Remove-LocalUser

So I am trying to figure out a PowerShell script that will use Remove-LocalUser to clear local profiles off a remote computer, using PDQ Deploy to push the PowerShell script. The tricky thing is that I have a GPO that does not allow remote scripts to run unless you're the admin or run a PowerShell script that changes the settings in the registry to allow the script to run.

Back to my script: I want to convert the last logged-in user time to a readable value, then use a greater-than statement of 100 days to filter out old user accounts. Then I want to exclude the special accounts and the PDQ admin account so I do not delete the local accounts. I have tried a few different ways to remove the delprof2 and a few PowerShell scripts that Microsoft has, but nothing fits my needs. Can someone point me in the correct direction?

OS - Windows 10 1703

0

Comments

3 comments
  • I have to run this first:

    powershell Set-ExecutionPolicy RemoteSigned

    Then this PowerShell script:

    Function GetChoice
    {
        # Prompt the operator before anything is deleted
        $Caption = "Delete Confirming."
        $Message = "Do you want to delete the unused user folder?"
        $Choices = [System.Management.Automation.Host.ChoiceDescription[]] @("&Yes", "&No")
        [Int]$DefaultChoice = 0
        $ChoiceRTN = $Host.UI.PromptForChoice($Caption, $Message, $Choices, $DefaultChoice)
        Switch ($ChoiceRTN)
        {
            0 { $True }
            1 { break }   # "No" returns nothing, which the caller treats as $False
        }
    }

    Function isException($Foldername)
    {
        # Folder names under the profile root that must never be deleted:
        # built-in/special profiles plus the local admin accounts
        Switch ($Foldername)
        {
            "All Users"            { $True }
            "Default User"         { $True }
            "Default"              { $True }
            "LocalService"         { $True }
            "NetworkService"       { $True }
            "Administrator"        { $True }
            "Adm-Pass"             { $True }
            "AppData"              { $True }
            "Classic .NET AppPool" { $True }
            "Public"               { $True }
            default                { $False }
        }
    }

    # Locate the profile root ("Documents and Settings" on old systems, "Users" on Vista and later;
    # the second check wins when both exist)
    If (Test-Path -Path "C:\Documents and Settings\")
    {
        $UserParentFolder = "C:\Documents and Settings\"
    }

    If (Test-Path -Path "C:\Users\")
    {
        $UserParentFolder = "C:\Users\"
    }

    # Folders unused for more than this many days are candidates for deletion
    $PeriodDays = 100

    $Result = @()
    # Get all user folders (directories only, so stray files under the root are ignored)
    $userFolders = Get-ChildItem -Path $UserParentFolder -Directory

    Foreach ($Folder in $userFolders)
    {
        # Age of the folder based on its NTFS last-access timestamp
        $LastAccessTime = $Folder.LastAccessTime
        $CurrentDate = Get-Date
        $Tim = New-TimeSpan $LastAccessTime $CurrentDate
        $Days = $Tim.Days
        # Keep only folders that are not excluded and are older than the threshold
        If ((isException $Folder.Name) -eq $false -and ($Days -gt $PeriodDays))
        {
            $temp = New-Object psobject -Property @{
                "FileName"       = $Folder.FullName;
                "LastAccessTime" = $Folder.LastAccessTime;
                "UnusedDays"     = $Days
            }
            $Result += $temp
        }
    }

    If ($Result)
    {
        # Show the candidates, then ask before deleting
        $Result
        If (GetChoice)
        {
            foreach ($Folder in $Result)
            {
                try
                {
                    # Remove the user folder
                    $path = $Folder.FileName
                    cmd.exe /c "RD /S /Q `"$path`""
                    If ((Test-Path $path) -eq $false)
                    {
                        Write-Host "Delete unused user folder $path successfully!"
                    }
                }
                Catch
                {
                    Write-Error $_
                }
            }
        }
    }
    
    0
  • Found some PowerShell script from another user on the Microsoft website and built on it. Since I have it locked down by GPO to not allow scripts to run, I had to add powershell Set-ExecutionPolicy RemoteSigned.

    0
  • Well... I don't believe in default timestamps (Windows Update or PDQ Deploy changes lots of stuff under inactive users' folders and files). Second, if you just delete the user account folder, then you also need to delete the user profile in the registry, otherwise next time the same-name (SID) user can log in only with a temp profile. Better to use DelProf2.exe. I think this forum also has some notes on that.

    I am using DelProf2 domain-wide, but only with GPO > Scheduled Task, run on system startup: powershell -ExecutionPolicy Bypass \domain\netlogon\DelProf.ps1 with my specific arguments and code like "timestamp" (inactive 90 days). I am taking it from one specific shortcut on the user desktop which is only created or updated by GPO when the user is logged in.

    You can also use DelProf2 with Deploy easily for local users etc. As I wrote, I think this forum also has some notes on that.

    Have phun!

    0
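Added example, not code from any of the posts above: the filter the question asks for (unused for more than 100 days, skipping the special accounts and the PDQ admin account) written against the Win32_UserProfile CIM class. Removing a Win32_UserProfile instance deletes the registry ProfileList entry together with the folder, which avoids the orphaned-SID temp-profile problem raised in the last comment. The protected account name 'pdqadmin' is a placeholder assumption; LastUseTime can be refreshed by background activity, so review the listing (or run with -DryRun) before deleting.

```powershell
# Added example, not from the posts above. Run elevated on the target machine.
# Assumption: the PDQ Deploy service account is named 'pdqadmin' (placeholder).
param(
    [int]$MaxAgeDays = 100,                    # threshold from the question
    [string[]]$KeepAccounts = @('pdqadmin'),   # profile folder names never to remove
    [switch]$DryRun                            # list only, delete nothing
)

$now    = Get-Date
$cutoff = $now.AddDays(-$MaxAgeDays)

# Win32_UserProfile is the profile as Windows tracks it (registry ProfileList entry
# plus folder), so removing the instance does not leave an orphaned SID behind.
$candidates = foreach ($p in (Get-CimInstance -ClassName Win32_UserProfile)) {
    if ($p.Special) { continue }               # LocalService, NetworkService, systemprofile...
    if ($p.Loaded)  { continue }               # profile in use by a logged-on user
    $name = Split-Path -Leaf $p.LocalPath
    if ($KeepAccounts -contains $name) { continue }
    # LastUseTime arrives as a [datetime] from the CIM cmdlets; an unknown value means "keep"
    if ($null -eq $p.LastUseTime -or $p.LastUseTime -ge $cutoff) { continue }
    [pscustomobject]@{
        Name        = $name
        SID         = $p.SID
        LocalPath   = $p.LocalPath
        LastUseTime = $p.LastUseTime           # the readable value the question asks for
        UnusedDays  = [int][math]::Floor(($now - $p.LastUseTime).TotalDays)
        Instance    = $p
    }
}

if (-not $candidates) { Write-Host "No profiles unused for more than $MaxAgeDays days."; return }

# Show what would be removed before touching anything
$candidates | Select-Object Name, LocalPath, LastUseTime, UnusedDays | Format-Table -AutoSize

foreach ($c in $candidates) {
    if ($DryRun) { Write-Host "DryRun: would remove $($c.Name) ($($c.SID))"; continue }
    try {
        # Deletes the folder and the ProfileList entry for this SID in one step
        Remove-CimInstance -InputObject $c.Instance -ErrorAction Stop
        Write-Host "Removed profile $($c.Name) at $($c.LocalPath)"
    }
    catch {
        Write-Error "Failed to remove $($c.Name): $_"
    }
}
```

Pushed through PDQ Deploy it still needs the execution-policy handling discussed above (for example powershell -ExecutionPolicy Bypass -File), since the GPO restriction applies to this script as much as to the original one.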