joshhough
asked on
RDS Temporary Profiles
Hi,
Got a bit of a problem with a brand new setup....
Two Server 2012 Servers, one as a Domain controller, one as a Terminal Server. Both are Dedicated servers from Fasthosts, and I've created a LAN between the two. I can ping them from each other using names just fine.
Terminal Server has the DNS pointed to the Domain Controller IP address and DNS resolves perfectly. Navigating through Windows to \\DomainController\Folder Name also works fine.
However, in RDS setup I have it configured for Virtual Disks to \\DomainController\Folder - it creates the VHD files fine, but every time any user logs on it generates a temporary profile for the user. I've tried multiple things, registry, making sure it's completely read/write happy but it's just not working :( Any thoughts?
Josh
Can you check the Event log for User Profile Service error messages? Have you configured the Terminal Services Profile user property in the domain? Also check the GPO objects used for terminal services.
ASKER
Hi,
We have some of these:
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 05/09/2016 14:57:35
Event ID: 1508
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: SK-TS1.SK.local
Description:
Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.
DETAIL - The process cannot access the file because it is being used by another process.
for C:\Users\Administrator\ntuser.dat
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1508</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2016-09-05T13:57:35.610207700Z" />
<EventRecordID>24240</EventR
However, there don't seem to be any for the actual users such as 'jh' who is set up as a user (in this case me)
Josh
OK, so go to the Group Policy snap-in and run Modeling or RSoP for user "jh" and the terminal server to find which GPOs impact this user. Also put here the info from the Active Directory Users and Computers properties of this user - Terminal Services profile. Tell me the permissions of the "c:\Users" folder.
Normally this issue (user has a temporary profile loaded) is related to permissions, or the user profile is locked by another process.
ASKER
Hi,
I've attached a Screenshot of the GPO Modeling Wizard. The Permissions of the 'C:\Users' Folder on the Terminal Server shows that users have 'Read & Execute' so I'm guessing changing this to the group 'RDSUsers' for Full Control would make a difference - or even setting it to 'Everyone' Read/Write for now to test?
Under Remote Desktop Services for the User in AD it shows blank on all profile locations etc.
Josh
GPO-Wizard.fw.png
The important thing is the permission of System, because this account is responsible for creating the folder. This must be Full Control.
Can you list the RDSUsers GPO settings, please?
If the
Check this link https://technet.microsoft.com/en-us/library/jj649075(v=ws.11).aspx and turn on the debug log. Try to log on as "jh", log off and turn logging off. Then check the event log for more detail.
And here a very similar issue is described:
https://social.technet.microsoft.com/Forums/itmanagement/en-US/68bc8da5-c7bc-403e-97e0-ba48a9cb17a2/2012-r2-rds-temporary-profile-issue?forum=winserverTS
ASKER
I've made sure System has full control, it does. I've also added 'Everyone' to full control (just to see if it's something odd) and that hasn't helped either.
Is there a way to quickly export GPO settings? What's weird is I've done things like blocking access to the PowerShell icon etc. but these settings never seem to apply despite the fact the affected user group is 'RDSUsers' and it's an enforced policy. I've since deleted the enforcement and removed RDSUsers from the group it applies to in the hope that makes a difference. Now the GPO doesn't show as applying in the modelling wizard but again still it says temporary profile.
Exporting a GPO can be done in these two ways:
In the GPO console, right-click on the GPO object and choose Backup or Save report. The second is one HTML or XML file, the first one is the complete AD structure, so Save report is better.
GPO is a great tool but sometimes it lives a life of its own. You can try adding the Authenticated Users group in Security filtering. Domain computers are also members of this group. Also, the group must have at least Read and Apply group policy permission on the GPO.
ASKER
OK, it looks great. What do you have in the Virtual desktop collection - section User Profile Disks? If you have checked "Store all users settings on the user profile disk", try temporarily changing it to "Store only - Downloads" and try to log on.
ASKER
Changing it to Downloads only doesn't work. I still get the same error and bear in mind this is obviously without GPO having any effect at the moment as I have disabled it for now.
And if you uncheck enable user profile disk, still temporary folders?
ASKER
That's right, sadly.
Check this registry - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and if there are profiles directed to the temporary profile folder
delete them and try to logon
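A read-only way to carry out the ProfileList check suggested above, added here as an example and not part of the original thread. It assumes the common naming where a temporary profile maps to a folder called TEMP (or TEMP.<domain>) or leaves a key with a .bak suffix; the function name Get-ProfileListEntry is hypothetical.

```powershell
# Added example: audit ProfileList on the terminal server (run elevated).
# It only reads the registry; nothing is deleted or modified.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListEntry {
    Get-ChildItem -Path $profileList | ForEach-Object {
        $keyName = $_.PSChildName
        $path    = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        $sid     = $keyName -replace '\.bak$', ''

        # Resolve the SID to an account name; orphaned or malformed SIDs throw.
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'
        }

        # Assumption: temporary profiles use a folder leaf of TEMP or TEMP.<suffix>.
        $leaf = if ($path) { Split-Path -Path $path -Leaf } else { '' }

        [pscustomobject]@{
            Key              = $keyName
            Account          = $account
            ProfileImagePath = $path
            IsBackupKey      = $keyName -like '*.bak'
            LooksTemporary   = $leaf -match '^TEMP(\.|$)'
            FolderExists     = [bool]($path -and (Test-Path -LiteralPath $path))
        }
    }
}

# Show only the entries worth a closer look before anything is removed by hand.
Get-ProfileListEntry |
    Where-Object { $_.IsBackupKey -or $_.LooksTemporary -or -not $_.FolderExists } |
    Format-Table -AutoSize
```

An empty result matches what the asker reports next: no entries on the terminal server point at a temporary folder.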
ASKER
So this is on the TS as opposed to the DC right? On the Terminal Server there are no users directed to the Temporary folder or any that even resemble temporary.
ASKER
I have now rebuilt the terminal server, and I still now get the Temporary Profile issue again, it's infuriating and just doesn't make any sense as it is even creating the UVHD files!
Josh
ASKER
It transpired that the issue was to do with the users being part of a security group I had created. Microsoft Break Fix troubleshooting found the issue.