Owner permissions on Mandatory profile with Windows 10

It is common to use mandatory profiles on managed devices such as Thin Clients, Fat Clients or a VDI environment. During a deployment, I ran into the “User profile cannot be loaded” issue even though all security permissions were correct. The cause can be the owner of the profile folder, and in this blog post I will share how to solve this issue.

User profile cannot be loaded

When a mandatory profile is not properly configured you may experience the following error:

The User Profile Service service failed the sign-in.
User profile cannot be loaded.

Within the event log, the following error with Event ID 1526 is reported:

Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.

As described in the error, the Administrators group must be the owner of the folder; otherwise the profile cannot be loaded.

Setting the correct owner

The owner can be set from the Security tab. Open the properties of the mandatory profile folder, go to the Security tab and click Advanced.

Click Change and make sure to switch the location to the local machine.

This can also be done with PowerShell, which is useful in a deployment scenario.

Mandatory profile permissions

It is useful to know which permissions are required on the mandatory profile. The following table shows the permissions required on the mandatory profile folder. Please note that the same permissions should also be set at registry level in NTUSER.MAN.

User / Group                          Permissions
------------------------------------  ----------------
NT AUTHORITY\ALL APPLICATION PACKAGE  Full Control
NT AUTHORITY\SYSTEM                   Full Control
BUILTIN\Administrators                Full Control
NT AUTHORITY\Authenticated Users      Read and Execute

In my scenario, I have decided to copy the mandatory profile to the local device for performance reasons. This way the copy action does not take place over the network, which may be an issue in branch offices. When the mandatory profile is copied during the deployment, the permissions are inherited from the folder structure. The following script blocks the inheritance and sets the required permissions described in the table above.
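An added example that combines the owner change from the section above with the permission reset from the table; it is not the script from the original post. The profile path is an assumption, and well-known SIDs stand in for the account names in the table so the script does not depend on localized names.

```powershell
# Added example, not the script from the original post.
# Resets the ACL of a locally copied mandatory profile folder to the table above:
# inheritance blocked, BUILTIN\Administrators as owner, only the listed ACEs.
param(
    # Assumption: the local copy of the mandatory profile lives here.
    [string]$ProfilePath = 'C:\Profiles\Mandatory.V6'
)

# Well-known SIDs, so the script does not depend on localized account names.
$required = @(
    @{ Sid = 'S-1-15-2-1';   Rights = 'FullControl'    }  # ALL APPLICATION PACKAGES
    @{ Sid = 'S-1-5-18';     Rights = 'FullControl'    }  # NT AUTHORITY\SYSTEM
    @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl'    }  # BUILTIN\Administrators
    @{ Sid = 'S-1-5-11';     Rights = 'ReadAndExecute' }  # NT AUTHORITY\Authenticated Users
)

$acl = Get-Acl -LiteralPath $ProfilePath

# Block inheritance and discard the ACEs inherited from the parent folder
# (the copy action inherits them, which is what breaks the profile).
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit ACEs that came along with the copy.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($rule)
}

# Event ID 1526: the current user or Administrators must own the folder.
$acl.SetOwner([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544')

# ACEs apply to the folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
foreach ($entry in $required) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        [System.Security.Principal.SecurityIdentifier]$entry.Sid,
        $entry.Rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}

# Writing the ACL propagates the inheritable ACEs down the profile tree.
Set-Acl -LiteralPath $ProfilePath -AclObject $acl

# Verify: the owner should now resolve to BUILTIN\Administrators.
(Get-Acl -LiteralPath $ProfilePath).Owner
```

Run it elevated, since changing the owner to Administrators needs the take-ownership privilege; the registry permissions inside NTUSER.MAN are not covered by this script.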

Conclusion

If you experience any issue with your mandatory profile, the cause may be related to permissions. Of course, the first step is to check the event log for any related errors. By using PowerShell you can make sure the permissions are always set correctly, so you don’t have to worry about that! If you have any comments or questions, please leave them below!

Photo by Ben Sweet on Unsplash