Find and Delete Specific User Profiles

This action script looks good, and completes in BigFix Console, although with exit code 2, but it doesn’t remove the profiles even though it finds them. Here’s a snippet from the log.

Relevant - Delete a_account and 0_accounts from workstations_all computers (fixlet:1479058)
At 10:08:13 -0700 -
ActionLogMessage: (action:1479058) Action signature verified for Execution
ActionLogMessage: (action:1479058) starting action
At 10:08:13 -0700 - actionsite (http://172.x.x.x:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded delete No 'C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\CustomSite_Patching_Site\__appendfile' exists to delete, no failure reported (action:1479058)
Command succeeded appendfile {concatenation "%0d%0a" of ("net user " & it & " /delete") of (names of folders whose (name of it as lowercase starts with "a_" or name of it as lowercase starts with "0_" and ((now - modification time of file "ntuser.dat" of it) > 24*hour)) of folder "c:\users") } (action:1479058)
Command succeeded (file created) appendfile net user a_jxxxxxx /delete
net user a_kxxxxx /delete (action:1479058)
Command succeeded appendfile net user a_jxxxxxx /delete
net user a_kxxxxx /delete (action:1479058)
Command succeeded delete No 'C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\CustomSite_Patching_Site\cleanup.bat' exists to delete, no failure reported (action:1479058)
Command succeeded move __appendfile cleanup.bat (action:1479058)
Command started - waithidden cmd.exe /c cleanup.bat (action:1479058)
At 10:08:14 -0700 -
Encryption: optional encryption with no certificate; reports in cleartext
At 10:08:33 -0700 -
Report posted successfully
At 10:08:33 -0700 - actionsite (http://172.x.x.x:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded (Exit Code=2) waithidden cmd.exe /c cleanup.bat (action:1479058)
Command succeeded action requires restart (action:1479058)
At 10:08:33 -0700 - CustomSite_Patching_Site (http://172.x.x.x:52311/cgi-bin/bfgather.exe/CustomSite_Patching_Site)
Relevant - Delete a_account and 0_accounts from workstations_all computers (fixlet:1479056)
At 10:08:33 -0700 -
ActionLogMessage: (action:1479058) ending action
At 10:08:33 -0700 - mailboxsite (http://172.x.x.x:52311/cgi-bin/bfgather.exe/mailboxsite1074488376)
Not Relevant - Delete a_account and 0_accounts from workstations_all computers (fixlet:1479058)

I think we may have tracked down a wrong path here.
To be clear, are you trying to delete user accounts or remove their profiles ? Those are two different things.

The “net.exe” command will delete the user account entirely. I’m guessing this isn’t what you want.

For the User Profile, there are a couple of complications -

  • The profile needs to be deleted from the disk
  • The profile needs to be de-referenced from HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList (or else the user may get a “Profile not available” message next time they log on, and get logged in with a TEMP profile instead)
  • Using ntuser.dat’s modification time is not consistent with finding their last logon time.

To check the profile’s last used time, I’d use a WMI query instead.

items 0 of (sid (string value of property "sid" of it) as string | string value of property "sid" of it, time value of property "LastUseTime" of it) whose (now - item 1 of it > 2 * day) of (select objects "* from Win32_UserProfile" of wmi) whose (set of ("S-1-5-20";"S-1-5-19";"S-1-5-18") does not contain string value of property "sid" of it)

That should give the user names. It would be possible to also return the ‘component string of sid’, which should align with the Registry’s entry for ProfileList. Then you need to use the path given in the Registry to delete the actual profile, i.e. what if there are multiple domains or similar-named accounts, so you end up with C:\Users\User1, C:\Users\User1.DOMAIN, etc. and the folder name doesn’t directly match the username? You have to pull the path from the Registry instead.

I went down that process before, and it’s definitely no fun. Instead, what I much prefer is configuring Windows itself to remove old profiles, using Local Group Policy. With this policy in place, Windows will delete Profiles that are more than 2 days unused (the actual cleanup occurs whenever the system reboots, so they can stack up for a while between restarts):

begin prefetch block

  add prefetch item name=LGPO.zip sha1=0c74dac83aed569607aaa6df152206c709eef769 size=815660 url=https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip sha256=6ffb6416366652993c992280e29faea3507b5b5aa661c33ba1af31f48acea9c4

  // Download UnZip utility
  add prefetch item name=unzip.exe sha1=e1652b058195db3f5f754b7ab430652ae04a50b8 size=167936 url=http://software.bigfix.com/download/redist/unzip-5.52.exe sha256=8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

collect prefetch items
end prefetch block


// Add LGPO.zip to the client utility cache
utility __Download\LGPO.zip

// Add unzip.exe to the client utility cache
utility __Download\unzip.exe

waithidden __Download\unzip.exe -o "{pathname of client folder of current site}\__Download\LGPO.zip" -d "{pathname of client folder of current site}\__Download"


action uses wow64 redirection false

delete __createfile
createfile until EOF_EOF_EOF
; ----------------------------------------------------------------------
; PARSING COMPUTER POLICY
; Source file:  registry.pol

Computer
Software\Policies\Microsoft\Windows\System
CleanupProfiles
DWORD:2

; PARSING COMPLETED.
; ----------------------------------------------------------------------


EOF_EOF_EOF


delete regpol.txt
move __createfile regpol.txt

waithidden __Download\LGPO.exe  /t regpol.txt

// Regardless of whether we try to force a GPUpdate, the registry may not update until reboot
runhidden gpupdate.exe /target:computer /wait:0
2 Likes
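The approach Jason describes (LastUseTime from Win32_UserProfile, the system SIDs excluded, the on-disk path taken from ProfileList rather than guessed from the user name), written out as an added PowerShell example that is not from this thread or from BigFix. The 2-day threshold, the a_/0_ prefixes and the function names are assumptions taken from the discussion:

```powershell
# Added example, not from the thread. Lists stale a_/0_ profiles using the WMI
# LastUseTime and the ProfileList path, then removes them via Remove-CimInstance
# (which drops both the folder and the ProfileList entry). Dry-run by default.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$SystemSids     = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'   # LocalSystem, LocalService, NetworkService

function Get-StaleUserProfile {
    [CmdletBinding()]
    param(
        [int]      $DaysUnused = 2,             # assumed threshold (matches the CleanupProfiles policy above)
        [string[]] $NamePrefix = @('a_', '0_')  # assumed privileged-account prefixes from the thread
    )
    $cutoff = (Get-Date).AddDays(-$DaysUnused)
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { $_.SID -notin $SystemSids -and -not $_.Special -and -not $_.Loaded } |
        ForEach-Object {
            $p = $_
            # The real folder comes from ProfileList, so User1 vs User1.DOMAIN is resolved correctly
            $regPath = (Get-ItemProperty -Path (Join-Path $ProfileListKey $p.SID) -ErrorAction SilentlyContinue).ProfileImagePath
            # Map SID -> DOMAIN\user; if the account no longer exists, fall back to the folder leaf
            try   { $account = ([System.Security.Principal.SecurityIdentifier]$p.SID).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = Split-Path -Leaf $p.LocalPath }
            $user = ($account -split '\\')[-1]
            $matchesPrefix = [bool]($NamePrefix | Where-Object { $user -like "$_*" })
            # A missing LastUseTime is treated as stale, as the thread's own script does
            $stale = ($null -eq $p.LastUseTime) -or ($p.LastUseTime -lt $cutoff)
            if ($matchesPrefix -and $stale) {
                [pscustomobject]@{
                    Account = $account; SID = $p.SID; Path = $regPath
                    LastUseTime = $p.LastUseTime; Instance = $p
                }
            }
        }
}

function Remove-StaleUserProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $StaleProfile)
    process {
        if ($PSCmdlet.ShouldProcess("$($StaleProfile.Account) ($($StaleProfile.Path))", 'Remove user profile')) {
            Remove-CimInstance -InputObject $StaleProfile.Instance
        }
    }
}

# Report first; drop -WhatIf once the list looks right
Get-StaleUserProfile | Remove-StaleUserProfile -WhatIf
```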

Hi Jason, thanks for helping out.

So we do want to delete the profile\account entirely from the workstation.

I had looked into delprof2.exe at the beginning stages of this. But then I focused on the “net user” command. After struggling with relevance and an action script, I decided to come ask for help (I definitely could use more BF training) as there’s always so many different ways of doing things. My manager just suggested using delprof2. So I’m going to test that out. But, I will also test out your LGPO as initially I wanted to delete profiles not used for a specific amount of days via GPO. But, they want to use BigFix for this task so that we can leave it open to catch any future profiles.

For the action script, I tested the line below locally and it seems to work. I’m going to put it in a task and test it out. I’ll let you know how it works out. Tonight is patch night for us so I’m not sure how much more I’ll get to today. But I’m planning on finishing this thing this week if all goes well. Thanks again guys, your knowledge and willingness to help are truly appreciated.

//Deletes all profiles older than one day with an a_ or 0_ without confirmation.

DelProf2.exe /u /d:1 /id:a_* /id:0_*

2 Likes

So this is just an update. Delprof2 doesn’t work well in Windows 10. I had a very small percentage complete successfully. It seems that even GPO has issues deleting profiles in Windows 10 let alone with a specific pattern in the name. Still searching.

If all else fails, would a brute force delete of the user profile location on the drive be an option here?
That would also nuke their HKCU (as their .reg file is in the profile folder)
but it might leave lingering stuff in other, more esoteric places…

1 Like

I believe it would. What the end game is, is to delete a user profile that has privileged\admin access and its cached information to prevent against any hacks. I think I found something that might work for us.

I’m using this now and testing with it today. I’ll come back and give a status once I’m done with testing. Feel free to chime in if you think there’s a cleaner way of using what I have below.

Thanks again, truly appreciate the help.

delete __createfile

//CreateFile
createfile until EOF

#Purpose: Used to delete all "a_*" and "0_*" profiles that have not been used within the last day.

$Profiles = Get-CimInstance -Class Win32_UserProfile
$Date = (Get-Date).Date
ForEach ($i in $Profiles)
{
    # Last path component of the profile folder, e.g. a_jdoe
    $profile = $i.LocalPath.Split("\")[-1]
    if ((($profile -like "a_*") -or ($profile -like "0_*")) -and (($i.LastUseTime -lt $Date) -or ($i.LastUseTime -eq $null)))
    {
        Write-Host "Removing $($Profile) ..." -ForegroundColor Green
        # Removing the Win32_UserProfile instance deletes the profile folder and its ProfileList entry
        Remove-CimInstance $i
    }
}

EOF

delete DeleteUserProfiles.ps1
move __createfile DeleteUserProfiles.ps1

waithidden { pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) } -ExecutionPolicy Bypass -File DeleteUserProfiles.ps1

1 Like

There’s a \ in the quotes after Split. It’s not showing up on my reply though.

Also, Delprof2 doesn’t work well in Windows 10 so that’s why I had to go a different route.

Here’s a status update on this and a short recap.

We were trying to delete privileged user profiles not used within the last 24 hours\1 day. As I was trying different methods and utilities, I noticed that I was getting a very small percentage completed or a low success rate. After troubleshooting and searching the web, I found other folks had similar issues, and the common denominator was the NTUSER.Dat date was being modified by some process.

I came across this link… https://techcommunity.microsoft.com/t5/windows-10-deployment/issue-with-date-modified-for-ntuser-dat/m-p/102438 and in there, a user has a script that will change the NTUSER.DAT modified date to match the user profile folder’s last-modified date. The script works well and you can massage it to your liking. Once this step is done, I follow up with the PowerShell script I have above and so far it’s working 100% out of 160-ish machines.

If I find any issues or anything more to add, I’ll post here. Thanks again for your help guys, your knowledge of BigFix is priceless and it’s a good feeling knowing that I can come here when I feel stuck.

1 Like
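A diagnostic for the failure mode in the recap above (profiles that survive cleanup because something keeps rewriting ntuser.dat), as an added PowerShell example that is neither the thread's script nor the one linked from Microsoft's site: it lines up the profile folder's modified time, ntuser.dat's modified time and the WMI LastUseTime per profile, so you can see which profiles look active only through ntuser.dat before deciding whether to adjust that timestamp. The 1-day threshold, the C:\Users\a_ / 0_ filter and the function name are assumptions from the discussion:

```powershell
# Added example, not from the thread. For each non-system profile, compare the three
# "last used" signals and flag the ones where only ntuser.dat claims recent activity.
function Compare-ProfileActivitySignal {
    [CmdletBinding()]
    param([int] $DaysUnused = 1)   # assumed threshold (the thread used 1 day / 24 hours)
    $cutoff = (Get-Date).AddDays(-$DaysUnused)
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special -and -not $_.Loaded -and $_.LocalPath } |
        ForEach-Object {
            $p = $_
            $folder = Get-Item -LiteralPath $p.LocalPath -ErrorAction SilentlyContinue
            # ntuser.dat is hidden+system, so -Force is needed to see it
            $hive   = Get-Item -LiteralPath (Join-Path $p.LocalPath 'ntuser.dat') -Force -ErrorAction SilentlyContinue
            $folderStale = ($null -ne $folder) -and ($folder.LastWriteTime -lt $cutoff)
            $hiveStale   = ($null -ne $hive)   -and ($hive.LastWriteTime   -lt $cutoff)
            $wmiStale    = ($null -eq $p.LastUseTime) -or ($p.LastUseTime -lt $cutoff)
            [pscustomobject]@{
                Path           = $p.LocalPath
                FolderModified = $folder.LastWriteTime   # $null when the folder is missing
                NtuserModified = $hive.LastWriteTime     # $null when ntuser.dat is missing
                WmiLastUse     = $p.LastUseTime
                StaleByFolder  = $folderStale
                StaleByNtuser  = $hiveStale
                StaleByWmi     = $wmiStale
                # Folder says idle but ntuser.dat says active: the pattern that blocked deletion
                Suspicious     = $folderStale -and -not $hiveStale
            }
        }
}

Compare-ProfileActivitySignal -DaysUnused 1 |
    Where-Object { $_.Path -like 'C:\Users\a_*' -or $_.Path -like 'C:\Users\0_*' } |
    Format-Table Path, FolderModified, NtuserModified, WmiLastUse, Suspicious -AutoSize
```

Run it before and after the timestamp fix from the linked thread; a profile whose Suspicious column flips to false is one the cleanup script will now pick up.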

@JoeG wow - modification date on the NTUsers.DAT file? I did not see that coming.

Very nice twist ending.

This sounds like a great community Fixlet. Once you have it dialed in, could you post it out to http://bigfix.me to help those that come seeking future knowledge?

1 Like

@brolly33 yeah, it was a head scratcher on why it worked on a few, but not the rest. And will do, I need to run it by the powers that be, but once it’s a standard fixlet\baseline, as I do have two separate components right now (one to change the date and one to delete the profiles), I’ll post there. Thanks again Brolly, I truly appreciate your willingness to help.

Hi Guys,
I have to create a Fixlet to delete user profiles more than 355 days old using delprof2.exe, but the problem is how can I write relevance for that Fixlet.

Can some one please help me on this?
Thanks in advance.

@JoeG any chance you can post your Fixlet to help out @karthi365?

1 Like

@brolly33 Sure thing. I’ve never actually posted a Fixlet. Let me look into that process and I’ll get it posted. @karthi365 I tried using delprof2 for deleting old profiles but it wasn’t working consistently in Win10 so I had to use a script for this.

1 Like