RDS 2012: Profile Disks and Temp Profiles


The huge pain with using Profile Disks in Windows Server 2012 RDS is dealing with TEMP profiles. When a user’s profile becomes corrupt and RDS starts creating TEMP user profiles, admins have to fix the issue, and it’s NOT easy. But if you want to know how to fix it, here it is.

1. Delete the user’s profile disk (.VHDX). To find the user’s correct profile disk, check the NTFS Security tab in the properties of the xxxxx.vhdx file.


2. Check the C:\Users folder on every Remote Desktop Session Host server to find which server has the corrupt user profile. (hint: check \\sessionhost\c$\users from your computer)

3. Once you find the server, Remote Desktop to it. You will see the following event log message in the System log on that server.

Remote Desktop Services could not apply a user desktop for a user account with a SID of <GUID>. A temporary profile was enforced for the user. Verify that the user profile disk settings are correct. The error code is 0x800700AA.0

4. Open REGEDIT and navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

5. Click each subkey and look at the ProfileImagePath value. The path in this value contains the username.

6. Once you find the correct key, delete it.

7. Have the user log on again to the RemoteApp or VDI. RDS will create a new profile disk.
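The lookups in steps 1 and 4 to 6 can also be scripted. The following is an added example, not part of the original post; run it elevated on the session host found in step 3. `$UserName` and `$UpdShare` are placeholder values, and the script relies on profile disks being named UVHD-<SID>.vhdx.

```powershell
# Added example. $UserName and $UpdShare are placeholders; set them for your environment.
$UserName = 'CONTOSO\jdoe'                    # hypothetical account
$UpdShare = '\\fileserver\UserProfileDisks'   # hypothetical profile disk share

# Profile disks and ProfileList subkeys are both named after the account SID.
$account = New-Object System.Security.Principal.NTAccount($UserName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Step 1: the user's disk on the share is UVHD-<SID>.vhdx.
Get-ChildItem -Path $UpdShare -Filter "UVHD-$sid.vhdx" |
    Select-Object FullName, Length, LastWriteTime

# Steps 4-5: find this user's ProfileList subkeys (a leftover "<SID>.bak" copy is matched too).
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$keys = Get-ChildItem -Path $profileList |
    Where-Object { $_.PSChildName -eq $sid -or $_.PSChildName -eq "$sid.bak" }

foreach ($key in $keys) {
    # Show the path so the match can be confirmed against the username.
    $path = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
    "{0} -> {1}" -f $key.PSChildName, $path

    # Step 6: export a backup of the key, then delete it.
    # -WhatIf only reports what would be removed; drop it once the output looks right.
    $backup = Join-Path $env:TEMP ("ProfileList-{0}.reg" -f $key.PSChildName)
    reg.exe export $key.Name $backup /y | Out-Null
    Remove-Item -Path $key.PSPath -Recurse -WhatIf
}
```

The script only lists the profile disk; deleting the .vhdx in step 1 is left as a manual action.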

Hope that fixed your issue. If so, please leave me a thank-you note.

Windows Installer: The feature you are trying to use…


If you are stuck on Windows Installer error dialog box saying:

The feature you are trying to use is on a network resource that is unavailable.


No worries. This is related to a cached installer issue. Microsoft support has got your back. They have a handy-dandy Microsoft Fix It program to fix Windows Installer issues. You can use this Fix It program to either install or uninstall software on your computer.

Download the Fix It program and run it on the troubled computer. Get it from http://support.microsoft.com/mats/Program_Install_and_Uninstall

Windows 2008 R2–RDS: “RemoteApp program is not in the list of authorized programs”


On the Microsoft Windows Server 2008 R2 RDS platform, you published an in-built program like Notepad or WordPad. When you try to run the published program using Remote Desktop Web Access, you end up seeing the message “RemoteApp program is not in the list of authorized programs”.

When this happened to me, I found no real answers on the Internet.  But the resolution I figured out myself was so simple and made me think how we sometimes miss the obvious stuff.

Resolution:

If you are publishing a Windows in-built program, you shouldn’t publish it manually (meaning, by typing the path name of the program). If you publish anything under C:\Windows, you would get the above message.

Instead, use the programs listed in the application publishing wizard. If you still don’t know what I am talking about, follow the steps below.

1. Open RemoteApp Manager and connect to desired RDS Session Host server.

2. On Action Pane click on image

3. Click Next on RemoteApp Wizard Welcome page.

4. Select one of the listed programs if you want to publish an in-built program. Do not click the Browse button.

 


5. Click Next and then Finish to complete the wizard.

Now you can access this published application without any errors. Hope this explanation helped you.

Windows: How to flush all user profiles automatically?


How do you delete all user profiles on a Windows computer or server? Don’t do it manually, and don’t search for third-party tools or scripts. You can do it very easily with local policy or group policy. All you have to do is:

  1. Click Start, type gpedit.msc in the Start Search box, and then click gpedit in the Programs list.
    If you are prompted for an administrator password or for confirmation, type the password, or click Continue.
  2. Under Computer Configuration, expand Administrative Templates, expand System, and then click User Profiles.
  3. In the details pane, double-click Delete user profiles older than a specified number of days on system restart.
  4. Close all dialog boxes.

Whenever you reboot the computer/server,  all user profiles will be deleted.

If you don’t reboot the computer/server often, then you may look for other scripted solutions.

Argh!!! “The specified DHCP client is not a reserved client”


I was trying to add a reserved IP address, and I got this error repeatedly. A quick Internet search took me to http://msdn.microsoft.com/en-us/library/ms847672.aspx. It says:

Explanation:

Stand-alone DHCP servers are not allowed to operate when Active Directory is operating. This is to prevent unauthorized servers operating on the network. A DHCP server initializes and starts providing DHCP services to clients only if the server finds its IP address in the authorized list for each of the enterprise roots reported by other DHCP servers. If it does not find itself in the authorized list for each of the reported enterprise roots, it does not initialize and the DHCP service is stopped.

User Action:

Verify whether the DHCP server is supposed to be part of a directory service enterprise or operating as a stand-alone server. If the DHCP server should belong to a directory service enterprise, reconfigure the server to be a domain controller or member server of the directory service enterprise, as applicable.

But, my DHCP server is authorized, alright. It is dishing out IP addresses, no problem.

You know, that’s one of those moments I felt stupid shame when I found the issue. The IP address I was trying to reserve was OUT OF the DISTRIBUTION range, meaning it was in the exclusion from the distribution range. What a dumb error message! I think those MS developers’ revenge on sysadmins is very revolting.

Remote Desktop: "Your system administrator Does not allow the use of saved credentials to log on to the remote computer. Because identity is not fully verified. Please enter new credentials" and “Domain sid inconsistent”


 

I was trying to remote desktop to a VM that is in a different domain. I kept getting this error message:

"Your system administrator Does not allow the use of saved credentials to log on to the remote computer. Because identity is not fully verified. Please enter new credentials"

I tried to type the correct credentials manually on Remote Desktop.  I decided to take a look at the server’s security log. This is what I found:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/7/2010 12:23:43 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: servername.domain.local
Description:
An account failed to log on.

Subject:
Security ID:                NULL SID
Account Name:                –
Account Domain:                –
Logon ID:                0x0
Logon Type:                        3
Account For Which Logon Failed:
Security ID:                NULL SID
Account Name:                myADaccount
Account Domain:                DomainName
Failure Information:
Failure Reason:                Domain sid inconsistent.
Status:                        0xc000006d
Sub Status:                0xc000019b
Process Information:
Caller Process ID:        0x0
Caller Process Name:        –
Network Information:
Workstation Name:        MyClientWorkstationName
Source Network Address:        –
Source Port:                –

Failure Information:
Failure Reason:                Domain sid inconsistent.
Status:                        0xc000006d
Sub Status:                0xc000019b

Well…Failure reason says “Domain sid inconsistent” and Security ID says NULL SID.

YES, I knew what went wrong right away. My test domain controller and standalone server VM were deployed from the same template, so both have the same SID.

Usually a duplicate SID is not a problem. But if your domain controller and client machine SIDs are the same, then it’s a big problem.

I ran (C:\Windows\System32\SysPrep\) SysPrep.exe on my server and re-joined it to the domain. Everything was magically OK after that.
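To check whether other machines cloned from the same template are hitting the same failure, the Security log can be filtered on the Sub Status shown above. This is an added example, not part of the original post; it uses Windows PowerShell, runs elevated on the server that rejected the logon, and also prints the local machine SID for comparison with the domain’s SID.

```powershell
# Added example: list failed logons (4625) carrying the Sub Status from the event above.
$subStatus = '0xc000019b'   # value taken from the event shown on this page

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 1000 |
    ForEach-Object {
        # Event data is stored as name/value pairs in the event XML.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        if ($fields['SubStatus'] -eq $subStatus) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
                LogonType   = $fields['LogonType']
                Workstation = $fields['WorkstationName']
                Status      = $fields['Status']
                SubStatus   = $fields['SubStatus']
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize

# Local machine SID: the SID of the built-in local Administrator (RID 500) minus the RID.
# On a member server, compare it with the S-1-5-21-... prefix of any domain account's SID;
# identical values mean the machine still carries the template's SID.
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }
"Machine SID: {0}" -f ($builtin.SID -replace '-500$', '')
```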

Windows Server 2008 R2 on VM: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item


A newly built Windows Server 2008 R2 server on a VM had strange issues. I logged in with an account that’s part of Domain Admins. I was supposed to have local administrative privileges. But when I tried to open any administrative tools (like Services or Event Log), I got this error message:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item

It was driving me crazy. It turned out that I couldn’t log on as local administrator either.

After half a day of itching my mind, the following two things resolved my issue.

  1. Turned off Internet Explorer Enhanced Security setting for Administrators and Users
  2. Turned off User Account Control (in Safe Mode)

Bizarre experience though!