Error applying security and log on problems due to locked profile

Users sometimes get the message that the profile can't be loaded and a local profile is loaded instead. When I try to reset the security in the profile on the server with Properties-Security-Advanced and then Replace permission entries on all child objects, I get the message "An error occur when applying security information to.....Access is denied" on a specific URL in the profile. When I then shut down the server with the profiles, this will be fixed and the user can log on and gets the profile in a normal way.

But to shut down a server is not the best way to "solve" this problem. Is there another solution to free the profile on the server? I have implemented UPHClean on one specific PC where the user has this problem with the profile, but it seems not to solve the problem.

So is there any permanent solution for this problem?

You have UPHClean listed in the tag. This should address the issue.
Are these users accessing a terminal server as well as a workstation?
You should define a separate profile for terminal server use.

Do you include in your GPO to add the administrators group to the security settings of the roaming profile?

What you can check when this situation occurs is whether the specific file/resource is seen as in use on the server.  If the user is seen as using the file, you can disconnect them from the resource and see if that fixes the issue.

Do you have an anti-virus application on the fileserver?  Double check that it is up-to-date and perhaps has this as a known issue.
McAfee, Trend Micro and Symantec had some versions that, under intermittent circumstances, would lock a file.

SommelierRHS (Author) Commented:
Yes, one user accesses both a terminal server and a workstation. So I get your message here. But the problem occurs even after I have "loosened up" the profile by restarting the server and this user only has been working a couple of days with his PC.

Not in a GPO, but directly in his profile on the server.

When this occurs I always tell the user to log off, and then still the specific file in the profile seems to be in use. So how can I make a disconnection on the (profile-)server (no terminal server)? And the core question still is could I resolve it in another way than to restart the server?

Yes, I have an anti-virus application on the server, but it works fine and I have 30 more users who don't have this problem.

So what more to do?
Battled this issue myself. The problem starts when the ntuser.dat file includes both workstation and server data. Using folder redirection with roaming profiles that point to one share for the workstation login profiles and another for the terminal server login profiles resolves the conflict while allowing the individual to access the same documents and maintain most of the same application settings/options without wasting too much space.
With the folders redirected (My Documents, Application Data, Start Menu, and Desktop), provided you use Office templates to relocate where Outlook stores the PST file, the profile will often take up less than 30MB.

SommelierRHS (Author) Commented:
Thanks for your research. I will try your advice during the next two days. Will be back in the beginning of next week.

Have a nice weekend!
SommelierRHS (Author) Commented:
I just remember a case in another organization a couple of months ago, where we solved profile problems with the combination terminal server and workstation included. The problem existed when we had two Windows 2003 Servers as DC, Windows 2008 server as terminal server and workstations with Windows XP. When we changed the terminal server to a Windows 2003 server, the problems disappeared.

In my case right now I have a Windows 2003 Server as the terminal server and workstations with Windows XP, and from when this problem started, a change from an SBS 2003 as DC to a Windows 2008 server as DC. Seems that the problem exists when a Windows Server 2008 is involved towards a workstation with XP.

So arnold, which mixture was your set up in your last research?
XP with windows 2003.
You could try adding the client preferences to the workstations.
Windows 2k3 and Windows XP use the same profile storage mechanism, while Vista, Win2k8 and Windows 7 use a different profile.V2.
In the example you had with win XP workstations with win2k8 terminal server the profiles will be separate even if the profile is defined as \\domain\userprofiles\username in the AD.
In the share \\domain\userprofiles\ there will be two directories one for username and one for username.V2.
The difficulties you likely experienced are that the documents/settings that were available on one system were not accessible on the other.  A way to address this is to use Folder redirection.

In the setup you have and I dealt with, the same ntuser.dat file was being accessed/updated by both WinXP and Win2k3.
On winxp, I added the MS User Hive Cleanup tool, which deals with releasing the user settings upon logout. With the tool, the profile was freed up to synchronize.  On the server, if the user's resources are not released in time, the profile might not completely synchronize and might appear as "in use" on subsequent access from a different system (did not explore to see whether in these types of situation there is a "marker" in the profile in the share.)

There were some discussions I've seen dealing with win2k8 as a DC.
Do not remember whether the discussion dealt with the Domain/forest functional level.

If you decide to go with the separate profile setup for terminal server and workstation while maintaining access to the same documents no matter the access method, you should set up folder redirection first.
