Initial login for newly created user account failing

System: Windows Server 2012R2


About: This note documents a peculiar fault encountered with the initial login for a newly created user account on a Windows Server 2012R2 system; both the way it manifested and its root cause were quite bizarre.

Symptoms and context: A new user account with administrative privileges had been created on a Server 2012R2 system, and the initial login for that account would not go through, failing instead with the error

The user profile service failed the logon - User profile cannot be loaded.

shown on the login screen.

The Application event log would record event ID 1509 from the User Profile Service source, reading:

Windows cannot copy file \\?\C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk to location \\?\C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk. This error may be caused by network problems or insufficient security rights.

DETAIL - Access is denied.

Root cause analysis: Troubleshooting turned up the fact that a new user profile is created by copying the (Hidden) C:\Users\Default folder to the target profile folder, C:\Users\%username% - in this particular situation the copy failed for no apparent reason. It turned out that the C:\Users\Default folder was missing the standard Read & execute permission for the Everyone group. The copy is performed in the security context of the user being logged on, and a brand-new account is granted read access to the default profile only through that Everyone entry (every account is a member of Everyone); with the entry gone, at least the [...]Start Menu\Programs\System Tools part of the default profile could not be read, and the profile service aborted the entire profile creation and the logon rather than leave behind an incomplete profile. The account's administrative privileges did not help here: under UAC the interactive logon runs with a filtered token, so the Administrators entry on the folder does not grant access at that point.

Resolution: The fix is to (re)grant the Everyone group Read & execute permission on the C:\Users\Default folder, inheritable by its subfolders and files. The quickest way is to run the command below from an elevated cmd.exe shell ((OI)(CI) makes the entry inherit to files and subfolders, RX is Read & execute); the next login attempt for the account then goes through:

icacls C:\Users\Default /grant Everyone:(OI)(CI)RX

Note: %username% above is a placeholder for the actual user name.
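The following PowerShell script is an added example and not part of the original note: it checks whether C:\Users\Default still carries the inheritable Everyone Read & execute entry, restores it with the same icacls grant as above if it does not, and lists recent event 1509 entries so the failure can be confirmed before and after the fix. The function names, the lookup of Everyone by its well-known SID S-1-1-0, and the event-provider name used for the Application log query are this example's own choices and assumptions, not anything stated on the page.

```powershell
# Added example (not from the original note): verify / repair the Everyone Read & execute
# entry on the default profile folder and show recent profile-copy failures (event 1509).
# Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$DefaultProfile = 'C:\Users\Default'   # Hidden folder; Get-Acl reads it regardless of the attribute
$EveryoneSid    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'  # Everyone (well-known SID)

function Test-DefaultProfileAcl {
    param([string]$Path = $DefaultProfile)

    $acl    = Get-Acl -LiteralPath $Path
    $wanted = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $ci     = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $oi     = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

    foreach ($ace in $acl.Access) {
        # Compare on the SID rather than the display name so the check is locale-independent
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -ne $EveryoneSid) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # RX must be present and the entry must inherit to subfolders (CI) and files (OI);
        # without inheritance the items under Start Menu\Programs\... stay unreadable
        $hasRx = (($ace.FileSystemRights  -band $wanted) -eq $wanted)
        $hasCi = (($ace.InheritanceFlags  -band $ci)     -eq $ci)
        $hasOi = (($ace.InheritanceFlags  -band $oi)     -eq $oi)
        if ($hasRx -and $hasCi -and $hasOi) { return $true }
    }
    return $false
}

function Repair-DefaultProfileAcl {
    param([string]$Path = $DefaultProfile)

    if (Test-DefaultProfileAcl -Path $Path) {
        Write-Host "Everyone Read & execute is already present on $Path; nothing to do."
        return
    }
    # Same repair as the cmd.exe command in the note; icacls accepts the principal as *SID
    & icacls.exe $Path /grant '*S-1-1-0:(OI)(CI)RX'
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    if (-not (Test-DefaultProfileAcl -Path $Path)) { throw "ACL on $Path still not as expected after repair" }
    Write-Host "Restored Everyone Read & execute on $Path."
}

function Get-ProfileCopyFailures {
    param([int]$Newest = 10)
    # Event 1509 is written to the Application log by the User Profile Service; the provider
    # name below is assumed for Server 2012 R2. No matching events is not an error here.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        Id           = 1509
    } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: show what the profile service complained about, then check and repair the ACL
Get-ProfileCopyFailures | Format-List
Repair-DefaultProfileAcl
```

The check deliberately insists on both inheritance flags, not just on an Everyone entry being present: an entry that applies to "this folder only" would leave the subfolders and .lnk files that the event message names just as unreadable. The repair only adds the missing entry and leaves the rest of the ACL (SYSTEM and Administrators) untouched.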

References:

  1. http://serverfault.com/questions/590651/copying-default-profile-for-new-users-fails-with-the-process-cannot-access-the
  2. http://serverfault.com/questions/388242/the-user-profile-service-failed-the-logon-user-profile-cannot-be-loaded