
UPM: failed to copy 'ntuser.pol' to the userstore.


Marc Hasenbeck

Question

Hello Community,

 

From time to time we get problems with user logons. They can't log on and get this failure:

 

Group Policy Client login failed - access denied

(photo attached)

 

OS: Windows Server 2019
VDA 1909

 

As is known, this failure appears when ntuser.dat is corrupt. If we restore a slightly older (1h+) ntuser.dat + ntuser.pol + ntuser.ini from a snapshot, the user can log on normally.

 

The only thing I could track down: on every user logoff this failure is reported in the UPM log for every VDA server. Normally there is no problem with that. Next time the users can log on with no problems. This happens for all users...

 

2020-03-17;07:50:57.256;ERROR;DOMAIN;User01;13;19224;CJitThreadInfo::SaveChangedFiles: failed to copy 'ntuser.pol' to the userstore. Error 0x57: Falscher Parameter.

 

When logon fails, the following is reported in the UPM log:

 

2020-03-25;12:41:31.490;INFORMATION;;;26;19560;DispatchLogonLogoff: ---------- Starting logon processing...
2020-03-25;12:41:31.490;INFORMATION;;;26;19560;IsRunningInTerminalServerSession: Terminal services installed.
2020-03-25;12:41:31.490;INFORMATION;;;26;19560;IsRunningInTerminalServerSession: ICA session.
2020-03-25;12:41:31.492;INFORMATION;DOMAIN;user01;26;19560;DispatchLogonLogoff: UserSID = S-1-5-21-xxxxxxx-xxxxxxxx-xxxxxxx-xxxxxxx
2020-03-25;12:41:31.682;INFORMATION;DOMAIN;user01;26;19560;DispatchLogonLogoff: Triggered policy evaluation for <S-1-5-21-xxxxxxx-xxxxxxxx-xxxxxxx-xxxxxxx>
2020-03-25;12:41:31.682;INFORMATION;DOMAIN;user01;26;19560;DispatchLogonLogoff: Updated Group Policy Extension history for <S-1-5-21-xxxxxxx-xxxxxxxx-xxxxxxx-xxxxxxx>
2020-03-25;12:41:31.684;INFORMATION;DOMAIN;user01;26;19560;CheckUserExistsInGroup: Checking if user is a member of one of the ExcludedGroups
2020-03-25;12:41:31.686;INFORMATION;DOMAIN;user01;26;19560;UserIsMemberOfGroup: User is not member of group <DOMAIN.DE\CITRIX-VIRTUALAPPS-ADMINISTRATOREN>.
2020-03-25;12:41:31.686;INFORMATION;DOMAIN;user01;26;19560;CheckUserExistsInGroup: User is not a member of ExcludedGroups
2020-03-25;12:41:31.686;INFORMATION;DOMAIN;user01;26;19560;CheckUserExistsInGroup: Checking if user is a member of one of the ProcessedGroups
2020-03-25;12:41:31.688;INFORMATION;DOMAIN;user01;26;19560;UserIsMemberOfGroup: User is a member of group <DOMAIN.DE\CITRIX-VIRTUALAPPS-BENUTZER>.
2020-03-25;12:41:31.688;INFORMATION;DOMAIN;user01;26;19560;CheckUserExistsInGroup: User is member of a ProcessedGroups
2020-03-25;12:41:31.688;INFORMATION;DOMAIN;user01;26;19560;CheckIfUserNeedsToBeProcessed: Logon/logoff will be processed.
2020-03-25;12:41:31.688;INFORMATION;DOMAIN;user01;26;19560;GetUserStorePath: User Store: Path In: \\fileserver\Roaming\Citrix\Profile\%username%.%userdomain%
2020-03-25;12:41:31.688;INFORMATION;DOMAIN;user01;26;19560;CADUser::Init: Determined user and DNS domain name: <user01>, <DOMAIN.DE>
2020-03-25;12:41:31.694;INFORMATION;DOMAIN;user01;26;19560;CADUser::Init: Determined the ADsPath of user: <user01>: <LDAP://DOMAIN.DE/CN=user01,OU=Mitarbeiter,OU=Customer,OU=Mandanten,DC=DOMAIN,DC=de>
2020-03-25;12:41:31.694;INFORMATION;DOMAIN;user01;26;19560;GetUserStorePath: User Store: Path Out: \\fileserver\roaming\citrix\profile\user01.DOMAIN
2020-03-25;12:41:31.694;INFORMATION;DOMAIN;user01;26;19560;XenApp Optimization, enabled: 0, definition path: 
2020-03-25;12:41:31.699;INFORMATION;DOMAIN;user01;26;19560;SessionCount::RealTimeCount - User: user01, Domain: DOMAIN, Session Count: 0.
2020-03-25;12:41:31.724;INFORMATION;DOMAIN;user01;26;19560;ProcessLogon: Found a profile in the user store: <\\fileserver\roaming\citrix\profile\user01.DOMAIN>.
2020-03-25;12:41:31.724;INFORMATION;DOMAIN;user01;26;19560;QueryLocalProfile: Profile directory read from registry: C:\Users\user01
2020-03-25;12:41:31.724;INFORMATION;DOMAIN;user01;26;19560;QueryLocalProfile: Local profile is a UPM profile.
2020-03-25;12:41:31.725;INFORMATION;DOMAIN;user01;26;19560;GetUserStorePath: ParentVhdFolder: Path In: \\fileserver\roaming\citrix\profile\
2020-03-25;12:41:31.725;INFORMATION;DOMAIN;user01;26;19560;CADUser::Init: Determined user and DNS domain name: <user01>, <DOMAIN.DE>
2020-03-25;12:41:31.725;INFORMATION;DOMAIN;user01;26;19560;CADUser::Init: Determined the ADsPath of user: <user01>: <LDAP://DOMAIN.DE/CN=user01,OU=Mitarbeiter,OU=Customer,OU=Mandanten,DC=DOMAIN,DC=de>
2020-03-25;12:41:31.725;INFORMATION;DOMAIN;user01;26;19560;GetUserStorePath: ParentVhdFolder: Path Out: \\fileserver\roaming\citrix\profile
2020-03-25;12:41:31.853;ERROR;DOMAIN;user01;26;19560;WaitForSingleObject return: dwExitCode=0x5, dwWait=0x0
2020-03-25;12:41:31.861;INFORMATION;DOMAIN;user01;26;19560;ProcessLogon: Starting to restore directories and files.
2020-03-25;12:41:31.900;ERROR;DOMAIN;user01;26;19560;FindFirstFileAPIWrapper: FindFirstFile for path <C:\Users\user01\Anwendungsdaten\*.*> returned: Zugriff verweigert
2020-03-25;12:41:32.857;ERROR;DOMAIN;user01;26;19560;FindFirstFileAPIWrapper: FindFirstFile for path <C:\Users\user01\Netzwerkumgebung\*.*> returned: Zugriff verweigert
2020-03-25;12:41:32.859;ERROR;DOMAIN;user01;26;19560;FindFirstFileAPIWrapper: FindFirstFile for path <C:\Users\user01\Recent\*.*> returned: Zugriff verweigert
2020-03-25;12:41:32.862;ERROR;DOMAIN;user01;26;19560;FindFirstFileAPIWrapper: FindFirstFile for path <C:\Users\user01\Vorlagen\*.*> returned: Zugriff verweigert
2020-03-25;12:41:33.573;INFORMATION;DOMAIN;user01;26;19560;ProcessLogon: User logging on with Streamed Profile support disabled.
2020-03-25;12:41:33.573;INFORMATION;DOMAIN;user01;26;19560;ProcessLogon: Restore finished.
2020-03-25;12:41:33.583;INFORMATION;DOMAIN;user01;26;19560;CRegistryHive::Load: RegLoadKey of <C:\Users\user01\NTUSER.DAT> to <S-1-5-21-xxxxxxx-xxxxxxxx-xxxxxxx-xxxxxxx> succeeded.
2020-03-25;12:41:33.593;ERROR;DOMAIN;user01;26;19560;AddACEs: The call to SetNamedSecurityInfo for file/dir <USERS\S-1-5-21-xxxxxxx-xxxxxxxx-xxxxxxx-xxxxxxx\Software\Policies> failed with: Das System kann die angegebene Datei nicht finden.
2020-03-25;12:41:33.593;WARNING;DOMAIN;user01;26;19560;ResetSecurityForIE_AC: target file C:\Users\user01\Appdata\Local\Packages\windows_ie_ac_001\ac does not exist
2020-03-25;12:41:33.595;INFORMATION;DOMAIN;user01;26;19560;ResetSecurityForRS1StartMenu: AddACEs Successfully
2020-03-25;12:41:33.606;INFORMATION;DOMAIN;user01;26;19560;SaveFolderRedirectionSettings: S-1-5-21-xxxxxxx-xxxxxxxx-xxxxxxx-xxxxxxx\Software\Citrix\UserProfileManager\FolderRedirection\Settings
2020-03-25;12:41:33.606;ERROR;DOMAIN;user01;26;19560;SetRegMultiStringData: RegCreateKeyEx failed with: Zugriff verweigert
2020-03-25;12:41:33.606;ERROR;DOMAIN;user01;26;19560;SaveFolderRedirectionSettings: Setting folder redirection settings at: <S-1-5-21-xxxxxxx-xxxxxxxx-xxxxxxx-xxxxxxx\Software\Citrix\UserProfileManager\FolderRedirection\Settings\UPM Excluded Directories> failed: (0x5) 'Zugriff verweigert'
2020-03-25;12:41:33.606;ERROR;DOMAIN;user01;26;19560;SetRegMultiStringData: RegCreateKeyEx failed with: Zugriff verweigert
2020-03-25;12:41:33.606;ERROR;DOMAIN;user01;26;19560;SaveFolderRedirectionSettings: Setting folder redirection settings at: <S-1-5-21-xxxxxxx-xxxxxxxx-xxxxxxx-xxxxxxx\Software\Citrix\UserProfileManager\FolderRedirection\Settings\UPM Included Directories> failed: (0x5) 'Zugriff verweigert'
2020-03-25;12:41:33.606;INFORMATION;DOMAIN;user01;26;19560;ProcessLogon: Performing Cross Platform logon processing
2020-03-25;12:41:33.606;INFORMATION;DOMAIN;user01;26;19560;CpsUserData::Init: Cross Platform is not enabled
2020-03-25;12:41:33.621;INFORMATION;DOMAIN;user01;26;19560;CRegistryHive::Unload: Unloaded registry hive <S-1-5-21-xxxxxxx-xxxxxxxx-xxxxxxx-xxxxxxx>.
2020-03-25;12:41:33.622;INFORMATION;DOMAIN;user01;26;19560;DispatchLogonLogoff: Updated Group Policy Extension history for <S-1-5-21-xxxxxxx-xxxxxxxx-xxxxxxx-xxxxxxx>
2020-03-25;12:41:33.622;INFORMATION;DOMAIN;user01;26;19560;DispatchLogonLogoff: ---------- Finished logon processing successfully in [s]: <2.13>.
2020-03-25;12:41:49.202;INFORMATION;;;;4148;PeriodicMaintenance: A thread has terminated. Closing its handle.
2020-03-25;12:41:49.202;INFORMATION;;;;4148;PeriodicMaintenance: A thread has terminated. Closing its handle.

 

All exclusions for our AV-software ntuser.dat etc. have been configured.

 

Below our exclusion-list for ntuser-files:
 

C:\Users\*\ntuser.pol
C:\Users\*\ntuser.ini
C:\Users\*\NTUSER.DAT{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx}.TMContainer00000000000000000002.regtrans-ms
C:\Users\*\NTUSER.DAT{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx}.TMContainer00000000000000000001.regtrans-ms
C:\Users\*\NTUSER.DAT{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx}.TM.blf
C:\Users\*\NTUSER.DAT.START
C:\Users\*\NTUSER.DAT.LOG2
C:\Users\*\NTUSER.DAT.LOG1
C:\Users\*\NTUSER.DAT.LASTGOODLOAD
C:\Users\*\NTUSER.DAT.BAK.LASTGOODLOAD
C:\Users\*\NTUSER.DAT.BAK
C:\Users\*\NTUSER.DAT

 

Maybe someone has an idea why the error regarding ntuser.pol occurs every time a user logs off. Did someone have the same behavior?

 

Thanks for any hints and replies!

 

GPClient_Error.jpeg

Link to comment

25 answers to this question


  • 0

Sorry... I should have mentioned that ...

 

Actually, we are using VDA1909 on Windows Server 2019.

 

Every time we get this logon error, these two paths produce an access denied.

 

<S-1-5-21-xxxxxxx-xxxxxxxx-xxxxxxx-xxxxxxx\Software\Citrix\UserProfileManager\FolderRedirection\Settings\UPM Excluded Directories> failed: (0x5) 'Access denied'

<S-1-5-21-xxxxxxx-xxxxxxxx-xxxxxxx-xxxxxxx\Software\Citrix\UserProfileManager\FolderRedirection\Settings\UPM Included Directories> failed: (0x5) 'Access denied'

 

When I take a look into the registry of a user who is currently logged in successfully, there is no path like "...\UserProfileManager\..." under "HKCU\Software\Citrix\"

 

 

Link to comment
  • 0

Same problem here Server 2019 running 1912 CU1.

For me I find it's after I reboot the server that I start getting these.

In my case, if I mount the ntuser.dat for the user with the issue in regedit and assign the user full rights to it, then unmount it, then they can work fine.

Just seems like NTUSER.DAT is losing its permissions for the user.

 

Anyone solve this yet? I'm about to open a case on it.

Link to comment
  • 0

@Steve MacNeil1709157315 
Did you find a solution to this issue? I'm intermittently experiencing the same issue for users. 

Same as you, the user doesn't have rights within ntuser.dat anymore. Grant the rights again and the user can log on without issues.
W2K12R2 with VDA/UPM 7.1912.1

Opening a ticket for this now. Can you share your Citrix ticket number, so I can mention this to the engineer?
Thanks!

 

Link to comment
  • 0

Hey All,

 

Not sure if this applies to your situation, but for me the issue was two-fold.

 

1. Someone enabled a GPO for roaming profiles and that may have played into the issue depending on how the profiles were processed.

2. There was an issue with the .ost mounting and unmounting for profiles as well.  Which I fixed by enabling the setting backup/restore .ost option.

 

After disabling the GPO for roaming profiles and enabling the backup/restore option, I then manually (overnight) went into the server while no one was on and removed all the local profiles on the system.

 

Ever since then, profiles load and delete at logoff properly, there's the odd ost re-index when the windows search service crashes but it rebuilds fine now and I haven't seen this issue again.

 

Hope this helps someone.

Link to comment
  • 0

Hi guys,

 

I came here from another post of @Thomas Jung1709156226

I also have a problem that may fit in this discussion.
https://discussions.citrix.com/topic/285251-permissions-in-ntuserdat-are-getting-lost/

This discussion is older but the newer posts on it keep me thinking that this issue may also be there with the newer versions.

 

Can you also refer to changed permissions within the ntuser.dat when the logon fails with the error in the OP?

 

Regards from Germany

Link to comment
  • 0

Hi @Johannes Gagel

You are correct, it's not an issue with NTFS rights on ntuser.dat, but with security within the registry.
Mounting the ntuser.dat as an admin, granting the user full control and unmounting again fixes the issue immediately.

 

I've just now upgraded our Acceptance MC to VDA 7.1912 CU2, which is available since yesterday. Also added the LogoffCheckerSysModules key, as I've found that the AntiVirus notification icon kept the session active, even after closing the last application. https://support.citrix.com/article/CTX891671

Waiting for feedback from test user...

 

Remarks:

- for us, the issue occurs on both published apps and desktops. 

- the application seems to occur only (mostly?) for users of one specific internally written Java application. Not sure if that's relevant.

 

I've had the issue myself this morning during testing.
Simply opened a published application, which gives a logon prompt for the application.
Without logging on, closed the application again.

(As an admin, executed "end task" on the antivirus notification icon, so the session would logoff)

Logged on again: "Access is denied error".

 

Checked the UPM logs: 

4 errors during logoff: 

- CopyFileWithRetries failed when copy local sucurity attribute ini file to user store: The system cannot find the path specified.

- ProcessLogoff: SaveChangedFiles failed with: The system cannot find the path specified.

- SyncCookieFilesWebcache: WebCache database didn't exist return

- SyncCookieFilesWebcache failed with: 0x2.

Logoff finishes: DispatchLogonLogoff: ---------- Finished logoff processing successfully in : <1.19>.


 

(The text below went in strikethrough automatically at posting, can't seem to undo it...)

 

At logon (during which I get the Access Denied error and the session is logged off again)

Starts fine, all is green, i.e.: 

- CopyFileWithRetries: Copied a file from: <c:\users\XXX\NTUSER.DAT> to <c:\users\XXX\NTUSER.DAT.START>.

Until errors start occurring:

- ProcessLogon: Copying the user's registry hive for backup failed with: Access is denied.

- ResetSecurityForIE_AC: target file c:\users\XXX\Appdata\Local\Packages\windows_ie_ac_001\ac does not exist

- SetRegMultiStringData: RegCreateKeyEx failed with: Access is denied.

- SaveFolderRedirectionSettings: Setting folder redirection settings at: <S-1-5-21XXX\Software\Citrix\UserProfileManager\FolderRedirection\Settings\UPM Excluded Directories> failed: (0x5) 'Access is denied.'

- SetRegMultiStringData: RegCreateKeyEx failed with: Access is denied.

- SaveFolderRedirectionSettings: Setting folder redirection settings at: <S-1-5-21XXX\Software\Citrix\UserProfileManager\FolderRedirection\Settings\UPM Included Directories> failed: (0x5) 'Access is denied.'

 

Logon seems to have succeeded: DispatchLogonLogoff: ---------- Finished logon processing successfully in : <0.42>.

But 8 seconds later, (no UPM logs in between previous and this), logoff is kicked off: DispatchLogonLogoff: ---------- Starting logoff processing...

Edited by PMYPMY
strikethrough comment
Link to comment
  • 0

hi @pmypmy,

 

please read the other discussion...

@Sebastien MARGUERITE fixed this problem by setting the UPM setting "Wait XX Seconds after logoff before deleting the profile from the VDA"

I set this yesterday, but it may take a while to take effect because there may already be corrupted profiles from a few days ago.

 

Maybe the things described in the other discussion fit your problem too.

 

I will now keep an eye on the problem...

 

As soon as I have news I will let you know.

 

regards

Johannes

 

Link to comment
  • 0

Hi @Johannes Gagel

Thanks, I had already checked the other discussion and found the delay setting.
That's set to 60 seconds at the client, so requested info if that's for a particular reason and if we can set this to 0 (or disable it altogether). 


Either way, if that's the case, then it's something Citrix should fix, as in my opinion you can't have a setting in GPO that breaks stuff this way :)

Link to comment
  • 0

Hi,

 

I can also confirm that the error did not happen again after setting the parameter. (The ntuser.dat gets messed up at logoff, so you may have some corrupt ones left in the profile store that you have to find, either with a script or by manually waiting for users to have the issue.) Once all your profiles are good again, it should not happen again.

 

@Thomas Jung1709156226 Yes, that's the setting we are talking about. But this is only relevant if you are using UPMs and you have the setting "delete profiles after logoff" active.

 

Will a Citrix employee see this topic? It would be great if they could address this issue in some future build.

 

Thank you so much to all of you.

 

Best regards from Germany

Link to comment
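Added example (not part of any post in this thread, and not Citrix code): a small Python scan of a UPM log for the logon signature discussed above, where NTUSER.DAT loads successfully but writes under the loaded hive fail with 0x5, which the posters tie to permissions lost inside the hive. The field layout is taken from the log lines quoted in the thread; the function name and the sample log are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample, cut down from the log lines quoted in this thread.
SAMPLE_LOG = r"""2020-03-25;12:41:31.490;INFORMATION;;;26;19560;DispatchLogonLogoff: ---------- Starting logon processing...
2020-03-25;12:41:33.583;INFORMATION;DOMAIN;user01;26;19560;CRegistryHive::Load: RegLoadKey of <C:\Users\user01\NTUSER.DAT> to <S-1-5-21-xxxxxxx> succeeded.
2020-03-25;12:41:33.606;ERROR;DOMAIN;user01;26;19560;SaveFolderRedirectionSettings: Setting folder redirection settings at: <S-1-5-21-xxxxxxx\Software\Citrix\UserProfileManager\FolderRedirection\Settings\UPM Excluded Directories> failed: (0x5) 'Zugriff verweigert'
2020-03-25;12:41:33.622;INFORMATION;DOMAIN;user01;26;19560;DispatchLogonLogoff: ---------- Finished logon processing successfully in [s]: <2.13>.
2020-03-25;12:50:00.000;INFORMATION;;;27;20000;DispatchLogonLogoff: ---------- Starting logon processing...
2020-03-25;12:50:01.000;INFORMATION;DOMAIN;user02;27;20000;CRegistryHive::Load: RegLoadKey of <C:\Users\user02\NTUSER.DAT> to <S-1-5-21-yyyyyyy> succeeded.
2020-03-25;12:50:02.000;INFORMATION;DOMAIN;user02;27;20000;DispatchLogonLogoff: ---------- Finished logon processing successfully in [s]: <2.00>.
"""

# Fields as seen in the thread: date;time;level;domain;user;session;thread;message
Finding = namedtuple("Finding", "user thread started denied_keys")
# The 0x5 code is locale independent; the error text ('Zugriff verweigert') is not.
DENIED_RE = re.compile(r"^SaveFolderRedirectionSettings: .*<[^\\>]+\\([^>]+)> failed: \(0x5\)")

def find_hive_acl_failures(text):
    """Return logons where NTUSER.DAT loaded but registry writes under it got 0x5."""
    open_logons, findings = {}, []
    for line in text.splitlines():
        parts = line.split(";", 7)
        if len(parts) != 8:
            continue
        date, time, level, domain, user, _session, thread, msg = parts
        if "Starting logon processing" in msg:
            open_logons[thread] = {"user": "", "started": f"{date} {time}", "loaded": False, "denied": []}
            continue
        state = open_logons.get(thread)
        if state is None:
            continue  # line does not belong to a logon we are tracking
        if user:
            state["user"] = f"{domain}\\{user}"
        if msg.startswith("CRegistryHive::Load:") and "succeeded" in msg:
            state["loaded"] = True
        match = DENIED_RE.search(msg) if level == "ERROR" else None
        if match and state["loaded"]:
            state["denied"].append(match.group(1))
        if "Finished logon processing" in msg:
            if state["denied"]:
                findings.append(Finding(state["user"], thread, state["started"], state["denied"]))
            del open_logons[thread]
    return findings

if __name__ == "__main__":
    print(find_hive_acl_failures(SAMPLE_LOG))
```

Run over the real UPM logs of each VDA, the returned user names give the list of profiles whose hive in the user store needs checking, instead of waiting for each user to hit the logon error.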
