Citrix profile issues/access denied

[Dan]

We are having serious problems with roaming profiles for
Citrix. When users log on, they get the folling message:

User Environment
Windows cannot log you on because the profile cannot be
loaded. Contact your network administrator.
DETAIL - Access is denied.

Now, being a network administrator, this comes as a bit
of a surprise to me, as the user has full control over
their profile folder (on a separate server).

We have a 6 server farm, active directory.

The strange thing is that I can switch them from using
our published application (which picks one of the servers
for them) to logging on directly to a specific
MetaframeXPe server, and they will be able to log onto
ONE SPECIFIC SERVER every time; they will get
the "ACCESS DENIED" message on the other five (I have to
try logging them into each of the servers to figure out
which one will work, then they have to stick with that
one). I had been setting them up with a connection to
the one server that was allowing them in, but that's not
really fixing the problem.

Now the issue is coming to a head because one of our
servers has a specific app we limit to only some users;
the app is ONLY on that one server. Now people that need
to use the app are becoming unable to log into that
server to use the app.

HELP!!!

Does ANYONE know what is causing this, have a fix or a
better workaround (NOT including 'make them all new
profiles!'). Does anyone know if Microsoft has
acknowledged this issue or if they plan to?

This issue is getting worse and worse!

THANKS!

 

[Mack M]

Few things to look at. Hope this helps...

1. Look in the Documents and Settings folder for the user
that cannont login. Most likely you will see a leftover
folder for them. Delete that folder and have them try
again. This should fix the problem... at least until
they do not logoff properly again. Which is probably
cause the issue in the first place.

2. If you are unable to delete the folder because a
registry file is still in use you will need to open
regedt32 and unloaded the appropriate sub-hive in the
HKEY_USERS hive. Each logged on users has two sub-hives
loaded one is the SID of the user object the other is the
object SID with an _classes extension. This is the one
you want to look for. Any classes hive the does not have
a corresponding SID hive can be unloaded safely. Having
to that you should be able to delete the folder in
Documents and Settings.

3. If the you does not have a folder in Documents and
Settings look at the TEMP folder in Docs and Settings.
You may have to remove that if the security settings show
that the user has access to it.

 

[Robin Caron]

I've written a freeware service that will eliminate error event Userenv/1000
where the text of the message says Windows cannot unload your registry class
and the error is Access is denied.

http://groups.google.com/groups?&selm=#[email protected]

Contact me for more details if you are interested.

 

[Daniel Hawthorne]

Hi Dan,

Do you know when this issue started?

I only ask because we had a problem with roaming profiles
after installing the RPC hotfixes that MS released.

Eventually MS agreed that installing either of the 2
hotfixes, the original or the newer one, can cause
problems with roaming profiles. The hotfix for this issue
is 827825 but the last I knew there is still no KB
article for it. You will have to call MS and request the
hotfix.

The basic issue was that when the user signs off, it
believes the profile is still in use and will not delete
it. This means that there roaming profile is not updated
and you will start seeing lots of profile directories
building up. Unless the server is restarted, you can't
delete them easily either. This may be why your users
have problems logging on.

Hope this helps.

Daniel.

 

[Dan]

OKAY HERE IS THE FIX FOR ALL WHO ARE INTERESTED!

The cause was the Blaster worm patch somehow conflicting
with other hotfixes. We needed to keep the Blaster worm
patch (obviously), so:

Uninstall Hotfix #Q328310
Uninstall Hotfix #Q329170

This seems to fix the problem.

Until Microsoft puts something in the knoledge base this
is your best bet if you come across this identical
problem. Check the error log, you will see EventID: 1000
errors (you may have to look for them a bit). That's the
problem we were having.