2

Is there a way to prevent a local account on a Windows XP machine from storing any data in the Documents and Settings folder?

The machine is used on a domain predominantly and is a base image. When a new instance of the image is created, the use of a local account allows the machine to be added/removed from the domain. It would be nice for that local account not to create a Documents and Settings folder for itself...

davidsleeps
  • 192
  • 2
  • 11

4 Answers

2

... Right, I didn't understand on my other answer, but from the comments, I think I do now.

Look at the Deployment section on TechNet. There is a whole stack of resources that will help you out.

What I would recommend is getting the Microsoft Deployment Toolkit and building an image that will deploy Windows, pre-install all your software AND join the PC to the domain within the setup of Windows so there is no login required.

Lastly, if this does not work for you, you may want to try logging on anyway, doing what you need doing and then create a registry key that will make a run once entry for a script on start-up that can delete all items in C:\Documents and Settings - Just found this, but I cannot vouch for it as I have not used it - http://www.wisesoft.co.uk/scripts/vbscript_delete_local_profiles.aspx

Microsoft also make a tool that deletes all local user accounts, but I cannot find it :S I think it was in a support pack, if I find it, I will edit this answer.

William Hilsum
  • 3,506
  • 5
  • 28
  • 39
  • I've been able to use the NET USER commands to remove local users, but the files seem to get left there...and since the usernames are often localUser.MACHINE-NAME.000 etc and the RD command doesn't wildcard... – davidsleeps Aug 13 '09 at 06:14
  • +1 for the useful info...and for the effort. This is relevant for me also. Thanks. – cop1152 Sep 27 '09 at 00:33
1

If you're using this to clone out to many computers, and you use SysPrep, you can issue a RunOnce command at the end of SysPrep to just delete the local profile on first boot. This should leave the base image pretty much pristine, with nothing in Docs & Settings.

phuzion
  • 2,192
  • 1
  • 18
  • 23
0

If this is a base image, people really should not be using it for everyday use, unless you are talking about wanting to prevent data from being written when the image is deployed.

It is possible to prevent people writing and saving files through group policy and restrictions, but you may have problems when it comes to application data as pretty much everything you run in Windows requires this.

You do not really give enough details as to the environment so I am just assuming here, but you may want to take a look at Windows SteadyState which will allow others to use this PC then restore it to its original state.

William Hilsum
  • 3,506
  • 5
  • 28
  • 39
  • He's talking about an account that **joins** the computer to the domain. Thus, Group Policy will have no effect until **after** they have logged in already, and all the files have been written to the C: drive – Izzy Aug 13 '09 at 02:27
0

I'm really not sure this is possible. When a user logs in, Windows needs somewhere to store all the information that enables the user logging-in to function. Someone mentioned Group Policy already, but this is of no use to you because this login will be to join the machine to the domain, which will be before group policy can have any effect.

Your best bet is going to be to run a script remotely after the user logs out (after they have joined the machine to the domain). This script would cycle through the User Profiles on the remote machine (the PC just joined to the domain) checking the SIDs. If it finds a matching SID it deletes the profile.

I wrote a very similar script last year. It's at work. Will answer tomorrow with the script (when I'm at work)

UPDATE:

Here's the script I was talking about. It needed a pretty major overhaul as it was doing all kinds of cross domain funkiness because of the environment I'm in.

If you are getting permissions problems, change the UserName = "" and Password = "" sections to an account that has Local Admin rights over the target PC.

```vbscript
Option Explicit

' Note: the Win32_UserProfile WMI class is provided by Windows Vista SP1 /
' Server 2008 and later, so the target computer must run one of those.

Dim strComputer, UserName, Password
Dim SWBemlocator, objWMIService, colItems, objItem
Dim strMessage, strPath, deleteResponse

' Leave both blank to connect as the current user; otherwise use an account
' that has Local Admin rights over the target PC.
UserName = ""
Password = ""

strComputer = Trim(InputBox("Please enter the FQDN of the new computer:"))

If strComputer = "" Then
    WScript.Quit
End If

If Not Ping(strComputer) Then
    MsgBox "The computer (" & strComputer & ") is not responding to ping - exiting"
    WScript.Quit
End If

' Suppress errors only around the calls that are expected to fail, so that
' other problems are not silently hidden.
On Error Resume Next
Set SWBemlocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = SWBemlocator.ConnectServer(strComputer, "root\CIMV2", UserName, Password)
If Err.Number <> 0 Then
    MsgBox "Could not connect to WMI on " & strComputer & ": " & Err.Description
    WScript.Quit
End If
On Error GoTo 0

' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly
Set colItems = objWMIService.ExecQuery("Select * from Win32_UserProfile", , 48)

For Each objItem In colItems
    strPath = objItem.LocalPath
    strMessage = ""

    ' The date properties are CIM datetime strings; keep only YYYYMMDD.
    AddLine strMessage, "LastDownloadTime", Left(objItem.LastDownloadTime, 8)
    AddLine strMessage, "LastUploadTime", Left(objItem.LastUploadTime, 8)
    AddLine strMessage, "LastUseTime", Left(objItem.LastUseTime, 8)
    AddLine strMessage, "Loaded", objItem.Loaded
    AddLine strMessage, "LocalPath", objItem.LocalPath
    AddLine strMessage, "RefCount", objItem.RefCount
    AddLine strMessage, "RoamingConfigured", objItem.RoamingConfigured
    AddLine strMessage, "RoamingPath", objItem.RoamingPath
    AddLine strMessage, "RoamingPreference", objItem.RoamingPreference
    AddLine strMessage, "SID", objItem.SID
    AddLine strMessage, "Special", objItem.Special
    AddLine strMessage, "Status", objItem.Status

    strMessage = strMessage & vbCrLf & vbCrLf & "Do you wish to delete this profile?"

    deleteResponse = MsgBox(strMessage, vbYesNoCancel + vbQuestion, "Profile Found")

    ' Only an explicit Yes deletes; No and Cancel move on to the next profile.
    If deleteResponse = vbYes Then
        On Error Resume Next
        Err.Clear
        objItem.Delete_
        If Err.Number = 0 Then
            MsgBox "Profile " & strPath & " on " & strComputer & " deleted"
        Else
            MsgBox "Profile " & strPath & " on " & strComputer & " NOT deleted - Is user logged in?"
        End If
        On Error GoTo 0
    End If
Next

' Append "label: value" to strText, skipping Null or empty properties.
' Uses & throughout so Boolean and numeric values do not raise a type mismatch.
Sub AddLine(ByRef strText, ByVal strLabel, ByVal varValue)
    If IsNull(varValue) Then Exit Sub
    If CStr(varValue) = "" Then Exit Sub
    strText = strText & strLabel & ": " & varValue & vbCrLf
End Sub

' Returns True only if the host answers a ping from this machine.
Function Ping(strHost)
    Dim objPing, objRetStatus

    Ping = False
    ' Drop single quotes so the typed value cannot break out of the WQL string.
    strHost = Replace(strHost, "'", "")

    Set objPing = GetObject("winmgmts:{impersonationLevel=impersonate}").ExecQuery _
      ("select * from Win32_PingStatus where address = '" & strHost & "'")

    For Each objRetStatus In objPing
        If IsNull(objRetStatus.StatusCode) Or objRetStatus.StatusCode <> 0 Then
            Ping = False
        Else
            Ping = True
        End If
    Next
End Function
```
Izzy
  • 8,214
  • 2
  • 30
  • 35
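
The SID-matching cleanup described in the last answer, written as a local script of the kind the RunOnce suggestions above call for (an added example, not code from any of the posters). It reads the profile folder from the `ProfileList` registry key, so the `.MACHINE-NAME.000` suffix never has to be guessed. Assumptions: the account name `imagebuild` is hypothetical, and the script runs with local administrator rights after that account has logged off.

```vbscript
' Added example: remove the profile of one local account by SID.
Option Explicit
Const HKLM = &H80000002, HKU = &H80000003
Const PROFILE_LIST = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
Const BUILD_ACCOUNT = "imagebuild"   ' hypothetical local account name

Dim wmi, reg, fso, acct, sid, path, root, subKeys
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
Set fso = CreateObject("Scripting.FileSystemObject")

' 1. Resolve the local account name to its SID.
sid = ""
For Each acct In wmi.ExecQuery("SELECT SID FROM Win32_UserAccount " & _
        "WHERE LocalAccount = True AND Name = '" & BUILD_ACCOUNT & "'")
    sid = acct.SID
Next
If sid = "" Then Fail "local account not found: " & BUILD_ACCOUNT

' 2. A loaded hive under HKEY_USERS means the account is still logged on.
If reg.EnumKey(HKU, sid, subKeys) = 0 Then Fail "profile is in use: " & sid

' 3. Read the real folder from the registry instead of guessing its suffix.
If reg.GetExpandedStringValue(HKLM, PROFILE_LIST & "\" & sid, _
        "ProfileImagePath", path) <> 0 Then
    Fail "no profile registered for " & sid
End If
If reg.GetExpandedStringValue(HKLM, PROFILE_LIST, "ProfilesDirectory", root) <> 0 Then
    Fail "cannot read ProfilesDirectory"
End If

' 4. Refuse to delete anything that is not directly below the profiles root.
If LCase(fso.GetParentFolderName(path)) <> LCase(root) Then
    Fail "unexpected profile path: " & path
End If

' 5. Remove the folder, then the registry entry that points at it.
If fso.FolderExists(path) Then fso.DeleteFolder path, True
If reg.DeleteKey(HKLM, PROFILE_LIST & "\" & sid) <> 0 Then
    Fail "could not remove ProfileList entry for " & sid
End If
WScript.Echo "Removed profile " & path & " (" & sid & ")"

Sub Fail(msg)
    WScript.Echo "Aborted: " & msg
    WScript.Quit 1
End Sub
```

Run it with `cscript //nologo` so the messages go to the console rather than to dialog boxes.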