Roaming Profiles Question.
TechJunky
Member Posts: 881
I am using win2k3 server.
I setup a user named jason
I then went into profile and setup under profile \\Server\profile\%username%
I then move to the desktop computer. Input the username/pass on the domain. It takes for ever to login. After logging in, I then check the server to make sure it created a folder named Jason under profile. It did. However, it shows there is 0bytes in the folder and I am unable to access this folder as the admin on the domain box.
My local file structure for the share is as follows.
\profile | Everyone group has sharing permissions, Domain Admin has full control, jason has full control.
The name of the server is Server
Any ideas?
I setup a user named jason
I then went into profile and setup under profile \\Server\profile\%username%
I then move to the desktop computer. Input the username/pass on the domain. It takes for ever to login. After logging in, I then check the server to make sure it created a folder named Jason under profile. It did. However, it shows there is 0bytes in the folder and I am unable to access this folder as the admin on the domain box.
My local file structure for the share is as follows.
\profile | Everyone group has sharing permissions, Domain Admin has full control, jason has full control.The name of the server is Server
Any ideas?
Comments
A possible reason for the login taking so long is your DNS settings.
Make sure the client machine has it's DNS server address pointing to the IP of the server.
Best of luck.
I might add that the first time you sign into a machine it actually has to build the profile which might also explain an issue with the login delay. The subsequent logins should be quicker.
As for the permissions issue. It looks like everything is correct but check to make sure there are no Deny permissions assigned to any accounts. As you know, Deny overrides all other permissions.
I am more stumped about the profile of the user being not accesable by the domain admin. Plus the profile not showing any data in the users folder....
Any other tips/ideas?
Btw, the server is a P4 1.5ghz, with a ATA33 HD, it was all I had. The server has 256mb ram with a 10gig HD. 1.5gb free.
Thanks.
Am I correct?
I will assume for now that I am.
So. About the zero bytes. Did you try copying anything to your profile, i.e. a document to your My Documents folder and see if at logoff it synchronized, putting the document on the server? (Ok, I get mixed up with roaming profiles and redirection so I'm not sure, but anyway.)
Taking awhile to log in is normal at first, because it must create the profile.
You are unable to access his folder. Locally? Did you take a look at its ACL, and see if perhaps you were removed? That would be normal, or at least that's the way it was for me (again, roaming profiles or My Documents redirection, can't remember which).
Do this: On the user's folder, configure these three permissions and remove all others:
Administrator: Full Control
%username%: Full Control
System: Full Control
Remember that the most restrictive permission sum/culmination (NTFS/sharing) wins. So even if you were to give yourself (as administrator) and Jason Full Control sharing permissions, if the Everyone group has only Read permissions then that is all you or Jason will get, seeing as you are part of the Everyone group.
Actually, when accessing a share across the network, the least restrictive permissions between sharing and security apply, unless there is an explicit "deny". And obviously, if accessing the folder locally share permissions have no effect, only security.
I agree that the reason the folder is empty is because he didn't put anything in it. I think you have to specify under Folder Redirection or else in the user properties (ADUC) what files are accessible when roaming. I don't use roaming profiles, so I don't remember for sure, but I think he just left out a step.
As for the access denied from the admin, it's most likely because the user "Jason" created the folder called "Jason" when he logged in, thus becoming the owner. Since it did not exist when you created the "profiles" directory, the default permissions when it was created are probably "Owner - FC". Try, as admin, to right click and go to properties, security, advanced, owner, and have the admin take ownership. Say okay to all prompts. Then go back into the properties and give the admin FC.
To avoid this in the future, on the profiles folder go to advanced security properties, select the admin and edit, then make sure the FC permissions apply to "This Folder, Subfolder, and Files" or whatever that option is (can't remember exactly).
lol. I dare you to try it out.
Again, this is all contingent on there being no Deny permissions.
Did I really write that?
What was I thinking?
This is almost one of those occasions when one is tempted to change user names so as to avoid recognition...
Thanks for not pouncing too hard on my blunder!
I did go ahead and make a folder, and then made a text document within that folder that was placed on the desktop. It said when logging off that it was saved. However, when I tried to check via the AD server there wasnt any data shown under the folder. I actually couldnt access the folder at all. It was giving me a permission denied error. Which tells me its a permission issue still. Even though I already took ownership of the folder and allowed FC to the admin.
That DC had tons of crap on it. DNS, DHCP,Citrix, RIS, AD. So I simply formatted and installed win2k3 server instead of 2000 server that I was using. The users are able to login to the DC controller a lot faster now. I am now going to try and enable roaming profiles and see what happens.
So since its not sending its letting me beleive its the network card.
If you do it the 290 style you won't be able to access the folder and it will give you "access denied" regardless of the permissions structure. If you take ownership of the files the user will not be able to log on. hence do this it will solve your problem.
-Create the account(trial account).
-don't set the roaming profile location.
-On the desktop computer Log on as the trial account.
-Log of the desktop computer and re-logon as the Administrator.
-Hit window key + pause break......advanced tab,user profiles.
-Trial appears as a local account.
-Then select copy to and specify the UNC to the server share(profile share). Forgive me i don't have the computer here.
-Under permitted to use......leave as the default...should still be trial.
-Go to the domain controller,log on as administrator.
-Window key + R, type DSA.MSC, this opens active directory users and computers.
-On the trial account properties, go to the profile tab .
-enter this \\server\profiles\trial.
Susbstitute trial for what appears on the shared profiles directory. And walla you can access the contents of the profile account.
For the share permissions give everyone......full control, for the NTFS permissions leave them at there default setting.
This is what i do at work. At my place users cannot logon to the domain controller, so for your case you can substitute the desktop for your DC by enabling users to log on interactively