Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Windows Server 2003 checks for pre-created roaming profile folders when you make a roaming user profile



Summary

Versions of Microsoft Windows 2000 earlier than Service Pack 4 (SP4) and versions of Microsoft Windows XP earlier than Service Pack 1 (SP1) do not check the permissions of the target roaming profile folder if the folder already exists when a roaming user profile is created. This behavior might permit an individual to create another user's roaming profile folder in advance and to set permissions that let the creator of the folder access it later. The creator might then be able to modify the user's roaming user profile or to deny access to the legitimate user. Windows Server 2003, Windows XP Service Pack 1 (SP1), and Windows 2000 SP4 check for correct permissions and do not permit roaming if the permissions are not those that Windows requires. This article discusses this new behavior in the products that are listed at the beginning of this article.



More information

Windows Server 2003 uses the following steps to confirm correct security for roaming user profile folders:
  • Windows Server 2003 determines whether the roaming profile folder exists and whether either the user or the Administrators group is the owner of the folder.
  • Windows Server 2003 considers the folder legitimate and copies files to the folder during the logoff process and from the folder during the logon process if the following conditions are true:
    • The user or the Administrators group owns the folder.
    • The "Do not check for user ownership of Roaming Profile Folders" policy is not set.
  • When these conditions are not true, Windows Server 2003 does not copy any files from or to the folder. Windows Server 2003 displays an error message and logs an event in the System event log.
  • Windows Server 2003 creates the folder in its current secure manner if no cached profile exists, the user's cached profile, or a temporary profile is issued.
  • If the "Do not check for user ownership of Roaming Profile Folders" policy is set, Windows Server 2003 assumes that the folder is legitimate and does not check the ownership of the folder.
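
The ownership rule in the steps above can be checked ahead of time across a profile share. The following PowerShell is an added example, not part of the original article and not Microsoft's code; the share path, the domain name and the convention that each folder is named after the user's logon name are assumptions, and "the Administrators group" is taken to mean BUILTIN\Administrators (well-known SID S-1-5-32-544).

```powershell
# Added example (not from the KB article): report roaming profile folders whose owner
# is neither the matching user nor the Administrators group.
# Assumptions: placeholder share and domain; each folder is named after the user's logon name.
param(
    [string]$ProfileRoot = '\\fileserver.example\Profiles$',  # placeholder UNC path
    [string]$Domain      = 'EXAMPLE'                           # placeholder domain name
)

$sidType   = [System.Security.Principal.SecurityIdentifier]
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-ProfileOwnerVerdict {
    param([System.IO.DirectoryInfo]$Folder)

    # Owner recorded in the folder's security descriptor, as a SID string.
    $ownerSid = (Get-Acl -LiteralPath $Folder.FullName).GetOwner($sidType).Value

    # Resolve the account that the folder name implies. The name may not map to
    # any account (stale or bogus folder), in which case $userSid stays $null.
    $userSid = $null
    try {
        $account = New-Object System.Security.Principal.NTAccount($Domain, $Folder.Name)
        $userSid = $account.Translate($sidType).Value
    } catch {
        # Name could not be translated to a SID; handled by the verdict below.
    }

    if ($ownerSid -eq $adminsSid)                 { $verdict = 'OK (Administrators)' }
    elseif ($userSid -and $ownerSid -eq $userSid) { $verdict = 'OK (user)' }
    elseif (-not $userSid)                        { $verdict = 'REVIEW (no such account)' }
    else                                          { $verdict = 'FAIL (unexpected owner)' }

    [pscustomobject]@{ Folder = $Folder.Name; OwnerSid = $ownerSid; Verdict = $verdict }
}

# One row per profile folder, grouped by verdict.
Get-ChildItem -LiteralPath $ProfileRoot -Directory |
    ForEach-Object { Get-ProfileOwnerVerdict -Folder $_ } |
    Sort-Object Verdict, Folder |
    Format-Table -AutoSize
```

A folder reported as FAIL is one that the check described above would treat as not legitimate, so it is worth establishing who created it before correcting the owner.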

Error messages

When you log on as a user that has a roaming profile and Windows Server 2003 determines that the roaming profile folder is not legitimate, you receive the following error message:
Windows did not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrator's group must be the owner of the folder. Contact your network administrator.

The "Do not check for user ownership of Roaming Profile Folders" policy setting prevents Windows Server 2003 from checking for correct permissions on a user's roaming profile folder. Windows Server 2003 does not copy files to or from the roaming profile folder if the following conditions exist:
  • You turn off or do not configure this setting.
  • The roaming user profile folder exists.
  • Neither the user nor the Administrators group is the owner of the folder.
If you turn on this setting, the behavior is the same as in versions of Windows that are earlier than Windows Server 2003 or Microsoft Windows XP without SP1.

To change the "Do not check for user ownership of Roaming Profile Folders" policy setting:
  1. Start the Group Policy snap-in.
  2. Browse to the following folder:

    Computer Configuration\Administrative Templates\System\User Profiles
  3. In the right pane, double-click "Do not check for user ownership of Roaming Profile Folders".
  4. To turn on the policy, click Enabled. To turn off the policy, leave the policy undefined or click Disabled.
  5. Click OK.



Keywords: KB327259, kbinfo


Article Info
Article ID : 327259
Revision : 13
Created on : 2/28/2007
Published on : 2/28/2007
Exists online : False