Roaming Profiles on NSS

Similar Messages

• Roaming Profile are not stored completely

  Hello NG
  In our environment we work with NWClient 2 SP1 IR9, ZCM11 SP1a and Roaming
  profile is activated by a ZCM policy.
  Now we have the problem, that when a user logout from the workstation, the
  roaming profile is not stored completely to the home profile. Strange is,
  that the ntuser.dat has an updated times
  The homedirectory where the roaming profiles should be stored is a NSS
  volume.
  On the workstation evenviewer i saw following interesting information.
  Event ID 1509
  Source \\?\C:\Users\MichelB\Favorites\Links
  Target \\?\UNC\SERVER2$NOCSC$\HOMEL\USERS/MichelB\Windows NT 6.1 Workstation
  Profile.V2\Favorites\Links
  Error The system can not found the path
  Source \\?\C:\Users\MichelB\Favorites
  Target \\?\UNC\SERVER2$NOCSC$\HOMEL\USERS/MichelB\Windows NT 6.1 Workstation
  Profile.V2\Favorites
  Error The system can not found the path
  etc. this happens for all folders in the profile path.
  Then event ID 1534 is diplayed that says there was too many copy errors.....
  And at last the Event ID 1504 that says that the roaming profile couldn't be
  updated completely
  I suppose that here the Novell Client has problems to write to the NSS
  volume
  Somebody can help me to solve this issue?

  Originally Posted by breezer
  -keeping the thread alive-
  We have been doing extensive testing here and have found (win7) that the local user & profile created by zcm is not properly removed after a user logs out.
  We have found up to 40 student user accounts in the LRC machines when doing a net user and the equivalent c:\user\<username>, there are also <username>-<machinename>.001/2/3 directories as well.
  I use volatile accounts, [setting] using existing account or not doesn't make any difference.
  I can demonstrate that clearing down local profiles (net user <username> /delete and rd c:\users\<username>) allows the user to log in again without any issues, but usually they can do this only once or twice before the profile blows out.
  Our students are very mobile and a typical day will be 9.00-10.00 lessons, 10.00-10.30 LRC, 10.30-12.30 lessons (different class room) ........
  This was identified in September when the students returned from break and we have had the issues for nearly 4 months.
  Our machines are built via zen imaging, the client and agent are then installed with the appropriate enabling software for the machine (zoomtext/jaws/dragon/read&write).
  Can anybody give me any pointers on this as my tech support and novell (via a SR) have not yet been able to pin point the problem and provide a fix.
  Breezer
  Try Knowlegebase 7940698, that might lead you the right way?

• Alternatives to using Zenworks for Roaming Profiles

  Novell support tells me I should be using a dedicated Server for Zenworks
  This would be a real over kill!
  So, are there any alternatives to using Zenworks for Roaming profiles?
  Googeling I see SAMBA can support Roaming Profiles
  Samba is installed & I created Samba users via SBE Admin but when I select
  Samba Administration - seems to be no details ie. users, workgroup name etc?
  Is Novell Samba differently?
  Is it possible setup Roaming Profiles with Novell Samba?

  I'm gonna attempt this with a couple of scripts - (one added to login script
  & the other at shutdown)
  to copy Desktop & Favorites - already told users they will be shot if the
  they put files in my docs!
  (It would be nice to do Desktop Colour / Image etc so the user feels at home
  but...)
  "W_ Prindl" <[email protected]> wrote in message
  news:[email protected]...
  > Although I use OWS SBE I never use the integrated Simba tools, etc. I
  > install everything using the standard non SBE methods. So I don't know
  > if you installed SLES Samba or OES ( = Novell) Samba. Of course Novell
  > Samba is different from plain Samba as it provides integrated
  > Edirectory logon and - if using NSS volumes - transparent consistent
  > file access rights.
  >
  > For Novell Samba your users have to be LUM enabled.
  >
  > But roaming profiles should work regardless of the Samba server in use.
  > But of course - if you do not have a common configuration source such
  > as a domain or Zenworks - you will have to configure your roaming ( =
  > server-stored) profiles locally at each PC for each user individually.
  > Should be possible in a 10 users/10 PCs environment - but that are 100
  > configuration entries just for this feature.
  >
  > BTW I have Zenworks and Groupwise running on the same server in a small
  > setup similar to yours.
  >
  > Only negative thing with Zenworks Configuration Management is, that it
  > is a real resource hog at the client side. Recent dual core or quad
  > core processor PCs have no problem, but older dual cores and single
  > cores come really to a halt with the Zenworks Agent.
  > --
  > W. Prindl
  >
  >
  > Chris wrote:
  >
  >>Novell support tells me I should be using a dedicated Server for
  >>Zenworks This would be a real over kill!
  >>
  >>So, are there any alternatives to using Zenworks for Roaming profiles?
  >>
  >>Googeling I see SAMBA can support Roaming Profiles
  >>
  >>Samba is installed & I created Samba users via SBE Admin but when I
  >>select Samba Administration - seems to be no details ie. users,
  >>workgroup name etc?
  >>
  >>Is Novell Samba differently?
  >>
  >>Is it possible setup Roaming Profiles with Novell Samba?

