Roaming profile problem

danieltan

After I created the roaming profile in Win2000 Server AD Users
and Computers, when my user logged on, it gave the following error. I
have shared the folder and given full rights to Everyone. I even
added the user to the Administrators group. Pls help. Thanks


"Windows cannot locate the server copy of your roaming profile and is
attempting to log you on with your local profile. Changes to the
profile will not be copied to the server when you logoff. Possible
causes of this error include network problems or insufficient security
rights."


Regards
Daniel
 
Herb Martin

How did you "create" the roaming profile?
(Hint: usually you DON'T "create" it but let it be created
when the user next logs on...)

Create parent directory on file server;
Set permissions to allow users to modify (or FC)
files and directories there.
Set properties in the user's property sheet in
AD Users/Computers to POINT to that directory
you wish the user to use.

Log user ON and OFF.
 
danieltan

Herb, I've done all that, I don't create folders for users, but they are
getting this error. They can log on to the domain, and even the home
directory is OK. What did I miss out? Thanks

Rgds
Daniel
 
Herb Martin

Roaming profile top directories have always had to be created
(and permissioned) by the admin.

If they exist and are writable, and the computers are authenticating
themselves and the user then the files get added on the next logon/logoff
sequence.

You have to enter an EXISTING directory (for profiles)
in AD Users and Computers -- that directory is for ONE
user but you can use %UserName% to do it for multiple users
or copy one with this setting.
 
Herb Martin

Herb, how do I know that my computer is being authenticated? Thanks

It's a good question.

Probably the simplest procedure is to open a command
prompt and type "set l" (or just "set" if you cannot remember
that the variable you want to see starts with an L: LOGONSERVER).

I don't think that this variable will ever be set to a DC
if your machine didn't authenticate and log the user on.

You can get more definite information about the computer's
secure channel with NLTest but that is overkill.

A general test (but it doesn't help that much when you already
have problems) is to try to USE your credentials against
a known available resource (file share) and if they don't
work but you can resolve the names and ping and stuff
then you are likely authenticated.

We are now full circle because you were having trouble
which made us suspect authentication.

Set L

....works pretty well for a quick look.
 
Lanwench [MVP - Exchange]

General tips:

1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing.
2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and users=full
control.
3. In the users' ADUC properties, specify \\server\profiles$\%username% in
the profiles field
4. Have each user log into the domain once from their usual workstation
(where their existing profile lives) and log out. The profile is now
roaming.

Notes:

* Make sure users understand that they should never log into multiple
computers at the same time when they have roaming profiles (unless you make
the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't
change them). Explain that the last one out wins, when it comes to
uploading the final, changed copy of the profile.

* Keep your profiles TINY. Redirect My Documents
to a subfolder of each user's home directory on the server - either via
group policy (folder redirection) or manually (less advisable). If you
aren't going to also redirect the desktop using policies, tell people that
they are not to store any files on the desktop or you will beat them with a
stick. Big profile=slow login/logout, and possible profile corruption.

* Note that user profiles are not compatible between different OS versions,
even between W2k/XP. Keep all your computers. Keep your workstations as
identical as possible - meaning, OS version is the same, SP level is the
same, app load is (as much as possible) the same.

* Do not let people store any data locally - all data belongs on the server.
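The four steps above as a script, added here as an example and not part of Lanwench's post. It assumes a current Windows Server (New-SmbShare, Set-ADUser and the ActiveDirectory module did not exist on the Windows 2000 box in this thread, where net share and cacls would do the same job), a file server called FS01, the folder D:\Profiles published as Profiles$, and a made-up list of users. One deliberate departure from step 2 is marked in the code: Users get only list and create-folder rights on the root, and CREATOR OWNER takes Full Control of each per-user folder, instead of Full Control for Users on everything.

```powershell
# Added example, not from the thread. Assumed names: FS01, D:\Profiles,
# Profiles$ and the sample accounts. Run elevated on the file server; the
# ActiveDirectory module (RSAT) is needed for Set-ADUser / Get-ADUser.
$Root      = 'D:\Profiles'
$ShareName = 'Profiles$'                 # trailing $ hides the share from browsing (step 1)
$Server    = 'FS01'
$Users     = @('danieltan', 'jsmith')    # constructed sample accounts

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Root ACL (tighter than "users=full control" in step 2): admins and SYSTEM
# everywhere; Users may only list the root and create one sub-folder in it;
# CREATOR OWNER gets Full Control on whatever it creates, so the per-user
# folder Windows makes at first logoff is readable by that user and admins only.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)    # stop inheriting, drop inherited ACEs
$All  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$None = [System.Security.AccessControl.InheritanceFlags]::None
$rules = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl'; Inherit = $All;  Prop = 'None' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl'; Inherit = $All;  Prop = 'None' },
    @{ Id = 'CREATOR OWNER';          Rights = 'FullControl'; Inherit = $All;  Prop = 'InheritOnly' },
    @{ Id = 'BUILTIN\Users';          Rights = 'ListDirectory,CreateDirectories'; Inherit = $None; Prop = 'None' }
)
foreach ($r in $rules) {
    $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $r.Id,
        [System.Security.AccessControl.FileSystemRights]$r.Rights,
        $r.Inherit,
        [System.Security.AccessControl.PropagationFlags]$r.Prop,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $Root -AclObject $acl

# Share permission stays wide (NTFS does the real work) but is limited to
# authenticated accounts rather than Everyone. Offline caching is turned off:
# a cached ntuser.dat is the quickest route to a corrupt profile.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Authenticated Users' -CachingMode None | Out-Null
}

# Step 3. ADUC substitutes %username% when you press OK; Set-ADUser stores the
# string literally, so the substitution is done here instead.
Import-Module ActiveDirectory
foreach ($u in $Users) {
    Set-ADUser -Identity $u -ProfilePath "\\$Server\$ShareName\$u"
}

# Verify: the effective ACL on the root and the path one account will use.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
Get-ADUser -Identity $Users[0] -Properties ProfilePath | Select-Object SamAccountName, ProfilePath
```

Step 4 is unchanged: each user logs on once from their usual workstation and logs off, and Windows creates \\FS01\Profiles$\<user> itself, owned by that user. The tighter root ACL is not just tidiness: with Users=Full Control on the root, any domain user could pre-create another person's profile folder and seed it with an ntuser.dat before that person's first logoff.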
 
danieltan

Herb, firstly, if I can "set L" to a DC and get a result, then my computer is
authenticated? Also, if USE and ping can be used, then it is
authenticated also? What are the components required in order
to have roaming profiles work?

Regards
Daniel
 
danieltan

Lanwench, what are the components needed in order for roaming
profiles to work? Thanks for your info.

Rgds
Daniel
 
danieltan

Herb, I just tested and "set L" does return the name of the logon server, and
so does the set command, which indicates the correct server name. What do I
need to test next?

Rgds
Daniel
 
danieltan

Lanwench, the problem is the user folder is not even created by the system
when the user logs on and off. This is due to error ID 1521, DETAIL -
The system detected a possible attempt to compromise security. Please
ensure that you can contact the server that authenticated you. Can't
find any info about this exact error on eventid.net. Possible causes are network
problems or insufficient security rights. Any ideas now?

Rgds
Daniel
 
Herb Martin

Herb, firstly, if I can "set L" to a DC and get a result, then my computer is
authenticated?

I think this is true -- were the user not logged on
it would seem wrong to show a logon server.

NLTest is more definitive but difficult to use (contrary
command line switches.)

I was sort of hoping that someone would post a KB article
describing such tests. (Experience makes it pretty obvious
to me but that is NOT a good answer for someone trying to
learn.)
Also, if USE and ping can be used, then it is
authenticated also?

In no way does ping tell you this.

Ping FAILURE would make it unlikely that authentication
worked, but even that is not reliable unless you are very
certain why ping failed.

For instance, any firewall, including the XP-Win2003 built-in
firewall, might block ping; or IP might be broken and a computer
still authenticate in some domains with another protocol, but
this is less common today with IP required and few people
using other protocols.
What are the components required in order
to have roaming profiles work?

Authentication
Server with share, proper permissions on share and NTFS
Usually share and NTFS need to be Full Control for the
group or user who will save a profile.
Network operation so that the client can reach the share (in a timely
manner so that it doesn't time out)
 
Herb Martin

Herb, I just tested and "set L" does return the name of the logon server, and
so does the set command, which indicates the correct server name. What do I
need to test next?

Explicitly use the share (as the affected user).

(log on as a [test] user first to avoid accidentally using
admin credentials)

net use X: \\serverName\shareName


[If it fails, let's try specific authentication, which would
be necessary if we are not really authenticated on the domain,
OR if the server is not properly working in the domain***.]

net use Y: \\serverName\shareName * /user:DomainName\UserName

If neither of these works, then we likely have a problem with
the Server (in the domain) being authenticated.

If the first fails and the second works then we pretty much know
that the user wasn't fully authenticated and that the user CAN
authenticate and use the server resources.

Ok, let's assume that X: is connected (first worked).

Do these:

X:
cd \username
copy con t.txt
Type some test here
Anything will do
to FINISH you must hit <CTRL-Z><Enter>

If this works, you have proven the user can use the share
and has enough share AND NTFS permissions to create
a file.

If all that works then likely the profile will work.

***Forgot to mention this earlier: Server must be authenticated
properly and working in the domain (or a trusting domain with
trusts working.)
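Herb's test sequence above (net use, cd into the user's folder, copy con a file) as a script, added here as an example and not part of his post. Run it on the workstation as the affected user, not as an administrator, for the reason Herb gives. The share name \\FS01\Profiles$ is an assumption; change it to yours. The last step pulls the 1521 events Daniel mentions out of the Application log, since that message names the real cause.

```powershell
# Added example, not from the thread. Assumed: the share \\FS01\Profiles$.
# Needs no admin rights; run it in the session of the user who gets the error.
param(
    [string] $ProfileShare = '\\FS01\Profiles$'   # assumed share name
)

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Running as {0} ({1} logon)" -f $me.Name, $me.AuthenticationType

# 1. Equivalent of "net use X: \\server\share": can this user reach the share
#    and list its root at all?
try {
    Get-ChildItem -LiteralPath $ProfileShare -ErrorAction Stop | Out-Null
    "Share root readable"
} catch {
    "Cannot read ${ProfileShare}: $($_.Exception.Message)"
    return
}

# 2. Equivalent of "cd \username" + "copy con t.txt": create a folder and write
#    a file into it, which is exactly what the profile copy needs at first
#    logoff. The probe folder is removed afterwards.
$probe = Join-Path $ProfileShare ("probe-" + $env:USERNAME + "-" + [guid]::NewGuid().ToString('N').Substring(0, 8))
try {
    New-Item -ItemType Directory -Path $probe -ErrorAction Stop | Out-Null
    Set-Content -LiteralPath (Join-Path $probe 't.txt') -Value 'Type some test here' -ErrorAction Stop
    # Windows expects the user (or Administrators) to own the profile folder,
    # so show who ended up owning what we just created.
    $owner = (Get-Acl -LiteralPath $probe).Owner
    "Created and wrote to $probe (owner: $owner)"
} catch {
    "Write test failed: $($_.Exception.Message)"
} finally {
    Remove-Item -LiteralPath $probe -Recurse -Force -ErrorAction SilentlyContinue
}

# 3. What Windows itself logged: event 1521 ("cannot locate the server copy of
#    your roaming profile") in the Application log, newest five.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1521 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Message | Format-List
```

If step 1 fails but an explicit "net use Y: \\FS01\Profiles$ * /user:DOMAIN\user" succeeds, that is Herb's case of a user session that is not fully authenticated while the account itself is fine. If step 2 fails, it is share or NTFS permissions on the root; if both pass and the profile still does not roam, the 1521 text (or a firewall on the client, as it turned out for Daniel) is the next place to look.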
 
ptwilliams

The logonserver is the local machine if a DC cannot be found, e.g. the
computer name.


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

 
Herb Martin

ptwilliams said:
The logonserver is the local machine if a DC cannot be found, e.g. the
computer name.

I was also leaving some wriggle room for
things like DC available, authenticates, then
DC goes down (credentials might even expire.)

I wonder if there is a built-in and direct way to
tell if the machine and user are authenticated....

(Looking at the environment works for me, but
seems a bit indirect or non-specific.)
 
danieltan

Herb, if I use the net use commands one at a time, then it is
successful. If I use the first and after that the second net use
together, the 2nd net use reports an error that multiple users are logged in to a
folder and it cannot be the same user name. One at a time, both create a
mapped drive, X and Y. But the "cd \username", what does it mean?
Inside the X drive it doesn't have any folder. But I can "copy con t.txt"
and put the file inside the mapped drive.

What do you mean by the server must be authenticated properly? I've checked
the net and found the error code. But I'm not sure what it means, any idea?
Thanks

SEC_E_DOWNGRADE_DETECTED, The system detected a possible attempt to
compromise security. Verify that the server that authenticated you can
be contacted.

http://msdn.microsoft.com/library/default.asp?url=/library/enus/secauthn/security/sspi_status_codes.asp

Regards
Daniel
 
ptwilliams

I wonder if there is a built-in and direct way to tell if the machine and
user are authenticated....

That would be nice!

Can you whip something up in Perl?!? ;-)


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net

 
Herb Martin

ptwilliams said:
That would be nice!

Maybe these are close enough:

nltest /whowill:Domain.Com UserName

nltest /finduser:UserName
Can you whip something up in Perl?!? ;-)

Well, sure, though it wouldn't be direct but
just another hack <grin>

#Perl begins
use strict;
use warnings;

my $debug = 1;    # set to 0 for less output
my $dc    = 0;    # heuristic: set when "net start" lists the Net Logon service
my @services = `net start`;
foreach (@services) {
    next unless /^\s+Net Logon\s*$/;
    $dc = 1;
    print if $debug;
    last;
}

print "DC\n"     if  $dc && $debug;
print "not DC\n" if !$dc && $debug;    # was "if $dc", so "not DC" never printed

my ($logonServer, $computer) = ('', '');
if (defined $ENV{LOGONSERVER}) {
    $logonServer = $ENV{LOGONSERVER};
    $logonServer =~ s/.*\\+(.*)/$1/;   # strip the leading backslashes: \\DC1 -> DC1
    print "LogonServer: $logonServer\n" if $debug;
}
if (defined $ENV{COMPUTERNAME}) {
    $computer = $ENV{COMPUTERNAME};
    print "Computer: $computer\n" if $debug;
}

# Names are strings, so compare with "ne" (the original "!=" coerced both
# names to 0 and always found them equal); an unset LOGONSERVER also means
# no domain logon.
if ($dc || ($logonServer ne '' && uc($computer) ne uc($logonServer))) {
    print "logged onto domain.\n";
    exit 0;
} else {    # user is
    print "NOT logged onto domain.\n";
    exit 1;
}

# Perl ends
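Paul asks for a direct way to tell whether the machine and the user are authenticated, and Herb answers with nltest plus the LOGONSERVER heuristic. The following is an added example, mine and not from the thread, that puts the direct checks Windows does offer into one function: the computer account's secure channel to a DC (what nltest /sc_query reports), the user's authentication type and Kerberos ticket, with the LOGONSERVER comparison kept as the hint it is. Assumed: a domain-joined client running PowerShell 3 or later, where Test-ComputerSecureChannel, Get-CimInstance, klist and nltest are all present. No names beyond the environment variables are assumed.

```powershell
# Added example, not from the thread. Assumed: PowerShell 3+, domain-joined
# client; klist.exe and nltest.exe ship with Windows.
function Test-DomainLogon {
    [CmdletBinding()]
    param()
    $r = [ordered]@{}

    # The thread's heuristic: LOGONSERVER equals the local name when no DC
    # answered the logon (and always on a DC itself), so it is a hint only.
    $ls = ($env:LOGONSERVER -replace '^\\+', '')
    $r.LogonServer        = $ls
    $r.LogonServerIsLocal = ($ls -eq '' -or $ls -ieq $env:COMPUTERNAME)

    # Computer account: is the secure channel to a DC intact? This is what
    # nltest /sc_query checks; a broken channel is the usual cause of
    # "cannot contact the server that authenticated you".
    $r.DomainJoined    = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    $r.SecureChannelOk = $false
    if ($r.DomainJoined) {
        try { $r.SecureChannelOk = Test-ComputerSecureChannel -ErrorAction Stop } catch { }
    }

    # User: how the token was obtained, and whether a Kerberos TGT exists.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $r.User               = $id.Name
    $r.AuthenticationType = $id.AuthenticationType    # Kerberos, NTLM, Negotiate...
    $tickets = & klist.exe 2>$null
    $r.HasKerberosTgt = [bool]($tickets | Select-String -Pattern 'krbtgt/' -Quiet)

    # Verdict: machine joined with a working channel, user holds a TGT, and a
    # real DC (not this box) handled the logon.
    $r.DomainAuthenticated = $r.DomainJoined -and $r.SecureChannelOk -and
                             -not $r.LogonServerIsLocal -and $r.HasKerberosTgt
    [pscustomobject]$r
}

$result = Test-DomainLogon
$result | Format-List
if (-not $result.DomainAuthenticated) {
    # Herb's nltest checks for the detail the summary does not carry.
    & nltest.exe /sc_query:$env:USERDOMAIN
    & nltest.exe /finduser:$env:USERNAME
}
```

Run on a domain controller, LogonServerIsLocal is true by design, so DomainAuthenticated reads false there; the secure-channel and TGT fields are the ones that matter in that case. A cached logon (laptop away from the office) shows AuthenticationType of Kerberos or Negotiate but no krbtgt ticket, which is exactly the state in which a roaming profile cannot be reached.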
 
ptwilliams

Ah...nice. I'll have a play with that tomorrow. I'm thinking about
learning Perl. I just downloaded and installed ActivePerl...


I often use /whowill, but I'd forgotten about /finduser.

nltest is a real handy tool alright!!!


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
danieltan

Lanwench, I got it working already. The problem was Norton Internet
Security blocking it. I did all that I was told and it works. Thanks all
you guys.

Regards
Daniel
 
