This article was previously published under Q327259
For a Microsoft Windows 2000 SP4 and Windows XP SP1 version of this article, see 327462.
Versions of Microsoft Windows 2000 earlier than Service Pack 4 (SP4) and versions of Microsoft Windows XP earlier than Service Pack 1 (SP1) do not check the permissions of the target roaming profile folder if the folder already exists when a roaming user profile is created. This behavior might permit an individual to create another user's roaming profile folder in advance and to set permissions that permit the creator of the folder to access the folder later. The creator might then be able to modify the user's roaming user profile or to deny access to the legitimate user. Windows Server 2003, Windows XP SP1, and Windows 2000 SP4 check for correct permissions and do not permit roaming if the permissions are not those that Windows requires. This article discusses this new behavior in the products that are listed at the beginning of this article.
Windows Server 2003 uses the following steps to confirm correct security for roaming user profile folders:
Windows Server 2003 determines whether the roaming profile folder exists and whether either the user or the Administrators group is the owner of the folder.
Windows Server 2003 considers the folder legitimate and copies files to the folder during the logoff process and from the folder during the logon process if the following conditions are true:
The user or the Administrators group owns the folder.
The "Do not check for user ownership of Roaming Profile Folders" policy is not set.
When these conditions are not true, Windows Server 2003 does not copy any files from or to the folder. Windows Server 2003 displays an error message and logs an event in the System event log.
If the roaming profile folder does not exist, Windows Server 2003 creates the folder in its current secure manner. If the folder exists but is not legitimate, the user is logged on with the cached profile, or with a temporary profile if no cached profile exists.
Windows Server 2003 assumes that the folder is legitimate if the "Do not check for user ownership of Roaming Profile Folders" policy is set and the ownership of the folder is not checked.
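The ownership rule described in the steps above can be audited from the file server side with the following PowerShell script. It is an added example, not part of the original article; the share path \\FILESERVER\Profiles is a placeholder, and the script assumes that each profile folder is named after the account it belongs to.

```powershell
# Added example (not from the KB article): list roaming profile folders under a
# profile share that Windows Server 2003, Windows XP SP1 and Windows 2000 SP4
# would refuse to use, i.e. folders owned by neither the matching user nor the
# BUILTIN\Administrators group. Assumes the layout <ProfileRoot>\<SamAccountName>.
param(
    [string]$ProfileRoot = '\\FILESERVER\Profiles'   # placeholder share path
)

# Well-known SID of BUILTIN\Administrators
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

function Test-RoamingProfileOwner {
    param([System.IO.DirectoryInfo]$Folder)

    $acl      = Get-Acl -LiteralPath $Folder.FullName
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])

    # Resolve the account the folder should belong to from the folder name.
    try {
        $account = New-Object System.Security.Principal.NTAccount($Folder.Name)
        $userSid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        $userSid = $null   # no matching account: cannot be owned by "the user"
    }

    # Same condition the logon check applies: owner must be the user or Administrators.
    $legitimate = ($ownerSid.Value -eq $adminsSid.Value) -or
                  ($null -ne $userSid -and $ownerSid.Value -eq $userSid.Value)

    [pscustomobject]@{
        Folder     = $Folder.FullName
        Owner      = $acl.Owner
        Legitimate = $legitimate
    }
}

# Report only the folders that would make Windows fall back to a local or
# temporary profile and log the corresponding System event.
Get-ChildItem -LiteralPath $ProfileRoot -Directory |
    ForEach-Object { Test-RoamingProfileOwner -Folder $_ } |
    Where-Object { -not $_.Legitimate } |
    Format-Table -AutoSize
```

Run it with an account that can read the ACLs of every profile folder; folders listed here are the ones a legitimate user would be locked out of at the next logon, and their owner should be corrected by an administrator.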
When you log on as a user who has a roaming profile and Windows Server 2003 determines that the roaming profile folder is not legitimate, you receive the following error message:
Windows did not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrator's group must be the owner of the folder. Contact your network administrator.
This new policy prevents Windows Server 2003 from checking for correct permissions on a user's roaming profile folder. Windows Server 2003 does not copy files to or from the roaming profile folder if the following conditions exist:
You turn off or do not configure this setting.
The roaming user profile folder exists.
Neither the user nor the Administrators group is the owner of the folder.
If you turn on this setting, the behavior is the same as in versions of Windows earlier than Windows Server 2003, or in Microsoft Windows XP without SP1.
To change the "Do not check for user ownership of Roaming Profile Folders" policy setting: