Hello everybody,

I'd rather not cross-post but after 9 months (no, I haven't thought about it each day...) without a single answer on ServerFault I thought I might try a second shot as the following is still haunting us (both in W10 22H2 and W11 23H2):


In our Active Directory with roaming profiles I see frequent events with Id 69 in log "Microsoft-Windows-User Profile Service/Operational".

These events warn about NTUSER.DAT not being copied at logon time from the Domain Controller to the profile's local copy because the timestamp of the local file is newer than the timestamp of the file on the DC. While that would be a legitimate reason for not copying NTUSER.DAT I doubt that it is true.

As an example Windows Event Viewer gives the following Event Data:

Code:
 <EventData>  
    <Data Name="SourceFile">\\DC\Profiles$\user.V6\NTUSER.DAT</Data>  
    <Data Name="SourceTimestamp">Year: 2024, Month 1, Day 22, Hour 15, Minute 40</Data> 
    <Data Name="DestinationFile">C:\Users\user\NTUSER.DAT</Data> 
    <Data Name="DestinationTimestamp">Year: 2024, Month 1, Day 22, Hour 15, Minute 41</Data> 
  </EventData>
However: using "wmic datafile [...] get lastmodified" on both SourceFile and DestinationFile shows that both have exactly the same timestamp. The file in the user profile's local copy that has indeed been modified at 15:41 is the file NTUSER.INI.

So it looks to me that the decision whether or not to copy NTUSER.DAT from server to client is based on comparing the timestamp of NTUSER.DAT on the server with that of NTUSER.INI on the client. Could that be true? And what would be the reasoning behind that behaviour?

I suppose I'm either completely missing a point here or Microsoft is doing something very strange there... Can anybody enlighten me?

Cheers