Re: Problem with roaming profiles




Hello,

Is there anything within the error log on the workstation?

Did you configure the Domain Policy (below) properly on the Server?

Within the DOMAIN POLICY on the Server: Computer Configuration =>
Administrative Templates => System => User Profiles => "Add The
Administrators Security Group To Roaming User Profiles" [=Enabled]

The policy update may take a little while to refresh, so to be safe,
you can force an immediate update: http://support.microsoft.com/kb/227302

Rather than fiddle around with permissions, if you were to now remove
the copy of the user's profile from the share on the server, it will be
created again (with the correct permissions) next time they log off.
You will now have administrative permissions.


HTH,
Stephen

On 30 May, 10:08, "Scott Ashton" <wib...@xxxxxxxxxx> wrote:
Many thanks for the reply,

I have followed these instructions EXACTLY and am still having trouble, any
ideas?

"Lanwench [MVP - Exchange]"<lanwe...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message

news:eflwIQhnHHA.1216@xxxxxxxxxxxxxxxxxxxxxxx



Scott Ashton <wib...@xxxxxxxxxx> wrote:

Hi, I set up some roaming profiles and the users' folders did not have
any permissions assigned to them but they worked fine. As I need to
be able to view files/folders within each users' folder I had to set
permissions to allow access which resulted in the roaming profiles
not being found at logon. I am familiar with assigning permissions
so cannot think what I may/may not have done. How can I make it
possible for these to work with permissions?

Many Thanks.

How did you create them? You should have set the GPO option to
automatically add the Administrators group to all profiles before creating
them. Once you've got inaccessible profile folders, what you need to do
is, take ownership as the Administrators group (*not* the Administrator
account), and then reset the NTFS permissions so that in each folder,
Administrators, System, and <username> have full control, and no more.

Here's my standard boilerplate on the topic -

General tips:

1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is not set
to allow offline files/caching!

2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and users=full
control.

3. In the users' ADUC properties, specify \\server\profiles$\%username% in
the profiles field

4. Have each user log into the domain once from their usual workstation
(where their existing profile lives) and log out. The profile is now
roaming.

5. If you want the administrators group to automatically have permissions
to the profiles folders, you'll need to make the appropriate change in
group policy. Look in computer configuration/administrative
templates/system/user profiles - there's an option to add administrators
group to the roaming profiles permissions.

Notes:

* Make sure users understand that they should never log into multiple
computers at the same time when they have roaming profiles (unless you
make the profiles mandatory by renaming ntuser.dat to ntuser.man so they
can't change them). Explain that the last one out wins, when it comes to
uploading the final, changed copy of the profile.

* Keep your profiles TINY. Redirect My Documents; usually best done to the
user's home directory on the server - either via group policy (folder
redirection) or manually (far less advisable). If you aren't going to also
redirect the desktop using policies, tell users that they are not to store
any files on the desktop or you will beat them with a stick. Big
profile=slow login/logout, and possible profile corruption.

* Note that user profiles are not compatible between different OS
versions, even between W2k/XP. Keep all your computers. Keep your
workstations as identical as possible - meaning, OS version is the same,
SP level is the same, app load is (as much as possible) the same.

* Do not let people store any data locally - all data belongs on the
server.

* The User Profile Hive Cleanup Utility should be running on all your
computers. You can download it here:
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-891...
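
A read-only audit of the permission layout described in this thread (each profile folder owned by the user or the Administrators group, with Administrators, System and the user holding full control and nothing else), as an added example that is not part of the original posts. D:\profiles is the post's example path; the EXAMPLE domain name and the handling of .V2-style folder suffixes are assumptions.

```powershell
# Added example (not from the thread). Run elevated on the file server.
$ProfileRoot = 'D:\profiles'   # local path behind profiles$ (the post's example)
$Domain      = 'EXAMPLE'       # placeholder NetBIOS domain name (assumption)

$sidType = [System.Security.Principal.SecurityIdentifier]
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$admins  = 'S-1-5-32-544'      # BUILTIN\Administrators (well-known SID)
$system  = 'S-1-5-18'          # NT AUTHORITY\SYSTEM (well-known SID)

Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    # Folder name is %username%; newer Windows versions append .V2, .V6, ...
    $user = $_.Name -replace '\.V\d+$', ''
    $row  = [ordered]@{ Folder = $_.Name; Status = 'OK'; Detail = '' }
    try {
        $account = [System.Security.Principal.NTAccount]"$Domain\$user"
        $userSid = $account.Translate($sidType).Value
        $acl     = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
    } catch {
        # Unknown account, or an admin locked out of the folder: the state the
        # thread fixes by taking ownership as the Administrators group.
        $row.Status = 'UNREADABLE'; $row.Detail = $_.Exception.Message
        return [pscustomobject]$row
    }

    $expected = @($admins, $system, $userSid)
    $rules    = @($acl.GetAccessRules($true, $true, $sidType))
    # Principals holding an Allow ACE that covers every FullControl bit
    $hasFull  = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        } | ForEach-Object { $_.IdentityReference.Value })
    $missing  = @($expected | Where-Object { $_ -notin $hasFull })
    $extra    = @($rules | ForEach-Object { $_.IdentityReference.Value } |
                  Where-Object { $_ -notin $expected } | Select-Object -Unique)
    $owner    = $acl.GetOwner($sidType).Value

    $problems = @()
    if ($owner -notin @($admins, $userSid)) { $problems += "owner=$owner" }
    if ($missing) { $problems += "no full control: $($missing -join ',')" }
    if ($extra)   { $problems += "unexpected: $($extra -join ',')" }
    if ($problems) { $row.Status = 'REVIEW'; $row.Detail = $problems -join '; ' }
    [pscustomobject]$row
} | Format-Table -AutoSize -Wrap
```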
