UPM fails when AD group is deleted.

roger.karren (Newbie, joined 11 Feb 2016)
Posted: 11 Feb 2016 at 3:34pm
This is considered a bug report.

When using multiple AD groups assigned to a single local profile, one per line, deleting any one of the AD groups from AD breaks UPM.  Domain users and Local users can no longer log in.

Using Windows 7 Machines.  User Profile Manager version 2.6, (Enterprise Volume License).

We have two AD groups assigned to use a local profile in a lab environment.  One group is for students, the other for Faculty and Staff.  The purpose is to allow Faculty to have the same experience as the student when it becomes necessary for the Faculty member to assist one of his/her students in the Lab.

It was decided that the Faculty and Staff Group was no longer necessary and was removed from AD.  The Student AD group was still valid and assigned to the local profile.

Log-ins to ALL Machines immediately began to fail.  The failure was exhibited by displaying a Welcome Screen forever.  No indication of failure; just stuck.  If login was completed within 2-3 seconds of being presented the login screen, sometimes it was successful.  Safe Mode allowed login every time.

After performing an in-place upgrade to Windows 10, the error message presented was that the "User Profile Service is not started".

To make a long story short, after booting into Safe mode and removing the Assigned AD group that no longer existed, log-ins resumed normally.

Resolution was confirmed on Windows 7 machines using two tests:

1.  Removing the non-existent AD group assignment from UPM on the client machine.  This restored Log-in functionality in this case.
2.  Re-creating the AD group that was deleted.  This test was performed because it was prohibitive to visit 150 machines and remove the non-existent AD group.  Log-ins resumed in this case also.

Summary:

It is not unreasonable to expect that AD groups are created and deleted on a regular basis.  If any one of these groups that are used by UPM for profile assignment is subsequently deleted, that machine will no longer allow logins for anyone even if the remaining AD group and/or local users are valid.  What makes this even more problematic is that it even makes LOCAL user logins fail!

UPM needs to be aware when an AD group used in Profile assignment no longer exists and ALWAYS allow a local user login.

RLK





Support (Moderator Group, joined 09 Nov 2006, United Kingdom)
Posted: 18 Feb 2016 at 4:36am
We have tested this scenario and we cannot reproduce the problem. We therefore have to conclude that deleting AD groups is not in itself sufficient to cause the problems you describe.

If you have further questions, please contact support@ForensiT.com

Edited by Support - 18 Feb 2016 at 4:40am