Removing the contents of the "Downloads" folder while folder re-direction is enabled.

Server OS: 2012 r2
Clients: Win 10
Folder re-direction:  GPO redirects Desktop, Documents, Favorites and Downloads to \\Server\Share$\%username%\

Normally I disagree with re-directing downloads, but due to compliance requirements, we have to re-direct the downloads folder.

That being said, we are trying to figure out the most effective way to have the contents of the downloads folder removed nightly without impacting user logon/logoff times.

The only way we can think of doing this is by using a scheduled task that runs on the server nightly.
We tried using a script that runs on each computer at logoff but that proved to be impractical because it caused users to experience really long logoff times depending on the size of their downloads directory.

The issue we are faced with is, if we create a scheduled task on the server, would we have to create an account with full access permissions to user's home folders or can we run a scheduled task with gMSA? Does gMSA have full system access to any directory regardless of NTFS permissions?

I say regardless, but that's assuming NTFS permissions for the folder re-direction shares have the "SYSTEM" user account added with full control to the parent directory and all subfolders and files.

It makes sense to just try it and test it, but we're on a bit of a time crunch. We're working on getting a gMSA setup and try to run a script using that account.
David ZacharczykNetwork & Systems EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Adam BrownSr Solutions ArchitectCommented:
Yes, it's possible. https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/ covers how to do it. You will have to configure permissions for the gMSA itself. It does not run in the System context by default and has to be granted permissions.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
David ZacharczykNetwork & Systems EngineerAuthor Commented:
using gMSA account to remove contents of downloads folder using a scheduled task.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.