Jump to content

TS User Profile Folders Not Being Created

Guest S Sainsbury

By Guest S Sainsbury
in Windows NT Server

 Share

Recommended Posts

Guest S Sainsbury

Guest S Sainsbury

Posted
Posted

I have a windows 2003 SP1 NAS Server.

 

A TSProfile$ share was setup some months ago and permissions were set as per

microsofts best practice. This has been working fine until today.

 

Now when I create a new user and set the profile path, no folder is being

created within the TSProfile$ share. I have gone over the permissions again

and again but can see no issue.

 

The users home drive is located on the same physical volume on a share

called Home$ which has identical NTFS & SMB permissions and that works

without issue. I have compared both shares again and again and see no

differenace between the two.

 

It only appears to be TSProfile that is affected.

 

If I create the users profile folder manually then the profile is created

and works. But I dont understand what has gone wrong. There are no errors

and the event logs are not showing anything.

 

Can anyone help?

  • Replies 12
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Richard Thompson

Guest Richard Thompson

Posted
Posted

Re: TS User Profile Folders Not Being Created

 

I`ve just tested this on my test environment and it doesnt perform what you

say! Are you sure you were configuring the Terminal Services Profile Path

and not the Terminal Services Home folder?

 

Rt

 

 

"S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote in message

news:9B7254EA-0520-4D6C-9E0B-2D31A4F6E3E0@microsoft.com...

>I have a windows 2003 SP1 NAS Server.

>

> A TSProfile$ share was setup some months ago and permissions were set as

> per

> microsofts best practice. This has been working fine until today.

>

> Now when I create a new user and set the profile path, no folder is being

> created within the TSProfile$ share. I have gone over the permissions

> again

> and again but can see no issue.

>

> The users home drive is located on the same physical volume on a share

> called Home$ which has identical NTFS & SMB permissions and that works

> without issue. I have compared both shares again and again and see no

> differenace between the two.

>

> It only appears to be TSProfile that is affected.

>

> If I create the users profile folder manually then the profile is created

> and works. But I dont understand what has gone wrong. There are no

> errors

> and the event logs are not showing anything.

>

> Can anyone help?

Guest S Sainsbury

Guest S Sainsbury

Posted
Posted

Re: TS User Profile Folders Not Being Created

 

Thanks for your response.

 

Yes I do mean the terminal services profile path. Like I said it was

working fine for the last few months, brand new server. Today however when

creating new accounts the folders are not being created automatically when

the ts profile path is entered into the AD user object.

 

The TS Home drive is working as normal, although it points to a different

share on the same server, both shares have the same root level permissions.

 

Profile path is set to....

 

\\nae-ho-nas01\tsprofiles$\%username%

 

TSProfile$ permissions are set as follows....

 

SMB

 

Administrator - Full Control

Authenticated Users - Full Control

Domain Admins - Full Control

 

NTFS

 

Administrator - Full Control (this folder only)

Authenticated Users - Traverse, List, Read Att, Read Perm. (this folder only)

Owner / Creator - Full Control (subfolder files only)

Domain Admin - Full Control (folder only)

System - Full Control (this folder only)

 

Thanks for any help.

 

 

"Richard Thompson" wrote:

> I`ve just tested this on my test environment and it doesnt perform what you

> say! Are you sure you were configuring the Terminal Services Profile Path

> and not the Terminal Services Home folder?

>

> Rt

>

>

> "S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote in message

> news:9B7254EA-0520-4D6C-9E0B-2D31A4F6E3E0@microsoft.com...

> >I have a windows 2003 SP1 NAS Server.

> >

> > A TSProfile$ share was setup some months ago and permissions were set as

> > per

> > microsofts best practice. This has been working fine until today.

> >

> > Now when I create a new user and set the profile path, no folder is being

> > created within the TSProfile$ share. I have gone over the permissions

> > again

> > and again but can see no issue.

> >

> > The users home drive is located on the same physical volume on a share

> > called Home$ which has identical NTFS & SMB permissions and that works

> > without issue. I have compared both shares again and again and see no

> > differenace between the two.

> >

> > It only appears to be TSProfile that is affected.

> >

> > If I create the users profile folder manually then the profile is created

> > and works. But I dont understand what has gone wrong. There are no

> > errors

> > and the event logs are not showing anything.

> >

> > Can anyone help?

>

Guest Richard Thompson

Guest Richard Thompson

Posted
Posted

Re: TS User Profile Folders Not Being Created

 

Hi,

 

In my experience this is not and has never been possible. The terminal

services profile is used to assign a profile to a user. Ie, you build the

profile and then assign it to them, as in mandatory profiles!

 

I`ve tested this on 2 environments now and come back with the same response

on both. Perhaps someone else can come back with other advice.

 

Rt

 

 

"S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote in message

news:915C92BF-2526-4E4E-AE47-26FB4C931D6E@microsoft.com...

> Thanks for your response.

>

> Yes I do mean the terminal services profile path. Like I said it was

> working fine for the last few months, brand new server. Today however

> when

> creating new accounts the folders are not being created automatically when

> the ts profile path is entered into the AD user object.

>

> The TS Home drive is working as normal, although it points to a different

> share on the same server, both shares have the same root level

> permissions.

>

> Profile path is set to....

>

> \\nae-ho-nas01\tsprofiles$\%username%

>

> TSProfile$ permissions are set as follows....

>

> SMB

>

> Administrator - Full Control

> Authenticated Users - Full Control

> Domain Admins - Full Control

>

> NTFS

>

> Administrator - Full Control (this folder only)

> Authenticated Users - Traverse, List, Read Att, Read Perm. (this folder

> only)

> Owner / Creator - Full Control (subfolder files only)

> Domain Admin - Full Control (folder only)

> System - Full Control (this folder only)

>

> Thanks for any help.

>

>

> "Richard Thompson" wrote:

>

>> I`ve just tested this on my test environment and it doesnt perform what

>> you

>> say! Are you sure you were configuring the Terminal Services Profile Path

>> and not the Terminal Services Home folder?

>>

>> Rt

>>

>>

>> "S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote in message

>> news:9B7254EA-0520-4D6C-9E0B-2D31A4F6E3E0@microsoft.com...

>> >I have a windows 2003 SP1 NAS Server.

>> >

>> > A TSProfile$ share was setup some months ago and permissions were set

>> > as

>> > per

>> > microsofts best practice. This has been working fine until today.

>> >

>> > Now when I create a new user and set the profile path, no folder is

>> > being

>> > created within the TSProfile$ share. I have gone over the permissions

>> > again

>> > and again but can see no issue.

>> >

>> > The users home drive is located on the same physical volume on a share

>> > called Home$ which has identical NTFS & SMB permissions and that works

>> > without issue. I have compared both shares again and again and see no

>> > differenace between the two.

>> >

>> > It only appears to be TSProfile that is affected.

>> >

>> > If I create the users profile folder manually then the profile is

>> > created

>> > and works. But I dont understand what has gone wrong. There are no

>> > errors

>> > and the event logs are not showing anything.

>> >

>> > Can anyone help?

