Temporary Profiles and IIS Application Pool Identities

Published on Monday, September 24, 2012

I’m a bit stumped that I’ve only come across this now. Recently I discovered that there are some cases where you can end up with your service account using a temporary profile. Typically this is the case where your service account has very limited privileges on a server, like application pool identities which run as a regular AD user, which I consider a best practice. I myself saw this in the context of the application pool identities in a SharePoint 2010 farm or with SQL Server Reporting Services 2008 R2.

The phenomenon is also described at Todd Carter: Give your Application Pool Accounts A Profile. So this does not apply to all Application Pool identities, only those running with “load profile=true”.

In the Application event log you can find the following event:

Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

How to fix it if you see those nasty “c:\users\TEMP” folders?

  1. Stop the relevant application pools
  2. Stop the IIS Admin Service (in services.msc)
  3. Check that the TEMP folders are gone from c:\users
  4. Follow the next steps

How to make sure your accounts get a decent profile?

We will temporarily add the service account to the local administrators group so it can create a profile. In fact, all it needs is the “logon locally” privilege. The second command starts a command prompt while loading a profile, which ensures a proper profile is created.

  1. net localgroup administrators CONTOSO\AppPoolAccount /add
  2. runas /u:CONTOSO\AppPoolAccount /profile cmd
  3. net localgroup administrators CONTOSO\AppPoolAccount /del

As a side note: if the TEMP folders are not disappearing, or you are still getting a temporary profile, you can try to properly clean up the temporary profile:

  1. Stop the application pools
  2. Stop the IIS Admin Service
  3. Right-click Computer, choose Properties, go to the Advanced tab and then pick User Profiles. There you can properly delete them.

If you’re still having trouble you might need to delete the TEMP folders manually AND clean up the following registry location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Especially look for keys with .bak appended to them.
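Added here as an example (not from the original post): a read-only PowerShell inventory of the three things above, namely which app pools load a profile, which ProfileList entries are renamed to .bak or point at a TEMP profile, and which C:\Users\TEMP* folders are left over. It assumes the WebAdministration module that ships with IIS 7.5 and an elevated prompt on the IIS server.

```powershell
# Added example, not from the original post. Read-only checks; run elevated on the IIS server.

# 1. Which application pools actually load a user profile (only those are affected)
#    Assumes the WebAdministration module (IIS 7.5 and later).
Import-Module WebAdministration -ErrorAction Stop
Get-ChildItem IIS:\AppPools |
    Where-Object { $_.processModel.loadUserProfile -eq $true } |
    Select-Object Name,
        @{ n = 'Identity';     e = { $_.processModel.userName } },
        @{ n = 'IdentityType'; e = { $_.processModel.identityType } } |
    Format-Table -AutoSize

# 2. ProfileList entries that explain a temporary profile
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $profileList | ForEach-Object {
    $sid  = $_.PSChildName
    $path = (Get-ItemProperty -LiteralPath $_.PSPath).ProfileImagePath
    $account = '<unresolved>'
    try {
        # Strip a trailing .bak before translating, otherwise the SID will not parse
        $cleanSid = $sid -replace '\.bak$', ''
        $sidObj   = New-Object System.Security.Principal.SecurityIdentifier($cleanSid)
        $account  = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }
    New-Object PSObject -Property @{
        Sid         = $sid
        Account     = $account
        ProfilePath = $path
        IsBakKey    = ($sid -like '*.bak')                 # renamed key: next logon gets a TEMP profile
        IsTempPath  = ($path -match '\\TEMP(\.[^\\]+)?$')  # C:\Users\TEMP or C:\Users\TEMP.CONTOSO
    }
} | Where-Object { $_.IsBakKey -or $_.IsTempPath } |
    Format-Table Sid, Account, ProfilePath, IsBakKey, IsTempPath -AutoSize

# 3. TEMP folders that survive stopping the app pools and the IIS Admin Service
Get-ChildItem 'C:\Users' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'TEMP*' } |
    Select-Object FullName, LastWriteTime
```

An account that shows up under 2 with IsBakKey set is the one that will keep landing in c:\users\TEMP until the stale key is removed and a proper profile is created.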


UAG: Trunk With Anonymous Authentication Not Working


A few days ago I was setting up a UAG which has a trunk configured with anonymous authentication so that I could publish our FIM Self Service Password Reset page. I think I tried to outsmart UAG, because this is what I was getting over and over again:


In words: 500 – Internal server error.

I said to myself “how hard can it be?!”. After some time I started thinking that removing the default Portal entry which is added to the trunk wasn’t a good idea. I didn’t need it as my users will go directly to the SSPR site, but it seems like UAG needs it very badly! Just re-add it, activate the config and everything should start working.


To conclude: even if you don’t need it, better leave it in place.


Win 8 Client: Manage Wireless Networks, Where Art Thou? Follow Up

Published on Wednesday, September 19, 2012

A while ago I posted a workaround to manage the more advanced settings of wireless networks: Win 8 Client (Dev Preview): Manage Wireless Networks, Where Art Thou?

In some of the comments I read that in the final version the explorer.exe shell:: command no longer worked. After verifying on my own fresh install I noticed that this was indeed the case. However, there are other possibilities which make it less bad. You can now access the advanced settings in the following ways:

1. Just before finishing the creation of a new network:

In the network and sharing center click “set up a new…”


Choose “Manually connected to a …”


After entering some basic parameters you can choose “Change connection settings” before clicking close.


2. For an existing network connection:

Ok, my title is a bit misleading: I think you can only edit this one if the SSID is actually accessible, meaning you are physically in the location where the Wireless LAN is supposed to be. So I’m not saying authentication should succeed, but the SSID should be “online”. In a lot of situations this might be sufficient.

When clicking the network item in the tray a bar will appear to the right with your networks in it. You can right-click it and choose “view connection properties”.


3. By deleting and re-adding the profile:

Yep, this one is not funny, but for now I don’t see any other options. I actually found this one on the following blog: Ryan McIntyre: Windows 8 Missing “Manage Wireless Networks”

  • Show the profiles: netsh wlan show profile
  • Delete a profile: netsh wlan delete profile "profile name"
  • Recreate it using the GUI and make sure you now do it properly



Quick Tips: September Edition #1

Published on Monday, September 17, 2012

Ok, I’ve gone through my mailbox and I’ve got quite a few neat little tricks I want to share and, most of all, never forget myself. So I’ll put them here for future reference.

Tip #1 (Network):

Remember “Network Tracing Awesomeness”? If you only want to capture traffic which involves a specific IP, you can start the trace like this:

netsh trace start capture = yes ipv4.address=

This can be very convenient if your server is a domain controller or a file server and communicates with a lot of clients all the time.

Tip #2 (IIS):

In various IIS Kerberos configuration how-tos you are instructed to set useAppPoolCredentials to true. I always hate editing XML files directly as it’s quite easy to make errors. Using the following command you can easily set this parameter from a command prompt:

appcmd set config "Default Web Site" /section:windowsauthentication /useAppPoolCredentials:true /commit:MACHINE/WEBROOT/APPHOST

“Default Web Site” is the name of the site as it appears in the IIS management console. Remember, you might need something like "Default Web Site/vDir" if you have to configure this for sublevels of the site.

Tip #3 (Kerberos):

If you enable an account to be trusted for delegation to a given service, you might have to wait some time before the service itself notices this. This is often experienced as: I changed something, it didn’t work, and magically the next day it started working. If I’m not mistaken, this might have to do with the Kerberos S4U refresh interval, which is 15 minutes by default. At least that was the value on Windows 2003… See also: KB824905: Event ID 677 and event ID 673 audit failure messages are repeatedly logged to the Security log of domain controllers that are running Windows 2000 and Windows Server 2003

Tip #4 (PowerShell):

From: MSDN: Win32_PingStatus class

When you use PowerShell to perform remote tasks on a server, such as WMI queries, it might be way more efficient to do a quick ping before actually trying to talk WMI to the server. This way you can circumvent those nasty timeouts when the server you are trying to talk to is down.

$server = "server01"
$PingStatus = Get-WmiObject Win32_PingStatus -Filter "Address = '$server'" | Select-Object StatusCode
# StatusCode 0 means an echo reply came back; only then is it worth talking WMI to $server
if ($PingStatus.StatusCode -eq 0) { <# remote WMI queries against $server go here #> }

Tip #5(Tools):

Every once in a while I need a tool from the Sysinternals Utilities set. Mostly I go to Google, type in the name, get to the Microsoft site hosting the utility and click launch. However, you can easily access all of the tools using this WebDAV share: \\live.sysinternals.com. Just enter it in a file explorer or in Start -> Run. The utilities we all know so well are located in the Tools folder. Or if that doesn’t work, just use http://live.sysinternals.com/


Thanks to a colleague for this last tip!

-Stay tuned for more!-


SCCM 2007: DCM Check For A Registry Value Only If the Value Exists

Published on Monday, September 10, 2012

This is a bit far from my regular technologies, but today I used the DCM (Desired Configuration Management) feature of SCCM to map the number of clients suffering from a particular issue. More specifically, we are suffering from the issue described in: social.technet.microsoft.com: Print drivers on windows 7 clients missing dependent files..?

So we know that clients which have the “corrupted” printer driver registry settings look like this:

  • Key: HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-3\Lexmark Universal
  • Value1: Help File=””
  • Value2: Dependent Files=””

We also know that clients which are healthy look like this:

  • Key: HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-3\Lexmark Universal
  • Value1: Help File=”UNIDRV.HLP”
  • Value2: Dependent Files=”blabla.dll blablo.dll ….dll”

And we should not forget that not all clients have this driver! So the ones which don’t have the key/value should not be reported!

SCCM DCM to the rescue! I’ve actually spent quite some time getting this right. Probably because I’m a first-time DCM’r, but perhaps also because some things aren’t that obvious. What I wanted to achieve with DCM, explained in words: get me a report which returns all computers that have a blank value for the “Help File” value. So I specifically wanted to ignore the ones where that registry value didn’t exist or where it has a value of “UNIDRV.HLP”.

So here is how you don’t do it:

Adding a CI (Configuration Item) where you add a registry key to the Objects tab


As far as I’ve come to understand the DCM configuration, by adding a registry key to the Objects tab you can check for its existence. Now I typed key in bold, as in registry terms a key is like a folder. A registry value, on the other hand, is like a string or binary item which can hold an actual value.

Here’s how you can do it:

Leave the Objects tab empty and go on with the Settings tab.


On the settings tab we can add a specific setting of the type registry. Your definition should look like this:


On the general tab all we need to do is specify the Hive, the Key and the name of the Value we are interested in. The validation tab is the one where the real magic happens:


I will first go the next screenshot and then I’ll come back to this one. In the next screenshot you will see how I added a new validation rule by clicking “new”.


What you see here should be pretty obvious: I specified that if the “Help File” registry value equals “UNIDRV.HLP” all is good. More specifically, if that is not the case it should be reported with a severity of Error. Now some examples:

  • Value example #1: “UNIDRV.HLP”: compliant
  • Value example #2: “UNIDRV”: non-compliant
  • Value example #3: “”: non-compliant
  • Now what if the registry value doesn’t exist to begin with?!

Well, that’s where the previous screenshot comes into play: by default “Report a non-compliance event when this instance count fails” is checked. I specifically unchecked this one. It is my understanding that this one will cause the CI to be non-compliant if the registry value (the instance) can’t be found. In my case, if the value can’t be found it means the driver isn’t installed and thus the client is not suffering from the issue.

So in short, using the configuration shown above I have established that all clients which have a registry value “Help File” under the given key should have a value of “UNIDRV.HLP”. If they’ve got an empty value, they’ll be included in the report. The ones which don’t have this driver, and thus don’t have this registry value, will be excluded from the report. This will allow us to do some quick and dirty fixing of the clients which are already suffering from this issue, and at the same time we can try distributing a printer feature hotfix package from Microsoft. Once that one is out on the clients we can use the reporting to find out if new cases are occurring.
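Added here as an example (not from the original post, and not what DCM runs internally): the same three-outcome logic the CI expresses, as a PowerShell function you can run on a single client to confirm what the report should say for it. The key, value name and expected value are the post’s own; the function name is made up.

```powershell
# Added example, not from the original post. Mirrors the CI: absent key/value = not applicable,
# exact expected value = compliant, anything else (including "") = non-compliant.
function Test-PrintDriverHelpFile {
    param(
        [string]$Key       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-3\Lexmark Universal',
        [string]$ValueName = 'Help File',
        [string]$Expected  = 'UNIDRV.HLP'
    )
    # Driver not installed at all: the instance does not exist, so nothing to report
    # (this is the case the unchecked "instance count" option takes care of in DCM)
    if (-not (Test-Path -LiteralPath $Key)) { return 'NotApplicable' }

    $props = Get-ItemProperty -LiteralPath $Key
    # Key exists but the value itself does not: still not applicable
    if ($null -eq $props.PSObject.Properties[$ValueName]) { return 'NotApplicable' }

    $actual = $props.$ValueName
    # Value present: only the exact expected string passes; "UNIDRV" or "" fails.
    # Note that PowerShell's -eq is case-insensitive; use -ceq if you need a strict match.
    if ($actual -eq $Expected) { return 'Compliant' }
    return 'NonCompliant'
}

# Example run on the local client
Test-PrintDriverHelpFile
```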

It was a post by KevinM (MSFT) which made all of the above fall together: social.technet.microsoft.com: Check if Registry Value Exists?


SCCM 2007: DCM Development Tip


The actual reason why I’m toying around with DCM (Desired Configuration Management) will be explained in my next post. But here’s a tip I’ve found to be quite practical when trying to get your CI (Configuration Item) configuration right.

I quickly found out that whenever you change settings in the CI you have to initiate the Machine Policy Retrieval & Evaluation Cycle action so that the Configuration Manager client gets the latest version of your Baseline/CI.


In the Configuration Manager client you’ve got a button called Evaluate on the last tab which you can use to actually allow the CI to be evaluated and give you a report displaying the current compliance state.


In the screenshot you see “Unknown:Scopel….” but that’s just a GUI refresh thingy. After a few minutes it’s properly displayed. Now this part is easy. On the other hand, I was switching a regkey by hand on the client in order to trigger the various possible outcomes of my baseline. And after a while I figured out that there had to be some caching going on behind the scenes…

Using google I found an explanation at the following forum: myitforum.com:[mssms] Configuring DCM to detect (Default) Value name [mdfdr5]

And then I started using the following workaround in order to avoid the 15-minute interval:


By appending a number to the CI name I was triggering a version increase. This in turn causes the cached result to become invalid and ensures my evaluation always gives the most up-to-date answer. It’s a bit dirty and results in a high version number, but on the other hand, this is a test environment, and it’s damn easy like this.


DebugView 100% CPU In a Windows 2008 VM


A while ago I got a tip from a colleague to use the DebugView utility from Sysinternals (Microsoft) to debug code. Once in a while I write a simple rules extension for Forefront Identity Manager, or even an attribute store for ADFS. As simple as they may be, sometimes things don’t go as I wish…

You can use DebugView by using the following lines in your code: at the top of your class make sure you have "using System.Diagnostics;" and everywhere you want diagnostic output put "Debug.WriteLine("your string here");". It might be obvious, but you have to make sure you compile your code in Debug mode!

And perhaps a little thing here: make sure the DEBUG constant is enabled. It’s on by default though.


I’ve used this approach a few times now, but yesterday things went bad. After starting DebugView my server, a VM I was running on my laptop, became sluggish. I could still reproduce my issue, but nothing was being captured. Odd. After checking the task manager I found out my DebugView.exe process was using 100% CPU.

Off to google! I quickly found this topic: forum.sysinternals.com: DbgView.exe 100%CPU

Finding DebugView version 4.76 is not that easy though; there are a zillion sites just linking through to the Microsoft site and thus giving you version 4.79 every time. Finally I found this site which has the actual 4.76 version: http://www.myfiledown.com/download/435608/debugview-435608-3.html But the link seems down now… Once I used this version my CPU usage was normal and my debug output came out just fine.


Windows Azure: Add Your Own Management Certificate

Published on Monday, September 3, 2012

Recently I figured out that I can try out Azure, as that comes as one of the benefits of having an MSDN account. I get 375 free compute hours per month! Just for the fun of it I want to host a small VM which acts as a TeamSpeak server every now and then. I guess that’s not really what the Azure subscription is meant for in the MSDN package, but hey, I’m experimenting and getting to know the possibilities of Azure in the meanwhile! Guess that’s a win-win, right?

Either way, because I only have 375 hours, that means I can’t have my VM deployed 24/7. I wrote some simple PowerShell scripts which basically remove the VM, leaving the VHD intact, and recreate it whenever I want. That might be another blog post if I find some time. But now I want my colleagues to be able to power it up whenever I’m not around. The following options were not OK:

  • Be on duty 24/7 with an internet connection at hand
  • Hand out my live-id to everyone

So here come the, be it limited, delegation capabilities of the Windows Azure management infrastructure: it seems you need your Live ID to log in via the web interface, but for the PowerShell cmdlets you can actually have up to 10 certificates! So here is how to start toying around with that part of Azure.

Remark: I only used the Get-AzurePublishSettingsFile cmdlet as explained in Windows Azure Cmdlet Guidance for my initial Azure PowerShell configuration on my home PC. However, it seems that if you run the command again it will just generate another “Windows Azure very long name –date-credentials” management certificate. So in the end you have no clue who you handed which certificate to.

So here we go:

1. Generate a new certificate

Using Visual Studio’s makecert utility I created my own certificate, for a detailed howto: How to Create a Certificate for a Role

The command I used: makecert -sky exchange -r -n "CN=[CNF]Invisibal" -pe -a sha1 -len 2048 -ss My "o:\SkyDrive\Documenten\Personal\Azure\Invisibal.cer"

2. Upload the .cer file in the Windows Azure management portal


3. Export your certificate from your local store and store it somewhere safe

The makecert command created a .cer file which is good for the upload, but you have to make sure that on whatever computer you want to run your Azure PowerShell cmdlets from, you have the certificate with the private key available. So as in my case I created the certificate on my own PC, and I want my colleague to be able to connect to the Azure management API using PowerShell, I have to export the certificate (including the private key) and hand it over to him.

To export the certificate:

Start –> Run –> MMC –> Add/Remove the certificate snap-in, choose user



4. Download and configure the Azure PowerShell cmdlets

You can download the cmdlets from here: Downloads for managing Azure

After starting the shell and trying out a simple command you will be greeted with an error:


In words: Get-AzureVM : Call Set-AzureSubscription and Select-AzureSubscription first.

After some trial and error I found the following in one of the help sections of a cmdlet.

5. Retrieve your Azure subscription ID

You can get it either from the account section (where you get to see the usage & billing information) or just copy it from the Management Certificates section where you just uploaded a certificate:


Just copy paste it in a temporary notepad file.

6. Retrieve your certificate thumbprint

From a PowerShell prompt execute: Get-Item cert:\CurrentUser\My\*


Also just copy paste it in a temporary notepad file.

7. Start up the Azure PowerShell shell and start the magic

You can now easily copy the SubscriptionID ($subID) and the Thumbprint ($thumbprint) from the temporary notepad into the required variables.

$subID = "af2f6ce8-demo-demo-demo-dummydummyd3"
$thumbprint = "01675217CF4434C905CF0A34BBB75752471869C6"
$myCert = Get-Item cert:\CurrentUser\My\$thumbprint
Set-AzureSubscription -SubscriptionName "CNF_TS" -SubscriptionId $subID -Certificate $myCert

This command should also persist between sessions. Meaning if you restart the shell, the subscription will still be available and you can go ahead and start executing cmdlets right away.
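Added here as an example (not from the original post): the same registration, but selecting the certificate by its subject instead of pasting the thumbprint, and checking before the call that it actually carries the private key from step 3 and has not expired. It uses the post’s subject name and subscription name; the subscription id is a placeholder, and the Azure cmdlets are the 2012 ones the post describes.

```powershell
# Added example, not from the original post. Registers the Azure subscription using the
# self-signed management certificate, after verifying the certificate is usable.
$subjectName      = 'CN=[CNF]Invisibal'                      # subject from the makecert command
$subscriptionName = 'CNF_TS'
$subID            = 'af2f6ce8-demo-demo-demo-dummydummyd3'   # placeholder, paste your own id

# Newest certificate with that subject in the user's personal store
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $subjectName } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1

if ($null -eq $cert) {
    throw "No certificate with subject '$subjectName' in Cert:\CurrentUser\My"
}
# A .cer import only gives you the public half; the API call needs the private key (step 3)
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; import the exported .pfx instead"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); generate a new one"
}

# Same two cmdlets the error message in step 4 asked for
Set-AzureSubscription -SubscriptionName $subscriptionName -SubscriptionId $subID -Certificate $cert
Select-AzureSubscription -SubscriptionName $subscriptionName

# The call that failed before should now list the VMs in the subscription
Get-AzureVM
```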

8. You’re good to go!


Well, just when I was about to wrap this up I found this great article: it covers most of my stuff and way more. Definitely worth reading: Automating Windows Azure Virtual Machines with PowerShell