Win7 deactivates and loses all profiles?

schnell

This has happened to several computers on my work domain. The computer will work fine one day and the next day the user will come in and the computer says Windows is not active and everything is gone. It looks like the computer has just had Windows installed on it. It is no longer joined to the domain and none of the user accounts are active. When you browse the hard drive all of the user profiles are still there and all of the programs are still there but they don't work. It looks like a system restore happened but the computer did it on its own.

Any sys admins seen something like this happen?
 
Verify the ProfileList key to make sure that everything is still there & that the permissions for it are correct
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
 

Only one profile is in the list. The one created during the Windows install.
 

Something overwrote the registry. This list should contain all accounts that have logged on to it (system, services, local, & domain). Do you have any backups or system restores?
 
It has the system accounts:
Systemprofile
Localservice
Networkservice

But the 4 or 5 user accounts that should be there are not.

Do you have any backups or system restores?

Not for a desktop in the environment. I guess I will back up the files and rebuild.

Any idea on how to keep this from happening in the future?
 

Anything odd in the event logs? I'm not sure what would trigger that to happen.

Best way to prevent it at the profile level would be to back up that key & any other keys that deal with system profiles. I'm not sure what other parts of the OS are impacted.
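
The ProfileList check and the key backup suggested in the replies above, as an added PowerShell example that is not part of the original thread. `C:\Users` as the profile root and the `C:\ProfileListBackup` folder are assumptions; run it from an elevated prompt.

```powershell
# Added example, PowerShell 2.0 compatible (the version shipped with Windows 7).
$key       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$usersRoot = 'C:\Users'               # assumption: default profile root
$backupDir = 'C:\ProfileListBackup'   # hypothetical backup folder

# 1. One row per SID subkey: the account it maps to and its profile folder.
$registered = Get-ChildItem -Path $key | ForEach-Object {
    $sid = $_.PSChildName
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Not translatable: e.g. a domain SID on a machine that left the domain,
        # or a subkey name that is not a plain SID (such as a ".bak" copy).
        $account = '<unresolved>'
    }
    New-Object PSObject -Property @{
        Sid     = $sid
        Account = $account
        Path    = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    }
}
$registered | Format-Table Sid, Account, Path -AutoSize

# 2. Folders on disk with no ProfileList entry (the symptom described in this thread).
$known   = $registered | ForEach-Object { $_.Path }
$ignore  = 'Public', 'Default', 'Default User', 'All Users'
$orphans = Get-ChildItem -Path $usersRoot -Force | Where-Object {
    $_.PSIsContainer -and $ignore -notcontains $_.Name -and $known -notcontains $_.FullName
}
$orphans | Select-Object FullName, LastWriteTime

# 3. Permissions on the key itself.
(Get-Acl -Path $key).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize

# 4. Dated export of the key. A .reg export holds values only, not the key's ACL.
if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' "$backupDir\ProfileList-$stamp.reg" /y
```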
 
A computer should not disjoin a domain, it needs permissions to do that. Do you have some recovery software on a different partition that might be recovering the primary partition? That's the only thing I can think of by the description.

This posting is provided "AS IS" with no warranties, and confers no rights.
 

Nope.

And it is not simply disjoined from the domain. That is one of the symptoms. Everything config-wise is gone from the machine. None of the GPOs are applied anymore. All of the applications installed are gone from the start menu, they are still installed but do not run. All of the profiles are gone from the registry but still exist on the machine. A setup account that is created during the imaging process is the only account that exists on the machine, which is crazy since the account gets deleted. It's like somehow the computer got reverted back to the state it was in right after it got imaged about 8 months ago.

I have seen this happen several times in the environment. At first I thought it was some kind of system restore or something but it happened to the IT manager's VM about 2 months ago too. It is really starting to worry me as we are looking to start a large scale rollout of Win7 starting in January 2013.
 
As someone said, what does event viewer say? This isn't a VM btw. It would be quite easy to revert to an old snapshot, although I suppose in that case the profiles wouldn't be around.

You also need to give the exact error message e.g. is it:

A problem has prevented Windows from accurately checking status of your license for this computer.
This copy of Windows is not active.
 
Physical machine. No clues in the event viewer that I saw. I did not have much time to dink around with looking into it, I just rebuilt the machine. I do have a VHD of the machine however so if there is a way to load up the event viewer from a VHD I can look.
 
Sounds to me like something is telling the machines to restore an old version of the registry.

Are you sure that there isn't some virus or something on at least one of the machines on the network?

What about software? A botched update process could cause this. Haven't seen anything as bad as you are describing in quite a while.

What AV are you running?

This is definitely not something wrong with Windows 7. Something else is causing it.
 
AV is SEP 12.1
There was nothing in the logs of SEP

Just because there isn't anything in the log doesn't mean it isn't some sort of virus. A non detection only means that the AV didn't detect anything.
 
Domain Profiles are still going to be in C:\Users but you won't be able to use them since you are no longer in the domain. You will only be able to log into local profiles until this is resolved. Go to computer management and view User Profiles. The profiles marked as domainname\username are the domain profiles. Ones that are not marked that way will be the local profiles.

Is this machine being activated by KMS and by chance lost connectivity to the KMS server?
 

No.

The best way I can describe this is it appears that the machine kicked off a system restore on its own. Programs are still installed but not in the registry so it looks similar to what happens when system restore is used and the registry is restored to a previous version. However, I can tell you for sure that these users did not run a system restore on their own.

Is it possible that a failed Windows update could kick off a system restore?
 
Physical machine. No clues in the event viewer that I saw. I did not have much time to dink around with looking into it, I just rebuilt the machine. I do have a VHD of the machine however so if there is a way to load up the event viewer from a VHD I can look.

It's easy - just open event viewer and then from the Action Menu "Open Saved Log". The files I think are in C:\Windows\System32\winevt\Logs nowadays.

As I said before, can you get the exact error message.

Also, what exactly does "they do not run" mean in your sentence "All of the applications installed are gone from the start menu, they are still installed but do not run". The event log should capture any borks.
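
Reading the saved logs from the attached VHD without the Event Viewer GUI, as an added PowerShell example that is not from the thread. The `V:` drive letter and the incident time are assumed placeholders.

```powershell
# Added example, PowerShell 2.0 compatible. Assumed values: drive letter and date.
$logDir  = 'V:\Windows\System32\winevt\Logs'   # Windows volume of the attached VHD
$noticed = Get-Date '2012-11-05 08:00'         # constructed: when the reset was noticed
$from    = $noticed.AddHours(-24)

$events = foreach ($name in 'System', 'Application', 'Setup') {
    $file = Join-Path $logDir "$name.evtx"
    if (-not (Test-Path $file)) { Write-Warning "Missing log: $file"; continue }

    # Does the log cover the window at all? A log whose oldest record is later
    # than $from was cleared, recreated or has rolled over.
    $oldest = Get-WinEvent -Path $file -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $newest = Get-WinEvent -Path $file -MaxEvents 1 -ErrorAction SilentlyContinue
    Write-Host ("{0}: {1} .. {2}" -f $name, $oldest.TimeCreated, $newest.TimeCreated)

    # Everything logged in the 24 hours before the reset was noticed.
    Get-WinEvent -FilterHashtable @{ Path = $file; StartTime = $from; EndTime = $noticed } `
        -ErrorAction SilentlyContinue
}

# Which providers were writing events in that window, busiest first.
$events | Group-Object ProviderName | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Timeline of warnings and worse (Level 1 = Critical, 2 = Error, 3 = Warning).
$events | Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } | Sort-Object TimeCreated |
    Format-Table TimeCreated, LogName, ProviderName, Id, LevelDisplayName -AutoSize
```

Message text may be empty for some events because the provider's message resources are resolved on the machine doing the reading, not the one that wrote the log.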
 
What are local user rights?

Could someone in your office be dicking around with systems .....
 
I've seen this happen a lot with laptops. Something crashes it and the dopey user tries to do an auto repair or for some reason it defaults to have windows automatically fix the problem. If it doesn't find it, it tries to revert back to when it was imaged. Telltale sign is the computer name is the randomized one prior to post-imaging that we do and is no longer on the domain...
 
Was there a resolution to this issue? I'm curious about it.
 