Microsoft Domain Admins.. help

bealzz

We're currently having a problem with people logging into their computers and their profiles being left behind under the Documents & Settings folder. This wouldn't be such a bad thing except when you have 200 profiles it starts to take up space. I was wondering if anyone had any scripts that they would be willing to share that could delete all the profiles in that folder except for ones specified, i.e. administrator, all users, etc.

Thanks,
Bryan
 
You could use a Group Policy to remove the profile after someone logs off.
I found this on another forum.

http://support.microsoft.com/?kbid=274152

Take a look at the "delprof.exe". It's included in the "Windows Server 2003 Resource Kit Tools" from Microsoft.
With this tool you can also do it remotely.
--- CUT ---
delprof /?
Microsoft® Windows® Operating System User Profile Deletion Utility v5.2
© Microsoft Corporation. All rights reserved.

This utility deletes Windows NT, Windows 2000, Windows XP and Windows Server 2003 family user profiles.

usage: DELPROF [/Q] [/I] [/P] [/R] [/C:\\<computername>] [/D:<days>]

/Q Quiet, no confirmation.
/I Ignore errors and continue deleting.
/P Prompts for confirmation before deleting each profile.
/R Delete roaming profile cache only
/C Remote computer name.
--- CUT ---

The second, much better way is an Active Directory Group Policy.
"Delete cached copies of roaming profiles policy" in the Group Policy Editor under: "Computer Configuration\Administrative Templates\System\User Profiles"
It deletes the locally cached versions of roaming user profiles when the user logs off. Best practice for Terminal Servers and so on...
 
The easiest way of removing the profile after logoff is to use the group policy.
If I were you I would set up folder redirection within group policy to redirect parts of the profile, thus making the profile a lot smaller as they do not need to be copied to the client.
 
This also brings up a big security issue in my eye. With all the local profiles being cached on the local disk...any user that logs on has access to all that data.
 
This also brings up a big security issue in my eye. With all the local profiles being cached on the local disk...any user that logs on has access to all that data.
No, they don't. If they tried to access the profiles it will tell them access denied.
 
No, they don't. If they tried to access the profiles it will tell them access denied.

As long as they don't have admin access to the local machine then yes they will get access denied messages. If they have local admin access they can take ownership of the folder. Most of the time this isn't an issue.
 
This also brings up a big security issue in my eye. With all the local profiles being cached on the local disk...any user that logs on has access to all that data.


Only if they are all admins. If that is the case on a terminal server, you've got bigger issues...
 
Hey everyone, just wanted to share an update.
Checked out expert exchange and we have this script running now...

Code:
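@echo off
rem Stop if the profile root is missing; otherwise rd would run against the current directory.
pushd "C:\Documents and Settings" || exit /b 1
rem Delete every profile folder except the logged-on user's and the names listed (compared case-insensitively).
for /d %%d in (*) do ( if /i "%%~fd" neq "%userprofile%" if /i "%%d" neq "All Users" if /i "%%d" neq "bryan" if /i "%%d" neq "lyle" if /i "%%d" neq "mark" if /i "%%d" neq "Default User" if /i "%%d" neq "LocalService" if /i "%%d" neq "NetworkService" if /i "%%d" neq "user" if /i "%%d" neq "Administrator" rd /s /q "%%d")
popd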

GP doesn't always work, that's why I got this running. We run it automatically once a week to clear up our labs (I work for a school board) and it works great.

Thanks for everyone's responses.
 
Only if they are all admins. If that is the case on a terminal server, you've got bigger issues...

Yes you would have bigger issues, BUT we're not talking about terminal servers.

Also, even if they get an access denied message, hack the local admin password and BINGO you have access to all those pretty 10101010101010101010101010100000's
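
A read-only check for the disagreement above about whether cached profiles are readable by any user who logs on, as an added example that is not part of the original thread: it lists profile folders whose ACL grants access to a group that covers every logged-on user. It assumes Windows PowerShell 3.0 or later; the function name `Get-ProfileAclFinding` and the selection of well-known SIDs are this example's own.

```powershell
# Added example: read-only audit of profile-folder ACLs; it deletes and changes nothing.
param(
    # Path used in the thread; on Windows Vista and later the root is C:\Users.
    [string]$ProfileRoot = 'C:\Documents and Settings'
)

# Well-known SIDs that cover every logged-on user.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Shared folders from the thread's exclusion list that are readable by design.
$sharedByDesign = @('All Users', 'Default User')

function Get-ProfileAclFinding {
    param([string]$Root)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    Get-ChildItem -LiteralPath $Root -Force |
        Where-Object { $_.PSIsContainer -and $sharedByDesign -notcontains $_.Name } |
        ForEach-Object {
            $dir = $_
            try {
                $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            } catch {
                # A non-admin auditor is denied on other users' profiles: the expected result.
                New-Object psobject -Property @{ Profile = $dir.Name; Principal = '(ACL unreadable)'; Rights = $_.Exception.Message }
                return
            }
            # Ask for rules keyed by SID so the check does not depend on localized group names.
            foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
                $sid = $rule.IdentityReference.Value
                if ($rule.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid)) {
                    New-Object psobject -Property @{ Profile = $dir.Name; Principal = $broadSids[$sid]; Rights = $rule.FileSystemRights }
                }
            }
        }
}

Get-ProfileAclFinding -Root $ProfileRoot | Format-Table Profile, Principal, Rights -AutoSize
```

Run as a local administrator, a row naming one of the broad groups marks a profile that any logged-on user can open; run as a standard user, "(ACL unreadable)" rows show the access-denied behaviour described in the replies.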
 