Compushare asked:

Partial user profiles created on domain controller

Periodically, the domain controller will start to show up with end users' profiles on the server, almost as if they had logged into the server. Sometimes they are sporadic creations, other times they are all created within minutes of each other. When enough of them are created, the server comes to its knees. Rebooting will allow the server to run up to 24hrs or so, but it will eventually slow to a crawl again. Deleting the profiles results in a longer period of normal performance.

Users do NOT have rights to log in. Terminal services is not in use. Roaming profiles are not in use. Just a plain domain controller with file/print.

I suspected Symantec AV as the issue, so I uninstalled it from the server. There is definitely less of the phantom profile creation since doing this, but it still happens every once in a while... the clients still have Symantec AV installed though. I have yet to find anything that definitively points to Symantec Antivirus as the culprit though, so have not gone down the road of uninstalling the clients - as that would introduce more risk.

Of interest, the profiles created are not full profiles... just a shell of some of the related folders - with no files. Example below:


C:\Documents and Settings\lsmith>dir /b/a:d/s
C:\Documents and Settings\lsmith\Application Data
C:\Documents and Settings\lsmith\Cookies
C:\Documents and Settings\lsmith\Local Settings
C:\Documents and Settings\lsmith\Application Data\Microsoft
C:\Documents and Settings\lsmith\Application Data\Microsoft\Media Player
C:\Documents and Settings\lsmith\Application Data\Microsoft\SystemCertificates
C:\Documents and Settings\lsmith\Application Data\Microsoft\SystemCertificates\My
C:\Documents and Settings\lsmith\Application Data\Microsoft\SystemCertificates\My\Certificates
C:\Documents and Settings\lsmith\Application Data\Microsoft\SystemCertificates\My\CRLs
C:\Documents and Settings\lsmith\Application Data\Microsoft\SystemCertificates\My\CTLs
C:\Documents and Settings\lsmith\Local Settings\Application Data
C:\Documents and Settings\lsmith\Local Settings\History
C:\Documents and Settings\lsmith\Local Settings\Temp
C:\Documents and Settings\lsmith\Local Settings\Temporary Internet Files
C:\Documents and Settings\lsmith\Local Settings\Application Data\Microsoft
C:\Documents and Settings\lsmith\Local Settings\Application Data\Microsoft\Internet Explorer
C:\Documents and Settings\lsmith\Local Settings\Application Data\Microsoft\Media Player
C:\Documents and Settings\lsmith\Local Settings\Application Data\Microsoft\Windows Media
C:\Documents and Settings\lsmith\Local Settings\Application Data\Microsoft\Windows Media\10.0
C:\Documents and Settings\lsmith\Local Settings\History\History.IE5
C:\Documents and Settings\lsmith\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\lsmith\Local Settings\Temporary Internet Files\Content.IE5\25L4MF45
C:\Documents and Settings\lsmith\Local Settings\Temporary Internet Files\Content.IE5\BJXBOEM5
C:\Documents and Settings\lsmith\Local Settings\Temporary Internet Files\Content.IE5\S3YAPNQ0
C:\Documents and Settings\lsmith\Local Settings\Temporary Internet Files\Content.IE5\SX7H2G3S
C:\Documents and Settings\lsmith>
Compushare

ASKER

P.S.
* My Documents folder redirection is also in place.
* This issue also cropped up last summer. After extensive troubleshooting, it just stopped one day... but the issue came out of nowhere again within the last few weeks. Last summer, I finally gave up and went the route of migrating user data to a new server in a plan to rebuild the problem server. That plan stopped when the issue "followed" the data (after migrating end user data/printers to new server).
Simon Earl
Hiya

What version of Symantec are you running and how is it configured?

Standard out of the box configuration or something else?

I've got a feeling that it's due to the My Docs redirection, how many users have you got?

Thanks
Si
Version: 10.1.4.4000
Engine 71.4.0.15

Base setup of only the AV solution (no Symantec firewall, etc). Symantec was uninstalled from the server a few weeks ago. Pretty sure when I did uninstall it I saw a ton of end users' profiles get created right at that moment of removal... thus my suspicion it is Symantec related in some way. Only problem is, I have seen a few profiles get created since removal... though not anywhere as bad as when Symantec was still installed.

Less than 30 users... This Symantec and My Docs folder redirection setup is a common setup for us. Works great across dozens of clients.
One of the profiles created today was not even a user... it was a profile with the name of the laptop.
Bueller...
Hi Compushare

Currently, I am also facing the same problem as you mentioned in the following. Could you share with me your experiences on how you managed to resolve this issue? Our environment is pretty similar:
- Windows 2003 without terminal services,
- server slows down within a day - requires restarting the server,
- domain user accounts are created in the server without user physical login
- server also serves as DC/AD, file server and Symantec AntiVirus 10.1.0.394

cheers
manfred
My assumption is you are using folder redirection, such as the My Documents folder. Additionally, you are redirecting to a share on the Domain Controller. If so:

1) Decrypt any encrypted files on your Domain Controllers
2) Edit the Default Domain Controllers policy to disallow encrypted files on Domain Controllers. Since some folks get all huffy about editing the default policies, you can make a different GPO, with higher precedence, and apply it to your DCs.

The issue never returned.
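
For step 1 above, one way to find the EFS-encrypted files and folders under the redirected-folder share before decrypting them. This is an added example, not part of the original thread; the `$Root` path is a hypothetical placeholder, and decryption only succeeds for an account that holds the encrypting user's key or the recovery-agent key.

```powershell
# Added example: inventory (and optionally decrypt) EFS-encrypted items on the DC.
param(
    [string]$Root = 'D:\Shares\Users',  # hypothetical path (assumption): the redirection target
    [switch]$Decrypt                    # without this switch the script only reports
)

$efsFlag = [System.IO.FileAttributes]::Encrypted

# Collect every file and folder under $Root that carries the EFS attribute.
$hits = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $efsFlag) -eq $efsFlag }

$report = foreach ($item in $hits) {
    # The owner is only a hint at who encrypted the item, but it shows whom to ask.
    $owner = 'unknown'
    try { $owner = ($item | Get-Acl -ErrorAction Stop).Owner } catch { }

    $state = 'encrypted'
    if ($Decrypt) {
        try {
            if ($item.PSIsContainer) {
                # Clears the folder flag so new files in it are no longer encrypted.
                & cipher.exe /d $item.FullName | Out-Null
            } else {
                [System.IO.File]::Decrypt($item.FullName)
            }
        } catch { }
        # Re-read the attribute instead of trusting the call: a missing key fails here.
        $now = [System.IO.File]::GetAttributes($item.FullName)
        if (($now -band $efsFlag) -eq $efsFlag) { $state = 'still encrypted' }
        else { $state = 'decrypted' }
    }

    New-Object PSObject -Property @{
        Owner = $owner; State = $state; IsFolder = $item.PSIsContainer; Path = $item.FullName
    }
}

$report | Sort-Object Owner, Path | Format-Table Owner, State, IsFolder, Path -AutoSize
"{0} encrypted item(s) found under {1}" -f @($report).Count, $Root
```

Run it once without `-Decrypt` to get the list; any item reported as `still encrypted` afterwards has to be decrypted by its owner or a recovery agent before the policy in step 2 is applied.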