Temporary User Profiles

This article is part of Helge’s Profile Toolkit, a set of posts explaining the knowledge and tools required to tame Windows user profiles.

Nobody wants a temporary profile. So why do I get one? Here are the most common reasons for Windows to only issue a profile that is deleted at logoff instead of the regular local or roaming user profile.

What is a Temporary Profile?

With Windows, every logon session needs a user profile (even service accounts and the local system have profiles, by the way). Usually a profile already exists and the operating system loads it. If no profile is present, Windows creates a new one from the default profile. If either of these operations fails, Windows cannot log the user on unless it creates an “Ersatz” profile that lasts only for the duration of the session. Such a profile is called a temporary profile. It is not too dissimilar from a local profile except for the fact that it is deleted when the user logs off.

Next I present the most common reasons for Windows to create a temporary profile.

Reason #1: Local Profile Folder Was Deleted Without Deleting the Associated Registry Key

A user profile is no more than a directory on disk, but if you try to delete a profile by simply removing that directory below C:\Users you fail miserably. Why? I do not know why Microsoft did this and I do not like it, but beginning with Vista you also need to delete the ProfileList registry key pointing to the profile you removed.

Additional information in the Microsoft Knowledge Base:

Error message: “The User Profile Service failed the logon. User profile cannot be loaded”, when logging on to Windows 7 or Windows Vista

Reason #2: Incorrect Permissions on Roaming Profile

If the user has a roaming profile configured, Windows is very strict by default. The user needs at least “change” permissions (understandably), but he or she (or Administrators) also needs to be the owner of the profile folder. If that is not the case, Windows deems the profile to be “unsafe” and does not use it. Instead, the user gets a temporary profile.

If you have configured the group policy setting “Set roaming profile path for all users logging onto this computer” and log on with a local user account, the local user in all likelihood cannot access the roaming profile path and a temporary profile is used.

What you can do:

Disable the permissions check via group policy: Machine -> System -> User Profiles -> “Do not check for user ownership of Roaming Profile Folders”

Additional information in the Microsoft Knowledge Base:

The “Set roaming profile path for all users logging onto this computer” Group Policy setting also applies to local user accounts in Windows Server 2008
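
To see whether a given roaming profile folder actually fails the ownership rule described under Reason #2, the following PowerShell function reports the folder's owner and the user's explicit permissions. It is an added example, not part of the original article; the function name, the share path and the account in the usage comment are hypothetical.

```powershell
# Added example: check a roaming profile folder against the ownership rule above.
# Read-only; nothing on the share is modified.
function Test-RoamingProfileOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ProfilePath,   # UNC path of the profile folder
        [Parameter(Mandatory)][string]$UserName       # DOMAIN\user
    )
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $userSid  = (New-Object System.Security.Principal.NTAccount($UserName)).Translate($sidType)
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

    $acl      = Get-Acl -LiteralPath $ProfilePath
    $ownerSid = $acl.GetOwner($sidType)
    # The folder passes when the user or Administrators owns it
    $ownerOk  = $ownerSid.Equals($userSid) -or $ownerSid.Equals($adminSid)

    # Only ACEs that name the user directly are evaluated here;
    # rights granted through group membership are not resolved.
    $modify   = [System.Security.AccessControl.FileSystemRights]::Modify
    $userAces = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Equals($userSid) -and $_.AccessControlType -eq 'Allow'
    }
    $hasModify = [bool]($userAces | Where-Object {
        ($_.FileSystemRights -band $modify) -eq $modify
    })

    [pscustomobject]@{
        ProfilePath       = $ProfilePath
        Owner             = $acl.Owner
        OwnerAccepted     = $ownerOk
        UserHasModifyAce  = $hasModify
    }
}

# Usage (placeholder values):
# Test-RoamingProfileOwner -ProfilePath '\\fileserver.example\profiles$\alice.V2' -UserName 'EXAMPLE\alice'
```

A result with `OwnerAccepted` set to `False` identifies a folder whose ownership can be corrected instead of disabling the check for the whole machine.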

Reason #3: The Registry Hive Cannot Be Loaded

Of all the files and folders in a profile, one file is of very special importance: NTUSER.DAT. It stores the user’s registry, to be mounted to HKEY_CURRENT_USER upon logon. If that file is missing, corrupt, already loaded or has incorrect permissions, Windows cannot use (i.e. load) the profile and is forced to issue a temporary profile instead.

Additional information in the Microsoft Knowledge Base:

“Windows cannot load your profile because it may be corrupted” error message when you try to log on to Windows XP
Error message when you use a migrated user account to log on to a migrated computer that is running Windows Vista, Windows Server 2003, or Windows XP: “Windows cannot find the local profile and is logging you on with a temporary profile”
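
The conditions behind Reason #1 (profile folder gone, ProfileList key still present) and Reason #3 (NTUSER.DAT missing) can be found before users hit them. The following PowerShell function is an added example, not part of the original article; it assumes an elevated session, the standard ProfileList location under HKLM, and a hypothetical function name.

```powershell
# Added example: report ProfileList entries that cannot be loaded as a normal profile.
# Read-only; it changes nothing in the registry or on disk.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-BrokenProfileEntry {
    [CmdletBinding()]
    param([string]$KeyPath = $ProfileListKey)

    # S-1-5-21-* limits the scan to local and domain user accounts.
    Get-ChildItem -Path $KeyPath | Where-Object PSChildName -like 'S-1-5-21-*' | ForEach-Object {
        $sid  = $_.PSChildName
        # ProfileImagePath is REG_EXPAND_SZ; GetValue() expands environment variables.
        $path = $_.GetValue('ProfileImagePath')
        $hive = if ($path) { Join-Path $path 'NTUSER.DAT' }

        $finding = if (-not $path) {
            'no ProfileImagePath value'
        } elseif (-not (Test-Path -LiteralPath $path -PathType Container)) {
            'folder deleted, registry key left behind (Reason #1)'
        } elseif (-not (Test-Path -LiteralPath $hive -PathType Leaf)) {
            'NTUSER.DAT missing (Reason #3)'
        } elseif ((Get-Item -LiteralPath $hive -Force).Length -eq 0) {
            'NTUSER.DAT is empty (Reason #3)'
        }

        if ($finding) {
            # Resolve the SID to an account name where possible.
            $account = try {
                $sidObj = [System.Security.Principal.SecurityIdentifier]$sid
                $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch { '<unresolved>' }

            [pscustomobject]@{
                Sid         = $sid
                Account     = $account
                ProfilePath = $path
                Finding     = $finding
            }
        }
    }
}

Get-BrokenProfileEntry | Format-Table -AutoSize
```

The script does not detect a corrupt or already loaded hive, or incorrect permissions on NTUSER.DAT; it covers only the missing-folder and missing-file cases.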

Reason #4: You Are a Guest

If a user is a member of the local group Guests or the domain group Domain Guests, Windows issues nothing but temporary profiles. Sorry, but nothing to be done about that except to get rid of that guest status as soon as possible.

Additional information in the Microsoft Knowledge Base:

A temporary user profile is created every time that you log on to a Windows Vista-based computer that is connected to a domain

Reason #5: User is a Member of Too Many Groups

Because the SIDs of all groups a user is a member of are added to the user’s Kerberos token, the maximum allowed token size may not suffice for users who are members of many groups. This issue has been around since Windows 2000 and it can cause all kinds of weird errors. Apparently it can also cause the creation of temporary profiles (thanks for the hint, Thilo!).

What you can do:

Increase the MaxTokenSize registry value as described in MS KB 327825.


3 Responses to Temporary User Profiles

  1. Bob November 29, 2011 at 19:37 #

    The next question will be how to use this Windows functionality and force the use of a temporary profile as a replacement of the mandatory profiles ;-).

    • Joe Trader June 13, 2016 at 16:07 #

      Exactly what brought me here. Want to force a temp profile on VDIs on a domain without using roaming profiles.

  2. Bez March 8, 2016 at 13:46 #

    This is very helpful. Thank you for sharing the information :-)
