Roaming Profiles Question.

I am using win2k3 server.

I set up a user named jason.
I then went into profile and set up under profile \\Server\profile\%username%

I then move to the desktop computer. Input the username/pass on the domain. It takes forever to log in. After logging in, I then check the server to make sure it created a folder named Jason under profile. It did. However, it shows there are 0 bytes in the folder and I am unable to access this folder as the admin on the domain box.

My local file structure for the share is as follows.

D:\profile | Everyone group has sharing permissions, Domain Admin has full control, jason has full control.

The name of the server is Server

Any ideas?

Comments

  • TeKniques OSCE, OSCP, CISSP, CISA, SSCP, MCSE (03), Security+, Network+, A+, Project+ Member Posts: 1,262
    Here's a Technet article to help you out.

    A possible reason for the login taking so long is your DNS settings.

    Make sure the client machine has its DNS server address pointing to the IP of the server.

    Best of luck.
  • RTmarc Member Posts: 1,082
    Another thing to check is to make sure your domain controller is on the same subnet as the workstation. If it's not, you can still log in (provided you are attached to the same router or have configured a route to the gateway) but it will take an excessive amount of time to sign in.

    I might add that the first time you sign into a machine it actually has to build the profile which might also explain an issue with the login delay. The subsequent logins should be quicker.

    As for the permissions issue, it looks like everything is correct, but check to make sure there are no Deny permissions assigned to any accounts. As you know, Deny overrides all other permissions.
  • TechJunky Member Posts: 881
    Thanks for the input. I am aware of the building time for a Roaming Profile in AD. However, this is a lot longer period of time. I went ahead and defragmented the disk. The desktop is on the same subnet as the Server. I tried removing the roaming profile and it still seems to take a while to log in. I made sure the DNS servers are pointed correctly...

    I am more stumped about the profile of the user not being accessible by the domain admin. Plus the profile not showing any data in the user's folder....

    Any other tips/ideas?

    Btw, the server is a P4 1.5 GHz, with an ATA33 HD, it was all I had. The server has 256 MB RAM with a 10 GB HD. 1.5 GB free.

    Thanks.
  • eurotrash Member Posts: 817
    You tried to log on as Jason. You (Jason) managed to log on (after awhile), but while it created a folder named Jason, it was empty (any folders in there?). You then tried to access the Jason folder (locally?) as Admin, but found you couldn't (permissions).
    Am I correct?

    I will assume for now that I am.
    So. About the zero bytes. Did you try copying anything to your profile, i.e. a document to your My Documents folder and see if at logoff it synchronized, putting the document on the server? (Ok, I get mixed up with roaming profiles and redirection so I'm not sure, but anyway.)
    Taking awhile to log in is normal at first, because it must create the profile.

    You are unable to access his folder. Locally? Did you take a look at its ACL, and see if perhaps you were removed? That would be normal, or at least that's the way it was for me (again, roaming profiles or My Documents redirection, can't remember which).

    Do this: On the user's folder, configure these three permissions and remove all others:

    Administrator: Full Control
    %username%: Full Control
    System: Full Control

    Remember that the most restrictive permission sum/culmination (NTFS/sharing) wins. So even if you were to give yourself (as administrator) and Jason Full Control sharing permissions, if the Everyone group has only Read permissions then that is all you or Jason will get, seeing as you are part of the Everyone group.
    witty comment
  • sprkymrk Member Posts: 4,884
    _omni_ wrote:
    Remember that the most restrictive permission sum/culmination (NTFS/sharing) wins. So even if you were to give yourself (as administrator) and Jason Full Control sharing permissions, if the Everyone group has only Read permissions then that is all you or Jason will get, seeing as you are part of the Everyone group.

    Actually, when accessing a share across the network, the least restrictive permissions between sharing and security apply, unless there is an explicit "deny". And obviously, if accessing the folder locally share permissions have no effect, only security.

    I agree that the reason the folder is empty is because he didn't put anything in it. I think you have to specify under Folder Redirection or else in the user properties (ADUC) what files are accessible when roaming. I don't use roaming profiles, so I don't remember for sure, but I think he just left out a step.

    As for the access denied from the admin, it's most likely because the user "Jason" created the folder called "Jason" when he logged in, thus becoming the owner. Since it did not exist when you created the "profiles" directory, the default permissions when it was created are probably "Owner - FC". Try, as admin, to right click and go to properties, security, advanced, owner, and have the admin take ownership. Say okay to all prompts. Then go back into the properties and give the admin FC.

    To avoid this in the future, on the profiles folder go to advanced security properties, select the admin and edit, then make sure the FC permissions apply to "This Folder, Subfolder, and Files" or whatever that option is (can't remember exactly).
    All things are possible, only believe.
  • eurotrash Member Posts: 817
    sprkymrk wrote:
    _omni_ wrote:
    Remember that the most restrictive permission sum/culmination (NTFS/sharing) wins. So even if you were to give yourself (as administrator) and Jason Full Control sharing permissions, if the Everyone group has only Read permissions then that is all you or Jason will get, seeing as you are part of the Everyone group.

    Actually, when accessing a share across the network, the least restrictive permissions between sharing and security apply, unless there is an explicit "deny".
    lol. I dare you to try it out.
    witty comment
  • RTmarc Member Posts: 1,082
    sprkymrk wrote:
    Actually, when accessing a share across the network, the least restrictive permissions between sharing and security apply, unless there is an explicit "deny". And obviously, if accessing the folder locally share permissions have no effect, only security.
    It's most restrictive when it comes to Share + NTFS. Microsoft states that best practice is to give everyone Full Control Share permissions and lock them down with NTFS permissions. This allows for the least amount of administrative overhead which, as we all know, is exactly what Microsoft harps on.

    Again, this is all contingent on there being no Deny permissions.
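
Added example, not part of any post in this thread: a simplified Python model of how share and NTFS permissions combine, the point debated above. The `Rights` and `Ace` names, the ACL contents and the user `pat` are constructed for illustration; real Windows access checks walk ordered ACEs and cover many more rights than these three bits.

```python
from dataclasses import dataclass
from enum import IntFlag


class Rights(IntFlag):
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 4                       # change permissions, take ownership
    FULL = READ | WRITE | ADMIN


@dataclass(frozen=True)
class Ace:
    principal: str                  # user or group name
    rights: Rights
    deny: bool = False


def layer_rights(acl, token):
    """Rights one ACL (share or NTFS) gives a token (user + group names).
    Simplified: allows accumulate across matching entries, and any matching
    Deny removes those rights, as in a canonically ordered ACL."""
    allowed = denied = 0
    for ace in acl:
        if ace.principal in token:
            if ace.deny:
                denied |= int(ace.rights)
            else:
                allowed |= int(ace.rights)
    return Rights(allowed & ~denied)


def effective_rights(share_acl, ntfs_acl, token, over_network=True):
    """Over the network only rights granted by BOTH layers survive;
    at the server console the share ACL is not consulted at all."""
    ntfs = layer_rights(ntfs_acl, token)
    return (layer_rights(share_acl, token) & ntfs) if over_network else ntfs


# Constructed ACLs modelled on the thread's D:\profile share.
SHARE_READ = [Ace("Everyone", Rights.READ)]
SHARE_FULL = [Ace("Everyone", Rights.FULL)]
NTFS = [Ace("Domain Admins", Rights.FULL), Ace("jason", Rights.FULL)]
NTFS_DENY = NTFS + [Ace("Everyone", Rights.WRITE, deny=True)]
JASON = {"jason", "Everyone"}
ADMIN_TOKEN = {"Administrator", "Domain Admins", "Everyone"}
PAT = {"pat", "Everyone"}           # hypothetical user with no NTFS entry

if __name__ == "__main__":
    print(effective_rights(SHARE_READ, NTFS, JASON))         # share caps it
    print(effective_rights(SHARE_READ, NTFS, JASON, False))  # local logon
    print(effective_rights(SHARE_FULL, NTFS, PAT))           # NTFS locks down
    print(effective_rights(SHARE_FULL, NTFS_DENY, ADMIN_TOKEN))  # Deny wins
```

With Everyone: Full Control on the share, the NTFS ACL alone decides who gets in, which is why that layout keeps the permissions to audit in one place.
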
  • sprkymrk Member Posts: 4,884
    _omni_ wrote:
    lol. I dare you to try it out.
    RTmarc wrote:
    It's most restrictive when it comes to Share + NTFS. Microsoft states that best practice is to give everyone Full Control Share permissions and lock them down with NTFS permissions.

    Did I really write that?
    What was I thinking?
    This is almost one of those occasions when one is tempted to change user names so as to avoid recognition... :)
    Thanks for not pouncing too hard on my blunder!
    All things are possible, only believe.
  • TechJunky Member Posts: 881
    _omni_: Yes, this is what was done. I tried taking ownership of the folder before I posted, and that didn't work either. I gave Admin FC, user FC, and the Everyone group FC just to make sure the permissions were loose and it wasn't a permission issue.

    I did go ahead and make a folder, and then made a text document within that folder that was placed on the desktop. It said when logging off that it was saved. However, when I tried to check via the AD server there wasn't any data shown under the folder. I actually couldn't access the folder at all. It was giving me a permission denied error. Which tells me it's a permission issue still. Even though I already took ownership of the folder and allowed FC to the admin.

    That DC had tons of crap on it. DNS, DHCP, Citrix, RIS, AD. So I simply formatted and installed win2k3 server instead of 2000 server that I was using. The users are able to log in to the DC controller a lot faster now. I am now going to try and enable roaming profiles and see what happens.
  • sprkymrk Member Posts: 4,884
    I just remembered something else too. If you don't have access to a folder, it will show a folder size of 0 bytes regardless of what's in it. That may at least answer one question....
    All things are possible, only believe.
  • TechJunky Member Posts: 881
    So I think I figured the problem out. I haven't fixed it, but I am pretty sure it's the network card in the server. Once I boot the Server up it gets connectivity with the router and other computers on the network. I can ping its loopback address and its IP address. So it makes me think it's the router. But anyhow, after about 5 minutes the network card doesn't send anything. It shows 0 bytes of data sent and 256,000 bytes of data received.

    So since it's not sending, it's letting me believe it's the network card.
  • K_amisi Inactive Imported Users Posts: 131
    Techjunky, I totally understand your situation, I've been in this predicament before... This is the procedure that you should follow in order to create a roaming user profile where the admin can access the contents of the folder.

    If you do it the 290 style you won't be able to access the folder and it will give you "access denied" regardless of the permissions structure. If you take ownership of the files the user will not be able to log on. Hence, do this and it will solve your problem.

    -Create the account (trial account).
    -Don't set the roaming profile location.
    -On the desktop computer, log on as the trial account.
    -Log off the desktop computer and re-logon as the Administrator.
    -Hit Windows key + Pause/Break... Advanced tab, User Profiles.
    -Trial appears as a local account.
    -Then select Copy To and specify the UNC to the server share (profile share). Forgive me, I don't have the computer here.
    -Under Permitted to use... leave as the default... should still be trial.
    -Go to the domain controller, log on as administrator.
    -Windows key + R, type DSA.MSC, this opens Active Directory Users and Computers.
    -On the trial account properties, go to the Profile tab.
    -Enter this: \\server\profiles\trial.

    Substitute trial for what appears on the shared profiles directory. And voilà, you can access the contents of the profile account.


    For the share permissions give Everyone... Full Control; for the NTFS permissions leave them at their default setting.

    This is what I do at work. At my place users cannot log on to the domain controller, so for your case you can substitute the desktop for your DC by enabling users to log on interactively.
    It is essential that justice be done, and it is equally vital that justice not be confused with revenge, for the two are wholly different."