Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange

 Windows OS Hub / PowerShell / How to Delete Old User Profiles Using GPO and PowerShell?

November 19, 2019 Group PoliciesPowerShellWindows Server 2016

How to Delete Old User Profiles Using GPO and PowerShell?

On Windows workstations and servers, especially on RDS (Remote Desktop Services) servers, there is a regular need to remove old (unused) user profiles from C:\Users. The main problem of any Remote Desktop server is the constant growth the size of user profile directories on a local drive. It is partially solved by enabling quotas on the maximum user profiles size (with FSRM or NTFS quotas). However, if there are a lot of terminal server users, with time the C:\Users directory will accumulate a huge number of directories with user profiles that are not longer needed.

Contents:
  • How to Delete a User Profile Manually in Windows?
  • GPO: Delete User Profiles Older Than a Specified Number Days
  • PowerShell Script to Delete Old User Profiles in Windows

How to Delete a User Profile Manually in Windows?

Many novice Windows admins try to manually delete a user profile folder from C:\Users. You can do it if after manually deleting the folder, you will delete the user profile section with the link to this folder from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\ProfileList.

The correct way to manually delete a user profile in Windows is to open System Properties, go to Advanced System Settings -> User Profiles -> Settings, select a user in the list (the Size column shown the size of the profile on the local drive) and click the Delete button.

removing user profile manually in windows

But this is a manual method, and you may want to automate it.

GPO: Delete User Profiles Older Than a Specified Number Days

In Windows, there is a built-in Group Policy to automatically delete user profiles older than xx days. You can find the policy Delete user profiles older than a specified number days on system restart in the GPO section Computer Configuration -> Administrative Templates -> System -> User Profiles. You can enable this policy in the Local Group Policy Editor (gpedit.msc) or using domain policies in GPMC.msc.

Enable the policy and specify the number of days a user profile is considered active. When this period is over, Windows user profile service will automatically delete the profile at the next restart. It is recommended to specify the period of 45-90 days here.

group policy: Delete user profiles older than a specified number days on system restart

When using this policy, make sure that when a server is shut down or restarted there are no problems with the system time (check the article “System time and date changes after reboot”). Otherwise active user profiles may be deleted.

The main troubles associated with this automatic method of profile removal is waiting for the server restart and non-selectivity (you cannot prohibit deleting certain user profiles like local accounts, administrative accounts, etc.). Also, this policy may not work if some third-party software (most often it is an antivirus) accesses NTUSER.DAT file in user profiles and updates the date of last use.

PowerShell Script to Delete Old User Profiles in Windows

Instead of using the automatic cleanup profile policy described above, you can use a simple PowerShell script to find and remove profiles of disabled or inactive users.

First of all, let’s try to count the size of all user profil folders in C:\Users using a simple script from the article Getting Directory Sizes in PowerShell:

gci -force 'C:\Users'-ErrorAction SilentlyContinue | ? { $_ -is [io.directoryinfo] } | % {
$len = 0
gci -recurse -force $_.fullname -ErrorAction SilentlyContinue | % { $len += $_.length }
$_.fullname, '{0:N2} GB' -f ($len / 1Gb)
$sum = $sum + $len
}
“Total size of profiles”,'{0:N2} GB' -f ($sum / 1Gb)

The total size of all user profiles in C:\Users is 31,5 GB.

count the total user profile size on RDS host

Let’s display the list of users, whose profiles has not been used for more than 60 days. To find them, you can use the value in the LastUseTime field of the profile.

Get-WMIObject -class Win32_UserProfile | Where {(!$_.Special) -and ($_.ConvertToDateTime($_.LastUseTime) -lt (Get-Date).AddDays(-60))}| Measure-Object

It turned out that I had 127 inactive user accounts on my RDS host (with a profiles total size of about 18 GB).

get inactive users list by profile LastUseTime on RDSH

To remove all these profiles, it is enough to redirect the user list to the Remove-WmiObject command (prior to running the script, it is recommended to double-check its output using the –WhatIf parameter):

Get-WMIObject -class Win32_UserProfile | Where {(!$_.Special) -and (!$_.Loaded) -and ($_.ConvertToDateTime($_.LastUseTime) -lt (Get-Date).AddDays(-30))} | Remove-WmiObject –WhatIf

