A few weeks ago I wrote about some strange things we had seen occurring with mandatory profiles. We had twice witnessed the scenario of an improperly configured mandatory profile causing user policies to fail or terminate prematurely. Naturally, I concluded this must be a scenario specific to mandatory profiles. Well, I was wrong. Today I had it happen with just an ordinary user with their own roaming profile on the server. There's a chain of events, which goes like this:
- A user leaves the employ of our enterprise, and her computer is taken over by another staff member who doesn't have their own login account.
- Logically, the departing user's account is simply renamed to be the new user. But this causes folder redirection policy to fail. Microsoft claims this was first fixed in SP2 - the version the computer is running.
- To cut a long story short, I decide to drop the user account and create a new one. Windows then refuses to load their profile from the existing folder, despite the new account having full control, because the ownership is set wrongly.
- I reset the ownership of the profile folder and all subfolders and files from "Account unknown" to "Administrators".
- At next logon, Windows pretends to load the profile, but user policies are incomplete, as shown by the apparent non-execution of the login script, resulting in no drive letter mappings. The user's start menu also has no program shortcuts on the left-hand side, including Internet and E-mail.
- Eventually I dropped the profile and created a new one. Result: problem solved.
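The ownership step above is the one worth automating, and it is also the one where "Account Unknown" is easy to miss on a deep folder tree. The following PowerShell script is an added example, not code from the original post: it walks a roaming profile folder, reports every file and folder whose owner SID no longer resolves to an account, and, with `-Fix`, resets the owner over the whole tree. The profile path `\\fileserver\profiles$\jsmith` and the account `CONTOSO\jsmith` in the usage note are hypothetical. The default new owner mirrors the step in the post (the Administrators group); pass the user's own account as `-NewOwner` if you would rather the user own their profile.

```powershell
<#
Added example (not from the original post): audit the owners of every object
under a roaming profile and, optionally, reset those owned by an unresolvable
SID ("Account Unknown") to a chosen principal.
Assumptions (hypothetical): the profile share path is supplied by the caller
and the script runs in an elevated session on a domain-joined machine.
#>
param(
    [Parameter(Mandatory)] [string] $ProfilePath,
    # Mirrors the post's step of resetting ownership to Administrators.
    # Pass the user's own account (e.g. 'CONTOSO\jsmith') to make the user the owner.
    [string] $NewOwner = 'BUILTIN\Administrators',
    [switch] $Fix
)

function Test-OwnerResolves {
    param([System.Security.AccessControl.FileSystemSecurity] $Acl)
    # Get-Acl shows the owner as DOMAIN\name when the SID resolves and as a raw
    # 'S-1-5-21-...' string when it does not. Translate explicitly instead of
    # pattern-matching the string: IdentityNotMappedException means orphaned.
    $sid = $Acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    try {
        [void] $sid.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

$orphaned = @()

# Check the profile root itself first; Get-ChildItem does not return it.
$rootAcl = Get-Acl -LiteralPath $ProfilePath
if (-not (Test-OwnerResolves $rootAcl)) {
    $orphaned += [pscustomobject]@{ Path = $ProfilePath; OwnerSid = $rootAcl.Owner }
}

# -Force includes hidden/system objects such as NTUSER.DAT and the AppData tree.
foreach ($item in Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -LiteralPath $item.FullName
    if (-not (Test-OwnerResolves $acl)) {
        $orphaned += [pscustomobject]@{ Path = $item.FullName; OwnerSid = $acl.Owner }
    }
}

$orphaned | Format-Table -AutoSize
Write-Host ("{0} object(s) owned by an unresolvable SID" -f $orphaned.Count)

if ($Fix -and $orphaned.Count -gt 0) {
    # icacls /setowner changes only the owner and leaves the DACL untouched.
    # /T recurses into subfolders and files, /C continues past individual errors.
    # Setting the owner to anyone other than yourself or Administrators requires
    # the Restore privilege, which an elevated administrator session holds.
    & icacls.exe $ProfilePath /setowner $NewOwner /T /C
}
```

Run it once without `-Fix` to see what is actually orphaned (for example `.\Reset-ProfileOwner.ps1 -ProfilePath '\\fileserver\profiles$\jsmith'`), then again with `-Fix` and, if you want the user rather than Administrators to own the tree, `-NewOwner 'CONTOSO\jsmith'`. Note that this only repairs the file-system owners; it does not touch the ACLs stored inside the NTUSER.DAT hive, so re-run the audit after the first logon if policies still look incomplete.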
Is there a pattern to this? You bet there is. One of the most annoying repetitive problems we have had is with our existing users that we migrated from our Samba system to Active Directory at the beginning of this year. We had Windows create new profiles for them, and then some of the data from their previous profile was merged into the new one (e.g. My Documents). The most consistent problem that these users have experienced is, you guessed it - incomplete user policy application - often expressed through login scripts not running or not finishing.
Another nasty little surprise to watch out for when you rename a user: even though you can change the name of their profile folder on the server, Outlook keeps using the old local path for its data files. This is because Outlook's file paths are hardcoded rather than using a variable name as the Registry does.