>>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: TS User Profile Folders Not Being Created

 

I don't agree with you, Richard. This is perfectly possible and

should work.

When you set up a new user account and define a TS profile path,

the first time the user logs on, a copy of the Default User profile

on the TS is copied to the locally cached user profile on the TS.

When the user logs off, the local copy of the user profile is

copied to the TS profile path (and optionally deleted from the

server). I've never build a single profile for a new user, that's

not necessary.

 

S Sainsbury, I don't know why this suddenly stopped functioning.

The only troubleshooting technique that comes to mind is to enable

verbose logging of the user environment on the server, and check if

the userenv.log reveals what is going wrong.

 

221833 - How to enable user environment debug logging in retail

builds of Windows

http://support.microsoft.com/?kbid=221833

 

You could also (temporarily) enable security auditing of the TS

profile folder.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

"Richard Thompson" <sbc@thompson.co.za> wrote on 11 sep 2007 in

microsoft.public.windows.terminal_services:

> Hi,

>

> In my experience this is not and has never been possible. The

> terminal services profile is used to assign a profile to a user.

> Ie, you build the profile and then assign it to them, as in

> mandatory profiles!

>

> I`ve tested this on 2 environments now and come back with the

> same response on both. Perhaps someone else can come back with

> other advice.

>

> Rt

>

>

> "S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote in

> message

> news:915C92BF-2526-4E4E-AE47-26FB4C931D6E@microsoft.com...

>> Thanks for your response.

>>

>> Yes I do mean the terminal services profile path. Like I said

>> it was working fine for the last few months, brand new server.

>> Today however when

>> creating new accounts the folders are not being created

>> automatically when the ts profile path is entered into the AD

>> user object.

>>

>> The TS Home drive is working as normal, although it points to a

>> different share on the same server, both shares have the same

>> root level permissions.

>>

>> Profile path is set to....

>>

>> \\nae-ho-nas01\tsprofiles$\%username%

>>

>> TSProfile$ permissions are set as follows....

>>

>> SMB

>>

>> Administrator - Full Control

>> Authenticated Users - Full Control

>> Domain Admins - Full Control

>>

>> NTFS

>>

>> Administrator - Full Control (this folder only)

>> Authenticated Users - Traverse, List, Read Att, Read Perm.

>> (this folder only)

>> Owner / Creator - Full Control (subfolder files only)

>> Domain Admin - Full Control (folder only)

>> System - Full Control (this folder only)

>>

>> Thanks for any help.

>>

>>

>> "Richard Thompson" wrote:

>>

>>> I`ve just tested this on my test environment and it doesnt

>>> perform what you

>>> say! Are you sure you were configuring the Terminal Services

>>> Profile Path and not the Terminal Services Home folder?

>>>

>>> Rt

>>>

>>>

>>> "S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote in

>>> message

>>> news:9B7254EA-0520-4D6C-9E0B-2D31A4F6E3E0@microsoft.com...

>>> >I have a windows 2003 SP1 NAS Server.

>>> >

>>> > A TSProfile$ share was setup some months ago and permissions

>>> > were set as

>>> > per

>>> > microsofts best practice. This has been working fine until

>>> > today.

>>> >

>>> > Now when I create a new user and set the profile path, no

>>> > folder is being

>>> > created within the TSProfile$ share. I have gone over the

>>> > permissions again

>>> > and again but can see no issue.

>>> >

>>> > The users home drive is located on the same physical volume

>>> > on a share called Home$ which has identical NTFS & SMB

>>> > permissions and that works without issue. I have compared

>>> > both shares again and again and see no differenace between

>>> > the two.

>>> >

>>> > It only appears to be TSProfile that is affected.

>>> >

>>> > If I create the users profile folder manually then the

>>> > profile is created

>>> > and works. But I dont understand what has gone wrong.

>>> > There are no errors

>>> > and the event logs are not showing anything.

>>> >

>>> > Can anyone help?

Guest Richard Thompson

Guest Richard Thompson

Posted
Posted

Re: TS User Profile Folders Not Being Created

 

Hi Vera,

 

From reading the original post what S Sainsbury is doing is entering the

path in AD and clicking apply and then the folder was being created! Or

thats how I read it anyway! I agree the profile will be created in the path

you specify on first logon.

 

">>> Today however when

>>> creating new accounts the folders are not being created

>>> automatically when the ts profile path is entered into the AD

>>> user object"

 

Have you tried entering the path and signing on to create the folder?

 

Cheers

Rt

 

"Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote in message

news:Xns99A8DEBCD7Bveranoesthemutforsse@207.46.248.16...

>I don't agree with you, Richard. This is perfectly possible and

> should work.

> When you set up a new user account and define a TS profile path,

> the first time the user logs on, a copy of the Default User profile

> on the TS is copied to the locally cached user profile on the TS.

> When the user logs off, the local copy of the user profile is

> copied to the TS profile path (and optionally deleted from the

> server). I've never build a single profile for a new user, that's

> not necessary.

>

> S Sainsbury, I don't know why this suddenly stopped functioning.

> The only troubleshooting technique that comes to mind is to enable

> verbose logging of the user environment on the server, and check if

> the userenv.log reveals what is going wrong.

>

> 221833 - How to enable user environment debug logging in retail

> builds of Windows

> http://support.microsoft.com/?kbid=221833

>

> You could also (temporarily) enable security auditing of the TS

> profile folder.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> "Richard Thompson" <sbc@thompson.co.za> wrote on 11 sep 2007 in

> microsoft.public.windows.terminal_services:

>

>> Hi,

>>

>> In my experience this is not and has never been possible. The

>> terminal services profile is used to assign a profile to a user.

>> Ie, you build the profile and then assign it to them, as in

>> mandatory profiles!

>>

>> I`ve tested this on 2 environments now and come back with the

>> same response on both. Perhaps someone else can come back with

>> other advice.

>>

>> Rt

>>

>>

>> "S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote in

>> message

>> news:915C92BF-2526-4E4E-AE47-26FB4C931D6E@microsoft.com...

>>> Thanks for your response.

>>>

>>> Yes I do mean the terminal services profile path. Like I said

>>> it was working fine for the last few months, brand new server.

>>> Today however when

>>> creating new accounts the folders are not being created

>>> automatically when the ts profile path is entered into the AD

>>> user object.

>>>

>>> The TS Home drive is working as normal, although it points to a

>>> different share on the same server, both shares have the same

>>> root level permissions.

>>>

>>> Profile path is set to....

>>>

>>> \\nae-ho-nas01\tsprofiles$\%username%

>>>

>>> TSProfile$ permissions are set as follows....

>>>

>>> SMB

>>>

>>> Administrator - Full Control

>>> Authenticated Users - Full Control

>>> Domain Admins - Full Control

>>>

>>> NTFS

>>>

>>> Administrator - Full Control (this folder only)

>>> Authenticated Users - Traverse, List, Read Att, Read Perm.

>>> (this folder only)

>>> Owner / Creator - Full Control (subfolder files only)

>>> Domain Admin - Full Control (folder only)

>>> System - Full Control (this folder only)

>>>

>>> Thanks for any help.

