Remove AD Profiles of deleted accounts

Posted on 2011-04-26
Last Modified: 2012-05-11
Our organization is a Windows 2003 AD Domain with several hundred XP Pro clients.  We do not use roaming profiles.  This, over time, leaves numerous orphaned profiles as users leave and their domain accounts are deleted.  I am looking for a way to programmatically have non-AD account profiles removed when the computer is rebooted or on log out.

When a user leaves, the account is disabled and moved to a Disabled User OU for a two week period.  After that, the account is deleted from AD.

The way I see it working is as follows.  Please forgive the bad pseudo code :)

On logout
      Enumerate profiles in C:\Documents and Settings
      Compare Profile 1 to active AD Users
            If match, Do Nothing
            If match Exempted account (Local Admin, Default User) Do Nothing
            If no match, delete profile
            Log Deletion to network storage
      Next Profile

Any and all assistance is greatly appreciated.
Question by: minder49

    Expert Comment

    Could you elaborate on Log Deletion to network storage?

    Author Comment

    Sorry, that was rather vague.  What that means is I would like a log of all the profiles deleted to be written to a log file on a network share.

    Accepted Solution

    Try the following...

    Mention the folder path where logs will be written.

    The script will automatically create a log file with machine name and append to it.
    Option Explicit
    Const ADS_SCOPE_SUBTREE = 2                          ' ADSI search scope: the whole subtree
    Const LocalDocumentsFolder = "C:\Documents and Settings\"
    Dim log_file_path, log_file, WshNetwork, objFSO, objFolder, logfilewrite
    Dim objRootDSE, strDNSDomain, objConnection, objCommand, fldr

    log_file_path = "\\server\c$\profile_deleted_logs\"   ' ensure path ends with a "\"; c$ needs admin rights on the server

    Set WshNetwork = WScript.CreateObject("WScript.Network")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFolder = objFSO.GetFolder(LocalDocumentsFolder)

    ' One log per machine: created on the first run, appended to afterwards
    log_file = log_file_path & WshNetwork.ComputerName & "_Profile_Deletion.log"
    If Not objFSO.FileExists(log_file) Then
        objFSO.CreateTextFile(log_file).Close
    End If
    Set logfilewrite = objFSO.OpenTextFile(log_file, 8)   ' 8 = ForAppending

    ' Bind to the domain the machine is joined to and prepare an ADO query against it
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

    On Error Resume Next
    For Each fldr In objFolder.SubFolders
        If Not isException(fldr.Name) Then
            Err.Clear
            objFSO.DeleteFolder fldr.Path, True
            If Err.Number = 0 Then
                logfilewrite.WriteLine WshNetwork.ComputerName & " - " & fldr.Path & " - Deleted"
            Else
                logfilewrite.WriteLine WshNetwork.ComputerName & " - " & fldr.Path & " - Not Deleted check manually"
                Err.Clear
            End If
        End If
    Next
    logfilewrite.Close

    ' True for folders that must never be removed: the built-in profiles, and any
    ' folder whose name matches the sAMAccountName of an account still in AD.
    ' Note: the folder name is compared as-is, so profiles Windows has renamed
    ' (e.g. jsmith.DOMAIN or jsmith.000) will not match and would be removed;
    ' deleting the folder also leaves the ProfileList registry entry behind.
    Function isException(ByVal foldername)
        Dim objRecordSet
        Select Case foldername
            Case "All Users", "Default User", "LocalService", "NetworkService", "Administrator"
                isException = True
            Case Else
                objCommand.CommandText = _
                    "SELECT * FROM 'LDAP://" & strDNSDomain & "' WHERE objectCategory='user' " & _
                    "AND samAccountName='" & foldername & "'"
                Err.Clear
                Set objRecordSet = objCommand.Execute
                If Err.Number <> 0 Then
                    ' The lookup itself failed (no DC reachable, etc.): keep the folder rather than delete on a guess
                    Err.Clear
                    isException = True
                ElseIf objRecordSet.RecordCount = 1 Then
                    isException = True
                Else
                    isException = False
                End If
        End Select
    End Function

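The asker's pseudo code and the accepted VBScript both reduce to one decision per profile folder: keep built-in profiles, keep folders that match a live domain account, delete the rest and log what happened. The following Python is an added example, not code from the question or the accepted answer, that models that decision offline so the rules can be reviewed before anything is deleted. It goes a little beyond the page's script: it strips the `.DOMAIN` / `.000` suffix Windows adds to renamed profile folders, keeps every folder when the directory lookup failed, and escapes the folder name before it is placed in an LDAP filter (the VBScript concatenates it into the query unescaped). The function names (`plan_cleanup`, `ldap_filter_for`, `log_lines`), the `Decision` type and the sample listing are assumptions made for this illustration; the sample folders and account names are constructed.

```python
"""Offline model of the orphaned-profile cleanup decision (added example)."""
import re
from dataclasses import dataclass

# Built-in profiles that never correspond to a domain user (same list as the accepted solution)
EXEMPT_FOLDERS = frozenset({"All Users", "Default User", "LocalService",
                            "NetworkService", "Administrator"})

# Windows names a profile folder "name.DOMAIN" or "name.000" when the plain name is
# already taken, so the account name is the part before the first dot.
_SUFFIX = re.compile(r"^(?P<base>[^.]+)(?:\.[A-Za-z0-9_-]+)?$")


def account_from_folder(folder):
    """Return the probable sAMAccountName for a profile folder name."""
    m = _SUFFIX.match(folder)
    return m.group("base") if m else folder


def ldap_filter_for(sam):
    """Build the per-account LDAP filter with RFC 4515 escaping, so a folder name
    containing filter metacharacters cannot change what the query matches."""
    esc = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    safe = "".join(esc.get(ch, ch) for ch in sam)
    return f"(&(objectCategory=person)(objectClass=user)(sAMAccountName={safe}))"


@dataclass(frozen=True)
class Decision:
    folder: str
    action: str   # "keep" or "delete"
    reason: str


def decide(folder, active_accounts, lookup_ok=True):
    """Apply the rules from the question to one folder. active_accounts is the set
    of sAMAccountNames the directory returned; lookup_ok is False if that query failed."""
    if folder in EXEMPT_FOLDERS:
        return Decision(folder, "keep", "built-in profile")
    if not lookup_ok:
        # Fail safe: with no answer from AD every folder looks orphaned, so delete nothing
        return Decision(folder, "keep", "directory lookup failed")
    active = {a.lower() for a in active_accounts}
    for candidate in (folder, account_from_folder(folder)):
        if candidate.lower() in active:
            return Decision(folder, "keep", f"matches account {candidate}")
    return Decision(folder, "delete", "no matching domain account")


def plan_cleanup(folders, active_accounts, lookup_ok=True):
    return [decide(f, active_accounts, lookup_ok) for f in folders]


def log_lines(computer, decisions, delete_result):
    """Format the per-machine log lines the asker wants written to the share.
    delete_result maps folder -> True/False for the outcome of the real delete."""
    lines = []
    for d in decisions:
        if d.action != "delete":
            continue
        status = "Deleted" if delete_result.get(d.folder) else "Not Deleted check manually"
        lines.append(f"{computer} - C:\\Documents and Settings\\{d.folder} - {status}")
    return lines


# Constructed sample: a profile directory listing and the accounts AD currently returns
SAMPLE_FOLDERS = ["All Users", "Default User", "Administrator", "jsmith",
                  "bjones.CORP", "oldhire", "tlee.000"]
SAMPLE_ACCOUNTS = ["JSmith", "bjones", "tlee"]

if __name__ == "__main__":
    for d in plan_cleanup(SAMPLE_FOLDERS, SAMPLE_ACCOUNTS):
        print(f"{d.action:6} {d.folder:16} {d.reason}")
    print(ldap_filter_for("o'brien*"))
```

Running the model against a dry listing of `C:\Documents and Settings` first (no deletes, just the printed plan) is the cheapest way to confirm the exemption list and suffix handling fit a site before the real script runs at logout.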


    Author Comment

    Looks good.  Will test this out and post results.

    Author Comment

    Works great!  Thank you very much!
