
User Environment: Windows cannot log you on because profile cannot be. 1

Status
Not open for further replies.

1LUV1T

IS-IT--Management
Nov 6, 2006
231
US
Hello all, for some reason I have been having an issue creating accounts in my domain for terminal services. (see screenshot below)
profile-error.JPG

I tried to research this problem, but anyone that has encountered this error gets it because they use Roaming Profiles. I do not. I simply go to Active Directory > Add user > make Member Of Remote Desktop Users, and from there they should connect to our terminal server just fine. However, lately I am getting the error above.

This is Windows 2003 Server and machines are WinXP.
Any help would be greatly appreciated.
 
Also, I am not using Roaming Profiles, and in the Event Viewer the error log says EVENT ID 1500 and DETAIL - Access Denied.

The only way around this is if I make the user a Member of Administrators; then they can log in, their profile gets created, and I have to demote them. (This is very dangerous.)
 
Sounds like you have a permissions problem that is being inherited. By making the user a member of the Admin group they create a folder and become the owner of that folder and files, thus having full control of that folder. When you demote them those NTFS permissions remain.

Check the NTFS permissions at the root level or at each of the higher folders to see what is being inherited.

I hope you find this post helpful.

Regards,

Mark

 
You may want to check the NTFS permissions on the Default User in Documents and Settings. This is the container that builds each new profile that logs into the machine.

By default, Everyone and Users should have READ & EXECUTE / LIST FOLDER CONTENTS / READ permissions. Admin and System have FULL CONTROL.

Hope This Helps,

Good Luck!
 
You guys are correct that it was inheriting permissions, which meant that only Administrator and System had full access rights. However, I disabled inheritance for C:\Documents and Settings\Default User and followed monsterjta's advice by making sure Everyone and Users have READ & EXECUTE / LIST FOLDER CONTENTS / READ permissions and Admin and System have FULL CONTROL.

I am still getting the same issue.
 
I even gave EVERYONE and USERS full control: Modify, Read & Execute, List Folder Contents, Read, Write in NTFS Security of Default User folder and....

I create a test/test account in AD.
Then I go to RDP and try to log in as test/test, and it does not create a user profile, it just gives me that error.
 
AOConsulting,

The same permissions go for Documents and Settings directory (as I stated for the Default User), and should inherit from there.

Hope This Helps,

Good Luck!
 
Thanks monsterjta for your valuable post! That fixed it.

I just remembered that I set that permission myself because I wanted to prevent users that browse our terminal server c:\ from seeing all the user folders in Documents and Settings. Should I just remove the list folder contents from Users, Everyone?
 
I wouldn't do that, because I believe the system needs this permission to properly create user profiles. Once the user's profile is created, the system will set the appropriate permission on the user's directory and nobody will be able to browse it except for the administrator.

You could, however, hide the c: drive from users in group policy. This would be another post.

Hope This Helps,

Good Luck!
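
A read-only check of the two folders discussed in this thread against the default permissions quoted above, as an added example that is not part of the original posts. It assumes PowerShell 2.0 or later is installed on the terminal server and that account names are the English ones; `Test-ProfileAcl` is a hypothetical helper name.

```powershell
# Added example: audit the ACLs that new-profile creation depends on.
# Paths are the XP / Server 2003 defaults named in the thread.
$paths = @(
    'C:\Documents and Settings',
    'C:\Documents and Settings\Default User'
)

# Minimum rights per identity, taken from the defaults quoted in the thread.
# Assumption: English account names.
$expected = @{
    'Everyone'               = 'ReadAndExecute'
    'BUILTIN\Users'          = 'ReadAndExecute'
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
}

function Test-ProfileAcl {
    param([string]$Path)

    $acl = Get-Acl -Path $Path
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    # InheritOnly ACEs apply to children only, not to the folder itself.
    $aces = @($acl.Access | Where-Object {
        -not ([int]$_.PropagationFlags -band $inheritOnly)
    })

    foreach ($id in $expected.Keys) {
        $need = [int][System.Security.AccessControl.FileSystemRights]$expected[$id]
        $granted = 0
        $denied = 0
        foreach ($ace in $aces) {
            if ($ace.IdentityReference.Value -ne $id) { continue }
            if ($ace.AccessControlType -eq 'Allow') {
                $granted = $granted -bor [int]$ace.FileSystemRights
            } else {
                $denied = $denied -bor [int]$ace.FileSystemRights
            }
        }
        # Pass only if every needed bit is allowed and none of them is denied.
        $ok = (($granted -band $need) -eq $need) -and (($denied -band $need) -eq 0)
        New-Object PSObject -Property @{
            Path = $Path; Identity = $id; Required = $expected[$id]; OK = $ok
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    }
}

$paths | ForEach-Object { Test-ProfileAcl $_ } |
    Format-Table Path, Identity, Required, OK, InheritanceBlocked -AutoSize
```

A row with `OK` set to `False` for Everyone or BUILTIN\Users on either folder matches the situation described in this thread, where Event ID 1500 reported Access Denied.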
 