Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Windows Server 2003 checks for pre-created roaming profile folders when you make a roaming user profile


View products that this article applies to.

Summary

Versions of Microsoft Windows 2000 earlier than Service Pack 4 (SP4) and versions of Microsoft Windows XP earlier than Service Pack 1 (SP1) do not check the permissions of the target roaming profile folder if the folder already exists when a roaming user profile is created. This behavior might permit an individual to create another user's roaming profile folder in advance and to set permissions that might permit the creator of the folder to visit the folder later. The creator might then be able to modify the user's roaming user profile or to deny access to the legitimate user. Windows Server 2003, Windows XP Service Pack 1 (SP1), and Windows 2000 SP4 checks for correct permissions and does not permit roaming if the permissions are not those that Windows requires. This article discusses this new behavior in the products that are listed at the beginning of this article.

↑ Back to the top


More information

Windows Server 2003 uses the following steps to confirm correct security for roaming user profile folders:
  • Windows Server 2003 determines if the roaming profile folder exists and that either the user or the Administrators group is the owner of the folder.
  • Windows Server 2003 considers the folder legitimate and copies files to the folder during the logoff process and from the folder during the logon process if the following conditions are true:
    • The user or the Administrators group owns the folder.
    • The "Do not check for user ownership of Roaming Profile Folders" policy is not set.
  • When these conditions are not true, Windows Server 2003 does not copy any files from or to the folder. Windows Server 2003 displays an error message and logs an event in the System event log.
  • Windows Server 2003 creates the folder in its current secure manner if no cached profile exists, the user's cached profile, or a temporary profile is issued.
  • Windows Server 2003 assumes that the folder is legitimate if the "Do not check for user ownership of Roaming Profile Folders" policy is set and the ownership of the folder is not checked.

Error messages

When you log on as a user that has a roaming profile and Windows Server 2003 determines that the roaming profile folder is not legitimate, you receive the following error message:
Windows did not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrator's group must be the owner of the folder. Contact your network administrator.
This new policy prevents Windows Server 2003 from checking for correct permissions on a user's roaming profile folder. Windows Server 2003 does not copy files to or from the roaming profile folder if the following conditions exist:
  • You turn off or do not configure this setting.
  • The roaming user profile folder exists.
  • Neither the user nor the Administrators group is the owner of the folder.
If you turn on this setting, the behavior is the same as versions of Windows that are earlier than Windows Server 2003 or Microsoft Windows XP without SP1.

To change the "Do not check for user ownership of Roaming Profile Folders" policy setting:
  1. Start the Group Policy snap-in.
  2. Browse to the following folder:

    Computer Configuration\Administrative Templates\System\User Profiles
  3. In the right pane, double-click Do not check for user Ownership of Roaming Profile Folders.
  4. To turn on the policy, click Enabled. To turn off the policy, leave the policy undefined or click Disabled.
  5. Click OK.

↑ Back to the top


Keywords: KB327259, kbinfo

↑ Back to the top

Article Info
Article ID : 327259
Revision : 13
Created on : 2/28/2007
Published on : 2/28/2007
Exists online : False
Views : 252