Re: TS User Profile Folders Not Being Created
OK, but then you have a real permission problem.
You need at least to add an ACL for CREATOR OWNER with Full
Control, so that users not only can create their profile folder,
but also receive Full Control over the profile they create.
Microsoft actually recommends to give all users Full Control on the
profile share, as documented here:
Create a roaming user profile
http://technet2.microsoft.com/windowsserver/en/library/ee39aec2-
efac-41b5-aba4-390116e660471033.mspx
When individual profiles are created in that shared folder,
permissions are not inherited, as with standard subfolders. Users
become the owners of their own profile folders and by default, no
other users (not even Administrators) have any permissions on
individual profiles. You can change this behaviour with the policy
setting:
Computer Configuration - Administrative templates - System - User
profiles
"Add the Administrators security group to roaming user profiles"
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:
http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
=?Utf-8?B?UyBTYWluc2J1cnk=?=
<SSainsbury@discussions.microsoft.com> wrote on 13 sep 2007 in
microsoft.public.windows.terminal_services:
> Thanks for your comments, your probably right, however I have
> tried to logon with a test user, upon doing so i get a user
> environment error saying the profile cant be accessed......
> "Access Denied". Upon checking the profile share, no profile
> folder has been created. Permissions wise I cant see an issue.
> If I manually create a profile folder access denied errors still
> appear.
>
> I have changed the permissions on the share to allow
> authenticated full control, as a test, this worked. However I
> dont understand why, authenticated users previously had
> traverse, create and read attribute rights and from all the MS
> documents I have read this should be all thats required.
>
> What are your suggestions for authenticated user rights to allow
> profile creation/use?
>
> "Vera Noest [MVP]" wrote:
>
>> Aaaah, yes, I never realized that you could read it that way,
>> and now it seems like the most plausable interpretation. And
>> then I agree 100% with you of course, Richard! Profiles are not
>> created the moment you define them in AD, but home directories
>> are.
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> "Richard Thompson" <sbc@thompson.co.za> wrote on 11 sep 2007 in
>> microsoft.public.windows.terminal_services:
>>
>> > Hi Vera,
>> >
>> > From reading the original post what S Sainsbury is doing is
>> > entering the path in AD and clicking apply and then the
>> > folder was being created! Or thats how I read it anyway! I
>> > agree the profile will be created in the path you specify on
>> > first logon.
>> >
>> > ">>> Today however when
>> >>>> creating new accounts the folders are not being created
>> >>>> automatically when the ts profile path is entered into the
>> >>>> AD user object"
>> >
>> > Have you tried entering the path and signing on to create the
>> > folder?
>> >
>> > Cheers
>> > Rt
>> >
>> > "Vera Noest [MVP]" <vera.noest@remove-this.hem.utfors.se>
>> > wrote in message
>> > news:Xns99A8DEBCD7Bveranoesthemutforsse@207.46.248.16...
>> >>I don't agree with you, Richard. This is perfectly possible
>> >>and
>> >> should work.
>> >> When you set up a new user account and define a TS profile
>> >> path, the first time the user logs on, a copy of the Default
>> >> User profile on the TS is copied to the locally cached user
>> >> profile on the TS. When the user logs off, the local copy of
>> >> the user profile is copied to the TS profile path (and
>> >> optionally deleted from the server). I've never build a
>> >> single profile for a new user, that's not necessary.
>> >>
>> >> S Sainsbury, I don't know why this suddenly stopped
>> >> functioning. The only troubleshooting technique that comes
>> >> to mind is to enable verbose logging of the user environment
>> >> on the server, and check if the userenv.log reveals what is
>> >> going wrong.
>> >>
>> >> 221833 - How to enable user environment debug logging in
>> >> retail builds of Windows
>> >> http://support.microsoft.com/?kbid=221833
>> >>
>> >> You could also (temporarily) enable security auditing of the
>> >> TS profile folder.
>> >> _________________________________________________________
>> >> Vera Noest
>> >> MCSE, CCEA, Microsoft MVP - Terminal Server
>> >> TS troubleshooting: http://ts.veranoest.net
>> >> ___ please respond in newsgroup, NOT by private email ___
>> >>
>> >> "Richard Thompson" <sbc@thompson.co.za> wrote on 11 sep 2007
>> >> in microsoft.public.windows.terminal_services:
>> >>
>> >>> Hi,
>> >>>
>> >>> In my experience this is not and has never been possible.
