TS roaming profile not working correctly
We have about 300 users that connect to 7 2008 terminal servers in a DNS round robin + session broker config. All TS are configured for roaming profiles via GPO. For some reason, there is just one user that is always given a Temp roaming profile and not the one configured through his AD account. He has full permission on the folder where the profile is stored. No obvious errors or warnings in eventvwr. Thoughts?
Comments
-
dynamik Banned Posts: 12,312
Maybe look at these logs: Interpreting Userenv log files: Group Policy
-
phoeneous Member Posts: 2,333
> Maybe look at these logs: Interpreting Userenv log files: Group Policy
No userenv log files on any of the TS today.
-
astorrs Member Posts: 3,139
Have you tried just renaming his existing roaming profile and having it create a new one for him? Profile "corruption" is not entirely uncommon with terminal servers.
-
Claymoore Member Posts: 1,637
Check the size of his profile. I've seen problems with roaming profiles not loading because there is not enough disk space to copy down the profile.
-
phoeneous Member Posts: 2,333
> Have you tried just renaming his existing roaming profile and having it create a new one for him? Profile "corruption" is not entirely uncommon with terminal servers.
I've removed his AD account entirely and gave him something completely new. It keeps giving him a roaming profile on the TS side; we don't use roaming profiles for local desktops. I even removed his PC from the domain, renamed it with newsid, and then joined it back to the domain.
-
phoeneous Member Posts: 2,333
> Check the size of his profile. I've seen problems with roaming profiles not loading because there is not enough disk space to copy down the profile.
The profile gets recreated every time so the size is never more than 3MB.
-
shednik Member Posts: 2,005
If you've recreated his AD account and even his roaming profile, it sounds like a permissions issue. Is he maybe in a group that has an explicit deny? I've done that to myself before: adding to one group and it breaks something else.
-
rwwest7 Member Posts: 300
Have you tried a Start...Run...\\servername\profilepath to see if he can even access the path?
-
Claymoore Member Posts: 1,637
> I've removed his AD account entirely and gave him something completely new.
This just adds to the problem. His old profile was located at \\wherever\John.Smith and now his new AD account wants to create a new profile at \\wherever\John.Smith except that folder is owned by some dead SID and the new account has no rights. You need to rename or remove the old profile from the roaming location when you delete users.
Also, don't forget that you can have a terminal services roaming profile separate from your AD roaming profile. Check the terminal services GPO to see if you have multiple roaming profiles.
Change a user's Terminal Services profile path
-
phoeneous Member Posts: 2,333
> This just adds to the problem. His old profile was located at \\wherever\John.Smith and now his new AD account wants to create a new profile at \\wherever\John.Smith except that folder is owned by some dead SID and the new account has no rights. You need to rename or remove the old profile from the roaming location when you delete users.
> Also, don't forget that you can have a terminal services roaming profile separate from your AD roaming profile. Check the terminal services GPO to see if you have multiple roaming profiles.
> Change a user's Terminal Services profile path
Actually his new profile will point somewhere else because his AD account is named differently now. I've recently discovered that it is affecting multiple users and not just him. The users don't have anything in common except for being members of the Domain Users group.
-
phoeneous Member Posts: 2,333
> Have you tried a Start...Run...\\servername\profilepath to see if he can even access the path?
Which profile path? His or the temp one that gets created? He can access his because he has full control.
When he logs in to the TS and runs Windows Explorer, it points him to C:\Users\Temp instead of his profile directory.
-
gorebrush Member Posts: 2,743
Have you made sure that the user is the "owner" of the profile folder?
I found that I had problems setting up new TS users until I granted them ownership of their TS folder...
-
chmod Member Posts: 360
Are you sure that the policies are being applied correctly?
Sometimes there is an issue with the GPO itself. Not loading properly, or more than one GP applied to a user group; maybe one GP is overwriting the other.
-
SWM Member Posts: 287
Try setting the "administrators" group as owner, make sure you replace all permissions on sub folders, then add his user account to the security and try that.
Isn't Bill such a Great Guy!!!!
-
phoeneous Member Posts: 2,333
> Have you made sure that the user is the "owner" of the profile folder?
> I found that I had problems setting up new TS users until I granted them ownership of their TS folder...
I don't think it matters because the users that aren't affected aren't the owners of their folders but they have full control rights.
-
phoeneous Member Posts: 2,333
> Are you sure that the policies are being applied correctly?
> Sometimes there is an issue with the GPO itself. Not loading properly, or more than one GP applied to a user group; maybe one GP is overwriting the other.
Positive, because the other settings that are part of the GPO are being pushed through.
-
phoeneous Member Posts: 2,333
> Try setting the "administrators" group as owner, make sure you replace all permissions on sub folders, then add his user account to the security and try that.
Owner of what? The folder where the tsprofile is stored or the C:\users\<user folder> on the TS box where they are connecting to?
-
macdude Member Posts: 173
Let's take a step back and get some questions asked.
Is it everyone or just a few?
If it happens to user A but not user B, see if they are in the same groups or see if there is a difference; if there is, look there.
Is this happening to the users on one server, or all of them?
If you have created him a new account, then I would say there is a problem with your user groups, permissions or your server config.
-
phoeneous Member Posts: 2,333
> Let's take a step back and get some questions asked.
> Is it everyone or just a few?
> If it happens to user A but not user B, see if they are in the same groups or see if there is a difference; if there is, look there.
> Is this happening to the users on one server, or all of them?
