User Profile being deleted on Logon. NOT Roaming, NOT Guest. Many PCs.


#1 (Posts: 1)


    Hello forums.

    I am an IT admin for a school portraits company.

    We deploy dozens of laptops into the field for support of various applications and services, and today we encountered an issue where Windows is attempting to delete the user profile our operators use.

    I am familiar with situations that can cause this to happen, and a quick Google search re-affirms these issues are still present in Win7, but these issues are NOT applicable and I want to quickly list them so that responses on this thread are unrelated to them and on track to my actual problem.

    1.) Windows will remove your profile if you are a member of the Guests or Domain Guests user group. This is not happening on our machines, and has been confirmed by checking both lusrmgr.msc and RegEdit for SID.bak.

    2.) Windows occasionally will remove your profile if you belong to too many groups and the Kerberos Tokens are overloaded. This is not happening, there are only 2 groups.

    3.) Windows will load a temporary profile if your roaming profile cannot be applied from the domain, if you have left and rejoined the domain, or changed your username. This is not the case. We are using LOCAL profiles only, and explicitly. Local profiles do not have an expiration date. We have not left and rejoined the domain. We have not changed the name or password of the account, or been locked out. Additionally, these user accounts are set up to never expire the password, and prevent users from changing the password.

    4.) Windows will fail to load your profile and attempt to load a temporary profile if your profile has become corrupted. Run ChkDsk against your HDD or MemTest against your RAM. I am hesitant to believe this is the case, but will not rule it out. I am hesitant for 2 reasons, which I will call 4A and 4B.

    4A.) We deploy a hard drive steady state solution called DeepFreeze. I'm sure many of you have heard of it. Similar products are Windows SteadyState, or CompuGuard CornerStone. Essentially the computer is frozen in a state, and once it's booted, operators can make virtual changes to this state that appear to work, for the duration of their session, but in fact no changes are committed to the hard drive, only a virtual disk. Upon rebooting the PC, all actions are reversed, and the same stock system image is loaded every time the machine starts up. So if there was an issue where a specific file or resource was corrupted on the user profile service, including intentional deletion of the entire profile, or NTUser.dat etc., a reboot of the computer 100% of the time restores these files to their working state and operations can resume.

    4B.) We have many machines (about a dozen) that have simultaneously exhibited this issue. There is no way 10 machines' HDDs all got corrupted or crashed on the same day at the same time. I would suspect this could be possible if we had roaming profiles and a problem with the source profile occurred, but again each of these machines employs a LOCAL ONLY profile, not roaming. They are also imaged individually: we did not use Sysprep or cloning software to deploy a standard image to all machines; rather they were set up individually and independent of each other and each have their own SIDs, token cache, license keys, etc.

    What I've noticed so far:

    1. We do NOT get the balloon popup that says your user profile could not be loaded, and we loaded a temp one instead. I've seen these before when we have roaming profile issues, but we get no error or popup at all from Windows when the temp account loads. In EventVwr several alerts indicate a problem DELETING the profile because files are still in use. Okay, but why is Windows attempting to delete the profile at all?

    2. Once it successfully deploys a new profile and logs on, the profile name is the same as the old profile name, but with .%MACHINENAME% attached. So user PC1\Staff would normally log on and in C:\Users\Staff see their files; what's happening now is that after authentication, it says "Preparing Your Desktop", it gives the default desktop, icons, pinned taskbar icons, and moves many things into the Recycle Bin. Loading C:\Users shows both C:\Users\Staff, which is empty, no files or folders at all, and an additional folder, the actively loaded profile, called C:\Users\Staff.PC1. Inside is Desktop, Documents, etc., all the usual profile folders. But none of the files originally in the profile have been moved; this is really just a direct copy of DefaultUser.

    3. When we run CMD, and enter "Echo %UserProfile%", it returns C:\Users\Staff.PC1.

    4. Computers exhibiting the problem were not all exposed to similar conditions: the 12 machines so far that appear to have an issue all came from different job sites, at different locations, some with internet, some without.

    5. Disabling access to the domain controller has no effect. I noticed some other issues referencing an inability to load Group Policies, etc. and thought maybe the domain server was faulting out in delivery of logon-related resources; even though it's a local account they are still joined to the domain and may be attempting to interface with it. So I turned off the wireless network and rebooted the laptops (no Ethernet inserted) so that they are effectively blind to the network and unable to see the domain controller. Rebooting again should revert the corrupted user profile back to good, and when we boot up it still thinks for a minute (longer than before) but eventually goes ahead and loads the temp profile and deletes the usual one.

    6. Both C:\Users\Staff and C:\Users\Staff.PC have a date last modified of the exact time the computer logged on. This tells me the logon service itself is responsible for deleting the account; it wasn't deleted by end users.

    I'm a bit scared to unfreeze the machines and reconfigure the new account. Will we lose everything that was on the old one? Will we always be stuck with this .PC1 %machinename% suffix? Apps we use that normally point at C:\Users\Staff\AppData directly (as opposed to the proper C:\Users\%username%\AppData) will not be able to locate the files.

    7. Machines that are UNAFFECTED still log in just fine. The correct wallpaper, files, etc. are loaded, and in an environment side by side with affected units, they can be restarted and continue to function properly.

    8. If I log on as a domain admin, using DomainName\AdminUserName instead of PC1\Staff, and then proceed to go to C:\Users, I do still see that C:\Users\Staff has been deleted at the time that I logged on. So logging into a different account still deleted the Staff account even if it's an unrelated user.

    Where should I start troubleshooting this? Any ideas what could be happening here?
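The observations in post #1 (SID.bak keys, the Staff.PC1 temporary profile, "profile still in use" events, folder timestamps matching the logon time) can all be collected in one place so an affected and an unaffected laptop can be diffed. The script below is an added example for this thread, not something posted by the author or shipped with DeepFreeze; it assumes Windows 7 with the built-in PowerShell, and the policy value names, State bit meanings and event IDs it mentions are assumptions drawn from Microsoft's documented user-profile flags rather than from anything in the thread.

```powershell
# Added triage script: run elevated on one affected and one unaffected laptop, then diff the output.
# Items marked "assumed" are not from the forum thread.
$since = (Get-Date).AddDays(-7)

Write-Output "== ProfileList entries (SID.bak keys, temp/guest/delete-cache flags) =="
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $profileList | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    $state = 0
    if ($p.State -ne $null) { $state = [int]$p.State }
    # Assumed State bits (PROFILE_* flags): 0x0020 delete cached copy at logoff,
    # 0x0080 guest user, 0x0800 temporary profile assigned.
    New-Object PSObject -Property @{
        SID          = $_.PSChildName
        BakKey       = $_.PSChildName.EndsWith('.bak')   # a .bak key means a reg entry was set aside
        Path         = $p.ProfileImagePath
        State        = ('0x{0:X4}' -f $state)
        DeleteCache  = [bool]($state -band 0x0020)
        Guest        = [bool]($state -band 0x0080)
        Temporary    = [bool]($state -band 0x0800)
        FolderExists = [bool]($p.ProfileImagePath -and (Test-Path $p.ProfileImagePath))
    }
} | Select-Object SID, BakKey, Path, State, DeleteCache, Guest, Temporary, FolderExists |
    Format-Table -AutoSize

Write-Output "== Profile folders and NTUSER.DAT timestamps (compare with the logon time) =="
Get-ChildItem C:\Users -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $hive = Join-Path $_.FullName 'NTUSER.DAT'
    New-Object PSObject -Property @{
        Folder        = $_.Name
        LastWrite     = $_.LastWriteTime
        HiveExists    = (Test-Path $hive)
        HiveLastWrite = $(if (Test-Path $hive) { (Get-Item $hive -Force).LastWriteTime } else { $null })
    }
} | Select-Object Folder, LastWrite, HiveExists, HiveLastWrite | Format-Table -AutoSize

Write-Output "== Profile deletion policies (value names assumed from the User Profiles GPO templates) =="
# CleanupProfiles: 'Delete user profiles older than N days on system restart'
# DeleteRoamingCache: 'Delete cached copies of roaming profiles'
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
foreach ($name in 'CleanupProfiles', 'DeleteRoamingCache') {
    $val = $null
    if (Test-Path $polKey) { $val = (Get-ItemProperty $polKey -ErrorAction SilentlyContinue).$name }
    if ($val -eq $null) { Write-Output "$name : not set" } else { Write-Output "$name : $val" }
}

Write-Output "== Local Guests group membership =="
net localgroup Guests

Write-Output "== User Profile Service events since $since =="
# Assumed IDs worth reading first in the Application log (source 'Microsoft-Windows-User Profiles Service'):
# 1511 temporary profile loaded, 1515/1530 registry hive still in use by another process.
Get-WinEvent -FilterHashtable @{ LogName = 'Application';
        ProviderName = 'Microsoft-Windows-User Profiles Service'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } } |
    Format-Table -AutoSize -Wrap

# The Operational channel records every load/unload/delete step the service took at logon.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-User Profile Service/Operational';
        StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } } |
    Format-Table -AutoSize -Wrap
```

On a frozen DeepFreeze machine anything written to C: is lost at the next reboot, so pipe the output to a USB stick or thawed partition (for example `| Out-File E:\profile-triage-PC1.txt`) before restarting. A profile-age cleanup policy is worth ruling in or out explicitly: on a steady-state image the profile's timestamps never advance past the freeze date, so any "older than N days" rule would fire on every machine on the same day regardless of site or network access, which is the pattern described in items 4 and 5.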


#2 (Posts: 9,746; Windows 7 Home Premium 64 bit SP1)

    Hi LegacyPortraits, welcome to the Forum.

    This sounds like a massive virus infection that has migrated to your computers. Do you have antivirus software installed? If so, you should run virus scans on each computer to see if you can find and eradicate it.

    Some virus and other malicious infections can only be completely removed by a complete reinstallation of the operating system and programs.

    Do you have a regular system imaging backup plan that you could implement if needed?

    Please let us know what you have available.


#3 (Posts: 7,101; W7 Home Premium 32bit/W7HP 64bit/W10 TP insider ring)

    Hi Legacy,

    As these changes all appeared simultaneously, I'd plump for an update, MS/DeepFreeze or a common program on them.

    If I were you, on both a corrupted and a non-corrupted machine run Farbar:
    Farbar Recovery Scan Tool Download

    Compare the results; obviously look for that date as a starting point.

    Roy


#4 (Posts: 1,784; Linux Mint 18.2 xfce 64-bit (VMware host) / Windows 8.1 Pro 32-bit (VMware guest))

    I think you have a bug in DeepFreeze. I immediately thought of DeepFreeze, but I wasn't sure until you said that you were using DeepFreeze. This is the sort of thing DeepFreeze would do, if it thought that the profiles being deleted were not allowed to be kept.

    I would uninstall DeepFreeze from the computers with this issue, then reinstall and reconfigure it. Of course, you could do a backup of these computers before proceeding, if you are concerned about losing data.

    By the way, thanks for the really detailed information you posted. This has taught me some things about Windows that I was not familiar with.
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
