6. Отметьте Include inheritable permissions from this object’s parent and Replace all child object permissions with inheritable permissions from this object и дважды нажмите OK.

Теперь настройки безопасности директории Default установлены верно. Попробуйте залогиниться заново.

LoadUserProfileA function (userenv.h)

Loads the specified user’s profile. The profile can be a local user profile or a roaming user profile.

Syntax

Parameters

Token for the user, which is returned by the LogonUser, CreateRestrictedToken, DuplicateToken, OpenProcessToken, or OpenThreadToken function. The token must have TOKEN_QUERY, TOKEN_IMPERSONATE, and TOKEN_DUPLICATE access. For more information, see Access Rights for Access-Token Objects.

Pointer to a PROFILEINFO structure. LoadUserProfile fails and returns ERROR_INVALID_PARAMETER if the dwSize member of the structure is not set to sizeof(PROFILEINFO) or if the lpUserName member is NULL. For more information, see Remarks.

Return value

TRUE if successful; otherwise, FALSE. To get extended error information, call GetLastError.

The function fails and returns ERROR_INVALID_PARAMETER if the dwSize member of the structure at lpProfileInfo is not set to sizeof(PROFILEINFO) or if the lpUserName member is NULL.

Remarks

When a user logs on interactively, the system automatically loads the user’s profile. If a service or an application impersonates a user, the system does not load the user’s profile. Therefore, the service or application should load the user’s profile with LoadUserProfile.

Services and applications that call LoadUserProfile should check to see if the user has a roaming profile. If the user has a roaming profile, specify its path as the lpProfilePath member of PROFILEINFO. To retrieve the user’s roaming profile path, you can call the NetUserGetInfo function, specifying information level 3 or 4.

Upon successful return, the hProfile member of PROFILEINFO is a registry key handle opened to the root of the user’s hive. It has been opened with full access (KEY_ALL_ACCESS). If a service that is impersonating a user needs to read or write to the user’s registry file, use this handle instead of HKEY_CURRENT_USER. Do not close the hProfile handle. Instead, pass it to the UnloadUserProfile function. This function closes the handle. You should ensure that all handles to keys in the user’s registry hive are closed. If you do not close all open registry handles, the user’s profile fails to unload. For more information, see Registry Key Security and Access Rights and Registry Hives.

Note that it is your responsibility to load the user’s registry hive into the HKEY_USERS registry key with the LoadUserProfile function before you call CreateProcessAsUser. This is because CreateProcessAsUser does not load the specified user’s profile into HKEY_USERS. This means that access to information in the HKEY_CURRENT_USER registry key may not produce results consistent with a normal interactive logon.

The calling process must have the SE_RESTORE_NAME and SE_BACKUP_NAME privileges. For more information, see Running with Special Privileges.

Starting with WindowsВ XP Service PackВ 2 (SP2) and Windows ServerВ 2003, the caller must be an administrator or the LocalSystem account. It is not sufficient for the caller to merely impersonate the administrator or LocalSystem account.

The userenv.h header defines LoadUserProfile as an alias which automatically selects the ANSI or Unicode version of this function based on the definition of the UNICODE preprocessor constant. Mixing usage of the encoding-neutral alias with code that not encoding-neutral can lead to mismatches that result in compilation or runtime errors. For more information, see Conventions for Function Prototypes.

Troubleshoot user profiles with events

Applies to: Windows 10, Windows 8, Windows 8.1, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, and Windows Server (Semi-annual Channel).

This topic discusses how to troubleshoot problems loading and unloading user profiles by using events and trace logs. The following sections describe how to use the three event logs that record user profile information.

Step 1: Checking events in the Application log

The first step in troubleshooting issues with loading and unloading user profiles (including roaming user profiles) is to use Event Viewer to examine any Warning and Error events that User Profile Service records in the Application log.

Here’s how to view User Profile Services events in the Application log:

1. Start Event Viewer. To do so, open Control Panel, select System and Security, and then, in the Administrative Tools section, select View event logs. The Event Viewer window opens.
2. In the console tree, first navigate to Windows Logs, then Application.
3. In the Actions pane, select Filter Current Log. The Filter Current Log dialog box opens.
4. In the Event sources box, select the User Profiles Service checkbox, and then select OK.
5. Review the listing of events, paying particular attention to Error events.
6. When you find noteworthy events, select the Event Log Online Help link to display additional information and troubleshooting procedures.
7. To perform further troubleshooting, note the date and time of noteworthy events and then examine the Operational log (as described in Step 2) to view details about what the User Profile Service was doing around the time of the Error or Warning events.

You can safely ignore User Profile Service event 1530 «Windows detected your registry file is still in use by other applications or services.»

Step 2: View the Operational log for the User Profile Service

If you cannot resolve the issue using the Application log alone, use the following procedure to view User Profile Service events in the Operational log. This log shows some of the inner workings of the service, and can help pinpoint where in the profile load or unload process the problem is occurring.

Both the Windows Application log and the User Profile Service Operational log are enabled by default in all Windows installations.

