Help! I have no clue what is going on. :'(
This just started two days ago.
Whenever I create any new user on my NT Domain Controller
and log into my WS08R2 Terminal Server with the new user's
Domain account, I get a message in the Event log and in
a pop up:
Your user profile was not loaded correctly you have
been logged on with a temporary profile (Event ID 1151)
*THIS IS NOT THE VISTA ERROR* that is resolved by deleting
the corrupted key in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\ProfileList". The key NEVER gets created.
Also in my event log, I get Event ID 1515:
Windows has backed up this user's profile. Windows will
automatically try to use the backed up profile the next
time this user logs on.
And Event 1508:
Windows was unable to load the registry. This is often
caused by insufficient memory or insufficient security
rights. DETAIL - The process cannot access the file
because it is being used by another process
Other symptoms:
1) the user's C:\Users\xxxxx directory never gets created
2) I can edit the registry through Regedit till my eyes pop out
3) My "netlogon" script does not run on the new users (old users
work fine). I can run my netlogon script manually without event
4) deleting the user and recreating it has no symptom change
5) additional new users have the same symptom
I have Googled till my eyes burn. All I get is how to fix
this in Vista. What in the world is going on?
Many thanks,
-T
Do you have a profile path setup in the user's ADUC properties? If so, what
are the share and NTFS permissions on the user's folder the path is pointing
to?
Is SMS or SCOM involved?
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Hi Ace,
Thank you for the help. I am going nuts here. :'(
Not to sound too ignorant here, but what are "ADUC",
"SMS", and "SCOM"?
On the NTFS, do you mean "C:\Users" individual folder? It never
gets created. He gets "C:\Users\TEMP", which gets erased when
he logs out. I tried copying and renaming TEMP to his real name,
with his permissions, but next time he logs in, he gets TEMP again.
Many thanks,
-T
See inline.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
AD UC is Active directory users and computers, where you find on the user
account properties the profile path mentioned by Ace.
SMS is System Management service http://www.microsoft.com/smserver/evaluation/datasheets/default.mspx
SCOM is System Center Operations manager http://www.microsoft.com/systemcenter/operationsmanager/en/us/default.aspx
> On the NTFS, do you mean "C:\Users" individual folder? It never
> gets created. He gets "C:\Users\TEMP", which gets erased when
> he logs out. I tried copying and renaming TEMP to his real name,
> with his permissions, but next time he logs in, he gets TEMP again.
If users log on with a TEMP profile this normally means you use a roaming
profile stored on a server (user account properties the profile path) in the
network, which they are not able to access, either the NTFS permissions or
the share permissions on that folder are not correct.
Also you are not able to modify TEMP folders because they will be deleted
when the user logs off.
> Many thanks,
> -T
Hi Meinolf,
The server in question (WS08R2 Terminal Server) is not a domain
controller of any flavor. So no Active Directory (AD). The NT
Domain Controller also does not have AD.
By "Roaming", are you referring to "%userprofile%\AppData\Roaming"?
If so, new Domain users do not get one as "%userprofile%" never
gets created.
By "roaming", might you be referring to the registry settings in
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"?
If so, they exist for current
users from the Domain, but do not get created for new Domain
users.
In WS08, are "roaming" profiles those profiles that are not local
(those imported from the Domain controller)? Or are you referring to
something else?
I have not tried creating a local user and seeing what happens.
The only local users are "Administrator" and "Guest", which is
disabled.
By TEMP I mean "C:\users\TEMP" not "%userprofile%\AppData\Local\Temp"
When a new Domain user logs in, say "foo", instead of getting
a "C:\Users\foo" directory created, he gets "C:\Users\TEMP".
Foo can modify to his heart's content inside it, but
Foo gets his "C:\Users\TEMP" erased when he logs out, losing
everything.
What NTFS permissions does your "C:\Users" have?
Mine:
Everyone: Read and Execute, List, Read
System: everything
Administrators (local): everything
Users (local): Read and Execute, List, Read
Many thanks,
-T
> I have not tried creating a local user and seeing what happens.
> The only local users are "Administrator" and "Guest", which is
> disabled.
Update. I can create a local user account without problems.
So it works with a user account that you created?
With Terminal services, you would create the user account in Computer
Management, Local Users, etc. You can specify roaming profiles, logon
scripts, etc.
When a user, such as "Bob", would log on and only see a temp folder, where
was Bob's account created? On this machine, or in AD? But you said you don't
have AD? I'm a little confused.
Ace
Hi Ace,
All users that are created locally on the Terminal Server
(TS) do not have a problem.
New users that reside on a separate computer acting as an
"NT Domain Controller" can log into the TS, but get
%userprofile% = C:\Users\TEMP. This behavior was
first observed last Wednesday. Old users on the
NT Domain Controller work fine.
Think of my "NT Domain Controller" as an "old"
"NT 4.0" Primary Domain Controller (PDC). No AD.
(samba-3.0.33-3.15.el5_4)
Things that have changed since last Wednesday:
1) installed Cobian Backup on the TS
2) upgraded my NT Domain Controller
I am thinking of turning off Cobian's service
tomorrow and seeing if a new user I created on
the PDC can get in without the TEMP problem. I
am thinking that Cobian may be holding something
open in the registry.
Event 1508: Windows was unable to load the registry
I am thinking that this may be the cause. Otherwise,
I will revert the PDC Tuesday when I am out at the
customer's site.
It would be really, really nice if Windows would tell
me exactly why it can't create a roaming user account.
But, then again, it may have (error 1508). Still,
it could be a bit more verbose.
I will keep everyone apprised. Thank you for all
the help.
-T
Please clarify the "New users that reside on a separate computer acting as
an NT Domain Controller", is that machine a NT4 PDC or not, you stated something
with samba-3.0.33-3.15.el5_4 server?
Is the firewall disabled from the 2008 R2 machine?
Also 2008 and higher have a higher level of security configuration which
blocks connectivity with NT4 in a domain.
Best regards
Meinolf Weber
Hi Meinolf,
It appears he has an old NT4 domain.
To Todd&Margo:
AD or NT4, they are domains. So when you create a domain account, it doesn't
"work." Check all properties of the new domain account and compare it to a
domain user account that does work. It's possible you have a roaming profile
set on other accounts that was not set on the new account, or that the
security on the 2008 machine, as Meinolf indicated.
Ace
If you configure it as such, Samba acts as an "NT Domain
Controller". I have mine configured as an "NT 4.0 PDC".
>
> Is the firewall disabled from the 2008 R2 machine?
Tried the firewall both on and off: no symptom change.
>
> Also 2008 and higher have a higher level of security configuration
> which blocks connectivity with NT4 in a domain.
Too many things on the PDC are working for that to be a suspect.
The old domain users on the TS got there the exact same way
I am trying to get the new users on.
Update: Cobian is not responsible
-T
I fixed it.
<Editorial comment> AAAAAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHH
HHHHHHHHHHHHHHHHHHHHHHH!!!!</Editorial Comment>
These two things led me to the fix:
1) Event ID 1515: Windows has backed up this user profile. Windows
will automatically try to use the backup profile the next time
this user logs on.
2) "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\ProfileList".
As I stated before, "ProfileList" did not have my new user
in it. So I got clever (a weasel word for "desperate") and
found where "ProfileList" had created a key for TEMP and
renamed TEMP's "ProfileImagePath" to my actual (new) user's name.
When the user logged out, the entire key with my modification
in it got erased. Rats.
Then I logged back in with my new user and checked "ProfileList"
again. There he was back as TEMP and "ProfileImagePath" =
C:\Users\TEMP. But this time I had an interesting addition.
TEMP's key had a second identical key underneath it, with a
".bak" at the end of the key name. So, I erased the ".bak" key
and again renamed TEMP's "ProfileImagePath" to my actual (new)
user's name (again).
I have now logged in and out three times correctly. (Verified
by "echo %userprofile%" and by checking his "ProfileList"
entry.)
There are times I hate Windows.
Thank you all for being there for me to bounce things off
of. Never underestimate the power of having to write
things down to other professionals to straighten your
brains out.
Many, many thanks,
-T
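A read-only way to spot the state described in the post above (a ProfileList entry whose "ProfileImagePath" is C:\Users\TEMP, with a ".bak" twin beside it), as an added example that is not part of the original thread. It parses saved output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s`; the SIDs and user names in the sample are constructed, and the function names are hypothetical.

```python
import re

PROFILE_LIST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed sample of `reg query "<ProfileList key>" /s` output (not from the thread).
SAMPLE = "\n".join([
    PROFILE_LIST,
    r"    ProfilesDirectory    REG_EXPAND_SZ    %SystemDrive%\Users",
    "",
    PROFILE_LIST + "\\" + _SID + "-1001",
    r"    ProfileImagePath    REG_EXPAND_SZ    C:\Users\olduser",
    "",
    PROFILE_LIST + "\\" + _SID + "-1002",
    r"    ProfileImagePath    REG_EXPAND_SZ    C:\Users\TEMP",
    "",
    PROFILE_LIST + "\\" + _SID + "-1002.bak",
    r"    ProfileImagePath    REG_EXPAND_SZ    C:\Users\TEMP",
])

def parse_reg_query(text):
    """Return {subkey_name: {value_name: data}} for the keys under ProfileList."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith(PROFILE_LIST.upper()):
            name = line[len(PROFILE_LIST):].strip("\\ ")
            # The ProfileList key itself has no SID; skip its values.
            current = keys.setdefault(name, {}) if name else None
        elif current is not None and (m := re.match(r"\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$", line)):
            current[m.group(1)] = m.group(3).strip()
    return keys

def find_suspect_profiles(keys):
    """List (sid, path, reasons) for entries showing the temporary-profile symptoms."""
    findings = []
    for name, values in sorted(keys.items()):
        if name.lower().endswith(".bak"):
            continue  # reported through its primary key below
        path = values.get("ProfileImagePath", "")
        reasons = []
        if path.rstrip("\\").lower().endswith("\\temp"):
            reasons.append("ProfileImagePath points at the temporary profile")
        if any(k.lower() == name.lower() + ".bak" for k in keys):
            reasons.append("backup key " + name + ".bak exists")
        if reasons:
            findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    print(find_suspect_profiles(parse_reg_query(SAMPLE)))
```
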
Consider it a challenge that you've overcome, learned from, and moved on!
Good to hear you figured it out.
:-)
Ace
>> <Editorial comment> AAAAAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHH
>> HHHHHHHHHHHHHHHHHHHHHHH!!!!</Editorial Comment>
> Consider it a challenge that you've overcome, learned from, and moved on!
> Good to hear you figured it out.
>
> :-)
>
> Ace
Challenge: yes.
Learned from: yes.
Moved on: I don't think so. Not until I forget the
$850.00 in free consulting I had to give away. That
really, really hurt. It will remain burned into my
memory for a very, very long time. Sometimes I
really hate Windows, even though it puts a lot of
food on my table. Maybe I will forget when the next
big Windows job comes along that I can actually get
paid for.
:-)
-T
You mean you didn't charge them for your time? Was it your fault?
Ace
>> Moved on: I don't think so. Not until I forget the
>> $850.00 in free consulting I had to give away. That
>> really, really hurt. It will remain burned into my
>> memory for a very, very long time. Sometimes I
>> really hate Windows, even though it puts a lot of
>> food on my table. Maybe I will forget when the next
>> big Windows job that comes along that I can actually get
>> paid for.
>>
>> :-)
>>
>> -T
>
>
> You mean you didn't charge them for your time? Was it your fault?
>
> Ace
It was not my fault. It was "Windows being Windows". The thing
here is that the customer is my oldest customer of 15 years
and they have put a lot of food on my table. They also are
extremely considerate of me. The problem was that you can
not charge the customer for that many hours for a problem
as simple (or so it would seem to the customer) as not being
able to add a new user. It is a customer service thing.
I have an auto repair customer who had a similar problem.
A customer had been to several mechanics trying to find out
why his car blew a fuse every time he tried to start it.
When he finally got to my customer's place, he had spent
almost a thousand dollars trying to get it fixed. My
customer put five hours into finding that the owner's
kid had jammed a metallic gum wrapper into the cigarette
lighter. So my customer only charged him an hour. You
just can not charge a guy five hours to find a gum wrapper.
So, I chalked it up to good customer relations and only
charged my customer for three hours. I'd rather keep
this customer for another 15 years than insist on being
paid the full freight on the time it took me to
troubleshoot a failure to add new users.
Hopefully, this will not happen again for a few years.
-T
That makes sense, and I agree. I do the same for my folks.
Ace