Disappearing Profiles in W2K

Guest

This really pertains to W2K Workstation, but I couldn't find the appropriate
group.

We have a mixed environment of W2K and XP Pro workstations, and recently
upgraded both our servers from W2K to W2K3. Since then (or as near to it as
we can tell), the W2K users will on occasion log in to find their profile has
disappeared or reset. This isn't the permissions issue already covered on
here, as the profile names are not appended 0001, etc. This does not occur
on the XP machines.

We've worked with Microsoft and run all their diagnostics. Our AD checks
out clean. We're already running the Hive Cleaning Service on the W2K
machines, per Microsoft's suggestion. This has greatly reduced the occurrence
of this issue, but just yesterday we've had one go which has already been
manually restored and is running the Hive Cleaner, meaning the others are at
risk as well. Nobody's roaming, so there's little chance of duplicate SIDs.

Microsoft is at a loss on this one... they've had us modify the registry on
these machines to enable some deep-level logging, and for now we just send
them our logs. Anyone have any ideas?

-=Andrei
 
Pegasus (MVP)


Profile folders are deleted by design if their owners are
members of the Guest group.
 
Pegasus (MVP)

Since you've had no replies in almost two weeks I suspect that
no newsgroup contributor has come across this problem before.
This suggests that it is specific to your site. I can readily think of
three possible causes:
- Malicious interference
- Virus/malware
- Forgotten scripting

I have dealt with posts caused by all of the above.

If this was my show then I would do this:
- Make the user the "Owner" of his profile folder.
- Give him full access rights.
- Give read-only rights to the System and the Domain Admin account.
- Remove all other access rights.
- Create a "honey-pot" file inside the profile folder. It should have
full rights for "everyone".
- Create a scheduled task that runs once every hour. Its sole
purpose is to monitor the existence of the honey-pot file, e.g.
like so:
@echo off
rem Log whether the honey-pot file still exists; "else" must stay on the "if" line
if exist "c:\documents and settings\SomeUser\test.txt" (set status=found) else (set status=not found)
echo %date% %time% File %status% >> %SystemRoot%\monitor.txt
- Schedule this same task to run at boot time and at logon time.
- Check the file %SystemRoot%\monitor.txt on a weekly basis. It
is likely to give you valuable information.
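
An added example, not part of the original post: a Python script for the weekly review of monitor.txt that reports each found/not-found flip and the time window that brackets it. The function names are hypothetical, the sample log lines are constructed, and the timestamp layout assumes a US-English %date% %time% expansion.

```python
import re
from datetime import datetime

# Constructed sample of %SystemRoot%\monitor.txt. Assumed format: US-English
# %date% ("Tue 05/10/2005") and %time% ("14:00:01.23", hour padded with a space).
SAMPLE_LOG = """\
Tue 05/10/2005 14:00:01.23 File found
Tue 05/10/2005 15:00:01.10 File found
Tue 05/10/2005 16:00:00.98 File found
Wed 05/11/2005  8:02:13.55 File not found
Wed 05/11/2005  9:00:01.02 File not found
Wed 05/11/2005 11:00:00.87 File found
"""

LINE_RE = re.compile(
    r"^\w{3} (\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}:\d{2})\.\d{2} "
    r"File (found|not found)\s*$"
)


def parse_log(text):
    """Return [(timestamp, present)] for every well-formed line, in file order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or truncated lines rather than guessing
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %H:%M:%S")
        entries.append((stamp, m.group(3) == "found"))
    return entries


def state_changes(entries):
    """Return [(kind, last_old_state_time, first_new_state_time)] per flip."""
    changes = []
    for (t0, s0), (t1, s1) in zip(entries, entries[1:]):
        if s0 != s1:
            # The file vanished (or came back) somewhere between t0 and t1.
            changes.append(("disappeared" if s0 else "restored", t0, t1))
    return changes


if __name__ == "__main__":
    for kind, before, after in state_changes(parse_log(SAMPLE_LOG)):
        print(f"{kind}: between {before} and {after} ({after - before})")
```

A first "not found" entry that falls off the hourly schedule most likely came from the boot or logon run of the task, which narrows the window to the shutdown/startup period.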
 
Guest

Great suggestion, Pegasus. Thanks!

-=A


 