>> >>> The terminal services profile is used to assign a profile
>> >>> to a user. Ie, you build the profile and then assign it to
>> >>> them, as in mandatory profiles!
>> >>>
>> >>> I`ve tested this on 2 environments now and come back with
>> >>> the same response on both. Perhaps someone else can come
>> >>> back with other advice.
>> >>>
>> >>> Rt
>> >>>
>> >>>
>> >>> "S Sainsbury" <SSainsbury@discussions.microsoft.com> wrote
>> >>> in message
>> >>> news:915C92BF-2526-4E4E-AE47-26FB4C931D6E@microsoft.com...
>> >>>> Thanks for your response.
>> >>>>
>> >>>> Yes I do mean the terminal services profile path. Like I
>> >>>> said it was working fine for the last few months, brand
>> >>>> new server. Today however when
>> >>>> creating new accounts the folders are not being created
>> >>>> automatically when the ts profile path is entered into the
>> >>>> AD user object.
>> >>>>
>> >>>> The TS Home drive is working as normal, although it points
>> >>>> to a different share on the same server, both shares have
>> >>>> the same root level permissions.
>> >>>>
>> >>>> Profile path is set to....
>> >>>>
>> >>>> \\nae-ho-nas01\tsprofiles$\%username%
>> >>>>
>> >>>> TSProfile$ permissions are set as follows....
>> >>>>
>> >>>> SMB
>> >>>>
>> >>>> Administrator - Full Control
>> >>>> Authenticated Users - Full Control
>> >>>> Domain Admins - Full Control
>> >>>>
>> >>>> NTFS
>> >>>>
>> >>>> Administrator - Full Control (this folder only)
>> >>>> Authenticated Users - Traverse, List, Read Att, Read Perm.
>> >>>> (this folder only)
>> >>>> Owner / Creator - Full Control (subfolder files only)
>> >>>> Domain Admin - Full Control (folder only)
>> >>>> System - Full Control (this folder only)
>> >>>>
>> >>>> Thanks for any help.
>> >>>>
>> >>>>
>> >>>> "Richard Thompson" wrote:
>> >>>>
>> >>>>> I`ve just tested this on my test environment and it
>> >>>>> doesnt perform what you
>> >>>>> say! Are you sure you were configuring the Terminal
>> >>>>> Services Profile Path and not the Terminal Services Home
>> >>>>> folder?
>> >>>>>
>> >>>>> Rt
>> >>>>>
>> >>>>>
>> >>>>> "S Sainsbury" <SSainsbury@discussions.microsoft.com>
>> >>>>> wrote in message
>> >>>>> news:9B7254EA-0520-4D6C-9E0B-2D31A4F6E3E0@microsoft.com...
>> >>>>> >I have a windows 2003 SP1 NAS Server.
>> >>>>> >
>> >>>>> > A TSProfile$ share was setup some months ago and
>> >>>>> > permissions were set as
>> >>>>> > per
>> >>>>> > microsofts best practice. This has been working fine
>> >>>>> > until today.
>> >>>>> >
>> >>>>> > Now when I create a new user and set the profile path,
>> >>>>> > no folder is being
>> >>>>> > created within the TSProfile$ share. I have gone over
>> >>>>> > the permissions again
>> >>>>> > and again but can see no issue.
>> >>>>> >
>> >>>>> > The users home drive is located on the same physical
>> >>>>> > volume on a share called Home$ which has identical NTFS
>> >>>>> > & SMB permissions and that works without issue. I have
>> >>>>> > compared both shares again and again and see no
>> >>>>> > differenace between the two.
>> >>>>> >
>> >>>>> > It only appears to be TSProfile that is affected.
>> >>>>> >
>> >>>>> > If I create the users profile folder manually then the
>> >>>>> > profile is created
>> >>>>> > and works. But I dont understand what has gone wrong.
>> >>>>> > There are no errors
>> >>>>> > and the event logs are not showing anything.
>> >>>>> >
>> >>>>> > Can anyone help? 
( Our profile