locked
Unable to lock profile RRS feed

  • Question

  • I'm setting up a brand-new machine for public access use, and am nearly finished.  Just installed Steady State.  (First time... have used both the PAC computing and Shared Computer Toolkit before.)

    It goes great until I try to lock the profile.  And it won't.

    Again, this is a fresh install of EVERYTHING on a brand new machine.  I create an account, and it works fine.  (Including locking.)  I unlock it, login with that account, and make the little changes it needs.  (Set home pages, change various program options, run some programs for the first time as that user to let them do their thing, then clean up some of the little messes they make, change the background, and so on.)

    Then I log out and go to lock it.  It won't.  Check the box, and tell it OK.  It remains unlocked.

    Now, before answering, please do not tell me this:

    "according to the symptom, Windows SteadyState seems to be unable to change ntuser.dat to ntuser.man. This can be a user profile corrupt issue. Please create a new user or create a new user profile to test out.


    Also the issue can be related to the windows disk protection being turned on to remove all changes at restart. If this is the case, you can do so:

     

    1. Switch the disk protection option to retains all changes permanently.

    2. Lock the user profile in SteadyState.

    3. Log off or restart to commit the  changes to the disk.

    4. Log on as a administrator again to check if the user profile has been locked."

     

    I already knew all of that, before I even came here looking for support.  The previous tools were subject to the same problems.

     

    Forget about the disk protection possibility... has never been turned on yet on this machine.  I'm not using any other program with similar functionality, either.  So that's not it.  That leaves "user profile corrupt".

     

    But here's the deal... it IS a brand new user.  How could it be corrupt already?  Not only that... I followed those exact steps (delete user, create a new one and start over) multiple times before even coming here.

     

    I've done it three times now...

     

    1.  Create new user

    2.  Choose security/etc settings for the user

    3. Lock user (successful)

    4. Unliock user

    5. Change security/etc settings for the user to less strict

    6. Login as that user

    7. Run all programs once (to get "1st run" garbage questions out of the way for users)

    8. Change some program settings

    9. Change the desktop background (yes it's a bmp, and it works fine)

    10. Logout as that user, login as admin and run SteadyState

    11. Change security/etc settings for that user back to be more strict

    12. Lock user (UNSUCCESSFUL???)

     

    Then delete the user and go through the whole thing again.

     

    It takes time, and keeps failing.  This is ridiculous, and I'm starting to get ticked.  "Profile is corrupt" is a non-answer for this, yet my searches here aren't turning up anything but that cut 'n paste reply to all cases.

     

    So... as a user who has already tried the commonly offered solution multiple times, what would be my next step when said solution fails? Not trying to be a pain, just want to be clear that the canned answer has already been tried and failed.

    Thanks!

    Wednesday, November 25, 2009 2:02 AM

Answers

  • As I know, the “Lock profile to prevent the user from making permanent changes” option is implemented via mandatory user profile. When you choose “Lock profile to prevent the user from making permanent changes” option, SteadyState will change the ntuser.dat of the corresponding user profile to ntuser.man (mandatory profile) and rename the profile folder to <UserName>.orig.

    According to the symptom, it seems that the user profile could not be locked. Considering the current situation, let's modify the ntuser.dat file manually:

    1. Rename the “C:\Documents and Settings\<username>\ntuser.dat” file to ntuser.man.
    2. Try to lock user profile again.


    Sean Zhu - MSFT
    • Marked as answer by Sean Zhu - Wednesday, December 2, 2009 3:35 AM
    Thursday, November 26, 2009 8:47 AM
  • OK, finally successful.

    The profile I was working on ended up corrupted somehow.  Just plain wouldn't log in anymore. Deleted it and started over yet again.

    Made all changes in one shot, and lo & behold... it worked and locked.  (This would be at least the 7th or 8th attempt at setting up an account.)  And then I remembered one last thing... I'd forgotten to set the default printer.

    Unlocked it, logged in to change that, then logged out.  Aack, it's broken again.  Won't lock.  Tired of messing with it, so didn't do it all over again trying to duplicate 1it.  So maybe that is it, maybe not.  At any rate, seemed a good time to try renaming the files manually.

    Renaming ntuser.dat to ntuser.man was no problem.  Renaming the profile to name.orig couldn't be done.  Kept saying the folder was in use or I didn't have permission.  (Local admin on a non-domain machine... of course I have permission.)

    Rebooted to see if forcing it to let go of the file would change anything.. it did.  At that point I could rename the profile folder as well.

    Ran the steady state tool and it saw it as still locked, and when clicking to get in there and change it, it wanted me to "initialize" it.  Um... no, lets back up to where it left off instead.  Renamed the files back to what they normally would be when unlocked, then went back to steady state.  And it FINALLY worked.  I immediately made backups of the finished profile in both locked and unlocked states.

    But it seems to be working now.

    I think this is the trick...

    1.  Create the account
    2.  Set all steady state security settings to "none"
    3. Login as the account, make all windows setting changes
    4. Run all apps at least once, going through any setup routines and config changes
    5. Login as administrator again, and change all steady state settings to whatever desired
    6. Try to "lock" the profile.

