Roaming profiles and local policy

Status
Not open for further replies.

Manoi

Technical User
Jan 21, 2004
15
US
Hi,

I don't know if I am posting in the right forum, but I know that on Tek-Tips forums there are always professionals that can help.

We've recently migrated from an SBS NT4 to an SBS 2000 server; everything went OK, even installing and using VPN. I am facing two problems now:

Problem 1: when adding a new user in AD, the user cannot log on with the roaming profile. On any workstation the user tries to log on, a message pops up saying that his folder cannot be created. When I manually create the folder on the share everything goes fine. Any explanations or help so that it can be created by itself?

Problem 2: we need some users to log on to the server through VPN. They can effectively open the VPN and also the RDP connection with their own name and pw. When trying to log on to the server, a message saying the local policy is not set to logon interactive is generated. Only administrators can log on. How can I change this policy?

Thanks in advance
 
I don't know if this will help any, I'm probably going off in the wrong direction but here goes nothing:

Problem 1: Turn off the Terminal Services Profile. In Active Directory, look at the properties of a user and the tab you want to look at is 'Terminal Services Profile'.
Delete the profile under the 'tsprofiles' directory, then click on the normal 'profile' tab and make sure your profile path is correct.

Problem 2: In Active Directory, get the properties of a user and click the 'Dial In' tab. Most users should be set to "Control Through Remote Access Policy"
I have no idea what that is, so I set all the users that I want to be allowed to use VPN to 'Allow access'

I hope that helped some, but knowing me it probably didn't.
 
Does the user logging in have the correct security privileges on the drive to create the folder?
 
Thanks for replying
@captaincrunch00, answer 1 may be a solution; I cannot try it at this moment, weekend :)
Answer 2: as said, users can open the VPN connection and also remote desktop, but only administrators can log on to the server. The error message "LOCAL POLICY prevents you from logging in remotely" pops up.
@Grenage, I don't understand what you mean; the problem occurs when a fresh new user tries to log on to the domain. He can log on, but no changes on his workstation can be saved on the server, in other words no roaming profile, because the folder with his name could not be created.
 
When you log in, does it give you a message saying "the profile path \\tsprofile$\username cannot be created" and it automatically closes in 3 seconds?
If so, that's the terminal services profile, you just gotta take that off like #1 in my previous response.

If not, check the Group Policy to see if there's anything in there; I really have no ideas if that's the case. Hopefully someone smart will read your thread.
 
@captaincrunch00, no it says:
LOCAL POLICY prevents you from logging in remotely
I've already gone through local, domain and DC policies and tried to enable logging on locally and added a test user, but no help.
 
What I meant, sorry, was: does the user logging in have permissions to create a folder on the server where the profiles are stored?

I'm not 100% sure on this but I imagine they would.
 
Hi,
As for my 2nd problem, it was partially solved with the secedit command after changing the local logon policy; I was very stupid. Yet another error message saying that the user has got no right to admit this session pops up.

Regards,
Manoi
 