# Roaming Profiles Issue



## beeblebrox (Sep 9, 2010)

Hi folks,

I have a problem with Roaming Profiles here in the office that I'm struggling with because A) I just started this job on monday and B) After over 10 years in support, I've never had to deal with Roaming Profiles before.

Basically, whenever anyone logs off on any computer in the building with get an error saying that the Roaming Profile could not be updated. There are 2 entries created in the Application Log.

The first is Event ID 1509. "Windows cannot copy file c:\documents and settings\username\ntuser.tmp to locations \\serverip\profiles\staff\username\ntuser.dat. Possible causes of this error include network problems or insufficient security rights. DETAIL - Access is Denied". Source is Userenv.

The second entry is Event ID 1504. "Windows cannot update your roaming profile. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator. DETAIL - Access is Denied" Same source.

Now I have tested a little with my own profile and saved files in the redirected My Documents seem to be transferring. But as I say, I have NO EXPERIENCE with roaming profiles so if anyone has any ideas, talk to me like I'm a child. Its hard enough getting used to a new system without this as well.


----------



## 2xg (Aug 5, 2009)

Hello and Welcome to TSF!

What type and version of Windows Server do you have? SBS2003, Windows 2008?


----------



## djaburg (May 15, 2008)

Sounds to me like a permissions issue with the directory that is hosting the profiles. Has this been going on all along or is this a new issue?

Check here for permissions recommendations from MS.


----------



## beeblebrox (Sep 9, 2010)

Thanks for the replies folks, and the welcome.

Both the DC server and the app server where the profiles are stored are Windows 2003 Standard Edition.

I had been looking at the permissions before I posted here and found one odd thing. First of all there are 2 different sets of folders, one for the profiles themselves and another for user shared drives. Each member of staff has a folder in both sections. All those folders are held in a folder called "Staff". The profile folders are then held in a shared folder called "Profiles" and the network drive folders and held in a shared folder called "home". 

So the path for the Profiles folders is 

\Profiles\staff\#staffmember#

And the path for each network drive is 

\home\staff\#staffmember#

Both the "home" and "profiles" folder are then shared out. NTFS permissions on each folder are as follows

Profiles:
Administrators - Full Control
"All Staff" security group - Read & Exectute
"All Students" security group - Read & Exectute (we're a college, there's a seperate student folder in here too for their roaming profiles)
System - Full Control

Home:
Administrators - Full Control
"All Staff" group - Special Permissions (seems set to Traverse/Execute Folder, List/Read Data, Read Attribs, Read Extended Attribs, Read Permissions)
System - Full Control.

However, in both Share Permissions there is only one listing. It is "Authenticated Users" I can't find this anywhere on AD and if I go to Add a new user to these permissions (Click Add, Advanced, Find now so that all users and groups appear in the search), this entry has no "In Folder" details or anything else. So Maybe this is the problem, maybe there should be a different security group added in here. What do you think?

I can add security details for the subfolders if that will help.

Thanks.


----------



## djaburg (May 15, 2008)

If you think about it, all staff have read and execute (for profiles), not write permissions, therefore they could never save changes. Make sure you take a look at the link I provided where MS has their suggested permissions listed.


----------



## Maz_- (Nov 4, 2008)

Well spotted Djaburg!! ray:


----------



## beeblebrox (Sep 9, 2010)

Hi Guys, 

I've not been ignoring this thread, just more pressing things have come up in the office. I tried tinkering with the permissions as above, to no avail though. I'll look closer again

thanks.


----------

