Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1533 Source: UserProfileService

Level
Description
Windows cannot delete the profile directory C:\Users\<username>. This error may be caused by files in this directory being used by another program.

DETAIL - The directory is not empty.
Comments
 
In our case this error showed up on our Windows 2008 Citrix XenApp 5.0 virtual servers running on an VMware ESX host after enabling the "set path for TS Roaming User Profile" group policy and pointing it to a DFS share in addition to enabling the "Delete cached copies of roaming profiles" group policy.

On an attempt at starting an application through Citrix web access the users would see the message:

The User Profile Service failed the logon
User profile cannot be loaded.

On investigation it appeared that the cached copy of the roaming profile was not being cleaned up correctly on log out the file C:\Users\<username>\AppData\Local\VMware\hgfs.dat was locked and was being left behind.

Further researched showed that the file is related to VMWare shared folders and it is an issue with VMWare Tools and Terminal Server roaming profiles. For details and first part of the fix please see:
- EV100024
- EV100023

The second part of the fix is to clean up the broken user profiles.  There are two components to delete: the cached copy of the roaming profile (on all affected local servers) and the related registry entries on the affected local servers.

Deleting the cached copies of the roaming profiles on the local servers without deleting the corresponding registry entries may cause other problems.

In the registry editor open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. The subkeys are the SIDs of users that logged on to that server before.  Looking at each SID key look at the ProfileImagePath value (which will also give you the user name) and note the path. Temporarily prevent the user from logging on to any Citrix server and delete the folder given by the path along with the SID subkey. You may also find SID.bak subkeys in which case you may not find the related ProfileImagePaths these subkeys should be deleted as well.  We also deleted all other orphaned folders in the local profile directory not referenced in the registry. Repeat for all other Citrix servers. Re-enable user logon to Citrix.

FYI: Joe Shonk of the Shonk Project wrote a VB script to automate deletion of profiles. However I have not used the script and can't comment. It is available at EV100025.

References: EV100026, ME947242

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...