question

Allen-7225 avatar image
0 Votes"
Allen-7225 asked CptSplint-0418 commented

Delete profiles after number of days not working on Windows 10

Hello!

We are experiencing problems where the AD feature "Delete profiles after number of days" is not working on Windows 10 machines. I found another article that stated how the NTUser.dat date modified date is being updated with Windows updates and how this feature uses this date inside the ntuser.dat file.

I found a PS script that changes the ntuser.dat file's date modified to the users folder last modified date. This worked well by setting it up to run as a scheduled task, but now the feature is not working any longer.

Does anyone else have this problem with their Windows 10 machines? I'm not seeing any logs in event viewer giving me any clue why it's not deleting profile past 100 days (in my case). I also confirmed the GPO is setting this feature by checking the registry entry on the machine. This is happening across our entire environment on all Windows 10 boxes.



Please help!

windows-10-general
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

What build of Windows 10 are you using?
Since when this problem started?
Are you seeing any failure in the event viewer?

0 Votes 0 ·

1909 and we are aren't certain when it actually stopped working. I know I had it working in March of '20, but outside of that we just found the issue (again) when machines started running out of space due to large profiles and large quantity of users on the workstation. My script does run and I've confirmed it updates the ntuser.dat mod date. There are no errors in the event viewer. I know it happens when the system is restarted, but I'm not seeing anything log.

0 Votes 0 ·
HannahXiong-MSFT avatar image
0 Votes"
HannahXiong-MSFT answered

Hello,

Thank you so much for posting here.

To further troubleshoot, how have we configured "Delete profiles after number of days"? Have we configured the GPO talked in the below link?

https://social.technet.microsoft.com/wiki/contents/articles/28647.how-to-automatically-delete-user-profiles-older-than-a-certain-number-of-days-using-group-policy.aspx

If we configured it via GPO, have we checked the gpresult since it is not working now?
For computer configuration:
Logon one client and open CMD, run as administrator. Type gpresult /h C:\report.html and click Enter. Open report file to check the policies under Computer Details.

For any question, please feel free to contact us.

Best regards,
Hannah Xiong

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Allen-7225 avatar image
0 Votes"
Allen-7225 answered

We have confirmed the GPO is deploying the setting just like your instructions stated in the link. We check rsop and gpresult and that setting is applying correctly on workstations but it just simply does not apply work when we restart the workstation I also verified the ntuser.dat date is not modified which is the issue we found originally.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

HannahXiong-MSFT avatar image
0 Votes"
HannahXiong-MSFT answered

Hello,

Thank you so much for your kindly reply.

As mentioned, the GPO is applied correctly on workstations. Meanwhile, check if the corresponding registry entries and values based on the policy setting are changed:

60448-1.png

Besides, according to my research, "The main troubles associated with this automatic method of profile removal is waiting for the server restart and non-selectivity (you cannot prohibit deleting certain user profiles like local accounts, administrative accounts, etc.). Also, this policy may not work if some third-party software (most often it is an antivirus) accesses NTUSER.DAT file in user profiles and updates the date of last use."

Reference: http://woshub.com/delete-old-user-profiles-gpo-powershell/#:~:text=You%20can%20find%20the%20policy,using%20domain%20policies%20in%20GPMC.

Have we configured other GPO such as Folder Redirection? Are the profile types are Local or Roaming User Profiles?

60426-12.png

Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

Best regards,
Hannah Xiong

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



1.png (14.4 KiB)
12.png (59.9 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JonathanBer-5963 avatar image
0 Votes"
JonathanBer-5963 answered CptSplint-0418 commented

I have the exact same issue. and its a big issue for us, cause when we make a InPlace upgrade of a device that have like 100 profil, its take many many hours!!

we alos tried with a powershell script, but it use win32_profileuser, so its the same problem.

Did someone find a solution to clear users profils ??

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi Jonathan, did you find/ created a script to remove the profiles?


the old method does not work anymore:
Get-WMIObject -class Win32_UserProfile | Where {(!$.Special) -and ($.ConvertToDateTime($_.LastUseTime) -lt (Get-Date).AddDays(-30))}| Measure-Object

From Microsoft we got the information the values in "LocalProfileLoadTimeLow" / "LocalProfileLoadTimeHigh" is used for the GPO to delete old profiles.
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-...SID"

We have such GPO not in place and it's a long way to discuss GPOs with colleagues (we have >100.000 clients). So I search for a way we can implement via Script, e.g. during the inplace upgrade task sequence.

Do you know, how the time is calculated? Probably you already have a script which could help?

0 Votes 0 ·