Re: Problem with roaming profiles



Scott Ashton <wibble@xxxxxxxxxx> wrote:
Many thanks for the reply,

I have followed these instructions EXACTLY and am still having
trouble, any ideas?

So, verify the permissions, while everyone's logged out:

At the parent profile folder, share permissions = Everyone, full control
At the parent profile folder, Administrators is the owner (not the
individual Administrator or anything)
At the parent profile folder, untick the inheritance options/copy
Make sure Administrators + System have full control, and force the
permissions down the tree; make sure the subfolders inherit the permissions
At each user's profile folder, add the individual user with full control
(Administrators & System should already have this there) and push the
settings down/inherited

If all this is done, it isn't a permissions issue.

Check the event logs on the workstation, and event logs....



"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:eflwIQhnHHA.1216@xxxxxxxxxxxxxxxxxxxxxxx
Scott Ashton <wibble@xxxxxxxxxx> wrote:

Hi, I setup some roaming profiles and the users' folders did not
have any permissions assigned to them but they worked fine. As I
need to be able to view files/folders within each users' folder I
had to set permissions to allow access which resulted in the
roaming profiles not being found at logon. I am familiar with
assigning permissions so cannot think what I may/may not have done.
How can I make it possible for these to work with permissions?

Many Thanks.

How did you create them? You should have set the GPO option to
automatically add the Administrators group to all profiles before
creating them. Once you've got inaccessible profile folders, what
you need to do is, take ownership as the Administrators group (*not*
the Administrator account), and then reset the NTFS permissions so
that in each folder, Administrators, System, and <username> have
full control, and no more. Here's my standard boilerplate on the topic -

General tips:

1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is
not set to allow offline files/caching!

2. Make sure the share permissions on profiles$ indicate
everyone=full control. Set the NTFS security to administrators,
system, and users=full control.

3. In the users' ADUC properties, specify
\\server\profiles$\%username% in the profiles field

4. Have each user log into the domain once from their usual
workstation (where their existing profile lives) and log out. The
profile is now roaming.

5. If you want the administrators group to automatically have
permissions to the profiles folders, you'll need to make the
appropriate change in group policy. Look in computer
configuration/administrative templates/system/user profiles -
there's an option to add administrators group to the roaming
profiles permissions.

Notes:

* Make sure users understand that they should never log into multiple
computers at the same time when they have roaming profiles (unless
you make the profiles mandatory by renaming ntuser.dat to ntuser.man
so they can't change them). Explain that the last one out wins, when
it comes to uploading the final, changed copy of the profile.

* Keep your profiles TINY. Redirect My Documents; usually best done
to the user's home directory on the server - either via group policy
(folder redirection) or manually (far less advisable). If you aren't
going to also redirect the desktop using policies, tell users that
they are not to store any files on the desktop or you will beat them
with a stick. Big profile=slow login/logout, and possible profile
corruption.

* Note that user profiles are not compatible between
different OS versions, even between W2k/XP. Keep all your computers.
Keep your workstations as identical as possible - meaning, OS
version is the same, SP level is the same, app load is (as much as
possible) the same.

* Do not let people store any data locally - all data belongs on the
server.

* The User Profile Hive Cleanup Utility should be running on all your
computers. You can download it here:
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
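
The per-folder check described in this thread (Administrators group as owner; Administrators, System and the user with full control, and no more), as an added read-only PowerShell audit that is not part of the original posts. It assumes the share root is D:\profiles as in the boilerplate, that each folder is named after its user, and that it runs elevated on the file server; the parameter names are hypothetical.

```powershell
# Added example: read-only audit of roaming-profile folder ACLs. Changes nothing.
# Assumptions: $ProfileRoot is the folder behind profiles$ (d:\profiles on the page)
# and each subfolder is named after its user (\\server\profiles$\%username%).
param(
    [string]$ProfileRoot = 'D:\profiles',
    [string]$Domain      = $env:USERDOMAIN
)

$SidType   = [System.Security.Principal.SecurityIdentifier]
$AdminSid  = 'S-1-5-32-544'   # BUILTIN\Administrators (the group, not the Administrator account)
$SystemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$Full      = [System.Security.AccessControl.FileSystemRights]::FullControl

Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    $problems = @()
    $acl = Get-Acl -LiteralPath $_.FullName

    # Resolve the account the folder is named after; an orphaned folder is a finding.
    $userSid = $null
    try {
        $account = New-Object System.Security.Principal.NTAccount($Domain, $_.Name)
        $userSid = $account.Translate($SidType).Value
    } catch {
        $problems += "no account $Domain\$($_.Name)"
    }

    # Owner must be the Administrators group.
    if ($acl.GetOwner($SidType).Value -ne $AdminSid) {
        $problems += "owner is $($acl.Owner)"
    }

    # Compare by SID so localized or renamed group names do not matter.
    $rules     = @($acl.GetAccessRules($true, $true, $SidType))
    $allowFull = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $Full) -eq $Full
        } | ForEach-Object { $_.IdentityReference.Value })
    $expected  = @($AdminSid, $SystemSid, $userSid) | Where-Object { $_ }

    foreach ($sid in $expected) {
        if ($allowFull -notcontains $sid) { $problems += "no full control for $sid" }
    }
    # "And no more": any other trustee on the folder is reported.
    $rules | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique |
        Where-Object { $expected -notcontains $_ } |
        ForEach-Object { $problems += "unexpected entry for $_" }

    [pscustomobject]@{ Folder = $_.Name; OK = ($problems.Count -eq 0); Problems = $problems -join '; ' }
}
```

Folders reported with `OK = False` are the ones to fix by taking ownership as the Administrators group and resetting permissions as described above.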


