none
Domain joined but trying to log on gives temporary profile only

    Question

  • I've joined our corporate domain fine, but every time I try to log in, I get the following message:

    "You have been logged on with a temporary profile.  Try logging in later...

    I've tried to find any tpoics regarding this and found none.  Anyone seen this or have any ideas to rey.  I've unjoined and rejoined the domain several times to rule that out, and can get nothing to change.  Thanks,
    Wednesday, April 22, 2009 7:33 PM

Answers

All replies

  • Hi,

     

    I haven’t encountered similar issue. However, you can refer to the following KB to troubleshoot the problem.

     

    A temporary profile is loaded after you log on to a Windows Vista-based system

     

    Hope it helps.

    Friday, April 24, 2009 8:25 AM
  • I have a similar problem.  I have had the issue with 2 different machines on the same network.  I did not have this problem with build 7000. I guess it would be good to say I am running RC x86 build 7100.

    The first issue I had was after joining the domain.  Using a restricted user account I was unable to login to the workstation.  However, using a domain admin account I was.  With a restricted user account I would receive a bunch of application errors, starting with explorer.exe “The application was unable to start correctly (0xc0000005)” and would never be presented with a shell/desktop, and any time you tried to launch a task you would receive the same Application error as above.  Even when trying to open task manager using the keyboard shortcuts you would get the same “application was unable to start” error.  So my first thought was well I’ll just elevate the user account to be a local administrator and see if that resolves the problems.  So I added the domain user group to the local administrators group on the local workstation. Logged out and then back in.  That’s when I receive the Local profile message that the post above are talking about.  So I followed the directions in the link http://support.microsoft.com/kb/947242.  That resolve the local profile problem, and now when the restricted user account logs in it at least gets a explorer shell and desktop.  However, whenever you try to launch some application as the restricted user error you still get the “application was unable to start error”. Applications like regedit, mplayer, mspaint, mstsc will not run… it seems to be faster to list the things that do work.  I can open eventvwr and calc.  Maybe something with UAC, has anyone else run into similar problems?

    Monday, May 04, 2009 3:00 PM
  • Well it looks like I was going the wrong direction, and I probably posted this in the thread.  I have limited my problem down to a User GPO, and it seems to be specific to the order the GPOs process.  Strange that it would break between builds.  But I am still trying to track down the specific setting that is causing the problem once I have it nailed down, I will post the results.

    Monday, May 04, 2009 9:01 PM
  • I have a similar problem except I don't get the "temporary profile error" I just get "The application was unable to start correctly" on ALL logins when joined to the domain even with the local accounts. Unable to start anything. Running in safe mode w/networking I'm able to do everything just fine...login as domain user connect to network shares. I guess the next thing is to try isolating services one by one. I don't even get anything in my event logs that give me a clue to what's happening other than "explorer displayed a pop up"
    Keep your head in the Clouds as you're coding .NET http://azurecoding.net
    Tuesday, May 05, 2009 2:13 PM
  • Same issue.  Domain account only gets temporary profile when logging in to RC machine. Robinson Zhang's linked solution did not fix issue.
    Wednesday, May 06, 2009 4:56 PM
  • We are able to join a Windows Domain on the network but unable to login using domain accounts. 

            Attempts to do so end up with an error "The username or password is incorrect".
    Wednesday, May 06, 2009 6:15 PM
  • Same issue.  Domain account only gets temporary profile when logging in to RC machine. Robinson Zhang's linked solution did not fix issue.

    Update:  I can log in to the RC machine with a domain account that has no profile path specified.  When logged in, I cannot access the network share where the domain profiles are stored (even though the logged in user has share and file rights, and can access this share from an XP workstation).  Trying to access this share gives:

    \\server\share is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

    A device attached to the system is not functioning
    .

    • Proposed as answer by Tom Ruff Thursday, May 07, 2009 9:01 PM
    Wednesday, May 06, 2009 6:52 PM
  • Oops...hit the wrong button.  Didn't mean to propose the previous post as an answer.  Sorry.

    Anyway - I was having trouble mapping network drives when logging into our 2003 domain from the RC.  The logon scripts would not run because I could not access the \\Domain\sysvol share where they were stored.  Perhaps your profile issue has the same cause.  In my case it was that my domain user account had the "Use Kerberos DES encryption types for this account" box checked.  After unchecking that box I was able to access the share and log in correctly.
    Thursday, May 07, 2009 9:08 PM
  • Ok, so I finally got a chance to sit back down with this issue.  It is fairly simple to recreate.  I am not sure if it is an incompatibility with my existing GPO that will maybe require updated templates?

