When Too Many Users have Accounts on a Domain Joined Windows Computer

When I started my technician/sysadmin job, one of the first things I wanted to do was re-image and re-deploy our fleet of netbooks for the students to use, as there were a few SOEs and even different Windows versions in use. I dumped Windows Deployment Services (WDS) in favour of a live Clonezilla server using PXE, which allowed me to configure as many computers as I could fit on my workbench all at once (our WDS server was broken and could apparently handle only three computers at a time before failing). Part of my workflow involved some PowerShell scripts I would leave on the local Administrator’s desktop, which I ran to rename the computer and join the domain, plus separate functions to install the WiFi certificates and add the WiFi network. As you can imagine, they were like my illegitimate Lenovo children and I’d fix them up when they got injured or needed some attention. I must have done a good job of keeping them going, because two years later an issue we hadn’t considered reared its head for the first time – the storage on the netbooks started to hit 100% usage, causing all sorts of issues, from students failing to log in (each has their own Active Directory account) to outright system crashes as memory filled up (you can’t page to the disk when it’s full). 120GB is not nearly enough for a shared Windows device in 2020.

After dealing with three lots of these overloaded computers, and the tedium of waiting for tens of thousands, nay hundreds of thousands, of files to be deleted by hand, I looked for a way to automate this. We explored options like Faronics’ Deep Freeze, and in principle it looked great, but the cost was enough to scare me away. I then thought about running a PowerShell script to delete any folder in C:\Users\ that hadn’t been modified for a certain period, but that isn’t a clean removal: bits and pieces of the profile would be left throughout the install, including in the registry (the ProfileList entry that maps the account’s SID to that folder).

There is a correct technique built into Windows to remove a profile, and it’s not just deleting the user’s folder. Open the Settings app -> System -> About -> System Info -> Advanced System Settings -> User Profiles [Settings] and delete them one at a time. One. At. A. Time. This didn’t sound like a good time to me, especially when dealing with tiny netbook trackpads. Back to thinking about automation. USB Rubber Ducky? Nah. Then it dawned on me…

It turns out there’s a Group Policy titled “Delete user profiles older than a specified number of days on system restart”. Nice.

This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accessed. If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on the next system restart.

[Screenshot: Group Policy Manager]

I got on the domain controller and got to work. The trick is to be really careful to make sure the policy is only applied to the students’ netbooks and not the teachers’ (domain joined) notebooks, or else anyone who hasn’t used their computer for a while (those on leave in particular) would come back to find their profile gone and have their own bad time. After extensive testing I’m glad to say my policy only affected the netbooks and is now live. Thanks automation!

Nice.

To verify which policies are applied on a domain joined device, run this from an elevated prompt:

    gpresult /Scope Computer /v
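As an added example (not a script from the original post), here is a PowerShell script that shows what the policy above will do to a given netbook before the next restart: it reads the policy’s day count, lists the local profiles that are older than that threshold, and, only if you ask it to with -Remove, deletes them through the same supported Win32_UserProfile path the User Profiles dialog uses, so the registry entry goes with the folder. The registry value name CleanupProfiles under HKLM:\SOFTWARE\Policies\Microsoft\Windows\System is assumed here from the UserProfiles.admx template; the -Days fallback is mine.

```powershell
<#
Added example, not code from the original post. Previews (and, with -Remove,
performs) the clean-up that the "Delete user profiles older than a specified
number of days on system restart" policy does, via the supported profile
removal API instead of deleting folders under C:\Users.
Assumption: the policy stores its day count as DWORD CleanupProfiles under
HKLM:\SOFTWARE\Policies\Microsoft\Windows\System (per UserProfiles.admx).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$Days = 30,   # fallback threshold when the policy value is absent
    [switch]$Remove    # without this switch the script only reports
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$policyDays = (Get-ItemProperty -Path $policyKey -Name CleanupProfiles `
                -ErrorAction SilentlyContinue).CleanupProfiles
if ($null -ne $policyDays) {
    Write-Host "Policy applied here: profiles unused for $policyDays day(s) are deleted at next restart."
    $Days = [int]$policyDays
} else {
    Write-Host "Policy value not present on this machine; previewing with $Days day(s)."
}
$cutoff = (Get-Date).AddDays(-$Days)

# Win32_UserProfile backs the User Profiles dialog. Special profiles (SYSTEM,
# service accounts) and profiles currently loaded are never candidates.
# LastUseTime approximates what the User Profile Service checks at restart.
$stale = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and -not $_.Loaded -and
                   $_.LastUseTime -and $_.LastUseTime -lt $cutoff }

foreach ($p in $stale) {
    try {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($p.SID)
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $name = $p.SID }   # account may no longer exist in the domain
    $bytes = (Get-ChildItem -LiteralPath $p.LocalPath -Recurse -Force `
                -ErrorAction SilentlyContinue | Measure-Object Length -Sum).Sum
    $size  = [math]::Round($bytes / 1MB, 1)
    Write-Host ("{0,-35} last used {1:yyyy-MM-dd} {2,8} MB  {3}" -f `
                $name, $p.LastUseTime, $size, $p.LocalPath)
    if ($Remove -and $PSCmdlet.ShouldProcess($p.LocalPath, 'Remove user profile')) {
        # Same removal the dialog performs: ProfileList registry entry plus folder.
        Remove-CimInstance -InputObject $p
    }
}
Write-Host ("{0} profile(s) matched the {1}-day threshold." -f @($stale).Count, $Days)
```

Run it without -Remove on a teacher’s notebook first: an empty list there and a long list on a student netbook is the quickest confirmation that the GPO scoping described above is right.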

In closing, there were still other avenues we could have taken, including Roaming Profiles (which I still want to look into) or simply upgrading the disks in the computers.