>>>

>>>

>>> "Richard Thompson" wrote:

>>>

>>>> I`ve just tested this on my test environment and it doesnt

>>>> perform what you

>>>> say! Are you sure you were configuring the Terminal Services

>>>> Profile Path and not the Terminal Services Home folder?

>>>>

>>>> Rt

>>>>

>>>>

>>>> "S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote in

>>>> message

>>>> news:9B7254EA-0520-4D6C-9E0B-2D31A4F6E3E0@microsoft.com...

>>>> >I have a windows 2003 SP1 NAS Server.

>>>> >

>>>> > A TSProfile$ share was setup some months ago and permissions

>>>> > were set as

>>>> > per

>>>> > microsofts best practice. This has been working fine until

>>>> > today.

>>>> >

>>>> > Now when I create a new user and set the profile path, no

>>>> > folder is being

>>>> > created within the TSProfile$ share. I have gone over the

>>>> > permissions again

>>>> > and again but can see no issue.

>>>> >

>>>> > The users home drive is located on the same physical volume

>>>> > on a share called Home$ which has identical NTFS & SMB

>>>> > permissions and that works without issue. I have compared

>>>> > both shares again and again and see no differenace between

>>>> > the two.

>>>> >

>>>> > It only appears to be TSProfile that is affected.

>>>> >

>>>> > If I create the users profile folder manually then the

>>>> > profile is created

>>>> > and works. But I dont understand what has gone wrong.

>>>> > There are no errors

>>>> > and the event logs are not showing anything.

>>>> >

>>>> > Can anyone help?

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: TS User Profile Folders Not Being Created

 

Aaaah, yes, I never realized that you could read it that way, and

now it seems like the most plausable interpretation. And then I

agree 100% with you of course, Richard! Profiles are not created

the moment you define them in AD, but home directories are.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

"Richard Thompson" <sbc@thompson.co.za> wrote on 11 sep 2007 in

microsoft.public.windows.terminal_services:

> Hi Vera,

>

> From reading the original post what S Sainsbury is doing is

> entering the path in AD and clicking apply and then the folder

> was being created! Or thats how I read it anyway! I agree the

> profile will be created in the path you specify on first logon.

>

> ">>> Today however when

>>>> creating new accounts the folders are not being created

>>>> automatically when the ts profile path is entered into the AD

>>>> user object"

>

> Have you tried entering the path and signing on to create the

> folder?

>

> Cheers

> Rt

>

> "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote

> in message

> news:Xns99A8DEBCD7Bveranoesthemutforsse@207.46.248.16...

>>I don't agree with you, Richard. This is perfectly possible and

>> should work.

>> When you set up a new user account and define a TS profile

>> path, the first time the user logs on, a copy of the Default

>> User profile on the TS is copied to the locally cached user

>> profile on the TS. When the user logs off, the local copy of

>> the user profile is copied to the TS profile path (and

>> optionally deleted from the server). I've never build a single

>> profile for a new user, that's not necessary.

>>

>> S Sainsbury, I don't know why this suddenly stopped

>> functioning. The only troubleshooting technique that comes to

>> mind is to enable verbose logging of the user environment on

>> the server, and check if the userenv.log reveals what is going

>> wrong.

>>

>> 221833 - How to enable user environment debug logging in retail

>> builds of Windows

>> http://support.microsoft.com/?kbid=221833

>>

>> You could also (temporarily) enable security auditing of the TS

>> profile folder.

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> "Richard Thompson" <sbc@thompson.co.za> wrote on 11 sep 2007 in

>> microsoft.public.windows.terminal_services:

>>

>>> Hi,

>>>

>>> In my experience this is not and has never been possible. The

>>> terminal services profile is used to assign a profile to a

>>> user. Ie, you build the profile and then assign it to them, as

>>> in mandatory profiles!

>>>

>>> I`ve tested this on 2 environments now and come back with the

>>> same response on both. Perhaps someone else can come back with

>>> other advice.

>>>

>>> Rt

>>>

>>>

>>> "S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote in

>>> message

>>> news:915C92BF-2526-4E4E-AE47-26FB4C931D6E@microsoft.com...

>>>> Thanks for your response.

>>>>

>>>> Yes I do mean the terminal services profile path. Like I

>>>> said it was working fine for the last few months, brand new

>>>> server. Today however when

>>>> creating new accounts the folders are not being created

>>>> automatically when the ts profile path is entered into the AD

>>>> user object.

>>>>

>>>> The TS Home drive is working as normal, although it points to

>>>> a different share on the same server, both shares have the

>>>> same root level permissions.

>>>>

>>>> Profile path is set to....

>>>>

>>>> \\nae-ho-nas01\tsprofiles$\%username%

>>>>

>>>> TSProfile$ permissions are set as follows....

>>>>

>>>> SMB

>>>>

>>>> Administrator - Full Control

>>>> Authenticated Users - Full Control

>>>> Domain Admins - Full Control

>>>>

>>>> NTFS

>>>>

>>>> Administrator - Full Control (this folder only)

>>>> Authenticated Users - Traverse, List, Read Att, Read Perm.

>>>> (this folder only)

>>>> Owner / Creator - Full Control (subfolder files only)

>>>> Domain Admin - Full Control (folder only)

>>>> System - Full Control (this folder only)

>>>>

>>>> Thanks for any help.

>>>>

>>>>

>>>> "Richard Thompson" wrote:

>>>>

>>>>> I`ve just tested this on my test environment and it doesnt

>>>>> perform what you

>>>>> say! Are you sure you were configuring the Terminal Services

>>>>> Profile Path and not the Terminal Services Home folder?

>>>>>

>>>>> Rt

>>>>>

>>>>>

>>>>> "S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote

>>>>> in message

>>>>> news:9B7254EA-0520-4D6C-9E0B-2D31A4F6E3E0@microsoft.com...

>>>>> >I have a windows 2003 SP1 NAS Server.

>>>>> >

>>>>> > A TSProfile$ share was setup some months ago and

>>>>> > permissions were set as

>>>>> > per

>>>>> > microsofts best practice. This has been working fine

>>>>> > until today.

>>>>> >

>>>>> > Now when I create a new user and set the profile path, no

>>>>> > folder is being

>>>>> > created within the TSProfile$ share. I have gone over the

>>>>> > permissions again

>>>>> > and again but can see no issue.

>>>>> >

>>>>> > The users home drive is located on the same physical

>>>>> > volume on a share called Home$ which has identical NTFS &

>>>>> > SMB permissions and that works without issue. I have

>>>>> > compared both shares again and again and see no

>>>>> > differenace between the two.

>>>>> >

>>>>> > It only appears to be TSProfile that is affected.

>>>>> >

>>>>> > If I create the users profile folder manually then the

>>>>> > profile is created

>>>>> > and works. But I dont understand what has gone wrong.

>>>>> > There are no errors

>>>>> > and the event logs are not showing anything.

>>>>> >

>>>>> > Can anyone help?

