Table of Contents
- User profile cannot be loaded
- Setting the correct owner
- Mandatory profile permissions
- Conclusion
It is common to use mandatory profiles on managed devices such as thin clients, fat clients or a VDI environment. During a deployment I ran into the error “User profile cannot be loaded” while all security permissions on the profile folder were correct. This can be caused by the owner of the profile folder, and in this blog post I will share how to solve this issue.
User profile cannot be loaded
When a mandatory profile is not configured properly, you may see the following error at sign-in.
The User Profile Service service failed the sign-in. User profile cannot be loaded.
In the Application event log, the following error is reported with Event ID 1526.
Windows could not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. Windows could not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrators group must be the owner of the folder.
As the error states, either the current user or the Administrators group must own the profile folder. A mandatory profile is shared by many users, so the Administrators group is the practical choice; with any other owner the profile cannot be loaded, no matter how correct the access permissions are.
Setting the correct owner
The owner can be set from the Security tab. Open the properties of the mandatory profile folder, select the Security tab and click Advanced.
Next to Owner click Change, and make sure to switch the location to the local machine so that the local BUILTIN\Administrators group is selected rather than a domain group with the same name.
This can also be done with PowerShell, which is useful in a deployment scenario. The script must run from an elevated session, because taking ownership on behalf of another principal requires the restore privilege that only administrators hold.

```powershell
# Folder of the mandatory profile (the .vN suffix identifies the profile version)
$profilePath = "C:\Users\ManProfile.v6"

# Resolve the local Administrators group; BUILTIN makes sure the local group is used, not a domain group
$account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "BUILTIN\Administrators"

# Read the current ACL, replace the owner and write the ACL back
$acl = Get-Acl -Path $profilePath
$acl.SetOwner($account)
Set-Acl -Path $profilePath -AclObject $acl
```
Mandatory profile permissions
It is useful to have some basic information on the permissions required on the mandatory profile. The following table shows which permissions a mandatory profile needs. Note that the same permissions must also be set at the registry level on the NTUSER.MAN hive: the hive has its own ACL, independent of the folder permissions, so it has to be loaded and its keys secured separately.
| User / Group | Permissions |
|---|---|
| NT AUTHORITY\ALL APPLICATION PACKAGES | Full Control |
| NT AUTHORITY\SYSTEM | Full Control |
| BUILTIN\Administrators | Full Control |
| NT AUTHORITY\Authenticated Users | Read and Execute |
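The following script applies the same set of permissions to the NTUSER.MAN hive. It is an added example and not part of the original post; it assumes the hive lives at `C:\Users\ManProfile.v6\NTUSER.MAN` and uses `ManProfileTemp` as a temporary mount name under HKEY_USERS, both of which are assumptions. It must run elevated, and the hive must not be in use by a logged-on user while it is loaded.

```powershell
# Added example: secure the NTUSER.MAN registry hive of a mandatory profile.
$hivePath  = "C:\Users\ManProfile.v6\NTUSER.MAN"   # assumed location of the hive
$mountName = "ManProfileTemp"                      # assumed temporary key name under HKEY_USERS
$mountKey  = "HKU\$mountName"
$keyPath   = "Registry::HKEY_USERS\$mountName"

# Required registry permissions, mirroring the folder table above
$registryRules = @(
    @{ Name = "NT AUTHORITY\SYSTEM";                   Rights = "FullControl" }
    @{ Name = "NT AUTHORITY\ALL APPLICATION PACKAGES"; Rights = "FullControl" }
    @{ Name = "BUILTIN\Administrators";                Rights = "FullControl" }
    @{ Name = "NT AUTHORITY\Authenticated Users";      Rights = "ReadKey" }
)

# Load the hive under HKEY_USERS (requires an elevated session)
& reg.exe load $mountKey $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $acl = Get-Acl -Path $keyPath

    # Stop inheriting and drop inherited entries, then add the explicit rules
    # ContainerInherit makes each rule apply to the root key and every subkey
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in $registryRules) {
        $ace = New-Object System.Security.AccessControl.RegistryAccessRule(
            $rule.Name, $rule.Rights, "ContainerInherit", "None", "Allow")
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $keyPath -AclObject $acl
}
finally {
    # Release every handle on the hive first, otherwise reg unload fails with "Access is denied"
    $acl = $null
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()
    & reg.exe unload $mountKey | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed with exit code $LASTEXITCODE" }
}
```

The inheritable rules propagate down the whole hive when Set-Acl is called, but explicit entries that already exist on individual subkeys (for example from the account the profile was originally built with) are left in place; check the hive for such entries afterwards if the source profile was not created cleanly.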
In my scenario I decided to copy the mandatory profile to the local device for performance reasons: the copy then does not take place over the network at every logon, which can be an issue in branch offices. When the profile is copied during deployment, its permissions are inherited from the parent folder structure. The following script blocks that inheritance, discards the inherited entries and sets the required permissions described in the table above.
```powershell
# Folder of the locally copied mandatory profile
$profilePath = "C:\Users\ManProfile.v6"

# Required permissions from the table above
$accessRules = @(
    [PSCustomObject]@{ Name = "NT AUTHORITY\SYSTEM";                   Permission = "FullControl" }
    [PSCustomObject]@{ Name = "NT AUTHORITY\ALL APPLICATION PACKAGES"; Permission = "FullControl" }
    [PSCustomObject]@{ Name = "BUILTIN\Administrators";                Permission = "FullControl" }
    [PSCustomObject]@{ Name = "NT AUTHORITY\Authenticated Users";      Permission = "ReadAndExecute" }
)

$acl = Get-Acl -Path $profilePath

# Block inheritance and discard the entries inherited from C:\Users;
# without this call the inherited ACEs stay in place next to the new ones
$acl.SetAccessRuleProtection($true, $false)

# Add each required ACE; ContainerInherit,ObjectInherit applies it to subfolders and files as well
foreach ($accessRule in $accessRules) {
    $aclObj = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $accessRule.Name, $accessRule.Permission, "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($aclObj)
}

# Write the ACL once; Set-Acl propagates the inheritable entries to the existing children
Set-Acl -AclObject $acl -Path $profilePath
```
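To confirm a deployed profile actually meets the owner and permission requirements described above, the following audit function is an added example (not the post's own code). It compares the folder ACL against the table, checks the owner and inheritance state, and collects recent Event ID 1526 entries; the provider name used for the event query is the one Event Viewer shows for the User Profile Service, and the folder path in the usage call is assumed.

```powershell
# Added example: audit a mandatory profile folder against the requirements in this post.
function Test-MandatoryProfileAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [hashtable] $Expected = @{
            "NT AUTHORITY\SYSTEM"                   = "FullControl"
            "NT AUTHORITY\ALL APPLICATION PACKAGES" = "FullControl"
            "BUILTIN\Administrators"                = "FullControl"
            "NT AUTHORITY\Authenticated Users"      = "ReadAndExecute"
        }
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $acl  = Get-Acl -Path $Path
    $sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize

    # 1. The owner must be the Administrators group (the profile is shared, so "current user" never matches)
    if ($acl.Owner -ne "BUILTIN\Administrators") {
        $findings.Add("Owner is '$($acl.Owner)', expected BUILTIN\Administrators")
    }

    # 2. Inheritance must be blocked, otherwise entries from C:\Users apply to the profile
    if (-not $acl.AreAccessRulesProtected) {
        $findings.Add("Inheritance is enabled; ACEs from the parent folder apply")
    }

    # 3. Every explicit ACE must be an Allow for a principal in the table, with exactly the expected rights
    #    (Synchronize is tolerated because Windows adds it to every ReadAndExecute entry it stores)
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    foreach ($ace in $explicit) {
        $id   = $ace.IdentityReference.Value
        $have = [int]$ace.FileSystemRights
        if (-not $Expected.ContainsKey($id)) {
            $findings.Add("Unexpected ACE for '$id' ($($ace.AccessControlType) $($ace.FileSystemRights))")
            continue
        }
        $want = [int][System.Security.AccessControl.FileSystemRights]$Expected[$id]
        if ($ace.AccessControlType -ne "Allow") {
            $findings.Add("'$id' has a $($ace.AccessControlType) entry, expected Allow")
        }
        elseif (($have -band $want) -ne $want) {
            $findings.Add("'$id' is missing rights: has $($ace.FileSystemRights), expected $($Expected[$id])")
        }
        elseif (($have -band -bnot ($want -bor $sync)) -ne 0) {
            $findings.Add("'$id' has more rights than expected: $($ace.FileSystemRights)")
        }
    }
    foreach ($id in $Expected.Keys) {
        if (-not ($explicit | Where-Object { $_.IdentityReference.Value -eq $id })) {
            $findings.Add("Missing ACE for '$id'")
        }
    }
    return $findings
}

function Get-ProfileLoadFailure {
    param([int] $Hours = 24)
    # Event 1526 is written to the Application log by the User Profiles Service provider
    Get-WinEvent -FilterHashtable @{
        LogName      = "Application"
        ProviderName = "Microsoft-Windows-User Profiles Service"
        Id           = 1526
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Usage (assumed path): an empty result means the folder matches the table
$issues = Test-MandatoryProfileAcl -Path "C:\Users\ManProfile.v6"
if ($issues.Count -eq 0) { "Profile ACL OK" } else { $issues }
Get-ProfileLoadFailure -Hours 24
```

The rights comparison is done on the access mask rather than on the display string, because Get-Acl renders a rule created as ReadAndExecute as "ReadAndExecute, Synchronize"; a plain string compare against the table would report a false mismatch for Authenticated Users.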
Conclusion
If you experience any issue with your mandatory profile, the cause may be related to permissions or ownership. The first step is always to check the event log for related errors. By using PowerShell you can make sure the owner and permissions are always set correctly, so you don’t have to worry about that. If you have any comments or questions, please leave them below!