
= You cannot load or unload a roaming user profile if it contains EFS files on a Windows XP-based or a Windows Server 2003-based client =

Article ID: 911805

Article Last Modified on 10/11/2007


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, 64-Bit Enterprise Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows XP Professional

INTRODUCTION
On a Microsoft Windows XP-based or a Microsoft Windows Server 2003-based client, you cannot load or unload a roaming user profile if it contains Encrypting File System (EFS) files. In this case, the following error messages are logged in the Application event log:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1513
Date:
Time:
User: NT AUTHORITY\SYSTEM
Computer:
Description:
Windows cannot copy your profile because it contains encrypted files or directories. The keys to decrypt the files or directories are also stored in the profile and are not available now. Please decrypt the files and try again. For more information, see Help and Support Center at .

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1504
Date:
Time:
User:
Computer:
Description:
Windows cannot update your roaming profile. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator. DETAIL - The specified file is encrypted and the user does not have the ability to decrypt it. For more information, see Help and Support Center at .

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1513
Date:
Time:
User:
Computer:
Description:
Windows cannot copy your profile because it contains encrypted files or directories. The keys to decrypt the files or directories are also stored in the profile and are not available now. Please decrypt the files and try again. For more information, see Help and Support Center at .



MORE INFORMATION
If an encrypted file is in any part of a roaming profile, the profile fails to load or unload. When a roaming profile is used, the whole profile is copied from the server before the logon as the user starts. Because the profile is not loaded during this copy, the copy process does not have access to the user's encryption keys and cannot encrypt or decrypt any data. Therefore, when the copy process finds an encrypted file, it fails.
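To find the items that cause events 1513 and 1504, an administrator can scan the local copy of the profile for the NTFS Encrypted attribute. The following PowerShell script is an added example and is not part of the original Microsoft article; the function name Find-EncryptedItem and the default profile path are assumptions.

```powershell
# Added example (PowerShell 2.0 compatible): list EFS-encrypted items in a profile.
# The parameter default and the function name are assumptions, not from the article.
param([string]$ProfilePath = $env:USERPROFILE)

$encrypted = [System.IO.FileAttributes]::Encrypted
$reparse   = [System.IO.FileAttributes]::ReparsePoint

function Find-EncryptedItem {
    param([string]$Path)
    # -Force includes hidden and system items (for example, Application Data).
    $items = Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue -ErrorVariable scanErrors
    foreach ($err in $scanErrors) { Write-Warning "Could not read: $($err.TargetObject)" }
    foreach ($item in $items) {
        if ($item.Attributes -band $encrypted) {
            $kind = 'File'; if ($item.PSIsContainer) { $kind = 'Directory' }
            New-Object PSObject -Property @{ Kind = $kind; Path = $item.FullName }
        }
        # Recurse into real directories only; junctions and other reparse points are skipped.
        if ($item.PSIsContainer -and -not ($item.Attributes -band $reparse)) {
            Find-EncryptedItem -Path $item.FullName
        }
    }
}

$root  = (Get-Item -LiteralPath $ProfilePath -Force).FullName.TrimEnd('\')
$found = @(Find-EncryptedItem -Path $root)

if ($found.Count -eq 0) {
    Write-Output "No encrypted files or directories found under $root"
    exit 0
}

# Summarize by top-level profile folder so the affected area is easy to spot.
$found | Group-Object { ($_.Path.Substring($root.Length).TrimStart('\') -split '\\')[0] } |
    Sort-Object Count -Descending |
    ForEach-Object { Write-Output ("{0,6}  {1}" -f $_.Count, $_.Name) }

# Full list of encrypted items; a nonzero exit code signals that some were found.
$found | Sort-Object Path | ForEach-Object { Write-Output ("{0,-9} {1}" -f $_.Kind, $_.Path) }
exit 1
```

Run the script under an account that can read the profile folder. Directories that cannot be read are reported as warnings rather than silently skipped.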

The use of encrypted files in a roaming user profile is not supported. This behavior is by design.

To work around this behavior, you can redirect the My Documents folder and then encrypt the client-side cache.

For more information about folder redirection, click the following article number to view the article in the Microsoft Knowledge Base:

232692 Folder redirection feature in Windows

For more information about how to encrypt the client-side cache, click the following article number to view the article in the Microsoft Knowledge Base:

312221 How to encrypt offline files to secure data in Windows XP

For more information about the Encrypting File System and about folder redirection, click the following article numbers to view the articles in the Microsoft Knowledge Base:

223316 Best practices for the Encrypting File System

274443 How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003

Keywords: kbinfo kbtshoot kbprofiles kbefs KB911805


© Microsoft Corporation. All rights reserved.