
New Users Cannot Create Roaming Profile Folder

Last Modified: 2017-03-07
2016/12/18 malware hits customer network and destroys tons of data and multiple servers – including one domain controller and all of the group policies.

2016/12/18 – 2016/27 I restore or rebuild from scratch multiple servers, restore user data, domain controller, GPOs, etc.

2017/01/03 – Customer is hit again with a new strain of similar malware; although updated antivirus had been installed, a user with elevated privileges removed it.

2017/01/04 – 2017/01/08 I again rebuild servers and GPOs, restore data, and set up NetLogon debugging, as well as file/folder auditing.

• No more outbreaks


Pre-existing users who have been configured to connect to their roaming profiles continue to do so.

Any new user created cannot populate new roaming user profiles on existing roaming profile share. All new users get the common “User profile cannot be loaded”.
 

I have duplicated the same AD / file server / security group / user account relationship in my lab and it works perfectly – in fact difficult to break.

I have followed exactly these articles:
https://technet.microsoft.com/en-us/library/jj649079(v=ws.11).aspx
http://www.mcbsys.com/blog/2010/10/reset-roaming-profile-and-folder-redirection-permissions/
http://jeffgraves.me/2013/
http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/

All new users are in exactly the same security groups as the pre-existing users. All new users attempt to connect/create roaming user profiles within the same file server / folder.

To isolate, I moved to brand new workstations, brand new file server, brand new accounts – to rule out anything corrupt on the previous objects. Same exact results.
The new builds were fresh ISO builds, not templates.

I have run packet captures in my lab (where roaming profiles work) and 2 on customer network (one where pre-existing users succeed, one where new users fail) and compared them. The successful logons look identical except for a DFS query (DFS is not running so this is curious). The failed logons don’t even appear to try to create the roaming profile folder:

Some of the test workstations were physical machines, some were virtual machines – but I made sure to use new builds of both.
Servers have to be virtual for now.

Checked VMware guest tools, VMware guest versions, NIC types and drivers, etc. All are legit.

Of note: the same users that fail the roaming profile logon can log on (without roaming) and map a drive to the _EXACT_ location of where their roaming profiles _should_ be. So permissions don’t seem to be an issue.
I’ve turned up debugging and auditing and the only profile related errors are:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          3/6/2017 4:02:51 PM
Event ID:      6004
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      winr2stg.domain.local
Description:
The winlogon notification subscriber <Profiles> failed a critical notification event.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
    <EventID Qualifiers="32768">6004</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-03-07T00:02:51.000000000Z" />
    <EventRecordID>1476</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>winr2stg.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Profiles</Data>
    <Binary>F4010000</Binary>
  </EventData>
</Event>


Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          3/6/2017 4:02:51 PM
Event ID:      1520
Task Category: None
Level:         Error
Keywords:      
User:          domain\pac.man
Computer:      winr2stg.domain.local
Description:
Windows cannot log you on because your roaming mandatory profile is not available. This error may be caused by incorrect file system permissions or network problems.

DETAIL - The system cannot find the file specified.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1520</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-03-07T00:02:51.817433400Z" />
    <EventRecordID>1477</EventRecordID>
    <Correlation />
    <Execution ProcessID="788" ThreadID="1328" />
    <Channel>Application</Channel>
    <Computer>winr2stg.domain.local</Computer>
    <Security UserID="S-1-5-21-2901645698-1785784430-4210207855-17122" />
  </System>
  <EventData>
    <Data Name="Error">The system cannot find the file specified.
</Data>
  </EventData>
</Event>


Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          3/6/2017 4:02:51 PM
Event ID:      1500
Task Category: None
Level:         Error
Keywords:      
User:          domain\pac.man
Computer:      winr2stg.domain.local
Description:
Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.

DETAIL - The system cannot find the file specified.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1500</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-03-07T00:02:51.817433400Z" />
    <EventRecordID>1478</EventRecordID>
    <Correlation />
    <Execution ProcessID="788" ThreadID="1328" />
    <Channel>Application</Channel>
    <Computer>winr2stg.domain.local</Computer>
    <Security UserID="S-1-5-21-2901645698-1785784430-4210207855-17122" />
  </System>
  <EventData>
    <Data Name="Error">The system cannot find the file specified.
</Data>
  </EventData>
</Event>


Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          3/6/2017 4:02:59 PM
Event ID:      6001
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      winr2stg.domain.local
Description:
The winlogon notification subscriber <Sens> failed a notification event.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
    <EventID Qualifiers="32768">6001</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-03-07T00:02:59.000000000Z" />
    <EventRecordID>1479</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>winr2stg.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Sens</Data>
    <Binary>F0030000</Binary>
  </EventData>
</Event>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I also had other IT staff double-check my work and they agree it aligns with best practice.

I’ve done this many times in the past and never had this kind of issue before.

There are no mandatory profiles, and never were.

I have created several test servers without any form of antivirus and the results are the same.

I turned on debugging per this article:
https://technet.microsoft.com/en-us/library/jj649075%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396#Events_Step3Enablingandviewinganalyticanddebuglogs
...and it managed to log almost nothing at all.

Thanks in advance for anyone’s insight,
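
The events quoted in the question can be triaged offline from their Event Xml. The following is an added example, not part of the original post: it orders the events by `SystemTime` and decodes the `<Binary>` payload of the Winlogon events, assuming that payload is a little-endian Win32 error DWORD. The function names and the trimmed sample records are constructed for illustration.

```python
import struct
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Win32 error names from winerror.h for the codes seen in these events.
WIN32 = {500: "ERROR_USER_PROFILE_LOAD", 1008: "ERROR_NO_TOKEN"}
HDR = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'

# Constructed sample: trimmed copies of three events quoted in the question,
# deliberately listed out of order.
SAMPLE_EVENTS = [
    HDR + '<System><EventID>1520</EventID>'
    '<TimeCreated SystemTime="2017-03-07T00:02:51.817433400Z" /></System>'
    '<EventData><Data Name="Error">The system cannot find the file specified.\n'
    '</Data></EventData></Event>',
    HDR + '<System><EventID Qualifiers="32768">6001</EventID>'
    '<TimeCreated SystemTime="2017-03-07T00:02:59.000000000Z" /></System>'
    '<EventData><Data>Sens</Data><Binary>F0030000</Binary></EventData></Event>',
    HDR + '<System><EventID Qualifiers="32768">6004</EventID>'
    '<TimeCreated SystemTime="2017-03-07T00:02:51.000000000Z" /></System>'
    '<EventData><Data>Profiles</Data><Binary>F4010000</Binary></EventData></Event>',
]

def decode_status(hex_text):
    """Decode a 4-byte <Binary> payload as a little-endian DWORD (assumption)."""
    raw = bytes.fromhex(hex_text.strip())
    return struct.unpack("<I", raw)[0] if len(raw) == 4 else None

def triage(event_xml):
    """Extract the fields needed to correlate one exported event record."""
    root = ET.fromstring(event_xml)
    binary = root.findtext("e:EventData/e:Binary", namespaces=NS)
    status = decode_status(binary) if binary else None
    return {
        "id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "data": [d.text.strip() for d in root.iterfind("e:EventData/e:Data", NS) if d.text],
        "status": status,
        "name": WIN32.get(status),
    }

def timeline(events):
    """Return triaged records ordered by SystemTime (same UTC format sorts as text)."""
    return sorted((triage(e) for e in events), key=lambda r: r["time"])

if __name__ == "__main__":
    for r in timeline(SAMPLE_EVENTS):
        print(r["time"], r["id"], r["data"], r["status"], r["name"])
```

Under that assumption, `F4010000` decodes to 500 and `F0030000` to 1008, so the Winlogon warnings carry the same profile-load failure that events 1520 and 1500 report in text.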

Author

Commented:
Found my own answer.
