Temporary Profiles and IIS Application Pool Identities

Published on Monday, September 24, 2012

I’m a bit stumped that I’ve only come across this now. Recently I discovered that there are some cases where your service account can end up using a temporary profile. Typically this happens when the service account has very limited privileges on a server, like application pool identities that run as a regular AD user, which I consider a best practice. I saw this myself in the context of the application pool identities in a SharePoint 2010 farm or with SQL Server Reporting Services 2008 R2.

The phenomenon is also described by Todd Carter in “Give your Application Pool Accounts A Profile”. Note that this does not apply to all application pool identities, only to those running with “load profile=true”.

In the Application event log you can find the following event:

Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

How to fix it if you see those nasty “c:\users\TEMP” folders?

  1. Stop the relevant application pools
  2. Stop the IIS Admin Service (in services.msc)
  3. See that the TEMP folders are gone in c:\users
  4. Follow the next steps

How to make sure your accounts get a decent profile?

We will temporarily add the service account to the local administrators group so it can create a profile. In fact, all it needs is the “logon locally” privilege. The second command starts a command prompt while loading a profile, which ensures a proper profile is created. The third command removes the account from the administrators group again.

  1. net localgroup administrators CONTOSO\AppPoolAccount /add
  2. runas /u:CONTOSO\AppPoolAccount /profile cmd
  3. net localgroup administrators CONTOSO\AppPoolAccount /del

As a side note: if the TEMP folders are not disappearing, or you are still getting a temporary profile, you can try to properly clean up the temporary profile:

  1. Stop the application pools
  2. Stop the IIS Admin Service
  3. Right-click Computer and choose Properties, go to the Advanced tab and then pick User Profiles. There you can properly delete them.

If you’re still having trouble, you might need to delete the TEMP folders manually AND clean up the following registry location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. In particular, check for keys with .bak appended to their name.
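
A read-only check for the symptoms described in this post, as an added example that is not part of the original post: it lists ProfileList keys that end in .bak or point at a TEMP folder, TEMP folders left under C:\Users, recent Application log entries carrying the temporary-profile message, and whether the account is still in the local Administrators group. It assumes PowerShell 3.0 or later, an elevated prompt, the default C:\Users profile directory and the English group name; the account name is the post's sample value.

```powershell
# Added example: read-only audit, nothing on the system is modified.
# Assumes PowerShell 3.0+, an elevated prompt and an English-language group name.
# CONTOSO\AppPoolAccount is the sample account from the post; pass your own.
param([string]$Account = 'CONTOSO\AppPoolAccount')

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# 1. Registered profiles: flag .bak keys and paths that point at a TEMP folder.
$profiles = Get-ChildItem $profileList | ForEach-Object {
    $key     = $_.PSChildName
    $path    = (Get-ItemProperty $_.PSPath).ProfileImagePath
    $sidText = $key -replace '\.bak$', ''
    try {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier $sidText
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved>'   # orphaned SID or a key that is not a SID
    }
    [pscustomobject]@{
        Account = $name
        Key     = $key
        Path    = $path
        IsBak   = $key -like '*.bak'
        IsTemp  = $path -match '\\TEMP(\.|$)'   # TEMP, TEMP.CONTOSO, TEMP.CONTOSO.000
    }
}
$profiles | Where-Object { $_.IsBak -or $_.IsTemp } | Format-Table -AutoSize | Out-Host

# 2. TEMP folders left behind under the profiles directory.
Get-ChildItem 'C:\Users' -Directory -Filter 'TEMP*' |
    Format-Table FullName, LastWriteTime -AutoSize | Out-Host

# 3. Recent Application log entries carrying the temporary-profile message.
Get-WinEvent -LogName Application -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*temporary profile*' } |
    Select-Object TimeCreated, ProviderName, Id -First 10 |
    Format-Table -AutoSize | Out-Host

# 4. The account must not still be in the local Administrators group.
if (net localgroup Administrators | Select-String -SimpleMatch $Account) {
    Write-Warning "$Account is still a member of the local Administrators group"
}
```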

4 Responses to Temporary Profiles and IIS Application Pool Identities

25 October, 2012 17:22

Thanks for the post. Just discovered the same thing with SharePoint 2010 when troubleshooting a SharePoint Learning Kit issue.

Strange it just popped out of the blue for you too. I almost have to suspect a Windows or SharePoint update/service pack as being responsible.

I'm going to try your workaround on my test servers and may make this a best practice for all of our IIS boxes.

27 October, 2012 16:31

Thanks for taking the time to post back.

SRW
12 November, 2012 22:05

Can you help me? I received the message you mention:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
This is a home computer, I'm the only one who uses it, it's VERY old, and this has NEVER happened. I only have one profile "owner" on it and now I can't access anything on my computer - desktop/my documents, it's all gone!!!

12 November, 2012 22:51

I'm sorry but that's very hard to troubleshoot without hands on. If I were to troubleshoot this I'd log on as a local administrator (be it with a temporary profile or not) and then try to create a new user, give him administrator rights and then log on as that new user. If you use a new profile then, you can try to fix the old one by verifying both file and registry entries belonging to profiles.

If that's all too techy and complex I'd advise to just format the machine....
