NTUSER.DAT LOCK


Recommended Posts

.

.

Hello all...

I'm a sys-admin and on my 2003 server I was cleaning up, deleting old Windows profiles.

I tried to delete a profile of a previous admin which was about a year old. Told me NTUSER.DAT was in use, so it wouldn't delete the profile. Looked at the date and it was very recent. My first thought was the system had been compromised and semi-panicked.

Rebooted the server, and the profile again locked but the modified date of NTUSER.DAT was current. Obviously something was running at startup using that account.

Downloaded the Sysinternals Process Explorer and from the best I could tell, explorer.exe was doing something explicit with that user profile.

I was able to kill that handle and free up the NTUSER.DAT and could even delete the profile if I wanted, but instead I wanted to see if I could really find out what was going on....

Anyone else have any ideas on how I can find out? Dig a little deeper to find out exactly what this NTUSER.DAT was doing with explorer.exe?

Thanks...

(oops...wrong forum....could admin please move?)

Edited by squatpuke


The ntuser.dat is the profile's HKEY_CURRENT_USER registry hive, cuz you know, each account has their own HKEY_CURRENT_USER. If a user is logged in, the file is loaded, and when you load a file in Windows, it becomes locked and you can't delete it while it's in use. So to delete a profile folder, you have to be logged off of that account.

The folder will be recreated when the user logs in again. It will not delete the account, you have to use Local Users and Groups snap-in (locally) or Active Directory snap-in (domain account).

Edited by redxii

You're exactly right...sorry, I probably didn't explain myself and rambled a bit...

The user hasn't been w/the company for over a year...I'm not the domain admin, just an OU admin...so I can't delete the user account from AD.

I just want to delete their "old" profile off my server...

However, I wasn't able to, since ON STARTUP something on that profile starts using explorer.exe and prevents me from deleting the profile w/o first deleting the handle that the NTUSER.DAT (reg hive) has on explorer.exe.

I'd like to find out exactly what that NTUSER.DAT is doing....

Edited by squatpuke

Well, it doesn't do anything by itself, it's a registry hive.

Open the Services snap-in, and see if in the "Log On As" column there are any services set to run with the account. Additionally, see if maybe the user is logged in remotely (may see this in Task Manager).


Yeah...I started to look at all the services but stopped after the first 5 or so....figuring that was a dead end...but I should probably do all of them...

I did check security logs and don't see any attempts of logging in by that user...


MOVED.

Could be any number of things: a service that is running under his credentials, a scheduled task set to run under his creds, an application that itself required a local/AD user account (like backup software).

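The checks suggested in this thread (is the hive loaded, which services log on as the account, which scheduled tasks run as it, is there a session), collected into one PowerShell script as an added example that none of the posters wrote; the account name CONTOSO\olduser is a placeholder assumption and the script assumes it is run elevated on the server holding the profile:

```powershell
# Added example, not from the thread. Find what is keeping an old profile's
# NTUSER.DAT loaded. $Account is a placeholder; replace with the real account.
param([string]$Account = 'CONTOSO\olduser')

$user = $Account.Split('\')[-1]

# 1. Is the hive loaded? Each loaded hive appears under HKEY_USERS keyed by SID,
#    and ProfileList maps every SID to its profile folder.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($p in Get-ChildItem $profileList) {
    $path = (Get-ItemProperty $p.PSPath).ProfileImagePath
    if ($path -like "*\$user") {
        $sid    = $p.PSChildName
        $loaded = Test-Path "Registry::HKEY_USERS\$sid"
        "Profile $path -> SID $sid ; hive currently loaded: $loaded"
    }
}

# 2. Services whose 'Log On As' (StartName) is the account: the Services snap-in column.
"--- Services logging on as $user ---"
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -like "*$user*" } |
    Select-Object Name, StartName, State, PathName | Format-Table -AutoSize

# 3. Scheduled tasks configured to run under the account.
"--- Scheduled tasks running as $user ---"
schtasks /query /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -like "*$user*" } |
    Select-Object TaskName, 'Run As User', 'Task To Run' | Format-Table -AutoSize

# 4. Interactive or remote sessions for the account (what Task Manager's Users tab shows).
"--- Logon sessions for $user ---"
query user 2>$null | Select-String $user
```

A hit in section 2 or 3 explains the locked hive: the service or task logs the account on at boot, which loads NTUSER.DAT; nothing in the hive runs on its own.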
