Locking User Profile - Locked user cannot log in, permissions problem

  • Question

  • Hello all,

      I've recently rolled out 20+ laptops that were deployed from one image. 

     

      The Laptops were sysprep'ed before the image was taken.  Following the handbook and other advice found online, the limited user, "EMS", had restrictions set, but never locked before the image was deployed.

     

      After my extensive testing, I determined the image was ready for production use.  I then deployed the sysprep'ed image and locked the EMS user's account, among other non-related post-image configurations and put the laptops in service.

     

      I've been getting small handfuls of laptops back where the EMS user is unable to Log in.  When logging in they get the following message...

     

     


    Windows cannot copy file C:\Documents and Settings\EMS.org\Desktop to C:\Documents and Settings\EMS\Dekstop.  Possible causes of this error include network problems or insufficient security rights.  If this problem persists, contact your network administrator.

     

    DETAIL - Access is denied.

     

     

    Upon logging in as the administrator, I find that C:\documents and Settings\EMS\Desktop is Read Only to the COMPUTER_NAME\EMS user. 

     

    This is only happening on some of the laptops, and there doesn't seem to be anything that causes it.  Has anyone seen this before and know how to prevent it?

    Wednesday, November 26, 2008 2:44 PM

All replies

  • Hi Tony, regarding the “Access is denied” error, it should be caused by incorrect permission settings on the folder. We can modify permission from "Read Only" to "Full Control" to check the result.

     

    For other community members who encounter the same issue, you can follow the steps below to modify the permission.

    --------------------

    1. Log on with an administrator account. If auto logon is enabled, hold Shift key or enter Safe Mode to perform these operations.

    2. Delete all the contents under C:\documents and settings\<user name>\. Restart to test. Continue with the following steps if issue remains.

    3. Locate the source folder under C:\documents and settings\user.org

    4. Right click the problematic folder and choose Properties.  Please check if there is Security tab.

     

    If there is no Security tab and this is a Windows XP Professional computer, let’s disable simple file sharing to show the Security tab:

     

      a. Click Start, and then click My Computer.

      b. On the Tools menu, click Folder Options, and then click the View tab.

      c. In the Advanced Settings section, clear the Use simple file sharing (Recommended) check box. Click OK.

     

    If the system is Windows XP Home Edition, please press F8 when the computer starts and boot into Safe Mode with an administrator account to perform the following steps.

     

    5. Select the Security tab of the Desktop folder.

    6. Please check if user is in the “Group or user names” list. If so, please make sure it has Full Control permission. Otherwise, click the Add button to add user to the list. Highlight the account we added. Select the Allow check box for “Full Control”. Click OK.

     

    Hope this helps!

    Friday, November 28, 2008 3:30 AM
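
    A read-only check for the symptom discussed in this thread (the EMS account lacking write access to its Desktop folder), as an added PowerShell example that is not part of any poster's reply. It assumes PowerShell is installed on the laptop, the local account name EMS and the two profile paths quoted in the error message, and it inspects only ACEs that name the account directly.

```powershell
# Added example: report-only audit, changes nothing on disk.
# Assumed names (taken from the thread): local account EMS, profile folders EMS.org and EMS.
$Account  = "$env:COMPUTERNAME\EMS"
$Desktops = @(
    'C:\Documents and Settings\EMS.org\Desktop',   # copy source named in the error message
    'C:\Documents and Settings\EMS\Desktop'        # copy destination named in the error message
)

function Get-DesktopWriteStatus {
    param([string]$Path, [string]$Identity)

    if (-not (Test-Path -Path $Path)) { return "MISSING    $Path" }

    $write   = [int][System.Security.AccessControl.FileSystemRights]::Write
    $allowed = 0
    $denied  = 0

    # Only ACEs that name the account directly are counted; rights granted
    # through groups (Users, Everyone, ...) are not expanded here.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Deny') { $denied  = $denied  -bor $rights }
        else                                   { $allowed = $allowed -bor $rights }
    }

    # Simplification: any Deny is treated as overriding Allow
    # (explicit-versus-inherited ACE ordering is ignored).
    $effective = $allowed -band (-bnot $denied)
    if (($effective -band $write) -eq $write) { return "WRITABLE   $Path" }
    if ($denied -band $write)                 { return "DENY-WRITE $Path" }
    return "READ-ONLY  $Path"
}

foreach ($d in $Desktops) { Get-DesktopWriteStatus -Path $d -Identity $Account }
```

    Run it from an administrator session. A READ-ONLY or DENY-WRITE line for either folder matches the state described in the original question.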
  • Sean,
      I am aware of changing the security permissions on the folder.  I've done this before posting to get by the issue, though I need to understand what caused it so I can prevent it.

      These laptops are in production use for an ambulance company in the ambulance themselves.  If they can not log onto the computer, they are unable to receive call information and write reports and manage their patients.  In my pre-deploy testing, I have not come across this issue, though more and more of the laptops are exhibiting this problem. 

     Unfortunately, as I have not been the only one fixing these laptops as this happens, I don't know for certain that it has happened twice on one laptop.  I've been keeping record of which ones it happens on, but the others have not...

    Do you have any insight as to why the permissions are changing on the desktop folder?

    Thanks,
    Tony Baker
    Friday, November 28, 2008 2:40 PM
  • Hi,

     

    Do you by chance have the "Prevent users from saving files to the desktop" restriction enabled for that user?

     

    Thanks

    Rob Elmer

    Development Lead

    Windows SteadyState

    Saturday, November 29, 2008 3:31 AM
  • Wow Rob,
    I hadn't even considered that.  It is enabled.

    Is this a known compatibility issue?  Is there a fix that will allow both Profile locking and preventing users from writing to their desktop?  A note about this should be added to the handbook under the User Profile locking section. 

    Are there any other settings that would prevent Profile Locking from working as expected?

    Thanks,
    Tony Baker
    Monday, December 1, 2008 5:42 PM
  • Hi,

    No, this wasn't a known issue--yours is the first report I've seen about it.  I'll log a bug about the issue in hopes that it can be addressed some time in the future. 

    Since the profile is locked, any data that the user saves to the desktop would be erased when he logs off.  If that's sufficient for your needs, I'd suggest removing that restriction.  One potential issue with that would be that users would then not be prevented from saving to the desktop, and thus risk losing data at logoff if they expected files placed on the desktop to be available in the future.  Users with locked accounts are warned at logon that they should save data elsewhere, which may mitigate that issue for you. 

    As it stands today, though, there appears to be a race condition between SteadyState restricting the ACL on the desktop directory and the Windows profile manager copying the profile to the temporary profile directory used for that session.  There's no workaround that I can think of which would eliminate that.  The race condition would likely be exacerbated by large profiles (perhaps large temp or temporary internet files directories), slow hardware, or machine loads that slow down the profile copy.

    Thanks,
    Rob Elmer
    Development Lead
    Windows SteadyState

    Tuesday, December 2, 2008 6:11 AM
  • Rob,
      Here is my documentation written regarding the configuration of SteadyState on the laptops that were deployed:

    Configuration

    • Computer Restrictions
      • Enabled Settings. All others are left DISABLED
        • Remove the Administrator user name from the welcome screen
        • Remove the Shutdown and Turn Off options from the Log On to Windows Dialog box and the Welcome Screen
        • Prevent users from Creating folders and files on drive C:
        • Prevent Users from opening Microsoft Office documents from within Internet Explorer

    • Automatic Updates
      • Daily at 3:00 AM

    • Disk Protection
      • OFF

    • User Account Settings (EMS)
      • General
        • Lock Profile (This must happen after the image has been deployed; having the profile locked before imaging removes it from the image)
        • No other settings are enabled on the General Tab
      • Windows Restrictions - All are used EXCEPT THE FOLLOWING
        • Start Menu - Remove the Shutdown Button
        • General Restriction - Disable Notepad and WordPad
        • Hide Drives - All but C:
      • Feature Restrictions - All are used EXCEPT THE FOLLOWING
        • IE - Prevent Internet Access
        • IE - Prevent Printing
        • IE - Do not allow access to Favorites
        • Toolbar Options - Third Party Extensions Buttons
        • Home Page: (Set to our webmail address)


    The Laptops were sysprep'ed before the image was taken.  They have joined the domain after being imaged, though the EMS user referred to is a local account that is used, not a domain account.

    Contrary to your previous post, we'd prefer to prevent users from making the changes in the first place, so we've opted to Unlock the profiles until a permanent fix is found.

    Thanks for your attention to this issue.  Please let me know if I can provide any further details as to our setup.
    Tuesday, December 2, 2008 1:26 PM