Posts Tagged ‘Domain’

Keeping Windows Time Synchronized

Over the years I have managed a few applications that are time sensitive in recording when certain things were logged. This has caused issues when some computers update time and some get behind. Users have trouble understanding why they did something at one time but it was recorded as another. I did find a few commands that can help remedy this problem.

To check Windows Time Service configuration.

w32tm /query /configuration

To configure a standalone server or domain controller for an external time source.

w32tm /config /update /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8" /syncfromflags:MANUAL

To force update to time source.

w32tm /resync

Source: WindowsTimeService < Support < NTP.
Source: Microsoft Technet: Windows Time Service Tools and Settings

How to Set Permission on a Service Using Subinacl

A couple of months back I was installed some communication software that made a VPN connection to the main server. It used OpenVPN to establish the connection and worked fine as long as your were an administrator on the PC. As I researched it further it installed a service and required that service to run on demand when the user launch the program. Since your standard limited user does not have privileges to start and stop services the application would fail to connect to the server.

So now the question becomes, how do you add permissions to a service?

Microsoft has an answer with a little known command line application called subinacl. This application allows you to view and edit security information for files, registry keys, and services. This can be handy if you are writing a script to change permissions on registry keys or files but the real power lies within the ability to edit the security information on services.

The syntax for subinacl: SUBINACL /SERVICE \\MachineName\ServiceName /GRANT=[DomainName\]UserName[=Access]

The Access parameter is broken down like this:

F : Full Control
R : Generic Read
W : Generic Write
X : Generic eXecute
L : Read controL
Q : Query Service Configuration
S : Query Service Status
E : Enumerate Dependent Services
C : Service Change Configuration
T : Start Service
O : Stop Service
P : Pause/Continue Service
I : Interrogate Service
U : Service User-Defined Control Commands

For my example I just needed to allow the Domain Users group access to run the OpenVPN service.

subinacl /service OpenVPN /GRANT=DOMAIN\Domain Users=TO

You may need to execute this from the folder where subinacl.exe is located. Also if it is running the command on a local system you can just type the name of the service and not the UNC path to the service.

Download subinacl.exe from Microsoft
For more information about this command please visit: http://support.microsoft.com/kb/288129

Report Workstation Uptime in a CSV using Active Directory and VBS

Have you ever been left wondering which computers on your domain have been neglected by their user and not restarted in forever? This is a question that come up in my office every once and a while. One of the easiest ways to solve this problem is to ask WMI for when the computer was last restarted and subtract it from the current time. Also, while asking WMI questions you might as well ask which user is currently logged on the PC that way you know who to blame. This is exactly what the following script does for your domain. It grabs the list of workstations from the domain then queries WMI for the last time the computer is restarted and does some conversion and math and makes you an nice CSV that you can play with.

Script Configuration
Before running this script there is some minor configuration that must be done so it can communicate with your Active Directory setup.

  1. Find objConnection.Open "Active Directory Server" change Active Directory Server to the name of your Domain Controller
  2. Find objCommand.CommandText = _
    "Select Name, Location from 'LDAP://OU=Workstations,DC=west,DC=domain,DC=edu' " _
    & "Where objectClass='computer'"
    change subdomain, domain, and suffix to the name of your domain i.e. west domain edu (respectively)
  3. Find GetUptime objRecordSet.Fields("Name").Value, "C:\uptime.csv" and change C:\uptime.csv to the location where you want the file saved. Be sure to save it with the extension CSV
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Server" 

Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select Name, Location from 'OU=Workstations,DC=west,DC=domain,DC=edu' " _
        & "Where objectClass='computer'"  
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
	GetUptime objRecordSet.Fields("Name").Value, "C:\uptime.csv"
    objRecordSet.MoveNext
Loop

Sub GetUptime(strComputer, strFilename)
	On Error Resume Next
	Set StdOut = WScript.StdOut
	 
	Set objFSO = CreateObject("scripting.filesystemobject")
	Set logStream = objFSO.opentextfile(strFilename, 8, True)
	 
	Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
	If Err.Number Then
	      logStream.writeline(strComputer & ",Offline")
	      Err.Clear
	Else
		Set objWMIService = GetObject _
			("winmgmts:\\" & strComputer & "\root\cimv2")
		Set colOperatingSystems = objWMIService.ExecQuery _
			("Select * from Win32_OperatingSystem")
		For Each objOS in colOperatingSystems
			dtmBootup = objOS.LastBootUpTime
			dtmLastBootupTime = WMIDateStringToDate(dtmBootup)
			dtmSystemUptime = DateDiff("h", dtmLastBootUpTime, Now()) 
		Next
		Set objWMIService = GetObject _
			("winmgmts:\\" & strComputer & "\root\cimv2")
		Set colComputerSys = objWMIService.ExecQuery _
			("Select UserName from Win32_ComputerSystem")
		For Each objCS in colComputerSys
			username = objCS.UserName
			logStream.writeline(strComputer & ",Online," & dtmSystemUptime & "," & dtmLastBootupTime & "," & username) 
		Next
				
	End If
	logStream.Close
End Sub
Function WMIDateStringToDate(dtmBootup)
    WMIDateStringToDate = CDate(Mid(dtmBootup, 5, 2) & "/" & _
         Mid(dtmBootup, 7, 2) & "/" & Left(dtmBootup, 4) _
         & " " & Mid (dtmBootup, 9, 2) & ":" & _
         Mid(dtmBootup, 11, 2) & ":" & Mid(dtmBootup, _
         13, 2))
End Function

How to Use WMI Filtering to Improve Group Policy Administration

Group policy is one of the most versatile and powerful ways to manage your workstations in your domain. However, using just basic Group Policy to object relationship links you can limit the customization that is possible with group policy. Today I will show you how to add WMI (Windows Management Interface) Filtering to your group policy. This will allow you to build a kind of rule, and allow you to pick and choose which workstations get the policy and which don’t. My goal today is to apply my group policy to only workstations that start with the name of shs-exam. This is basically all the workstations that reside in our exam rooms and I would like them to have a special set of settings, however I want them to co-exist in my Active Directory structure in the proper ‘departmental’ organizational units that I already have.
Requirementswmi-query

Configuration

  1. Open your Group Policy Management Console and browse to WMI Filters in your Domain.
  2. Go ahead and Right Click on WMI Filters and select New
  3. Give the WMI Filter a nice descriptive name and give more detailed text in the Description if needed.
  4. To build your actual query for WMI you need to think of this as a question to ask the PC and if it returns any result then the Group Policy will be applied to it. The query I have built asks it to return name for the computer and if the name contains “SHS-EXAM” then it will return the name and get the group policy applied, if not then nothing happens and the group policy is skipped.
  5. group-policy-scope-wmi-filtering

  6. Add your WMI Query, mine is Select name from Win32_ComputerSystem WHERE NOT name LIKE “%SHS-EXAM%” This will basically select all computers that are not named “SHS-EXAM”
  7. Now press Save
  8. Now that we have successfully made the WMI Filter we need to apply it to the proper group policy, so go to your Group Policy Objects under your domain and select the one you wish to add the filter to.
  9. The last section on the screen should be WMI Filtering, just drop down the list and select the WMI Filter you just made

Reference Material

  • WQL (SQL for WMI) (Windows) – This is a great list of advanced operators and examples to get you close the the proper syntax
  • HOWTO: Leverage Group Policies with WMI Filters – This article explains in detail how to create a WMI filter to determine the scope of a Group Policy based on computer attributes.
  • Paessler WMI Tester – This tool can help you test your WMI queries before deploying them in Group Policy use. I use this tool all the time to help find information about a workstation.
  • Microsoft Win32 Classes Reference – This is a Microsoft’s reference for all of the objects and events for WMI. You can use this to find that specific settings you need to filter on.

How to Setup a Legal Notice Before Login in Group Policy

A few days ago I was tasked with setting up a notice to users before the actually log on to the computer to notify them that if they use this computer they agree to blah.. blah.. blah legal stuff. To solve this, I decided that this would be good to see on every computer we have in the organization so I added it to the Default Domain Policy, but this can be applied to users or computers at any level you see fit. This is a very easy setting that may also substitute for signing the computer usage agreements every year.

    legal-notice-group-policy-settings

  1. Open up your Group Policy Management Console (gpmc.msc)
  2. Go to the Group Policy Object in your domain, right click on Default Domain Policy and select Edit…
  3. Once the Group Policy Editor is up, using the treeview on on the left go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  4. To edit the title of the windows change: Interactive logon:Message title for users attempting to log on
  5. To edit the message text change: Interactive Logon:Message text for users attempting to log on

