Owner permissions on Mandatory profile with Windows 10

22 Dec 2017 by Ryan Ververs-Bijkerk

Category:

    Windows

Table of Contents

  • User profile cannot be loaded
  • Setting the correct owner
  • Mandatory profile permissions
  • Conclusion

It is common to use mandatory profiles on managed devices like Thin Clients, Fat Clients or a VDI environment. During a deployment, I ran into the “User profile cannot be loaded” error while all security permissions were correct. The cause can be the Owner of the profile folder, and in this blog post I will share how to solve this issue.

User profile cannot be loaded

When a mandatory profile is not properly configured, you may experience the following error at sign-in.

The User Profile Service service failed the sign-in. User profile cannot be loaded.

In the event log, the following error is reported with Event ID 1526.

Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.

As described in the error, either the signing-in user or the Administrators group must own the profile folder, otherwise the profile cannot be loaded. A mandatory profile is shared by every user of the device, so the Administrators group is the only practical owner. Note that the check is about ownership, not about the access control entries: a folder can have exactly the right permissions and still be rejected because it is owned by, for example, the administrator account that copied it.

Setting the correct owner

The owner can be set from the Security tab. Go to the properties of the mandatory profile folder, open the Security tab and click Advanced.

Click Change next to Owner and make sure to switch the location to the local machine, so that the built-in Administrators group of the device is selected and not a group from the domain.

This can also be done with PowerShell, which is useful in a deployment scenario. Run it from an elevated session; it changes the owner of the profile folder itself, which is the object the event refers to, and leaves the owner of the files inside it unchanged.

# Path of the mandatory profile (the .v6 suffix is used by Windows 10 for mandatory profiles)
$profilePath = "C:\Users\ManProfile.v6"
# The local built-in Administrators group, not a domain account
$account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "BUILTIN\Administrators"
# Read the current security descriptor, replace the owner and write it back
$acl = Get-Acl -Path $profilePath
$acl.SetOwner($account)
Set-Acl -Path $profilePath -AclObject $acl

Mandatory profile permissions

It may be useful to have some basic information on the permissions required on the mandatory profile. The following table shows which permissions are required on the profile folder and its contents. Please note that the same permissions must also be set at registry level on the NTUSER.MAN hive (load the hive in the Registry Editor and set them on its root key). Authenticated Users only need Read and Execute: the template is loaded by every user at sign-in, so a writable profile would allow one user to change what every other user receives.

User / Group                                                  Permissions
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES        Full Control
NT AUTHORITY\SYSTEM                                           Full Control
BUILTIN\Administrators                                        Full Control
NT AUTHORITY\Authenticated Users                              Read and Execute

In my scenario, I have decided to copy the mandatory profile to the local device for performance reasons. This way the copy action does not take place over the network, which may be an issue in branch offices. When the mandatory profile is copied during the deployment, the permissions are inherited from the folder structure of C:\Users. The following script, run elevated, blocks that inheritance, discards the inherited entries and sets the required permissions described in the table above on the folder and everything below it.

$profilePath = "C:\Users\ManProfile.v6"

# Principals and rights from the table above. ALL APPLICATION PACKAGES is given by its
# well-known SID (S-1-15-2-1) so the lookup does not depend on the display name.
$accessRules = @(
    @{ Identity = New-Object System.Security.Principal.NTAccount("NT AUTHORITY\SYSTEM");              Permission = "FullControl" },
    @{ Identity = New-Object System.Security.Principal.SecurityIdentifier("S-1-15-2-1");             Permission = "FullControl" },
    @{ Identity = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators");           Permission = "FullControl" },
    @{ Identity = New-Object System.Security.Principal.NTAccount("NT AUTHORITY\Authenticated Users"); Permission = "ReadAndExecute" }
)

$acl = Get-Acl -Path $profilePath

# Block inheritance from C:\Users and discard the inherited entries. Without this call the
# entries below are only added on top of the inherited ones.
$acl.SetAccessRuleProtection($true, $false)

# Add each required entry so that it propagates to all subfolders and files of the profile
foreach ($accessRule in $accessRules) {
	$aclObj = New-Object System.Security.AccessControl.FileSystemAccessRule($accessRule.Identity, $accessRule.Permission, "ContainerInherit,ObjectInherit", "None", "Allow")
	$acl.AddAccessRule($aclObj)
}

# Write the new security descriptor once, after all entries have been added
Set-Acl -Path $profilePath -AclObject $acl
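The steps above (setting the owner, applying the permission table to the folder, and the note that the same permissions belong on the NTUSER.MAN hive) combined into one deployment script. This is an added example written for this page, not code from the original post; the profile path, the temporary hive name ManProfileTemp and the function names are assumptions. It uses well-known SIDs instead of account names, disables inheritance before adding the entries, loads the hive with reg.exe to set the key permissions, and ends with a check that reports every deviation from the table, including the owner condition from event 1526.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): apply the owner and the permission table to a
# mandatory profile folder and to its NTUSER.MAN hive, then verify the result.
# Assumed values: the profile path and the temporary hive name below.

$ProfilePath = 'C:\Users\ManProfile.v6'   # assumed location of the local copy
$HiveMount   = 'ManProfileTemp'           # assumed temporary key name under HKEY_USERS

# Well-known SIDs instead of names, so the lookup does not depend on the display language.
$Sids = @{
    System                 = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'
    Administrators         = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    AuthenticatedUsers     = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
    AllApplicationPackages = [System.Security.Principal.SecurityIdentifier]'S-1-15-2-1'
}

# The permission table: rights on the folder tree and the matching rights on registry keys.
$Required = @(
    @{ Sid = $Sids.System;                 File = 'FullControl';    Reg = 'FullControl' }
    @{ Sid = $Sids.Administrators;         File = 'FullControl';    Reg = 'FullControl' }
    @{ Sid = $Sids.AllApplicationPackages; File = 'FullControl';    Reg = 'FullControl' }
    @{ Sid = $Sids.AuthenticatedUsers;     File = 'ReadAndExecute'; Reg = 'ReadKey'     }
)

function Set-MandatoryProfileFolderAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from C:\Users and drop the inherited entries instead of copying them.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove explicit entries that came along with the copy, so only the table remains.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    foreach ($r in $Required) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r.Sid, $r.File, 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    # The owner must be Administrators (or the signing-in user), otherwise event 1526 is logged.
    $acl.SetOwner($Sids.Administrators)
    Set-Acl -Path $Path -AclObject $acl
}

function Set-MandatoryProfileHiveAcl {
    param([string]$HivePath, [string]$MountName)
    # The hive must not be in use (no user signed in with this profile) or the load fails.
    & reg.exe load "HKU\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HivePath" }
    try {
        $key = "Registry::HKEY_USERS\$MountName"
        $acl = Get-Acl -Path $key
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($ace)
        }
        foreach ($r in $Required) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
                $r.Sid, $r.Reg, 'ContainerInherit', 'None', 'Allow')))
        }
        Set-Acl -Path $key -AclObject $acl
    }
    finally {
        # Release the provider's handles first, otherwise reg unload reports access denied.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$MountName" | Out-Null
    }
}

function Test-MandatoryProfileFolderAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $problems = @()
    $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    if ($owner.Value -ne $Sids.Administrators.Value) {
        $problems += "Owner is $owner; event 1526 requires the user or Administrators"
    }
    if (-not $acl.AreAccessRulesProtected) { $problems += 'Inheritance from C:\Users is still enabled' }
    $expected = @{}
    foreach ($r in $Required) { $expected[$r.Sid.Value] = [System.Security.AccessControl.FileSystemRights]$r.File }
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { $problems += "Deny entry for $sid"; continue }
        if (-not $expected.ContainsKey($sid)) { $problems += "Unexpected entry for $sid"; continue }
        if (($ace.FileSystemRights -band $expected[$sid]) -ne $expected[$sid]) {
            $problems += "$sid has $($ace.FileSystemRights), expected $($expected[$sid])"
        }
        $expected.Remove($sid)
    }
    foreach ($sid in $expected.Keys) { $problems += "Missing entry for $sid" }
    return $problems
}

Set-MandatoryProfileFolderAcl -Path $ProfilePath
Set-MandatoryProfileHiveAcl -HivePath (Join-Path $ProfilePath 'NTUSER.MAN') -MountName $HiveMount
$issues = Test-MandatoryProfileFolderAcl -Path $ProfilePath
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Output "ACL on $ProfilePath matches the table" }
```

The verification step is the part worth keeping in a deployment pipeline: run it after the copy, before the device is handed to users, so an unexpected entry (for example one left by the account that created the profile) or a wrong owner is caught on the build machine rather than as event 1526 at the first sign-in.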

Conclusion

If you experience any issue with your mandatory profile, the cause may be related to permissions or to the owner of the profile folder. Of course, the first step is to check the event log for any related errors. By using PowerShell you can make sure the owner and the permissions are always set correctly, so you don’t have to worry about that! If you have any comments or questions, please leave them below!

Photo by Ben Sweet on Unsplash

Tags:
    mandatory profile
    powershell
    windows 10
Written by Ryan Ververs-Bijkerk

Ryan is a self-employed technologist at GO-INIT who specializes in the EUC and code area. He primarily focuses on the user experience in centralized desktop environments.
