This error has been annoying me for nearly 4 hours now.
We have a terminal server for students. All students use a mandatory profile, located on a share so that it can be accessed by all of the servers in the farm.
I thought this would be easy to set up, so I did the following:
- Log in as a user (that does not have the profile path set) to create a local profile on the machine.
- Configure the profile as you require and then log off.
- Log on as an administrator.
- Open up System Properties –> Advanced –> User Profiles
- Select the profile that you created in steps 1-3 and select Copy To.
- Specify the location and a security group and the intended user. Click OK and verify that the folder exists in the new location.
- Go to the location and rename NTUSER.DAT to NTUSER.MAN to make it mandatory.
- Set the user profile location for all your desired users.
- Log in and test.
All was going well. I was at step 8, and failure struck. Group Policy Client Service Failed the Login: Access is Denied.
Check the following first, as simple solutions:
- The user has read access to the share.
- The user profile is owned by the DOMAIN\Administrators group.
- Ensure the desired group has got read access to the entire profile (you can replace all permissions).
After checking this and repeating the whole process twice, I started looking at something else. The NTUSER.DAT file is a registry hive, which contains keys with their own security on them. So:
- Open up Registry Editor
- Select HKEY_USERS, then right-click and choose Load Hive
- Browse to the location of the profile and open NTUSER.MAN
- Give the key a temporary name, e.g. Profile.
- Right click the name you just gave and choose permissions.
- Make sure the desired group is listed and has Full Control permissions.
- Propagate all these permissions to all child objects.
- Unload the hive and close Registry Editor
This cured the problem for me. Now all of the intended users can pick up the profile and work as desired.
I understand from my Googling that this is a problem with some Vista users too. I have not tried this as a solution for them, but would be interested to hear if it does solve it.
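The Registry Editor steps above, scripted in PowerShell as an added example (not the author's own code). The hive path, group name and temporary key name are placeholders, PowerShell 3.0 or later in an elevated session is assumed, and instead of replacing every child ACL it adds the grant only on keys where it is missing.

```powershell
# Added example: load NTUSER.MAN, make sure the group has Full Control on
# every key, then unload. Run from an elevated PowerShell 3.0+ prompt.
param(
    [string]$HivePath = '\\server\profiles\students\NTUSER.MAN',  # placeholder path
    [string]$Group    = 'DOMAIN\Students',                        # placeholder group
    [string]$TempKey  = 'Profile'                                 # temporary name under HKEY_USERS
)

# Same as "Load Hive" in Registry Editor.
& reg.exe load "HKU\$TempKey" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

try {
    # Full Control, inherited by subkeys.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Group, 'FullControl', 'ContainerInherit', 'None', 'Allow')

    $root = "Registry::HKEY_USERS\$TempKey"
    # Root key first, then every subkey, so keys with inheritance
    # disabled are checked as well.
    $keys = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Recurse)

    foreach ($key in $keys) {
        $acl = Get-Acl -LiteralPath $key.PSPath
        # Explicit or inherited Allow/FullControl entry for the group?
        $has = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Group -and
            $_.AccessControlType -eq 'Allow' -and
            $_.RegistryRights -eq 'FullControl'
        }
        if (-not $has) {
            Write-Output "Granting $Group Full Control on $($key.Name)"
            $acl.SetAccessRule($rule)
            Set-Acl -LiteralPath $key.PSPath -AclObject $acl
        }
        $key.Close()   # release the handle so the hive can be unloaded
    }
}
finally {
    # Any handle still open keeps the hive locked; collect them first.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$TempKey" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; close anything holding HKU\$TempKey and retry"
    }
}
```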
Perfect, we only came across the problem after trying the mandatory with a different user account to the one that created it, but this solved the problem.
Just to add, if you are running REGEDIT in 2008 server or Windows 7, ensure you right click and run it as administrator to negate any permission issues setting the permissions!
Another tip for all those out there… Google for ADMODIFY tool. If you are messing about changing profile paths this is an invaluable tool for bulk changes to user properties in the domain.
Thanks,
A
Thanks Andrew – and for the ADMODIFY tool. That will definitely come in handy.
Thanks man, I was troubleshooting mandatory profiles over the weekend till the Hive permissions that you highlighted solved it.
:)
I’ve been reading a few posts and really enjoy your writing. I’m just setting up my own blog and only hope that I can write as well and provide the reader so much insight.
Thanks. You shall have to let me know the address and I will come and have a read!
I really liked reading your post! Quality content. With such a valuable blog I believe you deserve to be ranking even higher in the search engines :). Check out the link in my name. That links to a tool that really helped me rank high in Google. This way even more people can enjoy your posts and nothing beats a big audience ;)
Thanks for a fantastic and detailed post. I have exactly the same problem but unfortunately, your fix didn’t work for me… :-(
Sorry it didn’t work for you. I would be interested to know what sorted it for you though.
Are you also working with Terminal Server, or just mandatory profiles for fat clients?