Unreasonable profile userid. How to fix “The User Profile Service failed the login” problem

So now you have a problem if you write a library that will be used by both old-school code written with wchar_t defined as an alias for unsigned short and new-school code written with wchar_t as a separate internal type. What data type do you need to use for string parameters?

This is a translation of The sad history of Unicode printf-style format specifiers in Visual C++.

Windows implemented Unicode earlier than most other operating systems. As a result, Windows solutions to many problems differ from the solutions chosen by those who waited for the dust to settle¹. The most striking example is Windows' use of UCS-2 as its Unicode encoding. At the time it was the encoding recommended by the Unicode Consortium, because Unicode 1.0 supported only 65,536 characters². The Unicode Consortium changed its mind five years later, but by then it was too late for Windows, which had already released Win32s, Windows NT 3.1, Windows NT 3.5, Windows NT 3.51 and Windows 95, all of which used UCS-2³.

But today we'll talk about printf style format strings.

This is the translation of If FlushInstructionCache doesn’t do anything, why do you have to call it, revisited.

You are expected to call the FlushInstructionCache function when you generate or modify executable code at run-time - so that the processor, when executing your generated/modified code, reads the instructions you wrote, rather than old instructions that may remain in the processor's instruction cache.

Previously we learned that . This is because a simple function call was enough to clear the command cache.

But on Windows NT the FlushInstructionCache function does real work, because it needs to notify all other processors to clear their caches.

However, if you look at Windows 10, you will find that the FlushInstructionCache function looks like the Windows 95 version: it doesn't do anything.

What's the matter?

The situation is this: I have Windows 7 Professional, licensed. I bought it in anticipation of DXHR so that I could play normally in my favorite cyberpunk game from childhood. In the meantime, until the game is released, it is used for debugging and rewriting applications that are purely applications that I write myself, which do not go anywhere further (relatively speaking) with ordinary mutexes, threads, processes, files and sockets; during testing, I actively read the documentation on the Internet. But I myself am a Linux-id, and therefore I rarely go to W7.

And so, sometimes I live in this Windows 7, I update regularly and I’m even glad that these are the great people at Microsoft, the system has never even crashed or frozen, I’m pleased with the speed of operation, antiviruses, firewalls and in general you can even live... Apparently, overpraised.

Yesterday, after the next update, I discovered that I can’t create files in my Documents. The system began happily reporting that they say Permission denied, enter the administrator password... Well, okay, I think, maybe I accidentally messed something up, clicked the wrong checkbox somewhere, it happens. I don’t have anything valuable in my user profile, so I, without thinking too much, deleted it (naturally, through the control panel and deleting the user, or you never know) so as not to suffer later.

Then, I created a new user... And this started strange behavior: when I click on the icon of a newly created standard user on the Logon screen, the system writes: The User Profile Service service failed the login. User profile cannot be loaded.

Well... I thought, maybe it’s Windows. I mentally put -1 in his karma and went to look for a solution. It seems like I found it: support.microsoft.com/kb/947215 - but here’s the problem: nothing that’s described there helps. But it says about some Group Policy settings... Hmm, I think, however... I definitely didn’t go there and didn’t change anything, and in general on the Microsoft website it says that there is no such thing in Windows 7 Professional, but it is only in the Enterprise and Ultimate versions.

And now it’s completely unclear what the problem could be. I, as a Linux-id, generally cannot even imagine such behavior of the system: when an account is successfully created, but the system cannot use it in any way - and I am not able to understand in which direction to dig, that is, I have complete frustration, a lack of mental models of what is happening, and a complete lack of understanding of which keywords to use to look for a solution to the problem. I can't even find anything in the Registry related to the user I created. It’s not even in the list of SIDs - this is absolutely mysterious to me: how can you create a user like this, but not assign an identifier to him?.. It’s just mystical.

Therefore, all my hopes are in the Habracommunity (I looked in other communities, they simply repeat the recipe from Microsoft in different versions). What to do, where to look, what to look for? You can’t run your glitchy programs and roam the Internet as an administrator.

P.S. Or, would it be easier to demolish this Windows (a pity for the money, of course, but... it’s just... such a bummer is not childish) and hope that when DXHR comes out, it will run under WiNE?.. The 2nd parts of Starcraft and Portal.

The profile has two purposes: managing the use of a password and limiting the number of session resources used. Password usage checking is always enabled, resource usage checking is only available when the RESOURCE_LIMIT=TRUE parameter is enabled (disabled by default). Profiles are used by default, but default profiles (applied to all users, including SYS and SYSTEM) check very little.

Profile password limits are always enforced; profile resource limits are enforced only if the instance parameter RESOURCE_LIMIT is TRUE.

The following restrictions may be applied to the password:

  • FAILED_LOGIN_ATTEMPTS – sets the number of consecutive incorrect password entries before the account is locked. If the correct password is entered before the account is locked, the counter is reset to zero.
  • PASSWORD_LOCK_TIME – sets the number of days the account stays locked after FAILED_LOGIN_ATTEMPTS is reached
  • PASSWORD_LIFE_TIME – the number (in days) until the password expires. After this, the password may still be active for some time, depending on PASSWORD_GRACE_TIME
  • PASSWORD_GRACE_TIME – the number of days, counted from the first successful connection after the password expires, during which a prompt to change the password is displayed. The old password is still valid during this time
  • PASSWORD_REUSE_TIME – Number of days before the password can be used again (password value)
  • PASSWORD_REUSE_MAX – sets how many times the same password can be used
  • PASSWORD_VERIFY_FUNCTION – name of the function to be executed when the password is changed. Its purpose is to check the new password against the required security level, but you can use it for any purpose.

Resource Limitation

Restrictions on the use of server resources (kernel limits) are:

  • SESSIONS_PER_USER – the number of parallel connections that the same account can create. Sessions will be blocked upon reaching this value
  • CPU_PER_SESSION – CPU time (in centiseconds) that the session's server process can use before being forced to terminate
  • CPU_PER_CALL – CPU time (in centiseconds) that the server process can use to execute one SQL command before the query is forced to stop execution
  • LOGICAL_READS_PER_SESSION – the number of blocks that a session can read (regardless of whether they come from the buffer or from disk) before the session is forcibly terminated
  • LOGICAL_READS_PER_CALL – the number of blocks that a request can read (regardless of whether they come from the buffer or from disk) before the request is forced to stop
  • PRIVATE_SGA – for sessions connected using a shared server architecture, the number of kilobytes that the session can use in the SGA
  • CONNECT_TIME – in minutes, maximum session duration
  • IDLE_TIME – in minutes, the duration of inactivity after which the session is forcibly disconnected
  • COMPOSITE_LIMIT – a weighted sum of other attributes. Not covered in this course

No resource usage limits are enforced until the RESOURCE_LIMIT instance parameter is set to TRUE. The default value is FALSE. You can enable it by executing the statement

ALTER SYSTEM SET RESOURCE_LIMIT=TRUE;

When a session is disconnected because it reached a limit, any uncommitted transaction it had is rolled back. If the execution of a single request is stopped, the changes made by that request are rolled back, but all previously executed commands remain in effect and uncommitted.

Profiles can be used to limit resource usage, but a much more sophisticated tool is the Resource Manager.

Creating and assigning profiles

You can manage profiles through Database Control or SQL*Plus. To view the profiles currently assigned to users, run the query

select username,profile from dba_users;

By default, all accounts (except for the two internal accounts DBSNMP and WKSYS) will use the DEFAULT profile. Query to view the profile:

select * from dba_profiles where profile='DEFAULT';

The DEFAULT profile has no resource restrictions, but there are several password restrictions

These restrictions are not too strong: the password can be entered incorrectly 10 times before the account is blocked for one day, and the password expires after six months with a grace period of a week. The simplest way to apply stricter password restrictions is to run the script supplied with Oracle, $ORACLE_HOME/rdbms/admin/utlpwdmg.sql. This script will create the VERIFY_FUNCTION and VERIFY_FUNCTION_11G functions and then execute the statement

ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 180
PASSWORD_GRACE_TIME 7
PASSWORD_REUSE_TIME UNLIMITED
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LOCK_TIME 1
PASSWORD_VERIFY_FUNCTION verify_function_11G;

This command will change the DEFAULT profile. All users with the DEFAULT profile (all default users) will immediately pick up the new values. The only change will be to use the verify_function_11G function. This function will check the password against certain criteria, namely

  • The new password must be at least 8 characters long
  • The password must not be the same as the username
  • Frequently used simple passwords (for example, oracle) will be rejected
  • The new password must contain at least one capital letter and one number
  • The password must differ by at least three characters from the previous one

You can take this function as an example and modify it as per your requirements. In general, it is advisable to create separate profiles for different user groups.

To create a profile, use the CREATE PROFILE command, setting the necessary restrictions. Unset values will be taken from the DEFAULT profile. For example, consider a scenario where users can only open one session, administrators can create as many sessions as they want and must change the password once a week with a grace period of one day, and programmers can open two sessions. To do this you can run the commands

alter profile default limit sessions_per_user 1;

Then create a profile dba_profile and assign it to the system user

create profile dba_profile limit sessions_per_user unlimited password_life_time 7 password_grace_time 1;

alter user system profile dba_profile;

And create a profile for programmers

create profile programmers_profile limit sessions_per_user 2;

alter user jon profile programmers_profile;

alter user sue profile programmers_profile;

For resource limits to take effect, you must set the instance parameter

alter system set resource_limit=true;

If the instance uses SPFILE, this change will be applied to the parameters file and will be used even after a restart.

A profile cannot be deleted if it is assigned to a user. You can either first transfer users to another profile, or use the CASCADE directive, which will automatically reassign users using the deleted profile back to the DEFAULT profile.
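An audit of the profile setup described above, as an added example that is not part of the original article. It assumes SELECT access to V$PARAMETER, DBA_USERS and DBA_PROFILES; the finding texts and the threshold of 10 failed logins (taken from the DEFAULT profile values quoted above) are illustrative choices.

```sql
-- Added example, not from the original article.

-- 1. Are kernel limits enforced at all? While this is FALSE, SESSIONS_PER_USER,
--    IDLE_TIME and the other resource limits are stored in the profile but
--    never applied to sessions.
SELECT name, value
FROM   v$parameter
WHERE  name = 'resource_limit';

-- 2. Effective password limits for every open account.
--    A LIMIT of 'DEFAULT' in a custom profile means "inherit the value from
--    the DEFAULT profile", so it is resolved before being judged.
WITH effective AS (
  SELECT u.username,
         u.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS eff_limit
  FROM   dba_users    u
  JOIN   dba_profiles p ON p.profile = u.profile
  JOIN   dba_profiles d ON d.profile = 'DEFAULT'
                       AND d.resource_name = p.resource_name
  WHERE  u.account_status = 'OPEN'
  AND    p.resource_type  = 'PASSWORD'
),
findings AS (
  SELECT e.username,
         e.profile,
         e.resource_name,
         e.eff_limit,
         CASE
           WHEN e.resource_name = 'PASSWORD_VERIFY_FUNCTION'
                AND e.eff_limit = 'NULL'
             THEN 'no verification function: new passwords are not checked'
           WHEN e.resource_name = 'FAILED_LOGIN_ATTEMPTS'
                AND e.eff_limit = 'UNLIMITED'
             THEN 'account is never locked after wrong passwords'
           -- The inner CASE yields NULL for non-numeric limits, so TO_NUMBER
           -- is never applied to 'UNLIMITED' or a function name.
           WHEN e.resource_name = 'FAILED_LOGIN_ATTEMPTS'
                AND TO_NUMBER(CASE WHEN REGEXP_LIKE(e.eff_limit, '^[0-9]+$')
                                   THEN e.eff_limit END) > 10
             THEN 'more than 10 wrong passwords allowed before lock'
           WHEN e.resource_name = 'PASSWORD_LIFE_TIME'
                AND e.eff_limit = 'UNLIMITED'
             THEN 'password never expires'
         END AS finding
  FROM   effective e
)
SELECT username, profile, resource_name, eff_limit, finding
FROM   findings
WHERE  finding IS NOT NULL
ORDER  BY username, resource_name;
```

Accounts that still appear after utlpwdmg.sql has been run are usually assigned a custom profile that sets its own weaker value instead of inheriting from DEFAULT.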

Roaming user profiles are easy to create. To create them you don't even need to understand Active Directory or Group Policy, but knowledge of these technologies will greatly simplify your life when managing such profiles. In a nutshell, to create roaming profiles you need to configure the network location where the profiles will be stored, and then configure each user account to point to that network location. All these actions are described below:

A mandatory user profile is created in the same way, except that after the desktop has been set up (once the user, say the head of a department, or you yourself have completed all the settings for the current profile), the profile's file should be renamed from NTUSER.DAT to NTUSER.MAN. In addition, each mandatory user profile should be stored in a specially designated top-level folder. That is, you need to create the following folder hierarchy: a top-level root folder, say Profiles, containing the folder mandatory_user_profiles, which in turn contains the folders with the mandatory user profiles. For this folder you need to grant only "Read" permissions, which prevents users from making changes to their mandatory user profile stored on the server. After that, on the user's "Profile" tab, in the corresponding text field, specify the name of the user folder that will become the mandatory user profile, with the suffix .man (.man.v2 for users who log on from Windows Vista and later operating systems) at the end.

Managing roaming user profiles using Group Policy

As you know, in Active Directory domains it is advisable to use group policies to reduce the cost of managing computer systems. Roaming user profiles are no exception. Group policies allow you to manage most of the tasks you might encounter when deploying roaming user profiles. To do this, Microsoft provides 23 Group Policy settings located in the Policies\Administrative Templates\System\User Profiles nodes of the Computer Configuration and User Configuration sections. Consider these settings:

Fig. 4. User Profile Management Policy Settings

Adds the Administrators security group to roaming user profiles.

This Group Policy setting is used to add the Administrators security group to the roaming user profile share and to grant it full access. After you set up a roaming user profile, it will be created the next time the user logs on, in the location you specify. If the setting is disabled or not configured, only the user receives full access to their profile and the Administrators group has no access to the files; if the setting is enabled, the Administrators group also has full access rights to the user's profile folder. If you enable this setting after a profile has been created, it will not affect the previously created profile. It is worth noting that you should configure this setting not on the profile server but on the user's computer, since the file share permissions are assigned to the roaming profile when it is created.

When the system is rebooted, delete user profiles after the specified number of days.

This setting allows the administrator to have user profiles that have not been used for the number of days specified in the policy deleted automatically when the system is rebooted; a day is counted as 24 hours from the moment the profile was last accessed. If the setting is enabled, profiles unused for the specified number of days are automatically deleted by the User Profile Service when the system is rebooted. If the setting is not configured or disabled, automatic deletion does not occur. For users on frequent and long business trips, the use of this setting should be planned individually.

Do not check user ownership of roaming profile folders.

This setting disables the secure default for the roaming user profile folder, which defines how an existing folder is handled when computers are updated and maintains and improves the security of the user profile. Starting with the Windows XP SP1 operating system, files are not copied to the roaming profile folder if it already exists and its permissions are incorrect. When this setting is enabled, the Windows operating system does not check the existing folder. When the setting is disabled or not configured and the existing roaming user profile folder fails the check, files are not copied and an error message appears in the event log. If there is no cached profile, a temporary user profile is used.

Delete cached copies of roaming profiles.

Using this setting, you can determine whether copies of the user's roaming profile are kept on the hard drive when the user logs off. Together with the related settings in this folder, it defines the strategy for managing user profiles that are located on remote servers and determines what the system does when the profile takes a long time to load. As mentioned earlier, when a user logs off, the roaming user profile is saved to the local hard drive to cover the case where the profile server is unavailable. When this setting is enabled, all local copies are deleted, leaving the roaming profile only on the profile or file server. If your connection is slow, this setting should be disabled, because a slow connection requires a local copy of the roaming profile.

Do not force the user's registry to be unloaded when the user logs out.

This Group Policy setting is used in case of application compatibility issues. The operating system unloads the user's registry at logoff, regardless of open handles to user registry keys. Because using this setting may prevent roaming profiles from receiving updates, we recommend using it only as a last resort. If this setting is enabled, the registry is not forcibly unloaded at logoff; instead, the registry is unloaded after the handles to the user registry keys are closed. If the setting is disabled or not configured, the registry is always unloaded, even when handles are open.

Do not detect slow network connections.

As you already know, slow connection is a measurement of the speed at which a user's computer connects to a remote server containing the user's roaming profile. When the system detects a slow connection, the roaming profile folder settings determine how the system reacts to the slow connection. When this option is enabled, the system does not detect a slow connection and none of the network connections will be considered as such; accordingly, roaming profiles are always blocked. The system ignores settings that specify how to respond to slow connections. When disabled or not configured, the system measures the connection speed to the remote server that stores the user profile. If the connection is slow, the system will use other settings set in the roaming profile folder to proceed further, loading a local copy of the user profile by default.

Prompt the user when a slow network connection is detected.

This Group Policy setting will help you if your users require the roaming profile to be loaded even when there is a slow network connection to the profile server. On Windows XP and earlier operating systems, when a slow connection is detected, a dialog box is displayed offering the option to load the remote copy of the roaming profile. On Windows Vista and later operating systems, only a check box is displayed at logon to determine whether to load the user profile. When this policy setting is enabled, users themselves decide whether to load a roaming profile when the connection to the server is slow. When it is disabled or not configured, a local copy of the user profile is used. When "Wait for the roaming user profile to load" is enabled, the remote copy of the profile will be loaded automatically or the system will completely ignore the user's pre-selection. To configure the response time on operating systems earlier than Windows Vista, use the "Time-out dialog boxes" setting. When "Do not detect slow connection" is enabled, this setting is ignored. When "Delete cached copies of roaming profiles" is enabled, there is no local copy of the profile, so a local copy cannot be loaded on a slow connection.

Leave Windows Installer and Group Policy installation data.

This setting determines whether the operating system keeps Windows Installer and Group Policy installation data when it deletes a roaming user profile. By default, all information related to the profile is deleted, including the installer data, so at the next logon all applications published through policy have to be installed again, which increases the logon time. When you enable this setting, Windows Installer and Group Policy installation data is not removed from the computer, which improves performance the next time users with a deleted profile log on. If the policy is disabled or not configured, the roaming user profile is deleted entirely, including Windows Installer and Group Policy data. When the policy is enabled, a local administrator should remove the Windows Installer and Group Policy data from the user's registry and file system.

Allow the use of local profiles only.

Using this Group Policy setting, you can prevent users with a roaming profile from receiving it on a specific computer. By default, the first time a user logs on, their roaming profile is loaded onto the local computer. At subsequent logons, the roaming profile is merged with the user's local profile. At shutdown and logoff, the local copy of the profile, with the changes made during the session, is merged with the server copy of the profile. When this setting is enabled, the user receives a new local profile at first logon, in which all changes will be saved. The same local profile is used for all subsequent logons, without synchronizing with the server. If this setting is disabled or not configured, the roaming user profile is used by default.

Set the path to roaming profiles for all users logged on to this computer.

This setting determines whether the specified network path is used for all users of a single computer. To use it, enter the path to the network share in the following format: \\computer_name\share_name. To provide an individual profile folder for each user on the computer, add %Username% to the path; otherwise all users will use the same profile folder, and you must ensure that the appropriate security settings are in place. When enabled, all users use the specified path to roaming profiles. When disabled or not configured, users use a local or standard roaming user profile.

Dialog box timeout.

Using this Group Policy setting, you can determine how long the operating system waits for a user response before taking the default action. The default action is used if the user has not responded to a message indicating that a slow connection has been detected, that the profile server is unavailable, or that the local user profile is newer than the server profile. It is advisable to use this setting to override the system default value, which is 30 seconds. You can specify a value between 0 and 600 seconds.

Do not register users with temporary profiles in the system.

This Group Policy setting allows you to automatically log off users when their profiles cannot be loaded. The policy also applies when the profile contains errors that prevent it from loading, and it prevents the operating system from logging the user on with a temporary profile. When this setting is enabled, the operating system will not log a user on with a temporary user profile. If the setting is disabled or not configured and a user profile cannot be loaded, the operating system logs the user on with a temporary profile.

The maximum number of times that a user profile can be downloaded and updated.

By using this Group Policy setting, you can control the number of times an update to the NTUSER.DAT file can be retried when a user logs off or the update fails. When the user logs off, the operating system unloads the user portion of the registry and updates it. The system stops these attempts when the specified number of attempts is exhausted. By default, the system retries 60 times. If you enable this setting, you can change the number of retries to unload and update user registry settings. If you set the value to zero, the operating system will unload and update registry settings only once. If there are many profiles on the computer, it is advisable to increase the number of retries.

Prevent changes to the roaming profile from being sent to the server.

By using this setting, you can prevent changes made to a roaming profile on a specific computer from being applied to the copy of the profile on the server. As mentioned earlier, when a user logs on, their roaming profile is copied to the local computer, and the roaming profile is merged with the local one if they have previously logged on. If you enable this setting, the user will receive their roaming profile when they log on, but any changes the user makes to their profile will not be written to their roaming profile when they log off.

Wait for the roaming profile to load.

This Group Policy setting instructs the operating system to wait for a remote copy of the roaming user profile to load, even if you are connected over a slow connection. By enabling this setting, you will always allow the roaming user profile to be loaded from the server. It is worth paying attention to the fact that if you enabled the parameter, then this Group Policy setting is ignored. Also, when the "Delete cached copies of roaming profiles" setting is enabled and your connection is slow, there is no local copy of the roaming profile to load. If this Group Policy setting is disabled or not configured, then when a slow connection is detected, the system loads a local copy of the roaming user profile.

Timeout of slow network connections for user profiles.

This setting allows you to specify which connections used to load roaming user profiles are considered slow. The operating system considers the connection slow if the server on which the roaming user profile is located responds more slowly than specified in this setting. For computers connected to IP networks, the operating system measures the speed at which the remote server returns data in response to a ping message. To set the threshold for this check, enter in the "Connection speed" text box a decimal number from 0 to 4294967200 representing the minimum acceptable transfer rate in kilobits per second. The default value is 500 kbps. In addition, for computers not on IP networks, if the server's file system does not respond within the maximum acceptable delay in milliseconds, which is specified in the "Time" text field, the server is also considered slow. In this text field, you can enter a value from 0 to 20000. If the "Do not detect slow connections" Group Policy setting is enabled, this setting is ignored.

Background transfer of the roaming user profile registry file when the user logs on.

This setting appeared only in the Windows 7 and Windows Server 2008 R2 operating systems. Using it, you can schedule a background transfer of the roaming user profile registry file. The transfer takes place only if the user is logged on. Note that this setting does not prevent the roaming user profile registry file from being transferred when the user logs off. The main difference between this setting and all the others is that, to use it, you must first select the scheduling method. There are two scheduling methods:

  • Launch at a given interval. With this schedule, the user profile registry file is transferred at the specified interval after the user logs on. In the "Interval" text field you can specify an interval from 1 to 720 hours. For example, if you specify an interval of 4 hours, the registry file will be transferred in the background every four hours even if the user does not log off. The next time the user logs on, the timer starts again;
  • Launch at specified time. When you select this plan, the registry hive will be transferred only once every day at the same time.

Fig. 5. Roaming profile background transfer settings dialog box

Set the maximum network timeout if the user has a roaming profile or a remote home directory.

By default, if you move a profile or delete the main profile folder while the network connection is unavailable, the Windows operating system waits 30 seconds after the user logs on for the network to come back online. Using this setting, you can set how long to wait for the network. If the network remains unavailable after the maximum timeout period, the user logon continues without a network. If the network becomes available before the maximum timeout has expired, the user's logon continues at that point.

Connect the home folder to the root of the share.

This setting specifies the values of the %HOMESHARE% and %HOMEPATH% environment variables, which define the user profile's home folder and contain the full path to the home folder. In this case, users can access the home folder and any of its subfolders through the home folder's drive letter, but cannot view or access its parent folders. When you disable this setting, home folders are mapped to the user's folder rather than to the higher-level share. You cannot use this option on operating systems that were created after the Windows XP operating system.

Sync your main folders only when you log in or log out.

With this Group Policy setting, you can specify network folders that are synchronized using the Offline Files policy only at logon and logoff. This setting is useful for resolving problems with applications that do not work correctly with offline files while the user is online. If this setting is enabled, the network paths specified in the setting are synchronized using the Offline Files policy. If it is disabled or not configured, the paths specified in the setting behave like other cached data processed by the Offline Files policy and remain online while the user is logged on, if the network paths are available.

Exclude folders from the roaming profile.

This Group Policy setting allows you to exclude folders that would otherwise be included in a roaming user profile, so that certain folders are not stored on the profile server. As you know, roaming profiles always exclude the “Appdata\Local” and “Appdata\LocalLow” folders, as well as folders containing temporary files and Internet Explorer browser history. If you enable this setting, you can exclude any folders that are located in the user profile. If you disable this setting, only the default folders will be excluded.

Limit profile size.

This setting allows you to set the maximum size of a user profile and determines what the operating system does when the profile reaches that size. With this setting, you can set the maximum profile size, determine whether the profile size includes registry files, specify whether end users receive notifications when the maximum profile size is exceeded, specify a custom message notifying the user that the profile size has been exceeded, and determine how often this message is displayed. If you disable or do not configure this setting, the operating system will not limit the size of the user profile.

Conclusion

In this article, you learned about the purpose and types of user profiles, which have a number of advantages both for system administrators and for end users. We learned that user profiles allow you to apply personal settings each time a user logs into the operating system, rather than being used to log in, as is the case with user accounts. The article provides a table from which you can find out about all the folders that are part of the profiles. We talked about how roaming user profiles are created, and also looked at group policies that allow you to manage roaming and local user profiles.