  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 378

(URGENT) Delete the profile of user on login and logoff


In a Windows 2003 domain (GPO), is there any policy or restriction through which the profiles (Local Settings Temp, Temporary Internet Files, History of the users) can be refreshed and deleted on login automatically? If yes, how can it be applied?

Is there any policy through which we can restrict users from running setup or installing any files or spyware on the system or registry? If there is any policy or user restriction, then kindly tell me how it is possible.
Asked by: pawankk
1 Solution
 
Machin__Shin Commented:
There is a way in GPO to make it so that you don't keep a local profile: you can go to Computer Configuration -> Administrative Templates -> System -> User Profiles and you can Delete cached copies of roaming profiles. By default, Temporary Internet Files, Temp and History directories are not transferred over when using roaming profiles. They are only stored on the local machine.

As for restricting users from installing things, maybe in GPO: Run Only Allowed Applications from
User Configuration -> Administrative Templates -> System.
Or just put them in a restricted user group.

A host file that can be replicated via WINS or just applied to the local machine from http://www.mvps.org/winhelp2002/hosts.htm
usually stops most spyware.
Also you could try using an antispyware util from www.pctools.com or www.webroot.com. Both are among the best anti-spyware utils.
 
pawankk (Author) Commented:
machine_shin

GPO System > User Profiles: I have tried it, but there is no option as such to delete the History, Temporary Internet Files or Temp folders on every login. Can it be done through a login script? Can you give me the complete code and the way to configure a login script, as I am a layman at it?

Allowed applications: I have to completely list down the software that can be executed and list will go to; is there any way to block MSI or setup, or to lock the registry, so that application files cannot be registered or installed on the PC?
 
Machin__Shin Commented:
As initially suggested, put them in the guest/restricted group to prevent installation of things. Also there is a "do not run specific applications" part in the GPO, almost beneath that run restrict one.

The Temporary Internet Files, Temp directory and History are not stored on a roaming profile; as soon as the local copy is deleted those will go too.
If you want to use a logon script, paste the following in Notepad and save with the following path, including quotation marks (change SERVER to your server name): "\\SERVER\netlogon\tempdel.bat"

_________________________________

@echo off
REM echo off hides the commands from the user
REM the following deletes all the contents of the folders you specified, but not the folders themselves
REM except index.dat as you cannot delete that file normally so some of the internal folders will remain.
for /d %%G in ("%userprofile%\local settings\temporary internet files\*.*") do rd "%%G" /s/q >nul 2>&1
del "%userprofile%\local settings\temporary internet files\*.*" /s/q >nul 2>&1
for /d %%G in ("%userprofile%\local settings\temp\*.*") do rd "%%G" /s/q >nul 2>&1
del "%userprofile%\local settings\temp\*.*" /s/q >nul 2>&1
for /d %%G in ("%userprofile%\local settings\history\*.*") do rd "%%G" /s/q >nul 2>&1
del "%userprofile%\local settings\history\*.*" /s/q >nul 2>&1
REM the /s switch deletes all files and sub-folders
REM /q suppresses the y/n prompt and stopping on files you can't delete. It also hides what you're deleting
REM >nul 2>&1 eliminates error and information messages so the user sees nothing, you can of course change that "nul" part to a file name and it will make a log file instead

__________________________________

Select your users in AD, right-click, go to Properties -> Profile -> Logon script.
Just type in tempdel.bat, then OK.
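
A hardened variant of the tempdel.bat logon script above, added here as an example and not part of any poster's reply. It stops if %USERPROFILE% is unset, also removes hidden and read-only items inside the three folders, and writes a log; the log file location and the label names are assumptions.

```bat
@echo off
REM Added example (not from the thread): hardened variant of tempdel.bat.
REM LOGFILE location and the :clean / :doclean labels are assumptions.
setlocal

REM Stop if USERPROFILE is unset or the profile folder is missing; otherwise
REM "%USERPROFILE%\..." would resolve against the root of the current drive.
if not defined USERPROFILE exit /b 1
if not exist "%USERPROFILE%\Local Settings\" exit /b 1

set "BASE=%USERPROFILE%\Local Settings"
set "LOGFILE=%USERPROFILE%\tempdel.log"
>"%LOGFILE%" echo %DATE% %TIME% cleanup start for %USERNAME%

for %%D in ("Temporary Internet Files" "Temp" "History") do call :clean "%BASE%\%%~D"

>>"%LOGFILE%" echo %DATE% %TIME% cleanup end
endlocal
exit /b 0

:clean
REM %1 is the folder to empty; the folder itself is kept.
if exist "%~1\" goto doclean
>>"%LOGFILE%" echo skip, not found: "%~1"
goto :eof

:doclean
REM dir /a:d lists sub-folders including hidden and system ones, which a
REM plain "for /d" would skip.
for /f "delims=" %%G in ('dir /b /a:d "%~1" 2^>nul') do rd /s /q "%~1\%%G" >>"%LOGFILE%" 2>&1
REM /f removes read-only files, /a matches files whatever their attributes.
REM Files held open by the shell (index.dat) still fail and are logged.
del /f /s /q /a "%~1\*" >>"%LOGFILE%" 2>&1
goto :eof
```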
 
kadadi_v Commented:
If you created the users in the domain controller (Active Directory services with DNS server) and at the client side they are logging in with a domain user, then there is already a restriction on installing applications or making any change to the Windows Control Panel settings. That means it needs administrative rights... OK.
 
Machin__Shin Commented:
How are you getting on?
 
pawankk (Author) Commented:
Machine

1. I have redirected the My Documents and Desktop folders to a different drive. Can I give the full path of those folders in the login script rather than the default user profile path "%userprofile%\"?

2. I want to make a printer default and install it on every login. Can I give the VBScript commands in the same login script?

3. I want all the files of all users' work to go in a single folder with specified user permissions. Can it be possible? And I want to restrict all other folders and drives from user access, and want to restore the PC by deleting all history, documents, desktop, temp, temporary internet files, all accessed by any user, and make the PC fresh for the new user. If it is possible, how can I proceed with my problem?
 
pawankk (Author) Commented:
Machin__Shin

Thanks buddy for the login script. I tried it as a logoff script but have a problem with it: it does not delete hidden folders like Application Data, PrintHood. Is it possible to change their attributes (unhide and system) and then delete these folders, as I want the profiles to be created automatically every time the user logs in?
 
Machin__Shin Commented:
I've got a couple more Japanese exams to do in the next few days. I will give you more advice after that.
 
pawankk (Author) Commented:
machin_Shin

Best of luck for your exams, buddy.

Waiting for your exams to be successful,
and then my problems will be sorted.
 
pawankk (Author) Commented:
Except Machin, no one here to reply to the queries... I think Machin is still busy in exams.
 
Machin__Shin Commented:
You can add the attrib command into the login script if you want. But if you are trying to remove the entire profile every login you will probably encounter the issue where the files are still being used.
 ( command = attrib *.* -s -h -r /s/d)
The users shouldn't mind seeing stuff from those directories and I doubt you want to redo the entire thing from scratch every time. Just make it a set profile that you like on the roaming profile under non-cached mode and delete or clear said directories if you want to. But the easiest is to make the profiles mandatory.
In order to do it, set up your profile as you like it, then change the ntuser.dat extension to NTuser.man, and they cannot change the background or the registry for that user file.
And for cleaning your net files and whatnot, maybe trial out

http://www.download.com/ZeroNetHistory-2005/3000-2248_4-10540287.html?tag=lst-0-2

I only hope I did well on my exams. I think I passed all but maybe the listening. (totemo hayai hanasu koto desu yo)
 
Machin__Shin Commented:
Oh, and by the way, I should have mentioned the user can actually change the background and whatnot, but when they log back in everything is reset.
 
pawankk (Author) Commented:
Machin
Thanks buddy.
I have tried these attrib commands before and was successful in deleting other folders through the logoff script, except these folders: Application Data, Local Settings, and the files Ntuser.dat, ntuser.log, ntuser.ini.

I have told you my purpose is that I want to refresh the profile and registry of each user. Will a mandatory profile work? Is there any resource for mandatory and roaming profiles, and what is the difference between them?
 
Machin__Shin Commented:
A mandatory profile locks the user registry against change. It doesn't save it to the profile on log off. And you can have roaming mandatory profiles.

This should explain it and it should suit your needs.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/mandatory_user_profiles.asp
 
pawankk (Author) Commented:
Machin

I have renamed the individual ntuser.dat located in the c:\documents and settings\user1 folder to ntuser.man for each user, but the changes made to Internet Explorer, the home page and the Internet Explorer toolbars are still active. Is there any way to disable them?
Secondly, I want to make the registry read-only so that no user changes are saved in the Windows registry. Is there any way out?
 
Machin__Shin Commented:
Try logging out then logging back in... you might notice it's all back to the same.
In regard to the additional stuff, those are controllable through GPOs.
