Re: Please help, used folder redirection, now roaming profiles wont wo
- From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 9 Feb 2009 13:52:58 -0500
Keith <Keith@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Hello,
> Saturday I decided to try and used the redirect folders option so my
> users could hopefully log on and off quicker.
You mean "more quickly," but yes, I follow. For what it's worth, I think you
should always set up your own GPO(s) for folder redirection instead of
using the built-in one via the checkbox.
> I read an article that
> said it would be a good idea to change the permissions for "users" to
> deny access so everyone could not look at each other's profiles. So
> I did just that. Some of the profiles did not have the word "user"
> in the security options, so I added "users" and denied them access.
Don't use Deny.
Where are your profiles? \\server\profiles$ is what I use - usually
e:\profiles on the server.
The basics of profile folder permissions:
The share needs to be wide open. Perms=Everyone, Full Control.
You must disable offline caching in the share properties.
The NTFS permissions for the parent folder should be Administrators & System
= Full Control.
For each *subfolder* that gets created (automatically when the user logs
in!), you should see Administrators, System, and User = Full Control. That's
it.
Make sure the owner is either the user himself or the group Administrators
(not Administrator).
I'd reset all of these folders to make sure they're kosher. If you have too
many to do manually, you could use xcacls.vbs - and there's a GUI you can
download for that somewhere. But in SBS land it's usually easy enough to do
them by hand. Make sure inheritance is deselected from the parent (choose
Copy rather than Remove), and then fix the NTFS permissions & re-set
inheritance on the child folders.
> Then, I tried to redirect the application data, desktop, my documents
> and start menu.
To where? I use "Basic - redirect everyone to the same location" and choose
\\server\users as the root. So you end up with \\server\users\username\My
Documents, \Desktop, \Application Data. I do not redirect Start Menu (I
wouldn't do this unless all PCs are identical in terms of software load).
> I used the basic option, redirect everyone's folder
> to the same location, and also checked the option of "redirect the
> folder back to the local user profile location when policy is
> removed" option.
That's all good.
> Well, the procedure never did redirect anything, so I decided to just
> set the option back to "not configured". Now, my users can't connect
> to the roaming profiles set up.
Profiles and redirection aren't related - although they're good to use
together. Uncouple these issues in your mind. First fix one, and then the
other. My boilerplate on roaming profiles is at the bottom.
> I did delete the "user" option to
> the ones I added, and denied access and still no go. The profiles
> data is still there, but some way the permissions have changed. I
> checked a backup file, and the place where it says "Inherited From",
> the older backup copy that worked fine says "Inherited from c:
> profiles". The current profile says "not inherited".
> I'm not very good at setting advanced permissions, but I checked all
> the permissions and the user, and system has full access. But when a
> user tries to log on, they get an error saying the server cannot copy
> certain files, and also the server cannot locate the user's profile.
> If anyone can help me, I would REALLY appreciate it. Oh, I copied my
> last backup copy of a user to the profile, and that user can log on,
> and off just fine. So I know it's a permission setting, but I'm not
> sure what to change, or what the default permissions are for a user's
> profile. Thank you in advance!!!
********************
General tips:
1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is *not* set
to allow offline files/caching! (that's on by default - disable it)
2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and users=full
control.
3. In the users' ADUC properties, specify \\server\profiles$\%username% in
the profiles field
4. Have each user log into the domain once - if this is an existing user
with a profile you wish to keep, have them log in at their usual
workstation and log out. The profile is now roaming.
5. If you want the administrators group to automatically have permissions to
the profiles folders, you'll need to make the appropriate change in group
policy. Look in computer configuration/administrative templates/system/user
profiles - there's an option to add administrators group to the roaming
profiles permissions. Do this *before* the users' roaming profile folders
are created - it isn't retroactive.
********************
Notes:
Make sure users understand that they should not log into multiple computers
at the same time when they have roaming profiles (unless you make the
profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change
them, which has major disadvantages). Explain that the 'last one out wins'
when it comes to uploading the final, changed copy of the profile. If you
want to restrict multiple simultaneous network logins, look at LimitLogon
(too much overhead for me), or this:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768
********************
Keep your profiles TINY. Via group policy, you should be redirecting My
Documents (at the very least) - to a subfolder of the user's home directory
or user folder. Also consider redirecting Desktop & Application Data
similarly..... so the user will end up with:
\\server\users\%username%\My Documents,
\\server\users\%username%\Desktop,
\\server\users\%username%\Application Data.
[Alternatively, just manually re-target My Documents to
\\server\users\%username% (this is not optimal, however!)]
You should use folder redirection even without roaming profiles, but it's
especially critical if you *are* using them.
If you aren't going to also redirect the desktop using policies, tell users
that they are not to store any files on the desktop or you will beat them
with a stick. Big profile=slow login/logout, and possible profile corruption.
********************
Note that user profiles are not compatible between different OS versions,
even between W2k/XP. Keep all your computers. Keep your workstations as
identical as possible - meaning, OS version is the same, SP level is the
same, app load is (as much as possible) the same.
*********************
If you also have Terminal Services users, make sure you set up a different
TS profile path for them in their ADUC properties - e.g.,
\\server\tsprofiles$\%username%
********************
Do not let people store any data locally - all data belongs on the server.
********************
The User Profile Hive Cleanup Utility should be running on all your
computers. You can download it here:
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
********************
Roaming profile & folder redirection article -
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html
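
An added example, not part of the original post: a PowerShell audit of the per-user profile subfolders against the permissions listed in the reply (Administrators, SYSTEM and the user with Full Control and nothing else, no Deny entries, owner either the user or Administrators). The path `E:\profiles`, the `$Domain` default and the mapping of folder name to logon name are assumptions.

```powershell
# Added example: audit per-user roaming-profile folders against the baseline above.
# Assumptions: E:\profiles is the folder behind profiles$, and each subfolder is
# named after the user's logon name (adjust if yours carry a suffix).
param(
    [string]$ProfileRoot = 'E:\profiles',
    [string]$Domain      = $env:USERDOMAIN
)

$admins = 'BUILTIN\Administrators'
$system = 'NT AUTHORITY\SYSTEM'
$full   = [System.Security.AccessControl.FileSystemRights]::FullControl

Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    $dir      = $_
    $user     = "$Domain\$($dir.Name)"
    $expected = @($admins, $system, $user)
    $problems = @()
    $acl      = $null
    $blocked  = $null

    try {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
    } catch {
        # Typical when Administrators was never added to the folder's ACL.
        $problems += "cannot read ACL: $($_.Exception.Message)"
    }

    if ($acl) {
        $blocked = $acl.AreAccessRulesProtected   # True = not inheriting from parent
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Deny') { $problems += "Deny entry for $who" }
            elseif ($expected -notcontains $who)   { $problems += "unexpected entry for $who" }
        }
        foreach ($need in $expected) {
            # Look for an Allow entry whose rights include every Full Control bit.
            $hit = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $need -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $full) -eq $full
            }
            if (-not $hit) { $problems += "$need lacks Full Control" }
        }
        if (@($admins, $user) -notcontains $acl.Owner) { $problems += "owner is $($acl.Owner)" }
    }

    # One row per profile folder; an empty Problems column means it matches the baseline.
    [pscustomobject]@{ Folder = $dir.Name; InheritanceBlocked = $blocked; Problems = ($problems -join '; ') }
}
```

The script only reads ACLs and changes nothing; run it from an elevated session on the server and pipe the output to `Format-Table -AutoSize -Wrap` to see which folders need resetting.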