This error has been annoying me for nearly 4 hours now.
We have a terminal server for students. All students use a mandatory profile, located on a share so that it can be accessed by all of the servers in the farm.
I thought this would be easy to set up, so I did the following:
- Log in as a user (that does not have the profile path set) to create a local profile on the machine.
- Configure the profile as you require and then log off.
- Log on as an administrator.
- Open up System Properties –> Advanced –> User Profiles
- Select the profile that you created in steps 1 -3 and select Copy To.
- Specify the location and a security group and the intended user. Click OK and verify that the folder exists in the new location.
- Go to the location and rename NTUSER.DAT to NTUSER.MAN to make it mandatory.
- Set the user profile location for all your desired users.
- Log in and test.
All was going well. I was at step 8, and failure struck. Group Policy Client Service Failed the Login: Access is Denied.
Check the following first, as simple solutions:
- The user has read access to the share.
- The user profile is owned by the DOMAIN\Administrators group.
- Ensure the desired group has got read access to the entire profile (you can replace all permissions).
After checking this and repeating the whole process twice, I started looking at something else. The NTUSER.DAT file is a registry hive, which contains keys with their own security on them. So:
- Open up Registry Editor
- Select HKEY_USERS and then rtight click and Load Hive
- Browse to the location of the profile and open NTUSER.MAN
- Give the key a temporary name. e.g Profile.
- Right click the name you just gave and choose permissions.
- Make sure the desired group is listed and has Full Control permissions.
- Propagate all these permissions to all child objects.
- Unload the hive and close Registry Editor
This cured the problem for me. Now all of the intended users can pick up the profile and work as desired.
I understand from my Googling that this is a problem with some Vista users to. I have not tried this as a solution for them, but would be interested to hear if it does solve it.