Guest S Sainsbury

Guest S Sainsbury

Posted
Posted

Re: TS User Profile Folders Not Being Created

 

Thanks for your comments, your probably right, however I have tried to logon

with a test user, upon doing so i get a user environment error saying the

profile cant be accessed...... "Access Denied". Upon checking the profile

share, no profile folder has been created. Permissions wise I cant see an

issue. If I manually create a profile folder access denied errors still

appear.

 

I have changed the permissions on the share to allow authenticated full

control, as a test, this worked. However I dont understand why,

authenticated users previously had traverse, create and read attribute rights

and from all the MS documents I have read this should be all thats required.

 

What are your suggestions for authenticated user rights to allow profile

creation/use?

 

"Vera Noest [MVP]" wrote:

> Aaaah, yes, I never realized that you could read it that way, and

> now it seems like the most plausable interpretation. And then I

> agree 100% with you of course, Richard! Profiles are not created

> the moment you define them in AD, but home directories are.

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> "Richard Thompson" <sbc@thompson.co.za> wrote on 11 sep 2007 in

> microsoft.public.windows.terminal_services:

>

> > Hi Vera,

> >

> > From reading the original post what S Sainsbury is doing is

> > entering the path in AD and clicking apply and then the folder

> > was being created! Or thats how I read it anyway! I agree the

> > profile will be created in the path you specify on first logon.

> >

> > ">>> Today however when

> >>>> creating new accounts the folders are not being created

> >>>> automatically when the ts profile path is entered into the AD

> >>>> user object"

> >

> > Have you tried entering the path and signing on to create the

> > folder?

> >

> > Cheers

> > Rt

> >

> > "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se> wrote

> > in message

> > news:Xns99A8DEBCD7Bveranoesthemutforsse@207.46.248.16...

> >>I don't agree with you, Richard. This is perfectly possible and

> >> should work.

> >> When you set up a new user account and define a TS profile

> >> path, the first time the user logs on, a copy of the Default

> >> User profile on the TS is copied to the locally cached user

> >> profile on the TS. When the user logs off, the local copy of

> >> the user profile is copied to the TS profile path (and

> >> optionally deleted from the server). I've never build a single

> >> profile for a new user, that's not necessary.

> >>

> >> S Sainsbury, I don't know why this suddenly stopped

> >> functioning. The only troubleshooting technique that comes to

> >> mind is to enable verbose logging of the user environment on

> >> the server, and check if the userenv.log reveals what is going

> >> wrong.

> >>

> >> 221833 - How to enable user environment debug logging in retail

> >> builds of Windows

> >> http://support.microsoft.com/?kbid=221833

> >>

> >> You could also (temporarily) enable security auditing of the TS

> >> profile folder.

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> "Richard Thompson" <sbc@thompson.co.za> wrote on 11 sep 2007 in

> >> microsoft.public.windows.terminal_services:

> >>

> >>> Hi,

> >>>

> >>> In my experience this is not and has never been possible. The

> >>> terminal services profile is used to assign a profile to a

> >>> user. Ie, you build the profile and then assign it to them, as

> >>> in mandatory profiles!

> >>>

> >>> I`ve tested this on 2 environments now and come back with the

> >>> same response on both. Perhaps someone else can come back with

> >>> other advice.

> >>>

> >>> Rt

> >>>

> >>>

> >>> "S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote in

> >>> message

> >>> news:915C92BF-2526-4E4E-AE47-26FB4C931D6E@microsoft.com...

> >>>> Thanks for your response.

> >>>>

> >>>> Yes I do mean the terminal services profile path. Like I

> >>>> said it was working fine for the last few months, brand new

> >>>> server. Today however when

> >>>> creating new accounts the folders are not being created

> >>>> automatically when the ts profile path is entered into the AD

> >>>> user object.

> >>>>

> >>>> The TS Home drive is working as normal, although it points to

> >>>> a different share on the same server, both shares have the

> >>>> same root level permissions.

> >>>>

> >>>> Profile path is set to....

> >>>>

> >>>> \\nae-ho-nas01\tsprofiles$\%username%

> >>>>

> >>>> TSProfile$ permissions are set as follows....

> >>>>

> >>>> SMB

> >>>>

> >>>> Administrator - Full Control

> >>>> Authenticated Users - Full Control

> >>>> Domain Admins - Full Control

> >>>>

> >>>> NTFS

> >>>>

> >>>> Administrator - Full Control (this folder only)

> >>>> Authenticated Users - Traverse, List, Read Att, Read Perm.

> >>>> (this folder only)

> >>>> Owner / Creator - Full Control (subfolder files only)

> >>>> Domain Admin - Full Control (folder only)

> >>>> System - Full Control (this folder only)

> >>>>

> >>>> Thanks for any help.

> >>>>

> >>>>

> >>>> "Richard Thompson" wrote:

> >>>>

> >>>>> I`ve just tested this on my test environment and it doesnt

> >>>>> perform what you

> >>>>> say! Are you sure you were configuring the Terminal Services

> >>>>> Profile Path and not the Terminal Services Home folder?

> >>>>>

> >>>>> Rt

> >>>>>

> >>>>>

> >>>>> "S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote

> >>>>> in message

> >>>>> news:9B7254EA-0520-4D6C-9E0B-2D31A4F6E3E0@microsoft.com...

> >>>>> >I have a windows 2003 SP1 NAS Server.

> >>>>> >

> >>>>> > A TSProfile$ share was setup some months ago and

> >>>>> > permissions were set as

> >>>>> > per

> >>>>> > microsofts best practice. This has been working fine

> >>>>> > until today.

> >>>>> >

> >>>>> > Now when I create a new user and set the profile path, no

> >>>>> > folder is being

> >>>>> > created within the TSProfile$ share. I have gone over the

> >>>>> > permissions again

> >>>>> > and again but can see no issue.

> >>>>> >

> >>>>> > The users home drive is located on the same physical

> >>>>> > volume on a share called Home$ which has identical NTFS &

> >>>>> > SMB permissions and that works without issue. I have

> >>>>> > compared both shares again and again and see no

> >>>>> > differenace between the two.

> >>>>> >

> >>>>> > It only appears to be TSProfile that is affected.

> >>>>> >

> >>>>> > If I create the users profile folder manually then the

> >>>>> > profile is created

> >>>>> > and works. But I dont understand what has gone wrong.

> >>>>> > There are no errors

> >>>>> > and the event logs are not showing anything.

> >>>>> >

> >>>>> > Can anyone help?

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: TS User Profile Folders Not Being Created

 

OK, but then you have a real permission problem.

You need at least to add an ACL for CREATOR OWNER with Full

Control, so that users not only can create their profile folder,

but also receive Full Control over the profile they create.

