How Do I troubleshoot Windows User Profile Issues?
There are three primary types of user profile available in Windows 2003/XP/2000.
- Local User Profile. Created the first time that a user interactively logs on to a machine, the local user profile is stored on the local disk. Any changes made to the local user profile are specific to the computer on which the changes are made.
- Roaming User Profile. A copy of the local profile is copied to, and stored on a server share. This profile is downloaded every time that a user logs on to any computer on the network, and any changes made to a roaming user profile are synchronized with the server copy upon logoff.
- Mandatory User Profile. A type of profile that administrators can use to specify particular settings for users. Only system administrators can make changes to mandatory user profiles. Changes made by the user to desktop settings are lost when the user logs off.
-Contents of a Profile
A user profile consists of:
- A registry hive. The registry hive is NTuser.dat in file form, and is loaded by the user profile component at logon, and mapped to HKEY_CURRENT_USER by the registry. The user hive maintains the user’s registry based preferences and configuration. Settings stored in the registry are owned by individual components; the profile code does not monitor or control access to any configuration contained in the user’s registry.
The following executables and binaries are used by user profiles and shipped with the OS, all located in %SystemRoot%\system32:
- Userenv.dll
- Proquota.exe
- Profmap.dll
- Sysdm.cpl
The Logon Process
-Local Profile (New User)
1. The user logs on.
2. The operating system checks the list of user profiles located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to determine if a local profile exists for the user.
3. Because this is a new user, no local profile is found. If the computer is part of a domain, the operating system checks if a domain wide default profile exists in a folder named Default User on the domain controller’s NETLOGON share.
o If a domain wide profile exists, it is copied to a subfolder on the local computer with the username under %SYSTEMDRIVE%\Documents and Settings\. For example, a new user with the username JDoe would have a profile created in %SYSTEMDRIVE%\Documents and Settings\JDoe.
o If a default domain profile does not exist, then the local default profile is copied from the %Systemdrive%\Documents and Settings\Default User folder to a subfolder on the local computer with a username under %Systemdrive%\Documents and Settings\.
4. If the computer is not part of a domain, the local default profile is copied from the %Systemdrive%\Documents and Settings\Default User folder to a subfolder on the local computer with a username under %Systemdrive%\Documents and Settings\.
5. The user’s registry hive (NTUSER.DAT) is mapped to the HKEY_CURRENT_USER portion of the registry.
6. The user’s %userprofile% environment variable is updated with the value of the local profile folder.
7. When the user logs off, a profile is saved to the local hard disk of the computer.
-Local Profile (Existing User)
1. The user logs on.
2. Windows checks the list of user profiles located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to get the path to the user’s profile.
3. The user’s registry hive (NTUSER.DAT) is mapped to the HKEY_CURRENT_USER portion of the registry.
4. The user’s %userprofile% environment variable is updated with the value of the local profile folder.
5. When the user logs off, the profile is saved to the local hard disk of the computer.
-Roaming Profile (New User)
1. The user logs on.
2. The path to the user’s roaming profile is retrieved from the user object on the Domain Controller.
3. Windows checks to see if a profile exists in the roaming path; if no profile exists, a folder is created.
4. Windows checks the list of user profiles located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to determine if a cached copy of the profile exists. If a local copy of the profile is not found, and the computer is part of a domain, Windows checks to determine if a domain wide default profile exists in the Default User folder on the domain controller’s NETLOGON share.
o If a domain wide profile exists, it is copied to a subfolder on the local computer with their username under %Systemdrive%\Documents and Settings\.
o If a default domain profile does not exist, then the local default profile is copied from the %Systemdrive%\Documents and Settings\Default User folder to a subfolder on the local computer with their username under %Systemdrive%\Documents and Settings\.
5. The user’s registry hive (NTUSER.DAT) is mapped to the HKEY_CURRENT_USER portion of the registry.
6. The user’s %userprofile% environment variable is updated with the value of the local profile folder.
7. The user can then run applications and edit documents as normal. When the user logs off, their local profile is copied to the path configured by the administrator. If a profile already exists on the server, the local profile is merged with the server copy (see merge algorithm later in this document for more details).
-Roaming Profile (Existing User)
1. The user logs on.
2. The path to the user’s roaming profile is retrieved from the user object on the Domain Controller.
3. Windows checks to see if a profile exists in the roaming path; if no profile exists, a folder is created.
4. Windows checks the list of user profiles located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to get the path to the user’s cached profile if it exists.
5. The contents of the local cached profile are compared with the copy of the profile on the server, and the two profiles are merged. (See the new merge algorithm later in this paper for more details).
6. The user’s registry hive (NTUSER.DAT) is mapped to the HKEY_CURRENT_USER portion of the registry.
7. The user’s %userprofile% environment variable is updated with the value of the local profile folder.
8. The user can then run applications and edit documents as normal. When the user logs off, the local profile is copied to the path configured by the administrator. If a profile already exists on the server, the local profile is merged with the server copy.
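Every logon sequence above starts with a lookup under ProfileList, so that key is the first thing to inspect when a profile does not load. The following PowerShell is an added example, not part of the original article; it assumes PowerShell 2.0 or later is installed and reports, per entry, whether the profile folder and NTUSER.DAT exist and whether the folder carries a duplicate suffix such as username.000.

```powershell
# Added example (not from the original article): audit the local profile
# entries that Windows consults at logon.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListAudit {
    Get-ChildItem -Path $profileListKey | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath

        # Resolve the SID to an account name; deleted accounts do not resolve.
        $account = '<unresolved>'
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        $folderExists = $false
        $hiveExists   = $false
        $duplicate    = $false
        if ($path) {
            # ProfileImagePath may contain variables such as %SystemDrive%.
            $path         = [Environment]::ExpandEnvironmentVariables($path)
            $hive         = [System.IO.Path]::Combine($path, 'NTUSER.DAT')
            $folderExists = Test-Path -LiteralPath $path -PathType Container
            $hiveExists   = Test-Path -LiteralPath $hive -PathType Leaf
            # Folders such as JDoe.000 or JDoe.001 indicate a duplicate profile.
            $duplicate    = (Split-Path -Path $path -Leaf) -match '\.\d{3}$'
        }

        New-Object PSObject -Property @{
            Sid             = $sid
            Account         = $account
            ProfilePath     = $path
            FolderExists    = $folderExists
            HiveExists      = $hiveExists
            DuplicateSuffix = $duplicate
        } | Select-Object Account, Sid, ProfilePath, FolderExists, HiveExists, DuplicateSuffix
    }
}

Get-ProfileListAudit | Format-Table -AutoSize
```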
Troubleshooting Common Issues
-User Receives Errors at Logon:
1)-“Windows did not load your roaming profile and is attempting to log you on with your local profile.”
Verbatim Error:
“Windows did not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrator’s group must be the owner of the folder. Contact your network administrator.”
- Windows XP SP1, Windows 2000 SP4 and Windows Server 2003 enable by default an ownership check of a roaming profile. If this fails, the user doesn’t load the roaming profile.
Related Articles:
327462 Windows XP SP1 and Windows 2000 SP4 Check for Existing Roaming User
http://support.microsoft.com/?id=327462
327259 Windows Server 2003 Checks for Pre-Created Roaming Profile Folders When
http://support.microsoft.com/?id=327259
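The ownership condition in the error text above can be checked across a whole profile share before users hit it. This PowerShell is an added example, not part of the original article; it assumes each folder under the share is named after the user's logon name, and the share path and domain name are placeholders. Owners are compared by SID so that localized group names do not matter.

```powershell
# Added example, not from the original article. Folder names under the share
# are assumed to equal user logon names; share and domain are placeholders.
function Test-RoamingProfileOwner {
    param(
        [Parameter(Mandatory = $true)][string]$ProfileRoot,  # e.g. \\<server>\<share>
        [Parameter(Mandatory = $true)][string]$Domain        # NetBIOS domain name
    )
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    # Well-known SID of the built-in Administrators group (language independent).
    $adminSid = 'S-1-5-32-544'

    Get-ChildItem -Path $ProfileRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_

        # Owner recorded on the server copy of the profile folder.
        $ownerSid = $null
        $acl = Get-Acl -Path $folder.FullName -ErrorAction SilentlyContinue
        if ($acl) {
            $owner = $acl.GetOwner($sidType)
            if ($owner) { $ownerSid = $owner.Value }
        }

        # SID of the account the folder is assumed to belong to.
        $userSid = $null
        try {
            $nt      = New-Object System.Security.Principal.NTAccount($Domain, $folder.Name)
            $userSid = $nt.Translate($sidType).Value
        } catch { }   # folder name does not map to an account

        $ownedByUser   = ($null -ne $userSid) -and ($ownerSid -eq $userSid)
        $ownedByAdmins = ($ownerSid -eq $adminSid)

        New-Object PSObject -Property @{
            Folder        = $folder.FullName
            OwnerSid      = $ownerSid
            OwnedByUser   = $ownedByUser
            OwnedByAdmins = $ownedByAdmins
            PassesCheck   = ($ownedByUser -or $ownedByAdmins)
        } | Select-Object Folder, OwnerSid, OwnedByUser, OwnedByAdmins, PassesCheck
    }
}

# Usage (placeholders): list only the folders that would fail the check.
# Test-RoamingProfileOwner -ProfileRoot '\\<server>\<share>' -Domain '<DOMAIN>' |
#     Where-Object { -not $_.PassesCheck }
```

Run it with an account that can read the security descriptor of every profile folder; folders whose ACL cannot be read are reported with an empty owner and fail the check.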
2)-“Windows cannot locate your roaming profile and is attempting to log you on with your local profile”
Verbatim Error:
“Windows cannot locate your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be propagated to the server. DETAIL: Network path was not found.”
If you have not logged on to this workstation before, you also receive the following error message:
“Windows cannot find the local profile and is logging you on with a temporary profile. Changes to your profile will be lost when you log off.”
RESOLUTION:
This behavior can occur if the server that hosts the roaming profile is not available or cannot be reached by the workstation.
Ensure that the client has connectivity and can resolve the server that is hosting the roaming profile. This may require the assistance of the networking team if the issue is network related.
3)- Is the error received related to Network Path Not Found (error code = 53)?
Resolution:
Is the Profile Path defined in the User Account object correct? In cases where the roaming profile is not loading correctly, it is necessary to check the profile path setting on the user’s account. Verify that the path is accessible. If it is not a UNC path, try a UNC path and verify whether it works. Does a UNC Profile Path work? If not, then verify that the user has the appropriate permissions for the profile remote storage location.
Related Articles:
257848 “Access Denied” Error Message When Updating Roaming User Profile
http://support.microsoft.com/?id=257848
4)- Is the user receiving a logon permissions failure message?
If so, then begin by evaluating the current Group Policy settings, specifically the User Rights Assignments, and determine with the customer whether they are appropriate for the user that is trying to log on. The articles listed below cover the most common permissions-related logon failure issues.
Related Articles:
276590 Error Message: The Local Policy of This System Does Not Permit You to
http://support.microsoft.com/?id=276590
285793 Error Message: The Local Policy of This System Does Not Permit You to
http://support.microsoft.com/?id=285793
5)- Does the user receive a blank screen or “The Operating System Cannot Load Profile” error message at logon?
Is the user failing to log on, or being logged on with a temporary profile or a duplicate profile, i.e. username.000, .001, etc.? Check to see that the Default User profile is present. If it is missing, or if you suspect damage or misconfiguration, create a new clean Default User profile by copying a new profile in its place.
Related Articles:
248040 New Users Receive “User Environment” Error Message and Do Not
http://support.microsoft.com/?id=248040
6)- Is the User receiving resource errors upon logon?
Typical Error:
Event Type: Error
Event Source: Userenv
Event ID: 1000
Date: 1/6/2004
Time: 10:33:48 AM
User: NT AUTHORITY\SYSTEM
Computer: SRV-TS01
Description: Windows cannot log you on because the profile cannot be loaded. Contact your network administrator. DETAIL - Insufficient system resources exist to complete the requested service.
Check the following registry keys: MaxWorkItems and MaxMpxCt. Does increasing these values resolve the logon failures? If so, then performance tuning was required. If further work is needed, the customer should discuss this with the Performance team.
If this does not resolve the problem, then check the Registry Size Limit. Is it near or exceeding the limit? If so, you will need to increase the Registry Size Limit to accommodate the Profile and System registries and retest.
If this does not resolve the issue, then enable Userenv logging and examine the log for failures.
Related Articles:
232476 Terminal Server Client Connections and Logon Limited by MaxWorkItem and
http://support.microsoft.com/?id=232476
189119 UserEnv Returns Corrupted Profile for All Failures Including RSL Exceeded
http://support.microsoft.com/?id=189119
221833 How to enable user environment debug logging in retail builds of Windows
http://kb/article.asp?id=Q221833
7)- Is the User receiving Registry Corruption errors?
Either provide a copy of Chkreg.exe to the customer to repair or verify their NTUSER.DAT, or gather a copy of the NTUSER.DAT from the customer. For more information on obtaining Chkreg.exe and repairing registry corruption, please see the article below:
Related Articles:
822705 How to Troubleshoot Registry Corruption Issues
http://support.microsoft.com/?id=822705
8)- “User Environment: Windows cannot log you on because the profile cannot be loaded. Contact your network administrator.
DETAIL - The system cannot find the file specified.”
This error occurs when you attempt to log on to a Windows 2000 Professional workstation as a domain user for the first time. The message is received if the Default User folder in the Documents and Settings folder is missing.
Related Articles:
248040 New Users Receive “User Environment” Error Message and Do Not
http://support.microsoft.com/?id=248040
-XP Specific Logon Issues:
Is the problem specific to Windows XP clients?
1)- “The roaming profile cannot be found”
-If so then verify that the following is logged in the application log
When you view the application log, you see an event that is similar to the following:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1521
Date: <Date>
Time: <Time>
User: <User>
Computer: <Computer_Name>
Description:
Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.
DETAIL - Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator.
RESOLUTION:
831651 “The roaming profile cannot be found” error message when you log on to
http://support.microsoft.com/?id=831651
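Both Userenv events shown so far (Event ID 1000 and 1521) are told apart mainly by their DETAIL text, so a quick triage can key on it. This PowerShell is an added example, not part of the original article; the sample entries are constructed from the messages quoted on this page, and the hint strings only point back to the checks this page describes.

```powershell
# Added example, not from the original article: sort Userenv errors into the
# troubleshooting checks on this page by the DETAIL text of the message.
function Get-UserenvTriage {
    param([Parameter(ValueFromPipeline = $true)]$Entry)
    process {
        $message = [string]$Entry.Message
        $hint = switch -Regex ($message) {
            'Insufficient system resources' {
                'Resources: review MaxWorkItems, MaxMpxCt and the registry size limit'; break
            }
            'network path' {
                'Network: check connectivity, name resolution, the profile path on the user account, and ICF on the server'; break
            }
            'Access is denied' {
                'Permissions: verify List Folder Contents, Read and Write on the profile folder'; break
            }
            'cannot find the file specified' {
                'Default User folder missing under Documents and Settings'; break
            }
            default {
                'No known DETAIL text: enable Userenv logging and examine the log'
            }
        }
        New-Object PSObject -Property @{
            EventID = $Entry.EventID
            Hint    = $hint
        } | Select-Object EventID, Hint
    }
}

# Constructed sample entries (message text shortened from the events above;
# the third entry is invented to show the fallback branch).
$samples = @(
    New-Object PSObject -Property @{
        EventID = 1000
        Message = 'Windows cannot log you on because the profile cannot be loaded. DETAIL - Insufficient system resources exist to complete the requested service.'
    }
    New-Object PSObject -Property @{
        EventID = 1521
        Message = 'Windows cannot locate the server copy of your roaming profile. DETAIL - Windows cannot find the network path.'
    }
    New-Object PSObject -Property @{
        EventID = 1000
        Message = 'Constructed message with an unrecognised DETAIL text.'
    }
)
$samples | Get-UserenvTriage | Format-Table -AutoSize

# Against the live Application log:
# Get-EventLog -LogName Application -Source Userenv -EntryType Error -Newest 100 |
#     Get-UserenvTriage
```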
2)- “Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. You may receive this error message because of network problems or insufficient security rights. If this problem persists, contact your network administrator.
DETAIL - The network path was not found.”
RESOLUTION:
This issue may occur if your roaming profile or home folder is located on a computer that has ICF (Internet Connection Firewall) turned on.
832850 You receive a “Windows cannot locate the server copy of your roaming
To resolve this issue, use one of the following methods:
- Disable ICF on the computer that stores the user profile.
- Move the user’s roaming profile or home folder to a computer that has ICF disabled.
Disable ICF
———–
Note: ICF is designed to help protect computers that are directly connected to the Internet. ICF is available for local area network (LAN) or dial-up connections. It also helps prevent Internet users from connecting to the shared resources on your computer. When you disable ICF, you remove the protection that it helps to provide. Disable ICF only if you understand the implications of doing so. For more information about ICF, see the “More Information” section of this article.
To disable ICF, follow these steps:
1. Click “Start” and then click “Control panel”.
2. Double-click “Networking and Internet Connections”, and then click “Network Connections”.
3. Right-click the connection where you want to disable ICF, and then click “Properties”.
4. Click the “Advanced” tab, under “Internet Connection Firewall”, click to clear the “Protect my computer and network by limiting or preventing access to this computer from the internet” check box, and then click “OK”.
5. Click “Close”.
Move the roaming user profile or home folder
——————————————–
To move a roaming user profile or a home folder, follow these steps:
1. Create and share folders on the destination computer for the specific user.
2. Copy the existing user profile.
3. Configure the user account to use the roaming user profile and the home folder.
Step 1: Create and share folders on the destination computer for the specific user
1. Log on as an administrator to the computer where you want to store the user profile and the home folder, and then disable ICF on this computer.
2. Create a folder in the Documents and Settings folder, and name the folder after the user’s user name. For example:
c:\Documents and Settings\<username>_folder
3. Create a home folder and share it for the specific user, and set permissions on the home folder that permit the user to access the folder. For example:
D:\Home Directories\<username>
Note: For additional information about permissions for files and folders, see the “More information” section of this article.
Step 2: Copy the existing user profile
1. Log on to the computer with an account that has administrator credentials.
2. Click “Start”, right-click “My Computer”, and then click “Properties”.
3. Click the “Advanced” tab, and then click “Settings” under “User Profiles”.
4. In the “Profiles stored on this computer” list, click the profile that you want to copy, and then click “Copy To”.
5. In the “Copy To” dialog box, click “Browse”, locate the folder that you created in step 1.2, and then click “OK” three times.
Step 3: Configure the user account to use the roaming user profile and home folder
Note: A network administrator must complete this step. If you do not have network administrator credentials on your network, contact your network administrator to complete this step.
1. Log on to the domain controller with an account that has administrator credentials.
2. Click “Start”, point to “Programs”, point to “Administrative Tools”, and then click “Active Directory Users and Computers”.
3. Expand “Domain”, and then click the folder where the users are located. Typically, users are located in the Users folder.
4. In the list of user names, right-click the name of the user profile that you want to modify, and then click “Properties”.
5. Specify the profile path and the home folder. To do so, follow these steps:
a. Click “Profile”, in the “Profile Path” box, type the full path of the Profiles folder that you created (for a Windows XP client). For example, type the following path:
“\\<computer name>\share\Profiles” (without the quotation marks)
b. Click “Profile”, click “Connect”, and then specify a drive letter.
c. In the “To” box, type the full path of the user folder in the Profiles folder that you created (for a Windows XP client). For example, type the following path:
“\\<computer name>\share\Profiles\<Username_folder>” (without the quotation marks).
6. Click “OK”.
7. On the “Console” menu, click “Exit”.
-User Receives Errors at Logoff
1) Is the Profile failing to save locally or remotely?
Is the user receiving error messages indicating that the profile save has failed? If so, does the user have a mandatory profile? For more information on mandatory profiles, please see the article below:
Related Articles:
323368 HOW TO: Assign a Mandatory User Profile in Windows 2000
http://support.microsoft.com/?id=323368
2) Is the user receiving error messages indicating that the profile save has failed (this also includes “Access Denied” during logoff)?
When a user with a roaming user profile logs off, the following error message may be displayed:
Windows cannot update your roaming profile. Contact your network administrator.
DETAIL - Access is denied
At the NTFS share level, the following permissions are required for the user:
List Folder Contents
Read
Write
257848 “Access Denied” Error Message When Updating Roaming User Profile
http://support.microsoft.com/?id=257848
255113 Windows 2000 Roaming Profiles May Not Synchronize with Windows NT 4.0
http://support.microsoft.com/?id=255113
3) Does the User have a Mandatory Profile defined?
4) Is the User logging on a member of the Guests Group?
5) Is the User receiving errors regarding Files in use during logoff?
-Close all applications before logoff. If the condition persists, disable the Indexing Service, Antivirus Software and Backup Software. Once the offending service is identified, the owner of the component should work on this issue.
6) Is the User receiving any resource errors upon logoff (for example, insufficient resources)?
-Check the following registry keys: MaxWorkItems and MaxMpxCt. Does increasing these values resolve the logoff failures?
Relevant information:
Terminal Server Client Connections and Logon Limited by MaxWorkItems and MaxMpxCt Values
7) Is the error received related to Access Denied (error code = 5)?
See “Default NTFS Permissions in Windows 2000” and verify the NTFS permissions on the local system.
Relevant information:
244600 Default NTFS Permissions in Windows 2000
http://support.microsoft.com/?id=244600
162031 Blank Screen or Operating System Cannot Load Profile at Logon
http://support.microsoft.com/?id=162031
- USEFUL ARTICLES:
-Upgrades
User Profiles May Not Be Migrated During Windows XP Upgrade [winxpnetkb]
ID: Q307910 CREATED: 17-SEP-2001 MODIFIED: 06-AUG-2002
Roaming Profiles May Not Synchronize Correctly in Windows [winnt]
ID: Q255113 CREATED: 22-FEB-2000 MODIFIED: 24-OCT-2000
How to Migrate User Profiles to Windows 2000 [ntrelease]
ID: Q234548 CREATED: 04-JUN-1999 MODIFIED: 22-AUG-2001
Documents and Settings Folder Permissions Improperly Set [ntrelease]
ID: Q256569 CREATED: 07-MAR-2000 MODIFIED: 31-AUG-2002
Deleting a User Profile Removes the My Documents Folder [ntrelease]
ID: Q264735 CREATED: 06-JUN-2000 MODIFIED: 31-JUL-2001
-Profile Load/Unload
Issues When Windows 2000 Loads and Unloads Profile [ntrelease]
ID: Q289564 CREATED: 14-FEB-2001 MODIFIED: 06-AUG-2002
Msinfo32.exe Causes Userenv Event ID 1000 in Windows 2000 [ntrelease]
ID: Q285192 CREATED: 12-JAN-2001 MODIFIED: 15-AUG-2002
Roaming User Profiles Do Not Unload [ntrelease]
ID: Q253820 CREATED: 10-FEB-2000 MODIFIED: 08-MAY-2002
Msinfo32.exe Causes Userenv Event ID 1000 [ntrelease]
ID: Q269858 CREATED: 01-AUG-2000 MODIFIED: 08-MAY-2002
Err Msg: Your Profile Was Not Successfully Loaded… [arnetwork]
ID: Q166666 CREATED: 09-APR-1997 MODIFIED: 09-AUG-2001
A User May Experience a Slow Logoff Process [ntrelease]
ID: Q319909 CREATED: 18-MAR-2002 MODIFIED: 20-AUG-2002
No Desktop or Blank Desktop After Logging On to Windows 2000 [ntrelease]
ID: Q256194 CREATED: 04-MAR-2000 MODIFIED: 01-APR-2002
-Permissions & Rights
Roaming Profile Folders Do Not Allow Administrative Access [ntrelease]
ID: Q222043 CREATED: 11-MAR-1999 MODIFIED: 06-AUG-2002
Blank Screen or Operating System Cannot Load Profile at Logon [ntrelease]
ID: Q162031 CREATED: 10-JAN-1997 MODIFIED: 06-AUG-2002
Default Profile Is Always Used When You Log On [ntrelease]
ID: Q321043 CREATED: 08-APR-2002 MODIFIED: 31-MAY-2002
-Roaming Profiles
Roaming Profiles and Internet Printing Are Incompatible [ntrelease]
ID: Q247574 CREATED: 02-DEC-1999 MODIFIED: 07-SEP-2001
“Access Denied” Error Message When Updating Roaming User Profile [ntrelease]
ID: Q257848 CREATED: 20-MAR-2000 MODIFIED: 15-AUG-2002
“Protected Storage” Error with Windows 2000 Roaming Profiles [winnt]
ID: Q249818 CREATED: 03-JAN-2000 MODIFIED: 08-AUG-2001
-Application Data
Err Msg: Not Enough Storage Is Available to Process This Command [ntrelease]
ID: Q252424 CREATED: 26-JAN-2000 MODIFIED: 06-AUG-2002
-MISC
824198 “The Credentials Supplied Conflict with an Existing Set of Credentials”
http://support.microsoft.com/?id=824198
269378 Differences in the User Profiles in Windows
http://support.microsoft.com/?id=269378
321043 Default Profile Is Always Used When You Log On, Roaming and Mandatory
http://support.microsoft.com/?id=321043
302082 HOW TO: Create a Roaming User Profile in Windows 2000
http://support.microsoft.com/?id=302082
324749 HOW TO: Create a Roaming User Profile in Windows Server 2003
http://support.microsoft.com/?id=324749