Linux – “Group policy client service failed. The logon access is denied” when copying roaming profiles to new server. (Samba)

The feature you're looking for is folder redirection. This feature, on it's own or in combination with roaming user profiles (I recommend using both) will allow you to keep the largest folders of the user's profiles on the server and speed up logon times.

I also recommend creating the folders and setting the permissions yourself on the destination folders. The OS default method seems buggy brain-damaged to me.

Edit:

My issue with the built-in functionality that allows clients to create the folders is that I stronly prefer not to have a world-writable folder for such a critical purpose (redirected user folders) on my server computers. I'm not sure that Microsoft has ever cleaned up the idiotic "feature" where the client blocks NTFS permission inheritance when it creates the user's folder and applies permission to it, either. I want to be in control of my filesystem permissions, I want inheritance turned on throughout the entire folder hierarchy, and I don't want a world-writable folder laying around on my servers.

I generally redirect "My Documents", "Desktop", and "Application Data". I always disable the idiotic "Grant the user exclusive access..." functionality (since it screws up my NTFS permission inheritance hierarchy). I may do redirection based on group membership if I have multiple destination file server computers and want all my redirection handled in a single GPO... that's more of a GPO design concern than a Folder Redirection configuration issue.

"AppData" redirection has been somewhat problematic. I've had issues with Adobe Reader 9.0 versions and the current Apple iTunes 9.2 versions not working properly when the user has a redirected AppData folders. Still, with the huge proliferation of small files that get created there, leaving "AppData" in the user's roaming user profile isn't an option if you want short logon / logoff times.

Generally I wouldn't exclude any "normal" users from Folder Redirection. Administrative and service account context users would be excluded, typically by being located elsewhere in the OU hierarchy such that the GPO applying Folder Redirection settings doesn't apply. WMI filters aren't useful because Folder Redirection is a user setting, and WMI filters only apply to computers.

Slow links and disconnected computers are good candidates for Offline Files. If a user isn't ever going to be connected to the LAN with high speed I might be apt not to use Folder Redirection at all, but I don't have any situations where that's the case in my current Customer base so I haven't really thought about it. Offline Files works very well in Windows 7 and Windows Vista. It works acceptably in Windows XP if the user's redirected folders are under 2GB in size. Anything more than 2GB and it starts working poorly because of a frustrating signed 32-bit integer size limit on the amount of data that will be automatically cached by Offline Files.

We have found the problem was in the permissions of the registry hive itself in ntuser.man. So whilst the permissions were correct on the file itself, the registry could not be loaded by the shared users.

This was solved by loading ntuser.man (Load Hive in regedit) and making sure the permissions on it were set to allow access to the entire group of users, instead of just the one.

It all seems to be working fine now.