 

Microsoft actually recommends to give all users Full Control on the

profile share, as documented here:

Create a roaming user profile

http://technet2.microsoft.com/windowsserver/en/library/ee39aec2-

efac-41b5-aba4-390116e660471033.mspx

 

When individual profiles are created in that shared folder,

permissions are not inherited, as with standard subfolders. Users

become the owners of their own profile folders and by default, no

other users (not even Administrators) have any permissions on

individual profiles. You can change this behaviour with the policy

setting:

 

Computer Configuration - Administrative templates - System - User

profiles

"Add the Administrators security group to roaming user profiles"

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?UyBTYWluc2J1cnk=?=

<SSainsbury@discussions.microsoft.com> wrote on 13 sep 2007 in

microsoft.public.windows.terminal_services:

> Thanks for your comments, your probably right, however I have

> tried to logon with a test user, upon doing so i get a user

> environment error saying the profile cant be accessed......

> "Access Denied". Upon checking the profile share, no profile

> folder has been created. Permissions wise I cant see an issue.

> If I manually create a profile folder access denied errors still

> appear.

>

> I have changed the permissions on the share to allow

> authenticated full control, as a test, this worked. However I

> dont understand why, authenticated users previously had

> traverse, create and read attribute rights and from all the MS

> documents I have read this should be all thats required.

>

> What are your suggestions for authenticated user rights to allow

> profile creation/use?

>

> "Vera Noest [MVP]" wrote:

>

>> Aaaah, yes, I never realized that you could read it that way,

>> and now it seems like the most plausable interpretation. And

>> then I agree 100% with you of course, Richard! Profiles are not

>> created the moment you define them in AD, but home directories

>> are.

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> "Richard Thompson" <sbc@thompson.co.za> wrote on 11 sep 2007 in

>> microsoft.public.windows.terminal_services:

>>

>> > Hi Vera,

>> >

>> > From reading the original post what S Sainsbury is doing is

>> > entering the path in AD and clicking apply and then the

>> > folder was being created! Or thats how I read it anyway! I

>> > agree the profile will be created in the path you specify on

>> > first logon.

>> >

>> > ">>> Today however when

>> >>>> creating new accounts the folders are not being created

>> >>>> automatically when the ts profile path is entered into the

>> >>>> AD user object"

>> >

>> > Have you tried entering the path and signing on to create the

>> > folder?

>> >

>> > Cheers

>> > Rt

>> >

>> > "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>

>> > wrote in message

>> > news:Xns99A8DEBCD7Bveranoesthemutforsse@207.46.248.16...

>> >>I don't agree with you, Richard. This is perfectly possible

>> >>and

>> >> should work.

>> >> When you set up a new user account and define a TS profile

>> >> path, the first time the user logs on, a copy of the Default

>> >> User profile on the TS is copied to the locally cached user

>> >> profile on the TS. When the user logs off, the local copy of

>> >> the user profile is copied to the TS profile path (and

>> >> optionally deleted from the server). I've never build a

>> >> single profile for a new user, that's not necessary.

>> >>

>> >> S Sainsbury, I don't know why this suddenly stopped

>> >> functioning. The only troubleshooting technique that comes

>> >> to mind is to enable verbose logging of the user environment

>> >> on the server, and check if the userenv.log reveals what is

>> >> going wrong.

>> >>

>> >> 221833 - How to enable user environment debug logging in

>> >> retail builds of Windows

>> >> http://support.microsoft.com/?kbid=221833

>> >>

>> >> You could also (temporarily) enable security auditing of the

>> >> TS profile folder.

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> ___ please respond in newsgroup, NOT by private email ___

>> >>

>> >> "Richard Thompson" <sbc@thompson.co.za> wrote on 11 sep 2007

>> >> in microsoft.public.windows.terminal_services:

>> >>

>> >>> Hi,

>> >>>

>> >>> In my experience this is not and has never been possible.

>> >>> The terminal services profile is used to assign a profile

>> >>> to a user. Ie, you build the profile and then assign it to

>> >>> them, as in mandatory profiles!

>> >>>

>> >>> I`ve tested this on 2 environments now and come back with

>> >>> the same response on both. Perhaps someone else can come

>> >>> back with other advice.

>> >>>

>> >>> Rt

>> >>>

>> >>>

>> >>> "S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote

>> >>> in message

>> >>> news:915C92BF-2526-4E4E-AE47-26FB4C931D6E@microsoft.com...

>> >>>> Thanks for your response.

>> >>>>

>> >>>> Yes I do mean the terminal services profile path. Like I

>> >>>> said it was working fine for the last few months, brand

>> >>>> new server. Today however when

>> >>>> creating new accounts the folders are not being created

>> >>>> automatically when the ts profile path is entered into the

>> >>>> AD user object.

>> >>>>

>> >>>> The TS Home drive is working as normal, although it points

>> >>>> to a different share on the same server, both shares have

>> >>>> the same root level permissions.

>> >>>>

>> >>>> Profile path is set to....

>> >>>>

>> >>>> \\nae-ho-nas01\tsprofiles$\%username%

>> >>>>

>> >>>> TSProfile$ permissions are set as follows....

>> >>>>

>> >>>> SMB

>> >>>>

>> >>>> Administrator - Full Control

>> >>>> Authenticated Users - Full Control

>> >>>> Domain Admins - Full Control

>> >>>>

>> >>>> NTFS

>> >>>>

>> >>>> Administrator - Full Control (this folder only)

>> >>>> Authenticated Users - Traverse, List, Read Att, Read Perm.

>> >>>> (this folder only)

>> >>>> Owner / Creator - Full Control (subfolder files only)

>> >>>> Domain Admin - Full Control (folder only)

>> >>>> System - Full Control (this folder only)

>> >>>>

>> >>>> Thanks for any help.

>> >>>>

>> >>>>

>> >>>> "Richard Thompson" wrote:

>> >>>>

>> >>>>> I`ve just tested this on my test environment and it

>> >>>>> doesnt perform what you

>> >>>>> say! Are you sure you were configuring the Terminal

>> >>>>> Services Profile Path and not the Terminal Services Home

>> >>>>> folder?

>> >>>>>

>> >>>>> Rt

>> >>>>>

>> >>>>>

>> >>>>> "S Sainsbury" <SSainsbury@discussions.microsoft.com>

>> >>>>> wrote in message

>> >>>>> news:9B7254EA-0520-4D6C-9E0B-2D31A4F6E3E0@microsoft.com...

>> >>>>> >I have a windows 2003 SP1 NAS Server.

>> >>>>> >

>> >>>>> > A TSProfile$ share was setup some months ago and

>> >>>>> > permissions were set as

>> >>>>> > per

>> >>>>> > microsofts best practice. This has been working fine

>> >>>>> > until today.

>> >>>>> >

>> >>>>> > Now when I create a new user and set the profile path,

>> >>>>> > no folder is being

>> >>>>> > created within the TSProfile$ share. I have gone over

>> >>>>> > the permissions again

>> >>>>> > and again but can see no issue.

>> >>>>> >

>> >>>>> > The users home drive is located on the same physical

>> >>>>> > volume on a share called Home$ which has identical NTFS

>> >>>>> > & SMB permissions and that works without issue. I have

>> >>>>> > compared both shares again and again and see no

>> >>>>> > differenace between the two.

>> >>>>> >

>> >>>>> > It only appears to be TSProfile that is affected.

