Problem Disabling Roaming Profiles on Grouped Users

Posted by user43207 on Server Fault See other posts from Server Fault or by user43207
Published on 2010-05-15T01:43:35Z Indexed on 2010/05/15 1:55 UTC
Read the original article Hit count: 706

Filed under:

I'm having some serious issues getting a group of users to stop using roaming profiles.

As expected, I have roaming profiles enabled accross the domain. - But am doing GPO filtering, limiting the scope. I originally had it set to authenticated users for Roaming, but as the domain has branched out to multiple locations, I've limited the scope to only people that are near the central office.

The GPO that I have linked filtered to a group I have created that include users that I don't want to have roaming profiles. This GPO is sitting at the root of the domain, with the "Forced" setting enabled, so it should override any setting below it. *On a side note, it is the ONLY GPO that I have set to "Forced" right now.

I know the GPO is working, since I can see the original registy settings on a user that logged in under roaming profiles - and then that same user logging in after I made the Group Policy changes, the registry reflects a local profile.

But unfortunately, even after making those settings - the user is given a roaming profile on one of the servers.

A gpresult of that same user account (after the updated gpo) is listed in the code block below. You can see right at the top of that output, that it is infact dealing with a roaming profile. - And sure enough, on the server that's hosting the file share for roaming profiles, it creates a folder for the user once they log in.

For testing purposes, I've deleted all copies of the user's profile, roaming and local. But the problem is still here. - So I'm aparently missing something in the group policy settings on a wider scale.

Would anybody be able to point me in the direction of what I'm missing here?


*gpresult /r***

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0 Copyright (C) Microsoft Corp. 1981-2001

Created On 5/15/2010 at 8:59:00 AM

RSOP data for ** on * : Logging Mode

OS Configuration: Member Workstation OS Version: 6.1.7600 Site Name: N/A Roaming Profile: \\profiles$** Local Profile: C:\Users*** Connected over a slow link?: No

USER SETTINGS

CN=*****,OU=*****,OU=*****,OU=*****,DC=*****,DC=*****

Last time Group Policy was applied: 5/15/2010 at 8:52:02 AM
Group Policy was applied from:      *****.*****.com
Group Policy slow link threshold:   500 kbps
Domain Name:                        USSLINDSTROM
Domain Type:                        Windows 2000

Applied Group Policy Objects
-----------------------------
    ForceLocalProfilesOnly
    InternetExplorer_*****
    GlobalPasswordPolicy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    DAgentFirewallExceptions
        Filtering:  Denied (Security)

    WSAdmin_*****
        Filtering:  Denied (Security)

    NetlogonFirewallExceptions
        Filtering:  Not Applied (Empty)

    NetLogon_*****
        Filtering:  Denied (Security)

    WSUSUpdateScheduleManualInstall
        Filtering:  Denied (Security)

    WSUSUpdateScheduleDaily_0300
        Filtering:  Denied (Security)

    WSUSUpdateScheduleThu_0100
        Filtering:  Denied (Security)

    AlternateSSLFirewallExceptions
        Filtering:  Denied (Security)

    SNMPFirewallExceptions
        Filtering:  Denied (Security)

    WSUSUpdateScheduleSun_0100
        Filtering:  Denied (Security)

    SQLServerFirewallExceptions
        Filtering:  Denied (Security)

    WSUSUpdateScheduleTue_0100
        Filtering:  Denied (Security)

    WSUSUpdateScheduleSat_0100
        Filtering:  Denied (Security)

    DisableUAC
        Filtering:  Denied (Security)

    ICMPFirewallExceptions
        Filtering:  Denied (Security)

    AdminShareFirewallExceptions
        Filtering:  Denied (Security)

    GPRefreshInterval
        Filtering:  Denied (Security)

    ServeRAIDFirewallExceptions
        Filtering:  Denied (Security)

    WSUSUpdateScheduleFri_0100
        Filtering:  Denied (Security)

    BlockFirewallExceptions(8400-8410)
        Filtering:  Denied (Security)

    WSUSUpdateScheduleWed_0100
        Filtering:  Denied (Security)

    Local Group Policy
        Filtering:  Not Applied (Empty)

    WSUS_*****
        Filtering:  Denied (Security)

    LogonAsService_Idaho
        Filtering:  Denied (Security)

    ReportServerFirewallExceptions
        Filtering:  Denied (Security)

    WSUSUpdateScheduleMon_0100
        Filtering:  Denied (Security)

    TFSFirewallExceptions
        Filtering:  Denied (Security)

    Default Domain Policy
        Filtering:  Not Applied (Empty)

    DenyServerSideRoamingProfiles
        Filtering:  Denied (Security)

    ShareConnectionsRemainAlive
        Filtering:  Denied (Security)

The user is a part of the following security groups
---------------------------------------------------
    Domain Users
    Everyone
    BUILTIN\Users
    BUILTIN\Administrators
    NT AUTHORITY\INTERACTIVE
    CONSOLE LOGON
    NT AUTHORITY\Authenticated Users
    This Organization
    LOCAL
    *****Users
    VPNAccess_*****
    NetAdmin_*****
    SiteAdmin_*****
    WSAdmin_*****
    VPNAccess_*****
    LocalProfileOnly_*****
    NetworkAdmin_*****
    LocalProfileOnly_*****
    VPNAccess_*****
    NetAdmin_*****
    Domain Admins
    WSAdmin_*****
    WSAdmin_*****
    *****
    *****
    Schema Admins
    *****
    Enterprise Admins
    Denied RODC Password Replication Group
    High Mandatory Level

© Server Fault or respective owner

Related posts about roaming-profile