Temporary User Profiles
This article is part of Helge’s Profile Toolkit, a set of posts explaining the knowledge and tools required to tame Windows user profiles.
Nobody wants a temporary profile. So why do I get one? Here are the most common reasons for Windows to only issue a profile that is deleted at logoff instead of the regular local or roaming user profile.
What is a Temporary Profile?
With Windows, every logon session needs a user profile (even service accounts and the local system have profiles, by the way). Usually a profile already exists and the operating system loads it. If no profile is present, Windows creates a new one from the default profile. If either of these operations fails, Windows cannot log the user on unless it creates an “Ersatz” profile that lasts only for the duration of the session. Such a profile is called a temporary profile. It is not too dissimilar from a local profile, except that it is deleted when the user logs off.
Next I present the most common reasons for Windows to create a temporary profile.
Reason #1: Local Profile Folder Was Deleted Without Deleting the Associated Registry Key
A user profile is no more than a directory on disk, but if you try to delete a profile by simply removing that directory below C:\Users, you fail miserably: Windows still finds a registry entry pointing to a profile folder that no longer exists, cannot load it, and hands out a temporary profile instead. Why? I do not know why Microsoft did this and I do not like it, but beginning with Vista you also need to delete the ProfileList registry key pointing to the profile you removed.
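The following PowerShell script is an added example and not part of the original article. It lists ProfileList entries whose ProfileImagePath no longer exists on disk, which is exactly the situation left behind when a profile folder is deleted by hand. The ProfileList key path is the standard one under HKLM; the folder names are read from the registry, nothing is hard-coded. Run it from an elevated prompt so that every subkey can be read.

```powershell
# Added example, not from the original article: find ProfileList entries whose
# profile folder is gone. Reading all subkeys requires an elevated prompt.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-OrphanedProfileEntry {
    Get-ChildItem -Path $profileList | ForEach-Object {
        $key  = $_
        # ProfileImagePath is REG_EXPAND_SZ; Get-ItemProperty already expands
        # %SystemDrive% and friends, the explicit expansion below is a safety net.
        $path = (Get-ItemProperty -Path $key.PSPath -Name ProfileImagePath `
                    -ErrorAction SilentlyContinue).ProfileImagePath
        if (-not $path) { return }   # nothing to check without a path
        $expanded = [Environment]::ExpandEnvironmentVariables($path)
        [pscustomobject]@{
            Sid          = $key.PSChildName
            Path         = $expanded
            FolderExists = Test-Path -LiteralPath $expanded -PathType Container
            # Windows itself renames a key to <SID>.bak when it could not use the
            # profile at logon; such leftovers are worth a look as well.
            IsBackupKey  = $key.PSChildName -like '*.bak'
            KeyPath      = $key.PSPath
        }
    } | Where-Object { -not $_.FolderExists -or $_.IsBackupKey }
}

# Report only; the removal below is deliberately left in -WhatIf mode.
$orphans = Get-OrphanedProfileEntry
$orphans | Format-Table Sid, Path, FolderExists, IsBackupKey -AutoSize

# Once you have verified that a listed folder is really gone, drop the key
# (remove -WhatIf to actually delete):
$orphans | Where-Object { -not $_.FolderExists } | ForEach-Object {
    Remove-Item -Path $_.KeyPath -Recurse -WhatIf
}
```

The three well-known system accounts (S-1-5-18, S-1-5-19, S-1-5-20) also have ProfileList entries; their folders under the Windows directory always exist, so they never show up in the orphan list.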
Additional information in the Microsoft Knowledge Base:
Reason #2: Incorrect Permissions on Roaming Profile
If the user has a roaming profile configured, Windows is very strict by default. The user needs at least “change” permissions (understandably), but he or she (or Administrators) also needs to be the owner of the profile folder. If that is not the case, Windows deems the profile to be “unsafe” and does not use it. Instead, the user gets a temporary profile.
If you have configured the group policy setting Set roaming profile path for all users logging onto this computer and log on with a local user account, the local user in all likelihood cannot access the roaming profile path and a temporary profile is used.
What you can do:
Disable the permissions check via group policy: Machine -> System -> User Profiles -> “Do not check for user ownership of Roaming Profile Folders”
Additional information in the Microsoft Knowledge Base:
Reason #3: The Registry Hive Cannot Be Loaded
Of all the files and folders in a profile one file is of very special importance: NTUSER.DAT. It stores the user’s registry, which is mounted to HKEY_CURRENT_USER upon logon. If that file is missing, corrupt, already loaded, or has incorrect permissions, Windows cannot use (i.e. load) the profile and is forced to issue a temporary profile instead.
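The following PowerShell function is an added example and not part of the original article. It checks a roaming profile folder for the two conditions described in Reasons #2 and #3: the folder must be owned by the user or by Administrators and the user must hold Modify rights, and NTUSER.DAT must exist and load as a registry hive. The hive test uses reg.exe load/unload under a scratch name in HKEY_USERS, which is the same operation Windows performs at logon. The server, share and account names are constructed placeholders; the ACL check looks only at ACEs granted directly to the user’s SID, not at group memberships, so treat a negative result as a prompt to look at the ACL, not as proof. Run it elevated, since loading a hive needs backup/restore privileges.

```powershell
# Added example, not from the original article: verify what Windows verifies
# before it uses a roaming profile (owner, Modify rights, loadable NTUSER.DAT).
function Test-ProfileFolder {
    param(
        [Parameter(Mandatory)] [string] $ProfilePath,   # e.g. \\server\profiles$\jdoe.V2 (constructed)
        [Parameter(Mandatory)] [string] $UserName       # e.g. CONTOSO\jdoe (constructed)
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $result = [ordered]@{
        Path          = $ProfilePath
        FolderExists  = Test-Path -LiteralPath $ProfilePath -PathType Container
        Owner         = $null
        OwnerIsValid  = $false
        UserHasModify = $false
        HiveExists    = $false
        HiveLoads     = $false
    }
    if (-not $result.FolderExists) { return [pscustomobject]$result }

    # Reason #2: owner must be the user or BUILTIN\Administrators (S-1-5-32-544).
    # Everything is compared as SIDs so the account name format does not matter.
    $acl       = Get-Acl -LiteralPath $ProfilePath
    $owner     = $acl.GetOwner($sidType)
    $userSid   = ([System.Security.Principal.NTAccount]$UserName).Translate($sidType)
    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $result.Owner        = $owner.Value
    $result.OwnerIsValid = ($owner -eq $userSid) -or ($owner -eq $adminsSid)

    # "Change" permissions: look for an Allow ACE for the user that covers Modify.
    # Simplification: group-based grants are not resolved here.
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $rules  = $acl.GetAccessRules($true, $true, $sidType)
    $result.UserHasModify = [bool]($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -eq $userSid -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    })

    # Reason #3: NTUSER.DAT must exist and be loadable as a hive. reg.exe load
    # fails with a non-zero exit code if the file is corrupt, locked, already
    # loaded (the user is logged on somewhere) or not readable.
    $hive = Join-Path $ProfilePath 'NTUSER.DAT'
    $result.HiveExists = Test-Path -LiteralPath $hive -PathType Leaf
    if ($result.HiveExists) {
        $scratch = 'HKU\ProfileCheck_' + [guid]::NewGuid().ToString('N')
        & reg.exe load $scratch $hive *> $null
        if ($LASTEXITCODE -eq 0) {
            $result.HiveLoads = $true
            & reg.exe unload $scratch *> $null
        }
    }
    [pscustomobject]$result
}

# Constructed sample call; replace with a real profile path and account.
Test-ProfileFolder -ProfilePath '\\fileserver\profiles$\jdoe.V2' -UserName 'CONTOSO\jdoe'
```

HiveLoads reports false while the user is logged on anywhere with that profile, because the hive is then already loaded by that session; check the other fields first and repeat the hive test after the user has logged off.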
Additional information in the Microsoft Knowledge Base:
“Windows cannot load your profile because it may be corrupted” error message when you try to log on to Windows XP
Error message when you use a migrated user account to log on to a migrated computer that is running Windows Vista, Windows Server 2003, or Windows XP: “Windows cannot find the local profile and is logging you on with a temporary profile”
Reason #4: You Are a Guest
If a user is a member of the local group Guests or the domain group Domain Guests, Windows issues nothing but temporary profiles. Sorry, but there is nothing to be done about that except to get rid of the guest status as soon as possible.
Additional information in the Microsoft Knowledge Base:
Reason #5: User is a Member of Too Many Groups
As the SIDs of all groups a user is a member of are added to the user’s Kerberos token, the maximum allowed token size may not suffice for users who are members of many groups. This issue has been around since Windows 2000 and it can cause all kinds of weird errors. Apparently it can also cause the creation of temporary profiles (thanks for the hint, Thilo!).
What you can do:
Increase the MaxTokenSize registry value as described in MS KB 327825.
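The following PowerShell function is an added example and not part of the original article. It compares a rough token size estimate for the current user with the MaxTokenSize in effect on the machine. The estimate follows the formula given in KB 327825, 1200 + 40d + 8s, but counts every group as a 40-byte entry, so it errs on the high side; the defaults assumed when no registry value is set (12000 bytes before Windows 8 / Server 2012, 48000 bytes from then on) are the documented ones. The registry path is the standard Kerberos parameters key.

```powershell
# Added example, not from the original article: is this user close to the
# MaxTokenSize limit? Estimate based on KB 327825 (1200 + 40d + 8s), with all
# groups counted at 40 bytes, i.e. a deliberately pessimistic figure.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-TokenSizeEstimate {
    $identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Groups includes well-known SIDs (Everyone, Authenticated Users, ...) that are
    # not carried in the Kerberos ticket, which makes the estimate more conservative.
    $groupCount = $identity.Groups.Count
    $estimate   = 1200 + 40 * $groupCount

    # An explicit MaxTokenSize (REG_DWORD) overrides the OS default.
    $configured = (Get-ItemProperty -Path $kerbParams -Name MaxTokenSize `
                      -ErrorAction SilentlyContinue).MaxTokenSize
    if (-not $configured) {
        # Default: 12000 up to Windows 7 / 2008 R2, 48000 from Windows 8 / 2012 (NT 6.2).
        $configured = if ([Environment]::OSVersion.Version -ge [version]'6.2') { 48000 } else { 12000 }
    }
    [pscustomobject]@{
        User           = $identity.Name
        GroupCount     = $groupCount
        EstimatedBytes = $estimate
        MaxTokenSize   = $configured
        AtRisk         = ($estimate -gt $configured)
    }
}

Get-TokenSizeEstimate
```

If AtRisk comes back true for a user who receives temporary profiles, raising MaxTokenSize as KB 327825 describes, or trimming group memberships, is the next step; a false result only rules out this particular cause.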
6 Comments
The next question will be how to use this Windows functionality and force the use of a temporary profile as a replacement of the mandatory profiles ;-).
Exactly what brought me here. Want to force a temp profile on VDIs on a domain without using roaming profiles.
This is very helpful. Thank you for sharing the information :-)
I know this is an old article, but it still is valid in a 2012/2016 environment. This helped us with a domain migration of roaming profiles. We had re-ACL’d the files and registry within the NTuser.dat. However, the ownership of the profile must still have been wrong or not working. So this fixed the issue.
It is a great article. Recently, I saw a strange case where a user logged on with the default profile for the system. Actually, Windows had tried to log the user on with a temporary profile, but it failed. So I hope you will deal with the default profile for the system.
This can also result from an incorrect profile path being entered on the AD user object. We don’t use roaming profiles in our environment and someone had entered the bat file from the logon script into the profile path.