Roaming Profile doesn't copy over in TS 2003

[Ed]

On a Terminal Server 200 box, I created a roaming profile by:

1. Logging in as the user
2. Customizing the profile as the user
3. Implementing a GPO for the username on a DC (for further
restrictions/lockdowns)
4. Re-log in as the user
5. Copy the profile to another location than documents and settings.
6. Share out that copied profile
7. Set the TS path of a different user's properties to point to the shared
profile
8. Log in as that user.

Voila! New, locked-down, copied profile is working correctly.

I am having problems on Terminal Server 2003.

I followed all the same steps as above, but when logging in as the user
(#8), I get a mixture of a new profile and the profile that was copied. I
do NOT get the locked down profile that I had after GPO was applied to the
original profile as I did in TS2000.

To sum it up, the copying of the profile in TS2003 does not seem to save the
locked down (via GPO) profile that I create. TS2000 does this fine. WHAT
GIVES?!!?!

Please help me. I really like the added bells and whistles in TS2003, but
if this doesn't work, then I'm going to have to hold off on it for a while.

Thanks,

Ed

 

[Matthew Harris [MVP]]

Are the GPOs being applied to the profile after you login
at #8?

-M

-----Original Message-----

 

[Ed]

No, it's not, because I'm logging in as a totally different user.

Are the GPOs being applied to the profile after you login
at #8?

-M

 

[Matthew Harris [MVP]]

Isn't that the problem then? You need your lock-down GPOs
to take affect here.

-M

-----Original Message-----
No, it's not, because I'm logging in as a totally different user.

 

[Ed]

Matt,

I think I've at least been able to further define the problem...

The GPO, as it is applied to the initial profile is saved into the profile
after I log out (let's call the initial user profile "GPOUser"). I can tell
this is what happens, b/c after I copy and paste the profile to a new shared
location on the local drive and log in as a totally new user with the TS
profile path pointing to this share (let's call this user using the roaming
profile "TSUser"), I get the locked down profile with no problems. This is
what occurs in TS2000.

Now, with a TS2003 server, basically, TSUser does not get the saved,
locked-down-by-GPO profile that the user logging into a TS2000 server gets.
He gets the modified taskbar and icons that I created, but it doesn't save
the locked-down settings.

It appears that TS2003 is not saving the locked down profile like TS2000 is.
Any ideas? I really need help here.

Thanks,

Ed

 

[Matthew Harris [MVP]]

When you copy over the profile on a Windows 2003 server,
is the ntuser.dat file also copying?

Try this...let's step through the GPO application
process...

-First of all, turn on a setting of the group policy and
log on using an account that the GPO affects.

-When the user logs on, open up the registry, using an
admin account, and verify that the registry setting that
you enabling in the GPO is present in the user's registry.

-Now, log off the user, open up regedit, and load that
user's ntuser.dat hive, and again, verify that the
registry entry is still there.

So...what did you find?

I thought somewhere I read that the portions of the
registry that the GPO affect are deleted and recreated
everytime the GPO is changed. I wonder if that is
affecting you in the wrong way here...

-M

-----Original Message-----
Matt,

I think I've at least been able to further define the problem...

The GPO, as it is applied to the initial profile is saved into the profile
after I log out (let's call the initial user

profile "GPOUser"). I can tell

 

[Ed]

Matt,

Thanks for the help. Can you direct me to the correct registry hives to
check?

Thanks,

Ed

 

[Matthew Harris [MVP]]

Oof...uh...sure can.

Why don't you give me a sample of some of the GPO settings
you are working with. Just for kicks, a majority of those
GPO are going to affect either of the following two
registry locations:

HKLM\Software\Policies
or
HKCU\Software\Policies

I would set some policies, then look in these locations to
see if there are registry entries there are are
controlling different lockdown policies. You might be
able to track down a few faster than I can, considering
you are sitting in front of the system.

I just read an article and it said, "Group policy
infrastructure on every desktop performs a registry
cleanup once a particular setting no longer applies to
that computer." I wonder if this is giving you problems.

-M