joshhough asked:

RDS Temporary Profiles

Hi,

Got a bit of a problem with a brand new setup....

Two Server 2012 Servers, one as a Domain controller, one as a Terminal Server. Both are Dedicated servers from Fasthosts, and I've created a LAN between the two. I can ping them from each other using names just fine.

Terminal Server has the DNS pointed to the Domain Controller IP address and DNS resolves perfectly. Navigating through Windows to \\DomainController\Folder Name also works fine.

However, in RDS setup I have it configured for Virtual Disks to \\DomainController\Folder - it creates the VHD files fine, but every time any user logs on it generates a temporary profile for the user. I've tried multiple things, registry, making sure it's completely read/write happy, but it's just not working :( Any thoughts?

Josh
Tomas Valenta

Can you check the Event log for User Profile Service for error messages? Have you configured the Terminal Services Profile user property in the domain? Also check the GPO objects used for terminal services.
joshhough (ASKER)

Hi,

We have some of these:
Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          05/09/2016 14:57:35
Event ID:      1508
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      SK-TS1.SK.local
Description:
Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\Administrator\ntuser.dat
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1508</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-09-05T13:57:35.610207700Z" />
    <EventRecordID>24240</EventR




However, there don't seem to be any for the actual users such as 'jh', who is set up as a user (in this case me).

Josh
OK, so go to the Group Policy snap-in and run Modeling or RSoP for user "jh" and the terminal server to find which GPOs impact this user. Also post here the info from the Active Directory Users and Computers properties of this user - Terminal Services profile. Tell me the permissions of the "c:\Users" folder.
Normally this issue (user has a temporary profile loaded) is related to permissions, or the user profile is locked by another process.
Hi,

I've attached a Screenshot of the GPO Modeling Wizard. The Permissions of the 'C:\Users' Folder on the Terminal Server shows that users have 'Read & Execute', so I'm guessing changing this to the group 'RDSUsers' for Full Control would make a difference - or even setting it to 'Everyone' Read/Write for now to test?

Under Remote Desktop Services for the User in AD it shows blank on all profile locations etc.

Josh
GPO-Wizard.fw.png
The important thing is the permission of System, because this account is responsible for creating the folder. This must be Full Control.
Can you list the RDSUsers GPO settings, please?
If the
Check this link https://technet.microsoft.com/en-us/library/jj649075(v=ws.11).aspx and turn on the debug log. Try to log on as "jh", log off and turn logging off. Then check the event log for more detail.

And here a very similar issue is described:
https://social.technet.microsoft.com/Forums/itmanagement/en-US/68bc8da5-c7bc-403e-97e0-ba48a9cb17a2/2012-r2-rds-temporary-profile-issue?forum=winserverTS
I've made sure System has full control, it does. I've also added 'Everyone' to full control (just to see if it's something odd) and that hasn't helped either.

Is there a way to quickly export GPO settings? What's weird is I've done things like blocking access to the PowerShell icon etc., but these settings never seem to apply despite the fact the affected user group is 'RDSUsers' and it's an enforced policy. I've since deleted the enforcement and removed RDSUsers from the group it applies to in the hope that makes a difference. Now the GPO doesn't show as applying in the modelling wizard, but again it still says temporary profile.
Exporting a GPO can be done in these two ways: in the GPO console, right-click the GPO object and choose Backup or Save report. The second is one HTML or XML file; the first one is the complete AD structure, so Save report is better.
GPO is a great tool, but sometimes it lives a life of its own. You can try adding the Authenticated Users group in Security filtering. Domain computers are also members of this group. Also, the group must have at minimum Read and Apply group policy permissions on the GPO.
I've attached the GPO I set - what are your thoughts?

Josh
RDSUsers-GPO.htm
OK, it looks great. What do you have in the Virtual desktop collection, section User Profile Disks? If you have checked "Store all users settings on the user profile disk", try to temporarily change it to "Store only - Downloads" and try to log on.
Changing it to Downloads only doesn't work. I still get the same error, and bear in mind this is obviously without GPO having any effect at the moment, as I have disabled it for now.
And if you uncheck enable user profile disk, still temporary folders?
That's right, sadly.
Check this registry key - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList - and if there are profiles directed to the temporary profile folder, delete them and try to log on.
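
The checks suggested so far in this thread (ProfileList entries, User Profile Service errors, permissions on C:\Users) gathered into one PowerShell script. This is an added example, not part of the original posts; it assumes an elevated session on the terminal server, and the `.bak`/`TEMP` heuristics and the 24-hour window are assumptions.

```powershell
# Added example (not from the thread). Run elevated on the terminal server.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# 1. List every SID-to-profile mapping and flag the usual signs of a temporary
#    profile: a SID key renamed to *.bak, or a path that points at a TEMP folder.
Get-ChildItem -Path $profileList | ForEach-Object {
    $props   = Get-ItemProperty -Path $_.PSPath
    $sid     = $_.PSChildName
    $account = '<unresolved>'
    try {
        # Resolve the SID (without any .bak suffix) to DOMAIN\user where possible.
        $raw     = $sid -replace '\.bak$', ''
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($raw)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Orphaned or malformed SID: keep the '<unresolved>' marker.
    }
    [pscustomobject]@{
        Account     = $account
        Sid         = $sid
        ProfilePath = $props.ProfileImagePath
        Suspect     = ($sid -like '*.bak') -or
                      ($props.ProfileImagePath -match '\\TEMP(\.|$)')
    }
} | Format-Table -AutoSize

# 2. Errors and warnings from the User Profile Service in the last 24 hours
#    (the source that logged Event ID 1508 earlier in the thread).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-User Profiles Service'
    Level        = 2, 3
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. Effective ACL on the profile root; SYSTEM needs Full Control here
#    because that account creates the profile folders.
(Get-Acl -Path 'C:\Users').Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run it once right after a failed logon by the affected user, so the event window and the ProfileList state reflect that attempt.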
So this is on the TS as opposed to the DC right? On the Terminal Server there are no users directed to the Temporary folder or any that even resemble temporary.
I have now rebuilt the terminal server, and I still now get the Temporary Profile issue again, it's infuriating and just doesn't make any sense as it is even creating the UVHD files!

Josh
It transpired that the issue was to do with the users being part of a security group I had created. Microsoft Break Fix troubleshooting found the issue.