Domain user logs in and is immediately logged out
-
I have, and it was a virus like 10+ years ago.
-
Anything in the event log?
-
@Dashrender this issue only effects the one user, and no others on the same device.
either way, any pointers?
-
I don't recall the name of the tool, but there was a tool what would log everything done during a logon process, you could google that.
Also, you could manually load their registry and look at the autorun options.
-
@Dashrender said in Domain user logs in and is immediately logged out:
Anything in the event log?
Which logs should I be looking for, nothing stands out to me as an issue here.
-
Backup and then blow the user profile away. No use trying to recover it.
-
@coliver said in Domain user logs in and is immediately logged out:
Backup and then blow the user profile away. No use trying to recover it.
Sadly, in the OP he said that wasn't really an option.
-
@Dashrender said in Domain user logs in and is immediately logged out:
@coliver said in Domain user logs in and is immediately logged out:
Backup and then blow the user profile away. No use trying to recover it.
Sadly, in the OP he said that wasn't really an option.
Right... but that's the problem. It sounds like a corrupt user profile, you really can't login to it in its current state.
You can change the state via the registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
There should be two registry keys with the same name, except one has a .bak after it. Change the one without to .backup and remove .bak. Restart the machine. That should get you back into the profile... but no guarantees it won't just corrupt again as soon as you try to login.
-
@coliver said in Domain user logs in and is immediately logged out:
Backup and then blow the user profile away. No use trying to recover it.
Yeah not an option. We're looking for emails that may still be held in the local user profile, the user account was disabled on AD (which then marks the email account for deletion on office365) after 30 days.
So if there is any chance that I can get into this account and see what the mailbox still has cached would be critical.
Of course the mailbox matter is a different issue entirely that I need to address.
-
@DustinB3403 said in Domain user logs in and is immediately logged out:
@coliver said in Domain user logs in and is immediately logged out:
Backup and then blow the user profile away. No use trying to recover it.
Yeah not an option. We're looking for emails that may still be held in the local user profile, the user account was disabled on AD (which then marks the email account for deletion on office365) after 30 days.
So if there is any chance that I can get into this account and see what the mailbox still has cached would be critical.
Of course the mailbox matter is a different issue entirely that I need to address.
Can you just browse the local folders? There should be an outlook cache file in the users directory.
-
@coliver said in Domain user logs in and is immediately logged out:
@Dashrender said in Domain user logs in and is immediately logged out:
@coliver said in Domain user logs in and is immediately logged out:
Backup and then blow the user profile away. No use trying to recover it.
Sadly, in the OP he said that wasn't really an option.
Right... but that's the problem. It sounds like a corrupt user profile, you really can't login to it in its current state.
You can change the state via the registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
There should be two registry keys with the same name, except one has a .bak after it. Change the one without to .backup and remove .bak. Restart the machine. That should get you back into the profile... but no guarantees it won't just corrupt again as soon as you try to login.
No, no .bak registry for the account.
The employee's registry file is there though.
-
@coliver said in Domain user logs in and is immediately logged out:
@DustinB3403 said in Domain user logs in and is immediately logged out:
@coliver said in Domain user logs in and is immediately logged out:
Backup and then blow the user profile away. No use trying to recover it.
Yeah not an option. We're looking for emails that may still be held in the local user profile, the user account was disabled on AD (which then marks the email account for deletion on office365) after 30 days.
So if there is any chance that I can get into this account and see what the mailbox still has cached would be critical.
Of course the mailbox matter is a different issue entirely that I need to address.
Can you just browse the local folders? There should be an outlook cache file in the users directory.
Tried looking for it, and I don't see any of the files I need.
Looking for a local cache of outlook, so a PST or OST file.
-
@coliver said in Domain user logs in and is immediately logged out:
@DustinB3403 said in Domain user logs in and is immediately logged out:
@coliver said in Domain user logs in and is immediately logged out:
Backup and then blow the user profile away. No use trying to recover it.
Yeah not an option. We're looking for emails that may still be held in the local user profile, the user account was disabled on AD (which then marks the email account for deletion on office365) after 30 days.
So if there is any chance that I can get into this account and see what the mailbox still has cached would be critical.
