Server 2008 Roaming Profiles Permissions

I'm having an issue setting up roaming profiles in Windows Server 2008 R2. The roaming profile is not being created on login/logoff with the user and they constantly have a temporary profile. I have the following permissions set on the folder:

Share Name: profiles$
Permissions:
  Authenticated Users - Full
  Administrators - Full
  SYSTEM - Full

NTFS Settings:
  CREATOR OWNER - Full
  SYSTEM - Full
  Administrators - Full
  Authenticated Users - Traverse folder/Execute, List Contents, Read Permissions

This is how I used to set this up in Server 2003 and I never had an issue like this, but since then MS has changed the wording on some of the permissions settings so I may be overlooking something. I can temporarily fix the problem by just adding the Everyone = Full permission on the NTFS settings, but that is not a solution. Any suggestions?

Update:

I used the guide that was provided below and the profile directory is now being created when the user logs in for the first time, but the profile is never written to it when the user logs off.


Solution 1:

  1. If you have Authenticated Users = Full in shared, you don't need any of the others.

  2. Your NTFS permissions have no way for a normal user to create their home folder. As such, you'll have to create the folder yourself. The best way to do this is to create all the home folders, and use chown to set the owner to them. That way they own the folder and you can use the Creator Owner security object to set permissions appropriately.

    I highly suggest that Creator Owner does not get Full Control, as this will also allow the users to muck with the permissions of their home folder, something they should never need to do.

    The alternative is to grant the "Create Folders" permission on the Profiles folder, and set it to apply to "This folder only". This will allow the users to create the folder, but it will only apply to that single folder. This will also allow any user to create any arbitrary folder.

The permission you have in the question would not have worked on Server 2003. Permissions are almost identical between 2003/2008/2008R2.
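
As an added example (not part of any answer on this page), the PowerShell below applies the NTFS ACL that Solution 1's "Create Folders", "This folder only" alternative describes, then lists the result for review. The path `D:\Profiles`, the helper `New-Rule`, and the choice of Modify for CREATOR OWNER are assumptions; it is meant to run from an elevated session on the file server.

```powershell
# Added example: NTFS ACL for a roaming-profile root, following Solution 1's
# "Create Folders, This folder only" alternative. $ProfileRoot is a hypothetical path.
$ProfileRoot = 'D:\Profiles'

# Well-known SIDs, so the script does not depend on localized account names.
$wellKnown = @{
    System       = 'S-1-5-18'      # NT AUTHORITY\SYSTEM
    Admins       = 'S-1-5-32-544'  # BUILTIN\Administrators
    CreatorOwner = 'S-1-3-0'       # CREATOR OWNER
    AuthUsers    = 'S-1-5-11'      # NT AUTHORITY\Authenticated Users
}

# Hypothetical helper: builds one Allow ACE from a SID string and enum names.
function New-Rule($SidString, $Rights, $Inherit, $Propagate) {
    $id = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# SYSTEM and Administrators: Full Control on this folder, subfolders and files.
# CREATOR OWNER: subfolders and files only, Modify instead of Full Control
#   (assumption, based on Solution 1's advice against Full Control).
# Authenticated Users: this folder only; the question's rights plus Create Folders.
$tree = 'ContainerInherit, ObjectInherit'
$userRights = 'Traverse, ListDirectory, ReadPermissions, CreateDirectories'
$rules = @(
    (New-Rule $wellKnown.System       'FullControl' $tree  'None'),
    (New-Rule $wellKnown.Admins       'FullControl' $tree  'None'),
    (New-Rule $wellKnown.CreatorOwner 'Modify'      $tree  'InheritOnly'),
    (New-Rule $wellKnown.AuthUsers    $userRights   'None' 'None')
)

$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)   # block inheritance, keep no inherited ACEs
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $ProfileRoot -AclObject $acl

# Review the result: an Everyone entry, or Full Control for ordinary users, is a finding.
(Get-Acl -Path $ProfileRoot).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The Authenticated Users entry carries no inheritance flags, so the Create Folders right stops at the profile root and is not inherited by the folders users create beneath it.
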

Solution 2:

The following article details how you should have your Share and NTFS permissions set up for roaming profiles. The article is for W2K3 but applies to W2K8 as well.

http://technet.microsoft.com/en-us/library/cc737633(WS.10).aspx

Solution 3:

I found that if the user has an existing profile on the computer, you must delete the profile completely from the control panel. Getting rid of the profile under C:/Users still left traces of the user.

Then I had the user login, recreate a profile on the local machine and then had the user log off. The user was able to completely sync to the network.

I placed the user's files from backup onto his newly created profile and have not experienced problems since then.