Overcoming issues of using an Environment Variable in Domain user account’s TS Profile Path setting

Author: NetworkAdminKB.com
Created: 2008-09-11
Modified: 2008-12-12

Issue:

Because only one Terminal Services User Profile Path setting can be configured in a user account, you have implemented an environment variable for use in this setting. This allows different Terminal Servers to store TS Profiles in different locations and prevents incompatible settings from different Terminal Servers from overlapping. In the screen shot below, %TSProfilePath% would be set as needed on all Terminal Servers.

However, several issues have now presented themselves.

1) Some users receive “Access Denied” when creating the roaming profile during a user logon attempt immediately after setting the environment variable on the TS Server.

2) Application TS Servers without the environment variable are storing profiles in %SystemRoot%\System32\%variable%

3) Administration Only TS Servers without the environment variable are storing profiles in %SystemRoot%\System32\%variable%

Solutions:

1) Some users receive “Access Denied” (see picture below) when creating the roaming profile during a user logon attempt immediately after setting the environment variable on the TS Server.
   a. Solution: The server must be rebooted so that all server services pick up the new environment variable and its value. If you still receive Access Denied after the reboot, check the share and NTFS permissions on the location where the TS profiles are stored.
   b. Prior to the reboot, the system will attempt to store the profile in %SystemRoot%\System32\%variable%, which the user may not have access to.

2) Application TS Servers without the environment variable are storing profiles in %SystemRoot%\System32\%variable%
   a. Administrators Group
      i. Domain user accounts that are members of the Local Administrators group will have their user profile stored in %SystemRoot%\System32\%variable% instead of the default location of “C:\Documents and Settings”.
      ii. These users will not receive any error message during logon.
   b. Remote Desktop Users Group (non-admins)
      i. Domain user accounts that are members of this group will still receive the “User Environment” dialog box showing “Access Denied”, but will also receive a message regarding “Windows cannot find the local profile and is logging you in with a temporary profile”.
   c. Solution: Implement the needed environment variable on all the Application TS Servers. Configure the variable for a different network location if needed, or even configure it for “C:\Documents and Settings” or a similar local path. The key here is that the environment variable must exist on the TS Server and must point to a valid location.

3) Administration Only TS Servers without the environment variable are storing profiles in %SystemRoot%\System32\%variable%
   a. Administrators Group
      i. Same issue as in the “Application TS Server”
   b. Remote Desktop Users Group (non-admins)
      i. Same issue as in the “Application TS Server”
   c. Solutions: Choose one or more of the following.
      i. Recommended: Implement a Domain GPO for all Administration Only TS Servers that forces local profiles only.
         1. Computer Configuration / Administrative Templates / System / User Profiles Settings / Allow only local user profiles
            a. Enabled
         2. Apply to the Administration Only TS Servers via the Domain or selected OUs
      ii. Implement a local GPO on the affected servers that forces local profiles only.
         1. Computer Configuration / Administrative Templates / System / User Profiles Settings / Allow only local user profiles
            a. Enabled
         2. This is the same as setting the following value in the registry
            a. HKLM\Software\Policies\Microsoft\Windows\System
               i. LocalProfile (REG_DWORD): 1
      iii. Configure the needed environment variable on the affected server(s) to use the local path “C:\Documents and Settings”
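
The checks above can be run on each Terminal Server with a short PowerShell audit. This is an added example, not part of the original article; it assumes the variable is named TSProfilePath (the article's %TSProfilePath%) and is defined as a system (machine-scope) variable.

```powershell
# Added example, not from the original article. Run locally on each Terminal Server.
# Assumption: the variable is named TSProfilePath (the article's %TSProfilePath%)
# and is defined as a system (machine-scope) variable.
$VarName = 'TSProfilePath'
$report  = @()

# The variable must exist on the server and point to a valid location.
$value = [Environment]::GetEnvironmentVariable($VarName, 'Machine')
if ([string]::IsNullOrEmpty($value)) {
    $report += "MISSING: system variable $VarName is not defined"
} else {
    $expanded = [Environment]::ExpandEnvironmentVariables($value)
    if (Test-Path -LiteralPath $expanded) {
        $report += "OK: $VarName = $expanded"
    } else {
        $report += "INVALID: $VarName = $expanded (path not reachable from this account)"
    }
}

# Symptom from the article: while the variable is unresolved, profiles are
# written to a folder literally named %<variable>% under System32.
$stray = Join-Path $env:SystemRoot ('System32\%' + $VarName + '%')
if (Test-Path -LiteralPath $stray) {
    $report += "STRAY: $stray exists and contains:"
    Get-ChildItem -LiteralPath $stray -Force |
        ForEach-Object { $report += "  $($_.Name)" }
}

# Local-profiles-only policy (LocalProfile = 1), the recommended setting
# for Administration Only TS Servers.
$key    = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$policy = Get-ItemProperty -Path $key -Name LocalProfile -ErrorAction SilentlyContinue
if ($policy -and $policy.LocalProfile -eq 1) {
    $report += 'POLICY: local profiles only is enforced'
} else {
    $report += 'POLICY: local profiles only is not enforced'
}

$report
```

A STRAY line means profiles were written under System32 at some point. Review and clean up that folder after the variable or the policy is in place.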

Article ID: 116, Created On: 9/17/2011, Modified: 9/17/2011