Find and Delete Specific User Profiles

Hi, and thanks in advance for any assistance which is truly appreciated.

I’ve been tasked with finding and deleting privileged accounts\user profiles that have an “a_” or “0_” so basically this, “_” from c:\users. And then determining if the ntuser.dat modification date is >24 hours, (then deleting that profile). I’m in the beginning stages of this task but I thought I’d reach out to see if anyone has some helpful input.

Thank you!

This one has some starting snippets for the relevance.
https://bigfix.me/analysis/details/2994557

The action script will likely be a bat file with a bunch of net user delete commands, similar to this post:


Hi Brolly33, thanks, and yes I read through that one briefly and was thinking that I’d be using some of that for relevance and a bat file or powershell for the action script. Let me read through it carefully and see how much of it I can use. This one is a little tricky sucker.

Thanks again!

You only need the BAT file because there will probably be more than one account to delete.

For a singleton, you could just use a wait command… something like

wait net user {name of local user whose ((name of it as lowercase starts with "a_" or name of it as lowercase starts with "0_") and (now - last logon of it > 24*hour))} /delete


Oh geez, you made that look so easy. I truly appreciate your input\help. I normally start off with lots of the leg work myself, but I’m supposed to be fishing right now due to the stressful year we’ve all had, and my truck decided to die on me, timing chain decided to go out so no fishing for me. :frowning:

I’m going to put some of this together and see what the outcome is. I’ll check in a little later or tomorrow, thanks again Brolly!


Hi Brolly, I’m finally getting back around to this, and working on some relevance to start with. The below evaluates to false when I have lots of accounts that start with those on this server. I even removed the lowercase and still False.

exists (names of local users whose (name of it as lowercase starts with "a_" or name of it as lowercase starts with "0_"))

Try without the filter at all.
names of local users


Yep, I had tried that but it was also False.

q:exists (names of local users whose (name of it as lowercase starts with "a_" or name of it as lowercase starts with "0_"))
A: False
T: 39.584 ms

As you can see, there are lots of profiles with that _ in it.

What does
names of local users
return?

Asking because the Local User object is different than the Folder object and they don’t always correlate.

image


Ah, good catch, that doesn’t give me what I’m looking for.

image

@JoeG I am not sure if your requirement is to delete a user account, or a profile folder, or a profile or something else.


Sorry…it’s to delete the profile if it’s not logged in and hasn’t logged in the last 24 hours.


Detection might look like this, if you want to use folder existence:

q: exists folders whose ((name of it as lowercase starts with "a_" or name of it as lowercase starts with "0_") and ((now - modification time of file "ntuser.dat" of it) > 24*hour)) of folder "c:\users"
A: False

Can you delete a local profile of a domain account without having Domain Administrator privilege?
I think Net User Delete will only work on local accounts unless you have Domain Admin.


Hi Brolly, so I had something similar, not as clean as yours, but the modification time of file kept evaluating as true even when it wasn’t. And, I just tried it with your relevance and it’s the same.

Thanks!

Actually, this relevance is proving to work out. Now to work on an action script to delete those accounts without wiping out any others. :slight_smile:


There are some folders where the names match and >24 hours, and other folders where the names match and are <24 hours, so both statements are true. Instead of Exists, try Names of to see which folders are returning.

q: names of folders whose ((name of it as lowercase starts with "a_" or name of it as lowercase starts with "0_") and ((now - modification time of file "ntuser.dat" of it) > 24*hour)) of folder "c:\users"


and as a jump start on your action script:

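// Start from an empty __appendfile
Delete __appendfile
// One "net user <name> /delete" line per prefixed profile folder whose ntuser.dat is older than 24 hours
Appendfile {concatenation "%0d%0a" of ("net user " & it & " /delete") of (names of folders whose ((name of it as lowercase starts with "a_" or name of it as lowercase starts with "0_") and ((now - modification time of file "ntuser.dat" of it) > 24*hour)) of folder "c:\users") }

Delete cleanup.bat
Move __appendfile cleanup.bat

// Run the generated batch file hidden and wait for it to finish
Waithidden cmd.exe /c cleanup.bat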

(Note - you will probably have to adjust this some to accommodate DOMAIN accounts… )
Also, I am taking advantage of the folder names being the same as the account names. This is usually true, but there may be edge cases where they do not match.
More on the net use command here:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/gg651155(v=ws.11)

1 Like
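An added PowerShell example, not part of the original posts: it removes the profile itself (which is what the task asks for) by SID through `Win32_UserProfile`, so it does not depend on the folder name matching the account name or on the account being local. The function name `Remove-StalePrivilegedProfile` and its parameters are assumptions made for this illustration; it must run elevated.

```powershell
# Added example; function and parameter names are hypothetical, not from the thread.
function Remove-StalePrivilegedProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Prefix = @('a_', '0_'),   # profile-folder prefixes named in the thread
        [int]$MaxAgeHours = 24               # ntuser.dat must be older than this
    )
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)

    foreach ($p in Get-CimInstance -ClassName Win32_UserProfile) {
        # Skip system profiles and any profile whose hive is loaded (user logged on).
        if ($p.Special -or $p.Loaded -or -not $p.LocalPath) { continue }

        # Name test (a_ OR 0_), evaluated on its own so that the age test
        # below applies to every prefix and not only to the last one.
        $leaf = Split-Path -Path $p.LocalPath -Leaf
        $nameMatch = $false
        foreach ($pre in $Prefix) {
            if ($leaf.StartsWith($pre, [StringComparison]::OrdinalIgnoreCase)) { $nameMatch = $true }
        }
        if (-not $nameMatch) { continue }

        # Age test: ntuser.dat is a hidden file, so -Force is needed to see it.
        $hive = Get-Item -LiteralPath (Join-Path $p.LocalPath 'ntuser.dat') -Force -ErrorAction SilentlyContinue
        if (-not $hive -or $hive.LastWriteTime -gt $cutoff) { continue }

        # Remove the profile (folder plus its registration); the account,
        # local or domain, is left untouched.
        if ($PSCmdlet.ShouldProcess("$($p.LocalPath) [$($p.SID)]", 'Remove user profile')) {
            Remove-CimInstance -InputObject $p
            [pscustomobject]@{ Path = $p.LocalPath; SID = $p.SID; HiveLastWrite = $hive.LastWriteTime }
        }
    }
}

# Dry run: reports what would be removed without changing anything.
Remove-StalePrivilegedProfile -WhatIf
```

Drop `-WhatIf` only after the dry-run list contains exactly the profiles expected.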

Hi Brolly, I was out of the office for a few days but I’m back today. I’m going to get back on this later today and\or tomorrow. But thanks for that jump start for sure. I left last week while working on Relevance so this is going to be a huge help. I’ll post an update tomorrow.

Thank you Sir!