• Roaming profiles in Linux

  Hey all,
  If you use roaming profiles in windows and your expecting someday
  to use them in Linux, you had better speak up.
  Novell tells me that there are no plans to create a roaming profile
  setup for NCL.
  So if you want this feature post here!
  this feature is important even if you don't roam,
  if you want your "documents" folder to be stored on the network
  without reconfigureing open office and a host of other programs
  to use a different location to store things in
  then putting your profile in your home directory is a must.
  why have a documents folder created with a user if you can't
  get to anything in it unless you are logged in to the same pc it was
  created on? I know you can use ifolder to sync this folder to your
  netstorage location but what if you don't use ifolder.

  Well then, honestly said I cannot understand, why Novell thinks that it is sustainable not to
  implement the Romaing Profile feature.
  By frequent reading of these forums I know that you are trying to place the linux home
  directories on ressources provided by the Novell Linux Client by manupulation of the pam.d
  scripts. Since I do not use Novell's linux distribution on my clients, but Gentoo Linux, it was
  already a special challenge to put the Novell Client into operation at all. Standing on shaky
  ground I abstained from trying something similar as you do. Instead I additionally export a NSS
  share on Netware by NFS. However this solution is neither absolute stable nor secure and was
  initially meant as temporary solution... Therefore I ran scared reading that Novell called off
  support.
  Jokes aside, linux is still in short supply: On one side they preach the linux transfer and on the
  other side people coming from linux world are bemused at best after surviving the examination
  ordeal. For example the NSS kernel module of the OES SP2 Linux server has a serious bug
  preventing the export of NSS shares by NFS without error. Now ask yourself: Does Novell really
  think that people are willing to establish a heterogeneous environment not only with the servers,
  but also with the clients? Well, I can tell you, it does not make fun.
  Cheers,
  Torsten
  > Hey all,
  > If you use roaming profiles in windows and your expecting someday
  > to use them in Linux, you had better speak up.
  > Novell tells me that there are no plans to create a roaming profile
  > setup for NCL.
  > So if you want this feature post here!
  > this feature is important even if you don't roam,
  > if you want your "documents" folder to be stored on the network
  > without reconfigureing open office and a host of other programs
  > to use a different location to store things in
  > then putting your profile in your home directory is a must.
  > why have a documents folder created with a user if you can't
  > get to anything in it unless you are logged in to the same pc it was
  > created on? I know you can use ifolder to sync this folder to your
  > netstorage location but what if you don't use ifolder.
  >
  >

• How to set up roaming profile on Macs using AD like in windows

  I can bind the workstations to the domain fine.. But can someone direct me to instructions of how to set up the roaming profiles ?
  What steps do I need on the server ? This is what I've done so far.
  I already have OU's for the departments and the users have a shared folder inside their department folder.... \\server\shared_folder\user
  I have done the usual things with AD as far as the profile settings on the windows server.
  Am currently running Mac OS 10.5 and above
  My windows AD runs on windows server 2008
  All my windows workstation are able to use roaming profile without a problem.
  So far i have tried the so many avenues including..
  Make sure the Mac systems are joined to the domain controller and an ADS user can log on successfully. Use "Directory Utility" under "Utilities" menu to join the system to the domain.
  Backup all the contents from /Users to the storage or somewhere locally.
  Configure automount - Go to "Utilities" -> "Directory Utility" - Select the domain and click "Show advanced options" - Click "Mounts" tab and add automount as mentioned below. Remote NFS URL: nfs://server_name/share_name/path/to/profile/directory Mount location: /Users Additional mount parameters: -P,-T Apply the settings and this will mount the remote shared folder or we can name it as Roaming Profile Space - under /Users directory
  Enable roaming profile - Go to "Utilities" -> "Directory Utility" - Select the domain and click "Show advanced options" - Click "Services" -> Select "Active Directory" and click "Show advanced option" - Click "User experience" tab and select the option "Create mobile account at login".
  Reboot the system and log in as any ADS user. The Roaming shared folder will be mounted and the user profile will be created on the shared folder
  Can anyone kindly assist me

