Server 2008 R2 Issues with roaming profiles and share permissions since backup restore

MadPC
Hi,

I have a Windows Server 2008 which was recently hit by the TeslaCrypt virus. For those who don't know, this virus attacks shared folders/USB drives and encrypts files to the point where they are useless unless a ransom is paid via bitcoin.

I didn't pay the ransom; instead I relied on backups using Symantec Backup Exec. The infected folders were:

StaffProfiles (used for each staff login using roaming profiles)
StaffCommon (a simple data share folder for all staff access)
APPS (again, just data containing mainly software installers)

The way Backup Exec works, it will restore the files from the backup, but if the folder already contains files not included in the backup it will simply restore the unencrypted files and leave the encrypted files in place. Obviously not ideal, so I thought it would be best to empty the contents of the above shares and restore a clean backup. This has worked perfectly; however, since doing so we have the following problems...

Any user within the 'StaffUser' group can now only log on to their roaming profile as a temporary profile, with the exception of the domain administrator account, which works fine.

The DC won't sync the time using w32tm /sync from any client, although I suspect this was an issue prior to the restore, as the time was way out on some machines.

If I create a new profile within the 'StaffUser' group using 'copy' (to copy one of the original staff profiles) I get an error message: "The \\dc\staff\setupcopy home folder was not created because: The network name cannot be found. The user account has been created with the new home folder value but you must create the folder manually". If I set up a new user without copying an existing profile, this works fine and the profile is allowed to log in without a temporary profile, although the user has to be individually added to the share permissions.

I suspect there is a problem somewhere with the main 'StaffUsers' group no longer connecting to the profile folders since the restore. Although I can see the group within AD, it is not found when searching AD to add it to the shares.

Any advice more than welcomed!
Senior Citrix Engineer
Commented:
Your best bet is to just completely wipe those directories out, scan the system, and then restore the directories from backups.  

You should use w32tm to sync your DC against an internet source, not from a client machine. The rest of the machines will naturally sync their time from the DC. If you have multiple DCs then do it from the PDC emulator and then sync the other DCs to that one, or sync them all from the same time source.

The complete restore and time sync will likely help with the profile issue. The side piece to that is that you should delete the existing profiles (I suggest using delprof2.exe from Helge Klein). It will also take the extra step of cleaning up stale registry entries.

https://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/

Coralon
This sounds to me like a problem with the NTFS security/sharing and owner permissions on those shares and folders that you restored from backup. Since it works fine when you create a new profile, that seems the most logical conclusion, and I would check that first before going any further. Each profile folder has to have the local or domain Administrators group as the owner, and the user has to have Full rights to the folder and all contents within the folder.

Another approach is to just can the old profile folders and create a new profile for all users. If their Documents folders are redirected separately, this might be a viable solution. If the Documents folders are redirected along with the profile, then you're going to need to restore them separately. First off, the user has to be the owner and have Full permission to the Documents folder.

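The ownership and Full Control requirements described in the answer above can be checked across a restored profile share in one pass. The script below is an added example, not code from the thread or from any of the commenters; it assumes the share path `\\dc\StaffProfiles`, that profile folders are named `<user>` or `<user>.V2`, and that the user accounts live in the domain the script runs under.

```powershell
# Added example: audit restored roaming profile folders for the owner and
# Full Control requirements a roaming profile needs. Written for PowerShell 2.0
# (as shipped with Server 2008 R2), so no -Directory switch or [pscustomobject].
$ProfileRoot   = '\\dc\StaffProfiles'                       # assumption: restored share
$Domain        = $env:USERDOMAIN                             # assumption: profile owners' domain
$AllowedOwners = @('BUILTIN\Administrators', "$Domain\Domain Admins")
$Full          = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-RoamingProfileAcl {
    param([string]$Folder)
    # Vista/7 clients create "<user>.V2" folders; older clients just "<user>"
    $user     = (Split-Path $Folder -Leaf) -replace '\.V\d+$', ''
    $acl      = Get-Acl -Path $Folder
    $problems = @()

    if ($AllowedOwners -notcontains $acl.Owner) {
        $problems += "owner is '$($acl.Owner)', expected Administrators"
    }

    # The user needs an Allow ACE granting Full Control that inherits to the whole tree
    $userRule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq "$Domain\$user" -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $Full) -eq $Full) -and
        $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit'
    }
    if (-not $userRule) { $problems += "no inherited Full Control ACE for $Domain\$user" }

    # ACEs that show a raw SID instead of a name belong to accounts or groups the
    # server can no longer resolve; a group that "cannot be found" in AD looks like this
    $orphans = @($acl.Access | Where-Object { $_.IdentityReference.Value -like 'S-1-*' })
    if ($orphans.Count -gt 0) { $problems += "$($orphans.Count) unresolved SID(s) in the ACL" }

    New-Object PSObject -Property @{
        Folder   = $Folder
        User     = $user
        Problems = ($problems -join '; ')
    }
}

Get-ChildItem -Path $ProfileRoot |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Test-RoamingProfileAcl -Folder $_.FullName } |
    Where-Object { $_.Problems } |
    Format-Table Folder, User, Problems -AutoSize
```

Run it from the file server as an account that can read the ACLs; folders that pass every check are not listed, so an empty table means the restored share matches the requirements above.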
Author

Commented:
I removed all infected shares and restored them; the issue was resolved when the sharing was recreated. Both answers assisted, thank you!
