Solved

Profile Fragments after Removal (Windows 7)

Posted on 2011-03-15
Last Modified: 2012-05-11
I operate a computer lab that is open to general use on a campus. Within a week or so we can collect about 100-200 user profiles on the computer.

I've been using a WMI Powershell script to clean the profiles, and it seems to work ok, but now I've noticed some profiles are being left with a single empty folder inside them. The folder is Appdata, and inside it is usually an empty start menu folder or empty Windows media player folder.

I've tried using the Group Policy to remove profiles but it doesn't seem to work well, even after applying a patch to prevent Anti-virus from modifying the last accessed date.

What am I doing wrong? Or is there a better way?

I set the script to run at 5:45am on Sunday and I set the BIOS to wake the computer at 5:30am daily. The script is set to run with no one logged in as "SYSTEM" with full permissions, but the scheduled task never runs. I have to run it by hand, and that's a pain on 12 computers.

I really don't understand why Microsoft made automatic profile removal so very hard.

I appreciate any help I can get.

# PowerShell script to delete all user profiles on your computer except the ones that you specify in the exception list
# Running Syntax: .\ws50_del_unused_profiles.ps1 
# This script will delete the profile completely, including the SID and registry key in the user profile list,
# and also the folder under C:\Users.
# This script will not delete the user profile through which you are currently logged in

function Get-Profiles
{   
	<#
		.Synopsis
		Gets a list of user profiles on a computer.
	
		.Description
		This command gets a list of user profiles on a computer. The info is pipeable and can be used to do other useful tasks.
		
		.Parameter computer
		The computer from which you wish to receive profiles. (defaults to localhost)
	
		.Example
		Get-Profiles -computer comp1
		Gets all of the profiles from comp1
		
		.Example
		Get-Content .\computers.txt | Get-Profiles
		Returns all of the profiles for the computers listed in computers.txt	
		
	#>
	[CmdletBinding()]
    	param ([parameter(ValueFromPipeLine=$true)][String]$computer = "localhost")	
	process {
		$ErrorActionPreference = "SilentlyContinue"
        	# Check for pipe input
		if ($_.Name) { $computer = $_.Name }
        	elseif ($_) { $computer = $_ }
       		else {  }

		$profiles=$null
		# Get the userprofile list and then filter out the built-in accounts
		if ($computer) {
			#$profiles = Get-WmiObject win32_userprofile -computerName $computer | ?{$_.SID -like "s-1-5-21*"}
            #if (!$?) { Write-Warning "Unable to communicate with - $computer" }
            
            $profiles = Get-WmiObject win32_userprofile -computerName $computer			
		}
		else {
			Write-Warning "Unable to communicate with specified host."
		}
		
		if($profiles.count -gt 0 -or ($profiles -and ($profiles.GetType()).Name -eq "ManagementObject")) {
			# Loop through the list of profiles
			foreach ($profile in $profiles) {
				Write-Verbose ("Reading profile for SID " + $profile.SID + " on $computer")
				$user = $null
				$objUser = $null
				#Create output objects
				$Output = New-Object PSObject
				# Create a new security identifier object
				$ObjSID = New-Object System.Security.Principal.SecurityIdentifier($profile.SID)
				# Try to link the user SID to an actual user object (can fail for local accounts on remote machines, 
				#  or the user no longer exists but the profile still remains)
				Try { 
					$objUser = $objSID.Translate([System.Security.Principal.NTAccount]) 
				}
				catch { 
					$user = "ERROR: Not Readable"
				}
				
				if ($objUser.Value) { $user = $objUser.Value }
				
				$Output | Add-Member NoteProperty Computer $computer
				$Output | Add-Member NoteProperty Username $user                 
				#$Output | Add-Member NoteProperty SID $profile.SID
				#$Output | Add-Member NoteProperty Path $profile.LocalPath
				#$Output | Add-Member NoteProperty Profile $profile
                       
				Write-Output $Output
			}
		}
	}
}

function Remove-Profiles(){    
    
	# Defining Exception List
      $exceptionList = New-Object System.Collections.ArrayList
      $result =$exceptionList.Add("Administrator")
      $result =$exceptionList.Add("Default User")
      $result =$exceptionList.Add("Default")
      $result =$exceptionList.Add("Default Profile")
      $result =$exceptionList.Add("All Users")
      $result =$exceptionList.Add("Local Service")
      $result =$exceptionList.Add("Network Service")
      $result =$exceptionList.Add("csuser")      
      $result =$exceptionList.Add("clsmach")
      $result =$exceptionList.Add("sam")
      $result =$exceptionList.Add("lsreer0")
      $result =$exceptionList.Add("cbyun0")
      $result =$exceptionList.Add("SYSTEM")
      $result =$exceptionList.Add("Public")
      
      $chkDelete = 1;
      
      if($chkDelete -eq 1){
        $profiles = Get-WmiObject win32_userprofile -computerName "localhost"
        
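        foreach($delProfile in $profiles){
            # Reset per iteration so a failed lookup cannot reuse the previous profile's account name
            $objUser = $null
            $ObjSID = New-Object System.Security.Principal.SecurityIdentifier($delProfile.SID)
            try {
                $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
            } catch {
                # SID no longer resolves (account removed); the profile folder name is used below instead
            }

            if ($objUser) { $user = $objUser.Value }
            else { $user = "UNKNOWN\" + (Split-Path $delProfile.LocalPath -Leaf) }
            $userName = $user.split("\")
            
            # Keep the profile if the account name is on the exception list
            $chkValue = 1
            foreach($exceptionName in $exceptionList){
                if($exceptionName -eq $userName[1]){
                    $chkValue=0
                }                
            }
            
            if($chkValue){
                 $delUserProfile = Get-WmiObject -query ("select * from win32_userprofile where SID='" + $delProfile.SID + "'") -computer "localhost"                             
                
                try { 
                    echo $delUserProfile.Delete() 
                    echo " All User Profile Deleted Successfully as if you would do it using Wizard!"
                }catch { echo "Error!!: Either $user is logged in currently or User profile doesn't Exists" }            
            }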
            
              
        }       
      }
}

Get-Profiles($env:computername)
Remove-Profiles
Get-Profiles($env:computername)

Question by:TowsonStaff
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 35141165
You might want to use group policy instead. Run gpedit.msc
Computer Configuration / Administrative Templates / System / User Profiles / Delete user profiles older than a specified number of days on system restart. Select Enable and then select the day you would like to delete or remove the profile.

0
 

Author Comment

by:TowsonStaff
ID: 35143095
I activated that policy as well but we had a lot of problems with that policy that made us go to this new script mostly related to profiles that weren't in use being modified by a virus scanner. I applied the patch that Microsoft says will prevent that so let's hope.

I'm trying it again with the hopes things will change.
0
 

Author Comment

by:TowsonStaff
ID: 35148563
I set the process to delete profiles older than one day, and ran gpupdate.

I still see profiles from back in February on the machines.
0

 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 35149025
hmmmm... have you looked at programs i.e. deepfreeze  or only having 1 user profile that brings up a virtual machine that will revert to original on reboot?
0
 

Author Comment

by:TowsonStaff
ID: 35149448
I'd love to be able to do the Virtual machine thing with differencing disks, but it's far beyond the ability of what we have here. I wanted to buy a premade program for profile removal, but they won't let me.

I applied the Group Policy above, now when I run GPupdate or gpupdate /force, I get this error

Registry value "%windir%\SoftwareDistribution\Datastore\Logs\Res*.log" is of unexpected type.

or

"%windir%\Security\Database\*.jr" is of unexpected type.

0
 

Author Comment

by:TowsonStaff
ID: 35234694
I tried using the GPO profile removal tool, and it removed 3/4 profiles. But it still left profile folders with nothing in them.

Problem is because the folder is there, Windows creates a new profile called gprimros.towsonU

If I let it go, it will start making folders

gprimros.towsonu.000
gprimros.towsonu.001

Obviously this is not an acceptable solution. I find it hard to believe there is no way to remove user profiles effectively.
0
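The leftover folders described in this thread can be found by comparing C:\Users against the profiles Windows still has registered in Win32_UserProfile. This is an added example, not part of the original posts; the function names Get-OrphanedProfileFolder and Remove-OrphanedProfileFolder are hypothetical, and it assumes an elevated local PowerShell 2.0 or later session.

```powershell
# Added example: report profile folders that no longer have a registered profile.
# Get-OrphanedProfileFolder is read-only; removal is a separate, -WhatIf aware step.
function Get-OrphanedProfileFolder {
    param(
        [string]$UsersRoot = (Join-Path $env:SystemDrive 'Users'),
        # Folders Windows itself owns and that never map to a user SID
        [string[]]$Skip = @('Public', 'Default', 'Default User', 'All Users')
    )
    # Paths that still have a profile registered (Win32_UserProfile.LocalPath)
    $registered = @(Get-WmiObject Win32_UserProfile |
                    Where-Object { $_.LocalPath } |
                    ForEach-Object { $_.LocalPath.ToLower() })

    Get-ChildItem -Path $UsersRoot -Force |
        Where-Object { $_.PSIsContainer -and ($Skip -notcontains $_.Name) } |
        # Ignore junctions and symlinks; only real directories can be fragments
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } |
        Where-Object { $registered -notcontains $_.FullName.ToLower() } |
        ForEach-Object {
            # Count files only, so a tree of empty AppData subfolders reports 0
            $files = @(Get-ChildItem -Path $_.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                       Where-Object { -not $_.PSIsContainer })
            New-Object PSObject -Property @{
                Path      = $_.FullName
                FileCount = $files.Count
                LastWrite = $_.LastWriteTime
            }
        }
}

function Remove-OrphanedProfileFolder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$EmptyOnly)
    foreach ($o in Get-OrphanedProfileFolder) {
        if ($EmptyOnly -and $o.FileCount -gt 0) {
            Write-Warning "Skipping $($o.Path): still contains files"
            continue
        }
        if ($PSCmdlet.ShouldProcess($o.Path, 'Remove orphaned profile folder')) {
            Remove-Item -LiteralPath $o.Path -Recurse -Force
        }
    }
}

# Report first, then preview the cleanup without deleting anything
Get-OrphanedProfileFolder | Format-Table Path, FileCount, LastWrite -AutoSize
Remove-OrphanedProfileFolder -EmptyOnly -WhatIf
```

Dropping `-WhatIf` from the last line performs the removal; running the report before users log on again shows which names would otherwise come back as `.000` and `.001` folders.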
 

Accepted Solution

by:
TowsonStaff earned 0 total points
ID: 35325524
I found a solution:

Place the groups you desire to have their profiles deleted into the Guests group.

All user profiles that are connected with groups in the Guests folder will have their profile deleted at log-off.

Profiles that are in the administrators group as well are exempted.
0
 

Author Closing Comment

by:TowsonStaff
ID: 35360849
I figured it out myself.
0