>> >>>>> >

>> >>>>> > If I create the users profile folder manually then the

>> >>>>> > profile is created

>> >>>>> > and works. But I dont understand what has gone wrong.

>> >>>>> > There are no errors

>> >>>>> > and the event logs are not showing anything.

>> >>>>> >

>> >>>>> > Can anyone help?

Guest S Sainsbury

Guest S Sainsbury

Posted
Posted

Re: TS User Profile Folders Not Being Created

 

I managed to resolve this, but I find it strange. I had to set the share

permissions to allow "everyone" full control. Previously "Authenticated

Users" was the only group and it was set to full control. I dont see the

differance between the two, however by adding the Everyone group it resolved

the problem. The NTFS permissions were not an issue.

 

Thanks for your help.

 

"Vera Noest [MVP]" wrote:

> OK, but then you have a real permission problem.

> You need at least to add an ACL for CREATOR OWNER with Full

> Control, so that users not only can create their profile folder,

> but also receive Full Control over the profile they create.

>

> Microsoft actually recommends to give all users Full Control on the

> profile share, as documented here:

> Create a roaming user profile

> http://technet2.microsoft.com/windowsserver/en/library/ee39aec2-

> efac-41b5-aba4-390116e660471033.mspx

>

> When individual profiles are created in that shared folder,

> permissions are not inherited, as with standard subfolders. Users

> become the owners of their own profile folders and by default, no

> other users (not even Administrators) have any permissions on

> individual profiles. You can change this behaviour with the policy

> setting:

>

> Computer Configuration - Administrative templates - System - User

> profiles

> "Add the Administrators security group to roaming user profiles"

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?UyBTYWluc2J1cnk=?=

> <SSainsbury@discussions.microsoft.com> wrote on 13 sep 2007 in

> microsoft.public.windows.terminal_services:

>

> > Thanks for your comments, your probably right, however I have

> > tried to logon with a test user, upon doing so i get a user

> > environment error saying the profile cant be accessed......

> > "Access Denied". Upon checking the profile share, no profile

> > folder has been created. Permissions wise I cant see an issue.

> > If I manually create a profile folder access denied errors still

> > appear.

> >

> > I have changed the permissions on the share to allow

> > authenticated full control, as a test, this worked. However I

> > dont understand why, authenticated users previously had

> > traverse, create and read attribute rights and from all the MS

> > documents I have read this should be all thats required.

> >

> > What are your suggestions for authenticated user rights to allow

> > profile creation/use?

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> Aaaah, yes, I never realized that you could read it that way,

> >> and now it seems like the most plausable interpretation. And

> >> then I agree 100% with you of course, Richard! Profiles are not

> >> created the moment you define them in AD, but home directories

> >> are.

> >>

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> "Richard Thompson" <sbc@thompson.co.za> wrote on 11 sep 2007 in

> >> microsoft.public.windows.terminal_services:

> >>

> >> > Hi Vera,

> >> >

> >> > From reading the original post what S Sainsbury is doing is

> >> > entering the path in AD and clicking apply and then the

> >> > folder was being created! Or thats how I read it anyway! I

> >> > agree the profile will be created in the path you specify on

> >> > first logon.

> >> >

> >> > ">>> Today however when

> >> >>>> creating new accounts the folders are not being created

> >> >>>> automatically when the ts profile path is entered into the

> >> >>>> AD user object"

> >> >

> >> > Have you tried entering the path and signing on to create the

> >> > folder?

> >> >

> >> > Cheers

> >> > Rt

> >> >

> >> > "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>

> >> > wrote in message

> >> > news:Xns99A8DEBCD7Bveranoesthemutforsse@207.46.248.16...

> >> >>I don't agree with you, Richard. This is perfectly possible

> >> >>and

> >> >> should work.

> >> >> When you set up a new user account and define a TS profile

> >> >> path, the first time the user logs on, a copy of the Default

> >> >> User profile on the TS is copied to the locally cached user

> >> >> profile on the TS. When the user logs off, the local copy of

> >> >> the user profile is copied to the TS profile path (and

> >> >> optionally deleted from the server). I've never build a

> >> >> single profile for a new user, that's not necessary.

> >> >>

> >> >> S Sainsbury, I don't know why this suddenly stopped

> >> >> functioning. The only troubleshooting technique that comes

> >> >> to mind is to enable verbose logging of the user environment

> >> >> on the server, and check if the userenv.log reveals what is

> >> >> going wrong.

> >> >>

> >> >> 221833 - How to enable user environment debug logging in

> >> >> retail builds of Windows

> >> >> http://support.microsoft.com/?kbid=221833

> >> >>

> >> >> You could also (temporarily) enable security auditing of the

> >> >> TS profile folder.

> >> >> _________________________________________________________

> >> >> Vera Noest

> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> >> TS troubleshooting: http://ts.veranoest.net

> >> >> ___ please respond in newsgroup, NOT by private email ___

> >> >>

> >> >> "Richard Thompson" <sbc@thompson.co.za> wrote on 11 sep 2007

> >> >> in microsoft.public.windows.terminal_services:

> >> >>

> >> >>> Hi,

> >> >>>

> >> >>> In my experience this is not and has never been possible.

> >> >>> The terminal services profile is used to assign a profile

> >> >>> to a user. Ie, you build the profile and then assign it to

> >> >>> them, as in mandatory profiles!

> >> >>>

> >> >>> I`ve tested this on 2 environments now and come back with

> >> >>> the same response on both. Perhaps someone else can come

> >> >>> back with other advice.

> >> >>>

> >> >>> Rt

> >> >>>

> >> >>>

> >> >>> "S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote

> >> >>> in message

> >> >>> news:915C92BF-2526-4E4E-AE47-26FB4C931D6E@microsoft.com...

> >> >>>> Thanks for your response.

> >> >>>>

> >> >>>> Yes I do mean the terminal services profile path. Like I

> >> >>>> said it was working fine for the last few months, brand

> >> >>>> new server. Today however when

> >> >>>> creating new accounts the folders are not being created

> >> >>>> automatically when the ts profile path is entered into the

> >> >>>> AD user object.

> >> >>>>

> >> >>>> The TS Home drive is working as normal, although it points

> >> >>>> to a different share on the same server, both shares have

> >> >>>> the same root level permissions.

> >> >>>>

> >> >>>> Profile path is set to....

> >> >>>>

> >> >>>> \\nae-ho-nas01\tsprofiles$\%username%

> >> >>>>

> >> >>>> TSProfile$ permissions are set as follows....

> >> >>>>

> >> >>>> SMB

> >> >>>>

> >> >>>> Administrator - Full Control

> >> >>>> Authenticated Users - Full Control

> >> >>>> Domain Admins - Full Control

> >> >>>>

> >> >>>> NTFS

> >> >>>>

> >> >>>> Administrator - Full Control (this folder only)

> >> >>>> Authenticated Users - Traverse, List, Read Att, Read Perm.

> >> >>>> (this folder only)

> >> >>>> Owner / Creator - Full Control (subfolder files only)

> >> >>>> Domain Admin - Full Control (folder only)

> >> >>>> System - Full Control (this folder only)

> >> >>>>

> >> >>>> Thanks for any help.

