Solved

Random user profile corruption

Posted on 2016-08-15
10
989 Views
Last Modified: 2016-08-15
I have a client that uses one (1) domain user account to log in to all 16 computers on his network (holdover protocol from previous setup for simplicity purposes). We just recently upgraded to Windows Server 2012 from Server 2008 for his single network server. All clients are running Windows 7 64 bit and logging into the network using the same AD user which has Admin rights on the local computer (this is a requirement of the software they are running). Since the upgrade there have been several computers that, on occasion, will lose their local profile and come up with the default profile. This is not a predictable occurrence and has only happened to 4 or 5 client computers on a sporadic basis (once a week or so), some on more than one occasion. We've been resolving the issue with a system restore which seems to work but gets annoying and takes time to run. Would there be anyone with an idea as to why this issue occurs and what I can do to relieve the situation? Thanks for your input!
0
Question by:ServerDoc
10 Comments
 
LVL 23

Expert Comment

by:yo_bee
ID: 41756309
Are you using any Roaming Profiles features (Native to AD or Third Party like Citrix)?
0
 
LVL 9

Expert Comment

by:James Rankin
ID: 41756313
This is just a local profile on all the machines, not a roaming profile, yes?

Profile corruption (as it is) can be caused by incorrect permissions getting written to the filesystem or Registry, processes holding onto Registry keys or files, or any number of things. A good test is to see, after the user has logged out, if you can log on as a different user and delete their local profile. If you can't, something is hooked into it, and you can find what this is by using Process Monitor and checking for the target username in the folder path.
0
 

Author Comment

by:ServerDoc
ID: 41756317
No roaming profiles... All profiles are local workstation profiles.
0
 
LVL 9

Expert Comment

by:James Rankin
ID: 41756318
If you are using a roaming profile (which would be defined in AD), and the same user is logged into 16 machines simultaneously, this would definitely cause corruption (as potentially 16 user sessions try to write to the same profile area). However as you said local, I'm discounting this possibility for now - confirmation would be good.
0
 
LVL 9

Expert Comment

by:James Rankin
ID: 41756319
OK, no roaming then :-)
0
 

Author Comment

by:ServerDoc
ID: 41756342
Confirming... No roaming profiles.
0
 

Author Comment

by:ServerDoc
ID: 41756350
Here is something to chew on... These events are recorded in the Application Event Log when starting up the affected computers. Thanks for your input!

Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:35 AM
Event ID:      1508
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      <computer_name>.<domain_name>.local
Description:
Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

 DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\<user_name>.<domain_name>\ntuser.dat
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1508</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:35.077956500Z" />
    <EventRecordID>36366</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_REGLOADKEYFAILED">
    <Data Name="Error">The process cannot access the file because it is being used by another process.
</Data>
    <Data Name="File">C:\Users\<user_name>.<domain_name>\ntuser.dat</Data>
  </EventData>
</Event>


Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:35 AM
Event ID:      1502
Task Category: None
Level:         Error
Keywords:      
User:          <domain_name>\<user_name>
Computer:      <computer_name>.<domain_name>.local
Description:
Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile.

 DETAIL - The process cannot access the file because it is being used by another process.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1502</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:35.077956500Z" />
    <EventRecordID>36367</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-21-3524821448-4228481947-2484035581-1138" />
  </System>
  <EventData>
    <Data Name="Error">The process cannot access the file because it is being used by another process.
</Data>
  </EventData>
</Event>


Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:35 AM
Event ID:      1515
Task Category: None
Level:         Error
Keywords:      
User:          <domain_name>\<user_name>
Computer:      <computer_name>.<domain_name>.local
Description:
Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1515</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:35.077956500Z" />
    <EventRecordID>36368</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-21-3524821448-4228481947-2484035581-1138" />
  </System>
  <EventData>
  </EventData>
</Event>



Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:35 AM
Event ID:      1511
Task Category: None
Level:         Error
Keywords:      
User:          <domain_name>\<user_name>
Computer:      <computer_name>.<domain_name>.local
Description:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1511</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:35.140356600Z" />
    <EventRecordID>36369</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-21-3524821448-4228481947-2484035581-1138" />
  </System>
  <EventData>
  </EventData>
</Event>


Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:36 AM
Event ID:      1508
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      <computer_name>.<domain_name>.local
Description:
Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

 DETAIL - Access is denied.
 for C:\Users\TEMP\ntuser.dat
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1508</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:36.591159100Z" />
    <EventRecordID>36373</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_REGLOADKEYFAILED">
    <Data Name="Error">Access is denied.
</Data>
    <Data Name="File">C:\Users\TEMP\ntuser.dat</Data>
  </EventData>
</Event>



Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:36 AM
Event ID:      1505
Task Category: None
Level:         Error
Keywords:      
User:          <domain_name>\<user_name>
Computer:      <computer_name>.<domain_name>.local
Description:
Windows cannot load the user's profile but has logged you on with the default profile for the system.

 DETAIL - Access is denied.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1505</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:36.606759100Z" />
    <EventRecordID>36374</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-21-3524821448-4228481947-2484035581-1138" />
  </System>
  <EventData>
    <Data Name="Error">Access is denied.
</Data>
  </EventData>
</Event>
0
 
LVL 9

Accepted Solution

by:James Rankin
James Rankin earned 250 total points
ID: 41756390
OK, this looks like a smoking gun

Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

 DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\<user_name>.<domain_name>\ntuser.dat


This means the Registry file for the user (ntuser.dat) is in use by something, and Windows can't load it - hence the temporary profile is used.

Run Process Explorer (https://technet.microsoft.com/en-gb/sysinternals/bb896653) and see if you can find a reference to the ntuser.dat for that particular user in the Find | Find Handle or DLL function. Look for the full path to the user's ntuser.dat file in here, and see if you can find what process has it open.

Once you find that, you can then try and work out why it isn't closing...
0
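A way to collect the User Profile Service events above from all of the workstations at once, so the 1508 "file in use" error can be lined up with the 1511/1505 temporary-profile logon that follows it. This is an added example, not code from the thread; it assumes remote event log access (RPC) to the named machines, and 'WS01'/'WS02' are placeholder computer names.

```powershell
# Added example, not from the thread. Collects User Profile Service failures
# (1508 hive load failed, 1502/1505 profile load failed, 1515 profile backed up,
# 1511 temporary profile) and pulls the locked hive path out of the event XML.
function Get-ProfileLoadFailure {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),  # placeholders: 'WS01','WS02'
        [int]$Days = 14
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        Id           = 1508, 1502, 1515, 1511, 1505
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    foreach ($pc in $ComputerName) {
        # Get-WinEvent reports "no events found" as an error; suppress it per machine
        $events = Get-WinEvent -ComputerName $pc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # 1508 carries the failing hive path in its 'File' data field; 1515/1511 have no data
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d.Name -and $d.Name -ne 'Data') { $data[$d.Name] = ($d.'#text').Trim() }
            }
            [pscustomobject]@{
                Computer = $pc
                Time     = $e.TimeCreated
                Id       = $e.Id
                User     = $e.UserId
                Error    = $data['Error']
                File     = $data['File']
            }
        }
    }
}

# Sort per machine and time so each 1508 sits next to the 1511/1505 it caused
Get-ProfileLoadFailure -ComputerName 'WS01', 'WS02' |
    Sort-Object Computer, Time |
    Format-Table -AutoSize
```

Once a 1508 row shows the locked ntuser.dat path, Process Explorer's Find Handle or DLL (as described above), or the Sysinternals handle.exe command-line tool run against that path, shows which process is holding it open.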
 
LVL 26

Assisted Solution

by:Tony Johncock
Tony Johncock earned 250 total points
ID: 41756403
How often is the affected machine(s) rebooted? Although great progress was made, it is still possible for profiles to have parts of them held open.

Also and especially if they reuse the account for services.

Has anyone done a disk scan to see if it has any errors? I assume it's got plenty of free space?

As to this whole "the application needs administrator rights"...no it doesn't.

Lazy programming may make it appear this way but it's simply not true. I have come across this dozens of times over the years - particularly with Citrix and Remote Desktop Services - but it is not true.

Using the admin/domain admin accounts to log on and do day-to-day work is dumb and exposes the system to all sorts of potential havoc.

Get a hold of Sysinternals' Process Monitor. Run it up, launch the application that "needs" these elevated rights and filter on its executable.

Highlight the access denied errors and release the permissions on the necessary keys and files.

Problem solved. A bit of work will protect the servers.

I cannot believe, in 2016, we still get the "application needs admin rights" excuse.

Also - why the same user account? What about accountability? Anyone can do anything either on purpose or (usually more likely) by accident and there's no way to pin down who did it.

Someone needs to take a step back, to do some thinking about how things are configured and where to go from here. It'll take work to begin with, but will lead to more stable, usable and secure systems in the longer term.
0
 

Author Comment

by:ServerDoc
ID: 41756519
Thanks James, and Tony... I'll go hunting with Process Explorer and see what I find. May take a few days but I'll let you know when I figure it out. You've given me a direction to look now.
0