    7a. If it works, congratulations.  You're done.  This NEVER ONCE happened for me.  Got really close one time, but one last tweak put it over the edge.
    7b. If it doesn't work, reboot the machine and then try to lock it again.  This forces the *stupid bleeping* system to let go of any open files/folders in the profile.  It should work then.

    8.  If it still doesn't work, scream silently to yourself.  Go get some ice cream or other substance of choice to take your mind off of it for a while. Then continue the search for help/answers.


    Thanks.  :)
    • Marked as answer by Sean Zhu - Wednesday, December 2, 2009 3:35 AM
    Monday, November 30, 2009 11:17 PM

All replies

  • As I know, the “Lock profile to prevent the user from making permanent changes” option is implemented via mandatory user profile. When you choose “Lock profile to prevent the user from making permanent changes” option, SteadyState will change the ntuser.dat of the corresponding user profile to ntuser.man (mandatory profile) and rename the profile folder to <UserName>.orig.

    According to the symptom, it seems that the user profile could not be locked. Considering the current situation, let's modify the ntuser.dat file manually:

    1. Rename the “C:\Documents and Settings\<username>\ntuser.dat” file to ntuser.man.
    2. Try to lock user profile again.


    Sean Zhu - MSFT
    • Marked as answer by Sean Zhu - Wednesday, December 2, 2009 3:35 AM
    Thursday, November 26, 2009 8:47 AM
  • Thanks, I'll give that a shot.

    I've still been hammering at it to see what is causing it.  (Since before my changes are made to a new account it always works, and after it always doesn't.)

    I'm making my changes one at a time now, then logging out to check to see if it still locks.  If I find a particular point at which it fails, I'll do it again to see if it is consistent, then report it.  I'll also try to rename the files manually, as reccommended.

    FWIW, I did install the user profile hive cleanup service after reading that it was still ok to do that with steady state.  Was hoping that would get the system to let go of the profiles. Which does always seem to be a problem... windows keeping profile files in use for no good reason, even when user is logged out.  I can't think of a single good reason for it to do that.  It makes sense that if all the Steady State tool is doing there is renaming stuff, that it will fail due to those files being in use.  (Then again, I don't understand why windows can't manage to rename a file even if it is already in use. Silly.)

    The hive cleanup service didn't seem to make any difference though.

    Another thing... I tried to use the "export/import user" functions to save me some time setting up a new user, but it appears to be a very limited feature.  Doesn't seem to save anything at all, other than username/password and the steady state security settings themselves.

    It'd be nifty if it actually saved the entirety (or most) of the user profile.  Both the registry settings and many of the files in the home folder.  (App Data and such... the ones created when apps are first run.) As is, it only saves a minute or two worth of configuring, instead of maybe 10-15.

    Anyway, I'll report back after working on it a bit more.  Thanks

    Monday, November 30, 2009 8:15 PM
  • OK, finally successful.

    The profile I was working on ended up corrupted somehow.  Just plain wouldn't log in anymore. Deleted it and started over yet again.

    Made all changes in one shot, and lo & behold... it worked and locked.  (This would be at least the 7th or 8th attempt at setting up an account.)  And then I remembered one last thing... I'd forgotten to set the default printer.

    Unlocked it, logged in to change that, then logged out.  Aack, it's broken again.  Won't lock.  Tired of messing with it, so didn't do it all over again trying to duplicate 1it.  So maybe that is it, maybe not.  At any rate, seemed a good time to try renaming the files manually.

    Renaming ntuser.dat to ntuser.man was no problem.  Renaming the profile to name.orig couldn't be done.  Kept saying the folder was in use or I didn't have permission.  (Local admin on a non-domain machine... of course I have permission.)

    Rebooted to see if forcing it to let go of the file would change anything.. it did.  At that point I could rename the profile folder as well.

    Ran the steady state tool and it saw it as still locked, and when clicking to get in there and change it, it wanted me to "initialize" it.  Um... no, lets back up to where it left off instead.  Renamed the files back to what they normally would be when unlocked, then went back to steady state.  And it FINALLY worked.  I immediately made backups of the finished profile in both locked and unlocked states.

    But it seems to be working now.

    I think this is the trick...

    1.  Create the account
    2.  Set all steady state security settings to "none"
    3. Login as the account, make all windows setting changes
    4. Run all apps at least once, going through any setup routines and config changes
    5. Login as administrator again, and change all steady state settings to whatever desired
    6. Try to "lock" the profile.

    7a. If it works, congratulations.  You're done.  This NEVER ONCE happened for me.  Got really close one time, but one last tweak put it over the edge.
    7b. If it doesn't work, reboot the machine and then try to lock it again.  This forces the *stupid bleeping* system to let go of any open files/folders in the profile.  It should work then.

    8.  If it still doesn't work, scream silently to yourself.  Go get some ice cream or other substance of choice to take your mind off of it for a while. Then continue the search for help/answers.


    Thanks.  :)
    • Marked as answer by Sean Zhu - Wednesday, December 2, 2009 3:35 AM
    Monday, November 30, 2009 11:17 PM