GPO setting 'Do not log users on with temporary profiles' is not working

    Question

  • Hi,

    I have a GPO with several settings being applied to my RDS servers. It has been working for a few months, but now this one setting from the GPO has stopped working, and lets users connect to my RDS farm 2012 R2 with a temporary profile while the UserProfileDisk is active on a disconnected session on the other session host.

    I have been looking around for a solution for this, but all I have been able to find is for a GPO that doesn't get applied, not just a single setting.

    Any of you had a similar experience? I need this to work, to prevent users from being able to log on without their UserProfileDisk.


    KL_Dane

    Wednesday, July 8, 2015 10:27 AM

Answers

  • In the end I reinstalled the RDS setup and that did it for me.

    KL_Dane

    • Marked as answer by KL_Dane Wednesday, September 14, 2016 12:47 PM
    Wednesday, September 14, 2016 12:47 PM

All replies

  • I removed this setting and made a new GPO with only this setting and enforced it to my 2 sessions hosts.

    I am still able to log on to the second session host with a temporary profile.


    KL_Dane

    Thursday, July 9, 2015 8:48 AM
  • Hi,

    Sorry for the late response. Would you please check the RSoP report to confirm that the new group policy got applied and is the winning GPO?

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 13, 2015 9:42 AM
    Moderator
  • Hi Elaine,

    I have checked and it is winning:

    Thank you for taking the time to assist me with this.


    KL_Dane

    Monday, July 13, 2015 10:27 AM
  • Hi KL_Dane,

    According to your description here, I was wondering if the issue could be caused by both RDS servers invoking the same process. Such as the process was not closed when you log off via the first server, and then when you log on to the second server it would use a temporary profile.

    So I'd like you to check if you configured "Set time limit for disconnected sessions" for the RDS server in your environment.

    Besides, you can check the thread below, which has a similar problem to yours, for some reference:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/31be4077-1e7c-4845-b707-ab37b7869292/users-in-our-2008-r2-terminal-services-farm-keep-getting-temporary-profiles-when-they-log-in?forum=winserverTS

    Hope it helps.

    Best Regards,

    Elaine


    Wednesday, July 15, 2015 1:54 AM
    Moderator
  • Hi Elaine,

    At first I had a 3-hour time limit for disconnect and the same for active/idle, to make sure all profiles were logged out after a max of 6 hours (during night time). At the moment there is no limit on those 2 settings.

    I have not even begun setting up printers in this setup, so it is not a faulty print driver that is teasing me ;)

    I think I have solved the temp profile for users... Someone put domain users into the local administrators group. Once I corrected this, it stopped giving my users temp profiles. My domain admin account can still get a temp profile, but I think that is by design (correct me if I'm wrong).

    Now a different issue occurs, after I removed the users from the local administrators group. Randomly a user gets blocked by my GPO setting, not allowing them to log on because they can't get their profile.

    At first it was 3 of my 5 test users and only when they were directed to the RDS02 session host. So I disallow logons to the RDS01 session host = everyone connects to RDS02 just fine with their userprofiledisk and everything works.

    I allow connections to RDS01 and now the other 2 of my 5 test users get blocked by the GPO setting, but only when they are directed to RDS01.

    If I log on 3 users to RDS01 and log one of the 2 on and they get directed to RDS02 = they log on just fine.

    Event logs are no help. Any suggestions as to why that is occurring?


    KL_Dane

    Thursday, July 16, 2015 6:36 AM
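The two checks Elaine and KL_Dane arrive at above (is the policy actually applied on the host, and who sits in the local Administrators group) can be scripted. This is an added example, not code from the thread; the registry locations for the two policies are assumptions to verify against your ADMX files, and the list of "broad" groups is a constructed starting point.

```powershell
# Added example: audit one RDS Session Host for the points raised in the thread.
# Assumptions (verify against your ADMX): 'Do not log users on with temporary profiles'
# lands in HKLM\SOFTWARE\Policies\Microsoft\Windows\System as DWORD ProfileErrorAction
# (1 = enabled); 'Set time limit for disconnected sessions' lands in
# HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services as DWORD MaxDisconnectionTime (ms).
# Run elevated on each session host.

function Get-PolicyDword($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$host_ = $env:COMPUTERNAME
$pea = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'ProfileErrorAction'
if ($null -eq $pea) {
    Write-Warning "ProfileErrorAction absent on $host_ - policy not applied here (compare with gpresult /h)."
} elseif ($pea -eq 1) {
    "ProfileErrorAction = 1: temporary-profile logons are blocked on $host_"
} else {
    Write-Warning "ProfileErrorAction = $pea - policy present but not enforcing."
}

$mdt = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'MaxDisconnectionTime'
if ($mdt) { "Disconnected sessions are logged off after $([TimeSpan]::FromMilliseconds($mdt))" }
else      { "No disconnected-session time limit: a disconnected session can keep the UPD mounted indefinitely." }

# Enumerate local Administrators via ADSI (works on 2012 R2 without the LocalAccounts module).
$group   = [ADSI]"WinNT://$host_/Administrators,group"
$members = @($group.Invoke('Members')) | ForEach-Object {
    $adsPath = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    ($adsPath -replace '^WinNT://', '') -replace '/', '\'
}
"Local Administrators on ${host_}:"
$members | ForEach-Object { "  $_" }

# Broad groups that should never sit in local Administrators on a session host (constructed list).
$broad = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')
$bad   = $members | Where-Object { ($_ -split '\\')[-1] -in $broad }
if ($bad) {
    Write-Warning "Broad groups in local Administrators: $($bad -join ', ')"
    Write-Warning 'Remove with: net localgroup Administrators "DOMAIN\Domain Users" /delete'
}
```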
  • Hi,

    Referring to your above post, can you ensure Everyone is in the GPO's security filtering? Or did you restrict it to a security group?


    Regards, Prabhu

    Thursday, July 16, 2015 6:45 AM
  • Hi Prabhu,

    I have a GPO with Computer settings linked to the OU containing my RDS Session Host servers.

    I have a GPO with User settings linked to the same OU (Configure user Group Policy loopback processing mode is enabled with mode: Merge)

    Anyone that connects to the session hosts will get the GPO.


    KL_Dane

    Thursday, July 16, 2015 7:10 AM
  • OK, then where are you stuck now? Could you please be specific about the issue?

    Regards, Prabhu

    Thursday, July 16, 2015 7:29 AM
  • Hi Prabhu,

    I have 3 users that connects as intended, when they are directed to the RDS01 - If they get directed to RDS02 they get this:

    I can see this in the eventlog:

    Followed by this:

    Another 2 users have the same issue, but on opposite RDS servers.


    KL_Dane


    • Edited by KL_Dane Thursday, July 16, 2015 8:09 AM
    Thursday, July 16, 2015 8:08 AM
  • Can you try a workaround?

    Take one problematic user and rename the user profile folder to some name like name_old.

    Then log off the user session and log in again. If required, do a clean reboot.


    Regards, Prabhu

    Thursday, July 16, 2015 10:46 AM
  • Hi Prabhu,

    The only workaround I figured out is to deny logons to one of my 2 session hosts.

    I have tried rebooting all servers, deleting all userprofiledisks. The same issue happens again.


    KL_Dane

    Thursday, July 16, 2015 10:58 AM
  • Found an MSFT support article. I am wondering if you already came across this.

    https://support.microsoft.com/en-us/kb/947215


    Regards, Prabhu

    Thursday, July 16, 2015 11:19 AM
  • In addition, you may like to refer to the below:

    OPTION ONE
    To Try and Fix the User Profile of the User Account

    Note
    This option is to attempt to repair the user profile of the user account that is getting the error by replacing the current bad user profile with a good backup copy to use instead to fix this error without losing anything.

    1. If you have another administrator account that is not affected by this user profile error, then sign out of the affected account (ex: Brink), and sign in to the other administrator account.
    Note
    If you do not have another administrator account to sign in to, then you could do one of the following options below to enable the built-in Administrator account to sign in to, and continue on to step 2 below.

    A) Boot into safe mode, enable the built-in Administrator, sign out, and sign in to Administrator.

    OR

    B) Open a command prompt at boot, enable the built-in Administrator, restart the PC, and sign in to Administrator.

    2. Press the Windows + R keys to open the Run dialog, type regedit, and click/tap on OK.

    3. If prompted by UAC, then click/tap on Yes.

    4. In Registry Editor, navigate to the location below. (see screenshot below)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList



    5. In the left pane under ProfileList, click on a SID key (S-1-5-21....long number). (see screenshot above)

    A) In the right pane of the SID key, look at the ProfileImagePath value to see if it is for the same user account name (ex: Brink) that has the user profile error.

    B) If not, then repeat step 5 until you find it, then go to step 6 below.

    6. If you improperly renamed the user profile folder (C:\Users\Brink) of the affected user account by right clicking on it and click/tap on Rename, then manually rename the user profile folder in File Explorer back to what it shows as the correct name (ex: Brink) in the ProfileImagePath value in the registry. (see screenshots below step 4 and below)



    7. Do step 8 or 9 below depending on if you have either one or two SID keys with the same S-1-5-21....long number with one without .bak (ex: ...-1014), and one with .bak (ex: ...-1014.bak) at the end. (see screenshot below step 4)

    NOTE: The SID key without .bak is the current bad user profile, and the SID key with .bak is the hopefully good backup of the user profile.

    8. If you have Only One S-1-5 (SID) key with .bak at the end

    A) In the left pane, right click on the SID key (ex: ...-1014.bak) with .bak at the end of the numbers, and click/tap Rename. (see screenshot below)



    B) Remove only .bak at the end of the numbers, press Enter, and go to step 10 below. (see screenshot below)



    9. If you have Two S-1-5 (SID) keys with the Same Long Number

    A) In the left pane, right click on the top SID key (ex: ...-1014) without .bak at the end of the numbers, click/tap Rename, add .bk to the end of the numbers, and press Enter. (see screenshot below)



    B) In the left pane, right click on the bottom SID key (ex: ...-1014.bak) with .bak at the end of the numbers, click/tap Rename, remove only .bak at the end of the numbers, and press Enter. (see screenshot below)



    C) Now go back and Rename the first SID key with .bk to .bak now at the end of the numbers, press Enter, and go to step 10 below. (see screenshot below)



    10. In the right pane of the SID key (ex: ...-1014) without .bak now, double click/tap on the RefCount DWORD to modify it. (see screenshot below step 4)

    Note
    If you do not have RefCount, then right click or press and hold on an empty space in the right pane, click/tap on New and DWORD (32 bit) Value, type RefCount, and press Enter.

    The value for this entry will reset and return back to the original value after you have restarted the computer and logged on to the account.

    11. Type 0 (number), and click/tap on OK. (see screenshot below)



    12. In the right pane of the SID key (ex: ...-1014) without .bak now, double click/tap on the State DWORD to modify it. (see screenshot below step 4)

    Note
    If you do not have State, then right click or press and hold on an empty space in the right pane, click/tap on New and DWORD (32 bit) Value, type State, and press Enter.

    The value for this entry will reset and return back to the original value after you have restarted the computer and logged on to the account.

    13. Type 0 (number), and click/tap on OK. (see screenshot below)



    14. When finished, close Registry Editor, and restart the computer.

    15. See if you are able to sign in to the user account now without getting the "User Profile Service service failed the sign-in. User Profile cannot be loaded." error.



    OPTION TWO

    To Delete and Create a new User Profile for the User Account

    Note
    This option will basically delete the user profile of the user account that is getting the error in order to reset and rebuild the user profile to default to fix this error. You will lose all of your account settings and personalization.


    1. If you have another administrator account that is not affected by this user profile error, then sign out of the affected account (ex: Brink), and sign in to the other administrator account.

    Note
    If you do not have another administrator account to sign in to, then you could do one of the following options below to enable the built-in Administrator account to sign in to, and continue on to step 2 below.

    A) Boot into safe mode, enable the built-in Administrator, sign out, and sign in to Administrator.

    OR

    B) Open a command prompt at boot, enable the built-in Administrator, restart the PC, and sign in to Administrator.


    2. Back up anything that you do not want to lose in the C:\Users\(user-name) profile folder (ex: Brink) of the affected user account to another location. When finished, delete the C:\Users\(user-name) folder.

    3. Press the Windows + R keys to open the Run dialog, type regedit, and click/tap on OK.

    4. If prompted by UAC, then click/tap on Yes.

    5. In Registry Editor, navigate to the location below. (see screenshot below)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList



    6. In the left pane under ProfileList, click on a SID key (S-1-5-21....long number). (see screenshot above)
    NOTE: Usually, it will be for the SID key that has .bak at the end of the long number.

    A) In the right pane of the SID key, look at the ProfileImagePath value to see if it is for the same user account name (ex: Brink) that has the user profile error.

    B) If not, then repeat step 6 until you find it, then go to step 7 below.

    7. Right click or press and hold on the SID key (ex: ...-1014.bak) found in step 6, and click/tap on Delete. (see screenshot below step 5)

    8. Click/tap on Yes to confirm.

    9. If there is another SID key (ex: ...-1014 at end) with the exact same long number from step 6 for the same user account (ex: Brink) without .bak at the end of it, then repeat steps 7 and 8 above for it as well.



    10. When finished, close Registry Editor.

    11. See if you are now able to sign in to the user account (ex: Brink) from step 1 without getting the "User Profile Service service failed the sign-in. User Profile cannot be loaded." error.

    12. If successful, the affected account's (ex: Brink) user profile will be recreated and no longer receives the error. You can then copy any files you want back from the back up created at step 2.


    Regards, Prabhu

    Thursday, July 16, 2015 11:25 AM
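The ProfileList walk-through in OPTION ONE above can be scripted so the state of every SID key is visible at once and the .bak swap is done consistently. This is an added example, not part of Prabhu's post or Microsoft's guidance; the SID parameter is a placeholder you supply, and nothing is changed unless -Repair is given.

```powershell
# Added example: inspect HKLM\...\ProfileList and optionally apply OPTION ONE's repair
# (drop the .bak suffix, reset RefCount and State to 0) for one SID. Run elevated on the
# affected session host. Without -Repair the script only reports what it would do.
param(
    [string]$Sid,      # placeholder, e.g. 'S-1-5-21-...-1014' (the real SID from the registry)
    [switch]$Repair
)
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Report every SID key, its ProfileImagePath, State/RefCount, and whether it is a .bak copy.
Get-ChildItem $profileList | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    [pscustomobject]@{
        Key              = $_.PSChildName
        ProfileImagePath = $p.ProfileImagePath
        State            = $p.State
        RefCount         = $p.RefCount
        IsBackup         = $_.PSChildName.EndsWith('.bak')
    }
} | Format-Table -AutoSize

if (-not $Sid) { return }
$good = Join-Path $profileList $Sid   # key without .bak: the current (bad) profile, step 7
$bak  = "$good.bak"                   # key with .bak: the hopefully good backup

if (-not (Test-Path $bak)) {
    Write-Warning "No $Sid.bak key found; nothing to restore."
    return
}
if (-not $Repair) {
    "Would rename $Sid -> $Sid.bk, $Sid.bak -> $Sid, $Sid.bk -> $Sid.bak, then reset RefCount/State. Re-run with -Repair."
    return
}
# Step 8 (only a .bak key) or step 9 (both keys): swap via a temporary .bk name.
if (Test-Path $good) { Rename-Item -Path $good -NewName "$Sid.bk" }
Rename-Item -Path $bak -NewName $Sid
if (Test-Path "$good.bk") { Rename-Item -Path "$good.bk" -NewName "$Sid.bak" }
# Steps 10-13: reset RefCount and State on the restored key.
Set-ItemProperty -Path $good -Name RefCount -Value 0 -Type DWord
Set-ItemProperty -Path $good -Name State    -Value 0 -Type DWord
"Restored $Sid from its .bak copy; restart the computer and test the logon (step 14-15)."
```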
  • Hi Prabhu,

    I have tried this but it does not work for me.


    KL_Dane

    Thursday, July 16, 2015 12:22 PM
  • can you check http://answers.microsoft.com/en-us/windows/forum/windows_7-security/error-windows-cannot-log-you-on-because-your/e30ad127-d9fd-48b1-b1e9-f2b60b01167f?auth=1

    You may get some clues towards a resolution.


    Regards, Prabhu

    Thursday, July 16, 2015 12:58 PM
  • Hi Prabhu,

    I don't have any such events in the application logs, only the two i linked earlier.


    KL_Dane

    Friday, July 17, 2015 9:41 AM