> >> >>>>

> >> >>>>

> >> >>>> "Richard Thompson" wrote:

> >> >>>>

> >> >>>>> I`ve just tested this on my test environment and it

> >> >>>>> doesnt perform what you

> >> >>>>> say! Are you sure you were configuring the Terminal

> >> >>>>> Services Profile Path and not the Terminal Services Home

> >> >>>>> folder?

> >> >>>>>

> >> >>>>> Rt

> >> >>>>>

> >> >>>>>

> >> >>>>> "S Sainsbury" <SSainsbury@discussions.microsoft.com>

> >> >>>>> wrote in message

> >> >>>>> news:9B7254EA-0520-4D6C-9E0B-2D31A4F6E3E0@microsoft.com...

> >> >>>>> >I have a windows 2003 SP1 NAS Server.

> >> >>>>> >

> >> >>>>> > A TSProfile$ share was setup some months ago and

> >> >>>>> > permissions were set as

> >> >>>>> > per

> >> >>>>> > microsofts best practice. This has been working fine

> >> >>>>> > until today.

> >> >>>>> >

> >> >>>>> > Now when I create a new user and set the profile path,

> >> >>>>> > no folder is being

> >> >>>>> > created within the TSProfile$ share. I have gone over

> >> >>>>> > the permissions again

> >> >>>>> > and again but can see no issue.

> >> >>>>> >

> >> >>>>> > The users home drive is located on the same physical

> >> >>>>> > volume on a share called Home$ which has identical NTFS

> >> >>>>> > & SMB permissions and that works without issue. I have

> >> >>>>> > compared both shares again and again and see no

> >> >>>>> > differenace between the two.

> >> >>>>> >

> >> >>>>> > It only appears to be TSProfile that is affected.

> >> >>>>> >

> >> >>>>> > If I create the users profile folder manually then the

> >> >>>>> > profile is created

> >> >>>>> > and works. But I dont understand what has gone wrong.

> >> >>>>> > There are no errors

> >> >>>>> > and the event logs are not showing anything.

> >> >>>>> >

> >> >>>>> > Can anyone help?

>

Guest Vera Noest [MVP]

Guest Vera Noest [MVP]

Posted
Posted

Re: TS User Profile Folders Not Being Created

 

I'm glad that you've solved your problem, and thanks for reporting

the solution here!

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?UyBTYWluc2J1cnk=?=

<SSainsbury@discussions.microsoft.com> wrote on 14 sep 2007 in

microsoft.public.windows.terminal_services:

> I managed to resolve this, but I find it strange. I had to set

> the share permissions to allow "everyone" full control.

> Previously "Authenticated Users" was the only group and it was

> set to full control. I dont see the differance between the two,

> however by adding the Everyone group it resolved the problem.

> The NTFS permissions were not an issue.

>

> Thanks for your help.

>

> "Vera Noest [MVP]" wrote:

>

>> OK, but then you have a real permission problem.

>> You need at least to add an ACL for CREATOR OWNER with Full

>> Control, so that users not only can create their profile

>> folder, but also receive Full Control over the profile they

>> create.

>>

>> Microsoft actually recommends to give all users Full Control on

>> the profile share, as documented here:

>> Create a roaming user profile

>> http://technet2.microsoft.com/windowsserver/en/library/ee39aec2-

>> efac-41b5-aba4-390116e660471033.mspx

>>

>> When individual profiles are created in that shared folder,

>> permissions are not inherited, as with standard subfolders.

>> Users become the owners of their own profile folders and by

>> default, no other users (not even Administrators) have any

>> permissions on individual profiles. You can change this

>> behaviour with the policy setting:

>>

>> Computer Configuration - Administrative templates - System -

>> User profiles

>> "Add the Administrators security group to roaming user

>> profiles"

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?UyBTYWluc2J1cnk=?=

>> <SSainsbury@discussions.microsoft.com> wrote on 13 sep 2007 in

>> microsoft.public.windows.terminal_services:

>>

>> > Thanks for your comments, your probably right, however I have

>> > tried to logon with a test user, upon doing so i get a user

>> > environment error saying the profile cant be accessed......

>> > "Access Denied". Upon checking the profile share, no profile

>> > folder has been created. Permissions wise I cant see an

>> > issue. If I manually create a profile folder access denied

>> > errors still appear.

>> >

>> > I have changed the permissions on the share to allow

>> > authenticated full control, as a test, this worked. However

>> > I dont understand why, authenticated users previously had

>> > traverse, create and read attribute rights and from all the

>> > MS documents I have read this should be all thats required.

>> >

>> > What are your suggestions for authenticated user rights to

>> > allow profile creation/use?

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> >> Aaaah, yes, I never realized that you could read it that

>> >> way, and now it seems like the most plausable

>> >> interpretation. And then I agree 100% with you of course,

>> >> Richard! Profiles are not created the moment you define them

>> >> in AD, but home directories are.

>> >>

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> ___ please respond in newsgroup, NOT by private email ___

>> >>

>> >> "Richard Thompson" <sbc@thompson.co.za> wrote on 11 sep 2007

>> >> in microsoft.public.windows.terminal_services:

>> >>

>> >> > Hi Vera,

>> >> >

>> >> > From reading the original post what S Sainsbury is doing

>> >> > is entering the path in AD and clicking apply and then the

>> >> > folder was being created! Or thats how I read it anyway! I

>> >> > agree the profile will be created in the path you specify

>> >> > on first logon.

>> >> >

>> >> > ">>> Today however when

>> >> >>>> creating new accounts the folders are not being created

>> >> >>>> automatically when the ts profile path is entered into

>> >> >>>> the AD user object"

>> >> >

>> >> > Have you tried entering the path and signing on to create

>> >> > the folder?

>> >> >

>> >> > Cheers

>> >> > Rt

>> >> >

>> >> > "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>

>> >> > wrote in message

>> >> > news:Xns99A8DEBCD7Bveranoesthemutforsse@207.46.248.16...

>> >> >>I don't agree with you, Richard. This is perfectly

>> >> >>possible and

>> >> >> should work.

>> >> >> When you set up a new user account and define a TS

>> >> >> profile path, the first time the user logs on, a copy of

>> >> >> the Default User profile on the TS is copied to the

>> >> >> locally cached user profile on the TS. When the user logs

>> >> >> off, the local copy of the user profile is copied to the

>> >> >> TS profile path (and optionally deleted from the server).

>> >> >> I've never build a single profile for a new user, that's

>> >> >> not necessary.

>> >> >>

>> >> >> S Sainsbury, I don't know why this suddenly stopped

>> >> >> functioning. The only troubleshooting technique that

>> >> >> comes to mind is to enable verbose logging of the user

>> >> >> environment on the server, and check if the userenv.log

>> >> >> reveals what is going wrong.

>> >> >>

>> >> >> 221833 - How to enable user environment debug logging in

>> >> >> retail builds of Windows

>> >> >> http://support.microsoft.com/?kbid=221833

>> >> >>

>> >> >> You could also (temporarily) enable security auditing of

>> >> >> the TS profile folder.

