Roaming profiles remaining on machines after log off


In our scenario we have roaming profiles, but we have the GPO setting enabled to delete these profiles (computer config/admin templates/system/user profile/delete cached copies of roaming profiles set to enabled). This is set at the domain level of the organisation and there is only one domain. This is so that if the profile becomes corrupt there won't be any local remnants of it and we also found that as we're a uni campus with many students logging on to one machine we eventually end up with the hard disk becoming full!

However, if I look on to a machine I still see remnants of users' profiles, but I also see folders that are something like %username%.%domainname%.001, %username%.%domainname%.002, %username%.%domainname%.003 where %username% is the username and %domainname% is the domain name. It looks like the folders are incrementing with each log on, which is actually the reverse of what we are trying to achieve! From this I'm assuming that the policy itself isn't working, but we're not getting any clues as to why. There are no event log messages saying that GPOs aren't being applied, no blocking of inheritance, etc. Two of us have been through the AD completely and double checked everything individually and we can't see anything wrong there, so any help would be very much appreciated.

ian_chardAuthor Commented:
I should also add that we've even created local policies on the machines too to double check and this is still happening.

Usually this happens when a program keeps a lock on the registry (user.dat)

Install the User Profile Hive Cleanup Service and read the documentation to enable verbose modes in the event viewer to locate which program is causing the problem.

If you can't fix the program which is causing the problem, you can always force any locks closed with this software, so that in turn Windows will be able to remove the profile after logoff.

Good point Maasdriel - this does cause some issues for sure.

You also want to check permissions to make sure they can delete their profile directory.  Sometimes the permissions get a little out of sync.

UPHCLEAN suggested above should be able to solve the problem. As suggested, it is important to also use UPHCLEAN to report in event logs the name of the process keeping the file in use. This may enable you to find the root cause and if you can eliminate it, you will not need to install UPHCLEAN on all computers.
Other than that, I can just add that running "gpresult" at command prompt on a Windows XP workstation will provide you the list of Domain GPOs currently APPLIED on workstation. This would save you time in the future when trying to ensure a certain domain GPO is actually applied.

ian_chardAuthor Commented:
Thanks for the responses. Permissions are definitely ruled out, as I get the same problem and I'm domain admin, enterprise admin, etc, etc.

I've installed UPHC on my machine now and plan on trialling it tomorrow and Friday on some of our normal users' machines to see if it cures things and will post back then with any events, etc or allocate points if it cures our problem.

Many thanks again

Not sure how far you are with testing.

But here's some extra info.

If svchost.exe (or some other general Windows-related file) is causing the problem, it's more difficult to locate what the problem is.

You can do this by enabling this.

You can also have UPHClean log the call stack that is responsible for the
profile hive handle.  This is necessary to find out what software is
responsible for the hive handle in processes used for many purposes (e.g.
svchost.exe, dllhost.exe, winmgmt.exe).  To enable call stack logging use the
registry editor to set:

HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\CALLSTACK_LOG to 1.

Logging the call stack is computationally and memory intensive.  You should use
this option to collect information and then turn it off.  To get more accurate
call stack logging it may be necessary to get symbols installed on the
computer.  You can read about getting symbols at:

An event msg could show up something like this:

SOURCE Eventlog
The following handles opened in user profile hive DOMAIN\USER (S-1-5-21-111111111-11111111111-111111111-1111) are preventing the profile from unloading:
svchost.exe (1064)
  HKCU (0x3ac)
      0x77fab4b7 ADVAPI32!<no symbol>
      0x77f772b1 ADVAPI32!IsTextUnicode+0x9cb4
      0x77f46b20 ADVAPI32!RegOpenKeyExW+0xa8
      0x77f4773e ADVAPI32!RegOpenKeyW+0x2f
      0x77f4b2dc ADVAPI32!SaferComputeTokenFromLevel+0x587
      0x77f4b296 ADVAPI32!SaferComputeTokenFromLevel+0x541
      0x77f49e9e ADVAPI32!IdentifyCodeAuthzLevelW+0xd9
      0x7c819653 kernel32!BasepCheckWinSaferRestrictions+0x17e
      0x7c818d2c kernel32!GetNlsSectionName+0x10cb
      0x77f67838 ADVAPI32!CreateProcessAsUserW+0xc3
      0x76a642fd rpcss!<no symbol>
      0x76a5deaf rpcss!<no symbol>
      0x77da9dc9 RPCRT4!CheckVerificationTrailer+0x75
      0x77e2321a RPCRT4!NdrStubCall2+0x215
      0x77e236ee RPCRT4!NdrServerCall2+0x19
      0x77da988c RPCRT4!NdrGetTypeFlags+0x1c9
      0x77da97f1 RPCRT4!NdrGetTypeFlags+0x12e
      0x77da971d RPCRT4!NdrGetTypeFlags+0x5a
      0x77dabd0d RPCRT4!NdrConformantArrayFree+0x42e
      0x77dabb6a RPCRT4!NdrConformantArrayFree+0x28b
      0x77da6784 RPCRT4!I_RpcBCacheFree+0x14c
      0x77da6c22 RPCRT4!I_RpcBCacheFree+0x5ea
      0x77da6a3b RPCRT4!I_RpcBCacheFree+0x403
      0x77da6c0a RPCRT4!I_RpcBCacheFree+0x5d2
      0x7c80b50b kernel32!GetModuleFileNameA+0x1b4

If this is the case you will need to install "Debugging Tools for Windows".  (32bit) (64bit)

And the symbols for the corresponding Windows OS version.

And debug the information to locate the true problem.

Hope this helps.
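
An added example, not part of the original thread and not UPHClean's own code: a small Python parser for the event text quoted in the post above. It extracts the process, the open hive key and the call-stack modules, and counts the frames logged as `<no symbol>`, which are the ones that need symbols installed. The sample input is abridged from the event in the post; the `GENERIC` module list and the "first non-generic module" rule are triage assumptions.

```python
import re
from collections import Counter

# Abridged from the sample event quoted in the post above.
SAMPLE_EVENT = """\
The following handles opened in user profile hive DOMAIN\\USER (S-1-5-21-111111111-11111111111-111111111-1111) are preventing the profile from unloading:
svchost.exe (1064)
  HKCU (0x3ac)
      0x77fab4b7 ADVAPI32!<no symbol>
      0x77f46b20 ADVAPI32!RegOpenKeyExW+0xa8
      0x77f4b2dc ADVAPI32!SaferComputeTokenFromLevel+0x587
      0x7c819653 kernel32!BasepCheckWinSaferRestrictions+0x17e
      0x77f67838 ADVAPI32!CreateProcessAsUserW+0xc3
      0x76a642fd rpcss!<no symbol>
      0x77e2321a RPCRT4!NdrStubCall2+0x215
      0x7c80b50b kernel32!GetModuleFileNameA+0x1b4
"""

PROC_RE = re.compile(r"^(\S.*?) \((\d+)\)$")                # svchost.exe (1064)
KEY_RE = re.compile(r"^\s+(\S+) \((0x[0-9a-fA-F]+)\)$")     # HKCU (0x3ac)
FRAME_RE = re.compile(r"^\s+(0x[0-9a-fA-F]+) ([^!\s]+)!(.+)$")
# Assumption: generic API plumbing, not the code that chose to open the hive.
GENERIC = {"advapi32", "kernel32", "rpcrt4", "ntdll"}

def parse_uphclean_event(text):
    """Return one dict per open hive handle: process, pid, key, handle, frames."""
    handles, proc = [], None
    for line in text.splitlines():
        if m := FRAME_RE.match(line):
            if handles:  # ignore stray frames that precede any handle line
                handles[-1]["frames"].append((m[2], m[3]))
        elif (m := KEY_RE.match(line)) and proc:
            handles.append({"process": proc[0], "pid": proc[1],
                            "key": m[1], "handle": m[2], "frames": []})
        elif m := PROC_RE.match(line):
            proc = (m[1], int(m[2]))
    return handles

def triage(handle):
    """First non-generic module on the stack, plus unresolved frames per module."""
    suspect = next((mod for mod, _ in handle["frames"]
                    if mod.lower() not in GENERIC), None)
    unresolved = Counter(mod for mod, sym in handle["frames"] if sym == "<no symbol>")
    return {"suspect_module": suspect, "needs_symbols": dict(unresolved)}

if __name__ == "__main__":
    for h in parse_uphclean_event(SAMPLE_EVENT):
        print(h["process"], h["pid"], h["key"], h["handle"], triage(h))
```

On the sample, the only non-generic module is `rpcss`, and its frame is unresolved, which is the situation where installing the debugging tools and OS symbols is needed before the stack says anything more specific.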

ian_chardAuthor Commented:
Points awarded to Maasdriel as he was the first to reply to use UPHCleaner; this resolved the issue on the test clients.

Many thanks
Windows Server 2003