Problem with roaming profiles

[me]

We have Win2k Professional SP4 and WinXP SP1 as clients on an active
directory domain, and some servers running Server 2003. I just enabled
some accounts to have roaming profiles that would be stored on the 2003
servers. These accounts are now having problems (profile related).
I've ensure that they have permissions on the shares where their
profiles are. The following errors are being generated:

----------------------------------
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1504
Date: 8/15/2004
Time: 1:32:43 PM
User: domainname\username
Computer: xxxxxxxx
Description:
Windows cannot update your roaming profile. Possible causes of this
error include network problems or insufficient security rights. If this
problem persists, contact your network administrator.

DETAIL - Access is denied.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
------------------------------------------

---------------------------------------
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1509
Date: 8/15/2004
Time: 1:32:42 PM
User: domainname\username
Computer: xxxxxxxx
Description:
Windows cannot copy file C:\Documents and Settings\username\Application
Data\Microsoft\SystemCertificates\My\Keys\967E95B3205E600D41C2B412D12C97928559DB15
to location \\server\username$\profile\Application
Data\Microsoft\SystemCertificates\My\Keys\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Possible causes of this error include network problems or insufficient
security rights. If this problem persists, contact your network
administrator.

DETAIL - Access is denied.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------

---------------------------------------------------
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1509
Date: 8/15/2004
Time: 1:24:29 PM
User: domainname\username
Computer: xxxxxxxx
Description:
Windows cannot copy file C:\Documents and Settings\username\Application
Data\Talkback\MozillaOrg\Firefox10\Win32\2004062622\permdata.box to
location \\server\username$\profile\Application
Data\Talkback\MozillaOrg\Firefox10\Win32\2004062622\permdata.box.
Possible causes of this error include network problems or insufficient
security rights. If this problem persists, contact your network
administrator.

DETAIL - Access is denied.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----------------------------------------------------

Some of the other accounts are getting error messages at logon that are
similar (can't copy a file) and then it tells them that they will be
logged on with a temporary profile. If I then check their system, their
original profile is renamed with a .bak extension, and the system will
not show them as having a profile on the system if I check the
properties on My Computer.

Any help is appreciated.

 

[Oli Restorick [MVP]]

Are you sure that the user has full control at both the NTFS file/directory
permission level and on the share?

If you're sure that's correct, try resetting the permissions on the existing
profile.

Also, while logged in with an account that causes this problem, type "echo
%userprofile%" at the command prompt and see if, by chance, the profile path
ends with "\TEMP". This is a sign that the roaming profile has inconsistent
permissions down the tree. If so, try resetting them.

Oli

 

[me]

Are you sure that the user has full control at both the NTFS file/directory
permission level and on the share?

If you're sure that's correct, try resetting the permissions on the existing
profile.

Also, while logged in with an account that causes this problem, type "echo
%userprofile%" at the command prompt and see if, by chance, the profile path
ends with "\TEMP". This is a sign that the roaming profile has inconsistent
permissions down the tree. If so, try resetting them.

Oli

I believe you are correct. I checked the permissions, and some files in
the user's original profile (the local one on the desktop) had problems
and could not be corrected for whatever reason. I checked the copy on
the server, and the ownership was not correct (owned by the
Administrator on the server). I corrected the ownership and re-applied
permissions, and it worked. I checked some of the other profiles, and
the ownership appears to be incorrect. Why is Administrator being set
as the owner on the newly created roaming profiles?

 

[me]

Are you sure that the user has full control at both the NTFS file/directory
permission level and on the share?

If you're sure that's correct, try resetting the permissions on the existing
profile.

Also, while logged in with an account that causes this problem, type "echo
%userprofile%" at the command prompt and see if, by chance, the profile path
ends with "\TEMP". This is a sign that the roaming profile has inconsistent
permissions down the tree. If so, try resetting them.

Oli

The plot thickens:

I corrected all of the permission problems on the local computer and
then on the share for the user's roamin profile. The user logged on
without error, then logged off, then logged on to a different computer
with no error, logged off. The user went back to the original computer,
and got the access denied error message and it logged him on with a temp
profile.

Any ideas to what is causing this?

 

[me]

Are you sure that the user has full control at both the NTFS file/directory
permission level and on the share?

If you're sure that's correct, try resetting the permissions on the existing
profile.

Also, while logged in with an account that causes this problem, type "echo
%userprofile%" at the command prompt and see if, by chance, the profile path
ends with "\TEMP". This is a sign that the roaming profile has inconsistent
permissions down the tree. If so, try resetting them.

Oli

Another, related, question.

Say a person has already logged in on multiple computers, and has
profiles setup on each of them, with slightly different desktops (call
them computer1, computer2, computer3). What happens if the user logs on
to computer1 after the user's profile has been setup with roaming
profiles, logs off, logs on to the other computers. Are the profiles
going to be merged, does one replace the other? I've tried testing
this, but I'm getting varying results. I've setup roaming profiles in
the past, but didn't have these problems. They appear to work
differently under AD than under an NT4 domain. Help!

 

[me]

Are you sure that the user has full control at both the NTFS file/directory
permission level and on the share?

If you're sure that's correct, try resetting the permissions on the existing
profile.

Also, while logged in with an account that causes this problem, type "echo
%userprofile%" at the command prompt and see if, by chance, the profile path
ends with "\TEMP". This is a sign that the roaming profile has inconsistent
permissions down the tree. If so, try resetting them.

Oli

Ok, I'm sure it's a permissions problem at this point, but where?

I created a test account to test with, no profile, no roaming profile.
I logged on with this account on various desktops and setup the local
profiles. I picked one desktop to be the home desktop, arranged it,
then logged off. I then edited the account to have a roaming profile,
setup the share, set permissions, and logged on as that user again. No
errors. I modified the desktop slightly, logged off and logged on
again, no errors. I went to another desktop, logged on as that user, no
errors, and got the roaming profile. I went back to the original
computer, logged on, and got an error about not being able to copy a
file, and logging on with a temp profile.

I don't understand why this is happening.