Tom's Guide Forum
 




 Thread : Roaming profile in problem
 

Archived from groups: microsoft.public.win2000.active_directory

 

After I created the roaming profile in Win2000 Server AD Domain Users
and Computers, when my user logged on, it has the following error. I
have shared the folder and made it full rights for everyone. I even
added the user to administrator groups. Pls help. Thanks


"Windows cannot locate the server copy of your roaming profile and is
attempting to log you on with your local profile. Changes to the
profile will not be copied to the server when you logoff. Possible
causes of this error include network problems or insufficient security
rights."


Regards
Daniel


 

<danieltan@time.net.my> wrote in message
news:1108600120.938700.24170@f14g2000cwb.googlegroups.com...
> After i created the roaming profile in win2000 server AD domain users
> and computers , when my user logged on, it has the following error. I
> have shared the folder and make it full rights for everyone. I even
> added the user to administrator groups. Pls help. Thanks
>
>
> "Windows cannot locate the server copy of your roaming profile and is
> attempting to log you on with your local profile. Changes to the
> profile will not be copied to the server when you logoff. Possible
> causes of this error include network problems or insufficient security
> rights."
>

How did you "create" the roaming profile?
(Hint: usually you DON'T "create" it but let it be created
when the user next logs on...)

Create parent directory on file server;
Set permissions to allow users to modify (or FC)
files and directories there.
Set properties in User's PROPERTY SHEET in
AD Users/Computers to POINT to that directory
you wish the user to use.

Log user ON and OFF.


 

Herb, I've done all that, I don't create folders for the user but they are
getting this error. They can log on to the domain and even the home
directory is OK. What did I miss out? Thanks

Rgds
Daniel


 

<danieltan@time.net.my> wrote in message
news:1108653279.647851.213920@o13g2000cwo.googlegroups.com...
> Herb, i've done all that, i don't create folders for user but they are
> getting this error. They can logged on to domain even the home
> directory is ok. What did i miss out ? Thanks

Roaming profile top directories have always had to be created
(and permissioned) by the admin.

If they exist and are writable, and the computers are authenticating
themselves and the user then the files get added on the next logon/logoff
sequence.

You have to enter an EXISTING directory (for profiles)
in AD Users and Computers -- that directory is for ONE
user but you can use %UserName% to do it for multiple users
or copy one with this setting.


--
Herb Martin



 

Herb, how do I know that my computer is being authenticated? Thanks

Daniel



 

<danieltan@time.net.my> wrote in message
news:1108700602.626100.140630@l41g2000cwc.googlegroups.com...
> Herb, how to know that my computer is being authenticated ? Thanks

It's a good question.

Probably the simplest procedure is to open a command
prompt and type "set l" (or just set if you cannot remember
the variable you want to see starts with an L: logonserver).

I don't think that this variable will ever be set to a DC
if your machine didn't authenticate and log the user on.

You can get more definite information about the computer's
secure channel with NLTest but that is overkill.

A general test (but it doesn't help that much when you already
have problems) is to try to USE your credentials against
a known available resource (file share) and if they don't
work but you can resolve the names and ping and stuff
then you are likely authenticated.

We are now full circle because you were having trouble
which made us suspect authentication.

Set L

....works pretty well for a quick look.



--
Herb Martin



 

danieltan@time.net.my wrote:
> After i created the roaming profile in win2000 server AD domain users
> and computers , when my user logged on, it has the following error. I
> have shared the folder and make it full rights for everyone. I even
> added the user to administrator groups. Pls help. Thanks
>
>
> "Windows cannot locate the server copy of your roaming profile and is
> attempting to log you on with your local profile. Changes to the
> profile will not be copied to the server when you logoff. Possible
> causes of this error include network problems or insufficient security
> rights."
>
>
> Regards
> Daniel

General tips:

1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing.
2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and users=full
control.
3. In the users' ADUC properties, specify \\server\profiles$\%username% in
the profiles field
4. Have each user log into the domain once from their usual workstation
(where their existing profile lives) and log out. The profile is now
roaming.

Notes:

* Make sure users understand that they should never log into multiple
computers at the same time when they have roaming profiles (unless you make
the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't
change them). Explain that the last one out wins, when it comes to
uploading the final, changed copy of the profile.

* Keep your profiles TINY. Redirect My Documents
to a subfolder of each user's home directory on the server - either via
group policy (folder redirection) or manually (less advisable). If you
aren't going to also redirect the desktop using policies, tell people that
they are not to store any files on the desktop or you will beat them with a
stick. Big profile=slow login/logout, and possible profile corruption.

* Note that user profiles are not compatible between different OS versions,
even between W2k/XP. Keep all your computers. Keep your workstations as
identical as possible - meaning, OS version is the same, SP level is the
same, app load is (as much as possible) the same.

* Do not let people store any data locally - all data belongs on the server.


 

Herb, firstly if I can set L to a DC and get a result then my computer is
authenticated? Also if USE and ping can be used then it is
authenticated also? What are the components required in order
to have roaming profiles work?

Regards
Daniel


 

Lanwench, what are the components needed in order for roaming
profiles to work? Thanks for your info.

Rgds
Daniel


 

Herb, I just tested and set L does return the name of the logon server, and
so does the set command, which indicates the correct server name. What do I
need to test next?

Rgds
Daniel


 

Lanwench, the problem is the user folder is not even created by the system
when the user logs on and off. This is due to the error id 1521, DETAIL -
The system detected a possible attempt to compromise security. Please
ensure that you can contact the server that authenticated you. Can't
find any info about this exact error on eventid.net. Possibly it is a network
problem or insufficient security rights. Any ideas now?

Rgds
Daniel


 

<danieltan@time.net.my> wrote in message
news:1108908702.154362.35980@g14g2000cwa.googlegroups.com...
> Herb, firstly if i can set L to a DC and get result then my computer is
> authenticated ?

I think this is true -- were the user not logged on
it would seem wrong to show a logon server.

NLTest is more definitive but difficult to use (contrary
command line switches.)

I was sort of hoping that someone would post a KB article
describing such tests. (Experience makes it pretty obvious
to me but that is NOT a good answer for someone trying to
learn.)

> also if USE and ping can be used then it is
> authenticated also ?

In no way does ping tell you this.

Ping FAILURE would make it unlikely that authentication
worked but even that is not reliable unless you are very
certain why ping failed.

For instance, any firewall including the XP-Win2003 built-in
firewall might block ping or IP might be broken a computer
still authenticate in some domains with another protocol but
this is less common today with IP required and few people
using other protocols.

> What are the components required to have in order
> to have roaming profile works ?

Authentication
Server with share, proper permissions on share and NTFS
Usually share and NTFS need to be Full Control for the
group or user who will save a profile.
Network operation so that client can reach the share (timely
manner so that it doesn't timeout)

--
Herb Martin



 

<danieltan@time.net.my> wrote in message
news:1108914155.799256.289670@c13g2000cwb.googlegroups.com...
> Herb, i just tested and set L does return name of the logon server and
> also does the set command which indicates correct server name. what i
> need to test next ?

Explicitly use the share (as the affected user).

(logon as [test] user first to avoid accidentally using
admin credentials)

net use X: \\serverName\shareName


[If it fails, let's try specific authentication, which would
be necessary if we are not really authenticated on the domain,
OR if the server is not properly working in the domain***.]

net use Y: \\serverName\shareName * /user:DomainName\UserName

If neither of these works, then we likely have a problem with
the Server (in the domain) being authenticated.

If the first fails and the second works then we pretty much know
that the user wasn't fully authenticated and that the user CAN
authenticate and use the server resources.

Ok, let's assume that X: is connected (first worked).

Do these:

X:
cd \username
copy con t.txt
Type some test here
Anything will do
to FINISH you must hit <CTRL-Z><Enter>

If this works, you have proven the user can use the share
and has enough share AND NTFS permissions to create
a file.

If all that works then likely the profile will work.

***Forgot to mention this earlier: Server must be authenticated
properly and working in the domain (or a trusting domain with
trusts working.)

--
Herb Martin



 

The logonserver is the local machine if a DC cannot be found, e.g. the
computer name.


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

n°710466
02-21-2005 at 01:18:46 AM
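
Added example, not part of any poster's message: the checks suggested in the thread (set L, the point that LOGONSERVER is the local machine when no DC is found, connecting to the share with the logon credentials, and writing a test file) collected into one Windows batch script. The script name, the probe file name and the use of pushd in place of "net use X:" are choices made here; treating "can create a folder in the share root" as the write test when the user's folder does not exist yet is an assumption about what the first logoff needs.

```batch
@echo off
rem Added example, not from the thread. Run while logged on as the affected
rem test user, not as an administrator. profcheck.cmd is a made-up name.
rem Usage: profcheck.cmd \\serverName\shareName
setlocal
if "%~1"=="" echo Usage: %~nx0 \\serverName\shareName& exit /b 2
set "SHARE=%~1"
set "PROBE=_probe_%RANDOM%"

rem Step 1, "set L": per the thread, LOGONSERVER names the DC that logged the
rem user on, and is the local computer name when no DC could be found.
echo LOGONSERVER=%LOGONSERVER%
if /i "%LOGONSERVER%"=="\\%COMPUTERNAME%" goto :nodc

rem Step 2: connect with the logon credentials only. pushd on a UNC path maps
rem a temporary drive letter, like "net use X:", and popd releases it again.
pushd "%SHARE%" 2>nul
if errorlevel 1 goto :noshare

rem Step 3: prove share AND NTFS permissions by writing as this user, inside
rem the user's folder if it exists, otherwise by creating a folder in the
rem share root (assumed here to be what the first logoff must be able to do).
if exist "%USERNAME%\" (
    echo probe> "%USERNAME%\%PROBE%.txt" 2>nul
    if not exist "%USERNAME%\%PROBE%.txt" goto :nowrite
    del "%USERNAME%\%PROBE%.txt"
) else (
    md "%PROBE%" 2>nul
    if not exist "%PROBE%\" goto :nowrite
    rd "%PROBE%"
)
popd
echo PASS: %USERNAME% can reach and write to %SHARE%
exit /b 0

:nodc
echo FAIL: LOGONSERVER is this computer, so no DC validated the logon.
exit /b 1

:noshare
echo FAIL: cannot connect to %SHARE% with the logon credentials.
echo Next test: net use Y: %SHARE% * /user:DomainName\UserName
exit /b 1

:nowrite
popd
echo FAIL: connected, but %USERNAME% cannot create files or folders there.
echo Check both the share permissions and the NTFS permissions.
exit /b 1
```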