Solved

(URGENT) Delete the profile of user on login and logoff

Posted on 2006-10-28
16
366 Views
Last Modified: 2009-12-16

In a Windows 2003 domain (GPO), is there any policy or restriction through which the profiles (local settings temp, temporary internet files, history of the users) can be refreshed and deleted on login automatically? If yes, how can it be applied?

Is there any policy through which we can restrict users from running setup or installing any files or spyware on the system or registry? If there is any policy or user restriction, then kindly tell me how it is possible.
Question by:pawankk
16 Comments
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 17827412
There is a way in GPO to make it so that you don't keep a local profile: you can go to Computer Configuration->Administrative Templates->System->User Profiles and you can Delete cached copies of roaming profiles. By default, the Temporary Internet Files, Temp and History directories are not transferred over when using roaming profiles. They are only stored on the local machine.

As for restricting users from installing things, maybe in GPO, Run Only Allowed Applications from User Configuration->Administrative Templates->System.
Or just put them in a restricted User group.

A host file that can be replicated via WINS or just applied to the local machine from http://www.mvps.org/winhelp2002/hosts.htm usually stops most spyware.
Also you could try using an antispyware util from www.pctools.com or www.webroot.com. Both are among the best anti-spyware utils.
0
 

Author Comment

by:pawankk
ID: 17832440
machine_shin



GPO System > User Profiles: I have tried it, but there is no option as such to delete the History, Temporary Internet Files or Temp folders on every login. Can it be done through a login script? Can you give me the complete code and the way to configure the login script, as I am a layman to it.

Allowed applications: I have to completely list down the software that can be executed, and the list will go to; is there any way to block msi or setup, or to lock the registry, so that application files cannot be registered or installed on the PC?


0
 
LVL 2

Accepted Solution

by:
Machin__Shin earned 50 total points
ID: 17832907
As initially suggested, put them in a guest/restricted group to prevent installation of things. Also there is a "do not run specific applications" part in the GPO almost beneath that run restrict one.

The Temporary Internet Files, Temp directory and History are not stored on a roaming profile; as soon as the local copy is deleted those will go too.
If you want to use a logon script, paste the following into Notepad and save it with the following path, including quotation marks (change SERVER to your server name): "\\SERVER\netlogon\tempdel.bat"

_________________________________

@echo off
REM echo off hides the commands from the user
REM the following deletes all the contents of the folders you specified, but not the folders themselves
REM except index.dat as you cannot delete that file normally so some of the internal folders will remain.
for /d %%G in ("%userprofile%\local settings\temporary internet files\*.*") do rd "%%G" /s/q >nul 2>&1
del "%userprofile%\local settings\temporary internet files\*.*" /s/q >nul 2>&1
for /d %%G in ("%userprofile%\local settings\temp\*.*") do rd "%%G" /s/q >nul 2>&1
del "%userprofile%\local settings\temp\*.*" /s/q >nul 2>&1
for /d %%G in ("%userprofile%\local settings\history\*.*") do rd "%%G" /s/q >nul 2>&1
del "%userprofile%\local settings\history\*.*" /s/q >nul 2>&1
REM the /s switch deletes all files and sub-folders
REM /q suppresses the y/n and stopping on files you can't delete. It also hides what you're deleting
REM >nul 2>&1 eliminates error and information messages so the user sees nothing, you can of course change that "nul" part to a file name and it will make a log file instead

__________________________________

Select your users in AD, right-click, go to Properties->Profile->Logon script,
just type in tempdel.bat, then OK.
0
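The logon script from the accepted answer with guards and a log file, as an added example that is not the answerer's code: it stops if %USERPROFILE% or Local Settings is missing, and lists sub-folders with dir /ad so hidden ones are included. The log file name tempdel.log is an assumption.

```batch
@echo off
setlocal
REM Added example, not the answerer's script. The log file name is hypothetical.

REM Guard: if USERPROFILE were empty, the paths below would start at the drive root.
if not defined USERPROFILE exit /b 1
set "BASE=%USERPROFILE%\Local Settings"
if not exist "%BASE%\" exit /b 1

REM Local Settings is not copied to a roaming profile, so the log stays on this PC.
set "LOG=%BASE%\tempdel.log"
>"%LOG%" echo %DATE% %TIME% cleanup started for %USERNAME%

call :clean "Temporary Internet Files"
call :clean "Temp"
call :clean "History"
>>"%LOG%" echo %DATE% %TIME% cleanup finished
endlocal
exit /b 0

:clean
set "TARGET=%BASE%\%~1"
if exist "%TARGET%\" goto :doclean
>>"%LOG%" echo skipped, not found: "%TARGET%"
goto :eof

:doclean
>>"%LOG%" echo cleaning "%TARGET%"
REM dir /b /ad also lists hidden and system sub-folders, which "for /d" skips.
for /f "delims=" %%G in ('dir /b /ad "%TARGET%" 2^>nul') do rd /s /q "%TARGET%\%%G" >>"%LOG%" 2>&1
REM Remaining top-level files; /f also removes read-only ones. Files in use are logged.
del /f /q "%TARGET%\*.*" >>"%LOG%" 2>&1
goto :eof
```

Files that are locked at logon, such as index.dat, show up as errors in the log instead of being silently discarded.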
 
LVL 17

Expert Comment

by:kadadi_v
ID: 17834730
If you created the users in the domain controller (Active Directory services with DNS server) and at the client side they are logging in with a domain user, then there is already a restriction on installing applications or making any change to the Windows Control Panel settings. That means it needs administrative rights... OK.

0
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 17840483
How are you getting on?
0
 

Author Comment

by:pawankk
ID: 17890490
Machine

1. I have redirected the My Documents and Desktop folders to a different drive. Can I give the full path of those folders in the login script then default user profile path "%userprofile%\"?

2. I want to make a printer the default and install it on every login. Can I give the VBScript commands in the same login script?

3. I want all the files of all users' work to go in a single folder with specified user permissions. Can that be possible? And I want to restrict all other folders and drives from user access, and want to restore the PC by deleting all history, documents, desktop, temp and temporary internet files accessed by any user, and make the PC fresh for the new user. If it is possible, how can I proceed with my problem?
0
 

Author Comment

by:pawankk
ID: 17895582
Machin__Shin

Thanks buddy for the login script. I tried it as a logoff script but have a problem with it: it does not delete hidden folders like Application Data and PrintHood. Is it possible to change their attributes (unhide and system) and then delete these folders, as I want that every time a user logs in the profiles are created automatically?
0
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 17895766
I've got a couple more Japanese Exams to do in the next few days. I will give you more advice after that.
0

 

Author Comment

by:pawankk
ID: 17907071
machin_Shin

Best of luck for your exams, buddy.

Waiting for your exams to be successful,
and then my problems will be sorted.
0
 

Author Comment

by:pawankk
ID: 17930991
Except Machin, no one is here to reply to the queries... I think Machin is still busy with exams.
0
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 18001012
You can add the attrib command into the login script if you want. But if you are trying to remove the entire profile every login you will probably encounter the issue where the files are still being used.
 (command = attrib *.* -s -h -r /s/d)
The users shouldn't mind seeing stuff from those directories and I doubt you want to redo the entire thing from scratch every time. Just make it a set profile that you like on the roaming profile under non-cached mode and delete or clear said directories if you want to, but easiest is to make the profiles mandatory.
In order to do it, set up your profile as you like it, then change the ntuser.dat extension to NTuser.man, and they cannot change the background or the registry for that user file.
And for cleaning your net files and whatnot maybe trial out

http://www.download.com/ZeroNetHistory-2005/3000-2248_4-10540287.html?tag=lst-0-2

I only hope I did well on my exams. I think I passed all but maybe the listening. (totemo hayai hanasu koto desu yo)
0
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 18001016
Oh and by the way I should have mentioned the user can actually change the background and what not but when they log back in everything is reset.
0
 

Author Comment

by:pawankk
ID: 18005862
Machin
Thanks buddy.
I have tried this attrib command before and was successful in deleting other folders through the logoff script, except these folders: Application Data, Local Settings, and the files Ntuser.dat, ntuser.log, ntuser.ini.

I have told you my purpose is that I want to refresh the profile and registry of each user. Will a mandatory profile work? Is there any resource for mandatory and roaming profiles, and what is the difference between them?

0
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 18006687
A mandatory profile locks the user registry against change. It doesn't save it to the profile on log off. And you can have roaming mandatory profiles.

This should explain it and it should suit your needs.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/mandatory_user_profiles.asp
0
 

Author Comment

by:pawankk
ID: 18059608
Machin  

I have renamed the individual ntuser.dat located in the c:\documents and settings\user1 folder to ntuser.man for each user, but the changes made to the Internet Explorer home page and Internet Explorer toolbars are still active. Is there any way to disable them?
Secondly, I want to make the registry read-only so that no user changes are saved in the registry of Windows. Is there any way out?
0
 
LVL 2

Expert Comment

by:Machin__Shin
ID: 18081087
Try logging out then logging back in... you might notice it's all back to the same.
In regard to the additional stuff, those are controllable through GPOs.
0
