Roaming profile fails to copy down at login after applying Windows XP SP1 or Windows 2000 SP4.

  • 7013440
  • 11-Oct-2013
  • 14-Oct-2013

Environment

Microsoft Windows XP SP1
Microsoft Windows XP
Microsoft Windows XP Professional
Microsoft Windows 2000 SP4
Microsoft Windows 2000 SP3

Situation

Applied Microsoft Windows XP SP1 or Microsoft Windows 2000 SP4, or a post-XP / post-2000 SP3 update which included USERENV.DLL.
Roaming profile fails to copy down at login after applying Windows XP SP1 or Windows 2000 SP4.
Roaming profile fails to copy down at login after applying a post-Windows XP or post-Windows 2000 SP3 update.
Message: "Windows did not load your roaming profile and is attempting to log you on with your local profile.  Changes to the profile will not be copied to the server when you logoff.  Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security.  Either the current user or the Administrator's group must be the owner of the folder.  Contact your network administrator."
Message: "Your roaming profile is not available. You are logged on with the locally stored profile. Changes to the profile will not be copied to the server. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator."

Resolution

Fixed in the Novell Client 4.83 SP3 for Windows NT/2000/XP.
To disable the new Windows default behavior, create the following flag value in the registry of the workstations where the update has been installed:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CompatibleRUPSecurity"=dword:00000001

This flag disables the Windows-specific ownership check that Windows XP SP1 and Windows 2000 SP4 perform against the roaming profile directory.

In the Novell Client 4.83 SP2 for Windows NT/2000/XP and Novell Client 4.90 for Windows NT/2000/XP, NWGINA.DLL was updated to create this policy automatically on Microsoft Windows XP machines. 

Microsoft Windows 2000 SP4 was released after the Novell Client 4.83 SP2 for Windows NT/2000/XP and Novell Client 4.90 for Windows NT/2000/XP, and the fix implemented for Windows XP does not apply to Windows 2000 SP4.  Therefore this issue will have to be addressed separately for Windows 2000 SP4 in post-4.83 SP2 & post-4.90 updates for the Novell client.

For Microsoft Windows 2000 SP4 workstations, currently the policy will have to be established manually as described in the Microsoft Knowledgebase articles cited below.


Background:

Windows XP SP1 and Windows 2000 SP4 implement a new default "check who is the owner of the remote profile directory" step in the USERENV process of downloading a remote profile.  USERENV by default attempts to retrieve Windows security information (such as the Windows SID identifying the owner of the remote directory) for the directory where the remote profile is being stored.

Microsoft describes this new policy in Q327462, Windows XP SP1 and Windows 2000 SP4 Check for Existing Roaming User Profile Folders When a Roaming User Profile Is Created.

This is the same code base used for post-XP and post-2000 SP3 hotfixes, and this issue has been confirmed to occur on Windows XP (non-SP1) and Windows 2000 SP3 machines where hotfixes or security updates which included an updated USERENV.DLL have been applied.  For example, the USERENV.DLL v5.0.2195.6794 from KB 824141 for Windows 2000 SP3 will cause the symptoms in this document to occur on a Windows 2000 SP3 workstation.

A remote NetWare-based directory itself (regardless of whether that directory is being accessed via the NetWare NCP or Windows CIFS protocol) does not have the Windows-specific security information that will satisfy this interrogation, given that NetWare file system security is based on NDS information and entry IDs and not on Windows account information or SID identifiers.

When actual Windows security information is unavailable, the default security information that Windows assigns, or the lack of any security information, fails the new "check who is the owner of the remote profile directory" step in USERENV, which then concludes that the interactive user does not have sufficient ownership of the remote profile directory.

Windows XP Professional SP1 and Windows 2000 SP4 and later workstations will present the message described above when attempting to log in with a Windows user account that stores a remote profile in a NetWare-based directory.

A USERENV debug log generated from a Windows XP Professional SP1 workstation exhibiting this issue will show entries similar to one of the following two examples:

USERENV(20c.210) 18:15:38:854 IsCentralProfileReachable:  Entering
USERENV(20c.210) 18:15:38:854 CheckRoamingShareOwnership: checking ownership for \\myserver\datavolume\users\mytestuser
USERENV(20c.210) 18:15:38:864 CheckRoamingShareOwnership: owner is S-1-1-0!
USERENV(20c.210) 18:15:38:864 IsCentralProfileReachable: Ownership check failed with 8007051B
USERENV(20c.210) 18:15:38:864 RestoreUserProfile: IsCentralProfileReachable returned FALSE. error = 1307
USERENV(20c.210) 18:15:38:864 ReportError: Impersonating user.
USERENV(20c.210) 18:15:38:884 ReportError: Logging Error <Windows did not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrator's group must be the owner of the folder. Contact your network administrator.>

USERENV(204.208) 20:27:40:520 IsCentralProfileReachable:  Entering
USERENV(204.208) 20:27:58:827 CheckRoamingShareOwnership: checking ownership for E:\users\mytestuser
USERENV(204.208) 20:31:26:866 CheckRoamingShareOwnership : GetFileSecurity failed with 50
USERENV(204.208) 20:31:26:876 IsCentralProfileReachable: Ownership check failed with 80070032
USERENV(204.208) 20:31:26:876 RestoreUserProfile: IsCentralProfileReachable returned FALSE. error = 50
USERENV(204.208) 20:31:26:876 ReportError: Impersonating user.
USERENV(204.208) 20:31:26:876 ReportError: Logging Error <Your roaming profile is not available. You are logged on with the locally stored profile. Changes to the profile will not be copied to the server. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.>

For more information on generating a USERENV debug log file for troubleshooting roaming profile issues, see Q221833, How to Enable User Environment Debug Logging in Retail Builds of Windows.
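The following is an added example, not part of the original document or of any Novell or Microsoft tool: a small Python parser that pulls the failed ownership checks out of a USERENV debug log and decodes the HRESULT into its Win32 error code. The function names, the SID and error-name lookup tables, and the sample input (constructed from the two excerpts above) are assumptions made for illustration.

```python
import re

# Constructed sample input: the ownership-check lines from the two excerpts above.
SAMPLE_LOG = r"""
USERENV(20c.210) 18:15:38:854 CheckRoamingShareOwnership: checking ownership for \\myserver\datavolume\users\mytestuser
USERENV(20c.210) 18:15:38:864 CheckRoamingShareOwnership: owner is S-1-1-0!
USERENV(20c.210) 18:15:38:864 IsCentralProfileReachable: Ownership check failed with 8007051B
USERENV(204.208) 20:27:58:827 CheckRoamingShareOwnership: checking ownership for E:\users\mytestuser
USERENV(204.208) 20:31:26:866 CheckRoamingShareOwnership : GetFileSecurity failed with 50
USERENV(204.208) 20:31:26:876 IsCentralProfileReachable: Ownership check failed with 80070032
"""

# Prefix layout: USERENV(<process>.<thread>) <time> <function>: <message>
LINE = re.compile(r"^USERENV\(([0-9a-fA-F]+\.[0-9a-fA-F]+)\)\s+([\d:]+)\s+(\w+)\s*:\s*(.*)$")
# Illustrative lookup tables covering only the values relevant to this issue.
WIN32_NAMES = {50: "ERROR_NOT_SUPPORTED", 1307: "ERROR_INVALID_OWNER"}
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-32-544": "BUILTIN\\Administrators"}


def hresult_to_win32(hr_hex):
    """Return the Win32 code carried by a 0x8007xxxx (FACILITY_WIN32) HRESULT, else None."""
    hr = int(hr_hex, 16)
    return hr & 0xFFFF if hr >> 16 == 0x8007 else None


def ownership_failures(log_text):
    """Track state per process.thread id and emit one record per failed ownership check."""
    pending, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, time, _func, msg = m.groups()
        state = pending.setdefault(thread, {})
        if msg.startswith("checking ownership for "):
            pending[thread] = {"path": msg[len("checking ownership for "):]}
        elif (o := re.match(r"owner is (S-[\d-]+)", msg)):
            state["owner_sid"] = o.group(1)
            state["owner_name"] = WELL_KNOWN_SIDS.get(o.group(1), "unknown")
        elif (g := re.match(r"GetFileSecurity failed with (\d+)", msg)):
            state["getfilesecurity_error"] = int(g.group(1))
        elif (h := re.match(r"Ownership check failed with ([0-9A-Fa-f]{8})", msg)):
            code = hresult_to_win32(h.group(1))
            findings.append({**pending.pop(thread), "time": time, "hresult": h.group(1),
                             "win32": code, "win32_name": WIN32_NAMES.get(code, "unknown")})
    return findings


if __name__ == "__main__":
    for finding in ownership_failures(SAMPLE_LOG):
        print(finding)
```

A record with an owner SID corresponds to the first failure pattern (a default owner was returned); a record with a GetFileSecurity error corresponds to the second (no security information could be read at all).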


Additional Information

Formerly known as TID# 10074402