GPO for "Delete profiles older than..." Not working properly - windows

I am attempting to figure out the details of why the GPO for deleting user profiles older than X days is not working properly in our environment. I have read tons of sites/posts about this same issue, but I'm coming to the conclusion that it just may not work properly for us.
We have the GPO set for over 180 days and it is being applied to the machines, but then we ran into the issue where Windows Update (or something else) was updating the NTUSER.dat file, so no profile was ever getting deleted. We applied the script that I have found in several places online (posted below) that updates the LastWriteTime of the NTUSER.dat file to the same date as the LastWriteTime of the user's profile folder. It did just that, but the GPO is now deleting pretty much every profile that exists on the machines (aside from Default) no matter how recently it was logged in, even if it's less than a week. Because of this, we have disabled the GPO and script for now.
After more research, I found out that the LastWriteTime of the user profile is not necessarily accurate with logins either. This date can often be really far behind when the person actually logged in, resulting in accidental deletions. Other posts also state that the GPO no longer uses the NTUSER.dat but instead a reg key, which doesn't exist in our environment (likely because we're on an older OS (Server 2012 R2)). There were updates released in Oct 2020 for this/a similar issue, but our servers are up to date on patches.
Does anyone have a solid fix for this issue? It seems to be pretty widespread over the years, with tons of people having the same problem. I don't know if newer OSes have the issue anymore, but that would be helpful to know too. We plan to upgrade to Server 2019 here in the future, but that's not coming for a bit.
If there is not a known solid fix for it, any recommendations on a file that I can reference in a custom script to check against when deleting profiles? One that for sure gets updated every login, but does not get affected by Windows Updates or AV?
Also please note that I cannot introduce new software such as delprof2 due to our security constraints, so I am looking for either a solution to the GPO problem or something I can implement in a custom script (which I can/will write).
Here is the script we are using to update the NTUSER.dat file that was found online. Several others mostly had success with it initially, but that seems to not be the case any longer.
Thanks in advance
$ErrorActionPreference = "SilentlyContinue"
$Report = ""
$Path = "C:\Users"
$UserFolders = Get-ChildItem -Path $Path -Directory
ForEach ($UserFolder in $UserFolders) {
    $UserName = $UserFolder.Name
    If (Test-Path "$Path\$UserName\NTUSER.dat") {
        # -Force is required because NTUSER.dat is a hidden file
        $Dat = Get-Item "$Path\$UserName\NTUSER.dat" -Force
        $DatTime = $Dat.LastWriteTime
        # Stamp the hive with the profile folder's own LastWriteTime (Default is left alone)
        If ($UserFolder.Name -ne "Default") {
            $Dat.LastWriteTime = $UserFolder.LastWriteTime
        }
        Write-Host $UserName $DatTime
        Write-Host (Get-Item "$Path\$UserName" -Force).LastWriteTime
        $Report = $Report + "$UserName`t$DatTime`r`n"
        $Dat = $Null
    }
}
# $Report holds one "name<TAB>previous NTUSER.dat time" line per profile; emit it so it is not lost
Write-Output $Report
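As an added example (not code from the original post), the script below skips NTUSER.dat and folder timestamps entirely and instead reads the LocalProfileLoadTime/LocalProfileUnloadTime DWORD pairs that the profile service writes under ProfileList on load and unload, which neither Windows Update nor AV touches. It assumes those values are present (they are on Vista and later, including 2012 R2), that it runs elevated, and that Win32_UserProfile is the removal path; the threshold and the -Remove/-WhatIf choice are the caller's.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$OlderThanDays = 180,
    [switch]$Remove
)

# Each ProfileList entry stores the last load/unload time as two REG_DWORDs.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$cutoff = (Get-Date).AddDays(-$OlderThanDays)

function ConvertFrom-FileTimeParts {
    # REG_DWORD comes back as signed Int32, so mask each half before recombining
    # the 64-bit FILETIME. A zero pair means the value was never recorded.
    param([int64]$High, [int64]$Low)
    if ($High -eq 0 -and $Low -eq 0) { return $null }
    $ticks = (($High -band 0xFFFFFFFF) -shl 32) -bor ($Low -band 0xFFFFFFFF)
    [datetime]::FromFileTime($ticks)
}

# Only real user SIDs (S-1-5-21-...); the S-1-5-18/19/20 service profiles must stay.
$profiles = Get-ChildItem $profileList |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Sid        = $_.PSChildName
            Path       = $p.ProfileImagePath
            LastLoad   = ConvertFrom-FileTimeParts $p.LocalProfileLoadTimeHigh $p.LocalProfileLoadTimeLow
            LastUnload = ConvertFrom-FileTimeParts $p.LocalProfileUnloadTimeHigh $p.LocalProfileUnloadTimeLow
            # A hive still mounted under HKEY_USERS means the profile is in use right now.
            InUse      = Test-Path "Registry::HKEY_USERS\$($_.PSChildName)"
        }
    }

# Stale only if both timestamps exist, both predate the cutoff, and nobody is logged on.
$stale = $profiles | Where-Object {
    -not $_.InUse -and $_.LastLoad -and $_.LastUnload -and
    $_.LastLoad -lt $cutoff -and $_.LastUnload -lt $cutoff
}
$stale | Format-Table Sid, Path, LastLoad, LastUnload -AutoSize

if ($Remove) {
    foreach ($s in $stale) {
        # Removing the Win32_UserProfile instance deletes the folder and the
        # ProfileList entry together; run with -WhatIf first to see the list.
        if ($PSCmdlet.ShouldProcess($s.Path, 'Remove user profile')) {
            Get-CimInstance Win32_UserProfile -Filter "SID='$($s.Sid)'" | Remove-CimInstance
        }
    }
}
```

Run it without -Remove first to audit what the timestamps say on a few machines; a profile that shows a recent LastLoad but an old folder LastWriteTime is exactly the case the NTUSER.dat approach was getting wrong.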

Related

Active Directory Group Policy Automatically Removed Overnight

In our Active Directory we have a group policy to allow users to manage the server via Remote Desktop.
I have to apply this to my user EVERY DAY because it seemingly removes itself overnight on its own. At 5:30 pm yesterday it was working properly. Today (no reboot) I log in and the remote connection says the permission is missing.
Has anyone experienced this and can anyone help?
Are you sure you are applying it to the correct user group?
I've had trouble in the past with this, being a novice. I would suggest running the following from the command prompt: Gpresult /h report.html /f
This will generate an HTML document in which you can see what has been applied to this machine. If it's not on there, then it's probably a wrong target from the GPO end. If it's there but fails, you should have a reason why.
One more thing to check is what your GPOs are on your computer itself. There might be something that is overwriting/blocking what the AD is sending.

Rename files in powershell to a much longer name above 260 limit

So, I am trying to make a PowerShell scripted backup of our documentation, solutions, and white papers to a Windows server which can be easily accessed.
Unfortunately, when I download them I am unable to name the articles and attachments by their long names.
I did attempt a workaround, which somewhat works in some places, where I download the webpage and attachments and just do a Get-ChildItem "$ItemOriginalfilepath" | Rename-Item -NewName "$ItemFullNameWithExtension" -Force, and that works for one location; I don't know why.
My main issue is how to rename the file on other Windows servers, where this trick seems to NOT work.
How do I overcome that 260 limit for renaming, or maybe in general?
You can tweak GPO or the registry to overcome the 260-character limit, but since there are no details in your question I am not sure if it'll help.
AFAIK it works in Windows 10 and Windows Server 2016. You will need GPO templates to make it available on Windows Server 2012 R2.
This article is pretty useful
https://www.saotn.org/ntfs-long-paths-windows-server-2016-gpo/
Please have a look at this question and answer.
https://serverfault.com/questions/847142/cant-use-long-path-names-in-windows-2016

VMware Tool up to date or not via commandline (Windows)

I have been trying to automate Windows server build QA in my company. One of the tasks is to make sure VMware Tools is up to date or not. Servers are built off of templates which may not be up to date.
Obviously I thought of getting the VMware Tools version on the new build and comparing it with a standard build number to determine up-to-dateness. But that leaves little room for flexibility.
Now, if VMware Tools is not up to date, the server shows a notification in the tray. So I am looking for a way to obtain that result remotely through the command line (I am open to using psexec). Am I asking for the impossible?
You can download all VMware Tools versions manually here.
Write a program to compare the file size of online and offline files
and update it if they are outdated.
Schedule the program as per your requirements.
This is what I am using right now. Getting the installed version and comparing with the current version number. It is not the best way but it works for me.
# Ask the remote host's VMwareToolboxCmd.exe for the installed Tools version
$VMtoolVersion = Invoke-Command -ComputerName $FQDN -Credential $PSCredential -ScriptBlock {
    & 'C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe' -v
} -ErrorAction Stop
# Exact match against the current build; any other string (including a newer build) reads as out of date
if ($VMtoolVersion -match "9.4.15.48277") {
    Write-Host "`tUPTO DATE" -ForegroundColor Green
}
else {
    Write-Host "`tOUT OF DATE. Please Update VMWare Tools " -ForegroundColor Red
}
Problem is when the tool version is higher than 9.4.15.48277, it is still gonna give me "Outdated" message. So the script will need to be updated as tools get updated.
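An added example (not the answerer's code) that addresses the "newer build still reads as outdated" problem by comparing [version] objects instead of matching a literal, so only hosts behind the baseline are flagged. It assumes the first whitespace-separated token of VMwareToolboxCmd.exe -v output is the dotted version, and the host names are placeholders.

```powershell
function Test-VMwareToolsCurrent {
    # Returns an object saying whether the installed Tools version is at or above a baseline.
    # [version] comparison is numeric per component, so 9.4.16.x counts as newer than 9.4.15.48277.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][version]$Baseline   # e.g. '9.4.15.48277'
    )
    $raw = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop -ScriptBlock {
        & 'C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe' -v
    }
    # Assumption: the first token is the dotted version; the trailing "(build-N)" text,
    # if present, is not something [version] can parse, so it is dropped.
    $installed = [version](($raw | Out-String).Trim().Split(' ')[0])
    [pscustomobject]@{
        ComputerName = $ComputerName
        Installed    = $installed
        Baseline     = $Baseline
        Current      = ($installed -ge $Baseline)
    }
}

# Check a batch of new builds and list only the ones that need a Tools upgrade
$cred = Get-Credential
'srv01.example.local', 'srv02.example.local' |   # placeholder host names
    ForEach-Object { Test-VMwareToolsCurrent -ComputerName $_ -Credential $cred -Baseline '9.4.15.48277' } |
    Where-Object { -not $_.Current } |
    Format-Table -AutoSize
```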

SCCM: Compliance of a list of specified computers in a collection

Say I have a Collection for installing Java for 2k computers, and I'd like to check the compliance, not for all computers, but for a list of specified computers (say 500 computers in a .txt).
How can I do that?
You can of course deploy a compliance baseline on any collection, so the basic question here is how to add arbitrary computers from a list to a collection.
The easiest solution is probably using PowerShell. Open up your SCCM Console, click in the upper left and choose "Connect via Windows PowerShell".
This does the same as manually opening a PS window, importing the module ConfigurationManager.psd1 from the "bin" subfolder of the SCCM Console installation and changing to the PSDrive of the SCCM site using "cd :
From there you can add a direct membership using:
Add-CMDeviceCollectionDirectMembershipRule -CollectionId <collectionid> -ResourceId <resourceid>
So to add a whole list of computers you can just use
$Computers = Get-Content C:\computers.txt
# Resolve each name to its ResourceID and add it as a direct member of the collection
Foreach ($Computer in $Computers) {
    Add-CMDeviceCollectionDirectMembershipRule -CollectionId <collectionid> -ResourceId (Get-CMDevice -Name $Computer).ResourceID
}
If the computer is already a direct member of your collection you will get an error, but PowerShell will continue to run, so it's not an issue.
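An added example (not the answerer's code) that extends the loop above to handle the two cases it glosses over: names the site cannot resolve (which would otherwise pass a null ResourceID to the rule cmdlet) and names that are already direct members. It assumes the session was opened from the console as described, so the ConfigurationManager module is loaded and the current location is the site drive.

```powershell
# Adds every computer named in a text file to a collection by direct membership,
# skipping names the site does not know and names already in the collection.
param(
    [Parameter(Mandatory)][string]$CollectionId,
    [string]$ListPath = 'C:\computers.txt'   # one computer name per line
)

$names = Get-Content -Path $ListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$result = foreach ($name in $names) {
    $device = Get-CMDevice -Name $name
    if (-not $device) {
        # Unknown to the site: record it instead of calling the rule cmdlet with a null ResourceID
        [pscustomobject]@{ Name = $name; Status = 'NotFound' }
        continue
    }
    $existing = Get-CMDeviceCollectionDirectMembershipRule -CollectionId $CollectionId -ResourceId $device.ResourceID
    if ($existing) {
        [pscustomobject]@{ Name = $name; Status = 'AlreadyMember' }
        continue
    }
    Add-CMDeviceCollectionDirectMembershipRule -CollectionId $CollectionId -ResourceId $device.ResourceID
    [pscustomobject]@{ Name = $name; Status = 'Added' }
}

# Summary, then the names that need a second look before you trust the compliance numbers
$result | Group-Object Status | Select-Object Name, Count
$result | Where-Object { $_.Status -ne 'Added' }
```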

How can I diagnose Windows access/permission error

The title says it. I'm looking for a way to determine exactly which file/registry key this executable is attempting to access. I have attempted to use Windows auditing capabilities and Process Monitor to determine where the failure is happening but, this failure does not produce audit failure events or show as access denial in Process Monitor.
Of course, If someone has experienced this and can provide a solution to resolve the error directly that would be almost as nice.
Background:
I am using moveuser.exe, which is part of the Windows Server 2003 Resource Kit Tools, to convert the security of local user profiles on a number of Windows XP workstations.
Symptom:
Occasionally, moveuser.exe will fail to convert the security of a profile with the error "Error: 5 access denied". I have not been able to determine any commonality among the failing accounts or the computers they reside upon. A given computer may host 6 profiles, 5 of which convert without issue and 1 which produces the error.
There are a few factors that I'm as sure as I can be about:
-The account I'm using to run moveuser.exe with has full Administrator rights to the local machine and the domain to which the profile security is being converted.
-The failure is not related to file permissions within the profile directory (the entire directory can be moved, renamed, deleted, or successfully converted via a workaround).
I've developed a reliable workaround for these cases, but it is fairly involved and I would much rather understand the root cause of this error and correct it pre-emptively.
My workaround (glad to share it, left out for brevity) seems to indicate that the failure is related to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList registry keys, but I cannot determine exactly how/why.
Did you try to use the "regini" command line tool to grab registry permissions for the administrator account?
Use FileMon and RegMon (now Microsoft, formerly SysInternals, still free) to monitor what exactly is being accessed, how, and what rights/access are being requested.
I don't have a URL handy, but a Google search should be able to hook you up with these tools.
A couple of items I would try. First, could it be that the user was logged in and the computer hasn't been rebooted? Microsoft has a product called UPHClean which helps in unloading unneeded user hives.
Next thing I wanted to know is if you tried rebooting before running the moveuser executable. This conversation seems to indicate this would help with this kind of error.
Two days after posting this I got to the bottom of the problem. It turned out, just as Rob Haupt suggested, to be related to a stuck user hive. The program I was running, moveuser, was reading the RefCount key found under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>\ and ending immediately.
Setting RefCount to 0 solved the problem immediately.
Pushing out UPHClean to all the target machines pre-emptively has all but eliminated the problem, and we were able to successfully convert profiles on several hundred machines over the last week.
An important note about UPHClean:
I'd tried installing it previously, but it didn't appear to help. I was too impatient; the UPHClean ReadMe revealed that the service just takes time to do its job.
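An added example (not the poster's workaround) that detects the condition the accepted answer describes before running a conversion: ProfileList entries whose RefCount is non-zero while no hive for that SID is mounted under HKEY_USERS. It assumes PowerShell 3 or later on the machine and elevation to read ProfileList; the reset line is left commented so the list is reviewed first.

```powershell
# Lists ProfileList entries whose RefCount says the hive is still referenced even though
# no hive for that SID is mounted under HKEY_USERS, i.e. the stuck-hive condition that
# made moveuser.exe bail out with "Error: 5 access denied". Report only by default.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-StuckProfileHive {
    Get-ChildItem -Path $profileList |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |   # real user SIDs only
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            # A mounted hive shows up as a key named after the SID under HKEY_USERS
            $mounted = Test-Path "Registry::HKEY_USERS\$($_.PSChildName)"
            [pscustomobject]@{
                Sid      = $_.PSChildName
                Path     = $p.ProfileImagePath
                RefCount = [int]$p.RefCount     # an absent value ($null) becomes 0
                Mounted  = $mounted
            }
        } |
        Where-Object { $_.RefCount -gt 0 -and -not $_.Mounted }
}

$stuck = Get-StuckProfileHive
$stuck | Format-Table -AutoSize

# Optional: reset RefCount as the accepted answer did, only for entries proven unmounted.
# Uncomment after reviewing the list above.
# foreach ($s in $stuck) { Set-ItemProperty -Path "$profileList\$($s.Sid)" -Name RefCount -Value 0 }
```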