Procmon may help you figure who / what is deleting them.
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
--please don't forget to upvote
and Accept as answer
if the reply is helpful--
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
The environment here consists of a Windows Server 2012 R2 as the domain controller and about forty workstation all running Windows 10. On only a hand full of workstations, we occasionally (about once a month) experience an issue where all the user profiles get deleted. When the user signs in, it creates a brand new profile. All the previous profiles are completely gone with no trace. There is not a Windows.000 or any other copies. The registry profilelist doesn't show any other profiles either. I do keep my workstations backed up so I've been able to restore them, but it's still too much productivity loss for the user. How do I prevent this from happening? I've found lots of discussions about corrupted profiles, but it does not appear that is the case here.
Procmon may help you figure who / what is deleting them.
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
--please don't forget to upvote
and Accept as answer
if the reply is helpful--
Hi,
To audit who deleted the user profiles, it is suggested to enable the file system audit policy on the Users folder.
1, Enable the audit policy on the workstation.
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
Double click the configuration item named: Audit Object Access.
Enable the following security settings:
• Define these policy settings
• Success
• Failure
2, Set auditing on the files that you want to track。
For more details, you can refer to:
https://www.lepide.com/how-to/track-who-read-files-on-your-windows-file-servers.html
Also, it is suggested to check if there are any scripts and schedule tasks on your computer.
If configure any profiles related policies on the workstation.
You may run command: gpresult /h report.html to collect the group policy results.
This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.
Best Regards,
Just checking if there's any progress or updates?
--please don't forget to upvote
and Accept as answer
if the reply is helpful--
Thank you all for your replies. It happened twice to two different users this past week while I was out of town. I will play with the suggestions and see what happens.