How to Deploy Microsoft Office 2007 using Group Policy

Every few years you get the opportunity to update to that new fresh version of Microsoft Office, but you defiantly do not want to go computer to computer uninstalling the old and installing the new version. In the past you have just been able to create an MST and deploy it in group policy, this is not the case anymore. Microsoft is trying to push the System Management Server for most the large corporate environments, however I work at a place where spending money is not so much a popular topic, it is better to solve the problem withe the stuff you already have. Since you can’t make a MST to push out Microsoft Office 2007 customized you get a fancy XML file to play with to customized your installation so you can include things like Product Key, Organization, Display Levels of Installer, Accept the EULA, and which parts of Microsoft Office to install. This XML file is very unfriendly because it is very hard to determine the proper syntax or options since the Microsoft documentation is well… lacking to say the least. Other important things to note, this can only be deployed to as part of a Group Policy for a Computer. It will remind you of this if you try to add the MSI to the Users Group Policy. Microsoft also recommends that you don’t deploy this in large networks because of effects on the bandwidth required to install over the network cannot be managed like they can with System Management Server.

Network Share Setup

  1. Copy your entire Microsoft Office 2007 disk out to a network share that is readable by any user in your domain.
  2. Browse to the Enterprise.WW folder or Pro.WW folder in your deployment network share.
  3. Now Find or Create the config.xml file, scroll down and you can see a sample of mine at the bottom of this post. This is the key file that you will be modifying to customize your deployment of Microsoft Office 2007

Customizing the Microsoft Office 2007 deployment using config.xml
This is where all the magic happens if that is what you want to call it. There is several lines in this file I will try to hit the most important ones that you will need to use. At the bottom of the post you will be able to find the copy my config.xml file that I used for my deployment.

  • <Display Level="full" CompletionNotice="yes" SuppressModal="no" AcceptEula="yes" /> – These options have to do with how setup is displayed to the user.
    Display Level can be set to None, Basic or Full by default it is Full. Full: shows the entire setup to the user and allow them to modify options along the way. Basic: shows a welcome screen, Product Key if not included in config.xml file, EULA if not accepted, progress bar and Completion if allowed.
    CompletionNotice can bet set to Yes or No and is No by default and it will give a final screen showing that it had finished or not.
    SuppressModal can be Yes or No and is No by default and will suppress errors if set to Yes.
    AcceptEula can be set to Yes or No and is No by default, this makes the user accept the license agreement have to accept the EULA if set to No. I would strongly suggest setting this to Yes to save your users the trouble.
  • <PIDKEY Value="xxxxxxxxxxxxxxxxxxxxxxxxx" /> – This is where you insert your product key.
    If you DisplayLevel is set to Basic or None and you enter a product key it will automatically accept the EULA for the installation reguardless of what AcceptEula is set to.
  • <COMPANYNAME Value="My Cool Company" /> – Allows you to modify the organization field for the software registration
  • <OptionState Id="ACCESSFiles" State="Local" Children="force" /> – These lines help determine which parts of Microsoft Office 2007 will be installed. The ID element varies depending on what version of Office you are installing. The State option allows you to determine if you want to install this portion of Office or not. It can be set to Absent, which will not install it, Advertise, which will install on first use, Local, which will install it item, or default which will do the Microsoft default action for the element. The option Children is specific to the ID and if set to force will install all sub items, I prefer this that way you don’t ever have to worry about dependence or special features some user might want to use.
  • <Setting Id="RemovePrevious" Value="ACCESSFiles,EXCELFiles,OUTLOOKFiles,PPTFiles,PubPrimary,WORDFiles" /> – This is an important line if you are wanting it to replace or uninstall the current version of Microsoft Office that is installed like Office 2003 or XP during the installation of Microsoft Office 2007.

Adding the MSI to Group Policy
This next step is very simple as you need to go to the Group Policy that will be in charge of installing Office 2007. Now open up your Group Policy Managment Console and select the GP you plan to use to deploy office, then right click and select edit. Now use the Tree on the Left to browse to Computer Configuration > Software Settings > Software Installation and right click on Software Installation and select New > Packageā€¦ It will now prompt you with an open dialog box, go and select the MSI in the Office deployment directory for Enterprise it is called EnterpriseWW.msi. That’s it! Now just be sure to apply that Group Policy to the correct workstations and you will be good to go. The workstations should get the new version of Office 2007 next time it is restarted. You may want to test deploy it to a few machines to make sure everything goes smoothly.

