On 2014-06-17, we had eight of our Windows Server 2008 R2 RDSH Servers (all members of the same RDSH farm {brokered}) suddenly believe Windows Activation was lost while users were logged in. If a user was previously logged in they were somewhat functioning, but nobody could establish a new logon. If an Administrator tried to Activate Windows the error code 0x80070005 would occur. Each of these servers is running ESET File Security for Windows Servers 4.5.12011.0 for anti-virus protection. Event Viewer would not load at all and would crash MMC (eventually found Event ID 6001 & 6004 from Winlogon occurred right when they all went crazy).
- Searched TechNet and found: http://support.microsoft.com/kb/2704233
- Reviewed the registry and found the following keys were completely missing:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Profilelist\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Profilelist\S-1-5-19
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Profilelist\S-1-5-20
- Also found keys in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Profilelist\" were missing:
Default
ProfilesDirectory
ProgramData
Public
- After further investigation found Symbolic link for "Default User" in C:\Users\ was also missing (should link to C:\Users\Default and have special NTFS Folder Only privileges).
- Found C:\Users\Public\Desktop was named "Public Desktop" though a Symbolic link from "C:\ProgramData\Desktop" was pointing to "C:\Users\Public\Desktop"
NOTE: I will publish what it took to fix, as I already resolved but wanted to post the info here on ServerFault.com in case somebody else runs into this.
Best Answer
Here is how I was able to resolve the issue. There are some EXTREMELY DANGEROUS and DATA DESTRUCTIVE steps here. If you DO NOT have Roaming Profiles & Folder Redirection of the User Accounts then you seriously should call Microsoft Support as this is NOT the way to fix your issue as it will remove files!!!!! ANY USE OF THESE INSTRUCTIONS IS AT YOUR OWN RISK!!!!!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Profilelist\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Profilelist\S-1-5-19
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Profilelist\S-1-5-20
Default > %SystemDrive%\Users\Default
ProfilesDirectory > %SystemDrive%\Users
ProgramData > %SystemDrive%\ProgramData
Public > %SystemDrive%\Users\Public
Security - Advanced - Change Permissions...
Uncheck "Include inheritable permissions..."
Add "Everyone" > Apply to "This folder only" > Deny "List folder / read data"
Add "Everyone" > Apply to "This folder only" > Allow "Traverse folder / execute file" + "List folder / read data" + "Read Attributes" + "Read extended attributes" + "Read permissions"
Add "SYSTEM" > Apply to "This folder only" > Allow "Full Control"
Add "Administrators (%COMPUTERNAME%\Administrators)" > Apply to "This folder only" > Allow "Full Control"
Don't do this if you do not have roaming profiles and folder redirection set up where the user files are not stored only on this server!!!
Select All Files & Folders Except the following:
All Users
Administrator
Administrator.{%YOURDOMAINNAME%}
Default
Default User
Public
desktop.ini
Delete permanently the selected folders that are for Profiles that no longer exist in the ProfileList section of the registry (SHIFT+DELETE).
NOTE: If you are running virtual RDSH servers, you may want to restore your RDSH servers from backups if you have a properly working backup system if you want to avoid this craziness.
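
Added example, not part of the original question or answer: a read-only PowerShell check for the ProfileList values and subkeys named in this thread, plus the "Default User" link under the profiles directory. The function name `Test-ProfileList` is made up for this example; the expected data is copied from the answer above, and the script changes nothing on the server.

```powershell
# Read-only audit of the ProfileList entries listed on this page.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Value names and data as given in the answer.
$expectedValues = @{
    'Default'           = '%SystemDrive%\Users\Default'
    'ProfilesDirectory' = '%SystemDrive%\Users'
    'ProgramData'       = '%SystemDrive%\ProgramData'
    'Public'            = '%SystemDrive%\Users\Public'
}
# Subkeys the question reported as missing.
$expectedSubkeys = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'

function Test-ProfileList {
    $findings = @()
    if (-not (Test-Path $base)) { return @("MISSING key: $base") }
    $key = Get-Item $base

    foreach ($name in $expectedValues.Keys) {
        # Read the stored data without expanding %SystemDrive%.
        $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($null -eq $raw) {
            $findings += "MISSING value: $name"
        } elseif ($raw -ne $expectedValues[$name]) {
            $findings += "UNEXPECTED value: $name = $raw"
        }
    }

    foreach ($sid in $expectedSubkeys) {
        if (-not (Test-Path (Join-Path $base $sid))) {
            $findings += "MISSING subkey: $sid"
        }
    }

    # "Default User" should exist as a link (reparse point), not a plain folder.
    $link = "$env:SystemDrive\Users\Default User"
    $item = Get-Item -LiteralPath $link -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        $findings += "MISSING link: $link"
    } elseif (-not ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        $findings += "NOT A LINK: $link"
    }
    $findings
}

$result = @(Test-ProfileList)
if ($result.Count -eq 0) { 'ProfileList looks intact' } else { $result }
```

Run it from an elevated prompt on each farm member; a scheduled run that alerts on any finding would surface this condition before new logons start failing.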