  Hi Guys, anyone with the Soln...or Tips..Am waiting

• Tablet 2 won't upload roaming profile

  Tablet 2, Windows 8 Pro (factory installed), AD domain member, user account with roaming profile.
  The OS will download my roaming profile when I log in, but refuses to upload it back to the server when I log off. I've installed Windows 8 (Enterprise) from scratch on two other computers (a Dell laptop and a Lenovo W500 laptop), and on those machines, the roaming profile works correctly. Has anybody else seen this behavior?
  Bob

  Have you tried to export to the "camera roll", and then try to export to you tube from the photos app?

• Windows Domain Controller on Windows Server 2012 R2: Hyper-V roaming profiles not loading due to slow connection

  I have racked my brain and done everything that I know to do for about two weeks now.  I am setting up a new system at our fire department and I am having the worst luck with getting the workstations to login to the domain controller with roaming
  profiles.  It keeps telling me that the roaming profile could not be loaded because of a slow connection.  These are workstations that are connected directly to the switch that the DC is connected to.  I have tried multiple connections regarding
  the layout (DC into the router, router into the switch).  The router is a Cisco RV220W.  I have two VLANS, one for public and one for private domain.  The Private VLAN has DHCP turned off since I am providing it through the DC.  I currently
  have a connection from the Private VLAN going to the unmanaged switch that the workstations and server are plugged into.
  The server is a Dell PowerEdge R420 that has 6 NIC ports (1 dual port and 1 quad port).  I have a virtual switch setup on Hyper-V for an external port (let's say Card 2 Port 3) that is assigned to the WS 2012R2 Domain Controller.  The DC can see
  the internet fine and the workstations can connect to the shared folders on the server.  I can retrieve files by just using the computer name or FQDN.  The DC is also running DNS and DHCP.  The DNS has the _msdcs setup from when I installed
  the active directory role.  I have attempted to assign static IP addresses to the workstations:
  IP:                     10.0.0.80
  Subnet:             255.255.255.0
  IPV4 Gateway:  10.0.0.1
  IPV4 DNS:        10.0.0.12
  I've attempted "append the specific DNS suffix", I've "registered the connection in DNS", I've used "use this connections suffix in DNS registration".
  The server is assigned:
  IP:                     10.0.0.12
  Subnet:             255.255.255.0
  IPV4 Gateway:  10.0.0.1
  IPV4 DNS:         10.0.0.12
  The DNS entries have forwarders that forward to my ISP DNS servers for lookup
  I've enabled and disabled DHCP, I've installed a new VM just to create another DC to make sure that I didn't goof up when I created it.
  I've lost my patience with this project and am sinking fast.  Can someone please offer some advice as to what I've done wrong?  I've created this exact scenario at work many times but, I've never done it with Windows Server 2012.  Is this
  possibly something to do with the Dell PowerEdge server (Generation 12) with the SR-IOV?  I am going to attempt to work on it some more tomorrow when I get over there.  I think there may be an issue with the SR-IOV not being enabled on the machine
  through the Dell Bios.  Would the SR-IOV really cause the workstations to report a slow connection?  When I login at the domain controller the roaming profiles and folder redirection work fine so, I know the GPO settings are correct.  I don't
  have "ignore slow connections" or any of those GPO's set.  I need to get it working the correct way so, I didn't want to fool the server when there is another underlying problem.  Any help that someone can offer, I am more than willing
  to listen.  If you need more information, please ask.
  Thanks,
  Jay

  So, I've managed to research this some more since Thursday and I've come to the conclusion that Hyper-V does a horrible job of supporting Qualcomm NIC cards. That's the only thing I can conclude as far as where the issue is originating. I've read many
  post and walkthroughs but nothing that has helped. The issue wasn't with any settings in the domain controller. The issue was that there really is a slow connection originating at the domain controller that is a VM and has network connectivity through the
  virtual switch from Hyper-V. So, next question is, how do I get the DC to have better connectivity through the NIC that Hyper-V won't give it? If hyper-v would allow passthrough, this would be so much simpler. VM-ware is looking really good at this point.
  Im disappointed in MS right now.

