Error applying security and log on problems due to locked profile

Posted on 2009-06-30
Last Modified: 2012-05-07
Users sometimes get the message that the profile can't be loaded and a local profile is loaded instead. When I try to reset the security in the profile on the server with Properties-Security-Advanced and then Replace permission entries on all child objects, I get the message "An error occur when applying security information to.....Access is denied" on a specific URL in the profile. When I then shut down the server with the profiles, this will be fixed and the user can log on and gets the profile in a normal way.

But to shut down a server is not the best way to "solve" this problem. Is there another solution to free the profile on the server? I have implemented UPHClean on one specific PC where the user has this problem with the profile, but it seems not to solve the problem.

So is there any permanent solution for this problem?
Question by:SommelierRHS

Expert Comment

ID: 24759653
You have UPHClean listed in the tag. This should address the issue.
Do these users access a terminal server as well as a workstation?
You should define a separate profile for terminal server use.

Do you include in your GPO to add the administrators group to the security settings of the roaming profile?

What you can check when this situation occurs is whether the specific file/resource is seen as in use on the server.  If the user is seen as using the file, you can disconnect them from the resource and see if that fixes the issue.

Do you have an anti-virus application on the fileserver?  Double check that it is up-to-date and perhaps has this as a known issue.
McAfee, Trend Micro and Symantec had some versions that, under intermittent circumstances, would lock a file.
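
The "is the file seen as in use on the server" check from the comment above, as an added example that is not part of the original thread: it lists the SMB handles still open under one user's roaming-profile folder on the file server and, only when asked, closes them with the built-in `openfiles.exe`. The path `D:\Profiles` and the account `jdoe` are assumed placeholders; run it elevated on the file server after the user has logged off everywhere.

```powershell
# Added example (not from the thread). Assumed values: D:\Profiles, jdoe.
param(
    [string]$ProfileRoot = 'D:\Profiles',  # assumed local path behind the profile share
    [string]$UserName    = 'jdoe',         # assumed account name
    [switch]$Disconnect                    # report only unless this switch is given
)

# XP/2003 profiles are stored in <user>; Vista/2008 and later use <user>.V2.
$folders = @($UserName, "$UserName.V2") | ForEach-Object { Join-Path $ProfileRoot $_ }

# Keep only the quoted CSV rows, because openfiles.exe can print banner text first.
# /nh suppresses the header row, so the column names are supplied here.
$rows = @(openfiles.exe /query /fo csv /nh |
    Where-Object { $_ -match '^"' } |
    ConvertFrom-Csv -Header ID, AccessedBy, Type, OpenFile)

# Select handles on the profile folder itself or on anything below it.
$locked = @($rows | Where-Object {
    $path = [string]$_.OpenFile
    $folders | Where-Object {
        $path -eq $_ -or
        $path.StartsWith("$_\", [StringComparison]::OrdinalIgnoreCase)
    }
})

if ($locked.Count -eq 0) {
    Write-Output "No open handles under $($folders -join ', ')"
    return
}

# Show who holds what, so the session can be traced to a workstation or terminal server.
$locked | Format-Table ID, AccessedBy, Type, OpenFile -AutoSize

if ($Disconnect) {
    # Closing a handle discards unsaved writes from that session.
    foreach ($row in $locked) {
        openfiles.exe /disconnect /id $row.ID | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Could not close handle $($row.ID) ($($row.OpenFile))"
        }
    }
}
```

Without `-Disconnect` the script only reports, which is enough to see whether a stale session or another account (for example a scanner's service account) is holding `ntuser.dat`.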


Author Comment

ID: 24764368
Yes, one user accesses both a terminal server and a workstation. So I get your message here. But the problem occurs even after I have "loosened up" the profile by restarting the server and this user only has been working a couple of days with his PC.

Not in a GPO, but directly in his profile on the server.

When this occurs I always tell the user to log off, and then still the specific file in the profile seems to be in use. So how can I make a disconnection on the (profile-)server (no terminal server)? And the core question still is could I resolve it in another way than to restart the server?

Yes, I have an anti-virus application on the server, but it works fine and I have 30 more users who don't have this problem.

So what more to do?

Expert Comment

ID: 24764486
Battled this issue myself. The problem starts when the ntuser.dat file includes both workstation and server data. Using folder redirection with roaming profiles that point to one share for the workstation login profiles and another for the terminal server login profiles resolves the conflict while allowing the individual to access the same documents and maintain most of the same application settings/options without wasting too much space.
With the folders redirected (My Documents, Application Data, Start Menu, and Desktop), provided you use Office templates to relocate where Outlook stores the PST file, the profile will often take up less than 30MB.


Author Comment

ID: 24767498
Thanks for your research. I will try your advice during the next two days. Will be back in the beginning of next week.

Have a nice weekend!

Author Comment

ID: 24770266
I just remember a case in another organization a couple of months ago, where we solved profile problems with the combination terminal server and workstation included. The problem existed when we had two Windows 2003 Servers as DC, Windows 2008 server as terminal server and workstations with Windows XP. When we changed the terminal server to a Windows 2003 server, the problems disappeared.

In my case right now I have a Windows 2003 Server as the terminal server and workstations with Windows XP and, from when these problems started, a change from an SBS 2003 as DC to a Windows 2008 server as DC. Seems that the problem exists when a Windows Server 2008 is involved towards a workstation with XP.

So arnold, which mixture was your set up in your last research?

Accepted Solution

arnold earned 500 total points
ID: 24771486
XP with Windows 2003.
You could try adding the client preferences to the workstations.
Windows 2k3 and Windows XP use the same profile storage mechanism while Vista, Win2k8 and Windows 7 use a different profile.V2.
In the example you had with Win XP workstations with Win2k8 terminal server, the profiles will be separate even if the profile is defined as \\domain\userprofiles\username in the AD.
In the share \\domain\userprofiles\ there will be two directories, one for username and one for username.V2.
The difficulties you likely experienced are that the documents/settings that were available on one system were not accessible on the other. A way to address this is to use folder redirection.

In the setup you have and I dealt with, the same ntuser.dat file was being accessed/updated by both WinXP and Win2k3.
On WinXP, I added the MS User Hive Cleanup tool, which deals with releasing the user settings upon logout. With the tool, the profile was freed up to synchronize. On the server, if the user's resources are not released in time, the profile might not completely synchronize and might appear as "in use" on subsequent access from a different system (did not explore to see whether in these types of situations there is a "marker" in the profile in the share).

There were some discussions I've seen dealing with Win2k8 as a DC.
Do not remember whether the discussion dealt with the domain/forest functional level.

If you decide to go with the separate profile setup for terminal server and workstation while maintaining access to the same documents no matter the access method, you should set up folder redirection first.
