Solved

Random user profile corruption

Posted on 2016-08-15
10
661 Views
Last Modified: 2016-08-15
I have a client that uses one (1) domain user account to login to all 16 computers on his network (holdover protocol from previous setup for simplicity purposes). We just recently upgraded to Windows Server 2012 from Server 2008 for his single network server. All clients are running Windows 7 64 bit and logging into the network using the same AD user which has Admin rights on local computer (this is a requirement of the software they are running). Since the upgrade there have been several computers that, on occasion, will lose their local profile and come up with the default profile. This is not a predictable occurrence and has only happened to 4 or 5 client computers on a sporadic basis (once a week or so), some on more than one occasion. We've been resolving the issue with a system restore, which seems to work but gets annoying and takes time to run. Would there be anyone with an idea as to why this issue occurs and what I can do to relieve the situation? Thanks for your input!
0
Comment
Question by:ServerDoc
10 Comments
 
LVL 22

Expert Comment

by:yo_bee
ID: 41756309
Are you using any Roaming Profiles features (Native to AD or Third Party like Citrix)?
0
 
LVL 9

Expert Comment

by:James Rankin
ID: 41756313
This is just a local profile on all the machines, not a roaming profile, yes?

Profile corruption (as it is) can be caused by incorrect permissions getting written to the filesystem or Registry, processes holding onto Registry keys or files, or any number of things. A good test is to see, after the user has logged out, if you can log on as a different user and delete their local profile. If you can't, something is hooked into it, and you can find what this is by using Process Monitor and checking for the target username in the folder path.
0
 

Author Comment

by:ServerDoc
ID: 41756317
No roaming profiles... All profiles are local workstation profiles.
0
 
LVL 9

Expert Comment

by:James Rankin
ID: 41756318
If you are using a roaming profile (which would be defined in AD), and the same user is logged into 16 machines simultaneously, this would definitely cause corruption (as potentially 16 user sessions try to write to the same profile area). However as you said local, I'm discounting this possibility for now - confirmation would be good.
0
 
LVL 9

Expert Comment

by:James Rankin
ID: 41756319
OK, no roaming then :-)
0
 

Author Comment

by:ServerDoc
ID: 41756342
Confirming... No roaming profiles.
0
 

Author Comment

by:ServerDoc
ID: 41756350
Here is something to chew on... These events are recorded in the Application Event Log when starting up the affected computers. Thanks for your input!

Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:35 AM
Event ID:      1508
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      <computer_name>.<domain_name>.local
Description:
Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

 DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\<user_name>.<domain_name>\ntuser.dat
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1508</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:35.077956500Z" />
    <EventRecordID>36366</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_REGLOADKEYFAILED">
    <Data Name="Error">The process cannot access the file because it is being used by another process.
</Data>
    <Data Name="File">C:\Users\<user_name>.<domain_name>\ntuser.dat</Data>
  </EventData>
</Event>


Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:35 AM
Event ID:      1502
Task Category: None
Level:         Error
Keywords:      
User:          <domain_name>\<user_name>
Computer:      <computer_name>.<domain_name>.local
Description:
Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile.

 DETAIL - The process cannot access the file because it is being used by another process.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1502</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:35.077956500Z" />
    <EventRecordID>36367</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-21-3524821448-4228481947-2484035581-1138" />
  </System>
  <EventData>
    <Data Name="Error">The process cannot access the file because it is being used by another process.
</Data>
  </EventData>
</Event>


Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:35 AM
Event ID:      1515
Task Category: None
Level:         Error
Keywords:      
User:          <domain_name>\<user_name>
Computer:      <computer_name>.<domain_name>.local
Description:
Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1515</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:35.077956500Z" />
    <EventRecordID>36368</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-21-3524821448-4228481947-2484035581-1138" />
  </System>
  <EventData>
  </EventData>
</Event>



Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:35 AM
Event ID:      1511
Task Category: None
Level:         Error
Keywords:      
User:          <domain_name>\<user_name>
Computer:      <computer_name>.<domain_name>.local
Description:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1511</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:35.140356600Z" />
    <EventRecordID>36369</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-21-3524821448-4228481947-2484035581-1138" />
  </System>
  <EventData>
  </EventData>
</Event>


Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:36 AM
Event ID:      1508
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      <computer_name>.<domain_name>.local
Description:
Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

 DETAIL - Access is denied.
 for C:\Users\TEMP\ntuser.dat
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1508</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:36.591159100Z" />
    <EventRecordID>36373</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_REGLOADKEYFAILED">
    <Data Name="Error">Access is denied.
</Data>
    <Data Name="File">C:\Users\TEMP\ntuser.dat</Data>
  </EventData>
</Event>



Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:36 AM
Event ID:      1505
Task Category: None
Level:         Error
Keywords:      
User:          <domain_name>\<user_name>
Computer:      <computer_name>.<domain_name>.local
Description:
Windows cannot load the user's profile but has logged you on with the default profile for the system.

 DETAIL - Access is denied.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1505</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:36.606759100Z" />
    <EventRecordID>36374</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-21-3524821448-4228481947-2484035581-1138" />
  </System>
  <EventData>
    <Data Name="Error">Access is denied.
</Data>
  </EventData>
</Event>
0
 
LVL 9

Accepted Solution

by:
James Rankin earned 250 total points
ID: 41756390
OK, this looks like a smoking gun

Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

 DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\<user_name>.<domain_name>\ntuser.dat


This means the Registry file for the user (ntuser.dat) is in use by something, and can't load it - hence temporary profile used.

Run Process Explorer (https://technet.microsoft.com/en-gb/sysinternals/bb896653) and see if you can find a reference to the ntuser.dat for that particular user in the Find | Find Handle or DLL function. Look for the full path to the user's ntuser.dat file in here, and see if you can find what process has it open.

Once you find that, you can then try and work out why it isn't closing...
0
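The event chain posted above (1508 hive load failure, then 1502, 1515, 1511 and finally 1505) can be pulled from every workstation in one pass instead of opening Event Viewer on each. This is an added example, not code from the thread; the computer names are placeholders and it assumes remote event log access to the Windows 7 clients is allowed.

```powershell
# Added example: collect User Profiles Service failures from each client's
# Application log and show which ntuser.dat hive failed to load, and why.
$Computers = @('WS01', 'WS02')   # placeholders: replace with the 16 client names
$Days      = 14
$Filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-User Profiles Service'
    Id           = 1508, 1502, 1515, 1511, 1505   # the IDs seen in the thread
    StartTime    = (Get-Date).AddDays(-$Days)
}

$Results = foreach ($pc in $Computers) {
    try {
        $events = Get-WinEvent -ComputerName $pc -FilterHashtable $Filter -ErrorAction Stop
    } catch {
        Write-Warning "${pc}: $($_.Exception.Message)"   # unreachable or no matching events
        continue
    }
    foreach ($e in $events) {
        # EventData is exposed as Properties; for 1508 [0] is the Error text, [1] the File
        $props  = @($e.Properties | ForEach-Object { $_.Value })
        $reason = switch ($e.Id) {
            1508 { 'registry hive failed to load' }
            1502 { 'local profile could not be loaded' }
            1515 { 'profile backed up (.bak)' }
            1511 { 'TEMPORARY profile used' }
            1505 { 'DEFAULT profile used' }
        }
        [pscustomobject]@{
            Computer = $pc
            Time     = $e.TimeCreated
            Id       = $e.Id
            Reason   = $reason
            Error    = if ($props.Count -ge 1) { ([string]$props[0]).Trim() } else { '' }
            File     = if ($props.Count -ge 2) { $props[1] } else { '' }
        }
    }
}

# Chronological order per machine makes the 1508 -> 1502 -> 1515 -> 1511 chain visible
$Results | Sort-Object Computer, Time | Format-Table -AutoSize

# Hives that were locked (not unreadable): these machines are where a process is
# still holding ntuser.dat open, so start the Process Explorer handle search there
$Results | Where-Object { $_.Id -eq 1508 -and $_.Error -like '*used by another process*' } |
    Select-Object Computer, Time, File -Unique
```

A 1508 whose Error reads "Access is denied" on C:\Users\TEMP\ntuser.dat, as in the last pair of events above, is a different failure (permissions on the fallback profile) and is listed separately by the first table.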
 
LVL 25

Assisted Solution

by:Tony Johncock
Tony Johncock earned 250 total points
ID: 41756403
How often are the affected machine(s) rebooted? Although great progress was made, it is still possible for profiles to have parts of them held open.

Also, and especially, if they reuse the account for services.

Has anyone done a disk scan to see if it has any errors? I assume it's got plenty of free space?

As to this whole "the application needs administrator rights"...no it doesn't.

Lazy programming may make it appear this way but it's simply not true. I have come across this dozens of times over the years - particularly with Citrix and Remote Desktop Services - but it is not true.

Using the admin/domain admin accounts to log on and do day-to-day work is dumb and exposes the system to all sorts of potential havoc.

Get a hold of Sysinternals' Process Monitor. Run it up, launch the application that "needs" these elevated rights and filter on its executable.

Highlight the access denied errors and release the permissions on the necessary keys and files.

Problem solved. A bit of work will protect the servers.

I cannot believe, in 2016, we still get the "application needs admin rights" excuse.

Also - why the same user account? What about accountability? Anyone can do anything either on purpose or (usually more likely) by accident and there's no way to pin down who did it.

Someone needs to take a step back, to do some thinking about how things are configured and where to go from here. It'll take work to begin with, but will lead to more stable, usable and secure systems in the longer term.
0
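The Process Monitor step above ends with a short list of paths the application was denied on. This added example (not from the thread) applies the fix it describes: it grants a dedicated domain group Modify rights on exactly those file paths and write access on those registry keys, so the users can come off local Administrators. The group name and paths are placeholders standing in for whatever Procmon actually reports.

```powershell
# Added example: scope permissions to what the application needs instead of
# running users as local administrators. All names below are placeholders.
$Group     = 'CONTOSO\App-Users'                             # placeholder group
$FilePaths = @('C:\Program Files (x86)\LegacyApp\Data')      # placeholder path(s)
$RegPaths  = @('HKLM:\SOFTWARE\Wow6432Node\LegacyApp')       # placeholder key(s)

foreach ($p in $FilePaths) {
    if (-not (Test-Path $p)) { Write-Warning "missing: $p"; continue }
    $acl  = Get-Acl -Path $p
    # Modify (read/write/delete) on the folder and everything created under it,
    # but no Full Control and no rights outside this folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $p -AclObject $acl
    Write-Host "granted Modify on $p to $Group"
}

foreach ($k in $RegPaths) {
    if (-not (Test-Path $k)) { Write-Warning "missing: $k"; continue }
    $acl  = Get-Acl -Path $k
    # ReadKey + WriteKey covers SetValue and CreateSubKey without Full Control
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Group, 'ReadKey, WriteKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $k -AclObject $acl
    Write-Host "granted ReadKey, WriteKey on $k to $Group"
}

# Re-run Process Monitor as a member of $Group afterwards; any remaining
# ACCESS DENIED lines are the next paths to add, nothing more.
```

Run this once per machine as an administrator, then remove the shared account from the local Administrators group and confirm the application still starts under a member of the new group.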
 

Author Comment

by:ServerDoc
ID: 41756519
Thanks James, and Tony... I'll go hunting with Process Explorer and see what I find. May take a few days but I'll let you know when I figure it out. You've given me a direction to look now.
0