Windows Server 2008 R2 Roaming Profile issues.

  • Question

  • Our domain is running Windows Server 2008 R2 and all the workstations are Windows 7.

    On a regular basis we keep getting accounts automatically locking out when the user has logged on to his account (therefore we are constantly unlocking through AD until we get the chance to fix it).

    The fix is as follows.

    1. Remove user's local profile

    2. Remove user's registry profile (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList)

    3. Rename user's roaming profile

    4. Log in as user to create new roaming profile

    5. Copy user's old profile to new profile (sometimes with NTUSER data, sometimes without)

    Any ideas why this keeps happening, because it is becoming a burden.

    Sunday, September 22, 2013 9:13 AM

Answers

  • Hi,

    The account lockout issue could be caused by many factors, such as programs, service accounts, low bad password threshold, AD replication and redundant credentials.

    At this time, in order to narrow down the cause of the account lockout issue, I suggest we try to enable Auditing policy, Netlogon Logging and Kerberos Logging to capture the information about the accounts that are being locked out.

    Enable Auditing at the Domain Level

    To view the Auditing policy settings, in the Group Policy MMC, navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy. Enable auditing for the event types listed in the previous section.

    Enable Kerberos event logging on a computer

      1. Click Start, click Run, type regedit, and then press ENTER.
      2. Add the following registry value to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters registry key:

        • Registry value: LogLevel
        • Value type: REG_DWORD
        • Value data: 0x1

         If the Parameters registry key does not exist, create it.

    Close Registry Editor and restart the computer.

    Regarding enabling Netlogon logging, we could refer to the following article:

    Enabling debug logging for the Net Logon service

    For details about troubleshooting account lockout issue, please refer to the articles below:

    Troubleshooting Account Lockout

    Maintaining and Monitoring Account Lockout

    User Account Lockout Troubleshooting

    Virus alert about the Win32/Conficker worm

    Hope this helps

    Best regards

    Michael

    Monday, September 23, 2013 11:09 AM
    Moderator
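
Once the Netlogon debug logging suggested in the answer above is enabled, the failed logons it records can be tallied per source machine to see where the bad passwords come from. This is an added example, not part of the original thread or of the linked articles; the log line layout the regex expects, the constructed sample lines (CONTOSO and the host names are invented) and the function names are assumptions.

```python
import re
from collections import Counter

# NTSTATUS codes that matter for lockout triage.
STATUS = {0xC000006A: "wrong password", 0xC0000234: "account locked out"}

# Assumed line layout (optional "[pid]" and "DOMAIN:" prefixes, optional "(via X)"):
# MM/DD HH:MM:SS [LOGON] DOM: SamLogon: <type> logon of DOM\user from HOST (via SRV) Returns 0x...
LINE_RE = re.compile(
    r"^\d\d/\d\d \d\d:\d\d:\d\d \[LOGON\] (?:\[\d+\] )?(?:\S+: )?SamLogon: "
    r".*?logon of (?P<account>\S+) from (?P<source>\S*)"
    r"(?: \(via (?P<via>\S+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

def lockout_sources(lines):
    """Return {account: Counter({(source, reason): count})} for failed logons."""
    result = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a SamLogon result line
        reason = STATUS.get(int(m["status"], 16))
        if reason is None:
            continue  # success (0x0) or a status unrelated to lockouts
        account = m["account"].lower()  # account names are case-insensitive
        source = m["source"].upper() or "(unknown)"  # tolerate an empty source field
        result.setdefault(account, Counter())[(source, reason)] += 1
    return result

def top_source(lines, account):
    """Machine that sent the most wrong-password attempts for the account."""
    hits = Counter()
    for (source, reason), n in lockout_sources(lines).get(account.lower(), {}).items():
        if reason == "wrong password":
            hits[source] += n
    return hits.most_common(1)[0][0] if hits else None

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = r"""
09/22 09:01:10 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-014 (via FS01) Returns 0xC000006A
09/22 09:01:12 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-014 (via FS01) Returns 0xC000006A
09/22 09:01:15 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-022 Returns 0x0
09/22 09:01:20 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\JDoe from wks-014 (via FS01) Returns 0xC0000234
09/22 09:02:00 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from WKS-031 Returns 0xC000006A
""".splitlines()

if __name__ == "__main__":
    for acct, counts in lockout_sources(SAMPLE_LOG).items():
        print(acct, dict(counts))
```
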

All replies

  • Antivirus blocking the profile from loading (or the AV on the server taking too much time to scan/open the file)? Test it on a workstation where it happens a lot, by removing it in the worst case.


    MCP | MCTS - Exchange 2007, Configuring | Member of TechNet Wiki Community Council | French Moderator on TechNet Wiki (Translation Widget)

    Monday, September 23, 2013 1:42 AM
    Moderator