Roaming Profile Cleanup Script
-
For some reason - I have someone that wants to go into the local computer(s) of the office and clean out all the departed Users. They are pretty adamant about deleting users no longer at the company.
This seems like a good candidate for a script, as there are about 20 computers in the office and I have no real desire to log into all 20 of them to delete them.
Is this best suited for PowerShell or batch file? Could you delete the local computer folder for the user on logout?
-
Doesn't AD automatically do this?
We're up to 10 users here and roaming profiles would be a very good thing as they all jump between different computers. This sort of thing is nice to know before hand.
-
No - User accounts are 'left' so that is connection to the AD / DC is lost, then the user can still log on.
-
@gjacobse I am not the one to give specifics, because I'm not nearly as versed in powershell as I would like to be. However, I would think that this would be a task best suited for powershell. I would look at constructing the script so that it checks for existing domain accounts that have been either disabled or inactive for a set period of time and then goes through the necessary steps to cleanly remove them from all systems that they have logged into and cached/established a local profile.
Aside from that you could just use thermite. I not-so-fondly remember the woes associated with managing roaming profiles with proprietary banking software at a previous employer.
Blech...
Good luck!
-
https://helgeklein.com/free-tools/delprof2-user-profile-deletion-tool/
This tool will list all inactive profiles on whatever computer you run it against. I use it all the time to clean users profiles.
-
@gjacobse said:
No - User accounts are 'left' so that is connection to the AD / DC is lost, then the user can still log on.
That's not totally true, all profiles files are left, that doesn't mean you can still login to it necessarily. There's no process for AD to talk to the local computer to tell it the user was removed. It is just a directory service, The local computer has to request to login to the account. There is no method AD to tell computers anything changed without them requesting.