    Anyways, I have run it down to the following two conditions.  First the offending group policy must process first in the link order.  Secondly, create a new empty Software Restriction Policy and change “Windows Settings \ Security Settings \ Software Restriction Policies \ Enforcement \ Apply software restriction policies to” from the default to “All software files”.  Now once you link this policy to your users however you like.  You will find whenever a user affected by this policy logs on they will see the error message “The application was unable to start correctly…”   for most of the applications they run, if they are even presented with a desktop (explorer shell) at all.

    In my case this setting was found on a GPO that was blocking the installation and running of Skype.  So for my environment it wasn’t really a big deal to change the setting back to the default of “All software files except libraries (such as DLLs)”. After changing the setting back to the default the symptom went away in my environment.  However, think the error is still lingering in a different form.  I say that, because, on build 7000 using the gpresults.exe I get an output of simply “ERROR:” with no other supporting output.  On build 7100 using gpresult.exe I get “An unknown error occurred while data was gathered for this extension. Details: Unable to cast object of type 'System.String[]' to type 'Microsoft.GroupPolicy.Reporting.Extensions.Registry.UnknownType'.  under ” Windows Settings \ Security Settings  However, using rsop.msc I show no errors to speak of on either builds.

    I just thought I would throw this information out there in case someone has come across something similar or has the true answer for what is going on here.

    Friday, May 08, 2009 7:29 PM
  • I am having the same issues with the temporary profile. Domain account only gets temporary profile when logging in to RC machine. Has anyone found a way to solve this?
    Thursday, May 14, 2009 3:25 PM
  • Ok, so I finally got a chance to sit back down with this issue.  It is fairly simple to recreate.  I am not sure if it is an incompatibility with my existing GPO that will maybe require updated templates?

    Anyways, I have run it down to the following two conditions.  First the offending group policy must process first in the link order.  Secondly, create a new empty Software Restriction Policy and change “Windows Settings \ Security Settings \ Software Restriction Policies \ Enforcement \ Apply software restriction policies to” from the default to “All software files”.  Now once you link this policy to your users however you like.  You will find whenever a user affected by this policy logs on they will see the error message “The application was unable to start correctly…”   for most of the applications they run, if they are even presented with a desktop (explorer shell) at all.

    In my case this setting was found on a GPO that was blocking the installation and running of Skype.  So for my environment it wasn’t really a big deal to change the setting back to the default of “All software files except libraries (such as DLLs)”. After changing the setting back to the default the symptom went away in my environment.  However, think the error is still lingering in a different form.  I say that, because, on build 7000 using the gpresults.exe I get an output of simply “ERROR:” with no other supporting output.  On build 7100 using gpresult.exe I get “An unknown error occurred while data was gathered for this extension. Details: Unable to cast object of type 'System.String[]' to type 'Microsoft.GroupPolicy.Reporting.Extensions.Registry.UnknownType'.  under ” Windows Settings \ Security Settings  However, using rsop.msc I show no errors to speak of on either builds.

    I just thought I would throw this information out there in case someone has come across something similar or has the true answer for what is going on here.


    I can confirm that this is the same issue that was blocking on my side. I will refile my bug on connect using the feedback tool now that I'm up and running.
    Keep your head in the Clouds as you're coding .NET http://azurecoding.net
    Friday, May 15, 2009 3:24 PM
  • It would appear that Windows 7 has a new way of managing software restriction called AppLocker. There might be a conflict between the two.
    Keep your head in the Clouds as you're coding .NET http://azurecoding.net
    Friday, May 15, 2009 5:35 PM
  • I find it frustrating that such a serious issue is getting little to no attention, with no answers available. At any rate, here's my experience, which I just now resolved on my own:

    I've experienced the same issue logging in with my domain account, which is a Windows 2003 Domain Admin account. I got no notification that it was loading a temporary profile, other than seeing, "Preparing Your Desktop" when logging in. Then you go to Computer/Properties/Advanced System Settings/User Profiles/Settings and it shows the profile status as "Temporary". No user settings are saved and when you log in with another profile, the temp one no longer exists. Interestingly, this didn't happen with the Domain Administrator account... only mine! I tried numerous attempts setting file permissions, adding and removing the account as local Admin, etc. to no avail.

    I finally (just now) got my profile to stick. I went to the registry at HKLM/SOFTWARE/Microsoft/Windows NT/Profilelist. I compared the values under the GUID string for the admin account that stuck, against mine. The value on the "State" key for the Admin account was "256" where mine was "644". I switched mine to "256", checked under the user profile settings that it indeed said the profile state was "local", then logged off. I logged back on, and voila... no "Preparing Desktop" message and settings from my last session were retained. However, upon checking, my profile state said "Temporary" again. DOH! I went back to the registry and the "state" key now read "128". Well I switched it to "256" again, and rebooted completely this time. Now after repeated tries, my profile sticks as "local". Apparently if you don't go in and change that value a second time you will loose your profile settings again.

    Well there's my band-aid. Enjoy...

