JSI Tip 5745. Windows XP SP1 checks permissions on an existing profile folder when a roaming profile is created?
September 19, 2002
Prior to SP1, Windows XP did NOT check the permissions on a pre-existing profile folder when a new roaming profile was created.
Windows XP SP1 checks the permissions on a pre-existing profile folder, to prevent persons other than the user and Administrators from being the owner of the profile folder.
Windows XP SP1 checks:
1. If the roaming profile folder does not exist, the folder is created in the usual secure manner.
2. If the Do not check for user ownership of Roaming Profile Folders policy is enabled, permissions on a pre-existing profile folder are NOT checked and assumed to be legitimate.
3. If the folder is owned by the user or the Administrators group, the profile is created.
4. If the folder is NOT owned by the user or the Administrators group, a cached profile or a temporary profile is used, the user receives the standard temporary profile message, and the following event is logged:
Event ID: 1526
Severity: Error
Windows did not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrator's group must be the owner of the folder. Contact your network administrator.
To turn off this new security provision, enable the Do not check for user ownership of Roaming Profile Folders policy at Computer Configuration / Administrative Templates / System / User Profiles.
If the policy is Not Defined, you can enable it using the registry:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:00000001
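Before relaxing the check, it is usually better to find the folders that would fail it and correct their ownership. The following PowerShell audit is an added example, not part of the original tip; it assumes a placeholder share path and that each profile folder is named after the user's logon name in the given domain.

```powershell
# Added example (not from the original tip): list roaming profile folders whose
# owner would fail the SP1 ownership check described above.
# Assumptions: the share path is a placeholder, and each folder is named after
# the user's logon name in $Domain.
param(
    [string]$ProfileRoot = '\\fileserver\profiles$',  # placeholder share
    [string]$Domain      = $env:USERDOMAIN
)

$sidType   = [System.Security.Principal.SecurityIdentifier]
# Well-known SID of the built-in Administrators group
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

# Report whether the machine running this script has the check disabled by policy
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$policy = Get-ItemProperty -Path $policyKey -Name CompatibleRUPSecurity -ErrorAction SilentlyContinue
if ($policy -and $policy.CompatibleRUPSecurity -eq 1) {
    Write-Warning 'CompatibleRUPSecurity=1: this machine does not check profile folder ownership.'
}

Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    $folder   = $_   # keep a stable reference; $_ is reused inside catch
    $ownerSid = (Get-Acl -LiteralPath $folder.FullName).GetOwner($sidType)

    # Resolve the account the folder is assumed to belong to
    $userSid = $null
    try {
        $account = New-Object System.Security.Principal.NTAccount($Domain, $folder.Name)
        $userSid = $account.Translate($sidType)
    } catch {
        # No such account: orphaned folder or a name that is not a logon name
    }

    $ownedByAdmins = $ownerSid.Equals($adminsSid)
    $ownedByUser   = ($null -ne $userSid) -and $ownerSid.Equals($userSid)

    # Emit only folders that would trigger event 1526 at logon
    if (-not ($ownedByAdmins -or $ownedByUser)) {
        [pscustomobject]@{
            Folder       = $folder.FullName
            OwnerSid     = $ownerSid.Value
            ExpectedUser = "$Domain\$($folder.Name)"
            AccountFound = ($null -ne $userSid)
        }
    }
}
```

Folders reported with AccountFound set to False need manual review, since the script could not map the folder name to an account.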