I've got a project on my hands and I'm a bit uncertain about how to handle old Windows profiles in my company. We're using a mix of Active Directory to Entra (with a one-way sync) and some Entra-only tenants. My main concern is that old profiles aren't getting updates, which could lead to problems for our MDR and security teams. We usually follow Microsoft's guidance when it comes to offboarding users in Entra, but users don't always adhere to IT policies. They are advised to use SharePoint or local shares, but that doesn't always happen, and I can't monitor every single machine or offboarded user. I need to consider the risk of lost data.
From my research, it seems that using PowerShell or modifying a specific registry entry would be the best methods to go with, especially since not every setup has access to a group policy or server. Ideally, I want to find one effective method instead of juggling multiple ones. I've looked into using the Registry Key (DWORD CleanupProfiles), but I've read it doesn't work across all setups and may overlook important data recovery needs. So I'm thinking a script could be beneficial. My idea is to check the last activity on the user profiles—if it's over 90 days, I'd copy their data to a shared location, compress it, and then delete the profile. However, I am concerned that even compressed, this could result in a lot of data.
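The archive-then-delete workflow described above, written out as an added example that is not from the original post or any of the answers. It assumes a hypothetical archive share (`\\fileserver\ProfileArchive$`), a 90-day threshold, a log file under ProgramData and a small exclusion list; every one of those is a placeholder to replace. It goes a little beyond the post in two ways: it treats a profile as stale only when both `LastUseTime` and the `NTUSER.DAT` write time are older than the cutoff (the former is updated by background services on recent Windows builds, so on its own it under-reports staleness or, worse, over-reports it), and it removes the profile through `Win32_UserProfile` so the ProfileList registry entry goes with the folder instead of leaving an orphaned SID behind.

```powershell
#Requires -RunAsAdministrator
# Added example (not the poster's script). All paths and names below are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ArchiveRoot  = '\\fileserver\ProfileArchive$',          # assumed share; change it
    [int]$StaleDays       = 90,
    [string[]]$ExcludeNames = @('Administrator', 'Public', 'Default') # never archive/delete these
)

$cutoff  = (Get-Date).AddDays(-$StaleDays)
$logFile = Join-Path $env:ProgramData 'ProfileCleanup.log'          # assumed log location

function Write-Log { param([string]$Message)
    "$(Get-Date -Format s) $env:COMPUTERNAME $Message" | Add-Content -Path $logFile
}

if (-not (Test-Path $ArchiveRoot)) { throw "Archive share $ArchiveRoot is not reachable; nothing deleted." }

# Win32_UserProfile is the ProfileList registry view: skip system (Special) and
# currently loaded profiles so a logged-on user is never touched.
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and -not $_.Loaded -and $_.LocalPath }

foreach ($p in $profiles) {
    $name = Split-Path $p.LocalPath -Leaf
    if ($ExcludeNames -contains $name) { continue }

    # Gather every activity indicator we have and keep the NEWEST one, so a profile
    # is only called stale when all indicators agree (err on the side of keeping data).
    $indicators = @()
    if ($p.LastUseTime) { $indicators += $p.LastUseTime }
    $ntuser = Join-Path $p.LocalPath 'NTUSER.DAT'
    if (Test-Path $ntuser) { $indicators += (Get-Item $ntuser -Force).LastWriteTime }
    if ($indicators.Count -eq 0) { continue }               # cannot judge; leave it alone
    $lastActivity = ($indicators | Sort-Object -Descending)[0]
    if ($lastActivity -gt $cutoff) { continue }             # used recently

    $stamp   = Get-Date -Format 'yyyyMMdd'
    $staging = Join-Path $env:TEMP "ProfileArchive-$name-$stamp"
    $zipName = "$env:COMPUTERNAME-$name-$stamp.zip"
    $zipPath = Join-Path $ArchiveRoot $zipName

    # -WhatIf / -Confirm support: run with -WhatIf first to see what would go.
    if (-not $PSCmdlet.ShouldProcess($p.LocalPath, "Archive to $zipPath, then delete profile")) { continue }

    try {
        # Copy user data only: skip AppData\Local (caches, temp, mail cache), the
        # registry hive files, and junction points (/XJ) that would otherwise recurse.
        $rcArgs = @($p.LocalPath, $staging, '/E', '/XJ', '/R:1', '/W:1', '/NFL', '/NDL', '/NJH', '/NJS',
                    '/XD', (Join-Path $p.LocalPath 'AppData\Local'),
                    '/XF', 'NTUSER.DAT*', 'ntuser.ini', 'UsrClass.dat*')
        & robocopy.exe @rcArgs | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

        $hasFiles = Get-ChildItem $staging -Recurse -File -Force -ErrorAction SilentlyContinue |
                    Select-Object -First 1
        if ($hasFiles) {
            Compress-Archive -Path (Join-Path $staging '*') -DestinationPath $zipPath -CompressionLevel Optimal -Force
            # Verify the archive exists and is non-empty BEFORE anything is removed.
            $zip = Get-Item $zipPath
            if ($zip.Length -eq 0) { throw "archive $zipPath is empty" }
            $hash = (Get-FileHash $zipPath -Algorithm SHA256).Hash
        } else {
            $zipName = '(no user files to archive)'; $hash = '-'; $zip = $null
        }

        # Removing the CIM instance deletes the folder AND the ProfileList entry.
        $p | Remove-CimInstance
        Write-Log ("DELETED {0} last={1} archive={2} sha256={3} bytes={4}" -f `
            $name, $lastActivity.ToString('s'), $zipName, $hash, $(if ($zip) { $zip.Length } else { 0 }))
    }
    catch {
        Write-Log "ERROR $name $($_.Exception.Message) - profile left in place"
    }
    finally {
        if (Test-Path $staging) { Remove-Item $staging -Recurse -Force -ErrorAction SilentlyContinue }
    }
}
```

Run it once with `-WhatIf` per machine to see the candidate list before letting it delete anything; the log line per profile (last activity, archive name, SHA-256) is what a security or MDR team can use later to answer "where did that user's data go". Two caveats worth checking in your environment: `Compress-Archive` on Windows PowerShell 5.1 has trouble with very long paths and with archives of several gigabytes, so for large profiles either leave the robocopy copy uncompressed on the share or swap in a different archiver, and the AppData\Local exclusion is a judgement call that trades archive size against recovering things like browser profiles, so adjust the `/XD` list to your data-recovery expectations.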
4 Answers
We used to automate the deletion of old profiles, but that caused some issues with certain teams who need intermittent access. Now, we’re more manual about it. We run a detection and remediation script across profiles, looking for 'items of concern' before deciding on deletion. Sometimes practical approaches trump ideal ones!
If you need to clear out stale profiles, we're using delprof2 combined with a Group Policy to automatically delete profiles of users who haven't logged in in over 90 days. But keep in mind, you'll want to make sure you've saved any necessary data before deleting.
We don't enforce a strict limit for deleting profiles. We usually start by removing profiles of users who are no longer with the company or those who won't be returning to that specific workstation.
In our shared labs, we have a script that deletes user profiles as soon as the system is shut down, and we’ve also turned off sleep and hibernate modes to avoid accidental profile retention.