    • Proposed as answer by Slackjaw747 Tuesday, June 16, 2009 9:07 PM
    Tuesday, June 16, 2009 8:23 PM
  • Oh, I should add that you can only modify your state setting under that HKLM key when you are logged in with the problem profile... obviously since that GUID disappears after you log off.
    Tuesday, June 16, 2009 8:32 PM
  • I find it frustrating that such a serious issue is getting little to no attention, with no answers available. At any rate, here's my experience, which I just now resolved on my own:

    It is a pre-release operating system. A bug was filed, they said it's resolved in a later build. They could either waste time on supporting a pre-release OS or they can spend it on getting the OS out the door. My vote's for the latter.
    Keep your head in the Clouds as you're coding .NET http://azurecoding.net
    Saturday, June 20, 2009 5:46 PM

  • It is a pre-release operating system. A bug was filed, they said it's resolved in a later build. They could either waste time on supporting a pre-release OS or they can spend it on getting the OS out the door. My vote's for the latter.
    Keep your head in the Clouds as you're coding .NET http://azurecoding.net

    Unfortunately this is still happening in the RTM. At least it is to me, and only with my login. I've logged into the machine (Win7 Enterprise on Win2003 Domain) with 3 different users all were fine. My login however always gets loaded as a Temporary Profile.

    The registry modification listed in the answer did work for me. I just wonder if this will happen randomly with other users, or was it a fluke occurrence.

    http://support.microsoft.com/default.aspx/kb/947242


    "Since baseball time is measured only in outs, all you have to do is succeed utterly; keep hitting, keep the rally alive, and you have defeated time. You remain forever young." - Roger Angell
    Monday, August 31, 2009 3:55 AM
  • Its still happening with the full blown production version, which my organization has already.

    I am having this same issue with a Server 2008 R2 box that is an RDS Host (Terminal Server). The other 2008 Servers in that TS farm are running the Software restriction policies just fine but the box that was recently upgraded to R2 has this problem and all of them have identical network configurations.

    Has anyone tried to see if a separate policy needs to be made using Applocker instead of the old software restriction policies?
    Friday, September 04, 2009 1:30 PM
  • Hi Grunewald6

    This behavior occurs because the account that you use to log on to the computer is a member of one or more of the following groups: Local Guests Group, or, Domain Guests Group.

    I had the same problem and i solved the problem by removing the user from the domain guests group in the AD.

    there is not need to delete anything from the registry or edit permissions like i read in posts.

    Rergards

    Wednesday, September 01, 2010 12:14 PM
  • Hi Grunewald6

    This behavior occurs because the account that you use to log on to the computer is a member of one or more of the following groups: Local Guests Group, or, Domain Guests Group.

    I had the same problem and i solved the problem by removing the user from the domain guests group in the AD.

    there is not need to delete anything from the registry or edit permissions like i read in posts.

    Rergards


    And how is this done???

    PLEASE HELP-----THANKS

    Thursday, September 02, 2010 1:59 AM
  • I had the same issue with a brand new 2008 R2 VM. For me I nuked the profiles from C:\Users and also loaded up the ProfileList key in the registry. Find the SID for any of the usernames you are having trouble with and delete them.

     

    Worked for me.

    • Proposed as answer by mattypeterson Monday, December 03, 2012 3:28 PM
    Thursday, January 13, 2011 4:44 PM
  • Excellent solution that works for me. Thanks.

    Wednesday, February 16, 2011 1:37 AM
  • Me too. Thank you!
    Monday, February 28, 2011 7:42 AM
  • thank you for you answer, worked for me - i hade user member in domain guest group , just remove the user from guest group and every thing was fine.
    Monday, March 28, 2011 1:39 PM
  • This scenario is for Win7 join to a domain and domain users, with server profiles.

     

    My finding:

    1. Unlike windows XP which creates and upload the profile to the server at the time of logoff; Win7 tries to create the folder at the time of login and if it is unsuccessful it gives you all the hassle.

    2. Also win7 creates the folder in the server with special security access which is not same as XP. it is not done via server security rights, it is done by Win7 which most likely has no access to your server.

     

    Solution: Give the user right to create folder in \\server\profile folder and try to login. it will successfully login and will create another profile for the user named as user.V2 which is not accessible to even administrator. after one time successful loging you can revoke the security right from the user and win7 will use the folder to update profile changes.

     

    Masoud Taghizadeh

    Friday, April 08, 2011 10:08 PM
  • Thanks for your answers, worked for me : Remove the user from domain guests group and/or Local guest group and clean the registry; I deleted all references of SID and GUID of user in the registry.

    Thanks for your help.

     

    Friday, June 22, 2012 1:50 AM
  • Removing user from Domain guests group worked for me.  Also, force an active directory replication once the change is made.
    Wednesday, March 12, 2014 4:37 PM