Solved

Error applying security and log on problems due to locked profile

Posted on 2009-06-30
Last Modified: 2012-05-07
Users sometimes get the message that the profile can't be loaded and a local profile is loaded instead. When I try to reset the security in the profile on the server with Properties-Security-Advanced and then Replace permission entries on all child objects, I get the message "An error occur when applying security information to.....Access is denied" on a specific URL in the profile. When I then shut down the server with the profiles, this is fixed and the user can log on and gets the profile in the normal way.

But shutting down a server is not the best way to "solve" this problem. Is there another solution to free the profile on the server? I have implemented UPHClean on one specific pc where the user has this problem with the profile, but it seems not to solve the problem.

So is there any permanent solution for this problem?
Question by:SommelierRHS
6 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 24759653
You have UPHClean listed in the tag.  This should address the issue.
Are these users accessing a terminal server as well as a workstation?
You should define a separate profile for terminal server use.

Do you include in your GPO to add the administrators group to the security settings of the roaming profile?

What you can check when this situation occurs is whether the specific file/resource is seen as in use on the server.  If the user is seen as using the file, you can disconnect them from the resource and see if that fixes the issue.


Do you have an anti-virus application on the fileserver?  Double check that it is up-to-date and perhaps has this as a known issue.
McAfee, Trend Micro and Symantec had some versions that, under intermittent circumstances, would lock a file.
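
The check described in the comment above (is a file in the profile still seen as in use on the server, and can that one resource be disconnected), as an added example that is not part of the original post. It parses the CSV output of the built-in `openfiles` tool; the server name `FS01`, the path `D:\Profiles\jdoe` and the sample rows are constructed, and `ConvertFrom-Csv` assumes PowerShell 2.0 or later.

```powershell
# Added example: list files under a roaming-profile folder that the file
# server still holds open, so one handle can be closed instead of rebooting.
function Get-ProfileOpenFile {
    param(
        [string[]]$CsvLines,   # output of: openfiles /query /fo csv /v
        [string]$ProfileRoot   # local path of the profile folder on the server
    )
    # openfiles can print informational lines; keep only quoted CSV rows.
    $rows = $CsvLines | Where-Object { $_ -like '"*' } | ConvertFrom-Csv
    foreach ($row in $rows) {
        # Column header is 'Open File (Path\executable)'; find it by prefix.
        $pathProp = $row.PSObject.Properties |
            Where-Object { $_.Name -like 'Open File*' } | Select-Object -First 1
        if (-not $pathProp) { continue }
        # Match the folder itself or anything below it, so that
        # D:\Profiles\jdoe does not also match D:\Profiles\jdoe2.
        if ($pathProp.Value -eq $ProfileRoot -or
            $pathProp.Value -like "$ProfileRoot\*") {
            New-Object PSObject -Property @{
                Id         = $row.ID
                AccessedBy = $row.'Accessed By'
                Path       = $pathProp.Value
            }
        }
    }
}

# Constructed sample of 'openfiles /query /fo csv /v' output.
$sample = @(
    'INFO: constructed informational line, ignored by the parser'
    '"Hostname","ID","Accessed By","Type","#Locks","Open Mode","Open File (Path\executable)"'
    '"FS01","1204","jdoe","Windows","0","Write + Read","D:\Profiles\jdoe\ntuser.dat"'
    '"FS01","1207","jdoe2","Windows","0","Read","D:\Profiles\jdoe2\ntuser.dat"'
    '"FS01","1311","asmith","Windows","0","Read","D:\Shares\Docs\plan.doc"'
)
Get-ProfileOpenFile -CsvLines $sample -ProfileRoot 'D:\Profiles\jdoe'

# Against a live server (run as an administrator of the file server):
#   $live = openfiles /query /s FS01 /fo csv /v
#   Get-ProfileOpenFile -CsvLines $live -ProfileRoot 'D:\Profiles\jdoe'
# Close one handle by ID, only after the user has logged off everywhere,
# because unsaved writes through that handle are lost:
#   openfiles /disconnect /s FS01 /id 1204
```

On the constructed sample only the row with ID 1204 is returned; the `Accessed By` value shows which account still holds the file.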

 

Author Comment

by:SommelierRHS
ID: 24764368
Yes, one user accesses both a terminal server and a workstation. So I get your message here. But the problem occurs even after I have "loosened up" the profile by restarting the server, and this user has only been working a couple of days with his pc.

Not in a GPO, but directly in his profile on the server.

When this occurs I always tell the user to log off, and then still the specific file in the profile seems to be in use. So how can I make a disconnection on the (profile-)server (no terminal server)? And the core question still is could I resolve it in another way than to restart the server?

Yes, I have an anti-virus application on the server, but it works fine and I have 30 more users who don't have this problem.

So what more to do?
 
LVL 76

Expert Comment

by:arnold
ID: 24764486
Battled this issue myself.  The problem starts when the ntuser.dat file includes both workstation and Server data. Using folder redirection with roaming profiles that point to one share for the workstation login profiles and another for the terminal server login profiles resolves the conflict while allowing the individual to access the same documents and maintain most of the same application settings/options without wasting too much space.
With the folders redirected (my documents, application data, start menu, and desktop), provided you use Office templates to relocate where Outlook stores the pst file, the profile will often take up less than 30MB.

 

Author Comment

by:SommelierRHS
ID: 24767498
Thanks for your research. I will try your advice during the next two days. Will be back in the beginning of next week.

Have a nice weekend!
 

Author Comment

by:SommelierRHS
ID: 24770266
I just remembered a case in another organization a couple of months ago, where we solved profile problems with the combination of terminal server and workstation included. The problem existed when we had two Windows 2003 Servers as dc, Windows 2008 server as terminal server and workstations with Windows XP. When we changed the terminal server to a Windows 2003 server, the problems disappeared.

In my case right now I have a Windows 2003 Server as the terminal server and workstations with Windows XP and, from when these problems started, a change from an SBS 2003 as dc to a Windows 2008 server as dc. Seems that the problem exists when a Windows Server 2008 is involved towards a workstation with XP.

So arnold, which mixture was your set up in your last research?
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
ID: 24771486
XP with windows 2003.
You could try adding the client preferences to the workstations.
Windows 2k3 and Windows XP use the same profile storage mechanism, while Vista, win2k8 and Windows 7 use a different profile (.V2).
In the example you had with win XP workstations with win2k8 terminal server, the profiles will be separate even if the profile is defined as \\domain\userprofiles\username in the AD.
In the share \\domain\userprofiles\ there will be two directories, one for username and one for username.V2.
The difficulties you likely experienced are that the documents/settings that were available on one system were not accessible on the other.  A way to address this is to use Folder redirection.

In the setup you have and I dealt with, the same ntuser.dat file was being accessed/updated by both winxp and win2k3.
On winxp, I added the MS User Hive Cleanup tool, which deals with releasing the user settings upon logout. With the tool, the profile was freed up to synchronize.  On the server, if the user's resources are not released in time, the profile might not completely synchronize and might appear as "in use" on subsequent access from a different system (did not explore to see whether in these types of situations there is a "marker" in the profile in the share.)

There were some discussions I've seen dealing with win2k8 as a DC.
Do not remember whether the discussion dealt with the Domain/forest functional level.

If you decide to go with the separate profile setup for terminal server and workstation while maintaining access to the same documents no matter the access method, you should set up folder redirection first.