Solved

Force new user profiles at logon (AD environment)

Posted on 2010-09-13
Last Modified: 2012-05-10
Hi all,

We are running Windows XP SP3, all PCs are added to a domain (AD 2003), currently we have nothing in place to manage the local user profiles on each PC (around 400 PCs for use by students). Previously we used the Dynamic Local User policy in Novell Zenworks that created and deleted profiles nicely.

(if you want to get straight to the question, look down the bottom and come back here if you want some background)

Now that we don't use Novell anymore, we need to find a way to ensure the same user experience where any files or data created that's not on their home drive will be removed at log off. This also prevents space issues on each PC.

I have a VB script using the delprof utility and another script that deletes common profile areas at log off, such as the desktop, cookies, temp internet folder etc., but I have had bad experiences in the past where running these elevated means the environment variables used to detect the username of the logged-in user end up detecting the SYSTEM account rather than the current user, so the logged-in person ends up with most of their profile deleted, which caused very strange errors and problems!!

I have read an answer to this question already that suggests setting the default user account to deny read access to users, but this means all the created profiles do not get our vast customisations in the default user account and it doesn't seem to run ActiveSetup which is something we rely on for customisations.

QUESTION: Is there any method you guys can think of that will force Windows XP to create a new user profile for a domain user at logon, such as when you do not have access to a profile and it creates a new one like 'user.001'? This way users won't get used to seeing their files when they use the same PC again, and I can then tackle removing redundant profiles later.

Many thanks for reading!
Question by:LONBUSS
12 Comments
 
LVL 9

Expert Comment

by:Tomas Valenta
It can be done by Group Policy: on the domain controller, in Programs/Administrative Tools/Group Policy Management.
Use roaming profiles; in http://support.microsoft.com/kb/274152 you can find the Group Policy part where you force deletion of cached profiles on the workstation after logoff.
 
LVL 4

Expert Comment

by:Malajlo
Running a startup script which deletes all non-system profiles?
 
LVL 11

Expert Comment

by:sumeshbnr
Try Deep Freeze and exclude the home directory.
 
 
LVL 4

Expert Comment

by:Malajlo
You need something like a default profile at every logon? And also you don't want to waste disk space on local machines or on the server?
User profiles should be "reset" at every logon?
 
LVL 1

Expert Comment

by:gonzaria
Roaming profiles follow users around; they aren't recreated at login, and they can really start to balloon in size and create horrendous logon times if users start saving things to places other than their user folders (which I would assume are redirected).
What you might be looking for is mandatory profiles.

They can be tricky to set up, but could be worth a look.

http://support.microsoft.com/kb/307800
 
LVL 1

Author Comment

by:LONBUSS
The suggestion from Malajlo is something that's more practical for the setup here. Does anyone have a VB script or batch file to do this effectively? Ideally it should not delete All Users, Administrator or Default User, and it should not start deleting the currently logged-in user (but if it's a startup script then nobody should be able to log in at this point anyway).

I have used a VB script before, but like I said it was run elevated and was unable to detect the logged-in user and would start deleting their profile, causing Windows to do some odd things. My only concern is that if someone logged off and on a PC without it rebooting, they would see their files on the desktop and assume that it's safe to put work there (remember these are student PCs which have no particular owner; we want students to see that their data is deleted every time they log off, like with Zenworks DLU).
 
LVL 4

Accepted Solution

by:
Malajlo earned 500 total points
My suggestion works for unique accounts. It seems you are using one account for all, or what? But in that case, redirected files are visible to all.
If your accounts are unique, an ordinary user won't see other users' files, unless they are local admins (which is a big no-no).
To delete unwanted directories, use a startup script.
I found one on http://www.computing.net/answers/programming/batch-delete-folders-but-skip-few/14380.html, look at the end. (I think the /s switch isn't necessary.)
If you think computers won't be restarted to clean profiles, then do a scheduled reset (psshutdown from Sysinternals, or also shutdown).

Oh, you can also make a logoff script that creates a simple batch and schedule it to run every minute.
Something like
rem wait first, to be sure the user is really logged off before the profile is touched
echo ping localhost -n 120 ^>nul > deleteme.cmd
rem then remove the profile of the user who is logging off (quoted: the path has spaces)
echo rd /s /q "%userprofile%" >> deleteme.cmd
rem finally let the helper batch remove itself
echo (goto) 2^>nul ^& del "%%~f0" >> deleteme.cmd
exit


To be sure the user is logged off, you can also use psloggedon (from Sysinternals) instead of pinging for 120 seconds.
Hmmm, you can accomplish the scheduling with the AT command...
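A startup script along the lines of the one the accepted solution points to, written here as an added example rather than code from the thread or from the linked page. It enumerates the profile folders directly instead of reading USERNAME or USERPROFILE (which under SYSTEM would name the wrong account, the failure described in the question), skips the built-in profiles the question lists, and leaves alone any profile whose registry hive is still loaded. The profile root, the KEEP list and the log path are assumptions to adjust for the site.

```batch
@echo off
rem Startup script for Windows XP: remove cached profile folders at boot.
rem It runs as SYSTEM, so it deliberately never reads USERNAME or USERPROFILE,
rem which would name the SYSTEM account and hit the failure from the question.
rem Assumptions: the XP profile layout, the KEEP list below and the log path.
setlocal EnableDelayedExpansion
set "PROFILEROOT=%SystemDrive%\Documents and Settings"
set "LOGFILE=%SystemRoot%\Temp\profile-cleanup.log"
rem Profiles that are never removed, each wrapped in semicolons for exact matching.
set "KEEP=;All Users;Default User;Administrator;LocalService;NetworkService;"

rem Sanity check: do nothing on a machine that does not use the XP profile layout.
if not exist "%PROFILEROOT%\Default User\ntuser.dat" (
    echo !DATE! !TIME! profile root not found, nothing done >>"%LOGFILE%"
    goto :eof
)

for /d %%P in ("%PROFILEROOT%\*") do (
    rem Case-insensitive membership test: deleting ";name;" from KEEP only
    rem changes the string when that name is listed.
    if "!KEEP:;%%~nxP;=!"=="!KEEP!" (
        rem Opening ntuser.dat for append fails while that hive is loaded,
        rem so a profile still in use by a logged-on session is left alone.
        2>nul ( >>"%%P\ntuser.dat" (call ) ) && (
            rem Clear read-only/system/hidden bits first or rd leaves files behind.
            attrib -r -s -h "%%P\*" /s /d >nul 2>&1
            rd /s /q "%%P"
            if exist "%%P" (
                echo !DATE! !TIME! FAILED  %%~nxP >>"%LOGFILE%"
            ) else (
                echo !DATE! !TIME! removed %%~nxP >>"%LOGFILE%"
            )
        ) || (
            echo !DATE! !TIME! in use, skipped %%~nxP >>"%LOGFILE%"
        )
    )
)
endlocal
```

The script removes only the folder; the matching entry under the ProfileList registry key is left behind, which is what the delprof utility already in use here cleans up as well.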
 
LVL 9

Expert Comment

by:Tomas Valenta
I think the best for you is using Group Policy and a mandatory profile. The description of this type of profile: you create a profile template (or several) with all the things you want, and this profile is read-only. It means if a user logs on with this mandatory profile, makes some changes, logs off and logs on again, the initial profile is back (no changes are written). In combination with parameters in Group Policy objects you can also delete the locally cached profile on the workstation, and other things.
 
LVL 4

Expert Comment

by:Malajlo
Also, creating a new profile at every logon takes some time. Annoying.
Mandatory is the best fit to achieve your needs.
 
LVL 3

Expert Comment

by:esp-projects
A mandatory profile is definitely the way to achieve this. If you want all users to share an identical profile, just set their profile paths to one folder which contains a profile that you have modified and in which you have renamed ntuser.dat to ntuser.man. You can also redirect their My Documents/Desktops to a network location using GPO if you want to allow them to save items to those folders?
 
LVL 1

Author Comment

by:LONBUSS
Thanks for the comments. Our customisations are in the Default User folder; for the last few years a new profile has been created each time someone logs on, so the students are used to that, and once the PC has been on for a while it doesn't take as long. I am going to play with that script first thing tomorrow morning and will get back to you.