AD clients NTuser.dat locked on login

We're having problems with some of the users on our AD domain. They get userenv 1508 errors (among others) when they try to log in the first time in the morning.

Some background:
Our original domain is an NT domain. All users on the AD domain (except 1 or 2) were migrated from the NT domain to the AD domain using Microsoft's AD migration tool.

The AD domain is win2k3 r2 (upgraded to r2), the clients are xp.

We were migrating users from the NT domain in a staged fashion and some had been working fine for a couple of months.

One Friday night I made some GPO changes to try to correct some time sync problems, and get the PDCE to sync with an external source.

The following Monday morning there was a rash of issues with people getting warnings that their profiles couldn't be loaded and temp profiles were being created.

It would be an unbelievable coincidence if the two events were not related (I don't believe it).

Most were able to reboot and get loaded correctly but several profile rebuilds were required.

I backed out the changes I had made previously but the problems persisted in the following days. The user could log in and out all day long with no problem, but overnight the issue was created.

At a suggestion from another site, I tried GPOfix to return the group policy back to default (which was fine because previously the default group policy had been modified and this gave us the chance to default it and instead create our own adjunct policies). However, the problem persists.

About 150 of somewhat over 300 users have been migrated. Of the 150, I'd estimate about 50 of those have experienced the problem. Maybe 6 or 8 experience the problem very consistently. Others come and go. Some seldom have the problem, many have not yet experienced it. We had 11 users reboot yesterday, 16 the day before. The 1 or 2 that were built on the AD domain have not yet had a problem.

Using Sysinternals procmon and process explorer we have determined the cause of the problem (at least in the case of our test subject) is that system (PID 4) is locking the profile's NTuser.dat.

The problem is profile specific as we had our test user attempt to log in and when it failed, log off and attempt to log in under a different account. The attempt was successful.

For those who have daily problems, rebuilding their profiles usually gives good results, but not always permanent.

We have tried installing user profile hive cleaner. Again this had some but not universal success. (and I consider it a band-aid). It worked fine for some of our sample group, but the main test user had little or no improvement.

By logging in under another account, and manually loading the user's profile we have been able to determine that, in the case of the test user, the event causing the issue occurs between 20:00 and 20:45. The user logs out about 15:30 each day but I don't think the event is related to the logout time (I could be wrong).

I think those are the main facts (there are certainly a hundred others).

Does anyone have any idea how we might approach finding a solution to these problems?

Thanks for your help.

All Answers

time shifts

by In reply to AD clients NTuser.dat loc ...

I stated above that the event was occurring 20:00 to 20:45. That was true over the period of several days but I noticed last night that it had shifted to sometime between 20:45 and 01:00 the next morning when I tried it again for grins....

personally I think it's the migrated profiles

by CG IT In reply to AD clients NTuser.dat loc ...

from NT to your new AD. I'm also thinking of the sync to external source, and not sure what that really means. Are you syncing with your NT domain?

But, my 2 cents is, it's a profile problem and it's the migration from NT to AD.

If the SID and profiles don't migrate right, and NT to AD without an upgrade to AD, that's a problem, you're going to get this behavior.

We have had that thought

by In reply to personally I think it's t ...

On the 'sync to external source' I'm just talking about getting the PDCE's clock to sync to a standards based source like That is working well now.

We had considered the idea that the migration was the source of the problems as well - although that would reduce the GPO changes to the status of a trigger or complete coincidence.

But we've deleted the user profile on the machine, then had the user log in - which would create a new AD profile on the user's machine. It seems that would resolve any migrated user profile issues.

What additional steps do you recommend that we could give a shot?


so new profiles on the AD domain have the same problem?

by CG IT In reply to We have had that thought

how did you migrate the computer accounts? or did you create new computer accounts and join them to the domain?

If this happens to new user accounts, then I would say it's that group policy that's doing it.

run the RSOP tool on the users OU to see what their group policy is if there is a GP on a user OU or do it domain wide.

Repeating RSOP is a thought

by In reply to so new profiles on the AD ...

We migrated the machines using the Microsoft AD migration tool, which migrates the machine and the local profiles. I'm not sure how domain accounts were brought over from the NT domain. That was handled by someone else who has since taken a position with another company.

We haven't really had any new accounts that we have built on the domain. We have considered - on the test user - deleting her account from the domain, her domain account from the PC, creating a new account on the domain, then having her log in to the domain and copying her user data (which would be copied into a temp folder) back to her new profile. To see if that would have any effect. I was kind of saving that as a last resort.

I had run RSOP early on in the problem but it might be a good idea to take another look at that as well...

could be problems with the SID

by CG IT In reply to Repeating RSOP is a thoug ...

in using the ADMT to move machine and local machine user accounts [local machine aren't domain but you can make em domain].

I'd get a user, back up their profile, unjoin the comp from the domain, rejoin it, create an Active Directory user account on the DC. Then let her log in, log off.

I'd also export her domain profile, do the repair corrupt profile with the exported profile, import it and try that, see if her account locks out.

if not, I'd then try this with a computer that hasn't been unjoined from the domain, see if it's the machine computer account that was migrated.

users' SID is your problem

by alashhar In reply to AD clients NTuser.dat loc ...

The users' SIDs have not migrated during the migration from NT to 2k3, so the users' SID numbers on the users' PCs are not the same as in AD, or the users' ProfileImagePath registry entries are duplicated with other users' ProfileImagePath. Therefore try the following:
solution 1:
(1) Please make sure you have backed up the registry key before you delete anything.
(2) Run regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
(3) Delete the SID keys in all the profiles (ProfileList\<SID>).
(4) Test and see if the problem is fixed.
solution 2:;en-us;811151
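
The duplicated-ProfileImagePath hypothesis in the post above can be checked against the registry backup taken in step (1) before any key is deleted. This is an added example, not part of the thread: the function names are illustrative, and the SIDs and account names in `SAMPLE` are constructed.

```python
import re
from collections import defaultdict

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

def decode_expand_sz(hex_text):
    """Decode regedit's hex(2) form: comma-separated UTF-16LE bytes, NUL-terminated."""
    raw = bytes(int(b, 16) for b in hex_text.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")

def parse_profile_list(reg_text):
    """Return {SID: ProfileImagePath} from the text of an exported ProfileList key."""
    reg_text = re.sub(r"\\\r?\n\s*", "", reg_text)  # join "\" line continuations
    profiles, sid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # new key: remember its SID, or None for other keys
            m = re.fullmatch(r"\[.*\\ProfileList\\(S-[\d-]+)\]", line, re.I)
            sid = m.group(1) if m else None
        elif sid and line.lower().startswith('"profileimagepath"=hex(2):'):
            profiles[sid] = decode_expand_sz(line.split(":", 1)[1])
    return profiles

def shared_profile_paths(profiles):
    """Return {path: [SIDs]} for each profile folder claimed by more than one SID."""
    by_path = defaultdict(list)
    for sid, path in profiles.items():
        by_path[path.lower().rstrip("\\")].append(sid)  # Windows paths ignore case
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}

def _export_value(path, width=8):
    """Sample-data helper: encode a path the way regedit writes REG_EXPAND_SZ."""
    hx = ["%02x" % b for b in (path + "\0").encode("utf-16-le")]
    rows = [",".join(hx[i:i + width]) for i in range(0, len(hx), width)]
    return '"ProfileImagePath"=hex(2):' + ",\\\n  ".join(rows)

# Constructed sample export (SIDs and account names are made up, not from the thread).
OLD = "S-1-5-21-1000000001-1000000002-1000000003-1104"  # hypothetical pre-migration SID
NEW = "S-1-5-21-2000000001-2000000002-2000000003-2210"  # hypothetical AD SID
SAMPLE = "Windows Registry Editor Version 5.00\n\n" + "\n\n".join(
    "[%s\\%s]\n%s" % (KEY, sid, _export_value(path)) for sid, path in [
        ("S-1-5-18", r"%systemroot%\system32\config\systemprofile"),
        (OLD, r"%SystemDrive%\Documents and Settings\jdoe"),
        (NEW, r"%SystemDrive%\Documents and Settings\JDOE"),
        (NEW[:-4] + "2211", r"%SystemDrive%\Documents and Settings\asmith"),
    ])

if __name__ == "__main__":
    for path, sids in shared_profile_paths(parse_profile_list(SAMPLE)).items():
        print(path, "is referenced by", ", ".join(sids))
```

A real regedit export is a UTF-16 file, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_profile_list`.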

Tried some stuff

by In reply to users' SID is your proble ...

Hi guys,

Thanks for the help so far. I tried Alashhar's suggestion tonight. It essentially has the same effect as rebuilding the profile since Windows can't find the profile info in the registry. It created a "user.domain" path in Documents and Settings. I copied the user's files back in from there. We'll see what happens tonight/tomorrow...

I also ran a gpresult /z on the user's machine and compared it against my own. I didn't see anything there but I can post it if you want.

CG IT's full-blown removal/readd is still on the table as well...

did you try the corrupt profile to new profile method?

by CG IT In reply to Tried some stuff

As long as the computer account is ok, then creating a new user profile in AD, then taking the guts of the old user profile and putting it in the new AD profile sans the 3 main files ought to work. But if the computer account isn't correct, e.g. something messed up with ADMT moving them over, then I think your freeze isn't user account based but computer accounts [bad SID].

event viewer

by alashhar In reply to Tried some stuff

Does Event Viewer show any errors? If so, please post them.
