Solved

Directories keep resurrecting themselves in profile share!

Posted on 2006-11-02
15
261 Views
Last Modified: 2010-04-18
Hi Experts,

I wonder if someone can shed some light on this strange issue.

We have deleted some people's profiles from a share on the file server, and deleted the profiles from their local XP machines also. Yet overnight, the old profiles seem to resurrect themslelves, requiring re-deletion. Could there be some replication configured that I am unaware of? Where would this be set up?

Thanks. Investigation is ongoing!!
0
Comment
Question by:georgemason
  • 6
  • 4
  • 3
  • +1
15 Comments
 
LVL 9

Expert Comment

by:robjeeves
Comment Utility
G'day mate.  Is this in a domain environment?  If so do the users have roaming profiles? If so soon as they log off they will indeed copy their new profiles back to the roaming path.  Take a looks at the user properties in Active Directory Users & Computers.  Check to see if there is a roaming profile set for the user

Hope this helps

Rob
0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 75 total points
Comment Utility
Check the date/time of the ntuser.dat.  If the file is older than when you deleted them then yes you have somethign re-creating them such as maybe a script syncronishing two servers?  If ntuser.dat is being updated then a user is logging off from a machine using that roaming profile.

Having said that are these just empty directories?
0
 
LVL 1

Author Comment

by:georgemason
Comment Utility
Hi Rob,

Yes it's a domain environment, sorry should have been clearer. Basically we logged onto the users machine as an admin, deleted the local copy of their roaming profile from the machine, then in the same session browsed to the server and deleted their profile from the share.

Lo and behold, the next morning, the profile was back on the server (and their machine) in all its 4.5GB glory.

It's got me very confused!

George
0
 
LVL 1

Author Comment

by:georgemason
Comment Utility
- dragon-it - no these are anything but empty! 4.6gb to be precise. I too suspect some sort of file synchronisation from somewhere but am so far unable to track it down.

However a previous administrator of this server was running a util on there known as Handy Backup - this is a file sync shareware app << shudder >> and although the license has expired I think it might be the culprit.

I'm performing a controlled deletion this evening and we shall see what's there tomorrow!

Thanks. G
0
 
LVL 43

Expert Comment

by:Steve Knight
Comment Utility
As I said if the ntuser.dat is a new date/time then it is the user putting it back effectively.  If this isn;t possible because the user hasnt logged in then something funny's up!

Let us know how it goes.

Steve
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
It's possible the user has Offline folders enabled for the profile share.  In this case you need to find the Offline cache and remove it otherwise it will simply recopy everything you deleted.

0
 
LVL 9

Expert Comment

by:robjeeves
Comment Utility
mmmmmm, nice idea Netmann66.  Am curious to find out the outcome . . .
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 50 total points
Comment Utility
The only other logical explanation would be if the Profile share is on a DFS share that is being replicated back from another replica.

0
 
LVL 1

Author Comment

by:georgemason
Comment Utility
Right, here's an update....

The user is using a completely different profile now, and the problem has gone away. One piece of info that I should have shared with you is that historically a user profile migration had occured between two drives on the server, by the aforementioned admin, using techniques unknown. I think is the root of the problem. The new profile created for the user above was created in the current profile share and therefore did not exist in the old area. Previously the directories existed in both for most users (maybe you're getting a picture of how the previous guy operated!!).

Last night I created some test directories in the old profile share - sure enough, this morning, they are all present in the new profile share. Therefore there is obviously some process copying data between the shares. This is doubly annoying as I finished this profile migration with a nice script that ensured that profiles were copied in a controlled way..... deep breath.....

So the question is, what is installed on this box which is doing the mischievous synchronisation of profile shares? There are 2 likely culprits, I would appreciate your collective input:

1) Handy Backup. A piece of shareware used to copy between directories, but claiming that it has expired, and not running as a service as far as I can tell (will look into this more).
2) DFS (good suggestion netman66). It seems to be installed on the server, but not configured correctly. There is a share configured although I don't think it's active, errors when I try to view its properties.
0
 
LVL 43

Expert Comment

by:Steve Knight
Comment Utility
It might just be a robocopy or xcopy job in scheduled tasks - he no doubt used d$ or whatever to carry out the replication but otherwise might be worth removing the profiles share from the other server for starters.
0
 
LVL 1

Author Comment

by:georgemason
Comment Utility
Am in the process of doing exactly that. I had already checked scheduled tasks and there's nothing in there, or from the cmd line using at.

I think it's Handy Backup. Shame, I would have liked to find out what was causing the issue, but I think I might just have to take steps to stop it happening without fully knowing what was causing it.
0
 
LVL 43

Expert Comment

by:Steve Knight
Comment Utility
You could narrow down WHEN it is happening by checking the create time on the folders potentially.  If not write a batch file which does this and run it one the server.  When the path appears it will print the time and stop.


:start
if exist D:\profiles\testuser\ntuser.dat echo %time% & pause
REM Pause approx. 2 mins
ping localhost -n 120
goto start
0
 
LVL 1

Author Comment

by:georgemason
Comment Utility
OK I've ununstalled Handy Backup and moved the old profile directory (he must have been referring to its location using the C$ share as I'd already unshared the dir before any of this happened). I've created a test directory in the old profile directory to see whether it gets copied across - although I see no way that it could - but you never know!!

I'll split the points between you all as you have all given me ideas which helped me track down what was happening. Thanks to you all.
0
 
LVL 9

Expert Comment

by:robjeeves
Comment Utility
"I'll split the points between you all as you have all given me ideas which helped me track down what was happening. Thanks to you all."

I feel left out of the points George :-) I'll struggle on though.

Good luck tracking it down mate. Problems like this are great cos thanks to steve we all get a little batch file to check for a path and loop until it appears. I love Experts Exchange.

Rob
0
 
LVL 1

Author Comment

by:georgemason
Comment Utility
Oh mate, sorry about that, I missed you out at the top there. Next time eh? :-)

In the end I copped out and uninstalled that Handy Backup shareware, and I think that's it licked. Would have liked to be more scientific about it but the users were breathing down my next as their profiles kept getting polluted with old stuff which they had to delete every morning! How to make friends and influence people - I think not.

Thanks for your help tho.

George
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now