Force new user profiles at logon (AD environment)

Posted on 2010-09-13
Last Modified: 2012-05-10
Hi all,

We are running Windows XP SP3, all PCs are added to a domain (AD 2003), currently we have nothing in place to manage the local user profiles on each PC (around 400 PCs for use by students). Previously we used the Dynamic Local User policy in Novell Zenworks that created and deleted profiles nicely.

(if you want to get straight to the question, look down the bottom and come back here if you want some background)

Now that we don't use Novell anymore, we need to find a way to ensure the same user experience where any files or data created that's not on their home drive will be removed at log off. This also prevents space issues on each PC.

I have a VB script using the delprof utility and another script that deletes common profile areas at log off, such as the desktop, cookies, temp internet folder etc., but I have had bad experiences in the past where running these elevated means the environment variables used to detect the username of the logged in user will end up detecting the SYSTEM account but not the current user, so the logged in person ends up with most of their profile deleted, which caused very strange errors and problems!!

I have read an answer to this question already that suggests setting the default user account to deny read access to users, but this means all the created profiles do not get our vast customisations in the default user account and it doesn't seem to run ActiveSetup which is something we rely on for customisations.

QUESTION: Is there any method you guys can think of that will force Windows XP to create a new user profile for a domain user at logon, such as when you do not have access to a profile, it creates a new one such as 'user.001'? This way users won't get used to seeing their files when they use the same PC again and I can then tackle removing redundant profiles later.

Many thanks for reading!
Question by:LONBUSS

Expert Comment

by:Tomas Valenta
ID: 33660362
It can be done by Group policy - on domain controller in Programs/Administrative tools/Group policy Management.
Use Roaming profiles and in you can find Group policy part where you force deleting cached profiles on workstation after logoff.

Expert Comment

ID: 33660363
Running startup script which deletes all non-system profiles?

Expert Comment

ID: 33660364
try deep freeze and exclude home directory

Expert Comment

by:Tomas Valenta
ID: 33660396

Expert Comment

ID: 33660428
You need something like a default profile at every logon? And also you don't want to waste disk space on local machines nor on the server?
User profiles should be "reset" at every logon?

Expert Comment

ID: 33660771
Roaming profiles follow users around, they aren't recreated at login, and they can really start to balloon out in size and create horrendous logon times if users start saving things to places other than their user folders (which I would assume are redirected).
What you might be looking for is: Mandatory profiles.

They can be tricky to set up, but could be worth a look.

Author Comment

ID: 33669398
The suggestion from Malajlo is something that's more practical for the set up here, does anyone have a VB script or batch file to do this effectively? Ideally it should not delete All Users, Administrator or Default user, and it should not start deleting the currently logged in user (but if it's a startup script then nobody should be able to log in at this point anyway)

I have used a VB script before, but like I said it was run elevated and was unable to detect the logged in user and would start deleting their profile, causing Windows to do some odd things. My only concern is that if someone logged off and on a PC without it rebooting, they would see their files on the desktop and assume that it's safe to put work there (remember these are student PCs which have no particular owner, we want students to see that their data is deleted every time they log off like with Zenworks DLU).

Accepted Solution

Malajlo earned 500 total points
ID: 33669545
My suggestion works for unique accounts. Seems you are using one account for all or what? But in that case, redirected files are visible to all.
If your accounts are unique, ordinary user won't see other user's files. Unless they are local admins (which is a big no-no).
To delete unwanted directories, use a startup script.
I found one on, look at the end. (I think switch /s isn't necessary)
If you think computers won't be restarted to clean profiles, then do a scheduled reset (psshutdown from sysinternals or also shutdown).

Oh, you can also make a logoff script that creates a simple batch and schedule it for every minute.
Something like
rem always wait some time to be sure user is logged off
echo ping localhost -n 120 > deleteme.cmd
rem quotes are needed because the profile path contains spaces
echo rd /s /q "%userprofile%" >> deleteme.cmd
rem let's clean this batch
echo echo rem ^> deleteme.cmd >> deleteme.cmd
rem the last line perhaps works ;)

To be sure if user is logged off, you can also use psloggedon (from sysinternals) instead of pinging for 120 seconds.
Hmmm, you can accomplish schedule with AT command...
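
One way to write the startup script discussed in this thread, as an added example that is not code from any poster: it takes profiles from the ProfileList registry key instead of %USERNAME% or %USERPROFILE%, so running as SYSTEM cannot point it at the wrong profile, and it goes slightly beyond the thread by also removing the matching ProfileList entry. The helper names, the DRY_RUN switch and the log location are assumptions made for the example.

```vbscript
' Added example: machine STARTUP script (runs as SYSTEM before anyone logs on).
' Profiles come from ProfileList, never from environment variables.
Option Explicit
Const HKLM = &H80000002
Const HKU = &H80000003
Const PROFILE_LIST = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
Const DRY_RUN = True                         ' assumption: set False after reviewing the log
Const LOG_NAME = "\Temp\profile-cleanup.log" ' assumed log location under the Windows folder

Dim reg, fso, logFile, sids, sid, path
Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
Set fso = CreateObject("Scripting.FileSystemObject")
Set logFile = fso.OpenTextFile(fso.GetSpecialFolder(0).Path & LOG_NAME, 8, True)

If reg.EnumKey(HKLM, PROFILE_LIST, sids) = 0 And IsArray(sids) Then
  For Each sid In sids
    If ShouldDelete(sid) Then
      path = Null
      reg.GetExpandedStringValue HKLM, PROFILE_LIST & "\" & sid, "ProfileImagePath", path
      If IsNull(path) Then
        logFile.WriteLine Now & " SKIP (no ProfileImagePath) " & sid
      ElseIf DRY_RUN Then
        logFile.WriteLine Now & " WOULD DELETE " & path
      Else
        DeleteProfile sid, path
      End If
    End If
  Next
End If
logFile.Close

Function ShouldDelete(sid)   ' hypothetical helper
  Dim subKeys
  ShouldDelete = False
  If Left(sid, 9) <> "S-1-5-21-" Then Exit Function         ' SYSTEM, LocalService, NetworkService
  If Right(sid, 4) = "-500" Then Exit Function              ' built-in Administrator (RID 500)
  If reg.EnumKey(HKU, sid, subKeys) = 0 Then Exit Function  ' hive loaded: user is logged on
  ShouldDelete = True
End Function

Sub DeleteProfile(sid, path) ' hypothetical helper
  On Error Resume Next
  If fso.FolderExists(path) Then fso.DeleteFolder path, True
  If Err.Number = 0 Then
    reg.DeleteKey HKLM, PROFILE_LIST & "\" & sid
    logFile.WriteLine Now & " DELETED " & path
  Else
    logFile.WriteLine Now & " FAILED " & path & ": " & Err.Description
  End If
End Sub
```

All Users and Default User have no ProfileList entry, so they are never candidates; with DRY_RUN left at True the script only writes the list of profiles it would remove.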

Expert Comment

by:Tomas Valenta
ID: 33669651
I think that the best for you is using Group Policy and a mandatory profile. The description of this type of profile: you create a profile template (or several) with all the things you want, and this profile is read-only. It means that if a user logs on with this mandatory profile, makes some changes, logs off and logs on again, the initial profile is back (no changes are written). In combination with parameters in Group Policy objects you can also delete the locally cached profile on the workstation, and many other things.

Expert Comment

ID: 33669841
Also creating a new profile at every logon takes some time. Annoying.
Mandatory is best fit to achieve your needs.

Expert Comment

ID: 33671204
Mandatory profile is definitely the way to achieve this.  If you want all users to share an identical profile, just set their profile paths to be one folder which contains a profile that you have modified and renamed ntuser.dat to  You can also redirect their My Docs/Desktops to a network location using GPO if you want to allow them to save items to those folders?


Author Comment

ID: 33675839
Thanks for the comments, our customisations are in the Default User folder, for the last few years a new profile has been created each time someone logs on so the students are used to that, once the PC has been on for a while it doesn't take as long. I am going to play with that script first thing tomorrow morning and will get back to you.

Question has a verified solution.
