• Status: Solved

RDS Temporary Profiles

Hi,

Got a bit of a problem with a brand new setup....

Two Server 2012 Servers, one as a Domain controller, one as a Terminal Server. Both are Dedicated servers from Fasthosts, and I've created a LAN between the two. I can ping them from each other using names just fine.

Terminal Server has the DNS pointed to the Domain Controller IP address and dns resolves perfectly. Navigating through windows to \\DomainController\Folder Name also works fine.

However, in RDS setup I have it configured for Virtual Disks to \\DomainController\Folder - it creates the VHD files fine, but every time any user logs on it generates a temporary profile for the user. I've tried multiple things, registry, making sure it's completely read/write happy, but it's just not working :( Any thoughts?

Josh
 
Tomas Valenta (IT Manager) commented:
Can you check the Event log for User Profile Service for error messages? Do you have the Terminal Services Profile user property configured in the domain? Also check the GPO objects used for terminal services.
 
joshhough (Author) commented:
Hi,

We have some of these:
Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          05/09/2016 14:57:35
Event ID:      1508
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      SK-TS1.SK.local
Description:
Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\Administrator\ntuser.dat
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1508</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-09-05T13:57:35.610207700Z" />
    <EventRecordID>24240</EventR




However, there don't seem to be any for the actual users such as 'jh', who is set up as a user (in this case me).

Josh
 
Tomas Valenta (IT Manager) commented:
OK, so go to the Group Policy snap-in and run Modeling or RSoP for user "jh" and the terminal server to find what GPOs impact this user. Also put here the info from the Active Directory Users and Computers properties of this user - Terminal Services profile. Tell me the permissions of the "c:\Users" folder.
Normally this issue (user has a temporary profile loaded) is related to permissions, or the user profile is locked by another process.
 
joshhough (Author) commented:
Hi,

I've attached a screenshot of the GPO Modeling Wizard. The permissions of the 'C:\Users' folder on the Terminal Server show that users have 'Read & Execute', so I'm guessing changing this to the group 'RDSUsers' for Full Control would make a difference - or even setting it to 'Everyone' Read/Write for now to test?

Under Remote Desktop Services for the User in AD it shows blank on all profile locations etc.

Josh
GPO-Wizard.fw.png
 
Tomas Valenta (IT Manager) commented:
The important thing is the permission of System, because this account is responsible for creating the folder. This must be full control.
Can you list the RDSUsers GPO settings, please?
If the
Check this link https://technet.microsoft.com/en-us/library/jj649075(v=ws.11).aspx and turn on the debug log. Try to log on as "jh", log off and turn logging off. Then check the event log for more detail.

And here a very similar issue is described:
https://social.technet.microsoft.com/Forums/itmanagement/en-US/68bc8da5-c7bc-403e-97e0-ba48a9cb17a2/2012-r2-rds-temporary-profile-issue?forum=winserverTS
 
joshhough (Author) commented:
I've made sure System has full control, it does. I've also added 'Everyone' to full control (just to see if it's something odd) and that hasn't helped either.

Is there a way to quickly export GPO settings? What's weird is I've done things like blocking access to the PowerShell icon etc., but these settings never seem to apply despite the fact the affected user group is 'RDSUsers' and it's an enforced policy. I've since deleted the enforcement and removed RDSUsers from the group it applies to in the hope that makes a difference. Now the GPO doesn't show as applying in the modelling wizard, but again it still says temporary profile.
 
Tomas Valenta (IT Manager) commented:
Exporting a GPO can be done in these two ways:
in the GPO console, right-click on the GPO object and choose Backup or Save report. The second is one HTML or XML file, the first one is the complete AD structure, so Save report is better.
GPO is a great tool, but sometimes it lives its own life. You can try to add the Authenticated Users group in Security Filtering. Domain computers are also members of this group. Also, the group must have at a minimum Read and Apply group policy permission on the GPO.
 
joshhough (Author) commented:
I've attached the GPO I set - what are your thoughts?

Josh
RDSUsers-GPO.htm
 
Tomas Valenta (IT Manager) commented:
OK, it looks great. What do you have in the Virtual desktop collection - section User Profile Disks? If you have checked "Store all users settings on the user profile disk", try to temporarily change it to "Store only - Downloads" and try to log on.
 
joshhough (Author) commented:
Changing it to Downloads only doesn't work. I still get the same error, and bear in mind this is obviously without GPO having any effect at the moment as I have disabled it for now.
 
Tomas Valenta (IT Manager) commented:
And if you uncheck enable user profile disk, still temporary folders?
 
joshhough (Author) commented:
That's right, sadly.
 
Tomas Valenta (IT Manager) commented:
Check this registry key - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList - and if there are profiles directed to the temporary profile folder, delete them and try to log on.
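
The two checks suggested in this thread, the User Profile Service error events and the ProfileList registry key, sketched in PowerShell as an added example that is not part of any poster's reply. The function names are hypothetical, the SIDs in the sample are constructed placeholders, and treating a ".bak" key suffix or a "TEMP" folder name as the sign of a temporary profile is an assumption based on commonly reported symptoms.

```powershell
# Added example (not from the thread). Run elevated on the RD Session Host.
$ProfileListKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$ProfileProvider = 'Microsoft-Windows-User Profiles Service'   # provider name from the event posted above

function Get-ProfileListEntry {
    # One object per SID subkey, with the profile folder it maps to.
    Get-ChildItem -Path $ProfileListKey | ForEach-Object {
        [pscustomobject]@{
            Sid  = $_.PSChildName
            Path = [string]$_.GetValue('ProfileImagePath')
        }
    }
}

function Find-SuspectProfileEntry {
    # Assumption: a ".bak" SID key or a TEMP / TEMP.<domain> folder marks a temporary-profile leftover.
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        $reasons = @()
        if ($Entry.Sid -like '*.bak') { $reasons += 'SID key renamed to .bak' }
        if ($Entry.Path -match '\\TEMP(\.[^\\]*)?$') { $reasons += 'path is a TEMP profile folder' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Sid = $Entry.Sid; Path = $Entry.Path; Reason = $reasons -join '; ' }
        }
    }
}

function Get-ProfileServiceError {
    # Error-level (Level 2) events from the User Profile Service in the last $Hours hours.
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'Application'
        ProviderName = $ProfileProvider
        Level        = 2
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } }
}

# Constructed sample entries (placeholder SIDs) so the check can be tried offline.
$sample = @(
    [pscustomobject]@{ Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1104';     Path = 'C:\Users\jh' }
    [pscustomobject]@{ Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105.bak'; Path = 'C:\Users\TEMP' }
)
$sample | Find-SuspectProfileEntry   # flags only the second entry

# On the live server:
#   Get-ProfileListEntry | Find-SuspectProfileEntry
#   Get-ProfileServiceError -Hours 4
```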
 
joshhough (Author) commented:
So this is on the TS as opposed to the DC right? On the Terminal Server there are no users directed to the Temporary folder or any that even resemble temporary.
 
joshhough (Author) commented:
I have now rebuilt the terminal server, and I still get the Temporary Profile issue again. It's infuriating and just doesn't make any sense, as it is even creating the UVHD files!

Josh
 
Tomas Valenta (IT Manager) commented:
Can you check the permissions on the share \\DomainController\Folder and also the permissions on the file system, please? Especially the effective permissions on the vhd file. Also, you can turn on file auditing on Folder for unsuccessful attempts and maybe we can catch it.
 
joshhough (Author) commented:
So I got Microsoft Break-Fix troubleshooting on the case as I didn't have the time to go through everything. It transpired that there was something not quite right with the Security Group I had created, 'RDSUsers', as even after reinstalling the terminal server it didn't work.

By removing users from this group, suddenly it did. What caused it, no idea, Microsoft didn't investigate that to tell me. Possible permission issues or maybe an issue with the User Profile Service, not sure. But at least it's working now!

Josh
 
joshhough (Author) commented:
It transpired that the issue was to do with the users being part of a security group I had created. Microsoft Break Fix troubleshooting found the issue.