Symptoms

When the windows domain password is about to expire, users are prompted to change the password “Your password will expire in X days. Do you want to change it now? “.

   

If the user selects to change the password the system loads a local copy of the user profile or the default user profile, instead of the Citrix Profile, the session may become disconnected and Citrix profile data will not be saved.

This problem was reproduced using Citrix Profile management 2.1.0 and Windows XP SP3 virtual machines running on XenDesktop 4 using Citrix Provisioning Server 5.1.0, but is not necessarily limited to these versions of Citrix products. XP SP3 however is version specific.  

The Citrix Profile management log may show the following errors during logon:

  • DeleteAnyFile: Deleting the file <C:\documents and settings\’username‘\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat> failed with: The process cannot access the file because it is being used by another process.
  • DeleteAnyFile: Deleting the file <C:\documents and settings\’username‘\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG> failed with: The process cannot access the file because it is being used by another process.
  • DeleteDirectory: Deleting the directory <C:\documents and settings\’username‘\Local Settings\Application Data\Microsoft\Windows> failed with: The directory is not empty.
  • DeleteDirectory: Deleting the directory <C:\documents and settings\’username‘\Local Settings\Application Data\Microsoft> failed with: The directory is not empty.
  • DeleteDirectory: Deleting the directory <C:\documents and settings\’username‘\Local Settings\Application Data> failed with: The directory is not empty.
  • DeleteDirectory: Deleting the directory <C:\documents and settings\’username‘\Local Settings> failed with: The directory is not empty.
  • DeleteAnyFile: Deleting the file <C:\documents and settings\’username‘\NTUSER.DAT> failed with: The process cannot access the file because it is being used by another process.
  • DeleteAnyFile: Deleting the file <C:\documents and settings\’username‘\NTUSER.DAT.LOG> failed with: The process cannot access the file because it is being used by another process.
  • DeleteDirectory: Deleting the directory <C:\documents and settings\’username‘> failed with: The directory is not empty.
  • DeleteLocalProfile: Could not delete local profile: <C:\documents and settings\’username‘>: The directory is not empty.

If you have enabled Microsoft’s “User Environment Debug logging” as outlined in Microsoft KB221833 the following entries will be present in the UserEnv.log file :

  • UnloadUserProfile: Failed to enable the restore privilege. error = c0000022
  • TestIfUserProfileLoaded: Profile already loaded.
    Profile Ref Count is 3
  • Wait succeeded. In critical section.
    Didn’t unload user profile, Ref Count is 2
       

Cause

This problem is caused by a documented Microsoft issue, which occurs because the Citrix or roaming profile does not unload successfully after the password change. The profile does not unload because the “SE_RESTORE_PRIVILEGE” right is not present in the thread token.
  

Resolution

Please download and apply the following Microsoft hotfix to the XP SP3 base virtual disk image on the Citrix Provisioning Server with the disk in private image mode.

Download Microsoft KB958058   

This hotfix will also require that the machine is rebooted whilst it is still in private image mode after applying the hotfix. Once the machine has rebooted, the machine should be shutdown prior to putting the virtual disk back to shared mode.
This Microsoft hotfix requires XP SP3.
   

More Information

This issue may also be experienced when changing the password at logon if using Microsoft roaming profiles on XP SP3 and is not limited to virtualized environments.

For further information concerning this issue, please consult the following Microsoft Knowledgebase article KB958058