Solved

(URGENT) Delete the profile of user on login and logoff

Posted on 2006-10-28
Last Modified: 2009-12-16

In a Windows 2003 domain (GPO), is there any policy or restriction through which the profiles (Local Settings Temp, Temporary Internet Files, History of the users) can be refreshed and deleted on login automatically? If yes, how can it be applied?

Is there any policy through which we can restrict users from running setup or installing any files or spyware on the system or registry? If there is any such policy or user restriction, then kindly tell me how it is possible.
Question by:pawankk
16 Comments
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 17827412
There is a way in GPO to make it so that you don't keep a local profile: you can go to Computer Configuration -> Administrative Templates -> System -> User Profiles and you can Delete cached copies of roaming profiles. By default, Temporary Internet Files, Temp and History directories are not transferred over when using roaming profiles. They are only stored on the local machine.

As for restricting users from installing things, maybe in GPO, Run Only Allowed Applications from
User Configuration -> Administrative Templates -> System.
Or just put them in a restricted user group.

A host file that can be replicated via WINS or just applied to the local machine, from http://www.mvps.org/winhelp2002/hosts.htm,
usually stops most spyware.
Also you could try using an anti-spyware util from www.pctools.com or www.webroot.com. Both are among the best anti-spyware utils.
0
 

Author Comment

by:pawankk
ID: 17832440
machine_shin



GPO System > User Profiles I have tried, but there is no option as such to delete the History, Temporary Internet Files or Temp folders on every login. Can it be done through a login script? Can you give me the complete code and the way to configure a login script, as I am a layman to it?

Allowed applications: I have to completely list down the software that can be executed and list will go to. Is there any way to block msi or setup, or to lock the registry, so that any application files cannot be registered or installed on the PC?


0
 
LVL 2

Accepted Solution

by:
Machin__Shin earned 200 total points
ID: 17832907
As initially suggested, put them in a guest/restricted group to prevent installation of things. Also there is a "do not run specific applications" part in the GPO almost beneath that run restrict one.

The Temporary Internet Files, Temp directory and History are not stored on a roaming profile; as soon as the local copy is deleted those will go too.
If you want to use a logon script, paste the following in Notepad and save with the following path, including quotation marks (change SERVER to your server name): "\\SERVER\netlogon\tempdel.bat"

_________________________________

@echo off
REM echo off hides the commands from the user
REM the following deletes all the contents of the folders you specified, but not the folders themselves
REM except index.dat as you cannot delete that file normally so some of the internal folders will remain.
for /d %%G in ("%userprofile%\local settings\temporary internet files\*.*") do rd "%%G" /s/q >nul 2>&1
del "%userprofile%\local settings\temporary internet files\*.*" /s/q >nul 2>&1
for /d %%G in ("%userprofile%\local settings\temp\*.*") do rd "%%G" /s/q >nul 2>&1
del "%userprofile%\local settings\temp\*.*" /s/q >nul 2>&1
for /d %%G in ("%userprofile%\local settings\history\*.*") do rd "%%G" /s/q >nul 2>&1
del "%userprofile%\local settings\history\*.*" /s/q >nul 2>&1
REM the /s switch deletes all files and sub-folders
REM /q suppresses the y/n and stopping on files you can't delete. It also hides what you're deleting
REM >nul 2>&1 eliminates error and information messages so the user sees nothing; you can of course change that "nul" part to a file name and it will make a log file instead

__________________________________

Select your users in AD, right-click, go to Properties -> Profile -> Logon script,
then just type in tempdel.bat and click OK.
0

 
LVL 17

Expert Comment

by:kadadi_v
ID: 17834730
If you created the users on the domain controller (Active Directory services with DNS server) and at the client side they are logging in with a domain user, then there is already a restriction on installing applications or making any change to the Windows Control Panel settings. That means it needs administrative rights... OK.

0
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 17840483
How are you getting on?
0
 

Author Comment

by:pawankk
ID: 17890490
Machine

1. I have redirected the My Documents and Desktop folders to a different drive. Can I give the full path of those folders in the login script rather than the default user profile path "%userprofile%\"?

2. I want to make the printer default and install it on every login. Can I give the VBScript commands in the same login script?

3. I want all the files of all working users to go in a single folder with specified user permissions. Is that possible? And I want to restrict all other folders and drives from user access, and want to restore the PC by deleting all history, documents, desktop, temp and temporary internet files accessed by any user, and make the PC fresh for the new user. If it is possible, how can I proceed with my problem?
0
 

Author Comment

by:pawankk
ID: 17895582
Machin__Shin

Thanks buddy for the login script. I tried it as a logoff script but have a problem with it: it does not delete hidden folders like Application Data and PrintHood. Is it possible to change their attributes (remove hidden and system) and then delete these folders, as I want the profiles to be created automatically every time a user logs in?
0
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 17895766
I've got a couple more Japanese Exams to do in the next few days. I will give you more advice after that.
0
 

Author Comment

by:pawankk
ID: 17907071
machin_Shin

Best of luck for your exams, buddy.

Waiting for your exams to be successful,
and then my problems will be sorted.
0
 

Author Comment

by:pawankk
ID: 17930991
Except Machin, no one is here to reply to the queries... I think Machin is still busy with exams.
0
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 18001012
You can add the attrib command into the login script if you want. But if you are trying to remove the entire profile every login you will probably encounter the issue where the files are still being used.
 (command = attrib *.* -s -h -r /s/d)
The users shouldn't mind seeing stuff from those directories and I doubt you want to redo the entire thing from scratch every time. Just make it a set profile that you like on the roaming profile under non-cached mode and delete or clear said directories if you want to. But easiest is to make the profiles mandatory.
In order to do it, set up your profile as you like it, then change the ntuser.dat extension to NTuser.man, and they cannot change the background or the registry for that user file.
And for cleaning your net files and whatnot, maybe trial out

http://www.download.com/ZeroNetHistory-2005/3000-2248_4-10540287.html?tag=lst-0-2

I only hope I did well on my exams. I think I passed all but maybe the listening. (totemo hayai hanasu koto desu yo)
0
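The attrib step from the comment above, folded into the accepted logon/logoff script, as an added example that is not part of the original thread. It changes into each target folder before using the relative `*.*` wildcard, so the attribute change and the delete can only reach that folder, and it stops if %USERPROFILE% is not set. The folder list comes from the accepted answer; the `:clean` label is an assumption of this example.

```batch
@echo off
REM Added example, not code from the thread.
REM Stop if the profile path is missing, so the relative wildcards below
REM can never be applied to the script's own directory or a drive root.
if not defined USERPROFILE exit /b 1
if not exist "%USERPROFILE%\Local Settings\" exit /b 1

REM Same three folders as the accepted answer's tempdel.bat.
call :clean "%USERPROFILE%\Local Settings\Temp"
call :clean "%USERPROFILE%\Local Settings\Temporary Internet Files"
call :clean "%USERPROFILE%\Local Settings\History"
exit /b 0

:clean
REM %~1 is the folder to empty; the folder itself is kept.
if not exist "%~1\" exit /b 0
REM If the folder cannot be entered, skip it instead of working elsewhere.
pushd "%~1" || exit /b 0
REM Clear System, Hidden and Read-only below this folder only.
REM for /d and del skip hidden items, so this has to come first.
attrib -s -h -r *.* /s /d >nul 2>&1
for /d %%G in (*) do rd /s /q "%%G" >nul 2>&1
del /f /s /q *.* >nul 2>&1
popd
exit /b 0
```

Files that are still open at the time the script runs, such as index.dat, are left behind, as the answers above already note.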
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 18001016
Oh and by the way I should have mentioned the user can actually change the background and what not but when they log back in everything is reset.
0
 

Author Comment

by:pawankk
ID: 18005862
Machin
Thanks buddy.
I have tried this attrib command before and was successful in deleting other folders through the logoff script, except these folders: Application Data, Local Settings, and the files Ntuser.dat, ntuser.log, ntuser.ini.

I have told you my purpose is that I want to refresh the profile and registry of each user. Will a mandatory profile work? Is there any resource for mandatory and roaming profiles, and what is the difference between them?

0
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 18006687
A mandatory profile locks the user registry against change. It doesn't save it to the profile on logoff. And you can have roaming mandatory profiles.

This should explain it and it should suit your needs.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/mandatory_user_profiles.asp
0
 

Author Comment

by:pawankk
ID: 18059608
Machin  

I have renamed the individual ntuser.dat located in the c:\documents and settings\user1 folder to ntuser.man for each user, but still the changes made to the Internet Explorer home page and Internet Explorer toolbars are still active. Is there any way to disable them?
Secondly, I want to make the registry read-only so that no user changes are saved in the registry of Windows. Is there any way out?
0
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 18081087
Try logging out then logging back in... you might notice it's all back to the same.
In regard to the additional stuff, those are controllable through GPOs.
0
