Force new user profiles at logon (AD enviroment)
Posted on 2010-09-13
We are running Windows XP SP3, all PCs are added to a domain (AD 2003), currently we have nothing in place to manage the local user profiles on each PC (around 400 PCs for use by students). Previously we used the Dynamic Local User policy in Novell Zenworks that created and deleted profiles nicely.
(if you want to get straight to the question, look down the bottom and come back here if you want some background)
Now that we don't use Novell anymore, we need to find a way to ensure the same user experience where any files or data created that's not on their home drive will be removed at log off. This also prevents space issues on each PC.
I have a VB script using the delprof utility and another script that deletes common profile areas at log off such as the desktop, cookies, temp internet folder etc but I have had bad experiences in the past where running these elevated means the enviroment variables used to detect the username of the logged in user will end up detecting the SYSTEM account but not the current user so the logged in person ends up with most of their profile deleted which caused very strange errors and problems!!
I have read an answer to this question already that suggests setting the default user account to deny read access to users, but this means all the created profiles do not get our vast customisations in the default user account and it doesn't seem to run ActiveSetup which is something we rely on for customisations.
QUESTION: Is there any method you guys can think of think of that will force Windows XP to create a new user profile for a domain user at logon such as when you do not have access to a profile, it creates a new one such as 'user.001' this way users won't get used to seeing their files when they use the same PC again and I can then tackle removing redundant profiles later.
Many thanks for reading!