Request

Your mission, whether you like it or not, with or without Mission Impossible music playing in the background is…

  1. Run a recurring task to delete older user profiles on a group of shared-use Windows computers to keep disk space from filling up.  These are likely to be conference room computers and display panel (i.e. “MondoPad”) devices, which are joined to the AD domain.
  2. Do NOT delete profiles for a list of IT executive users, but all others are fair game.  Users to exclude are “user1” and “user2”, who are presumably very important muckity-mucks that drink and play golf together from the top deck of their personal yachts.
  3. The script/task must generate a log file on the client with detailed results.
  4. The task needs to be run from the client, rather than from a server (okay, I just made that one up)
  5. Be sure to read the “Notes” and “Caveats” sections as well.

Crack your knuckles, inhale and let’s begin…

Ingredients

  1. DelProf2.exe by Helge Klein
  2. A batch script
  3. A text/code editor of your choice
  4. A scheduled task
  5. Sysinternals PsExec.exe (optional, for testing)
  6. Coffee and a doughnut (sugar and creamer are optional. The doughnut is not optional)

Preparation

  1. Create a shared folder with permissions allowing “Domain Computers” to read/execute.
  2. Copy DelProf2.exe into that shared folder.
  3. Create a new script file in that folder named “profile_cleanup.bat”.
  4. Top off your coffee and get a fresh doughnut, or three.

Steps

  1. Sip coffee and make loud slurping noises while doing so.
  2. Take a big bite of the doughnut, chew thoroughly and swallow.  Have another sip of coffee too. Why not.
  3. Open your favorite text/code editor.
  4. Paste in the following gibberish (I’ll explain the details later)…

    @echo off
    title Increditastical Awesome Profile Cleanup Script
    SET "LOG=%TEMP%\profile_cleanup.log"
    echo %DATE% %TIME% info: starting cleanup >"%LOG%"
    echo %DATE% %TIME% info: command is "%~dp0DelProf2.exe" /d:7 /i /u /ed:.NET* /ed:user1 /ed:user2 >>"%LOG%"
    "%~dp0DelProf2.exe" /d:7 /i /u /ed:.NET* /ed:user1 /ed:user2 >>"%LOG%"
    echo %DATE% %TIME% info: completed with exit code %ERRORLEVEL% >>"%LOG%"

  5. Be aware of unintended word-wrapping imposed by blog/web/browser issues.  The results above should be seven (7) lines of code.  For example, the “command is” echo line and the DelProf2.exe line that follows it should each be on a single line.
  6. Save the script file as “profile_cleanup.bat” (if you didn’t already do that)

Testing

  1. Run the script using “Run as administrator” on a test computer.  Verify that the accounts you wish to exclude are left intact, and that those older than the specified number of days are deleted.  Open the log file and review the contents as well.
  2. Tweak, update, refine, fine-tune, refactor, fold, spindle and mutilate as needed.
  3. To verify that the script can be invoked on a given computer using its local “SYSTEM” account, open a CMD console using Sysinternals’ PsExec command.  The syntax is “psexec.exe -s -i -d cmd.exe” or (get all fancy) “psexec.exe -accepteula -s -i -d cmd.exe”.  See if you can access the shared folder path and invoke the script from within the SYSTEM context CMD shell window.  If not, verify you granted permissions to “Domain Computers” on both the share and NTFS folder itself.
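
Since every client executes the batch file and DelProf2.exe straight from the share (under SYSTEM in the test above), who can write to that folder matters as much as who can read it. The PowerShell below is an added example, not part of the original post: it lists NTFS allow entries that give write-type rights to anyone outside an assumed list of administrative SIDs. “\\server\share” is the post’s placeholder path, and share-level permissions are separate and must be checked on the file server.

```powershell
# Added example, not from the original post: list ACEs that let anyone other than
# administrators change what the scheduled task will execute.
# ASSUMPTION: \\server\share is the placeholder UNC path used in the post.
$SharePath = '\\server\share'
$Targets   = @($SharePath,
               (Join-Path $SharePath 'profile_cleanup.bat'),
               (Join-Path $SharePath 'DelProf2.exe'))

# ASSUMPTION: principals expected to hold write access are SYSTEM,
# BUILTIN\Administrators, CREATOR OWNER, and the Domain Admins /
# Enterprise Admins RIDs (-512 / -519). Adjust for your environment.
$TrustedSidPattern = '^(S-1-5-18|S-1-5-32-544|S-1-3-0|S-1-5-21-[\d-]+-(512|519))$'

# Rights that allow replacing or altering a file, or re-granting such rights.
$WriteRights = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask   = [int][System.Security.AccessControl.FileSystemRights]$WriteRights
# GENERIC_ALL and GENERIC_WRITE can appear unmapped on inherit-only ACEs.
$GenericMask = 0x10000000 -bor 0x40000000

function Get-RiskyWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl   = Get-Acl -LiteralPath $Path
    # Ask for SIDs instead of names so the comparison does not depend on the domain name.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$rule.FileSystemRights
        if (-not ($rights -band ($WriteMask -bor $GenericMask))) { continue }
        $sid = $rule.IdentityReference.Value
        if ($sid -match $TrustedSidPattern) { continue }
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }   # orphaned or unresolvable SID
        [pscustomobject]@{
            Path      = $Path
            Identity  = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

$findings = $Targets | Where-Object { Test-Path -LiteralPath $_ } |
            ForEach-Object { Get-RiskyWriteAce -Path $_ }
if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output 'No non-administrative write access found on the script folder or its files.' }
```

Any row it prints is an account or group that could alter the script or the executable before the next scheduled run.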

Scheduling

  1. Open Task Scheduler.  If you want, connect to a remote computer to continue this phase, otherwise do this locally.
  2. Right-click somewhere and choose “Create Basic Task”
  3. Name = “Profile Clean-Up” (enter a description if you like), click Next
  4. Select a desired Trigger schedule, click Next
  5. Specify the additional scheduling options, click Next
  6. Select “Start a program”, click Next
  7. Enter the full UNC path to the script (e.g. “\\server\share\profile_cleanup.bat”) and click Next
  8. Click Finish

Notes

  1. Replace the user names to suit your needs (e.g. “/ed:user1” with “/ed:someoneElse”)
  2. I used “/d:7” to specify deleting profiles older than 7 days.  You can modify that as needed.
  3. To run DelProf2.exe in test-mode, include /l (lower-case “L”) to invoke “list mode” which is like PowerShell’s “what-if” feature.
  4. If you prefer using a shared domain user account for scheduled tasks, ignore the blabber about “domain computers” security rights.
  5. If you prefer, you can invoke this via a “push” from a single source (server, etc.) rather than as a local client operation.  The choice is yours.  There are benefits and drawbacks to either method, but both are fine.
  6. If you choose to use the client operation model, you can export the scheduled task to an .XML file to import on other clients using “schtasks /Create /XML <xmlfile> /TN ProfileCleanup”, or remotely by adding “/S <computername>” if you want.
  7. If you have any intention of sparking a debate about what constitutes the “best” text/code editor, just give up now, because I really don’t care.

Caveats

  1. Assumes this is being used in an AD domain environment.
  2. Assumes you have rights to manage computers remotely.
  3. Assumes you have things set to allow remote management (firewall, services, etc.)
  4. Assumes you are doing this on computers running Windows Vista or newer (7, 8, 8.1, 10-preview, etc.)
  5. Assumes you don’t already have a better solution in use.
  6. Assumes you can do this in PowerShell if you prefer.
  7. Glazed or cream-filled doughnuts will work equally well as long as the coffee is hot.