Resources

<Configuration Product="Enterprise">

<Display Level="full" CompletionNotice="yes" SuppressModal="no" AcceptEula="yes" />
	
	<!-- <Logging Type="standard" Path="%temp%" Template="Microsoft Office Enterprise Setup(*).txt" /> -->
	
<PIDKEY Value="xxxxxxxxxxxxxxxxxxxxxxxxx" />

	<!-- <USERNAME Value="Customer" /> -->
	
<COMPANYNAME Value="My Organization" />
	
	<!-- <INSTALLLOCATION Value="%programfiles%\Microsoft Office" /> -->
	
	<!-- <LIS CACHEACTION="CacheOnly" /> -->
	
	<!-- <SOURCELIST Value="\\server\Apps\Office2007" /> -->
	
	<!-- <DistributionPoint Location="\\server\Apps\Office2007" /> -->
	
<OptionState Id="ACCESSFiles" State="Local" Children="force" />
<OptionState Id="EXCELFiles" State="Local" Children="force" />
<OptionState Id="GrooveFiles" State="Absent" />
<OptionState Id="OneNoteFiles" State="Local" Children="force" />
<OptionState Id="OUTLOOKFiles" State="Local" Children="force" />
<OptionState Id="PPTFiles" State="Local" Children="force" />
<OptionState Id="PubPrimary" State="Local" Children="force" />
<OptionState Id="WORDFiles" State="Local" Children="force" />
<OptionState Id="XDOCSFiles" State="Local" Children="force" />
<OptionState Id="SHAREDFiles" State="Local" Children="force" />
<OptionState Id="TOOLSFiles" State="Local" Children="force" />

<Setting Id="RemovePrevious" Value="ACCESSFiles,EXCELFiles,OUTLOOKFiles,PPTFiles,PubPrimary,WORDFiles" />


	
	<!-- <Setting Id="Reboot" Value="IfNeeded" /> -->
	
	<!-- <Command Path="msiexec.exe" Args="/i \\server\share\my.msi" QuietArg="/q" ChainPosition="after" Execute="install" /> -->
</Configuration>

List All Active Directory User Accounts in a CSV

We all know maintaining hundreds of user accounts can be frustrating especially when it comes to audit time and you need a good list of information to pass on to an auditor. Well today I am your savory, this simple script will produce you a list of users with some detailed information that can make audits or documentation much easier. The script creates a Comma Separated Values file or CSV that you can edit in Microsoft Excel or any standard spreadsheet application so you can customize the information before adding it to your report or audit. Below are the specific fields that this script will provide detail on for your Active Directory Users.

User Details

  • Name
  • Description
  • Profile Path
  • Home Drive
  • Account Disabled
  • Password Required
  • User Changable Password
  • Password Expires
  • SmartCard Required
  • Login Count
  • Last Login (date)
  • Last Password Change (date)
  • Created (date)
  • Modified (date)

Script Configuration
Before running this script there is some minor configuration that must be done so it can communicate with your Active Directory setup.

  1. Find objConnection.Open "Active Directory Server" change Active Directory Server to the name of your Domain Controller
  2. Find objCommand.CommandText = _
    "SELECT Name, description, profilePath, homeDrive, distinguishedName,userAccountControl FROM 'LDAP://dc=subdomain,dc=domain,dc=suffix' WHERE objectCategory='user'"
    change subdomain, domain, and suffix to the name of your domain i.e. west consco com (respectively)
  3. Find Set logStream = objFSO.opentextfile("C:\domainusers.csv", 8, True) and change C:\domainusers.csv to the location where you want the file saved. Be sure to save it with the extension CSV
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2

Const ADS_UF_ACCOUNTDISABLE = &H0002 
Const ADS_UF_PASSWD_NOTREQD = &H0020 
Const ADS_UF_PASSWD_CANT_CHANGE = &H0040 
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000 
Const ADS_UF_SMARTCARD_REQUIRED = &H40000 
 
