Showing posts with label roaming user profile. Show all posts

Monday, July 29, 2013

You have been logged on with a temporary profile

This is annoying. My domain-joined Windows 7 machine kept showing this error upon login and I couldn't save any new profile.
In Event Viewer, I saw these two errors (Event 1511 and 1515).


Initially, I thought my roaming profile was corrupted. But rebuilding the profile did not solve the problem. The same error still appeared until I saw this Microsoft KB post.

I enumerated through the registry records on
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Instead of just removing the sid.bak records, I removed all user registry records. In effect, it would force a rebuild of all local user profiles that would be synced from the central user profiles on the network share.

Thursday, October 18, 2012

Setting the ACL for Home and Roaming Profiles

Wondering how to set the share and NTFS ACLs on the network share for users' home folders and roaming profiles? Check out this TechNet blog post: Automatic creation of user folders for home, roaming profile and redirected folders

By default, all newly created folders are set with inheritable permissions that include Read permission for all users. As a result, users would be able to see all other users' home folders. Access Based Enumeration (ABE) is designed to prevent users from viewing folders to which they have no read access. It can be easily enabled on the "Share and Storage Management" console. However, the inheritable permissions get in the way because they give all users "Read" access to all folders.

For ABE to work, you'll have to remove those inheritable permissions after the users' home folders are automatically created. You can have a PowerShell script that takes in a CSV file (exported by csvde) and removes all inheritable permissions on the user home folders. This is my script:

Import-Csv C:\temp\users.csv | ForEach-Object {
  # individual user name
  $user = $_.sAMAccountName
  # user home folder
  $newPath = Join-Path '\\FileShare\Home$' -ChildPath $user
  $acl = Get-Acl $newPath
  # protect the ACL from inheritance ($true) and discard the inherited
  # entries instead of copying them as explicit ones ($false)
  $acl.SetAccessRuleProtection($true,$false)
  # additional custom permission added (optional); this three-argument form
  # sets no inheritance flags, so the rule applies to the folder itself only
  $permission = "MyDomain\$user","Modify","Allow"
  $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
  $acl.SetAccessRule($accessRule)
  $acl | Set-Acl $newPath
}
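
A read-only check that can be run before and after the script above, added here as an example and not part of the original post. It reports, per home folder, whether inheritance is disabled, which broad groups can still list the folder (so ABE would not hide it), and whether the user and administrators hold explicit access. The list of broad principals and the BUILTIN\Administrators name are assumptions; the share path, domain name and CSV path are the ones used in the script above.

```powershell
# Added example: audits ACLs only, changes nothing on the share.
$homeRoot = '\\FileShare\Home$'     # share path from the script above
$domain   = 'MyDomain'              # domain name from the script above
# Assumed list of broad principals; adjust to your environment.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', "$domain\Domain Users"

$rights  = [System.Security.AccessControl.FileSystemRights]
$inhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-HomeFolderAcl {
    param([string]$Path, [string]$User)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Home folder not found: $Path"
        return
    }
    $acl   = Get-Acl -LiteralPath $Path
    $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })

    # Allow entries that apply to the folder itself and let a broad group
    # list it: while these exist, ABE still shows the folder to every user.
    $exposed = @($allow | Where-Object {
        $broad -contains $_.IdentityReference.Value -and
        [int]($_.FileSystemRights -band $rights::ReadData) -ne 0 -and
        [int]($_.PropagationFlags -band $inhOnly) -eq 0
    })
    # The user's own entry must cover every bit of Modify.
    $userOk = @($allow | Where-Object {
        $_.IdentityReference.Value -eq "$domain\$User" -and
        ($_.FileSystemRights -band $rights::Modify) -eq $rights::Modify
    }).Count -gt 0
    # Discarding inherited entries can also drop the administrators' access.
    $adminOk = @($allow | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.FileSystemRights -eq $rights::FullControl
    }).Count -gt 0

    [pscustomobject]@{
        Path                = $Path
        InheritanceDisabled = $acl.AreAccessRulesProtected
        ExposedTo           = ($exposed | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
        UserHasModify       = $userOk
        AdminsFullControl   = $adminOk
    }
}

Import-Csv C:\temp\users.csv | ForEach-Object {
    Test-HomeFolderAcl -Path (Join-Path $homeRoot $_.sAMAccountName) -User $_.sAMAccountName
} | Format-Table -AutoSize
```

A folder is ready for ABE when InheritanceDisabled is True and ExposedTo is empty; AdminsFullControl showing False marks the folders that will later need the ownership commands below.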

If you encounter a situation where you can't move or remove the user profile folders, you'll have to take ownership of the folders recursively. Here are the command lines:
takeown /F folder-name /R /D y
icacls folder-name /grant administrators:F /T

Friday, February 26, 2010

Roaming User Profiles & Folder Redirection on Terminal Server

We are offering some RemoteApp Terminal Services (TS) based on W2K8. One consideration is porting the existing users' local profiles to roaming user profiles, so that the users won't be upset about losing their IE favorite bookmarks.

Unfortunately, WinXP local profiles are V1 and W2K8 profiles are V2, and they aren't compatible. Hence, we use a Terminal Services profile, which supersedes the roaming profile in a TS environment. To reduce the profile loading time, we implemented a loopback policy on the TS server that enables folder redirection. If folder redirection is not implemented, the local server has to load the profiles from the network shares when the users log in and upload them again when the users log out. Users with large profiles will naturally have longer loading times.

I found two very good sources that implement roaming profiles and loopback policy on TS:
  1. How to implement Basic Roaming Profile & folder redirection
  2. Folder Redirection on Terminal Server