Here’s how to view the Operational log for the User Profile Service:

1. In the Event Viewer console tree, navigate to Applications and Services Logs, then Microsoft, then Windows, then User Profile Service, and then Operational.
2. Examine the events that occurred around the time of the Error or Warning events that you noted in the Application log.

Step 3: Enable and view analytic and debug logs

If you require more detail than the Operational log provides, you can enable analytic and debug logs on the affected computer. This level of logging is much more detailed and should be disabled except when trying to troubleshoot an issue.

Here’s how to enable and view analytic and debug logs:

1. In the Actions pane of Event Viewer, select View, and then select Show Analytic and Debug Logs.
2. Navigate to Applications and Services Logs, then Microsoft, then Windows, then User Profile Service, and then Diagnostic.
3. Select Enable Log and then select Yes. This enables the Diagnostic log, which will start logging.
4. If you require even more detailed information, see Step 4: Creating and decoding a trace for more information about how to create a trace log.
5. When you are finished troubleshooting the issue, navigate to the Diagnostic log, select Disable Log, select View and then clear the Show Analytic and Debug Logs checkbox to hide analytic and debug logging.

Step 4: Creating and decoding a trace

If you cannot resolve the issue using events, you can create a trace log (an ETL file) while reproducing the issue, and then decode it using public symbols from the Microsoft symbol server. Trace logs provide very specific information about what the User Profile Service is doing, and can help pinpoint where the failure occurred.

The best strategy when using ETL tracing is to first capture the smallest log possible. Once the log is decoded, search the log for failures.

Here’s how to create and decode a trace for the User Profile Service:

Sign on to the computer where the user is experiencing problems, using an account that is a member of the local Administrators group.

From an elevated command prompt enter the following commands, where

is the path to a local folder that you have previously created, for example C:\logs:

From the Start screen, select the user name, and then select Switch account, being careful not to log off the administrator. If you are using Remote Desktop, close the Administrator session to establish the user session.

Reproduce the problem. The procedure to reproduce the problem is typically to sign on as the user experiencing the issue, sign the user off, or both.

After reproducing the problem, sign on as the local administrator again.

From an elevated command prompt run the following command to save the log into an ETL file:

Type the following command to export the ETL file into a human-readable file in the current directory (likely your home folder or the %WINDIR%\System32 folder):

Error occurs during desktop setup and desktop location is unavailable when you log on to Windows for the first time

This article provides help to solve an issue where profile loading fails when the ntuser.dat or usrclass.dat file is defined as read-only, or the profile user lacks the appropriate permissions for these two .dat files.

Original product version: В Windows 10 — all editions, Windows Server 2012 R2
Original KB number: В 3048895

Symptoms

Profiles don’t load when users log on to a computer for the first time. Or, you log on to a computer where policy deletes the cached profile after a date interval when you log off.

Logons that use mandatory user profiles or Virtual Desktop Infrastructure (VDI) may also be affected.

Profiles don’t load when users log on by using cached user profiles.

Services don’t start because of profile load failures. Affected services include but aren’t limited to the following:

When this issue occurs, related events are logged. See the events that are logged in Event Viewer.

Process Monitor may indicate that a CreateFile operation fails with an ACCESS DENIED result to the following path, depending on how file access is constrained: :\documents & settings\ \local settings\Application Data\Microsoft\Windows\UsrClasss.dat.

The screenshot of Process Monitor can be seen here:

Cause

Update 3021674 adds checks for access to the Ntuser.dat and the Usrclass.dat files.

Resolution

To resolve this issue, follow these steps:

Check whether the READ ONLY flag is set on the NTUSER.DAT or USERCLASS.DAT file for the profile that fails to load.

New user profiles are derived from C:\users\default\ during first-time account logons. If profiles fail to load with signatures that match those that are described in the «Symptoms» section, check whether the Read-Only bit is enabled on the NTUSER.DAT and USRCLASS.DAT files in the profile directory for the users or service accounts in question.

NTUSER.DAT in Windows Vista and later versions of Windows is located in C:\users\default\ntuser.dat. Earlier operating systems have other paths, such as C:\Documents and Settings\ \ntuser.dat.

The USRCLASS.DAT file is typically located along a path like C:\Documents and Settings \Local Settings\Application Data\Microsoft\Windows\UsrClass.dat or C:\Users \AppData\Local\Microsoft\Windows.

In Windows Explorer, right-click the NTUSER.DAT or USRCLASS file for the relevant default user or cached user profile. The Read-only check box should be cleared. It this check box is selected, it will cause profile load failures.

Check the NTFS File System permissions setting on the NTUSER.DAT or USERCLASS.DAT file in the cached profile directory that fails to load.

In the following screenshot, the test user, CONTOSO/testUser, has full control over NTUSER.DAT (not shown) and USRCLASS.DAT. Everyone isn’t listed in the ACL Editor group.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the «Applies to» section.

More information

Events that are logged in Event Viewer

Details of the failure that are displayed in Process Monitor

ProMon detailsThe following message is displayed in Process Monitor:

Desired Access: Generic Read/Write, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: H, ShareMode: Read, Write, AllocationSize: n/a, Impersonating:

The following screenshot shows the Process Monitor details: