At work we recently moved to an Active Directory domain for all of our public computers to authenticate against. This was a shift from a SAMBA-based domain, and we have had some issues that resulted from this migration.
One of the biggest issues has been in the area of user profiles. People who log onto public computers have roaming profiles, which means that all of their user and application data is stored on a server somewhere, and downloaded each time the user logs in. Changes made during that session are uploaded to the server, so the profile is always in sync.
However, going from one domain to another means that file ownership changes due to different SIDs. Compounding the problem is that we get non-specific reports from the field, consisting of “Joe’s profile is broken,” with no further information.
To track down problems with user profiles, Windows supports extensive logging capabilities, which are not enabled by default. To enable logging of user profiles, here is the process:
1. In the Run dialog box, type regedit, and then click OK.
2. Locate the following subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon
3. Create a new entry named UserEnvDebugLevel of data type REG_DWORD,
and set its value to 0×30002.
The log file is stored in this location: %windir%\Debug\Usermode\Userenv.log
I set this up on a test machine joined to the domain, so that when I receive reports of profile errors, I can log the problem user onto the domain and audit the resulting log file.
tags: windows,profiles,roaming,debug