• AppV 5 slow to refresh with roaming profile (no redirects) but fast with local profile

  Hi,
  I have an issue I can't get thought out. I have an AppV5 SP3 full infra, with SMB share and local caching of packages enabled. Everything works from a functional level. However I have an issue where users with a roaming profile get a very slow AppV refresh
  during login.
  I created a few testaccounts, a few with local profile and a few with roaming profiles. For these testusers there are NO folder redirects. The only difference between them is local profile or roaming profile.
  When I login with a local-profile user initially, the AppV client rather slowly refreshes the applications and shortcuts. It generates quite some CPU load on the RDS host, but as soon as the shortcuts are placed everything is fine. When I log that user off,
  and log in again, the shortcuts are there immediately and I can immediately start the applications (Office 2010 for example). Blazing fast. Also when logging in, the refresh-UI is there for about half a second, it really flashes and it's done.
  Then with a testuser with roaming profile, the initial refresh is about the same. But when I logoff that user and login again, it's all very slow. The shortcuts are there but blank initially, it takes about 5-10 seconds to get the correct icon. It takes
  much longer before the refresh actually starts (sometimes up to 30 seconds after login), and it takes 5-10 seconds to do the refresh, with 100% cpu load on the thread AppVclient.exe is running on. Also right after loging in when the shortcuts are blank they
  don't work until they get the proper icon. WHen everything is refreshed it works all fine though. It's just painfully slow at start.
  I don't understand this. I can reproduce this every single time. Without folder redirects I don't see the difference between roaming and local profile from AppV perspective, as the roaming profile is of course copied to the server and in that sense the server
  just works with a local copy anyway.
  Anyone encountered this, and how to troubleshoot, or better fix this?

  So is the fact that there is a 5-10 second delay during refresh actually an issue? What I mean by that is - are any users comparing the local profiles with roaming profiles experience, or complaining that the delay is there?
  Roaming profiles and Folder redirection are of course very simple to configure; however for the best user experience I recommend managing profiles with a real profile management solution.
  If you have MDOP, then you'll also have access to UE-V. You've mentioned your environment is RDS, which sadly doesn't get UE-V, even though you have App-V.
  Here are some resources on UE-V + App-V and what's required when managing App-V with roaming users:
  How To Use Microsoft User Experience Virtualization With App-V Applications
  Application Publishing and Client Interaction: Roaming registry and data
  Here's also some resources on App-V performance worth looking at:
  Performance Guidance for Application Virtualization 5.0
  App-V Performance Best Practices: New Project VRC White Paper
  Please remember to click "Mark as Answer" or "Vote as Helpful" on the post that answers your question (or click "Unmark as Answer" if a marked post does not actually
  answer your question). This can be beneficial to other community members reading the thread.
  This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or other MVPs.
  Twitter:
  @stealthpuppy | Blog:
  stealthpuppy.com |
  The Definitive Guide to Delivering Microsoft Office with App-V

• How do I use long path names ("\\?\UNC\...") with Server 2008 roaming profiles?

  Hey folks!
  I administrate a Windows Server 2008 R2 SP1 Domain with about 40 users on
  Windows 7 SP1 clients. Because the users often switch between the many PCs, I am using Roaming Profiles which tend to produce errors with different application-specific paths and files inside the users profiles.
  As one of many example, our standard mail application Thunderbird produces paths and files according to folders/subfolders and mails in a user's mailbox. Another one is Microsoft Office's Auto Recovery files which reside in a user's profile and can
  get very long.
  These paths and filenames often extend the allowed max. path of about 256 characters, when (on log on or off) the synchronization process between the client and the server takes place, leading to errors in the event log and a notification to the user about
  the conflict:
  "Event ID 1509 - Windows cannot copy file \\server\share\users\user123.v2\AppData\Roaming\looooong to location C:\Users\user123\AppData\Roaming\looooong. DETAIL - The filename or extension is too long."
  In the long run this leads to different file versions on different clients which - in the case of Thunderbird - leads to missing mails.
  After extensive searches and lectures of forums - including this - I haven't found a solution for this problem.
  So my question is if there's a way to use the extended max path with roaming profiles and if so how do I get it to work?
  I tried changing the profile path of a test user in the Active Directory user preferences from "\\server\share\profiles\test_user" to something like "\\?\UNC\server\share\profiles\test_user" without any changes in the system's behavior.
  Also I think that because this is such a fundamental problem somebody must have come up with a solution for it...
  Thanks in advance,
  Nico

