Fully delete roaming profile on terminal server upon user logoff
Solution 1
While there is a "Prevent Roaming Profile Changes From Propagating to the server" GPO setting from "Computer Configuration\Administrative Templates\System\User Profiles" which changes the "ReadOnlyProfile" value in the HKLM\Software\Policies\Microsoft\Windows\System regkey, it is a per-machine configuration setting valid for all users logging on to your terminal servers, and thus probably undesirable. Also, I am not sure if it would affect profiles from already logged-on users.
I believe the only method to achieve what you want would be through scripting.
1. parse a file for the list of user profiles to delete
2. iterate through this list
3. check if user is logged on
4. if not, delete her roaming profile and the local copy
5. wait for a while before proceeding
6. go to 1.
This looks simple enough even to be scripted as a CMD batch, but obviously using PowerShell would produce more elegant and resilient code.
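A sketch of the loop described in Solution 1, added here as an example and not part of the original answer. The list file path, domain, profile share, server names and the `<user>.V2` folder naming are hypothetical placeholders, and the script assumes an account with delete rights on the profile share.

```powershell
# Added example, not the answer author's code. Every default below is a hypothetical placeholder.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $ListFile    = 'C:\ProfileReset\pending.txt',  # one account name per line
    [string]   $Domain      = 'EXAMPLE',                       # NetBIOS domain name
    [string]   $ProfileRoot = '\\fileserver\profiles$',        # roaming profile share
    [string[]] $Servers     = @('TS01', 'TS02'),               # terminal servers to check
    [int]      $WaitSeconds = 300
)

while ($true) {
    $pending = @(Get-Content -LiteralPath $ListFile | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($pending.Count -eq 0) { break }
    $remaining = @()

    foreach ($user in $pending) {
        # Accept plain account names only, so a list entry such as "..\other"
        # can never point Remove-Item outside the profile share.
        if ($user -notmatch '^[A-Za-z0-9._-]+$') { Write-Warning "Dropping invalid entry '$user'"; continue }
        try {
            $sid = (New-Object System.Security.Principal.NTAccount($Domain, $user)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            # Win32_UserProfile.Loaded is true while the profile is in use on that server.
            $local = @(Get-WmiObject -Class Win32_UserProfile -ComputerName $Servers `
                           -Filter "SID='$sid'" -ErrorAction Stop)
        } catch {
            # Unknown account or unreachable server: keep the entry and retry on the next pass.
            Write-Warning "Cannot check '$user': $_"; $remaining += $user; continue
        }
        # Still logged on somewhere: leave the profile alone until a later pass.
        if ($local | Where-Object { $_.Loaded }) { $remaining += $user; continue }

        foreach ($p in $local) {
            if ($PSCmdlet.ShouldProcess("$($p.__SERVER): $($p.LocalPath)", 'Delete local profile copy')) {
                $p.Delete()
            }
        }
        # Assumption: the roaming folder is named <user>.V2 directly under the share.
        $roaming = Join-Path $ProfileRoot ($user + '.V2')
        if ((Test-Path -LiteralPath $roaming) -and
            $PSCmdlet.ShouldProcess($roaming, 'Delete roaming profile')) {
            Remove-Item -LiteralPath $roaming -Recurse -Force
        }
    }
    if ($WhatIfPreference) { break }   # dry run: report one pass and stop
    if ($remaining.Count -gt 0) { Set-Content -LiteralPath $ListFile -Value $remaining } else { Clear-Content -LiteralPath $ListFile }
    Start-Sleep -Seconds $WaitSeconds
}
```

Running it once with `-WhatIf` lists what would be deleted without touching any profile or the list file.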
Solution 2
Set this script as a PowerShell “logoff” script. You will need to make sure users have proper permissions on the “ProfileList” registry folder (our users did not).
Essentially, what it does is, during the logoff process, it changes the profile State to “128”, which is the guest account, and nukes their profile while logging off.
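Just copy and paste this as a PowerShell script

```powershell
# SID of the user running the logoff script
$SID = ([Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
# Set that profile's State value to 128 under ProfileList
Set-ItemProperty -path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\$SID\" -name State -value 128
```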
This is handy when you have apps like SKYPE that do not allow mandatory profiles or guest accounts that do not have permissions to write to the cert store.
Solution 3
Create a new GPO Object, and link it to the OU of the users (or computers).
Computer Configuration => Policies => Administrative Templates => System/User Profiles => Delete cached copies of roaming profiles == Enabled
This worked for me in the past.
mastbinns
Updated on September 18, 2022
Comments
-
mastbinns almost 2 years
We're using roaming profiles on our terminal servers (running Win2k8). Occasionally, it is necessary to delete some of them, for example because of corruption or to test something. They store only preferred settings (e.g. displayed views in applications), no user data. Of course, we can only delete profiles while the affected user is logged off. We'd like to be able to delete a profile at any time, though.
Is it possible to configure that a profile is not updated on the profile server when a user logs out, but deleted instead? This should only happen once, so when he logs in again, a new profile would be created. Alternatively, it would be fine as well if the server profile would be deleted immediately and the update process be prevented once.
Or to put it differently: How can we ensure a specific user will receive a new, clean profile when he logs himself in the next time only?
-
Tom O'Connor about 11 years
Can I ask the most important question: Why? .. Why do you want to delete the profile whilst the user is logged in?
-
the-wabbit about 11 years
@TomO'Connor he basically wants to schedule the deletion so he would not need to wait for the user's logoff to run the necessary commands.
-
Tom O'Connor about 11 years
And if the user's logged in, whilst you delete their profile, doesn't all hell break loose?
-
mastbinns about 11 years
syneticon-dj is right. If the user is not logged in, delete the profile. If he is logged in, delete it as soon as it's safe to do so (= when he logs off).
-
the-wabbit about 11 years
The OP is looking for a mechanism to force a one-time profile reset while the user is logged on. The GPO setting to delete local profile copies only would delete the local copy after updating the profile on the server store, so it would not be of much use for this case.