Group Policy: Automatically Delete User Profiles Older Than Certain Number of Days Win 10 not working.

Question

Hi

I enabled Computer Configuration\Administrative Templates\System\User Profiles\Delete User Profiles Older Than xxx GPO and apply to Windows 10 PCs.
Dayes set to 90.
Unfortunately, this didn't remove old data folders in C:\user.
I checked the registry HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System was added the REG_DWORD
I'm using Win 2019 domain and Win 10 client PC's.
Can someone help me to fix this?
The link which I use is https://social.technet.microsoft.com/wiki/contents/articles/28647.group-policy-how-to-automatically-delete-user-profiles-older-than-certain-number-of-days.aspx

Kr,
Amila.

Answer 1

Hello @P. Amila Mahesh Muthukumarana ,

Thanks for posting here.

I did the testing in my lab, and below are the findings.

The group policy was configured as shown below.

This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accessed.

If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days.

So I restarted the system and then checked the folders under C:\Users and User profiles were deleted.

Hope it helps. For any question, please post here.

Best regards,
Hannah Xiong

Answer 2

was there a fix for this - ntuser.dat is getting updated preventing the GPO from working
Is there a way around this to achieve profile removal?

Answer 3

MS have sat on this problem for years now. Even the third party solution, DelProf2 doesn't work anymore due to NTUSER.DAT and ntuser.ini getting updated outside of user logon.

The only current way is to copy the timestamp from another (currently) working file: UsrClass.dat using the script below, then your GPO for removing stale profiles, which tests on NTUSER.DAT's timestamp, will work.

Set the script below to run daily as a Scheduled Task. This will then solve the problem of NTUSER.DAT getting its timestamp updated when patched, etc.

$ErrorActionPreference = “SilentlyContinue”
$Report = $Null
$Path = "C:\Users"
$ExcludedUsers = "Default", "Public", "Administrator"
$UserFolders = $Path | Get-ChildItem -Directory -Exclude $ExcludedUsers

ForEach ($UserFolder in $UserFolders)
{
$UserName = $UserFolder.Name
If (Test-Path “$Path\$UserName\NTUser.dat”)
{
$NTUserDat = Get-Item "$Path\$UserName\NTUSER.DAT" -force
$NTUserDatTimeStamp = $NTUserDat.LastWriteTime
$UsrClassDat = Get-Item "$Path\$Username\AppData\Local\Microsoft\Windows\UsrClass.dat" -force
$UserClassTimeStamp = $UsrClassDat.LastWriteTime
$NTUserDat.LastWriteTime = $UserClassTimeStamp
Write-Host $UserName $NTUserDatTimeStamp
Write-Host (Get-item $Path\$UserName\AppData\Local\Microsoft\Windows\UsrClass.dat -Force).LastWriteTime
$Report = $Report + “$UserNamet$NTUserDatTimeStampr`n”
$NTUserDat = $Null
$UsrClassDat = $Null
}
}

Answer 4

@Adam No name

Hi there. I appreciate your input. I ran the GPO successfully on a couple of test machines, and it works, kind of.

After I found your post here I created a PowerShell script with the contents and rebooted. This does not seem to work and fully resolve the issue making the profile deletable.

Let me know if I am missing something. I am also performing updates on the machines now for good measure.

Thanks

Joe

Answer 5

Any update on this. I can use the script to update ntuser.dat timestamp with the date from usrclass.dat - this works but the GPO is still not removing any old profiles?