  Hi,
  Thanks for your posting.
  The Event 1509 can happen if the destination path of the users profile is on a server with a long name and share folder name. For detail information, please refer to:
  User profile cannot be loaded with Event ID 1509, DETAIL - The filename or extension is too long
  http://blogs.technet.com/b/win7/archive/2011/02/15/user-profile-cannot-be-loaded-with-event-id-1509-detail-the-filename-or-extension-is-too-long.aspx
  User profile cannot be loaded with Event ID 1509, DETAIL - The filename or extension is too long
  http://support.microsoft.com/kb/2536571
  Hope this helps.
  Regards.
  Vivian Wang
  TechNet Community Support

• How can we reset the SAP cache for users roaming profile in a d?

  Our active directory is on windows server 2003.
  SAP version 6.40
  users work from different workstations in our company with their roaming profile.
  printouts are defined by assigning a printer to the terminal (usually the closest terminal to theprinter)
  we have some users who have logined to windows, are unable to print to the assigned printer, because the name of the terminal is stuck on another terminal they worked on before.
  we think that the the cache in SAP does not update properly.
  Where is the SAP cache, is it in the server, or the workstation, or the user profile?
  Can anyone help?
  Robyn

  all configurations of the printers are correct.
  I will try and explain the problem differently:
  In general If a user logs on to SAP, we will see in tc al08 the username and terminal the user is working from. (The terminal is the full computer name e.g. WS-KITCHEN).
  When a user with the problem logs on to SAP, we will see in tc al08 the username and the name of a terminal he worked from in the past and not the work station he is at present. Therefore his printouts go to the printer that is allocated to the terminal that he worked on before and not the WS-KITCHEN he is working on now.
  Thanks
  Robyn

• App-v 5.0 sp3 Publish application icons/ shourtcut missed on 2nd time logon on terminal server 2012 r2 with roaming profile with folder redirection

  1. I updated app-v 5.0 sp3 environment on 2012 R2. Roaming profile users with folder redirection logon fine at first time applications icons available but at 2nd logon applicaitons icons are missed while packages are available. we are using existing
  roaming profiles with folder redirection which are running in current environment through APP-V 4.6 2008 R2. Please suggest work around to resolve this issue.
  2. TS Nodes of 2008 R2 with App-v 4.6 running fine on Microsoft 2012 private cloud but we are facing performance issue (stuck, slow logon, slow performance etc) when we are moving in new 2012 R2 private cloud. SAP, SCSM and other sevices are running
  fine, please provide solution.
  Thanks

  1.) What are you doing with the App-V Icon path? e.g. %LOCALAPPDATA%\Microsoft\AppV\Client\Integration\<GUID>\Root\AppVClientUX.exe.0.ico ?
  I guess you could workaround it with deploying the icons to a central location and then pointing to the icon out on a central share. Or put the icons in a machine location...I haven't had this issue but that's just off the top of my head.
  2.) I have not used App-V 4.6 in an environment like yours BUT would pre-caching the applications be possible? Any chance you'll be moving those apps into App-V 5.0 soon?
  PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog:
  rorymon.com Twitter: @Rorymon

• Issue with offline availability of roaming profiles in Server 2012

  I've recently stood up a Windows 2012 R2 server. I set up folder redirection using the guidelines
  here and roaming profiles using Group Policy. All is well except for the fact that if the client is physically disconnected from the network then the profile isn't available.
  I've set up folder redirection/roaming profiles on many different version of Windows Server and this is the first time I can remember that the files weren't available offline without further intervention from me. Is there some new setting or default on 2012
  R2 that I'm running afoul of?
  I note the following screen on the share properties but don't want to go at it until I know more
  Location of image in case of no display
  Sunt ludi et ioci dum aliquis oculo nocet.

