Thursday, November 02, 2006

Fixing Temporary Profiles and User Profile Wizard 2.5

One of the best things about User Profile Wizard is that it is extremely reliable. At ForensiT we spend quite a lot of time helping customers get their migration scripts right, but once everything is working it tends to stay working. There is however, one support question that keeps coming back to haunt us. What is even more frustrating is that it isn't even our problem.

A typical support call will begin like this:
I used your User Profile Wizard tool to migrate my workstations to a new domain a few months ago, and at the time everything went great. Recently, however, several users have tried to login to their workstations and they receive an error message stating that the profile is corrupt (or something) and Windows loads a temporary profile.
What the user seeing is this:

Cannot load profile

It's that phrase "corrupt local profile" that is really scary. (Users tend to skip over the "Possible causes of this error..." part, and just read that.) If the user then clicks "OK" they get this message:

Temporary profile

The good news is that the profile is not corrupt. If we check the computer's Application Event Log we can see the following error:

Event 1508

In this case, salvation is in the DETAIL: "The process cannot access the file because it is being used by another process..." The file in question is ntuser.dat - the file that holds the registry part of the user's profile; which is to say, the data that you see under HKEY_CURRENT_USER if you run regedit when the user is logged on. So what's going on?

Here's the deal: Windows cannot load the same profile twice. Windows cannot load the profile here, because it is already loaded for someone else.

How could that be? One possibility is that the profile has already been loaded by a process, such as a Service, which uses the credentials of an account that shares the user profile of the user who is trying to log in. To get the screenshots above, I changed the configuration of the WMI Performance Adapter Service on a test machine so that it logged on with the local Administrator account:

WMI Service

I then ran User Profile Wizard so that my account would share the profile of the local Administrator account, and then I tried to logon...

We do sometimes see the "cannot load profile" error caused in this way - but not often. Usually the problem occurs because the user has logged on with, say, their local account, logged off and then logged on again with their domain account - which just happens to share the same profile as their local account. In theory this shouldn't be a problem: when the user logs off, Windows should unload their profile so that if they logon with a different account that uses the same profile it won't be "being used by another process." Often - usually - that's the case. Unfortuantely, it doesn't always work that way.

This is such a common problem that there is even a Microsoft Knowledge Base article on the subject. You can find it here:;en-us;837115

The article states:
This issue may occur if Microsoft Windows or third-party programs such as printer drivers or virus scanners do not stop and release resources when you log off your computer.
The fix given is to install the Microsoft User Profile Hive Cleanup Service (UPHClean) . Unfortuantely, although this works in many cases, some customers report that it does not. What's more, you shouldn't really need to install a new piece of software if all you want to do is migrate a user's workstation - and the user's profile - to a new domain.

So what to do? What we've done in User Profile Wizard 2.5 is simply to have the Wizard not share the profile (by default.) So, for example, say you have to migrate a machine from Novell NDS to Active Directory. You run User Profile Wizard to join the machine to the new domain and migrate the user's existing local account profile so that it can be used by their new domain account. By default, once User Profile Wizard 2.5 has completed the migration it will break the link between the original local user account and the original profile. When the user logs on with their new domain account, they get the profile they have always had. If however, they logon with their original local account Windows will create a new profile for the local account.

If you want to continue to share the profile, so that it is used by both accounts, you must check the "Share Profile" check box:

Temporary profile

Running from the command line, you need to use the /NOREMOVE switch. Be aware, however, that some piece of software on the machine might cause you to get the temporary profile error.

User Profile Wizard is essentially a migration tool. If a profile needs to be used regularly by more than one user account, you should be looking at User Profile Manager. Windows cannot load the same profile twice, but User Profile Manager can.

That's it for this post. Next time I'll discuss some of the features of Vista, and the changes we've had to make to User Profile Wizard.