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Server"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 

objCommand.CommandText = _
    "SELECT Name, description, profilePath, homeDrive, distinguishedName,userAccountControl FROM 'LDAP://dc=subdomain,dc=domain,dc=suffix' WHERE objectCategory='user'"  
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Set objFSO = CreateObject("scripting.filesystemobject")
Set logStream = objFSO.opentextfile("C:\domainusers.csv", 8, True)
logStream.writeline("Name,Description,Profile Path,Home Drive,Account Disabled,Password Required,User Changable Password,Password Expires,SmartCard Required,Login Count,Last Login,Last Password Change,Created,Modified")
Do Until objRecordSet.EOF

	strDN = objRecordset.Fields("distinguishedName").Value 
	Set objUser = GetObject ("LDAP://" & strDN)
	 
	If objRecordset.Fields("userAccountControl").Value AND ADS_UF_ACCOUNTDISABLE Then
		Text = "Yes"
	Else
		Text = "No"
	End If
	If objRecordset.Fields("userAccountControl").Value AND ADS_UF_PASSWD_NOTREQD Then
		Text = Text & ",No"
	Else
		Text = Text & ",Yes"
	End If
	 
	If objRecordset.Fields("userAccountControl").Value AND ADS_PASSWORD_CANT_CHANGE Then
		Text = Text & ",No"
	Else
		Text = Text & ",Yes"
	End If	 
	If objRecordset.Fields("userAccountControl").Value AND ADS_UF_DONT_EXPIRE_PASSWD Then
		Text = Text & ",No"
	Else
		Text = Text & ",Yes"
	End If
	If objRecordset.Fields("userAccountControl").Value AND ADS_UF_SMARTCARD_REQUIRED Then
		Text = Text & ",Yes"
	Else
		Text = Text & ",No"
	End If
	
	logStream.writeline(objRecordset.Fields("Name").Value & ","_
		& objRecordset.Fields("description").Value & ","_
		& objRecordset.Fields("profilePath").Value & ","_
		& objRecordset.Fields("homeDrive").Value & ","_
		& text & ","_
		& objUser.logonCount & ","_
		& objUser.LastLogin & ","_
		& objUser.PasswordLastChanged & ","_
		& objUser.whenCreated & ","_
		& objUser.whenChanged & ","_
		)
		
    objRecordSet.MoveNext
Loop
logStream.Close

How to Deploy VNC using Group Policy

Do you spend too much time running from desk to desk just to help someone make a shortcut or change the default printer? This could be the solution for you. Using UltraVNC you can remotely view and control their workstation from your desk. This can save you time from running around everywhere, and make your users happier faster by solving their problems on the spot. You can also make your boss happy be making it authenticate with Active Directory. That will ensure that everyone that has the remote support access uses their own username and password, and it is easily managed with Active Directory Groups. VNC works very simply by installing a server on every workstation which allows it to share out the desktop to other clients / viewer programs. By installing the VNC Server on all your workstations it will allow you to connect using the client / viewer application and provide hands on support directly from your workstation.

Requirements

Making the MSI using VNCed
Now that you have the required software, the first thing we need to do is uncompress the VNCed UltraVNC MSI Creator to a folder on your desktop. Once completed, run the run.bat and it should popup a GUI interface you can use to configure different parts of the UltraVNC Server.VNCed UltraVNC MSI Maker
Using this interface you can adjust and explore what options you have to choose from to customize your UltraVNC Deployment for your environment. The defaults here are a pretty good start and you can click on each item to get a description of what it will change. You may want to install this to a test computer a few times before rolling it out.
At this time you also need to configure if you will be using if you will be using Active Directory Authentication or just a plain password.

– To setup the plain password just fill out the password item and leave the newMSLogon unchecked.
– To setup Active Directory Authentication check the newMSLogon and you will need to make a file to select for aclImportFile. This file can either be generated based on the UltraVNC Instructions or you can use my file by creating a text file called: MSACL.ini and pasting allow 0x00000003 "..\Domain Admins in to it. That will allow anyone in the Domain Admins group to have full access to any machine setup using this MSI.

Once you have finished configuring the options for UltraVNC hit the Generate UltraVNC MSI button at the bottom. This will generate your UltraVNC.msi in the folder in which VNCed was extracted to. This file is what you will use to deploy UltraVNC to your workstations.