> If you have created him a new account, then I would say there is a problem with your user groups, permissions or your server config.
It happens to more and more users each day. I'm a domain admin and it hasn't happened to me until today. I have successfully logged in to each of the 7 TS boxes with a roaming profile until today. Another domain admin has had this happen to him about an hour ago.
What doesn't make sense is if we haven't made any changes to the GPO, why is it starting to affect users who weren't affected before? If it's a permissions issue then why, because the domain admins have full control to everything. It is affecting sporadic users on all 7 TS boxes and not just one.
-
SWM Member Posts: 287
> > Try setting the "administrators" group as owner, make sure you replace all permissions on sub folders, then add his user account to the security and try that.
> Owner of what? The folder where the tsprofile is stored or the C:\users\<user folder> on the TS box where they are connecting to?
If the profile path under AD points to \\servername\profiles\fred, make sure the Administrators group is the OWNER of fred and all items and sub folders.
I learnt this with Vista and its v2 roaming profiles. Unless the user or Administrators group is the owner, the profile will not load. By default Vista makes the user the owner and gives no security access to the profile folder for Domain Admins, which is annoying. I had hoped Vista would just copy the profile security from the XP profile, but it starts from scratch.
Once you have the owner sorted, log on as the user and browse to \\server\profile\user and see if you can save a file in this location.
The event logs on the TS should give specific errors in relation to profile errors.
-
phoeneous Member Posts: 2,333
> If the profile path under AD points to \\servername\profiles\fred, make sure the Administrators group is the OWNER of fred and all items and sub folders.
> <snip>
> By default Vista makes the user the owner and gives no security access to the profile folder for Domain Admins, which is annoying.
Those statements contradict each other.
If I try to browse \\server\share\userprofile.v2, I can't view its security properties so I can't change owner to anything. In the current owner field it says "Unable to display current owner". When I try to change owner to Administrators it gives me "Access is denied".
-
SWM Member Posts: 287
> > If the profile path under AD points to \\servername\profiles\fred, make sure the Administrators group is the OWNER of fred and all items and sub folders.
> > <snip>
> > By default Vista makes the user the owner and gives no security access to the profile folder for Domain Admins, which is annoying.
> Those statements contradict each other.
> If I try to browse \\server\share\userprofile.v2, I can't view its security properties so I can't change owner to anything. In the current owner field it says "Unable to display current owner". When I try to change owner to Administrators it gives me "Access is denied".
"Those statements contradict each other". No, they don't. When you first log a Vista computer onto a domain as a user that has an existing XP roaming profile, AD created a new folder called username.v2 (in the profile share) but sets the user as the owner and configures the security.
If you then try and access the user's profile folder from the server you get access denied as a domain administrator!!!
In order for both the user to access/logon and the domain admin to see the folder on the server, the owner needs to be changed from username to the "administrators" group, and then the appropriate security configured.
My suggestion is, on a user that you are having problems with, reset the owner on the user's profile folder to "administrators" and then grant the appropriate user security access rights. Make sure this is applied to all sub folders/files in the user's profile folder.
-
SWM Member Posts: 287
> If I try to browse \\server\share\userprofile.v2, I can't view its security properties so I can't change owner to anything. In the current owner field it says "Unable to display current owner". When I try to change owner to Administrators it gives me "Access is denied".
I think this is your problem. You are trying to access the folder via a share and the security is denying you access. Access the folder on the server via, e.g., d:\profiles\share\username.v2 and then take ownership and set security.
-
phoeneous Member Posts: 2,333
> I think this is your problem. You are trying to access the folder via a share and the security is denying you access. Access the folder on the server via, e.g., d:\profiles\share\username.v2 and then take ownership and set security.
Can't do that because the permissions are controlled by a SAN appliance (NetApp). So the true path is \\san\dir\%userfolders.v2%
-
phoeneous Member Posts: 2,333
> "Those statements contradict each other". No, they don't. When you first log a Vista computer onto a domain as a user that has an existing XP roaming profile, AD created a new folder called username.v2 (in the profile share) but sets the user as the owner and configures the security.
True, but it also applies when you set the user's home directory and TS profile path to the same location. All TS profiles are appended with .v2; I'm assuming it's because there is already a user folder there and it has to distinguish it from the other.
> If you then try and access the user's profile folder from the server you get access denied as a domain administrator!!!
That's what I said after you said it.
> In order for both the user to access/logon and the domain admin to see the folder on the server, the owner needs to be changed from username to the "administrators" group, and then the appropriate security configured. My suggestion is, on a user that you are having problems with, reset the owner on the user's profile folder to "administrators" and then grant the appropriate user security access rights. Make sure this is applied to all sub folders/files in the user's profile folder.
That's what I am trying to explain to you! I can't change the owner because I don't have access. I can't even view the NTFS permissions of any of the .v2 folders. And the user can't change the permission either because they don't have permission to browse \\san\share, which means they don't have the ability to right-click on their own folder. Their U: drive gets pointed to them directly through the AD home dir path.
-
SWM Member Posts: 287
> Can't do that because the permissions are controlled by a SAN appliance (NetApp). So the true path is \\san\dir\%userfolders.v2%
No dramas. You should still be able to set the security and owner though, as it's a NAS, not Windows.
-
phoeneous Member Posts: 2,333
> No dramas. You should still be able to set the security and owner though, as it's a NAS, not Windows.
Not with the NetApp, it only applies the permission to the root directory and not the child objects.