Of course the mailbox matter is a different issue entirely that I need to address.
Can you just browse the local folders? There should be an outlook cache file in the users directory.
Ok now with more information, this ^ why not browse for the Outlook cache file?
-
@DustinB3403 said in Domain user logs in and is immediately logged out:
@coliver said in Domain user logs in and is immediately logged out:
@Dashrender said in Domain user logs in and is immediately logged out:
@coliver said in Domain user logs in and is immediately logged out:
Backup and then blow the user profile away. No use trying to recover it.
Sadly, in the OP he said that wasn't really an option.
Right... but that's the problem. It sounds like a corrupt user profile, you really can't login to it in its current state.
You can change the state via the registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
There should be two registry keys with the same name, except one has a .bak after it. Change the one without to .backup and remove .bak. Restart the machine. That should get you back into the profile... but no guarantees it won't just corrupt again as soon as you try to login.
No, no .bak registry for the account.
The employee's registry file is there though.
Hmm, that's interesting. Have a look at scheduled tasks on that machine. Is there anything running at user login?
-
@DustinB3403 said in Domain user logs in and is immediately logged out:
@coliver said in Domain user logs in and is immediately logged out:
@DustinB3403 said in Domain user logs in and is immediately logged out:
@coliver said in Domain user logs in and is immediately logged out:
Backup and then blow the user profile away. No use trying to recover it.
Yeah not an option. We're looking for emails that may still be held in the local user profile, the user account was disabled on AD (which then marks the email account for deletion on office365) after 30 days.
So if there is any chance that I can get into this account and see what the mailbox still has cached would be critical.
Of course the mailbox matter is a different issue entirely that I need to address.
Can you just browse the local folders? There should be an outlook cache file in the users directory.
Tried looking for it, and I don't see any of the files I need.
Looking for a local cache of outlook, so a PST or OST file.
Then, unfortunately, it seems like local caching was turned off. If the cache was on you would see both PST and OST files.
-
@coliver said in Domain user logs in and is immediately logged out:
@DustinB3403 said in Domain user logs in and is immediately logged out:
@coliver said in Domain user logs in and is immediately logged out:
@DustinB3403 said in Domain user logs in and is immediately logged out:
@coliver said in Domain user logs in and is immediately logged out:
Backup and then blow the user profile away. No use trying to recover it.
Yeah not an option. We're looking for emails that may still be held in the local user profile, the user account was disabled on AD (which then marks the email account for deletion on office365) after 30 days.
So if there is any chance that I can get into this account and see what the mailbox still has cached would be critical.
Of course the mailbox matter is a different issue entirely that I need to address.
Can you just browse the local folders? There should be an outlook cache file in the users directory.
Tried looking for it, and I don't see any of the files I need.
Looking for a local cache of outlook, so a PST or OST file.
Then, unfortunately, it seems like local caching was turned off. If the cache was on you would see both PST and OST files.
Right, if the files aren't there, then they just aren't there.
-
@coliver said in Domain user logs in and is immediately logged out:
@DustinB3403 said in Domain user logs in and is immediately logged out:
@coliver said in Domain user logs in and is immediately logged out:
@DustinB3403 said in Domain user logs in and is immediately logged out:
@coliver said in Domain user logs in and is immediately logged out:
Backup and then blow the user profile away. No use trying to recover it.
Yeah not an option. We're looking for emails that may still be held in the local user profile, the user account was disabled on AD (which then marks the email account for deletion on office365) after 30 days.
So if there is any chance that I can get into this account and see what the mailbox still has cached would be critical.
Of course the mailbox matter is a different issue entirely that I need to address.
Can you just browse the local folders? There should be an outlook cache file in the users directory.
Tried looking for it, and I don't see any of the files I need.
Looking for a local cache of outlook, so a PST or OST file.
Then, unfortunately, it seems like local caching was turned off. If the cache was on you would see both PST and OST files.
Yeah that is what it looks like...
-
EDIT: Sorry just read through the thread, can't be any help
-
@DustinB3403 Been there
-
Yeah and a litigation hold or migrating the mailbox to a shared mailbox would've been all that is needed.
I want to say the 4 words you should never say.....