Active Directory roaming profile permission issue on folder C:\Users\<user>\AppData\Roaming\Microsoft\Installer

After 11 months we managed to figure the problem out:

We have a policy on our domain controller that requires a domain admin to log in to install software. This makes sure that users aren't able to just install all kinds of software on our workstations.

However, we needed a way for some programs that lots of people use to be rolled out on workstations. This is where we created this problem: we used GPOs to roll out software that can be installed via 'Control panel > Programs and features > Install a program from the network'.

Whenever a user uses this way to "install" rolled out software, it creates the 'Microsoft/Installer' folder in roaming with admin permissions and is not able to sync anymore.

We have bid farewell to this way of software management and removed the 'Installer' folder from the local profile and the SMB profile; this has fixed the problem completely.

Author by

Rick Jelier

Updated on September 18, 2022
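
One way to spot the folder state described in the answer on a workstation, as an added example that is not part of the original post. The function name `Get-LockedInstallerFolder` is hypothetical, and the check is a heuristic: it only looks at ACEs that name the profile user's SID directly and does not resolve group membership.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Lists local profiles whose Roaming\Microsoft\Installer folder has no Allow ACE
# granting the profile's own user write access, i.e. the ACL state shown in the
# question (Everyone: Read, System and Administrators: Full control).
# Assumption: only ACEs naming the user's SID directly are checked.

function Get-LockedInstallerFolder {
    [CmdletBinding()]
    param(
        # Relative path taken from the event log message quoted in the question.
        [string]$RelativePath = 'AppData\Roaming\Microsoft\Installer'
    )

    $write = [int][System.Security.AccessControl.FileSystemRights]::Write

    # Win32_UserProfile maps each local profile folder to the SID of its user.
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special -and $_.LocalPath } |
        ForEach-Object {
            $sid    = $_.SID
            $target = Join-Path -Path $_.LocalPath -ChildPath $RelativePath
            # Profiles without the folder are not affected; skip them.
            if (-not (Test-Path -LiteralPath $target -PathType Container)) { return }

            $acl   = Get-Acl -LiteralPath $target
            # Explicit and inherited rules, with identities returned as SIDs.
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

            $userCanWrite = $false
            foreach ($rule in $rules) {
                if ($rule.IdentityReference.Value -eq $sid -and
                    $rule.AccessControlType -eq 'Allow' -and
                    (([int]$rule.FileSystemRights -band $write) -eq $write)) {
                    $userCanWrite = $true
                }
            }

            if (-not $userCanWrite) {
                [pscustomobject]@{
                    Profile = $_.LocalPath
                    UserSid = $sid
                    Owner   = $acl.Owner
                    Folder  = $target
                }
            }
        }
}

Get-LockedInstallerFolder | Format-Table -AutoSize
```

Each row is a profile where the folder exists but the user has no direct write ACE; the `Owner` column shows which account created it.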

Comments

  • Rick Jelier
    Rick Jelier almost 2 years

    I have a problem with one specific folder while user profiles are synced at logon. Let me explain the situation:

    I have:

    • A user account (MYDOMAIN\accountname)
    • Security group 'Access to WADUP_RW'
    • A SMB share (\\my-smb\WADUP)
    • A PC with Windows 10 Pro installed (up to date) and joined to MYDOMAIN

    Permissions on the WADUP folder on \\my-smb:

    • 'Access to WADUP_RW' has read and write access
    • Domain Admins and Enterprise Admins groups have read and write access

    Configuration for the user account:

    • Profile path: \\my-smb\WADUP\accountname

    The problem I'm having:

    1. Log in accountname on the pc.
    2. \\my-smb\WADUP\accountname folder is created. (Owner is accountname)
    3. Log out accountname on the pc.
    4. All data in user profile is being saved to the \\my-smb\WADUP\accountname
    5. So far so good
    6. Now I log in accountname on the pc again
    7. I get the error 'There was a problem with your roaming profile. You have been logged on with your previously saved local profile. Please see the event log for details or contact your administrator.'
    8. I check the event log, which says that \\?\UNC\my-smb\WADUP\accountname\AppData\Roaming\Microsoft\Installer can't be copied to \\?\C:\Users\accountname\AppData\Roaming\Microsoft\Installer with DETAIL - Access is denied
    9. I check the folder C:\Users\accountname\AppData\Roaming\Microsoft\Installer permissions, which are:

      • Everyone: Read
      • System: Full control
      • Administrators (PC\Administrators) Full control

    What I've tried:

    • Changed SMB server, made no difference.
    • Manually changed the folder permissions to everyone: Read and write. Though the permissions reset whenever I logged out.
    • All PCs do it, but they are the same Windows version.
  • Rick Jelier
    Rick Jelier about 4 years
    I already have stumbled upon that post indeed, I really want to do this but it feels like a workaround. Plus the fact that the problem I am having doesn't show up anywhere else makes me worry it's not a bug in Windows but actually a misconfiguration in my setup.
  • Hrihaan
    Hrihaan about 4 years
    I didn't notice anything actually wrong with your setup, but Microsoft does have helpful documentation on deploying roaming profiles you might want to review and compare to your setup. The document has a lot of steps that don't relate to your smaller setup, but it's a good reference for best practices.
  • Rick Jelier
    Rick Jelier about 4 years
    Hi, we already tried this but the folder reappears after login on the local machine.