Re: Roaming Profiles - Access is Denied.
- From: "Merv Porter [SBS-MVP]" <mwport@xxxxxxxxxxxxxxxxxxx>
- Date: Thu, 19 Oct 2006 18:27:42 -0400
Please post an ipconfig /all for the server and for a workstation.
What make/model router are you using?
Is this SBS 2003 (Premium, Standard, SP1, R2; ISA 2000, ISA 2004)?
Here's what I have from my notes the last time I set up roaming profiles for
a client (SBS 2003 Premium, ISA 2000, no SP1). You should also be using
folder redirection for the My Documents folder for each Roaming user because
you don't want to have the My Docs folder being copied to and from the
server at login/logoff (may produce slow login). I normally take ownership
of all folders so that a domain admin has access to all user's folders on
the server (i.e., so that admins are not blocked from viewing the folders).
(If anyone sees any glaring errors, omissions or unsafe practices, feel free
to comment).
---------------------------------------------------------------------
NOTE: Use a combination of Folder Redirection and Roaming Profiles to
reduce the logon/logoff times.
FOLDER REDIRECTION FOR ROAMING PROFILE USERS
1. Create a security group called "FolderRedirects" and add the roaming
users to it (plus anyone else who should use My Documents folder
redirection - usually users with non-dedicated computers). DO NOT include
any domain admins in this security group if you don't want their folders
redirected
2. Default domain group policy | Edit | User Configuration | Windows
Settings | Folder Redirection | My Documents | Properties | Target tab |
Advanced - "Specify locations for various user groups"
Add | Security Group Membership: FolderRedirects
Target Folder Location: "Create a folder for each user under the root path"
Root Path: \\server1\Users
OK
3. Settings (checkmark): Move.; Redirect the folder back.\; Make My
Pictures.
4. Uncheck: Grant the user exclusive rights.
5. Repeat for Application and Desktop EXCEPT: (this is for Roaming
Profiles)
Root Path: \\server1RProfiles
6. Close Group Policy
7. At a command prompt: gpupdate /force
ROAMING PROFILE SETUP
1. Create a security group called "RoamingUsers" and add the roaming users
to it. (Add Domain admins to this group to give them access to the roaming
profiles shared folder that is created next).
2. Create a (hidden) share named: RProfiles$
Sharing Permissions: Everyone - FULL
Sharing Offline Settings: (only one checked) Files or programs from the
share will not be available offline
Security Permissions: Administrators, SYSTEM, Users, RoamingUsers - FULL
Advanced: Allow inheritable permissions.
Advanced: Take ownership by Administrators or Dailyadmin
3. In each user's ADUC properties, specify:
\\server1\RProfiles$\%username% in the profiles field
4. Redirect Application Data and Desktop for Roaming Profile users
Default domain group policy | Edit | User Configuration | Windows Settings |
Folder Redirection | Application Data | Properties | Target tab | Advanced -
"Specify locations for various user groups"
Add | Security Group Membership: RoamingUsers
Target Folder Location: "Create a folder for each user under the root path"
Root Path: \\server1RProfiles
OK
5. Settings (checkmark): Move.; Redirect the folder back.\; Make My
Pictures.
6. Uncheck: Grant the user exclusive rights.
7. Repeat for Desktop
8. Close Group Policy
9. At a command prompt: gpupdate /force
10. Have each user log into the domain once from their usual workstation
(where their existing profile lives) and log out. The profile is now
roaming.
11. After a login by the roaming profile user you may want to STOP offline
folder synchronization at logoff on each computer and for each profile:
Open My Documents | Tools | Folder Options | Offline Files | uncheck "Enable
Offline Files"
NOTE: Make sure users understand that they should never log into multiple
computers at the same time when they have roaming profiles (unless you make
the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't
change them). Explain that the last one out wins, when it comes to uploading
the final, hanged copy of the profile. Also, do not store ANYTHING on the
desktop as this may increase logon/logoff times dramatically.
PERMISSIONS
Folder Redirection and Roaming Profiles
Roaming Profiles folder. Adjust permissions:
Administrators, Domain Admins, System, RoamingUsers - FULL CONTROL
Users - Read & Execute, List, Read
Users Shared Folders. Adjust permissions:
Administrators, Domain Admins, System, (specific user)- FULL CONTROL
Folders will be created inside the User Shared Folders and the RPRofile
folder. The folder inside each User Shared folder will be called My
Documents and that inside the Profiles folder will be called: %username%
(the logon name of the user). Access will only be available to the specific
user. To grant access to the domain admins group, take ownership of each
folder and subfolders:
Roaming Profile users.
RProfiles folder Security tab
Advanced
Owner
(highlight) Administrators group
(checkmark) "replace owner on subcontainers and objects"
OK
Security tab
Advanced
Permissions
(checkmark) "Allow inheritable."
(checkmark) "Replace permission entries."
OK
Folder Redirects users (includes Roaming Profile users).
User Shared Folders | (each user's folder) | Security tab
Advanced
Owner
(highlight) Administrators group
(checkmark) "replace owner on subcontainers and objects"
OK
Security tab
Advanced
Permissions
(checkmark) "Allow inheritable."
(checkmark) "Replace permission entries."
OK
---------------------------------------------------------------------
--
Merv Porter [SBS-MVP]
============================
"b.leddon" <bleddon@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1612C175-79C5-4CDD-92F4-BBB14DC31C33@xxxxxxxxxxxxxxxx
These are on wired connections.
I have disabled OneCare. No change.
The roaming profiles worked at one time, I don't know what changed. The
only
user the roaming profiles work for is me, and I belong to the
Administrators
and Domain Admins groups.
I followed a process like this one:
http://support.microsoft.com/?id=316353
I went through my steps again with another roaming profiles walkthrough on
this newsgroup (but for the life of me can't find it at this moment.)
I have had a few funky issues so far, and have only had my SBS running
since
July.
1) Any users I created before setting up RWW cannot use RWW. Similar to
this
thread:
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/228abb0a3a8db57b/6d8559f5a18d813d?lnk=gst&q=rww+&rnum=10#6d8559f5a18d813d
2) Users that can get into RWW cannot use the "Connect to my computer at
work". I've scoured the newsgroups, read all of Microsofts KB articles,
and
in all theory it should work fine. But it doesn't. Similar to this thread:
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/f32e8a777e1b4c3a/5c7eb8aa99370b45?lnk=st&q=rww+cannot+connect+work&rnum=3#5c7eb8aa99370b45
Man, I feel like I just can't get anything to work. Ugh.
"Merv Porter [SBS-MVP]" wrote:
These are hard-wired connection and not wireless, right?
Have you tried disabling OneCare?
Does Roaming Profiles work for any user?
What procedure did you follow to set up roaming profiles on the server?
--
Merv Porter [SBS-MVP]
.
- Follow-Ups:
- Re: Roaming Profiles - Access is Denied.
- From: b.leddon
- Re: Roaming Profiles - Access is Denied.
- References:
- Re: Roaming Profiles - Access is Denied.
- From: Merv Porter [SBS-MVP]
- Re: Roaming Profiles - Access is Denied.
- From: Merv Porter [SBS-MVP]
- Re: Roaming Profiles - Access is Denied.
- Prev by Date: Re: ISA2004 - Firewall Client
- Next by Date: Re: Help with AD issue
- Previous by thread: Re: Roaming Profiles - Access is Denied.
- Next by thread: Re: Roaming Profiles - Access is Denied.
- Index(es):
Relevant Pages
|
