GPO to remove profiles on reboot not working

DonnaSmith 86 Reputation points
2023-01-19T14:48:16.7366667+00:00

I know this seems to be a recurring issue for some, but I still can't get Group Policy to remove profiles over x days on reboot for Windows 10 devices. Details as follows:

  • Created new GPO and enabled 'Delete user profiles older than a specified number of days on system restart'. Value for testing = 1 day
  • I have created a test OU and scoped the GPO to this - PC is in here
  • Security filtering has a test SG - PC is in here
  • GPRESULT / RSoP all good. GPO applied, as is also the case with the GP wizard
  • GPO has been enforced
  • No errors with the GPO in event logs, and I can see it applied along with other GPOs
  • Added all originally inherited GPOs to the OU, then blocked inheritance. Disabled almost all GPOs bar the default domain policy and the test profile GPO - no change (several reboots)
  • Permissions on the GPO for the SG changed from read to edit - no change
  • Enabled in gpedit for local policies, rebooted, setting still held but still no profiles removed
  • I confirmed NTUSER.DAT dates are showing over the 1 day value specified, as I ran a script to match these with the UsrClass.dat timestamp
  • In Advanced System Settings > User Profiles, these are listed as local with correct timestamps

Seems to be applying and configured, but no profiles are being removed off the machines. Checked other questions and forums. Some people are able to use this, whilst others see similar results to myself.

Windows Group Policy

2 answers

  1. Miloslav Ďurina 0 Reputation points
    2023-01-19T15:57:00.5233333+00:00

    https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.UserProfiles::CleanupProfiles
    I would check if the registry is really set up (regardless of whether the GPO is applied and "everything looks fine").
    If not, you can also set the registry manually and see...


  2. Limitless Technology 9,291 Reputation points
    2023-01-20T16:58:02.0566667+00:00

    Hello DonnaSmith,

    Firstly, note that the X days correspond not to the date of the NTUSER file but to the timestamp of the last time the user logged in.

    For example, if you set the expiration to 1 day and the user logs in at 11:00am, the system will consider it "older than" from the next day at 11:01am.

    On the other side, the timestamping of the NTUSER.DAT file has been a recurrent problem for this purpose, since many administrators have struggled to get properly updated timestamps. One solution I found is to run the following script as a Scheduled Task (Run on Start) on the specific machines in order to get it properly updated:

    Set the script below to run daily as a Scheduled Task. This will then solve the problem of NTUSER.DAT getting its timestamp updated when patched, etc.

    ```powershell
    # Posted script, cleaned up: copies UsrClass.dat's LastWriteTime onto NTUSER.DAT
    # for every local profile so that the profile-age check sees a current timestamp.
    $ErrorActionPreference = "SilentlyContinue"
    $Report = $Null
    $Path = "C:\Users"
    $ExcludedUsers = "Default", "Public", "Administrator"
    $UserFolders = $Path | Get-ChildItem -Directory -Exclude $ExcludedUsers

    ForEach ($UserFolder in $UserFolders)
    {
        $UserName = $UserFolder.Name
        # The path separator between $Path and $UserName was missing in the original
        If (Test-Path "$Path\$UserName\NTUser.dat")
        {
            $NTUserDat = Get-Item "$Path\$UserName\NTUSER.DAT" -Force
            $NTUserDatTimeStamp = $NTUserDat.LastWriteTime
            $UsrClassDat = Get-Item "$Path\$UserName\AppData\Local\Microsoft\Windows\UsrClass.dat" -Force
            $UserClassTimeStamp = $UsrClassDat.LastWriteTime
            # Stamp NTUSER.DAT with the (more recently updated) UsrClass.dat time
            $NTUserDat.LastWriteTime = $UserClassTimeStamp
            Write-Host $UserName $NTUserDatTimeStamp
            Write-Host (Get-Item "$Path\$UserName\AppData\Local\Microsoft\Windows\UsrClass.dat" -Force).LastWriteTime
            # Tab and CRLF escapes (backticks) were lost in the original post
            $Report = $Report + "$UserName`t$NTUserDatTimeStamp`r`n"
            $NTUserDat = $Null
            $UsrClassDat = $Null
        }
    }
    ```

    --If the reply is helpful, please Upvote and Accept as answer--
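Pulling the two answers together, the following is an added read-only diagnostic (not from either poster or from Microsoft) that first checks whether the CleanupProfiles registry value behind the GPO is actually present on the machine, and then lists each profile's NTUSER.DAT and UsrClass.dat write times alongside the OS's own last-use time against the configured cutoff, so you can see which profiles the policy should consider stale. The policy key path is the one documented for the CleanupProfiles setting; the Win32_UserProfile fields used and the default C:\Users layout are assumptions.

```powershell
# Added diagnostic: changes nothing, only reports. Run elevated on the affected PC.
# Registry location is the one behind the CleanupProfiles policy (assumed HKLM policy key).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$Days = (Get-ItemProperty -Path $PolicyKey -Name 'CleanupProfiles' -ErrorAction SilentlyContinue).CleanupProfiles

if ($null -eq $Days) {
    # If this fires, the GPO never wrote its value, whatever gpresult/RSoP show.
    Write-Warning "CleanupProfiles is not present under $PolicyKey - the policy has not been written to the registry on this machine."
    return
}
Write-Host "CleanupProfiles = $Days day(s)"
$Cutoff = (Get-Date).AddDays(-$Days)

# Win32_UserProfile (assumed fields: LocalPath, Loaded, Special, LastUseTime) is the
# source behind 'Advanced System Settings > User Profiles'; skip system/special profiles.
$Profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath }

$Profiles | ForEach-Object {
    $NtUser   = Join-Path $_.LocalPath 'NTUSER.DAT'
    $UsrClass = Join-Path $_.LocalPath 'AppData\Local\Microsoft\Windows\UsrClass.dat'
    # Both hives are hidden files, so read them with -Force
    $NtUserTime   = if (Test-Path $NtUser)   { (Get-Item $NtUser -Force).LastWriteTime }   else { $null }
    $UsrClassTime = if (Test-Path $UsrClass) { (Get-Item $UsrClass -Force).LastWriteTime } else { $null }

    [PSCustomObject]@{
        Profile         = Split-Path $_.LocalPath -Leaf
        Loaded          = $_.Loaded
        LastUseTime     = $_.LastUseTime
        NtUserWrite     = $NtUserTime
        UsrClassWrite   = $UsrClassTime
        # A loaded (currently signed-in) profile is never a deletion candidate
        OlderThanPolicy = ($null -ne $NtUserTime -and $NtUserTime -lt $Cutoff -and -not $_.Loaded)
    }
} | Sort-Object LastUseTime | Format-Table -AutoSize
```

If OlderThanPolicy is True for a profile that survives several reboots, the registry value is in place and the mismatch is in which timestamp the cleanup actually honours, which is the point the second answer makes.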