How to setup roaming profiles in server 2008?
I am currently testing server 2008 (as a terminal server) and trying to understand how to setup new roaming profiles. I have 2 domain controllers that are running Windows 2000 Server (Native mode) and I have profiles stored on a file server such as \\filesrv\profiles\%usersprofile%

I read that in server 2008 since 2000, xp profiles are not compatible you need to create new ones. Well I setup a new user in the domain and have its terminal service profile at \\filesrv\profiles\user2008

When logging in on the 2008 server the profile always logs in as a temp profile and will not write back to the profile path I specified.

Now I also read in the "Managing Roaming User Data Deployment Guide" you need to create a new Network default profile and store it in your Domain controllers NETLOGON share: \\domain\NETLOGON\Default User.V2

I did this and it still doesn't login. Is this because I am running a 2000 domain and not a 2003 domain? Or am I missing something? Any help would be much appreciated.

Nick
March 10th, 2008 4:30am

Hi,

Yes. Due to the incompatibility between Version 1 user profiles (Windows 2000, Windows XP, Windows Server 2003) and Version 2 user profiles (Windows Vista, Windows Server 2008), a new roaming user profile (the folder with the V2 suffix to distinguish it from former user profiles) has to be set for users that log on to Windows Vista and Windows Server 2008.

About the default network profile in the NETLOGON share: it is a default user profile template for domain users, just like the local default user profile. When a user without a roaming profile logs on to a domain-joined computer for the first time, the newly created profile will originate from the default network user profile if it is available. If not, Windows will use the local default profile as a template. It seems there is not any relationship with the roaming profile we discussed.

For the general roaming profile, here is a step-by-step practice:

1. Prepare the roaming user profile
- Log on to a Windows Server 2008 with the domain user account to produce a user profile. Log off the computer.
- Log on to the Windows Server 2008 with a domain administrator account.
- Click Start--->right-click Computer--->Properties--->Advanced System Settings--->Advanced--->User Profiles Settings--->Settings--->Copy To. Copy the profile to the file server, such as '\\filesrv\profiles\username.v2'
  Note: A ".v2" suffix to the name of the user profile folder on the file server must be added to distinguish between version 1 and version 2 profiles.
- In Permitted to use, click Change. Type the proper users or groups and then click OK.

2. Prepare the user Profile path setting
- In Active Directory Users and Computers, type the profile location such as '\\filesrv\profiles\username' in the user's Profile path attribute.
  Note: Do NOT add ".v2" to the Profile path of the user object.

This indicates that Windows Server 2008 will load the profile from the 'username.v2' folder, and former Windows operating systems will load from the 'username' folder if it exists.

If you manually create the user profile folder, please check the NTFS and share permissions on the roaming profile share folder.
- Locate the roaming profile share folder, and check the NTFS permissions to make sure that the user, SYSTEM, and administrators have Full Control permission on their folders and that all sub-folders under the roaming profile folder have inherited the proper permissions.
- Check the share permission to ensure that Everyone has Full Control permission.

Please pay attention to the Event logs in Windows Logs--->Application. User Profile Service will log events to show the reason why the roaming profile is not applied.
March 11th, 2008 2:09pm

I followed your steps above and still getting the same thing. My user account always loads under a temp profile.

First event from application log on user login:
Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.

Second event:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

I have 2 profiles now on my file share: \\file_share\profiles\user2008 and \\file_share\profiles\user2008.v2

The user2008 being my old terminal services profile from 2000 server and the v2 being the new one created via your instructions.

Permissions on the v2 are System, domain/Administrators, domain/user2008. All with full control rights and inherited to the subfolders.

On my user2008 in Active Directory I have the profile path set in the Terminal Services Profile tab, not in the Profile tab.

Any other ideas? Or logs I can look at?
March 11th, 2008 11:24pm
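
Added example, not part of any post in this thread: a PowerShell sketch that pulls the User Profile Service warnings and errors (such as the two events quoted above) from the Application log and summarizes them per user, so repeated temporary-profile logons stand out. The 7-day window is an assumed default; run it elevated on the terminal server.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0 or later.
# Assumption: the 7-day look-back window is an arbitrary default.
param([int]$Days = 7)

function Resolve-EventUser {
    param($Sid)
    if (-not $Sid) { return '<none>' }
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }   # orphaned or foreign SID: report it unresolved
}

function Get-ProfileLoadFailure {
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        Level        = 2, 3                      # 2 = Error, 3 = Warning
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Level   = $e.LevelDisplayName
            User    = Resolve-EventUser $e.UserId
            # First line of the message is enough to tell the events apart.
            Message = ($e.Message -split "`r?`n")[0]
        }
    }
}

# One row per user and event ID: how often it happened and when it last happened.
Get-ProfileLoadFailure -Days $Days |
    Group-Object User, Id |
    ForEach-Object {
        $last = $_.Group | Sort-Object Time | Select-Object -Last 1
        [pscustomobject]@{
            User     = $last.User
            EventId  = $last.Id
            Level    = $last.Level
            Count    = $_.Count
            LastSeen = $last.Time
            Message  = $last.Message
        }
    } |
    Sort-Object User, EventId |
    Format-Table -AutoSize -Wrap
```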

Hi,

From my test, I suspect that there still should be a permission problem on the profile folders. I suggest that we create a new shared folder such as '\\filesrv\profile1\' to store profiles and grant Everyone full control permission on the folder. In this way, we can isolate the root cause of this issue.

1. Create a new user, such as user2008, in the Windows Server 2008 DC.
2. Create a new folder such as 'profile1' and share it with Everyone full control access permission.
3. Configure the user's Terminal Services Profile--->Profile Path setting and point it to '\\filesrv\profile1\user2008'
4. Try to log on with this user account by Terminal Service and check how it works.

By doing this, all profile files should be created with the proper folder permission for that user according to the local default user profile (or default network profile if available) and it should work.

Hope it helps.
March 13th, 2008 2:43pm

Hi, I followed your instructions and it appeared to work, as the next time I logged in at a client machine I wasn't told I would be made a temporary account. But after I logged off then logged on at a different machine, my settings didn't follow. Any help would be greatly appreciated.
May 27th, 2008 9:19pm

I honestly don't mean to thread-hijack here, but I'm having the exact same issues described. Server 2k8 isn't handling any permissions on the user profile share correctly.

I've posted the question on Experts-Exchange, but no response yet (prolly not a ton of ppl completely migrated over to Serv2k8 yet :) )

If I find a solution, I'll post it here. But have you guys found a solution to this problem? Any hints in the right direction would be appreciated.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_24570842.html

----------------------------------

Experts,

Would somebody be able to point me in the right direction? I've recently migrated (still in the process of actually) from a SBS 2003 environment to a 2008 one, with separate DC / Exchange / File Servers. *one heck of a upgrade*

Unfortunately, with the Serv2k8 setup, I'm having some problems getting Roaming profiles to work as they should.

I've followed: http://technet.microsoft.com/en-us/library/cc757013(WS.10).aspx to a T. As I did when I was in the 2003 environment - when everything was working.

My permissions match that technet article exactly, but whenever an end user tries to log in, they're given an error that their roaming profile cannot be located, so the machine creates a local profile for them - to be deleted on logoff.

As a side note, I have the user's home directory mapped to a share on the exact same server with the same folder permissions, and those work like a champ. However, I think the reason that those are working, where the profiles fail - is that when I create a user in AD it creates the home folder at the same time, whereas profiles aren't created until the user actually logs in. So, from Domain Admin permissions to make the home folder - to user permissions trying to make the profile folder...

Either or, I'm at a stump right now. And as I mentioned before, these are the exact same permissions I had on the SBS 2003 box where roaming profiles were in fact working.

Any ideas that can be thrown into the mix would be greatly appreciated.

**On that server the user share is: \\server\users
While the profile share is \\server\profiles$
July 15th, 2009 4:02pm

Hi Miles

I have tried this on my new Windows Server 2008 R2, but when I go to "Computer -> Properties-> Advanced System Settings -> Advanced -> User Profiles Settings -> Settings" and choose the profile I want to copy, the "Copy to..." button is grayed out?

I have tried changing permissions and owner, restart the server, but it's still grayed out.

Do you know what's wrong?

Thanks
/Mads
August 30th, 2009 10:04pm

"I read that in server 2008 since 2000, xp profiles are not compatible you need to create new ones."

Not entirely correct. What *is* true is that you cannot use multiple client OSes to access the same profile - e.g., Windows 2000 Pro and XP Pro users cannot roam between workstations.

You don't mention having had TS for W2k before ...nor TS profiles

For TS, you have always needed to create a separate TS profile anyway. Never try to log into a TS session using a *desktop* roaming profile or you will have problems. I would apply this via a GPO instead of in the Terminal Services profile option in ADUC so you don't need to remember to do that. Link the policy at the OU where your TS box lives and apply loopback processing so all users get the same settings. Also see KB 278295 for some good TS lockdown suggestions. Also see MVP Patrick Rouse's articles at http://www.msterminalservices.org/articles/Locking-Down-Windows-Terminal-Services.html

You don't need the .v2 stuff - a) this is TS and b) this ain't Vista. Roaming profiles in general have not changed much over the years. Here's my boilerplate - a lot of it will apply to TS as well...especially the folder redirection stuff. TS profiles, roaming profiles - you need to keep them TINY.

********************

General tips:

1. Set up a share on the server. For example - d:\profiles, shared as profiles$ to make it hidden from browsing. Make sure this share is *not* set to allow offline files/caching! (that's on by default - disable it)
2. Make sure the share permissions on profiles$ indicate everyone=full control. Set the NTFS security to administrators, system, and users=full control.
3. In the users' ADUC properties, specify \\server\profiles$\%username% in the profiles field
4. Have each user log into the domain once - if this is an existing user with a profile you wish to keep, have them log in at their usual workstation and log out. The profile is now roaming.
5. If you want the administrators group to automatically have permissions to the profiles folders, you'll need to make the appropriate change in group policy. Look in computer configuration/administrative templates/system/user profiles - there's an option to add administrators group to the roaming profiles permissions. Do this *before* the users' roaming profile folders are created - it isn't retroactive.

********************

Notes:

Make sure users understand that they should not log into multiple computers at the same time when they have roaming profiles (unless you make the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change them, which has major disadvantages). Explain that the 'last one out wins' when it comes to uploading the final, changed copy of the profile. If you want to restrict multiple simultaneous network logins, look at LimitLogon (too much overhead for me), or this: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768

********************

Keep your profiles TINY. Via group policy, you should be redirecting My Documents (at the very least) - to a subfolder of the user's home directory or user folder. Also consider redirecting Desktop & Application Data similarly..... so the user will end up with:

\\server\users\%username%\My Documents,
\\server\users\%username%\Desktop,
\\server\users\%username%\Application Data.

[Alternatively, just manually re-target My Documents to \\server\users\%username% (this is not optimal, however!)]

You should use folder redirection even without roaming profiles, but it's especially critical if you *are* using them.

If you aren't going to also redirect the desktop using policies, tell users that they are not to store any files on the desktop or you will beat them with a stick. Big profile=slow login/logout, and possible profile corruption.

********************

Note that user profiles are not compatible between different OS versions, even between W2k/XP. Keep all your computers. Keep your workstations as identical as possible - meaning, OS version is the same, SP level is the same, app load is (as much as possible) the same.

*********************

If you also have Terminal Services users, make sure you set up an entirely *separate* TS profile path for them in their ADUC properties - e.g., \\server\tsprofiles$\%username%

********************

Do not let people store any data locally - all data belongs on the server.

********************

The User Profile Hive Cleanup Utility should be running on all your computers. You can download it here: http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

********************

Roaming profile & folder redirection article - http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html

Lanwench [MVP - Exchange] ** Do not fold, spindle or mutilate. Fill in the box completely and erase any stray marks. Use only a #2 pencil.
September 9th, 2009 4:39pm

Lanwench,

Just starting my first 2008 roll out. Your information was concise and exceptionally useful. Thank you.

Pau NCN IT
October 3rd, 2009 5:51pm

Hi Guys,

I'm setting up a new Server 2008 R2 Remote Desktop Services (TS) environment for a client. I've created GPOs to redirect Application Data, Documents etc. to folders within the user's personal directory, and set up Roaming Profiles to be redirected back to the server, but can't log on as a client. I.e. there's an empty folder the client has write permissions to, but Windows doesn't create a profile in this directory.

Is there a way to bulk create a heap of 'empty' profiles so I can log on as the users and continue testing this environment, or do I need to unlink the group policy, create a local profile for each user, copy it to the server and re-apply the GPOs (this sounds like a lot of tedious, manual work)?

Any help appreciated.
December 11th, 2009 4:02am

You're most welcome. Roaming profiles are great ...if you set 'em up right. Otherwise they can be an enormous PITA.

Lanwench [MVP - Exchange] ** Do not fold, spindle or mutilate. Fill in the box completely and erase any stray marks. Use only a #2 pencil.
December 14th, 2009 10:33pm

Not really (re bulk creation). Let's see where the problem is occurring. Start by letting us know what happens when you try to log in as a client. Is the user account in the appropriate security group that would allow them to log into the TS box remotely? I generally create a TS Users group in AD and add that to the member server TS box's "remote desktop users" group. If that isn't the issue, try reviewing the event logs on the server (as an admin) and check for userenv errors.

Lanwench [MVP - Exchange] ** Do not fold, spindle or mutilate. Fill in the box completely and erase any stray marks. Use only a #2 pencil.
December 14th, 2009 10:35pm

I did all that and it works BUT the owner of the newly created profile (.v2) folder is unknown (at least to me as domain admin). Taking ownership of the folder and granting the user belonging to the profile FULL control breaks the profile, so we are back into the 'loading with temporary profile' problem. Under the old win2003 system, the user was the owner, but when the admin took ownership and granted the user full control (or even just modify), it worked. What's the difference now?
October 10th, 2010 10:11pm

I'm having the same problem. I really hope that somebody finds out an answer to this.. I suspected UAC because I had problems with it before (Only R2, administrators etc.) but it wasn't it.. :(
November 9th, 2010 2:39am

I've had the same problem. The steps in the above thread are correct but what's missing is that the user needs to be the owner of the folder (this was not the case with Server2003). Just make sure you select option to Replace owner on subcontainers and objects. Also, you might want to make sure that your NTFS permissions include Administrator so that you have access as well.
December 8th, 2010 4:51pm
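
Added example, not part of any post in this thread: a PowerShell audit of a roaming-profile share that reports, per profile folder, whether the owner is the profile's user (the condition the answer above identifies), whether that user holds inheritable Full Control, and which unexpected principals also have access. The share path and domain name are placeholders, folder names are assumed to be `<account>` or `<account>.V2`, and the built-in principal names are the English ones.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0 or later.
# Assumed values: $ProfileRoot and $Domain are placeholders to replace.
param(
    [string]$ProfileRoot = '\\filesrv\profiles',
    [string]$Domain      = 'EXAMPLE'
)

function Test-ProfileFolder {
    param(
        [Parameter(Mandatory)] [System.IO.DirectoryInfo]$Folder,
        [Parameter(Mandatory)] [string]$Domain
    )
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    # Principals expected on a profile folder besides the user (English names).
    $allowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
               "$Domain\Domain Admins"

    # user2008.V2 -> EXAMPLE\user2008
    $user = '{0}\{1}' -f $Domain, ($Folder.Name -replace '\.V\d+$', '')
    $row  = [ordered]@{
        Folder = $Folder.Name; ExpectedOwner = $user; Owner = '<unreadable>'
        OwnerIsUser = $false; UserFullControl = $false; OtherPrincipals = ''
    }
    try {
        $acl = Get-Acl -LiteralPath $Folder.FullName -ErrorAction Stop
    } catch {
        # Folders created at first logon may grant access to the user only,
        # in which case an administrator cannot read the ACL at all.
        return [pscustomobject]$row
    }

    $row.Owner       = $acl.Owner
    $row.OwnerIsUser = ($acl.Owner -ieq $user)

    # Allow ACE for the user with Full Control that propagates to subfolders
    # and files. ACEs stored as generic rights are not counted as Full Control.
    $row.UserFullControl = [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $user -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full -and
        ($_.InheritanceFlags -band $inherit) -eq $inherit
    })

    # Anyone else with an Allow ACE (Everyone, Domain Users, other accounts).
    $row.OtherPrincipals = ($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ine $user -and
        $allowed -notcontains $_.IdentityReference.Value
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join '; '

    [pscustomobject]$row
}

# List only the folders that need attention.
Get-ChildItem -LiteralPath $ProfileRoot -Directory |
    ForEach-Object { Test-ProfileFolder -Folder $_ -Domain $Domain } |
    Where-Object { -not ($_.OwnerIsUser -and $_.UserFullControl) -or $_.OtherPrincipals } |
    Format-Table -AutoSize -Wrap
```

The script only reads ACLs; it changes nothing on the share.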

It seems to be related to the backup scripts (they take ownership if admin rights are not present), and indeed, profiles that are created do have the user as owner and lack any kind of admin rights (even if this is set up on the profile folder for all subfolders). Problem solved.
December 9th, 2010 2:24pm

"For the general roaming profile, here is a step-to-step practice: 1. Prepare the roaming user profile - Log on to a Windows Server 2008 with the domain user account to produce a user profile. Log off the computer."

You cannot log on to a Server machine with a domain users profile. You get a warning message saying you do not have the correct credentials to log on to this machine.
April 5th, 2011 11:37am

Thanks Lanwench. Best and useful answer.
April 24th, 2011 10:46pm

In step 1, on the "User Profiles" dialog, the "Copy To..." button is grayed out for me on all profiles with the exception of "Default Profile". Does anyone know why am I seeing this? Could it have to do with the fact that I'm connected remotely to a server running in a VM?

Thank you,
eugen_nw
October 14th, 2011 4:14pm

It's because you have logged in on that profile and it is now in memory, restart your client login as local admin then do the copy. Alan
November 17th, 2011 8:02am

I can't copy the profile either. Can you explain a bit more on how to copy the profile?
December 1st, 2011 12:48pm

hi all

FYI "copy to" option will be grayed out by default ... to use this option you have to perform a "sysprep" in ur 2k8 machines ... n thn u can use it ...

as for roaming profile: Go to AD User and computers >>> user properties >>> profiles >>> give path \\servername\<sharename>\%username%

it should work ...

need ne help email me at shuvodeep.b@hotmail.com
December 2nd, 2011 9:59am

This topic is archived. No further replies will be accepted.
