Force new user profiles at logon (AD environment)

Hi all,

We are running Windows XP SP3, all PCs are added to a domain (AD 2003), currently we have nothing in place to manage the local user profiles on each PC (around 400 PCs for use by students). Previously we used the Dynamic Local User policy in Novell Zenworks that created and deleted profiles nicely.

(if you want to get straight to the question, look down the bottom and come back here if you want some background)

Now that we don't use Novell anymore, we need to find a way to ensure the same user experience where any files or data created that's not on their home drive will be removed at log off. This also prevents space issues on each PC.

I have a VB script using the delprof utility and another script that deletes common profile areas at log off, such as the desktop, cookies, temporary internet folder etc., but I have had bad experiences in the past where running these elevated means the environment variables used to detect the username of the logged-in user end up detecting the SYSTEM account rather than the current user, so the logged-in person ends up with most of their profile deleted, which caused very strange errors and problems!!

I have read an answer to this question already that suggests setting the default user account to deny read access to users, but this means all the created profiles do not get our vast customisations in the default user account and it doesn't seem to run ActiveSetup which is something we rely on for customisations.

QUESTION: Is there any method you guys can think of that will force Windows XP to create a new user profile for a domain user at logon, such as when you do not have access to a profile and it creates a new one like 'user.001'? This way users won't get used to seeing their files when they use the same PC again, and I can then tackle removing redundant profiles later.

Many thanks for reading!
My suggestion works for unique accounts. Seems you are using one account for all, or what? But in that case, redirected files are visible to all.
If your accounts are unique, ordinary user won't see other user's files. Unless they are local admins (which is a big no-no).
To delete unwanted directories, use a startup script
I found one on, look at the end. (i think switch /s isn't necessary)
If you think computers won't be restarted to clean profiles, then do a scheduled reset (psshutdown from sysinternals or also shutdown).

Oh, you can also make a logoff script that creates a simple batch and schedule it for every minute.
Something like
rem logoff script: write a helper batch that the scheduler runs later, after the user is gone
rem always wait some time to be sure user is logged off (so the wait goes first, before the delete)
echo ping localhost -n 120 ^>nul > deleteme.cmd
rem %userprofile% is expanded now, while the user's session still exists, so the real path is baked into the helper
echo rd /s /q "%userprofile%" >> deleteme.cmd
rem let's clean this batch: the helper deletes itself (%%~f0 is written into the file as %~f0)
echo del "%%~f0" >> deleteme.cmd
rem the last line perhaps works ;)

To be sure the user is logged off, you can also use psloggedon (from Sysinternals) instead of pinging for 120 seconds.
Hmmm, you can accomplish schedule with AT command...
Tomas Valenta (IT Manager) commented:
It can be done by Group policy - on domain controller in Programs/Administrative tools/Group policy Management.
Use roaming profiles, and in Group Policy you can find the setting that forces deletion of cached profiles on the workstation after logoff.
Running startup script which deletes all non-system profiles?
try deep freeze and exclude home directory
Tomas Valenta (IT Manager) commented:
You need something like default profile at every logon? And also you don't want to waste disk space on local machines neither on server?
User profiles should be "reset" at every logon?
Roaming profiles follow users around, they aren't recreated at login, and they can really start to balloon out in size and create horrendous logon times if users start saving things to places other than their user folders (which I would assume are redirected).
What you might be looking for is: Mandatory profiles.

They can be tricky to set up, but could be worth a look.
LONBUSS (Author) commented:
The suggestion from Malajlo is something that's more practical for the setup here; does anyone have a VB script or batch file to do this effectively? Ideally it should not delete All Users, Administrator or Default User, and it should not start deleting the currently logged-in user (but if it's a startup script then nobody should be able to log in at this point anyway).

I have used a VB script before, but like I said it was run elevated and was unable to detect the logged-in user, and would start deleting their profile, causing Windows to do some odd things. My only concern is that if someone logged off and on a PC without it rebooting, they would see their files on the desktop and assume that it's safe to put work there (remember these are student PCs which have no particular owner; we want students to see that their data is deleted every time they log off, like with Zenworks DLU).
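A startup-time cleanup of the kind asked for above, written as an added example for this thread rather than code from any of the posters. It assumes PowerShell 2.0 (Windows Management Framework) has been installed on the XP SP3 clients and that the script runs as a machine startup script, i.e. in the SYSTEM context. Because of that context it never consults %USERNAME% (the pitfall described earlier in the thread); instead it walks the standard ProfileList registry key and treats a hive loaded under HKEY_USERS as the sign that an account is currently logged on. The folder and SID keep-lists are assumptions you would adjust for your own site.

```powershell
# Startup cleanup of local user profiles on a shared XP SP3 workstation.
# Added example for this thread, not code from any poster. Assumes PowerShell 2.0
# on the client and execution as a machine startup script (SYSTEM context), so it
# must not rely on %USERNAME% to identify the interactive user.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Profile folders that stay no matter what (assumed keep-list; adjust for your site).
$keepFolders = @('All Users', 'Default User', 'Administrator')

# Well-known service SIDs: SYSTEM, LocalService, NetworkService.
$keepSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')

# The real profiles root (e.g. C:\Documents and Settings); anything outside it is refused,
# so a ProfileImagePath pointing elsewhere can never cause a delete outside the root.
$root = [Environment]::ExpandEnvironmentVariables(
    (Get-ItemProperty $profileList).ProfilesDirectory).TrimEnd('\')

foreach ($key in Get-ChildItem $profileList) {
    $sid = $key.PSChildName
    if ($keepSids -contains $sid) { continue }

    $path = (Get-ItemProperty $key.PSPath).ProfileImagePath
    if (-not $path) { continue }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    $name = Split-Path $path -Leaf

    # Refuse anything not directly under the profiles root or on the keep-list
    # (string comparison in PowerShell is case-insensitive by default).
    if ((Split-Path $path -Parent) -ne $root) { continue }
    if ($keepFolders -contains $name) { continue }

    # A loaded hive under HKEY_USERS means that account is logged on right now.
    # This is the check a SYSTEM-context script needs; %USERNAME% only names the
    # account the script itself runs as.
    if (Test-Path "Registry::HKEY_USERS\$sid") {
        Write-Verbose "Skipping $name ($sid): profile is in use"
        continue
    }

    if ($PSCmdlet.ShouldProcess("$path ($sid)", 'Remove local profile')) {
        Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Continue
        # Only forget the profile in the registry once the folder is really gone,
        # so XP builds a fresh copy from Default User at the next logon.
        if (-not (Test-Path -LiteralPath $path)) {
            Remove-Item -LiteralPath $key.PSPath -Recurse -Force
        }
    }
}
```

Run it first as `.\Clean-Profiles.ps1 -WhatIf -Verbose` from an administrative prompt on one test PC: the -WhatIf output lists every folder and registry key it would remove, and the -Verbose lines show which profiles were skipped because a hive was loaded. Only after that preview looks right would you assign it under Computer Configuration as a startup script.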
Tomas Valenta (IT Manager) commented:
I think that the best option for you is using Group Policy and a mandatory profile. The description of this type of profile: you create a profile template (or several) with all the things you want, and this profile is read-only. It means that if a user logs on with this mandatory profile, makes some changes, logs off and logs on again, the initial profile is back (no changes are written). In combination with parameters in Group Policy objects you can also delete the locally cached profile on the workstation, and many other things.
Also, creating a new profile at every logon takes some time. Annoying.
Mandatory is best fit to achieve your needs.
Mandatory profile is definitely the way to achieve this.  If you want all users to share an identical profile, just set their profile paths to be one folder which contains a profile that you have modified and renamed ntuser.dat to  You can also redirect their My Docs/Desktops to a network location using GPO if you want to allow them to save items to those folders?

LONBUSS (Author) commented:
Thanks for the comments. Our customisations are in the Default User folder; for the last few years a new profile has been created each time someone logs on, so the students are used to that, and once the PC has been on for a while it doesn't take as long. I am going to play with that script first thing tomorrow morning and will get back to you.