Solved

Random user profile corruption

Posted on 2016-08-15
10
126 Views
Last Modified: 2016-08-15
I have a client that uses one (1) domain user account to login to all 16 computers on his network (holdover protocol from previous setup for simplicity purposes). We just recently upgraded to Windows Server 2012 from Server 2008 for his single network server. All clients are running Windows 7 64-bit and logging into the network using the same AD user which has Admin rights on the local computer (this is a requirement of the software they are running). Since the upgrade there have been several computers that, on occasion, will lose their local profile and come up with the default profile. This is not a predictable occurrence and has only happened to 4 or 5 client computers on a sporadic basis (once a week or so), some on more than one occasion. We've been resolving the issue with a system restore which seems to work but gets annoying and takes time to run. Would there be anyone with an idea as to why this issue occurs and what I can do to relieve the situation? Thanks for your input!
0
Comment
Question by:ServerDoc
10 Comments
 
LVL 21

Expert Comment

by:yo_bee
Are you using any Roaming Profiles features (Native to AD or Third Party like Citrix)?
0
 
LVL 8

Expert Comment

by:James Rankin
This is just a local profile on all the machines, not a roaming profile, yes?

Profile corruption (as it is) can be caused by incorrect permissions getting written to the filesystem or Registry, processes holding onto Registry keys or files, or any number of things. A good test is to see, after the user has logged out, if you can log on as a different user and delete their local profile. If you can't, something is hooked into it, and you can find what this is by using Process Monitor and checking for the target username in the folder path.
0
 

Author Comment

by:ServerDoc
No roaming profiles... All profiles are local workstation profiles.
0
 
LVL 8

Expert Comment

by:James Rankin
If you are using a roaming profile (which would be defined in AD), and the same user is logged into 16 machines simultaneously, this would definitely cause corruption (as potentially 16 user sessions try to write to the same profile area). However, as you said local, I'm discounting this possibility for now - confirmation would be good.
0
 
LVL 8

Expert Comment

by:James Rankin
OK, no roaming then :-)
0
 

Author Comment

by:ServerDoc
Confirming... No roaming profiles.
0
 

Author Comment

by:ServerDoc
Here is something to chew on... These events are recorded in the Application Event Log when starting up the affected computers. Thanks for your input!

Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:35 AM
Event ID:      1508
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      <computer_name>.<domain_name>.local
Description:
Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

 DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\<user_name>.<domain_name>\ntuser.dat
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1508</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:35.077956500Z" />
    <EventRecordID>36366</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_REGLOADKEYFAILED">
    <Data Name="Error">The process cannot access the file because it is being used by another process.
</Data>
    <Data Name="File">C:\Users\<user_name>.<domain_name>\ntuser.dat</Data>
  </EventData>
</Event>


Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:35 AM
Event ID:      1502
Task Category: None
Level:         Error
Keywords:      
User:          <domain_name>\<user_name>
Computer:      <computer_name>.<domain_name>.local
Description:
Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile.

 DETAIL - The process cannot access the file because it is being used by another process.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1502</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:35.077956500Z" />
    <EventRecordID>36367</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-21-3524821448-4228481947-2484035581-1138" />
  </System>
  <EventData>
    <Data Name="Error">The process cannot access the file because it is being used by another process.
</Data>
  </EventData>
</Event>


Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:35 AM
Event ID:      1515
Task Category: None
Level:         Error
Keywords:      
User:          <domain_name>\<user_name>
Computer:      <computer_name>.<domain_name>.local
Description:
Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1515</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:35.077956500Z" />
    <EventRecordID>36368</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-21-3524821448-4228481947-2484035581-1138" />
  </System>
  <EventData>
  </EventData>
</Event>



Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:35 AM
Event ID:      1511
Task Category: None
Level:         Error
Keywords:      
User:          <domain_name>\<user_name>
Computer:      <computer_name>.<domain_name>.local
Description:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1511</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:35.140356600Z" />
    <EventRecordID>36369</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-21-3524821448-4228481947-2484035581-1138" />
  </System>
  <EventData>
  </EventData>
</Event>


Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:36 AM
Event ID:      1508
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      <computer_name>.<domain_name>.local
Description:
Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

 DETAIL - Access is denied.
 for C:\Users\TEMP\ntuser.dat
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1508</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:36.591159100Z" />
    <EventRecordID>36373</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_REGLOADKEYFAILED">
    <Data Name="Error">Access is denied.
</Data>
    <Data Name="File">C:\Users\TEMP\ntuser.dat</Data>
  </EventData>
</Event>



Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          8/10/2016 7:06:36 AM
Event ID:      1505
Task Category: None
Level:         Error
Keywords:      
User:          <domain_name>\<user_name>
Computer:      <computer_name>.<domain_name>.local
Description:
Windows cannot load the user's profile but has logged you on with the default profile for the system.

 DETAIL - Access is denied.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1505</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-10T11:06:36.606759100Z" />
    <EventRecordID>36374</EventRecordID>
    <Correlation />
    <Execution ProcessID="1084" ThreadID="2552" />
    <Channel>Application</Channel>
    <Computer><computer_name>.<domain_name>.local</Computer>
    <Security UserID="S-1-5-21-3524821448-4228481947-2484035581-1138" />
  </System>
  <EventData>
    <Data Name="Error">Access is denied.
</Data>
  </EventData>
</Event>
0
 
LVL 8

Accepted Solution

by: James Rankin (earned 250 total points)
OK, this looks like a smoking gun

Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

 DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\<user_name>.<domain_name>\ntuser.dat


This means the Registry file for the user (ntuser.dat) is in use by something, and can't load it - hence temporary profile used.

Run Process Explorer (https://technet.microsoft.com/en-gb/sysinternals/bb896653) and see if you can find a reference to the ntuser.dat for that particular user in the Find | Find Handle or DLL function. Look for the full path to the user's ntuser.dat file in here, and see if you can find what process has it open.

Once you find that, you can then try and work out why it isn't closing...
0
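An added PowerShell example, not code from the thread or from either expert: it automates the two checks discussed above, first pulling the User Profiles Service events the author posted from each workstation and extracting the hive path and error text from the event XML, then using Sysinternals handle.exe (the command-line counterpart of the Process Explorer Find Handle search James suggests) to name the process holding ntuser.dat open. It assumes remote Application log access, handle.exe on the PATH of the affected machine, and placeholder computer names that you replace with the real ones.

```powershell
# Added example, not from the thread: lists the User Profiles Service events the
# author posted (1508, 1502, 1515, 1511, 1505) per workstation, pulling the hive
# path and error text out of the event XML, then uses Sysinternals handle.exe (the
# CLI counterpart of Process Explorer's Find Handle) to name the process holding
# ntuser.dat. Assumes remote Application log access and handle.exe on the PATH.

param(
    [string[]]$Computers = @('PC01', 'PC02'),   # placeholder names, not from the thread
    [int]$Hours = 72
)

function Get-ProfileLoadFailures {
    param([string[]]$ComputerName, [int]$LookbackHours)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        Id           = 1508, 1502, 1515, 1511, 1505
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    foreach ($pc in $ComputerName) {
        $events = Get-WinEvent -ComputerName $pc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in ($events | Sort-Object TimeCreated)) {
            # 1508 carries <Data Name="File"> and <Data Name="Error">; 1515 and 1511 carry no data
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Computer = $pc; Time = $e.TimeCreated; Id = $e.Id
                File     = $data['File']
                Error    = ($data['Error'] -replace '\s+$', '')
            }
        }
    }
}

function Find-NtuserHandle {
    # Run on the machine that is failing right now, after the shared user has logged off
    param([Parameter(Mandatory)][string]$ProfilePath)   # e.g. C:\Users\<user_name>.<domain_name>
    $hive = Join-Path $ProfilePath 'ntuser.dat'
    # handle.exe prints one line per open handle whose name contains the search string,
    # e.g. "someprocess.exe  pid: 1234  type: File  3C4: C:\Users\...\ntuser.dat"
    & handle.exe -accepteula $hive 2>$null | ForEach-Object {
        if ($_ -match '^(?<proc>\S+)\s+pid:\s*(?<pid>\d+)') {
            [pscustomobject]@{ Process = $Matches.proc; PID = [int]$Matches.pid; Line = $_ }
        }
    }
}

# A 1508 "being used by another process" followed by 1511 or 1505 on the same machine is the author's sequence
Get-ProfileLoadFailures -ComputerName $Computers -LookbackHours $Hours | Format-Table -AutoSize
```

The File column of the 1508 rows tells you which profile hive to pass to Find-NtuserHandle on the affected machine.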
 
LVL 25

Assisted Solution

by:Tony1044
Tony1044 earned 250 total points
How often is the affected machine(s) rebooted? Although great progress was made, it is still possible for profiles to have parts of them held open.

Also and especially if they reuse the account for services.

Has anyone done a disk scan to see if it has any errors? I assume it's got plenty of free space?

As to this whole "the application needs administrator rights"...no it doesn't.

Lazy programming may make it appear this way but it's simply not true. I have come across this dozens of times over the years - particularly with Citrix and Remote Desktop Services - but it is not true.

Using the admin/domain admin accounts to log on and do day-to-day work is dumb and exposes the system to all sorts of potential havoc.

Get a hold of Sysinternals' Process Monitor. Run it up, launch the application that "needs" these elevated rights and filter on its executable.

Highlight the access denied errors and release the permissions on the necessary keys and files.

Problem solved. A bit of work will protect the servers.

I cannot believe, in 2016, we still get the "application needs admin rights" excuse.

Also - why the same user account? What about accountability? Anyone can do anything either on purpose or (usually more likely) by accident and there's no way to pin down who did it.

Someone needs to take a step back, to do some thinking about how things are configured and where to go from here. It'll take work to begin with, but will lead to more stable, usable and secure systems in the longer term.
0
 

Author Comment

by:ServerDoc
Thanks James, and Tony... I'll go hunting with Process Explorer and see what I find. May take a few days but I'll let you know when I figure it out. You've given me a direction to look now.
0
