profiles should be saving to. I applied the new GPO to the new OU (Test OU). I created a new AD account and logged into the computer that I moved into that test OU.

The profile is still local, the one new thing is I am getting a message saying I am logged in with a temporary profile now. That wasn't happening before.

Again, it created a user profile folder on the server I specified with the new roaming profile GPO. So it appears the policy is creating roaming user profiles, but it's not actually using the roaming profile.

Here is the output of the gpresult /r command on the computer I am testing with:

C:\Users\TEMP.ABR.001>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.
Copyright (C) Microsoft Corp. 1981-2001

Created On 10/13/2014 at 2:15:53 PM


RSOP data for ABR\kennytest2 on ABA-AGENT3 : Logging Mode
----------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   N/A
Roaming Profile:             \\192.168.20.7\kennytest2.V2
Local Profile:               C:\Users\TEMP.ABR.001
Connected over a slow link?: No


USER SETTINGS
--------------
    CN=kenny test2,OU=Agents,OU=ABR Users,DC=abr,DC=local
    Last time Group Policy was applied: 10/13/2014 at 2:12:59 PM
    Group Policy was applied from:      DC02.abr.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        ABR
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        ComputerLockdown

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Medium Mandatory Level

C:\Users\TEMP.ABR.001>
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40378760
OK we're making some progress at least. Next thing to check is the Event Log on the test PC. Check the Application Log and set the Filter to show only Errors, Warnings and Critical events. We're mainly interested in the User Profile Service related errors/warnings.

As for the gpresult command, I forgot to say that you will need to run the Command Prompt as an Administrator to be able to see the Computer level policies applying.
0
 
LVL 4

Author Comment

by:bsidfw
ID: 40379076
VB ITS:

Here we go! There are indeed errors.. There's a couple of different ones.

Event ID 1521
Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights.

 DETAIL - The network name cannot be found.

Event ID 1511
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Event ID 1530
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  

 DETAIL -
 1 user registry handles leaked from \Registry\User\S-1-5-21-1970138822-2916252931-2279090805-1871:
Process 3144 (\Device\HarddiskVolume3\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1970138822-2916252931-2279090805-1871





So this appears to be security settings or permissions related. What's weird is, I can browse through Windows Explorer to the roaming profile folder of the user I'm logged in as on the remote server just fine. If there were a permissions issue, I wouldn't be able to get that far, correct? Also, running the gpresult /r command shows that the "Roaming Profiles" GPO is in fact applied to that computer.

Thank you for your continued support by the way, I really appreciate it so much.
0
 
LVL 4

Author Comment

by:bsidfw
ID: 40379083
Also, here are the NTFS permissions to the roaming profile folder on the remote server for this test user.

One note which may or may not be related is domain users are being given full access to my test profiles.. that shouldn't be happening, should it?

permissions.PNG
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40379177
No worries, I deal with roaming profile issues on a daily basis so this is just second nature to me really.

Can you please take a screenshot of the permissions on the UserProfiles share?
0
 
LVL 4

Author Comment

by:bsidfw
ID: 40379181
You bet!

permissions2.PNG
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40379195
Sorry, not the permissions for the folder but for the UserProfiles share.

Click on the Sharing tab > Advanced Sharing... > Permissions > screenshot this window.
0
 
LVL 4

Author Comment

by:bsidfw
ID: 40379759
Whoops, here you go. I should mention that roaming profiles were working before but for one reason or another stopped working a few days ago. After disjoining and rejoining a few machines to the domain and rebooting DCs with no luck, I deleted the policy and created it from scratch after I ran out of ideas and here we are. So the folder permissions and everything were working before at one time. I'm not sure what happened.

permissions.PNG
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40379886
I guess the last thing we need to check is the actual Group Policy setting itself. Can you please show me the value for the roaming profile path?
0
 
LVL 4

Author Comment

by:bsidfw
ID: 40380005
Here you go.. I mapped it by IP just to take out the possibility of any DNS issues..

perm2.PNG
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40380016
Doesn't look quite right there - looks like the UserProfiles share isn't in that path. Is that intended?

i.e. the roaming profile path (for me at least) should be \\FS01\UserProfiles\%USERNAME%
0
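
The two checks this thread relied on, written as PowerShell (an added example, not posted by any participant): confirming that the roaming profile path has the \\server\share\folder shape, and pulling User Profile Service events 1511, 1521 and 1530 from the Application log. The function names are hypothetical, and the sample paths are constructed from values quoted in the thread.

```powershell
# Added example; function names are hypothetical, not from the thread.
function Test-RoamingProfilePath {
    param(
        [Parameter(Mandatory = $true)][string]$Path,  # value from the GPO setting
        [string]$UserName = $env:USERNAME,
        [switch]$CheckShare                           # also probe \\server\share
    )
    # Expand %USERNAME% as happens at logon (Windows 7 then appends .V2).
    $expanded = $Path -replace '%USERNAME%', $UserName
    $result = New-Object PSObject -Property @{
        Path = $expanded; Server = $null; Share = $null; Problem = $null
    }
    if (-not $expanded.StartsWith('\\')) {
        $result.Problem = 'Not a UNC path'
        return $result
    }
    $parts = @($expanded.TrimStart('\').Split('\') | Where-Object { $_ })
    if ($parts.Count -ge 1) { $result.Server = $parts[0] }
    if ($parts.Count -ge 2) { $result.Share = $parts[1] }
    if ($parts.Count -lt 3) {
        # With only \\server\name, "name" is parsed as the share itself, which
        # fits the "network name cannot be found" detail of event 1521.
        $result.Problem = 'Expected \\server\share\folder; a component is missing'
    }
    elseif ($CheckShare -and -not (Test-Path "\\$($parts[0])\$($parts[1])")) {
        $result.Problem = 'Share root is not reachable from this machine'
    }
    return $result
}

function Get-ProfileLogonEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        Id           = 1511, 1521, 1530      # the IDs quoted in the thread
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Constructed inputs: the first mirrors the share-less shape gpresult reported,
# the second is the form given in the reply above.
'\\192.168.20.7\%USERNAME%', '\\FS01\UserProfiles\%USERNAME%' | ForEach-Object {
    Test-RoamingProfilePath -Path $_ -UserName 'kennytest2'
}
Get-ProfileLogonEvents -Hours 24
```

Run it from an elevated prompt on the affected workstation; add -CheckShare only when the file server is expected to be reachable, since the probe waits on the network.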
 
LVL 4

Author Comment

by:bsidfw
ID: 40381426
Whoops, what a bonehead mistake. That has been fixed and guess what? EVERYTHING WORKS! Thank you for your continued support on helping me get this working!

The incorrect path wasn't the real issue I swear. I think I was just beginning to make stupid mistakes from working on this for so long. I think the real factor here was creating a separate GPO for the roaming profiles on their own and having an additional GPO for everything else.

Thank you VB ITS!!
0
 
LVL 4

Author Closing Comment

by:bsidfw
ID: 40381428
Thank you VB ITS, you're awesome!
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40381429
Not a problem bsidfw! Glad we got there in the end :)

"The incorrect path wasn't the real issue I swear. I think I was just beginning to make stupid mistakes from working on this for so long."
Don't worry, it's happened to all of us, myself included!
0
