I’m a bit stumbled that I’ve only come across this now. Recently I discovered that there are some cases where you can end up with your service account using a temporary profile. Typically this is the case where your service account has very limited privileges on a Server. Like application pool identities which run as a regular AD user, which I consider a best practice. I myself saw this in the context of the application pool identities in a SharePoint 2010 farm or with SQL Server Reporting Services 2008 R2.
The phenomena is also described at: Todd Carter: Give your Application Pool Accounts A Profile So this does not apply to all Application Pool identities! Only those running with “load profile=true”.
In the Application event log you can find the following event:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
How to fix it if you see those nasty “c:\users\TEMP” folders?
- Stop the relevant application pools
- Stop the IIS Admin Service (in services.msc)
- See that the TEMP folders are gone in c:\users
- Follow the next steps
How to make sure your accounts get a decent profile?
We will temporary add the service account to the local administrators group so they can create a profile. In fact all they need is the “logon locally” privilege. The second command will start a command prompt while loading a profile. This will ensure a proper profile is created.
- net localgroup administrators CONTOSO\AppPoolAccount /add
- runas /u:CONTOSO\AppPoolAccount /profile cmd
- net localgroup administrators CONTOSO\AppPoolAccount /del
As a side note: if the TEMP folders are not disappearing, or you are still getting a temporary profile, you can try to properly cleanup the temporary profile:
- Stop the application pools
- Stop the IIS Admin Service
- Using right-click properties on computer, choose advanced tab and then pick User Profiles. There you can properly delete them.
If you’re still having troubles you might need to delete the TEMP folders manually AND cleanup the following registry location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Especially look if there aren’t any keys with .bak appended to it.