How to configure true roaming profiles using Windows XP Professional in a workgroup environment using the classic NTFS file permissions (not simple file sharing.)
Copyright February 16, 2003, published at toups.info All rights reserved.
This write up assumes that you have a workgroup set up and the computers can see each other on the network. Furthermore, we will assume that computer A is the computer on which all the user profiles currently exist. I have implemented this on a two computer system.
I believe, but have not verified, that these instructions will work for additional systems. These instructions are issued for informational purposes; the reader assumes any and all responsibilities for their use.
All steps are required. The following steps are very important but not obvious: 5, 6b, 9 and 11a-g.
1) If not currently disabled, disable simple file sharing to allow the use of full NTFS file permissions. (Note that simple file sharing is the default for a workgroup environment while classic is the default for a domain environment. Disable simple file sharing by going to "Start" Menu -> "My Computer" -> "Tools" -> "Folder Options..." -> "View" tab -> in "Advanced Settings" box uncheck "Use Simple File Sharing (Recommended)"
2) Make sure that the users that you want roaming profiles for exist on computer A and have logged on and off of this system to create their local folder structure (normally in c:\Documents and Settings.) Also make sure that the roaming users have passwords for their accounts.
3) Create a folder to use for storage of the master copy of the roaming profiles. This folder can exist on any of the computers.
a) Log on an account with administrator privileges on the computer on which you want the master copy of the roaming profiles to exist on. Create the folder, e.g., “Start" Menu -> "My Computer" -> "Local Disk (C:)" -> "File" menu -> "New Folder", rename as desired, such as "Roaming." Be sure the "Read-only" box is not selected.
b) Share the folder and set the share permissions on the folder to allow at least the roaming users to have "Full Control."
c) Turn off Caching, "Caching" button, uncheck "Allow caching of files in this shared folder."
d) Set NTFS permissions on the folder. The minimum permissions normally required
Creator/Owner, Full Control, Subfolders and Files Only
Administrator, Full Control (after setup, Administrators can be set to None.)
System, Full Control, This Folder, Subfolders And Files
Users, Special, List Folder / Read Data and Create Folders / Append Data, This Folder Only
4) On computer A, set up roaming for each user profile on the first machine. "Start" Menu -> "Control Panel" -> "Performance and Maintenance" -> "Administrative Tools" -> "Computer Management" look under "System Tools" -> "Local Users and Groups" -> "Users." Double click each user and under the "Profile" tab set "Roaming Path:" to the \\Computername\Roaming\Username where \\Computername\Roaming is the name of the file folder created in step 3. Username is the name of the user for which the profile is being set up. Important, leave "Local Path" alone (blank.) Do not set the local path to the location of the roaming profile master copy location.
5) On computer A, enable the group policies for “Do not check for user ownership of Roaming Profile Folders” and "Add the Administrator security group to the roaming user profile share" policy using "Start" menu -> "Run", enter "gpedit.msc" -> under "Computer Configuration" -> “Administrative Templates” -> "System" -> "User Profiles" and enabling these two properties.
6) On computer A.
a) Log on and off of each account for which roaming
profiles are to be created in order to create the roaming profile folders and
files. Note, minimum permissions for
each user's roaming profile folder should be:
%Username%, Full Control, Owner of Folder
System, Full Control
Administrators, No Permissions (However, using these instructions, it will be Full Control. This is needed to perform the remaining steps as written.)
b) Have "Administrator" take ownership of the roaming profiles by using "Start" menu -> "My Computer" -> browse to the master roaming folder. Right click on the folder, select "Properties" -> "Security" tab -> "Advanced" button -> "Owner" tab and select "Administrators" and check the box for "Replace owner on subcontainers and objects" and apply.
7) On computer B (and any remaining computers), create new user profiles for each roaming user with the same name and password as on computer A. (Do not enter a value for "Roaming Path:" in this step. This must be done in step 10.)
8) On computer B (and any remaining computers), log on and off of each new user profile to create the initial user profile folder and directory structure.
9) On every computer, perform step 5 to enable the group policies for “Do not check for user ownership of Roaming Profile Folders” and "Add the Administrator security group to the roaming user profile share."
10) On computer B (and any remaining computers), set up roaming for each user profile on the first machine. Do this by logging on to computer B with an administrator account and performing the same steps as in step 4 above.
11) On computer B (and any remaining computers), set the registry permissions on the user hive to allow the computer to modify the profile. Log on an account that is part of the Administrators group and set the folder view to show hidden files and file extensions using "Start" Menu, -> "My Computer" -> "Tools" -> "Folder Options..." -> "View" tab -> in "Advanced Settings" select "Show hidden files and folders" and unselect “Hide extensions for know file types." Next run regedit, using "Start" menu -> "Run", enter "regedit"
a) Select HKEY_USERS.
b) Load your roaming profile using "File" menu -> "Load Hive...", select location of the user's master roaming profile (completed in step 6 above) NTuser.dat file, nominally \\computername\Roaming\%Username%\NTuser and click "Open." Enter username at prompt for "Key Name:"
c) Select the folder under HKEY_USERS with the username that you entered in step d. Right click and select "Permissions..." from the pull down menu. Click the "Add" button. Enter the username and click "OK."
d) With the username selected, select the "Full Control" permission checkbox. The unknown user(s) corresponds to the user's identity on the other computer(s).
e) Click on the "Advanced" button, and in the "Advanced Security Settings for Username" window, select "Replace permission entries on all child objects with entries shown here that apply to child objects" and click "Apply" and answer "Yes" to the prompt. Click "OK" and "OK" to close the permission windows.
f) Select the username folder under HKEY_USERS and run "File" menu -> "Unload Hive" and respond "Yes."
g) Copy the roaming profile NTuser.dat and NTuser.dat.log files to the local profile, i.e., copy \\computernameA\Roaming\%Username%\NTuser.dat and \\computernameA\Roaming\%Username%\NTuser.dat.log to c:\Documents and Settings\%Username%\NTuser.dat and c:\Documents and Settings\%Username%\NTuser.dat.log on the current machine.
h) Repeat steps a through g for each roaming user (and for every roaming user on each additional computer. I have only tried this for two computers, A and B.)
12) On computer B (and any remaining computers), log on and log off each roaming user.
Troubleshooting and notes
There is a log file at C:\WINDOWS\Debug\UserMode\userenv.log or (%windows%\Debug\UserMode\userenv.log.) Enhanced logging can be turned on by creating a registry key. See http://support.microsoft.com/default.aspx?scid=kb;en-us;221833 use a value of 30002 hex for the most information.
If you are unable to access any items in menus and nothing is visible in the start menu, then most likely, the registry permissions are not properly set. Be sure the user has full control of all keys in the hive for both the local and roaming profiles. (Basically see step 10 but do check both local and roaming copies of NTuser.dat, you may need to change both if something was messed up the first time.)
If you have are unable to load the profile from computer B, make sure that Administrators is the owner of the roaming profile. The computer requires the owner to be Administrators or the current user. However, without a domain, the system does not recognize the same user on different machines as the same. (See step 6b.) Also, make sure that the step 9 was successfully performed; otherwise, the loading will fail because it does not recognize the current owner properly.
There appears to be a problem where .jpg wallpaper does not appear to roam properly. However, the registry settings are being updated properly. Usually, if you go to the desktop tab after right clicking for properties on the desktop, you will find the proper wallpaper file is actually selected. Clicking "OK" will cause it to display.