Solved

RDS Temporary Profiles

Posted on 2016-09-05
Last Modified: 2016-09-13
Hi,

Got a bit of a problem with a brand new setup....

Two Server 2012 servers, one as a Domain Controller, one as a Terminal Server. Both are dedicated servers from Fasthosts, and I've created a LAN between the two. I can ping them from each other using names just fine.

Terminal Server has the DNS pointed to the Domain Controller IP address and DNS resolves perfectly. Navigating through Windows to \\DomainController\Folder Name also works fine.

However, in RDS setup I have it configured for Virtual Disks to \\DomainController\Folder - it creates the VHD files fine, but every time any user logs on it generates a temporary profile for the user. I've tried multiple things, registry, making sure it's completely read/write happy but it's just not working :( Any thoughts?

Josh
0
Comment
Question by:joshhough
18 Comments
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 41784763
Can you check the Event log for User Profile Service for error messages? Have you configured the Terminal Services Profile user property in the domain? Also check the GPO objects used for terminal services.
0
 
LVL 1

Author Comment

by:joshhough
ID: 41784782
Hi,

We have some of these:
Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          05/09/2016 14:57:35
Event ID:      1508
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      SK-TS1.SK.local
Description:
Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\Administrator\ntuser.dat
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1508</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-09-05T13:57:35.610207700Z" />
    <EventRecordID>24240</EventR




However, there don't seem to be any for the actual users such as 'jh', who is set up as a user (in this case me).

Josh
0
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 41784807
OK, so go to the Group Policy snap-in and run Modeling or RSoP for user "jh" and the terminal server to find which GPOs impact this user. Also post here the info from the Active Directory Users and Computers properties of this user - Terminal Services profile. Tell me the permissions of the "c:\Users" folder.
Normally this issue (user has a temporary profile loaded) is related to permissions or the user profile being locked by another process.
0
 
LVL 1

Author Comment

by:joshhough
ID: 41784879
Hi,

I've attached a screenshot of the GPO Modeling Wizard. The permissions of the 'C:\Users' folder on the Terminal Server show that users have 'Read & Execute', so I'm guessing changing this to the group 'RDSUsers' for Full Control would make a difference - or even setting it to 'Everyone' Read/Write for now to test?

Under Remote Desktop Services for the user in AD it shows blank on all profile locations etc.

Josh
GPO-Wizard.fw.png
0
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 41784916
The important thing is the permission of System, because this account is responsible for creating the folder. This must be Full Control.
Can you list the RDSUsers GPO settings, please?
If the
Check this link https://technet.microsoft.com/en-us/library/jj649075(v=ws.11).aspx and turn on the debug log. Try to log on as "jh", log off and turn logging off. Then check the event log for more detail.

And a very similar issue is described here:
https://social.technet.microsoft.com/Forums/itmanagement/en-US/68bc8da5-c7bc-403e-97e0-ba48a9cb17a2/2012-r2-rds-temporary-profile-issue?forum=winserverTS
0
 
LVL 1

Author Comment

by:joshhough
ID: 41785695
I've made sure System has full control, it does. I've also added 'Everyone' to full control (just to see if it's something odd) and that hasn't helped either.

Is there a way to quickly export GPO settings? What's weird is I've done things like blocking access to the PowerShell icon etc. but these settings never seem to apply despite the fact the affected user group is 'RDSUsers' and it's an enforced policy. I've since deleted the enforcement and removed RDSUsers from the group it applies to in the hope that makes a difference. Now the GPO doesn't show as applying in the modelling wizard but again it still says temporary profile.
0
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 41785744
Exporting a GPO can be done in these two ways:
in the GPO console, right-click on the GPO object and choose Backup or Save report. The second is one HTML or XML file, the first one is the complete AD structure, so Save report is better.
GPO is a great tool but sometimes it has a life of its own. You can try to add the Authenticated Users group in Security Filtering. Domain computers are also members of this group. Also, the group must have at minimum the Read and Apply group policy permissions on the GPO.
0
 
LVL 1

Author Comment

by:joshhough
ID: 41785852
I've attached the GPO I set - what are your thoughts?

Josh
RDSUsers-GPO.htm
0
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 41785901
OK, it looks great. What do you have in Virtual desktop collection - section User Profile Disks? If you have checked "Store all users settings on the user profile disk", try to temporarily change it to "Store only - Downloads" and try to log on.
0

 
LVL 1

Author Comment

by:joshhough
ID: 41785920
Changing it to Downloads only doesn't work. I still get the same error, and bear in mind this is obviously without GPO having any effect at the moment as I have disabled it for now.
0
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 41785937
And if you uncheck enable user profile disk, still temporary folders?
0
 
LVL 1

Author Comment

by:joshhough
ID: 41786019
That's right, sadly.
0
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 41786030
Check this registry key - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList - and if there are profiles directed to the temporary profile folder, delete them and try to log on.
0
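The ProfileList and event log checks suggested in this thread can be gathered in one read-only pass on the terminal server. This is an added example, not code posted by anyone in the thread; it assumes an elevated PowerShell session, and its tests for a `.bak` key suffix and a `TEMP` folder name are this example's assumptions about how a temporary-profile entry appears.

```powershell
# Added example: read-only triage for temporary-profile logons.
# Run elevated on the terminal server; nothing is modified or deleted.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$profiles = foreach ($key in Get-ChildItem -Path $profileList) {
    $sidText = $key.PSChildName
    $path    = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
    if (-not $path) { continue }   # skip keys without a profile path

    # Resolve the SID to an account name; orphaned SIDs fail to translate.
    $account = try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier `
            -ArgumentList ($sidText -replace '\.bak$', '')
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { '<unresolved>' }

    [pscustomobject]@{
        Account     = $account
        Sid         = $sidText
        ProfilePath = $path
        IsBakKey    = $sidText -like '*.bak'                       # assumption: backup key marker
        IsTempPath  = (Split-Path -Path $path -Leaf) -match '^TEMP(\.|$)'  # assumption: temp folder name
        PathExists  = Test-Path -LiteralPath $path
    }
}

# Entries worth a closer look: backup keys, TEMP paths, or paths missing on disk.
$profiles |
    Where-Object { $_.IsBakKey -or $_.IsTempPath -or -not $_.PathExists } |
    Format-Table -AutoSize

# Errors and warnings from the User Profile Service in the last 24 hours
# (same log and provider as the Event ID 1508 entry quoted earlier in the thread).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-User Profiles Service'
    Level        = 2, 3
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$events |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

Matching the `TimeCreated` values against a test logon by the affected user shows whether the profile service logged a failure for that account or only for others.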
 
LVL 1

Author Comment

by:joshhough
ID: 41786037
So this is on the TS as opposed to the DC right? On the Terminal Server there are no users directed to the Temporary folder or any that even resemble temporary.
0
 
LVL 1

Author Comment

by:joshhough
ID: 41787531
I have now rebuilt the terminal server, and I still get the Temporary Profile issue again, it's infuriating and just doesn't make any sense as it is even creating the UVHD files!

Josh
0
 
LVL 9

Assisted Solution

by:Tomas Valenta
Tomas Valenta earned 500 total points
ID: 41787861
Can you check the permissions on the share \\DomainController\Folder and also the permissions on the file system, please? Especially the effective permissions on the VHD file. Also, you can turn on file auditing on Folder for unsuccessful attempts and maybe we can catch it.
0
 
LVL 1

Accepted Solution

by:
joshhough earned 0 total points
ID: 41789949
So I got Microsoft Break-Fix troubleshooting on the case as I didn't have the time to go through everything. It transpired that there was something not quite right with the Security Group I had created, 'RDSUsers', as even after reinstalling the terminal server it didn't work.

By removing users from this group, suddenly it did. What caused it, no idea, Microsoft didn't investigate that to tell me. Possibly permission issues or maybe an issue with the User Profile Service, not sure. But at least it's working now!

Josh
0
 
LVL 1

Author Closing Comment

by:joshhough
ID: 41795701
It transpired that the issue was to do with the users being part of a security group I had created. Microsoft Break Fix troubleshooting found the issue.
0