  Shaon,
  No problem at all, I'm delighted that someone is answering at all! :-)
  The answers to your points/questions are as follows:
  1. The issue persists after a reboot
  2. All computers in the OU are experiencing this issue along with all users affected by these group policy items
  3. There is only one group policy applied here and in relation to the three items you've mentioned:
  Action on server disconnect [Not configured]
  Non-default server disconnect actions [Not configured]
  Do not automatically make redirected folders available offline [Not visible]
  All the relevant group policy objects (on the server) are at their default "Not configured" value. I've filtered by Windows 7 and Windows 8 as I have nothing below that. I've checked both locations viz.:
  Computer Configuration\Policies\Administrative Templates\Network\Offline Files
  User Configuration\Policies\Administrative Templates\Network\Offline Files
  The same is true for Local Computer Policy, all are set to "Not configured". In Explorer on the client under the Easy Access option all of the salient settings are greyed out.
  - Derek
  Sunt ludi et ioci dum aliquis oculo nocet.

• Slow logon for roaming profiles on Server 2012 R2.

  Hey all,
  We have migrated Windows Server 2008 R2 to 2012 R2. After this, roaming profiles began to take 7-8 mins to 15-16 mins to logon to the 2012 R2 RDHS. Same roaming profiles have no problems logging on other RDS servers running Server 2008 R2.
  All updates are installed. All RDS related HotFixes have been applied. Server 2012 R2 only got RDSH role activated. It's a domain environment and AD role is on a physical DC. This is a mixed OS environment for clients.
  Local users have no problems logging on. Roaming profiles have no problems logging back in day after the first logon - The very first logon took a long time for them.
  Profiles stored on an SSD NAS device. The device doesn't support SMB3 protocol. Could this be why?
  Also when we check Event Viewer, we see "Event ID 5: Kernel-General :: {Registry Hive Recovered} Registry hive (file): '\........\NTUSER.DAT' was corrupted and it has been recovered. Some data might have been lost." But again,
  same profiles have no problem logging on Server 2008 R2.
  Looking forward to hearing your thoughts and advices.
  Thanks in advance.

  Hi Bruce,
  >>After this, roaming profiles began to take 7-8 mins to 15-16 mins to logon to the 2012 R2 RDHS.
  Before going further, I want to further confirm if this happens when the users log onto the server first time or all the time.  Besides, does this happen to all domain users logging onto the server?
  >>"Event ID 5: Kernel-General :: {Registry Hive Recovered} Registry hive (file): '\........\NTUSER.DAT' was corrupted and it has been recovered. Some data might have been lost."
  For this event, we can refer to the solution provided by Justin in the following thread to tackle the issue.
  Registry Hive Corrupted - Event ID 5: Kernel-General
  http://answers.microsoft.com/en-us/windows/forum/windows_7-system/registry-hive-corrupted-event-id-5-kernel-general/275d080b-4d29-4eed-887d-bee55725c602?page=1
  Best regards,
  Frank Shen

• NAC and AD, Machine GPOs, Roaming Profiles = Chaos

  I've just observed a hapless Cisco consultant try to make NAC 4.1 work on computers with machine GPOs, roaming profiles, logon scripts within user GPOs, and for that matter legacy logon scripts with "run logon scripts synchronously" enabled. All of these technologies seem to fail on a NAC-enforced connection.
  We assign software on machine GPOs and we use roaming user profiles, and it seems we either need to have a domain controller and profile share on the isolation VLAN, which defeats the purpose of NAC, or perform some kind of machine authentication, which can occur before GPO processing and net logons can happen.
  While I'm not the Cisco consultant, it wasn't hard to recognize this problem.
  Everything I've read about NAC and CAA suggests this is a per-user compliance solution and not a per-machine solution. Surely others have observed this, and I think this is what machine authentication (802.1x) NAC, as opposed to user authentication NAC, is all about. At the risk of sounding like a total n00b, where can I start researching a NAC solution that supports what I want and lets us use the Cisco NAC gear we've already invested in?

  I have had similar issues and have solved many with a custom script that runs at log on. It is a compiled script and works great, AutoIT3.
  The policy part takes care of itself if you leave machines logged in long enough or do a gpupdate /force. This will force the group policy to synchronize but you will need to log off and on again.
  The roaming profile is much tougher. I am still trying to get this working. If anyone has any info on EXACTLY what takes place on a roaming profile synchronization, I would be grateful. If I can I will replicate that process in my script and solve this issue also.
  I have fixed the log in script stuff with a delayscript that I use (ironically) clean access to install. You have to launch it with the users credentials, though and not from Clean Access which uses the SYSTEM users credentials in its stub agent!
  This is a known issue to Cisco but any prodding of them to get it working would help. Their solution is braindead, just give unremediated machines full access! If they fail remediation, kick them off then. Gee, that gives the unremediated machine a mere two to three minutes to attack your AD DCs on each log in attempt. Not good.
  Anyway, that's where I am at. Most of this can be dealt with, some is still problematical.
  Dan S.

