Group Policy Central

If you have are one of the many people who have checked out my Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization) post you probably know that roaming profiles can be super useful feature to implement. However over the years roaming profiles have got a bit of a bad wrap as sometime things can and do go wrong. In these case the IT administrator is usually left with no other option than to reset the users profile to solve a issue with their account.

Tip: Make sure that the issue is related to the users roaming profile by testing another account with the same or similar privileges on the same computer. If the other computer account also has the same issues or if the issues seems to does not follow them to other computers then it is highly unlikely it is a roaming profile issue.

So lets assume you have troubleshoot this issue for many hours and you are at your wits end about to rip out your hair (if you have any) and have decided to reset the users profile… how do you do it?

In Windows XP days you could just delete the users local and roaming profile files and the next time the user logged on they would generate a new profile. However if you do this in Windows 7 you will find that this no longer works…

So what is the correct way to reset a roaming profile in Windows 7?

Step 1. Open Active Directory Users and Computers and to the profile tab of the user account you want to reset. Now take note of the roaming profile path….

Step 2. Reboot the users computer that is having issues and logon with an account that has local admin and is NOT the account you are tyring to fix.

Step 3. Open control panel and type “Advanced” in the search field then click on “View advanced system settings”

Step 4. Click on the “Advanced” tab and under User Profiles click the “Settings” button

Step 5. Now select the user you want to reset the profile and press the “Delete” button.

Step 6. Press “Yes”

And now the local copy of the roaming profile is deleted you also need to remove the network copy…

Note: If you have implemented folder redirection as per my Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization) then the vast majority of the users information will not be part of the users roaming profile. This means other than a few program setting the users is unlikely to lose any work. The exception to this is the AppData folder however if you are trying to preserve this folder as well note you may be copying over the issues that are trying to fix.

WARNING: Always be careful you have everything backed up before deleting any users profile.

Step 7. Before you log off that computer go to the path you noted in step 1 and delete (or rename) the roaming profile for that users on the network.

Note: You many need to take ownership of the folder before it can be deleted.

Tip: To avoid having to take owner ship of the roaming profile be sure you have enabled the  Add the Administrator security group to roaming users profiles setting.

How to fix the “You have been logged on with a temporary profile” issue in Windows 7

So… that was the easy way… But what do you do if just deleted the users profile files and now the users is “logged on with temporary profile” like you did back in the Windows XP days….

Step 1. Reboot the computer again and logon as the local admin.

Step 2. Open Regedit and go following registry key path:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Step 3. Find the Profile that has the ProfileImagePath of the users you are fixing and delete that entire key.

Step 4. Log off and logon as the user you are trying to fix.

TIP: If this is successful make sure you get the use to log off straight away so the new profile is save to the network which will then propagate to any other computer when then log on.

Hopefully this will have fixed your roaming profile issues and the users is now back up and running with a minimum of fuss… Of course some of the users personal settings may have been lost but hopefully a well managed SOE should allow them to run all the essential programs with little to no additional set up.

Source: I found the registry key trick from this TechNet Forum article http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/5ec0b949-effa-4e30-ba09-dc948a4c7a8b

Another one…? yes… Another roaming profiles group policy for this weeks setting of the week. But this is a really super cool policy I found while reading the “What’s New in Folder Redirection and User Profiles” (via @stealthpuppy ) document that Microsoft recently published. This document mainly goes through the new features with folder redirections in Windows 7 however it also mentions the new group policy/feature called “Background upload of a roaming users profile’s registry file while user is logged on”.

This setting can be found under Computer Configuration > Administrative Templates > System > User Profiles and is specific to Windows 7 or Windows Server 2008 R2.

This policy setting would be very useful as a way to ensure that at least part of a users profile is save to the network if they are they type that never like to log off their computer at night.

There are a few points about this policy which I have summarised below:

• Only synchronises the users registry profile (ntuser.dat) so things like desktop icons and favourites wont sync. (This is what folder redirection is for any way).
• There are two modes of scheduling the update
  • Run at set interval – Between 1 hour and 720 hours (30 days).
  • Run at specified time of day – useful if you only want to run this at 3am so that it only applies to users who stay logged on over night.
• The schedule will run randomly any time up to an hour after it is supposed to run so to not load the file server with a large number of concurrent requests.
• If you choose one method of scheduling then it will ignore the set value of the other schedule.

I also have a very strong suspicion that this setting is only compatible if you have Windows 2008 (or later) as the file server so that it can handle the copying of the locked file (ntuser.dat). Please ping me if you can confirm this.

This setting is another profile related setting however I think the focus is warranted as so many organisations use roaming profiles. This setting is called “Prevent Roaming Profile changes from propagating to the server” and can be found under  Computer Configuration > Policies > Administrative Templates > System > User Profiles and like the previous setting work on Windows XP / 2003 or above.

This setting would be very useful to apply to computer that have un-usual configuration that might other wise make unwanted changes to a users roaming profile. This setting would essential prevent any changes made to the users profile propagating to other workstations. One example where this could be used is when you want to test a new application with a real users account.

This week I have decided to chose “Add the Administrator security group to roaming users profiles” as the setting of the week. This setting can be found under “Computer Configuration > Policies > Administrative Templates > System > User Profiles” and applied to Windows XP / 2003 or later.

This setting adds the administrator ACL to the users roaming profile path on the server when it is first created. This greatly helps your user administrator as they don’t need to perform complicated take ownership and permission changes when they need to access a users profile to do something like a file restore or profile move.

In my experience unless the privacy of the users personal files on your companies file server needs to be guaranteed this option is normally enabled.

BUT!!!! Be very sure that you enable this option as soon as possible as this setting does NOT apply retrospectively to existing users profiles as it only applied the administrators group to the profile when the roaming profile when  it is created on the server for the first time.

(This will hopefully be the first of many Group Policy Setting of the Week (or GPSW) articles where I will showcase one policy setting and what it does.)

I just read about this cool new policy setting on the “Ask the Performance Team” blog that will help address the issues of computers hard drives filling up over time with multiple user profiles. Previously you either had the option to purge the local users profile on log off or keep a cached copy of the profile forever. Either users would have to download their profile every time they logon to the computer which could greatly slow down the logon process or their cached profiles was never deleted which resulted in the system drive running out of space. This new setting “Delete user profiles older than a specified number of days on system restart”  allows you to set a timer on the local cached profiles so that they will be purged X number of days after being used. This means users who commonly logon to a particular computer will still have their profile cached but users that logon seldomly will have their files cleaned up thus saving precious disk space.

This might sound like a great setting to implement on a Terminal Server however note the clean up wont happen until the server is rebooted. This restriction should not be so bad as Terminal Servers are probably rebooted at least once a month any way for patching (you do patch your terminal servers don’t you?).

This setting can be found under Computer Configuration \ Policies \ Administrative Templates \ System \ User Profiles

Source: http://blogs.technet.com/askperf/archive/2009/11/03/just-me-and-my-profile-part-2.aspx