Force new user profiles at logon (AD environment)

Posted on 2010-09-13
Last Modified: 2012-05-10
Hi all,

We are running Windows XP SP3; all PCs are joined to a domain (AD 2003). Currently we have nothing in place to manage the local user profiles on each PC (around 400 PCs for use by students). Previously we used the Dynamic Local User policy in Novell ZENworks, which created and deleted profiles nicely.

(if you want to get straight to the question, look down the bottom and come back here if you want some background)

Now that we don't use Novell anymore, we need to find a way to ensure the same user experience, where any files or data created outside their home drive are removed at logoff. This also prevents space issues on each PC.

I have a VB script using the delprof utility and another script that deletes common profile areas at logoff such as the desktop, cookies, temp internet folder etc., but I have had bad experiences in the past where running these elevated means the environment variables used to detect the username of the logged-in user end up detecting the SYSTEM account rather than the current user, so the logged-in person ends up with most of their profile deleted, which caused very strange errors and problems!

I have read an answer to this question already that suggests setting the default user account to deny read access to users, but this means all the created profiles do not get our vast customisations in the default user account and it doesn't seem to run ActiveSetup which is something we rely on for customisations.

QUESTION: Is there any method you guys can think of that will force Windows XP to create a new user profile for a domain user at logon, the way it creates a new one such as 'user.001' when you do not have access to the existing profile? That way users won't get used to seeing their files when they use the same PC again, and I can then tackle removing redundant profiles later.

Many thanks for reading!
Question by:LONBUSS

Expert Comment

by:Tomas Valenta
ID: 33660362
It can be done by Group Policy: on the domain controller, in Programs/Administrative Tools/Group Policy Management.
Use roaming profiles; in Group Policy you can find the setting that forces deletion of cached profiles on the workstation after logoff.

Expert Comment

ID: 33660363
Running startup script which deletes all non-system profiles?

Expert Comment

ID: 33660364
Try Deep Freeze and exclude the home directory.
Expert Comment

by:Tomas Valenta
ID: 33660396

Expert Comment

ID: 33660428
You need something like a default profile at every logon? And you also don't want to waste disk space on the local machines or on the server?
User profiles should be "reset" at every logon?

Expert Comment

ID: 33660771
Roaming profiles follow users around, they aren't recreated at login, and they can really start to balloon out in size and create horrendous logon times if users start saving things to places other than their user folders (which I would assume are redirected).
What you might be looking for is: Mandatory profiles.

They can be tricky to set up, but could be worth a look.

Author Comment

ID: 33669398
The suggestion from Malajlo is something that's more practical for the setup here. Does anyone have a VB script or batch file to do this effectively? Ideally it should not delete All Users, Administrator or Default User, and it should not start deleting the currently logged-in user (but if it's a startup script then nobody should be able to log in at this point anyway).

I have used a VB script before, but as I said it was run elevated, was unable to detect the logged-in user and would start deleting their profile, causing Windows to do some odd things. My only concern is that if someone logged off and on a PC without it rebooting, they would see their files on the desktop and assume that it's safe to put work there (remember these are student PCs which have no particular owner; we want students to see that their data is deleted every time they log off, like with ZENworks DLU).

Accepted Solution

Malajlo earned 500 total points
ID: 33669545
My suggestion works for unique accounts. It seems you are using one account for all, or what? But in that case, redirected files are visible to all.
If your accounts are unique, an ordinary user won't see other users' files, unless they are local admins (which is a big no-no).
To delete unwanted directories, use a startup script.
I found one on, look at the end. (I think the /s switch isn't necessary.)
If you think computers won't be restarted to clean profiles, then do a scheduled reset (psshutdown from Sysinternals, or also shutdown).

Oh, you can also make a logoff script that creates a simple batch and schedule it to run every minute.
Something like:
rem build a one-shot cleanup batch; %userprofile% expands now, inside the user's own logoff script,
rem so the path is the logging-off user's profile rather than SYSTEM's
echo rem always wait some time to be sure the user is logged off> deleteme.cmd
echo ping localhost -n 120 ^>nul>> deleteme.cmd
echo rd /s /q "%userprofile%">> deleteme.cmd
rem let the batch clean itself up as its last line
echo del "%%~f0">> deleteme.cmd

To be sure the user is logged off, you can also use psloggedon (from Sysinternals) instead of pinging for 120 seconds.
Hmmm, you can accomplish the scheduling with the AT command...
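Below is an added example of the startup-script approach from the accepted answer, written here by the editor rather than taken from Malajlo or the original thread. It is PowerShell (XP SP3 can run PowerShell 2.0), and it deliberately avoids %USERNAME%: it reads the ProfileList registry key for the profiles that exist and HKEY_USERS for the hives that are currently loaded, which is the reliable way to tell "logged on right now" from a SYSTEM-context script. The excluded folder names, the well-known SIDs and the decision to remove both the folder and the ProfileList key are assumptions stated in the comments.

```powershell
# Added example (not from the thread): remove every local user profile that is not
# a system account, a named exclusion, or currently loaded. Uses only the registry
# and the file system, because XP has no Win32_UserProfile WMI class.
# Run as a computer startup script (SYSTEM); dry-run first with -WhatIf.

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Well-known SIDs that must never be touched: SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
$systemSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')

# Profile folder names to keep regardless of SID (assumed local names on these PCs).
$keepFolders = @('All Users', 'Default User', 'Administrator')

function Get-LoadedSids {
    # A SID subkey under HKEY_USERS means that account's hive is loaded, i.e. the
    # account is logged on (interactively or via a service). This is the check that
    # replaces reading environment variables from an elevated/SYSTEM context.
    Get-ChildItem 'Registry::HKEY_USERS' |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -match '^S-1-5-21-' -and $_ -notmatch '_Classes$' }
}

function Get-RemovableProfiles {
    $loaded = @(Get-LoadedSids)
    foreach ($key in Get-ChildItem $profileList) {
        $sid  = $key.PSChildName
        $path = (Get-ItemProperty $key.PSPath).ProfileImagePath
        if (-not $path) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($path)
        $leaf = Split-Path -Leaf $path
        if ($sid -notmatch '^S-1-5-21-') { continue }   # only real user/domain accounts
        if ($systemSids -contains $sid)  { continue }
        if ($keepFolders -contains $leaf) { continue }
        if ($loaded -contains $sid)      { continue }   # hive loaded: someone is using it
        New-Object PSObject -Property @{ Sid = $sid; Path = $path; Key = $key.PSPath }
    }
}

function Remove-StaleProfiles {
    param([switch]$WhatIf)
    foreach ($p in Get-RemovableProfiles) {
        Write-Host "Removing profile $($p.Sid) at $($p.Path)"
        if ($WhatIf) { continue }
        if (Test-Path -LiteralPath $p.Path) {
            Remove-Item -LiteralPath $p.Path -Recurse -Force -ErrorAction SilentlyContinue
        }
        # Remove the ProfileList key as well as the folder. A leftover folder without
        # its key is what produces user.DOMAIN / user.001 style folders at next logon.
        Remove-Item -LiteralPath $p.Key -Recurse -Force
    }
}

# Dry run: lists what would go. Drop -WhatIf in the real startup script.
Remove-StaleProfiles -WhatIf
```

Two caveats from practice: on XP a hive is sometimes still loaded for a while after logoff (the reason UPHClean existed), in which case that profile is simply skipped until the next run, which is the safe direction; and because this runs as SYSTEM it will happily delete anything not excluded, so keep the dry run in place until the output on a real lab PC looks right.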

Expert Comment

by:Tomas Valenta
ID: 33669651
I think the best option for you is using Group Policy and a mandatory profile. The description of this type of profile: you create a profile template (or several) with all the things you want, and this profile is read-only. That means if a user logs on with this mandatory profile, makes some changes, logs off and logs on again, the initial profile is back (no changes are written). In combination with parameters in Group Policy objects you can also delete the locally cached profile on the workstation, and many other things.

Expert Comment

ID: 33669841
Also, creating a new profile at every logon takes some time. Annoying.
Mandatory is the best fit to achieve your needs.

Expert Comment

ID: 33671204
Mandatory profile is definitely the way to achieve this.  If you want all users to share an identical profile, just set their profile paths to be one folder which contains a profile that you have modified and renamed ntuser.dat to  You can also redirect their My Docs/Desktops to a network location using GPO if you want to allow them to save items to those folders?
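The mandatory-profile setup described in the two comments above (template profile, ntuser.dat renamed to ntuser.man, every user pointed at the one shared folder, cached copies deleted at logoff), as an added example written by the editor rather than code from the thread. The template path, share, OU, domain group and the registry value used for the "delete cached copies" policy are assumptions; the file-ACL step uses cacls because that is what XP/2003 ship with.

```powershell
# Added example (not from the thread): build a shared mandatory profile from a
# template and point every user in one OU at it through ADSI.
# All names below are assumptions for this lab; adjust before use.

$template = 'C:\ProfileTemplate'                      # assumed: a cleaned-up local profile
$share    = '\\fileserver\Profiles$\Student'          # assumed share; students need Read only
$ou       = 'LDAP://OU=Students,DC=example,DC=local'  # assumed OU holding the student accounts
$group    = 'EXAMPLE\Students'                        # assumed domain group that will log on

function New-MandatoryProfile {
    param([string]$Source, [string]$Destination, [string]$ReadGroup)
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
    # ntuser.man (instead of ntuser.dat) is what makes the profile mandatory: the hive is
    # loaded read-only and every change the user makes is thrown away at logoff.
    $dat = Join-Path $Destination 'ntuser.dat'
    $man = Join-Path $Destination 'ntuser.man'
    if (Test-Path -LiteralPath $man) { Remove-Item -LiteralPath $man -Force }
    Rename-Item -LiteralPath $dat -NewName 'ntuser.man'
    # Grant the logon group Read only, recursively (/E edit, /T tree, /G grant).
    & cacls $Destination /E /T /G "${ReadGroup}:R" | Out-Null
    return (Test-Path -LiteralPath $man)
}

function Set-ProfilePath {
    param([string]$SearchRoot, [string]$ProfilePath, [switch]$WhatIf)
    # DirectorySearcher/ADSI works against AD 2003 without any extra tooling.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchRoot
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 500
    $changed = 0
    foreach ($result in $searcher.FindAll()) {
        $user = $result.GetDirectoryEntry()
        Write-Host "$($user.sAMAccountName) -> $ProfilePath"
        if (-not $WhatIf) {
            # The same path for everyone: that is the point of a shared mandatory profile.
            $user.Put('profilePath', $ProfilePath)
            $user.SetInfo()
        }
        $changed++
    }
    return $changed
}

function Enable-CachedProfileDeletion {
    # Registry value behind the GPO setting "Delete cached copies of roaming profiles"
    # (Computer Configuration > Administrative Templates > System > User Profiles).
    # Shown here for testing on one PC; in production set it in the GPO instead.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'DeleteRoamingCache' -Value 1 -Type DWord
}

New-MandatoryProfile -Source $template -Destination $share -ReadGroup $group
Set-ProfilePath -SearchRoot $ou -ProfilePath $share -WhatIf   # remove -WhatIf to apply
Enable-CachedProfileDeletion
```

Because nothing is written back to a mandatory profile, anything the students are meant to keep has to live on the home drive or in folders redirected by GPO, as the comment above notes; everything else disappears at logoff, which is the ZENworks DLU behaviour the question asked for.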


Author Comment

ID: 33675839
Thanks for the comments. Our customisations are in the Default User folder; for the last few years a new profile has been created each time someone logs on, so the students are used to that, and once the PC has been on for a while it doesn't take as long. I am going to play with that script first thing tomorrow morning and will get back to you.
