Re: Access Denied Roaming Profile


Christal Rasband

Jul 10, 2024, 8:27:54 AM
to themumicle

By default, the roaming profile folders for users only allow access from SYSTEM and the user themselves. This can be prevented in Group Policy ahead of time, before the folder is created: Computer Configuration > Administrative Templates > System > User Profiles > Add the Administrators security group to roaming user profiles.




cacls D:\Profile\User.Name /T /E /C /G Administrators:F

In the end, the two default entries will stay in the ACL; however, this will add in the local Administrators group as well, which is how it should be if the Group Policy did it automatically.

Have you tried resetting the profiles, that is, renaming both the local and server copies of their folders? Then you can recreate their profile folder on the server and set write permissions for that user. Anything missing can be copied from the old local profile folder and changes will be saved to the server when the user logs off.

Do not use roaming profiles. They are a bad old technology and Redirected Folders + Offline Files completely replaces it. I would highly recommend not using roaming profiles (roaming mandatory profiles is ok).

Our domain admins have free rein over the roaming profile folders while logged into the server, but their only option is to take ownership of the folder/files if they attempt to access them from a workstation.

Folder redirection does make sense, except if the server is no longer accessible you have a problem. At least with roaming you can do whatever you need to locally and signing in/out will do the rest.

In the past, for granular restoration and access to user redirected files/user profiles, I have added a line to the login script that had the user themselves grant the administrator full permission to those directories.

I just take ownership of the folder, then give myself permission, once I have permission I change the ownership back to the user. Not that I have to do this often, but a few times a year there is an issue where I need access.

The GoToMeeting user-based installer created a folder in AppData\Roaming\Microsoft\Installer and these sync problems occurred in our roaming profiles. Deleting the folder both on the local machine and on the profile server fixed this problem.

The article also tells about a registry value HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ExcludeProfileDirs that controls which folders are excluded from synchronization. You might want to add the AppData\Roaming\Microsoft\Installer to the list.

However, we needed a way for some programs that lots of people use to be rolled out on workstations. This is where we created this problem; we used GPOs to roll out software that can be installed via 'Control panel > Programs and features > Install a program from the network'.

Every time I post a request for Dropbox to start supporting Roaming Profiles on Windows 7/8 the message seems to get removed by a moderator. But when I search, there are a lot of users asking for this. I would urge Dropbox to consider supporting roaming profiles as other solutions already are. And it is only a matter of time that all non-Mac users will abandon this app when it becomes a problem. I am already seeing clients switching to Google Drive and Microsoft's version. I think Dropbox is a better system, but it has to stay current and advance with the times. In the era of virtualized workstations, PCoIP, and smaller companies harnessing the power of roaming profiles, it would be suicide to ignore.

Since Dropbox installs to the folder path %APPDATA%\Dropbox, roaming profiles will cause Windows to mark the Dropbox database files as offline files, sending them back to the server. When this happens, the files are effectively unavailable, causing the Dropbox client to unlink.

I have set up a Citrix 7.9 XA/XD Site using NetScaler VPX 11 and StoreFront 3.6 and everything is working so far, except I am having a lot of trouble getting UPM to work for roaming profiles. My environment is all Windows Server 2012 and I have a number of the servers set up as shared desktops which are load balanced.

I cannot get a profile to logon and for the profile to get created in the user store path I have setup, when I try to logon I get a Windows Security message "these files can't be opened". This is a share on a Windows 2012 server, all the correct perms have been applied and this is where I would like all my profiles to be stored.

This has finally resolved this issue, a big shout out to Carl who has to be the go to man for anything Citrix on the web. Thank you for persevering with me on this. Now when I logon to a shared desktop the logon time is much faster (quite fast actually) and my profiles are getting created in the correct user store on my fileserver. I'm rapt.

Carl, not sure what to do here. I found this, however it points to Server 2008 and XA 6.5, but it talks about creating a new default user profile and editing the ntuser.dat and changing the owner of Software\Microsoft\SystemCertificates\Root\ProtectedRoots

Optimising Windows 2012 - turn off UAC, turn off IE enhanced security, run this .reg file IEBrowserMaximumMajorVersion.reg, Turn on Smart Screening, turn off Windows firewall, for SCOM to manage a Citrix server make sure WinRM is running (cmd prompt > winrm quickconfig).

I now can't log on properly to this server that I have been testing on. Even with my domain admin account through RDP and turning the GPO off, I get a temporary profile, so something has gone amiss somewhere. I am going to rebuild this server. I tried copying the ntuser.dat from a working server to the default user and I made sure I deleted any local accounts.

OK I fixed the temporary profile issue with logging onto the server by deleting any .bak files from the registry, perhaps I don't need to rebuild this server. As I have copied over a new ntuser.dat I will try giving SYSTEM full control and if this fails then I am out of ideas. Carl, thank you so far for your time, I didn't think UPM would be this troublesome to setup.

I'm having this exact issue but I cannot edit the NTUSER.DAT for the default user profile as it's in use when logged on. As soon as I log off, the NTUSER.DAT is written back to the profile share so I can't edit it locally, and when I try to edit via the hive whilst on the share it says Access Denied. I cannot add SYSTEM or any other object.

Hi Wayne, I'm not sure why your default user has been redirected to a share? Something sounds amiss in your upm setup. The default user is local to each shared desktop in each server, I would go back and check your setup, have a look at Carl's guide on this. Can you login as a local administrator and load the ntuser.dat hive and edit the default user that way?

I'm logging onto the XenApp Server with a fresh new account which creates the local profile in C:\USERS and also on the profile share? I make changes, i.e. pin icons to the taskbar, and log off. This then writes back to the profile on the share under UPM_Profile.

This problem occurs because of a change that was made in Windows 10, version 1803. This change inadvertently caused folders that are usually excluded from roaming to be synchronized by roaming user profiles when you log on or log off.

To work around this problem, you can copy the ExcludeProfileDirs registry key from a Windows 10, version 1709-based computer to the version 1803-based computers that are experiencing the problem. Full path to the registry key:

Just recently my computer started having a notification saying that my roaming profile was not synchronizing. I have not changed anything on my computer other than Windows Updates. Any ideas how to fix this. Thank you.

Warning #2
Windows cannot copy file \\?\UNC\fs3\users\THunter\profile.V6\AppData\Roaming\Microsoft\Installer to location \\?\C:\Users\thunter\AppData\Roaming\Microsoft\Installer. This error may be caused by network problems or insufficient security rights.
DETAIL - Access is denied.

Hello!
Thanks for the info. Unfortunately I don't have a tip. I'm rather considering taking the script offline again, since I have already heard from several sides that there are problems.
Kind regards

I was able to solve the problem of hidden files and directories being skipped. The cause was that Get-ChildItem simply ignores them unless you enable the -Force switch. Otherwise I run your script exactly as you published it and it does exactly what it should. Many thanks!

Patrick, can you tell me what roaming profiles are and what their purpose is? What does it mean when you say roaming profiles? Do you mean roaming profiles store my files and folders on the server instead of on my local PC or laptop?

When you post code, sample data, console output or error messages please format it as code using the preformatted text button ( ). Simply place your cursor on an empty line, click the button and paste your code.

The Remove-Item cmdlet deletes one or more items. Because it's supported by many providers, it can delete many different types of items, including files, folders, registry keys, variables, aliases, and functions.

The snippet I shared above will delete the desired files and folders in ALL user profiles. Usually users do not have access to the profiles of other users. If you only want to clean up the profile of the currently logged on user you may use your initial approach.
