Clean user profile at logoff

  • Question

  • Hi,

    Windows 10 has an issue where it takes 60-90 seconds for a new user to log in. That's too long. I had that time down to under 30 seconds on Windows 7, running on the same hardware. The reason why I'm focused on the new user is because the target machines are in classrooms and computing labs where, to ensure data privacy, any local user profiles are removed at logoff. To do this, I added the user's domain group to the local computer's "Guests" group. Aside from some BS caused by SEP, it works. The downside is that each time someone logs into a PC, they're doing so for the first time and it takes forever.

    I tried a different approach, using a domain-based, GPO provided logoff script that deletes the contents of the user's Desktop, Documents, Downloads, and TEMP folders at logoff.

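    @echo off
    rem Delete files (not subfolders) from the logged-on user's data folders.
    rem Paths are quoted so profile paths containing spaces still work.
    del /q "%USERPROFILE%\Documents\*.*"
    del /q "%USERPROFILE%\Desktop\*.*"
    del /q "%USERPROFILE%\Downloads\*.*"
    del /q "%USERPROFILE%\AppData\Local\Temp\*.*"
    rem Record each run so logoff executions can be confirmed afterwards.
    echo Profile cleanup script run for %USERNAME% on %date% at %time% >> "C:\Scripts\LogoffScript.txt"
    exit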

    The script runs when used interactively, but not through the logoff process. Also, if the user is a local admin, the script runs. Regular users are not domain or local admins, but just domain users. The Event Log indicates the script is run for the users at logoff. The LogoffScript.txt file shows the indicated logoff sessions. What's going on? All of this stems from the need to prevent one user from looking at another's data and Windows 10's abysmal logon performance.

    Windows 10 Enterprise LTSB 2016 x64 on a Windows domain with Server 2008 R2 and Server 2012 R2 DCs.

    Thanks


    Jason

    • Moved by Bill_Stewart Monday, October 2, 2017 9:49 PM This is not a Group Policy support forum
    Thursday, August 24, 2017 1:43 PM

All replies

  • Hi Jason,

    you could set it up to be a scheduled task that is triggered by the logout event and runs as system.

    You could also redirect those folders (except for temp. Appdata can be redirected, but it's rarely a good idea) and clean the contents independent of the desktop client's state.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Thursday, August 24, 2017 1:53 PM
  • Great idea, but how?

    I have to set up the scheduled task with group policy as I need it to apply to close to 300 computers. There's no option to run at logoff from the task creation dialogs. There's a "run at logon" option, but no logoff. Custom dialogs offer only the option to run upon a certain Event occurring.

    Thanks!


    Jason

    Thursday, August 24, 2017 3:03 PM
  • Hi Jason,

    you attach a task on Event ID 23 of the log "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" (which is the logout event).

    The simplest way to do this would be to ...

    • Open your event log
    • Navigate to the log (It's in the additional application logs section under "Microsoft" > "Windows")
    • Look up such an event with ID 23
    • Right-click on it and create a scheduled task in reaction.
    • Customize the scheduled task in the task scheduler to do just what you want it to do
    • Export the finished task to XML
    • In the group policy editor, paste the file into the scheduled task section (there's an "Insert" functionality)
    • Done

    Cheers,
    Fred

    PS: Sorry if some of the names are inaccurate, but I don't have an English Windows ready at hand here.


    There's no place like 127.0.0.1

    Thursday, August 24, 2017 3:38 PM
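
Added example, not part of the thread and not Fred's or Jason's code: a PowerShell script that a SYSTEM task triggered by Event ID 23 could run as its action. A task running as SYSTEM sees SYSTEM's own %USERPROFILE%, so the script reads the account from the newest Event ID 23 record; the `User` field layout of that event and the reuse of C:\Scripts\LogoffScript.txt as the log are assumptions.

```powershell
# Added example, not from the thread: action script for the SYSTEM logoff task.
# Folder list and log path follow the batch file above; the rest is assumed.
$ErrorActionPreference = 'Stop'   # fail closed if the user cannot be resolved
$logName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$folders = 'Desktop', 'Documents', 'Downloads', 'AppData\Local\Temp'
$logFile = 'C:\Scripts\LogoffScript.txt'
$reparse = [IO.FileAttributes]::ReparsePoint

function Clear-Folder([string]$Path) {
    foreach ($item in Get-ChildItem -LiteralPath $Path -Force) {
        try {
            $isLink = [bool]($item.Attributes -band $reparse)
            if ($item.PSIsContainer -and -not $isLink) {
                Clear-Folder $item.FullName    # real directory: empty it first
                $item.Attributes = 'Normal'    # drop read-only before deleting
            }
            if ($item.PSIsContainer) {
                # Non-recursive: removes an emptied directory or the link itself,
                # never the target that a junction or symlink points to.
                [IO.Directory]::Delete($item.FullName, $false)
            } else {
                Remove-Item -LiteralPath $item.FullName -Force
            }
        } catch {
            Add-Content -LiteralPath $logFile -Value "Could not remove $($item.FullName): $_"
        }
    }
}

# Under SYSTEM, %USERPROFILE% is SYSTEM's own profile, so read the account
# from the logoff event that fired the task (assumed: the newest Event ID 23).
$evt  = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 23 } -MaxEvents 1
$user = ([xml]$evt.ToXml()).Event.UserData.EventXML.User

# Account -> SID -> profile path; only ordinary user SIDs are accepted.
$account = New-Object System.Security.Principal.NTAccount($user)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
if ($sid -notlike 'S-1-5-21-*') { throw "Refusing to clean profile of $user" }
$key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
$profilePath = (Get-ItemProperty -LiteralPath $key).ProfileImagePath

foreach ($name in $folders) {
    $dir = Join-Path $profilePath $name
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    if ((Get-Item -LiteralPath $dir -Force).Attributes -band $reparse) { continue }
    Clear-Folder $dir
}
Add-Content -LiteralPath $logFile -Value "Profile cleanup run for $user at $(Get-Date -Format s)"
```
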
  • Great stuff, except it is not taking my XML file. It throws an error stating:

    "The pasted document is invalid and will be ignored."

    I created the XML file straight from the Event Viewer.


    Jason

    Thursday, August 24, 2017 5:04 PM
  • You can configure a user's profile to be "Mandatory", which will cause all changes to be discarded at logoff. This is very fast, as the profile is never deleted; it is just never updated.

    https://msdn.microsoft.com/en-us/library/windows/desktop/bb776895(v=vs.85).aspx

    This can be set by Group Policy.


    \_(ツ)_/

    Thursday, August 24, 2017 5:21 PM
  • How does that help a situation where everyone who logs in does so for the first time? We're not using a roaming profile stored on a server; that may make logins take even longer. I think a big part of the login delays are from the process of copying the profile from default to <username>.

    Thanks


    Jason

    Thursday, August 24, 2017 5:33 PM
  • Mandatory user profiles are very fast.  This is how we have been doing it for years.  Since NT4.

    It is also possible to change a local profile to mandatory.

    https://docs.microsoft.com/en-us/windows/client-management/mandatory-user-profile


    \_(ツ)_/

    Thursday, August 24, 2017 5:36 PM