ian_chard
asked on
Roaming profiles remaining on machines after log off
Hi,
In our scenario we have roaming profiles, but we have the GPO setting enabled to delete these profiles (computer config/admin templates/system/user profile/delete cached copies of roaming profiles set to enabled). This is set at the domain level of the organisation and there is only one domain. This is so that if the profile becomes corrupt there won't be any local remnants of it and we also found that as we're a uni campus with many students logging on to one machine we eventually end up with the hard disk becoming full!
However, if I look on to a machine I still see remnants of users' profiles, but I also see folders that are something like %username%.%domainname%.001, %username%.%domainname%.002, %username%.%domainname%.003 where %username% is the username and %domainname% is the domain name. It looks like the folders are incrementing with each log on, which is actually the reverse of what we are trying to achieve! From this I'm assuming that the policy itself isn't working, but we're not getting any clues as to why. There are no event log messages saying that GPOs aren't being applied, no blocking of inheritance, etc. Two of us have been through the AD completely and double checked everything individually and we can't see anything wrong there, so any help would be very much appreciated.
Thanks
Ian
Good point Maasdriel - this does cause some issues for sure.
You also want to check permissions to make sure they can delete their profile directory. Sometimes the permissions get a little out of sync.
UPHCLEAN suggested above should be able to solve the problem. As suggested, it is important to also use UPHCLEAN to report in event logs the name of the process keeping the file in use. This may enable you to find the root cause and if you can eliminate it, you will not need to install UPHCLEAN on all computers.
Other than that, I can just add that running "gpresult" at command prompt on a Windows XP workstation will provide you the list of Domain GPOs currently APPLIED on workstation. This would save you time in the future when trying to ensure a certain domain GPO is actually applied.
ASKER
Thanks for the responses. Permissions are definitely ruled out, as I get the same problem and I'm domain admin, enterprise admin, etc, etc.
I've installed UPHC on my machine now and plan on trialling it tomorrow and Friday on some of our normal users' machines to see if it cures things and will post back then with any events, etc or allocate points if it cures our problem.
Many thanks again
Ian
Not sure how far you are with testing.
But here's some extra info.
If svchost.exe (or some other general Windows-related file) is causing the problem, it's more difficult to locate what the problem is.
You can do this by enabling this.
SOURCE README.TXT (C:\Program Files\UPHCLEAN\README.TXT)
--------------------------
You can also have UPHClean log the call stack that is responsible for the
profile hive handle. This is necessary to find out what software is
responsible for the hive handle in processes used for many purposes (e.g.
svchost.exe, dllhost.exe, winmgmt.exe). To enable call stack logging use the
registry editor to set:
HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\CALLSTACK_LOG to 1.
Logging the call stack is computationally and memory intensive. You should use
this option to collect information and then turn it off. To get more accurate
call stack logging it may be necessary to get symbols installed on the
computer. You can read about getting symbols at:
http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx
--------------------------
An event msg could show up something like this:
SOURCE Eventlog
--------------------------
The following handles opened in user profile hive DOMAIN\USER (S-1-5-21-111111111-11111111111-111111111-1111) are preventing the profile from unloading:
svchost.exe (1064)
HKCU (0x3ac)
0x77fab4b7 ADVAPI32!<no symbol>
0x77f772b1 ADVAPI32!IsTextUnicode+0x9cb4
0x77f46b20 ADVAPI32!RegOpenKeyExW+0xa8
0x77f4773e ADVAPI32!RegOpenKeyW+0x2f
0x77f4b2dc ADVAPI32!SaferComputeTokenFromLevel+0x587
0x77f4b296 ADVAPI32!SaferComputeTokenFromLevel+0x541
0x77f49e9e ADVAPI32!IdentifyCodeAuthzLevelW+0xd9
0x7c819653 kernel32!BasepCheckWinSaferRestrictions+0x17e
0x7c818d2c kernel32!GetNlsSectionName+0x10cb
0x77f67838 ADVAPI32!CreateProcessAsUserW+0xc3
0x76a642fd rpcss!<no symbol>
0x76a5deaf rpcss!<no symbol>
0x77da9dc9 RPCRT4!CheckVerificationTrailer+0x75
0x77e2321a RPCRT4!NdrStubCall2+0x215
0x77e236ee RPCRT4!NdrServerCall2+0x19
0x77da988c RPCRT4!NdrGetTypeFlags+0x1c9
0x77da97f1 RPCRT4!NdrGetTypeFlags+0x12e
0x77da971d RPCRT4!NdrGetTypeFlags+0x5a
0x77dabd0d RPCRT4!NdrConformantArrayFree+0x42e
0x77dabb6a RPCRT4!NdrConformantArrayFree+0x28b
0x77da6784 RPCRT4!I_RpcBCacheFree+0x14c
0x77da6c22 RPCRT4!I_RpcBCacheFree+0x5ea
0x77da6a3b RPCRT4!I_RpcBCacheFree+0x403
0x77da6c0a RPCRT4!I_RpcBCacheFree+0x5d2
0x7c80b50b kernel32!GetModuleFileNameA+0x1b4
--------------------------
If this is the case you will need to install "Debugging Tools for Windows".
http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx (32bit)
http://www.microsoft.com/whdc/devtools/debugging/install64bit.mspx (64bit)
And the symbols for the corresponding Windows OS version.
http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx
And debug the information to locate the true problem.
Hope this helps.
Respectfully,
Maasdriel
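Added example (not part of the original post and not UPHClean's own code): a small parser for the call-stack event quoted above, which reports per open hive handle the modules on the stack and which of them still have `<no symbol>` frames and so need symbols installed. The function names are hypothetical, and the event layout (header, process line, handle line, frames) is assumed from the single sample in the post.

```python
import re

# Constructed sample: a shortened copy of the event text quoted in the post above.
SAMPLE_EVENT = r"""The following handles opened in user profile hive DOMAIN\USER (S-1-5-21-111111111-11111111111-111111111-1111) are preventing the profile from unloading:
svchost.exe (1064)
HKCU (0x3ac)
0x77fab4b7 ADVAPI32!<no symbol>
0x77f46b20 ADVAPI32!RegOpenKeyExW+0xa8
0x77f67838 ADVAPI32!CreateProcessAsUserW+0xc3
0x76a642fd rpcss!<no symbol>
0x77e2321a RPCRT4!NdrStubCall2+0x215
0x7c80b50b kernel32!GetModuleFileNameA+0x1b4
"""

HEADER = re.compile(r"user profile hive (?P<account>\S+) \((?P<sid>S-[\d-]+)\)")
PROCESS = re.compile(r"^(?P<image>\S+\.exe) \((?P<pid>\d+)\)$", re.I)
HANDLE = re.compile(r"^(?P<key>\S.*?) \((?P<handle>0x[0-9a-f]+)\)$", re.I)
FRAME = re.compile(r"^(?P<addr>0x[0-9a-f]+) (?P<module>[^!\s]+)!(?P<symbol>.+)$", re.I)

def parse_uphclean_event(text):
    """Assumed layout: header line, then process / handle / stack-frame lines."""
    event = {"account": None, "sid": None, "processes": []}
    proc = handle = None
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := HEADER.search(line)):
            event.update(m.groupdict())
        elif (m := FRAME.match(line)) and handle is not None:
            handle["frames"].append(m.groupdict())
        elif (m := PROCESS.match(line)):
            proc = {"image": m["image"], "pid": int(m["pid"]), "handles": []}
            event["processes"].append(proc)
            handle = None  # frames must follow a handle line of this process
        elif (m := HANDLE.match(line)) and proc is not None:
            handle = {"key": m["key"], "handle": m["handle"], "frames": []}
            proc["handles"].append(handle)
    return event

def summarize(event):
    """One row per open handle: modules in stack order, and those missing symbols."""
    return [{
        "process": proc["image"], "pid": proc["pid"], "key": h["key"],
        "modules": list(dict.fromkeys(f["module"] for f in h["frames"])),
        "unresolved": sorted({f["module"] for f in h["frames"]
                              if f["symbol"] == "<no symbol>"}),
    } for proc in event["processes"] for h in proc["handles"]]

if __name__ == "__main__":
    for row in summarize(parse_uphclean_event(SAMPLE_EVENT)):
        print(row)
```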
ASKER
Points awarded to Maasdriel as he was the first to reply to use UPHCleaner. This resolved the issue on the test clients.
Many thanks
Ian