Monday, February 8, 2010

Altiris Agent Prevents Roaming Profile Removal

When I logged into one of our Citrix Servers, I noticed something interesting:  The user directory folder (C:\Users on Windows 2008), contained multiple copies of users' cached roaming profiles.  So, for example, there would be folders maugustine.domain, maugustine.domain.000, maugustine.domain.001, etc.  I thought for sure that I had set the Group Policy to remove locally cached roaming profiles upon log out to avoid this sort of mess, and when I double checked, my memory was correct.

Upon further scrutiny, I discovered that everything was being deleted from the user's profiles except for one empty directory: C:\Users\username.domain\AppData\LocalLow\Microsoft\CryptnetUrlCache, which is related to Security Certificates when using Internet Explorer.  In a few tests, I was able to reproduce the problem by logging in, opening IE, browsing to an https site (like www.bankofamerica.com), and then trying to log off.
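To check a whole server for the symptom described above, the following read-only PowerShell audit lists cached profile folders that exist in multiple copies or contain nothing but the leftover CryptnetUrlCache directory. It is an added example, not part of the original post; the `C:\Users` root and the three-digit `.000`/`.001` suffix are taken from the folder names above, and all variable names are illustrative.

```powershell
# Added example: read-only audit for leftover cached roaming profiles.
# Assumptions: profiles live under C:\Users and extra copies carry a
# three-digit suffix (.000, .001, ...) as in the folder names in the post.
param([string]$ProfileRoot = 'C:\Users')

# The one directory the post found left behind after logoff.
$residuePath = 'AppData\LocalLow\Microsoft\CryptnetUrlCache'

$report = Get-ChildItem -LiteralPath $ProfileRoot -Force |
    Where-Object {
        # Real directories only; skip junctions such as "All Users".
        $_.PSIsContainer -and
        -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint)
    } |
    ForEach-Object {
        # "maugustine.domain.001" -> base name "maugustine.domain"
        $base = $_.Name -replace '\.\d{3}$', ''

        # Count files anywhere below the profile folder (hidden included).
        $files = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -Force `
                       -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })

        $hasResidue = Test-Path -LiteralPath (Join-Path $_.FullName $residuePath) `
                          -PathType Container

        New-Object PSObject -Property @{
            BaseName    = $base
            Folder      = $_.Name
            FileCount   = $files.Count
            # No files left, but the CryptnetUrlCache directory still exists.
            ResidueOnly = ($files.Count -eq 0 -and $hasResidue)
            LastWrite   = $_.LastWriteTime
        }
    }

# Report users with more than one cached copy, or with a residue-only folder.
$report | Group-Object BaseName |
    Where-Object { $_.Count -gt 1 -or ($_.Group | Where-Object { $_.ResidueOnly }) } |
    ForEach-Object { $_.Group | Sort-Object Folder } |
    Select-Object BaseName, Folder, FileCount, ResidueOnly, LastWrite |
    Format-Table -AutoSize
```

Run it from an elevated prompt so other users' profile folders can be read; it only lists folders and deletes nothing.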

After going through the services on the system and the startup items under msconfig one by one, I learned that it was the Altiris DAgent service that caused this.  If I stopped the service and then ran the previously mentioned test, the user's profile would be deleted just fine.

So, I went straight to Symantec support, who has acknowledged the problem, has been able to reproduce it, and now considers it a "known issue."  If you are sitting on Windows Server 2008 and are experiencing the same problem, unfortunately there is no permanent fix available yet.  Your best bet is to disable the Altiris DAgent services and startup items and subscribe to the following KB article for updates:
https://kb.altiris.com/article.asp?article=51228&p=1

However, if you happen to not be on Vista or 2008, you also have the option of going back to the Altiris AClient until they release a new version of the DAgent.  Unfortunately, the AClient is not compatible with Vista or Server 2008.

Sorry for not providing a permanent solution at this point in time, but at least you have a workaround and a KB article to follow!