

Error applying security and log on problems due to locked profile

Posted on 2009-06-30
Medium Priority
Last Modified: 2012-05-07
Users sometimes get the message that the profile can't be loaded and a local profile is loaded instead. When I try to reset the security in the profile on the server with Properties-Security-Advanced and then Replace permission entries on all child objects, I get the message "An error occur when applying security information to.....Access is denied" on a specific URL in the profile. When I then shut down the server with the profiles, this will be fixed and the user can log on and gets the profile in a normal way.

But to shut down a server is not the best way to "solve" this problem. Is there another solution to free the profile on the server?  I have implemented UPHClean on one specific PC where the user has this problem with the profile, but it seems not to solve the problem.

So is there any permanent solution for this problem?
Question by:SommelierRHS
LVL 80

Expert Comment

ID: 24759653
You have UPHClean listed in the tag.  This should address the issue.
Are these users accessing a terminal server as well as a workstation?
You should define a separate profile for terminal server use.

Do you include in your GPO to add the administrators group to the security settings of the roaming profile?

What you can check when this situation occurs is whether the specific file/resource is seen as in use on the server.  If the user is seen as using the file, you can disconnect them from the resource and see if that fixes the issue.

Do you have an anti-virus application on the fileserver?  Double check that it is up-to-date and perhaps has this as a known issue.
McAfee, Trend Micro and Symantec had some versions that, under intermittent circumstances, would lock a file.
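
The check suggested in the comment above (see whether a file in the roaming profile is still held open on the file server, and close that handle instead of restarting the server) can be scripted as follows. This is an added example, not part of the original thread; the path `D:\Profiles\jdoe`, the user name and the sample rows are constructed, and the column order (ID, Accessed By, Type, Open File) is an assumption to confirm against your own `openfiles /query /fo csv /nh` output.

```powershell
# Added example. Run on the server that hosts the profile share, as an administrator.
function Get-ProfileOpenFile {
    param(
        [Parameter(Mandatory = $true)] [string[]] $CsvLines,    # raw openfiles CSV output
        [Parameter(Mandatory = $true)] [string]   $ProfileRoot  # local path of one profile
    )
    $root   = $ProfileRoot.TrimEnd('\')
    $prefix = $root + '\'   # trailing backslash so "jdoe" does not match "jdoe2" or "jdoe.V2"
    $CsvLines |
        Where-Object { $_ -match '^"\d+"' } |                   # data rows only, skip banner/INFO text
        ConvertFrom-Csv -Header Id, AccessedBy, Type, Path |    # assumed column order, see lead-in
        Where-Object {
            $_.Path -eq $root -or
            $_.Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)
        }
}

function Close-ProfileOpenFile {
    param(
        [Parameter(Mandatory = $true)] $OpenFile,
        [switch] $Force                                         # without -Force this is a dry run
    )
    foreach ($f in $OpenFile) {
        if ($Force) {
            openfiles /disconnect /id $f.Id                     # closes that one handle on the share
        } else {
            "Would close ID $($f.Id): $($f.Path) (held by $($f.AccessedBy))"
        }
    }
}

# Constructed sample of what the server might return after the user has logged off.
$sample = @(
    'Files opened remotely via local share points:',
    '"101","jdoe","Windows","D:\Profiles\jdoe\NTUSER.DAT"',
    '"102","jdoe","Windows","D:\Profiles\jdoe\Favorites\Links\example.url"',
    '"103","jdoe2","Windows","D:\Profiles\jdoe2\NTUSER.DAT"',
    '"104","asmith","Windows","D:\Shares\Finance\budget.xls"'
)

$locked = Get-ProfileOpenFile -CsvLines $sample -ProfileRoot 'D:\Profiles\jdoe'
Close-ProfileOpenFile -OpenFile $locked                         # lists IDs 101 and 102 only

# Live use on the server (replace the constructed path with the real profile folder):
# $locked = Get-ProfileOpenFile -CsvLines (openfiles /query /fo csv /nh) -ProfileRoot 'D:\Profiles\jdoe'
# Close-ProfileOpenFile -OpenFile $locked -Force
```

Closing a handle while the user is still logged on can lose unsaved profile changes, so confirm the user is logged off everywhere before using `-Force`.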


Author Comment

ID: 24764368
Yes, one user accesses both a terminal server and a workstation. So I get your message here. But the problem occurs even after I have "loosened up" the profile by restarting the server, and this user has only been working a couple of days with his PC.

Not in a GPO, but directly in his profile on the server.

When this occurs I always tell the user to log off, and then still the specific file in the profile seems to be in use. So how can I make a disconnection on the (profile-)server (no terminal server)? And the core question still is could I resolve it in another way than to restart the server?

Yes, I have an anti-virus application on the server, but it works fine and I have 30 more users who don't have this problem.

So what more to do?
LVL 80

Expert Comment

ID: 24764486
Battled this issue myself.  The problem starts when the ntuser.dat file includes both workstation and server data. Using folder redirection with roaming profiles that point to one share for the workstation login profiles and another for the terminal server login profiles resolves the conflict while allowing the individual to access the same documents and maintain most of the same application settings/options without wasting too much space.
With the folders redirected (My Documents, Application Data, Start Menu, and Desktop), provided you use Office templates to relocate where Outlook stores the pst file, the profile will often take up less than 30MB.


Author Comment

ID: 24767498
Thanks for your research. I will try your advice during the next two days. Will be back in the beginning of next week.

Have a nice weekend!

Author Comment

ID: 24770266
I just remembered a case in another organization a couple of months ago, where we solved profile problems with the combination of terminal server and workstation included. The problem existed when we had two Windows 2003 Servers as DCs, a Windows 2008 server as terminal server and workstations with Windows XP. When we changed the terminal server to a Windows 2003 server, the problems disappeared.

In my case right now I have a Windows 2003 Server as the terminal server and workstations with Windows XP, and from when these problems started, a change from an SBS 2003 as DC to a Windows 2008 server as DC. It seems that the problem exists when a Windows Server 2008 is involved towards a workstation with XP.

So arnold, which mixture was your set up in your last research?
LVL 80

Accepted Solution

arnold earned 2000 total points
ID: 24771486
XP with windows 2003.
You could try adding the client preferences to the workstations.
windows 2k3 and windows XP use the same profile storage mechanism while Vista, win2k8 and windows 7 use a different profile.V2.
In the example you had with win XP workstations with win2k8 terminal server the profiles will be separate even if the profile is defined as \\domain\userprofiles\username in the AD.
In the share \\domain\userprofiles\ there will be two directories one for username and one for username.V2.
The difficulties you likely experienced are that the documents/settings that were available on one system were not accessible on the other.  A way to address this is to use Folder redirection.

In the setup you have and I dealt with, the same ntuser.dat file was being accessed/updated by both WinXP and Win2k3.
On winxp, I added the MS User Hive Cleanup tool, which deals with releasing the user settings upon logout. With the tool, the profile was freed up to synchronize.  On the server, if the user's resources are not released in time, the profile might not completely synchronize and might appear as "in use" on subsequent access from a different system (did not explore to see whether in these types of situation there is a "marker" in the profile in the share.)

There were some discussions I've seen dealing with win2k8 as a DC.
Do not remember whether the discussion dealt with the Domain/forest functional level.

If you decide to go with the separate profile setup for terminal server and workstation while maintaining access to the same documents no matter the access method, you should set up folder redirection first.


Question has a verified solution.
