Hi, and thanks in advance for any assistance which is truly appreciated.
I’ve been tasked with finding and deleting privileged accounts\user profiles that have an “a_” or “0_” so basically this, “_” from c:\users. And then determining if the ntuser.dat modification date is >24 hours, (then deleting that profile). I’m in the beginning stages of this task but I thought I’d reach out to see if anyone has some helpful input.
Hi Brolly33, thanks, and yes I read through that one briefly and was thinking that I’d be using some of that for relevance and a bat file or powershell for the action script. Let me read through it carefully and see how much of it I can use. This one is a little tricky sucker.
You only need the BAT file because there will probably be more than one account to delete.
For a singleton, you could just use a wait command… something like
wait net user {name of local user whose (name of it as lowercase starts with "a_" or name of it as lowercase starts with "0_" and (now - last logon of it > 24*hour))} /delete
Oh geez, you made that look so easy. I truly appreciate your input\help. I normally start off with lots of the leg work myself, but I’m supposed to be fishing right now due to the stressful year we’ve all had, and my truck decided to die on me, timing chain decided to go out so no fishing for me.
I’m going to put some of this together and see what the outcome is. I’ll check in a little later or tomorrow, thanks again Brolly!
Hi Brolly, I’m finally getting back around to this, and working on some relevance to start with. The below evaluates to false when I have lots of accounts that start with those on this server. I even removed the lowercase and still False.
exists (name of local users whose (name of it as lowercase starts with "a_" or name of it as lowercase starts with "0_"))
Detection might look like this, if you want to use folder existence:
q: exists folders whose (name of it as lowercase starts with "a_" or name of it as lowercase starts with "0_" and ((now -modification time of file "ntuser.dat" of it) > 24*hour)) of folder "c:\users"
A: False
Can you delete a local profile of a domain account without having Domain Administrator privilege?
I think Net User Delete will only work on local accounts unless you have Domain Admin.
Hi Brolly, so I had something similar, not as clean as yours, but the modification time of file kept evaluating as true even when it wasn’t. And, I just tried it with your relevance and it’s the same.
There are some folders where the names match and are >24 hours, and other folders where the names match and are <24 hours, so both statements are true. Instead of Exists, try Names of to see which folders are returning.
q: names of folders whose (name of it as lowercase starts with "a_" or name of it as lowercase starts with "0_" and ((now -modification time of file "ntuser.dat" of it) > 24*hour)) of folder "c:\users"
Delete __appendfile
Appendfile {concatenation "%0d%0a" of ("net user " & it & " /delete") of (names of folders whose (name of it as lowercase starts with "a_" or name of it as lowercase starts with "0_" and ((now -modification time of file "ntuser.dat" of it) > 24*hour)) of folder "c:\users") }
Delete cleanup.bat
Move __appendfile cleanup.bat
Waithidden cmd.exe /c cleanup.bat
Hi Brolly, I was out of the office for a few days but I’m back today. I’m going to get back on this later today and\or tomorrow. But thanks for that jump start for sure. I left last week while working on Relevance so this is going to be a huge help. I’ll post an update tomorrow.
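The same cleanup as a PowerShell dry run, added here as an example and not code posted by anyone in the thread: it removes the profile (not the account) through Win32_UserProfile, which also covers profiles of domain accounts, and it groups the two prefix tests on their own so the 24-hour test applies to both. The parameter names and the -Remove switch are assumptions of this example, and it needs to run elevated.

```powershell
# Added example, not from the thread. Lists matching profiles only;
# nothing is removed unless -Remove is passed (and -WhatIf is still honoured).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$UsersRoot = 'C:\Users',      # profile root named in the thread
    [string[]]$Prefixes = @('a_', '0_'),  # privileged-account prefixes from the thread
    [int]$MaxAgeHours = 24,
    [switch]$Remove                       # hypothetical switch for this example
)

$cutoff = (Get-Date).AddHours(-$MaxAgeHours)

# Skip system profiles and any hive that is currently loaded
# (user logged on, or a service running under that account).
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and -not $_.Loaded }

$stale = foreach ($p in $profiles) {
    if (-not $p.LocalPath) { continue }
    if ((Split-Path $p.LocalPath -Parent) -ne $UsersRoot) { continue }
    $name = Split-Path $p.LocalPath -Leaf

    # Name test, grouped on its own: (a_ OR 0_) ...
    $nameMatch = $false
    foreach ($prefix in $Prefixes) {
        if ($name.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { $nameMatch = $true }
    }
    if (-not $nameMatch) { continue }

    # ... AND ntuser.dat last written before the cutoff.
    # -Force is required because the hive file is hidden; a missing hive is skipped, not deleted.
    $hive = Get-Item -LiteralPath (Join-Path $p.LocalPath 'ntuser.dat') -Force -ErrorAction SilentlyContinue
    if ($null -eq $hive -or $hive.LastWriteTime -ge $cutoff) { continue }

    [pscustomobject]@{ Name = $name; SID = $p.SID; HiveWritten = $hive.LastWriteTime; Profile = $p }
}

$stale | Select-Object Name, SID, HiveWritten | Format-Table -AutoSize

if ($Remove) {
    foreach ($s in $stale) {
        if ($PSCmdlet.ShouldProcess($s.Name, 'Remove user profile')) {
            Remove-CimInstance -InputObject $s.Profile
        }
    }
}
```

Review the listed names and hive timestamps from a run without -Remove before enabling removal, since a deleted profile cannot be restored from this script.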