Solved

Force new user profiles at logon (AD environment)

Posted on 2010-09-13
Last Modified: 2012-05-10
Hi all,

We are running Windows XP SP3, all PCs are added to a domain (AD 2003), currently we have nothing in place to manage the local user profiles on each PC (around 400 PCs for use by students). Previously we used the Dynamic Local User policy in Novell Zenworks that created and deleted profiles nicely.

(if you want to get straight to the question, look down the bottom and come back here if you want some background)

Now that we don't use Novell anymore, we need to find a way to ensure the same user experience where any files or data created that's not on their home drive will be removed at log off. This also prevents space issues on each PC.

I have a VB script using the delprof utility and another script that deletes common profile areas at log off such as the desktop, cookies, temp internet folder etc but I have had bad experiences in the past where running these elevated means the environment variables used to detect the username of the logged in user will end up detecting the SYSTEM account but not the current user so the logged in person ends up with most of their profile deleted which caused very strange errors and problems!!

I have read an answer to this question already that suggests setting the default user account to deny read access to users, but this means all the created profiles do not get our vast customisations in the default user account and it doesn't seem to run ActiveSetup which is something we rely on for customisations.

QUESTION: Is there any method you guys can think of that will force Windows XP to create a new user profile for a domain user at logon, such as when you do not have access to a profile and it creates a new one such as 'user.001'? This way users won't get used to seeing their files when they use the same PC again and I can then tackle removing redundant profiles later.

Many thanks for reading!
Question by:LONBUSS
12 Comments
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 33660362
It can be done by Group policy - on domain controller in Programs/Administrative tools/Group policy Management.
Use Roaming profiles and in http://support.microsoft.com/kb/274152 you can find Group policy part where you force deleting cached profiles on workstation after logoff.
0
 
LVL 4

Expert Comment

by:Malajlo
ID: 33660363
Running startup script which deletes all non-system profiles?
0
 
LVL 11

Expert Comment

by:sumeshbnr
ID: 33660364
try deep freeze and exclude home directory
0
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 33660396
0
 
LVL 4

Expert Comment

by:Malajlo
ID: 33660428
You need something like default profile at every logon? And also you don't want to waste disk space on local machines neither on server?
User profiles should be "reset" at every logon?
0
 
LVL 1

Expert Comment

by:gonzaria
ID: 33660771
Roaming profiles follow users around, they aren't recreated at login, and they can really start to balloon out in size and create horrendous logon times if users start saving things to places other than their user folders (which I would assume are redirected).
What you might be looking for is: Mandatory profiles.

They can be tricky to set up, but could be worth a look.

http://support.microsoft.com/kb/307800
0
 
LVL 1

Author Comment

by:LONBUSS
ID: 33669398
The suggestion from Malajlo is something that's more practical for the set up here, does anyone have a VB script or batch file to do this effectively? Ideally it should not delete All Users, Administrator or Default user, and it should not start deleting the currently logged in user (but if it's a startup script then nobody should be able to log in at this point anyway)

I have used a VB script before, but like I said it was run elevated and was unable to detect the logged in user and would start deleting their profile causing Windows to do some odd things. My only concern is that if someone logged off and on a PC without it rebooting, they would see their files on the desktop and assume that it's safe to put work there (remember these are student PCs which have no particular owner, we want students to see that their data is deleted every time they log off like with Zenworks DLU)
0
 
LVL 4

Accepted Solution

by:
Malajlo earned 500 total points
ID: 33669545
My suggestion works for unique accounts. Seems you are using one account for all or what? But in that case, redirected files are visible to all.
If your accounts are unique, ordinary user won't see other user's files. Unless they are local admins (which is a big no-no).
To delete unwanted directories, use a startup script.
I found one on http://www.computing.net/answers/programming/batch-delete-folders-but-skip-few/14380.html, look at the end. (I think switch /s isn't necessary)
If you think computers won't be restarted to clean profiles, then do a scheduled reset (psshutdown from sysinternals or also shutdown).

Oh, you can also make a logoff script that creates a simple batch and schedule it for every minute.
Something like
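rem logoff script: %userprofile% is expanded here, while the user is still logged on
rem always wait some time to be sure user is logged off
echo ping localhost -n 120 > deleteme.cmd
rem quotes are needed because the profile path contains spaces
echo rd /s /q "%userprofile%" >> deleteme.cmd
rem let's clean this batch (the generated file overwrites itself after it has run)
echo echo rem ^> "%%~f0" >> deleteme.cmd
rem the last line perhaps works ;)
exit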


To be sure if user is logged off, you can also use psloggedon (from sysinternals) instead of pinging for 120 seconds.
Hmmm, you can accomplish schedule with AT command...
0
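A startup-script version of the profile cleanup discussed above, as an added example that is not part of the original thread: it runs before logon and enumerates the profile folder instead of trusting environment variables, which avoids the SYSTEM-context problem described in the question. The log path, the DRYRUN switch and the two service-profile names in the keep-list are assumptions.

```batch
@echo off
rem Added example, not from the thread. Assign as a computer STARTUP script:
rem it runs as SYSTEM before anyone can log on, so no profile is in use.
rem It never reads USERNAME or USERPROFILE (under SYSTEM those do not
rem name a student); it walks the profile root and skips a fixed keep-list.
setlocal EnableExtensions

rem Assumption: XP layout, ALLUSERSPROFILE = <profile root>\All Users.
for %%P in ("%ALLUSERSPROFILE%\..") do set "PROFILES=%%~fP"

rem DRYRUN=1 only logs what would be removed; set to 0 after checking the log.
set "DRYRUN=1"
rem Hypothetical log location, writable by SYSTEM.
set "LOG=%SystemRoot%\Temp\profile-cleanup.log"

rem Refuse to run if the root did not resolve to an existing directory.
if not exist "%PROFILES%\All Users\" (
  >>"%LOG%" echo %DATE% %TIME% profile root not found, nothing deleted
  goto :done
)

rem for /d does not return hidden folders; the keep-list below still guards them.
for /d %%D in ("%PROFILES%\*") do call :check "%%~nxD"

:done
endlocal
goto :eof

:check
rem Keep-list: the three named in the thread plus XP's service profiles.
rem Comparison is by exact folder name, so "Administrator.DOMAIN" is not kept.
for %%K in ("All Users" "Default User" "Administrator" "LocalService" "NetworkService") do if /i "%%~K"=="%~1" goto :eof
if "%DRYRUN%"=="1" (
  >>"%LOG%" echo %DATE% %TIME% would remove "%PROFILES%\%~1"
  goto :eof
)
rd /s /q "%PROFILES%\%~1"
rem rd does not reliably signal failure, so verify the result on disk.
if exist "%PROFILES%\%~1\" (
  >>"%LOG%" echo %DATE% %TIME% FAILED to remove "%PROFILES%\%~1"
) else (
  >>"%LOG%" echo %DATE% %TIME% removed "%PROFILES%\%~1"
)
goto :eof
```

Store the script where students cannot modify it, since anything the startup context executes runs with SYSTEM rights.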
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 33669651
I think that the best for you is using Group Policy and mandatory profile. The description of this type of profile: you create profile template (or several) with all things you want and this profile is read only - it means if user logon with this mandatory profile, make some changes and logoff and logon again - the initial profile is back (no changes are written). In combination with parameters in Group policy objects you can also delete local cache profile on workstation and more other things.
0
 
LVL 4

Expert Comment

by:Malajlo
ID: 33669841
Also creating new profile at every logon takes some time. Annoying.
Mandatory is best fit to achieve your needs.
0
 
LVL 3

Expert Comment

by:esp-projects
ID: 33671204
Mandatory profile is definitely the way to achieve this.  If you want all users to share an identical profile, just set their profile paths to be one folder which contains a profile that you have modified and renamed ntuser.dat to ntuser.man.  You can also redirect their My Docs/Desktops to a network location using GPO if you want to allow them to save items to those folders?

0
 
LVL 1

Author Comment

by:LONBUSS
ID: 33675839
Thanks for the comments, our customisations are in the Default User folder, for the last few years a new profile has been created each time someone logs on so the students are used to that, once the PC has been on for a while it doesn't take as long. I am going to play with that script first thing tomorrow morning and will get back to you.
0
