Give your Application Pool Accounts A Profile


While running SharePoint 2010 I started to notice the following error messages in my Application event log each time I restarted the IIS Worker process and made a request.

 

Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          5/3/2010 10:05:07 AM
Event ID:      1511
Task Category: None
Level:         Error
Keywords:
User:
          CONTOSO\AppPoolAccount
Computer:      SP2010Dev.contoso.com
Description:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

For the setup of my SharePoint farm I use 3 accounts, Farm (CONTOSO\FarmAccount), SA Service Account (CONTOSO\SPServiceAccount), and an Application Pool account (CONTOSO\AppPoolAccount). Looking at my c:Users directory I see that I have a FarmAccount profile so if you are running your Application Pools as this account then you probably are not seeing this error message. But if you are using a seperate account to run your Application Pools you are probably seeing this error in your event logs.

There is obviously something running with the w3wp process which needs to load the user’s profile, which in this case is my CONTOSO\AppPoolAccount. After creating a profile for my AppPoolAccount this error disappeared and I confirmed with ProcMon that it was loaded and being used by w3wp.

There are obviously several ways to create a profile for a user, for example you might choose to login to the server as that user however I chose a different path which seemed faster.

  1. Run IISReset and ensure the AppPool account is not running any processes and its temporary profile is not loaded.
  2. If your AppPool account does not have login locally permission you will need to grant it for this process, I just use the cmd line: net localgroup administrators CONTOSOAppPoolAccount /add when complete I ran the same command but with a /delete
  3. From the command line run: runas /u:CONTOSOAppPoolAccount /profile cmd  and then type the password when prompted. At the point the cmd prompt opens you should have a new profile for this user at c:usersAppPoolAccount, if not then within your cmd prompt that you just started run echo %userprofile% if this does not work then the real profile was not loaded and you are still probably using the temporary profile. Try deleting the temporary profiles out of c:\users, these are probably named c:\users\Temp.[domainname].00x, example c:userstempcontoso.002 After you delete these try this process again.
  4. Once you have a profile you may want to remove any logon locally rights you may have granted your AppPool account.

3 thoughts on “Give your Application Pool Accounts A Profile

  1. Hey Henry — I have no idea why the Application Pools are set to use a User Profile, good workaround on your part though I have not tried this and I am a bit worried about turning this off — rather give them what they ask for than not give them something beacuse I don’t think they need it.

    Like

  2. Instead of entering the user name as CONTOSOAppPoolAccount, enter it as AppPoolAccount@CONTOSO. There is a bug with IIS in how it parses the user account string and this is the workaround that should successfully load the user profile so long as the account as the sufficient rights to the profile’s directory.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s