• Roaming Profile Folder Creation Immediately Inaccessible

  Set up is AD 2008.  Terminal 2012 R2, Fileserver 2012.
  Before we've had it set so we could create a user in AD, log them onto the Terminal, it creates the profile, which on log out is saved to its roaming location on the Fileserver with a V2 after it.  In their profile field in AD, that Fileserver location
  was given as well.
  Something changed recently and we're not sure what.  Now if I create a user in AD, and log them into the Terminal, it gives me a message that a temporary profile is being used for this log on.  When I log out, it creates the V2 on the Fileserver,
  but I'm unable to access it even with admin credentials.  I've been able to change the owner, but it doesn't allow me to delete that folder and try again.  I have been able to run this
  SET DIRECTORY_NAME="C:\profilelocation"
  TAKEOWN /f %DIRECTORY_NAME% /r /d y
  ICACLS %DIRECTORY_NAME% /grant administrators:F /t
  PAUSE
  where the profile location is the folder in question and have it open it up enough to delete so we can troubleshoot.  But doing that doesn't change the initial Terminal status of using a roaming profile and it using a temporary profile.
  On the terminal server, I have also found the registry setting for that user and deleted it (the one with the .bak ending).  That allows a good logon if I remove the profile location setting in AD.  But when I move the folder to the fileserver,
  and then add the location back in AD, I get the Temporary Profile error again.
  Any ideas where to start looking?  I don't think we've changed any GPs that affect our terminal users.  Current users are fine, but I won't be able to create any new users and have them use a roaming profile.
  Ben Rollman

  Well, I'm still not sure what changed.  Here's what I've done so far.  (Email to my boss yesterday.)
  I set up a test container under States and moved all the state user, test user, etc into it.  Then I backed up the current ExtUsers_UsersGPO settings and imported them
  into a new GPO called TextExt… and enabled the computer settings.  It had the following but the Computer Setting wasn’t enabled so it wouldn’t have done that.
  Policy
  Setting
  Comment
  Add the Administrators security group to roaming user profiles
  Enabled
  I deleted the local and roaming file, and for good measure the registry entry.  I logged in as “testuser” and didn’t receive any problems.  Created a test folder,
  test file, logged off.  I see the testuser.V2 on the FS, but I can’t access it, like before.
  I run the following script to change it so I can access it.
  SET DIRECTORY_NAME="C:\Files\Profiles\testuser.v2"
  TAKEOWN /f %DIRECTORY_NAME% /r /d y
  ICACLS %DIRECTORY_NAME% /grant administrators:F /t
  PAUSE
  The FS profile is set for full rights for domain and local admin, but no user.  So I add the user as the owner, and give the user full rights.  Log in, and I get
  this.
  Your roaming profile is not synchronized correctly with the server. Windows will load your previously-saved local profile instead. See the previous events for details.
  And these in event viewer.
  Windows cannot copy file
  \\statefs\Profiles\testuser.V2\ntuser.ini to location C:\Users\testuser\ntuser.ini. This error may be caused by network problems or insufficient security rights.
  DETAIL - The system cannot find the file specified.
  Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could
  not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.
  I had put the icons on the FS folder just to see if it would show up.  I saw the test folder okay in both.  But when I logged back in, the shortcut icons weren’t
  there.  AND when I logged off, it overwrote the FS folder, removing the icons.
  From there I checked the TS local profile folder (just in case) and saw it had no testuser rights at all.  The owner of that folder was SYSTEM.  So just for fun I
  changed the owner to testuser, made sure to set it for all subfolders, logged in, no error message.  Logged out, put shortcuts into the desktop folder on FS, logged back in, no errors and the shortcuts are there.
  So.
  I don’t know if it’s the GP or the fact that maybe the TS folder wasn’t getting the right permission to allow the roaming process to write to it or both.  I’m going to
  try to recreate this, see if there’s a way to shorten the process or create a template like before.
  Ben Rollman