Roaming profiles remaining on machines after log off

Posted on 2006-03-21
Last Modified: 2011-09-20

In our scenario we have roaming profiles, but we have the GPO setting enabled to delete these profiles (computer config/admin templates/system/user profile/delete cached copies of roaming profiles set to enabled). This is set at the domain level of the organisation and there is only one domain. This is so that if the profile becomes corrupt there won't be any local remnants of it and we also found that as we're a uni campus with many students logging on to one machine we eventually end up with the hard disk becoming full!

However, if I look on to a machine I still see remnants of users' profiles, but I also see folders that are something like %username%.%domainname%.001, %username%.%domainname%.002, %username%.%domainname%.003 where %username% is the username and %domainname% is the domain name. It looks like the folders are incrementing with each log on, which is actually the reverse of what we are trying to achieve! From this I'm assuming that the policy itself isn't working, but we're not getting any clues as to why. There are no event log messages saying that GPOs aren't being applied, no blocking of inheritance, etc. Two of us have been through the AD completely and double checked everything individually and we can't see anything wrong there, so any help would be very much appreciated.

Question by:ian_chard
    LVL 6

    Author Comment

    I should also add that we've even created local policies on the machines too to double check and this is still happening.
    LVL 4

    Accepted Solution

    Usually this happens when a program keeps a lock on the registry (user.dat)

    Install User Profile Hive Cleanup Service and read the documentation to enable verbose modes in the event viewer to locate which program is causing the problem.

    If you can't solve the program which is causing the problem you can always force any locks to close with this software, after which Windows will be able to remove the profile after logoff.
    LVL 51

    Expert Comment

    Good point Maasdriel - this does cause some issues for sure.

    You also want to check permissions to make sure they can delete their profile directory.  Sometimes the permissions get a little out of sync.

    LVL 1

    Expert Comment

    UPHCLEAN suggested above should be able to solve the problem. As suggested, it is important to also use UPHCLEAN to report in the event logs the name of the process keeping the file in use. This may enable you to find the root cause and if you can eliminate it, you will not need to install UPHCLEAN on all computers.
    Other than that, I can just add that running "gpresult" at the command prompt on a Windows XP workstation will provide you with the list of Domain GPOs currently APPLIED on the workstation. This would save you time in the future when trying to ensure a certain domain GPO is actually applied.
    LVL 6

    Author Comment

    Thanks for the responses. Permissions are definitely ruled out, as I get the same problem and I'm domain admin, enterprise admin, etc, etc.

    I've installed UPHC on my machine now and plan on trialling it tomorrow and Friday on some of our normal users' machines to see if it cures things and will post back then with any events, etc. or allocate points if it cures our problem.

    Many thanks again

    LVL 4

    Expert Comment

    Not sure how far you are with testing.

    But here's some extra info.

    If svchost.exe (or some other general Windows-related file) is causing the problem, it's more difficult to locate what the problem is.

    You can do this by enabling this.

    You can also have UPHClean log the call stack that is responsible for the
    profile hive handle.  This is necessary to find out what software is
    responsible for the hive handle in processes used for many purposes (e.g.
    svchost.exe, dllhost.exe, winmgmt.exe).  To enable call stack logging use the
    registry editor to set:

    HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\CALLSTACK_LOG to 1.

    Logging the call stack is computationally and memory intensive.  You should use
    this option to collect information and then turn it off.  To get more accurate
    call stack logging it may be necessary to get symbols installed on the
    computer.  You can read about getting symbols at:

    An event msg could show up something like this:

    SOURCE Eventlog
    The following handles opened in user profile hive DOMAIN\USER (S-1-5-21-111111111-11111111111-111111111-1111) are preventing the profile from unloading:
    svchost.exe (1064)
      HKCU (0x3ac)
          0x77fab4b7 ADVAPI32!<no symbol>
          0x77f772b1 ADVAPI32!IsTextUnicode+0x9cb4
          0x77f46b20 ADVAPI32!RegOpenKeyExW+0xa8
          0x77f4773e ADVAPI32!RegOpenKeyW+0x2f
          0x77f4b2dc ADVAPI32!SaferComputeTokenFromLevel+0x587
          0x77f4b296 ADVAPI32!SaferComputeTokenFromLevel+0x541
          0x77f49e9e ADVAPI32!IdentifyCodeAuthzLevelW+0xd9
          0x7c819653 kernel32!BasepCheckWinSaferRestrictions+0x17e
          0x7c818d2c kernel32!GetNlsSectionName+0x10cb
          0x77f67838 ADVAPI32!CreateProcessAsUserW+0xc3
          0x76a642fd rpcss!<no symbol>
          0x76a5deaf rpcss!<no symbol>
          0x77da9dc9 RPCRT4!CheckVerificationTrailer+0x75
          0x77e2321a RPCRT4!NdrStubCall2+0x215
          0x77e236ee RPCRT4!NdrServerCall2+0x19
          0x77da988c RPCRT4!NdrGetTypeFlags+0x1c9
          0x77da97f1 RPCRT4!NdrGetTypeFlags+0x12e
          0x77da971d RPCRT4!NdrGetTypeFlags+0x5a
          0x77dabd0d RPCRT4!NdrConformantArrayFree+0x42e
          0x77dabb6a RPCRT4!NdrConformantArrayFree+0x28b
          0x77da6784 RPCRT4!I_RpcBCacheFree+0x14c
          0x77da6c22 RPCRT4!I_RpcBCacheFree+0x5ea
          0x77da6a3b RPCRT4!I_RpcBCacheFree+0x403
          0x77da6c0a RPCRT4!I_RpcBCacheFree+0x5d2
          0x7c80b50b kernel32!GetModuleFileNameA+0x1b4

    If this is the case you will need to install "Debugging Tools for Windows".  (32bit) (64bit)

    And the symbols for the corresponding Windows OS version.

    And debug the information to locate the true problem.

    Hope this helps.
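
Added example, not part of the original thread or of UPHClean: a Python parser for the event text layout quoted in the comment above, which lists each leaked hive handle with its owning process and flags stack frames that were probably resolved without proper symbols. The sample message is constructed (shortened from the quoted one), and the 0x1000 offset threshold is an assumed heuristic.

```python
import re

# Constructed sample in the layout of the event text quoted above (stack shortened).
SAMPLE_EVENT = r"""The following handles opened in user profile hive DOMAIN\USER (S-1-5-21-111111111-11111111111-111111111-1111) are preventing the profile from unloading:
svchost.exe (1064)
  HKCU (0x3ac)
      0x77fab4b7 ADVAPI32!<no symbol>
      0x77f772b1 ADVAPI32!IsTextUnicode+0x9cb4
      0x77f46b20 ADVAPI32!RegOpenKeyExW+0xa8
      0x77f67838 ADVAPI32!CreateProcessAsUserW+0xc3
      0x76a642fd rpcss!<no symbol>
      0x77e2321a RPCRT4!NdrStubCall2+0x215
"""

HIVE_RE = re.compile(r"user profile hive (\S+) \((S-[\d-]+)\)")
PROC_RE = re.compile(r"^(.+) \((\d+)\)$")
HANDLE_RE = re.compile(r"^(HK.*) \((0x[0-9a-fA-F]+)\)$")
FRAME_RE = re.compile(r"^0x[0-9a-fA-F]+ ([^!\s]+)!(.+?)(?:\+(0x[0-9a-fA-F]+))?$")
# Assumed heuristic: "<no symbol>" or an offset this large from a name suggests the
# frame was resolved from exports only, so proper symbols are needed to trust it.
SUSPECT_OFFSET = 0x1000


def parse_uphclean_event(text):
    """Return the hive owner, its SID and one record per open hive handle."""
    m = HIVE_RE.search(text)
    event = {"account": m and m.group(1), "sid": m and m.group(2), "handles": []}
    proc = pid = None
    for line in map(str.strip, text.splitlines()):
        if (m := FRAME_RE.match(line)) and event["handles"]:
            module, symbol, off = m.groups()
            event["handles"][-1]["frames"].append((module, symbol, int(off or "0", 16)))
        elif m := HANDLE_RE.match(line):
            event["handles"].append(dict(process=proc, pid=pid, key=m[1], handle=m[2], frames=[]))
        elif m := PROC_RE.match(line):
            proc, pid = m.group(1), int(m.group(2))
    return event


def triage(event):
    """Per handle: owning process, modules on the stack, frames not to be trusted."""
    out = []
    for h in event["handles"]:
        modules = list(dict.fromkeys(mod for mod, _, _ in h["frames"]))
        suspect = [f"{mod}!{sym}" for mod, sym, off in h["frames"]
                   if sym == "<no symbol>" or off >= SUSPECT_OFFSET]
        out.append({"process": h["process"], "pid": h["pid"], "key": h["key"],
                    "modules": modules, "suspect_frames": suspect})
    return out
```

Running `triage(parse_uphclean_event(text))` over event text exported from several workstations shows whether the same process and module chain holds the hive open everywhere before anyone reaches for a debugger.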

    LVL 6

    Author Comment

    Points awarded to Maasdriel as he was the first to reply to use UPHCleaner, this resolved the issue on the test clients.

    Many thanks