In order not to delete profiles of some users, like System and Network Service accounts, a local administrator account, accounts of users having active sessions, account exception list), you can modify the script as follows:

#The list of accounts, which profiles must not be deleted
$ExcludedUsers ="Public","zabbix_agent","svc",”user_1”,”user_2”
$LocalProfiles=Get-WMIObject -class Win32_UserProfile | Where {(!$_.Special) -and (!$_.Loaded) -and ($_.ConvertToDateTime($_.LastUseTime) -lt (Get-Date).AddDays(-60))}
foreach ($LocalProfile in $LocalProfiles)
{
if (!($ExcludedUsers -like $LocalProfile.LocalPath.Replace("C:\Users\","")))
{
$LocalProfile | Remove-WmiObject
Write-host $LocalProfile.LocalPath, "profile deleted” -ForegroundColor Magenta
}
}

You can run this PowerShell script using a GPO at shutdown or with a PoSh script in Task Scheduler.

Before configuring automatic deletion of profiles, it is recommended to test the script in your environment!

You can modify the script to automatically remove all user profiles added to the specific AD group (for example, DisabledUsers group):

$users = Get-ADGroupMember -Identity DisabledUsers | Foreach {$_.Sid.Value}
$profiles = Get-WmiObject Win32_UserProfile
$profiles | Where {$users -eq $_.Sid} | Foreach {$_.Delete()}

5 comments
1
Facebook Twitter Google + Pinterest
previous post
Get-ADUser: Getting Active Directory Users Info via PowerShell
next post
VMWare vSphere: Failed to Upload Files to Datastore

Related Reading

How to Troubleshoot, Repair and Rebuild the WMI...

March 2, 2021

How to Sign a PowerShell Script (PS1) with...

February 25, 2021

How to Shadow (Remote Control) a User’s RDP...

February 22, 2021

Configuring PowerShell Script Execution Policy

February 18, 2021

Configuring Proxy Settings on Windows Using Group Policy...

February 17, 2021

5 comments

Aaron April 16, 2020 - 3:38 pm

Using Remove-WmiObject to get rid of the Win32_UserProfile sets only clears out the user home folders. I found that users can still sign in with their old locally-cached Windows Hello (for Business) PINs; is there a way to flush those credentials out of the TPM too?

Reply
admin April 21, 2020 - 6:31 am

This article shows how to clear user profiles that have not been logged in for a long time. After deleting the profile, users can log in again and a new profiles directory will be created for them.

Reply
REX October 13, 2020 - 10:06 am

Amazing! Thanks a lot for this!

Reply
Viv December 10, 2020 - 7:15 pm

This is going to save me so much time.. and its so clearly explained.. Fantastisch!

Reply
Ste January 15, 2021 - 4:34 pm

Thank you for the very detailed article. However, what is the right command to delete only a specific user profile?

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • PowerShell
  • VMWare
  • MS Office

Recent Posts

  • How to Troubleshoot, Repair and Rebuild the WMI Repository?

    March 2, 2021
  • Accessing USB Flash Drive from VMWare ESXi

    February 26, 2021
  • How to Sign a PowerShell Script (PS1) with a Code Signing Certificate?

    February 25, 2021
  • Change the Default Port Number (TCP/1433) for a MS SQL Server Instance

    February 24, 2021
  • How to Shadow (Remote Control) a User’s RDP session on RDS Windows Server 2016/2019?

    February 22, 2021
  • Configuring PowerShell Script Execution Policy

    February 18, 2021
  • Configuring Proxy Settings on Windows Using Group Policy Preferences

    February 17, 2021
  • Updating Group Policy Settings on Windows Domain Computers

    February 16, 2021
  • Managing Administrative Shares (Admin$, IPC$, C$, D$) in Windows 10

    February 11, 2021
  • Packet Monitor (PktMon) – Built-in Packet Sniffer in Windows 10

    February 10, 2021

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Configure Google Chrome Using Group Policy ADMX Templates?
  • Updating List of Trusted Root Certificates in Windows 10/8.1/7
  • Allow RDP Access to Domain Controller for Non-admin Users
  • Backup/Restore and Export Local Group Policy Settings to Another Computer
  • How to Show/Hide All User Accounts from Login Screen in Windows 10?
  • Reset Local Group Policy Settings in Windows
  • How to Block USB Drives in Windows using Group Policy?
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top