New users get temp profiles

Discussion in 'Windows Server' started by ToddAndMargo, Nov 6, 2009.

  1. ToddAndMargo

    ToddAndMargo Guest

    Hi All,

    Help! I have no clue what is going on. :'(

    This just started two days ago.

    Whenever I create any new user on my NT Domain Controller
    and log into my WS08R2 Terminal Server with the new user's
    Domain account, I get a message in the Event log and in
    a pop up:

    Your user profile was not loaded correctly you have
    been logged on with a temporary profile (Event ID 1151)

    *THIS IS NOT THE VISTA ERROR* that is resolved by deleting
    the corrupted key in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\ProfileList". The key NEVER gets created.

    Also in my event log, I get Event ID 1515:

    Windows has backed up this user's profile. Windows will
    automatically try to use the backed up profile the next
    time this user logs on.

    And Event 1508:

    Windows was unable to load the registry. This is often
    caused by insufficient memory or insufficient security
    rights. DETAIL - The process cannot access the file
    because it is being used by another process

    Other symptoms:

    1) the user's C:\Users\xxxxx directory never gets created

    2) I can edit the registry through Regedit till my eyes pop out

    3) My "netlogon" script, does not run on the new users (old users
    work fine). I can run my netlogon script manually without event

    4) deleting the user and recreating it has no symptom change

    5) additional new users have the same symptom


    I have Googled till my eyes burn. All I get is how to fix
    this in Vista. What in the world is going on?

    Many thanks,
    -T
     
    ToddAndMargo, Nov 6, 2009
    #1


  2. Do you have a profile path setup in the user's ADUC properties? If so, what
    are the share and NTFS permissions on the user's folder the path is pointing
    to?

    Is SMS or SCOM involved?

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
    2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Nov 7, 2009
    #2

  3. ToddAndMargo

    ToddAndMargo Guest

    Hi Ace,

    Thank you for the help. I am going nuts here. :'(

    Not to sound too ignorant here, but what are "ADUC",
    "SMS", and "SCOM"?

    On the NTFS, do you mean "C:\Users" individual folder? It never
    gets created. He gets "C:\Users\TEMP", which gets erased when
    he logs out. I tried copying and renaming TEMP to his real name,
    with his permissions, but next time he logs in, he gets TEMP again.

    Many thanks,
    -T
     
    ToddAndMargo, Nov 7, 2009
    #3
  4. Hello ToddAndMargo,

    See inline.

    Best regards

    Meinolf Weber


    AD UC is Active directory users and computers, where you find on the user
    account properties the profile path mentioned by Ace.

    SMS is System Management service http://www.microsoft.com/smserver/evaluation/datasheets/default.mspx

    SCOM is System Center Operations manager http://www.microsoft.com/systemcenter/operationsmanager/en/us/default.aspx

    If users log on with a TEMP profile this normally means you use a roaming
    profile stored on a server (user account properties the profile path) in the
    network, which they are not able to access; either the NTFS permissions or
    the share permissions on that folder are not correct.

    Also you are not able to modify TEMP folders because they will be deleted
    when the user logs off.
     
    Meinolf Weber [MVP-DS], Nov 7, 2009
    #4
  5. ToddAndMargo

    ToddAndMargo Guest

    Hi Meinolf,

    The server in question (WS08R2 Terminal Server) is not a domain
    controller of any flavor. So no Active Directory (AD). The NT
    Domain Controller also does not have AD.

    By "Roaming", are you referring to "%userprofile%\AppData\Roaming"?
    If so, new Domain users do not get one as "%userprofile%" never
    gets created.

    By "roaming", might you be referring to the registry settings in
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\ProfileList"? If so, they exist for current
    users from the Domain, but do not get created for new Domain
    users.

    In WS08, are "roaming" profiles those profiles that are not local
    (those imported from the Domain controller)? Or are you referring to
    something else?

    I have not tried creating a local user and seeing what happens.
    The only local users are "Administrator" and "Guest", which is
    disabled.

    By TEMP I mean "C:\users\TEMP" not "%userprofile%\AppData\Local\Temp"

    When a new Domain user logs in, say "foo", instead of getting
    a "C:\Users\foo" directory created, he gets "C:\Users\TEMP".
    Foo can modify to his heart's content inside it, but
    Foo gets his "C:\Users\TEMP" erased when he logs out, losing
    everything.

    What NTFS permissions does your "C:\Users" have?

    Mine:
    Everyone: Read and Execute, List, Read
    System: everything
    Administrators (local): everything
    Users (local): Read and Execute, List, Read


    Many thanks,
    -T
     
    ToddAndMargo, Nov 7, 2009
    #5
  6. ToddAndMargo

    ToddAndMargo Guest

    Update. I can create a local user account without problems.
     
    ToddAndMargo, Nov 8, 2009
    #6

  7. So it works with a user account that you created?

    With Terminal services, you would create the user account in Computer
    Management, Local Users, etc. You can specify roaming profiles, logon
    scripts, etc.

    When a user such as "Bob" would log on and only see a temp folder, where
    was Bob's account created? On this machine, or in AD? But you said you don't
    have AD? I'm a little confused.

    Ace
     
    Ace Fekay [MCT], Nov 8, 2009
    #7
  8. ToddAndMargo

    ToddAndMargo Guest

    Hi Ace,

    All users that are created locally on the Terminal Server
    (TS) do not have a problem.

    New users that reside on a separate computer acting as an
    "NT Domain Controller" can log into the TS, but get
    %userprofile% = C:\Users\TEMP. This behavior was
    first observed last Wednesday. Old users on the
    NT Domain Controller work fine.

    Think of my "NT Domain Controller" as an "old"
    "NT 4.0" Primary Domain Controller (PDC). No AD.
    (samba-3.0.33-3.15.el5_4)

    Things that have changed since last Wednesday:
    1) installed Cobian Backup on the TS
    2) upgraded my NT Domain Controller

    I am thinking of turning off Cobian's service
    tomorrow and seeing if a new user I created on
    the PDC can get in without the TEMP problem. I
    am thinking that Cobian may be holding something
    open in the registry.

    Event 1508: Windows was unable to load the registry

    I am thinking that this may be the cause. Otherwise,
    I will revert the PDC Tuesday when I am out at the
    customer's site.

    It would be really, really nice if Windows would tell
    me exactly why it can't create a roaming user account.
    But, then again, it may have (error 1508). Still,
    it could be a bit more verbose.

    I will keep everyone apprised. Thank you for all
    the help.

    -T
     
    ToddAndMargo, Nov 8, 2009
    #8
  9. Hello ToddAndMargo,

    Please clarify the "New users that reside on a separate computer acting as
    an NT Domain Controller", is that machine a NT4 PDC or not, you stated something
    with samba-3.0.33-3.15.el5_4 server?

    Is the firewall disabled from the 2008 R2 machine?

    Also 2008 and higher have a higher level of security configuration which
    blocks connectivity with NT4 in a domain.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Nov 8, 2009
    #9
  10. Hi Meinolf,

    It appears he has an old NT4 domain.

    To Todd&Margo:

    AD or NT4, they are domains. So when you create a domain account, it doesn't
    "work." Check all properties of the new domain account and compare it to a
    domain user account that does work. It's possible you have a roaming profile
    set on other accounts that was not set on the new account, or that the
    security on the 2008 machine, as Meinolf indicated.

    Ace
     
    Ace Fekay [MCT], Nov 8, 2009
    #10
  11. ToddAndMargo

    ToddAndMargo Guest

    If you configure it as such, Samba acts as an "NT Domain
    Controller". I have mine configured as an "NT 4.0 PDC".
    Tried the firewall both on and off: no symptom change.
    Too many things on the PDC are working for that to be a suspect.
    The old domain users on the TS got there the exact same way
    I am trying to get the new users on.

    Update: Cobian is not responsible

    -T
     
    ToddAndMargo, Nov 9, 2009
    #11
  12. ToddAndMargo

    ToddAndMargo Guest

    Hi Ace and Meinolf,

    I fixed it.

    <Editorial comment> AAAAAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHH
    HHHHHHHHHHHHHHHHHHHHHHH!!!!</Editorial Comment>

    These two things led me to the fix:

    1) Event ID 1515: Windows has backed up this user profile. Windows
    will automatically try to use the backup profile the next time
    this user logs on.

    2) "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\ProfileList".

    As I stated before, "ProfileList" did not have my new user
    in it. So I got clever (a weasel word for "desperate") and
    found where "ProfileList" had created a key for TEMP and
    renamed TEMP's "ProfileImagePath" to my actual (new) user's name.
    When the user logged out, the entire key with my modification
    in it got erased. Rats.

    Then I logged back in with my new user and checked "ProfileList"
    again. There he was back as TEMP and "ProfileImagePath" =
    C:\Users\TEMP. But this time I had an interesting addition.
    TEMP's key had a second identical key underneath it, with a
    ".bak" at the end of the key name. So, I erased the ".bak" key
    and again renamed TEMP's "ProfileImagePath" to my actual (new)
    user's name (again).

    I have now logged in and out three times correctly. (Verified
    by "echo %userprofile%" and by checking his "ProfileList"
    entry.)

    There are times I hate Windows.

    Thank you all for being there for me to bounce things off
    of. Never underestimate the power of having to write
    things down to other professionals to straighten your
    brains out.

    Many, many thanks,
    -T
     
    ToddAndMargo, Nov 9, 2009
    #12
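
A read-only check for the two conditions described in post #12: a ProfileList entry whose ProfileImagePath is C:\Users\TEMP, and a ".bak" key sitting beside a key of the same name. This is an added example, not code from the thread; the function names and the sample SIDs are made up for illustration.

```powershell
# Added example, not from the thread. Read-only: nothing is written to the registry.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListEntry {
    # One object per ProfileList subkey (the subkey name is the account SID).
    Get-ChildItem -Path $ProfileListKey | ForEach-Object {
        [pscustomobject]@{
            KeyName          = $_.PSChildName
            ProfileImagePath = $_.GetValue('ProfileImagePath')
        }
    }
}

function Find-ProfileListAnomaly {
    param([Parameter(Mandatory)][object[]]$Entry)
    $names = @($Entry | ForEach-Object { $_.KeyName })
    foreach ($e in $Entry) {
        $issues = @()
        if ($e.KeyName -like '*.bak') {
            # Strip the 4-character ".bak" suffix to get the name of the live key.
            $live = $e.KeyName.Substring(0, $e.KeyName.Length - 4)
            if ($names -contains $live) { $issues += '.bak copy sits beside a live key of the same name' }
            else                        { $issues += '.bak key with no live key' }
        }
        # Last path component equal to TEMP (comparison is case-insensitive).
        if ($e.ProfileImagePath -and ($e.ProfileImagePath -split '\\')[-1] -eq 'TEMP') {
            $issues += 'ProfileImagePath points at the temporary profile'
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                KeyName          = $e.KeyName
                ProfileImagePath = $e.ProfileImagePath
                Issues           = $issues -join '; '
            }
        }
    }
}

# Constructed sample mirroring the state described in post #12 (SIDs are made up).
$sample = @(
    [pscustomobject]@{ KeyName = 'S-1-5-21-1111111111-2222222222-3333333333-1001';     ProfileImagePath = 'C:\Users\olduser' }
    [pscustomobject]@{ KeyName = 'S-1-5-21-1111111111-2222222222-3333333333-1002';     ProfileImagePath = 'C:\Users\TEMP' }
    [pscustomobject]@{ KeyName = 'S-1-5-21-1111111111-2222222222-3333333333-1002.bak'; ProfileImagePath = 'C:\Users\TEMP' }
)
Find-ProfileListAnomaly -Entry $sample | Format-List

# On the affected server (elevated prompt), audit the live key instead:
# Find-ProfileListAnomaly -Entry (Get-ProfileListEntry) | Format-List
```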

  13. Consider it a challenge that you've overcome, learned from, and moved on!
    Good to hear you figured it out.

    :)

    Ace
     
    Ace Fekay [MCT], Nov 9, 2009
    #13
  14. ToddAndMargo

    ToddAndMargo Guest

    Challenge: yes.

    Learned from: yes.

    Moved on: I don't think so. Not until I forget the
    $850.00 in free consulting I had to give away. That
    really, really hurt. It will remain burned into my
    memory for a very, very long time. Sometimes I
    really hate Windows, even though it puts a lot of
    food on my table. Maybe I will forget when the next
    big Windows job comes along that I can actually get
    paid for.

    :)

    -T
     
    ToddAndMargo, Nov 10, 2009
    #14

  15. You mean you didn't charge them for your time? Was it your fault?

    Ace
     
    Ace Fekay [MCT], Nov 11, 2009
    #15
  16. ToddAndMargo

    ToddAndMargo Guest

    It was not my fault. It was "Windows being Windows". The thing
    here is that the customer is my oldest customer of 15 years
    and they have put a lot of food on my table. They also are
    extremely considerate of me. The problem was that you can
    not charge the customer for that many hours for a problem
    as simple (or so it would seem to the customer) as not being
    able to add a new user. It is a customer service thing.

    I have an auto repair customer who had a similar problem.
    A customer had been to several mechanics trying to find out
    why his car blew a fuse every time he tried to start it.
    When he finally got to my customer's place, he had spent
    almost a thousand dollars trying to get it fixed. My
    customer put five hours into finding that the owner's
    kid had jammed a metallic gum wrapper into the cigarette
    lighter. So my customer only charged him an hour. You
    just can not charge a guy five hours to find a gum wrapper.

    So, I chalked it up to good customer relations and only
    charged my customer for three hours. I'd rather keep
    this customer for another 15 years than insist on being
    paid the full freight on the time it took me to
    troubleshoot a failure to add new users.

    Hopefully, this will not happen again for a few years.

    -T
     
    ToddAndMargo, Nov 12, 2009
    #16

  17. That makes sense, and I agree. I do the same for my folks.

    Ace
     
    Ace Fekay [MCT], Nov 12, 2009
    #17