>> >> >> _________________________________________________________

>> >> >> Vera Noest

>> >> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> >> TS troubleshooting: http://ts.veranoest.net

>> >> >> ___ please respond in newsgroup, NOT by private email ___

>> >> >>

>> >> >> "Richard Thompson" <sbc@thompson.co.za> wrote on 11 sep

>> >> >> 2007 in microsoft.public.windows.terminal_services:

>> >> >>

>> >> >>> Hi,

>> >> >>>

>> >> >>> In my experience this is not and has never been

>> >> >>> possible. The terminal services profile is used to

>> >> >>> assign a profile to a user. Ie, you build the profile

>> >> >>> and then assign it to them, as in mandatory profiles!

>> >> >>>

>> >> >>> I`ve tested this on 2 environments now and come back

>> >> >>> with the same response on both. Perhaps someone else can

>> >> >>> come back with other advice.

>> >> >>>

>> >> >>> Rt

>> >> >>>

>> >> >>>

>> >> >>> "S Sainsbury" <SSainsbury@discussions.microsoft.com>

>> >> >>> wrote in message

>> >> >>> news:915C92BF-2526-4E4E-AE47-26FB4C931D6E@microsoft.com..

>> >> >>> .

>> >> >>>> Thanks for your response.

>> >> >>>>

>> >> >>>> Yes I do mean the terminal services profile path. Like

>> >> >>>> I said it was working fine for the last few months,

>> >> >>>> brand new server. Today however when

>> >> >>>> creating new accounts the folders are not being created

>> >> >>>> automatically when the ts profile path is entered into

>> >> >>>> the AD user object.

>> >> >>>>

>> >> >>>> The TS Home drive is working as normal, although it

>> >> >>>> points to a different share on the same server, both

>> >> >>>> shares have the same root level permissions.

>> >> >>>>

>> >> >>>> Profile path is set to....

>> >> >>>>

>> >> >>>> \\nae-ho-nas01\tsprofiles$\%username%

>> >> >>>>

>> >> >>>> TSProfile$ permissions are set as follows....

>> >> >>>>

>> >> >>>> SMB

>> >> >>>>

>> >> >>>> Administrator - Full Control

>> >> >>>> Authenticated Users - Full Control

>> >> >>>> Domain Admins - Full Control

>> >> >>>>

>> >> >>>> NTFS

>> >> >>>>

>> >> >>>> Administrator - Full Control (this folder only)

>> >> >>>> Authenticated Users - Traverse, List, Read Att, Read

>> >> >>>> Perm. (this folder only)

>> >> >>>> Owner / Creator - Full Control (subfolder files only)

>> >> >>>> Domain Admin - Full Control (folder only)

>> >> >>>> System - Full Control (this folder only)

>> >> >>>>

>> >> >>>> Thanks for any help.

>> >> >>>>

>> >> >>>>

>> >> >>>> "Richard Thompson" wrote:

>> >> >>>>

>> >> >>>>> I`ve just tested this on my test environment and it

>> >> >>>>> doesnt perform what you

>> >> >>>>> say! Are you sure you were configuring the Terminal

>> >> >>>>> Services Profile Path and not the Terminal Services

>> >> >>>>> Home folder?

>> >> >>>>>

>> >> >>>>> Rt

>> >> >>>>>

>> >> >>>>>

>> >> >>>>> "S Sainsbury" <SSainsbury@discussions.microsoft.com>

>> >> >>>>> wrote in message

>> >> >>>>> news:9B7254EA-0520-4D6C-9E0B-2D31A4F6E3E0@microsoft.com

>> >> >>>>> ...

>> >> >>>>> >I have a windows 2003 SP1 NAS Server.

>> >> >>>>> >

>> >> >>>>> > A TSProfile$ share was setup some months ago and

>> >> >>>>> > permissions were set as

>> >> >>>>> > per

>> >> >>>>> > microsofts best practice. This has been working

>> >> >>>>> > fine until today.

>> >> >>>>> >

>> >> >>>>> > Now when I create a new user and set the profile

>> >> >>>>> > path, no folder is being

>> >> >>>>> > created within the TSProfile$ share. I have gone

>> >> >>>>> > over the permissions again

>> >> >>>>> > and again but can see no issue.

>> >> >>>>> >

>> >> >>>>> > The users home drive is located on the same physical

>> >> >>>>> > volume on a share called Home$ which has identical

>> >> >>>>> > NTFS & SMB permissions and that works without issue.

>> >> >>>>> > I have compared both shares again and again and see

>> >> >>>>> > no differenace between the two.

>> >> >>>>> >

>> >> >>>>> > It only appears to be TSProfile that is affected.

>> >> >>>>> >

>> >> >>>>> > If I create the users profile folder manually then

>> >> >>>>> > the profile is created

>> >> >>>>> > and works. But I dont understand what has gone

>> >> >>>>> > wrong. There are no errors

>> >> >>>>> > and the event logs are not showing anything.

>> >> >>>>> >

>> >> >>>>> > Can anyone help?

Guest Hank Arnold (MVP)

Guest Hank Arnold (MVP)

Posted
Posted

Re: TS User Profile Folders Not Being Created

 

S Sainsbury wrote:

> I managed to resolve this, but I find it strange. I had to set the share

> permissions to allow "everyone" full control. Previously "Authenticated

> Users" was the only group and it was set to full control. I dont see the

> differance between the two, however by adding the Everyone group it resolved

> the problem. The NTFS permissions were not an issue.

>

> Thanks for your help.

>

 

I'd prefer that you add "Domain Users" instead of "everyone". Should

accomplish the same thing and be a bit more secure....

 

--

 

Regards,

Hank Arnold

Microsoft MVP

Windows Server - Directory Services

  • 3 weeks later...
Guest Frank B

Guest Frank B

Posted
Posted

Re: TS User Profile Folders Not Being Created

 

We have been noticing this issue in our environment also. We have Win2K3 AD

running Win2K Mixed Mode with NT4Emulator still enabled. :o( Our profile

server is running Win2K, latest SPs and HFs, as are our terminal servers.

About two or three months ago the profile folder creation just stopped

working. I tried the fix listed above with no improvement, I had the share

perms set to Domain Users originally.

 

I see nothing in any Event Logs, so I guess I'll check out KB 221833 to see

if I can catch anything that way.

 

"Hank Arnold (MVP)" wrote:

> S Sainsbury wrote:

> > I managed to resolve this, but I find it strange. I had to set the share

> > permissions to allow "everyone" full control. Previously "Authenticated

> > Users" was the only group and it was set to full control. I dont see the

> > differance between the two, however by adding the Everyone group it resolved

> > the problem. The NTFS permissions were not an issue.

> >

> > Thanks for your help.

> >

>

> I'd prefer that you add "Domain Users" instead of "everyone". Should

> accomplish the same thing and be a bit more secure....

>

> --

>

> Regards,

> Hank Arnold

> Microsoft MVP

> Windows Server - Directory Services

>

 Share
Go to topic listing
×
×
  • Create New...