Using Group Policy to Deploy the MSI
First you will need to open either your Group Policy Management Console (gpmc.msc) and either modify your existing Workstation Group Policy or make a new one just for the deployment of this application depending on how you want to deploy it. By making a different GP to install, it can allow you deploy it just to a few machines, and only change the settings on those machines, where as the workstation method installs it to all workstations. This really up to the requirements of your environment. Either way you will need to look under Group Policy Object for your domain and create one or right click on one and edit it.Group Policy Software Installation
Now use the Tree on the Left to browse to Computer Configuration > Software Settings > Software Installation and right click on Software Installation and select New > Package… It will now prompt you with an open dialog box, go and select the MSI that we created earlier. If all goes well you should end up with something like the screenshot shows to the left. If all goes well now the only thing you have to do is link it to the OUs that you want it to effect if you created a new one , or you let your workstation group policy deploy to all the workstations the next time they restart.

Firewall ConfigurationGroup Policy Firewall Configuration for UltraVNC
If you run a firewall on your machine you will need to allow port 5900 open. If you only running the default Windows Firewall you can configure this using the same group policy that you deployed UltraVNC with. Just go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile then select Windows Firewall: Define port exceptions select Enabled then click the Show… button and click Add and fill out the items to specification.

For any other questions you have feel free to leave a comment I will be happy to assist you with the deployment.

For any other detailed information about UltraVNC you should check out their website at http://www.uvnc.com

Disable Windows Games Using Software Restriction Policy

Do you find that your users spend more time in freecell and minesweeper than actually doing work? Then one would say that it is time to block those applications from being started. To do this you can use the Software Restriction Policy that is Built in to Group Policy and your Domain. What you will need to do is create a new Group Policy, you could call it “No Windows Games” and then Edit it and drill down into Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies from there you will probably be presented with “No Software Restriction Policies Defined” now right click back on Software Restriction Polices in the tree view on the left and select Create New Policies. Now you should have the option for Additional Rules. This is where you need your restrictions. Here is the long article about what the different types of rules are, and what you can do with the from Microsoft, but since we just want to block Windows Games we just need to add a New Path Rules with the Disallowed option.

  • %SystemRoot%\system32\freecell.exe
  • %SystemRoot%\system32\mshearts.exe
  • %SystemRoot%\system32\sol.exe
  • %SystemRoot%\system32\spider.exe
  • %SystemRoot%\system32\winmine.exe
  • C:\Program Files\MSN Gaming Zone
  • C:\Program Files\Windows NT\Pinball\PINBALL.EXE

Once these restriction are in place you can link them to the OU or workstations to make them take effect. Your end result should look something like this:
No Windows Games Group Policy

Remove Temporary Files at Logoff

Over time users tend to open a lot of items programs that write little files to be used just once to print a document or a small setting for a program. These items build up over time and cause your computer to run slower due to your antivirus solution scanning it, your hard drive taking longer to find a free space of disk to write your new file or has to spend more time gathering up fragments of your file from in between these temp files. The solution here is pretty simple, these files need to go, and probably the easiest solution is the remove them when the user logs off. This doesn’t require anymore time for the user and typically isn’t a problem since most computers are logged on and off once a day.

This script will remove the most common temporary folder for the user as well as remove any of the temporary internet files that they have gathered while surfing the web. When we implemented this script we noticed that the antivirus scan time and how many files it scanned were significantly reduced providing a better and faster workstation for your users. This script should be placed in the Group Policy for users as one of their logoff script.

Const TEMPORARY_INTERNET_FILES = &H20&
dim intDepth
 
Set objShell = CreateObject("Shell.Application")
Set objFSO = CreateObject("Scripting.FileSystemObject")

'Clean User Temporary Intenet Files
Set objNameSpace = objShell.Namespace(TEMPORARY_INTERNET_FILES)
Set objFolderItem = objNameSpace.Self
set objFolder=objFSO.GetFolder(objFolderItem.Path)
intDepth=0
RemoveFolder objFolder

'Clean User Temp Files
Const TemporaryFolder = 2
Set tempFolder = objFSO.GetSpecialFolder(TemporaryFolder)
RemoveFolder tempFolder

 
sub RemoveFolder(objFolder)
	' Recursively remove files and folders
	intDepth=intDepth+1
	on error resume next
	for each objFile in objFolder.Files
		objFile.Delete true
	next
	Err.Clear
	on error goto 0
	for each objSubfolder in objFolder.SubFolders
		RemoveFolder objSubFolder
	next
	intDepth=intDepth-1
	if intDepth<>0 then' Don't delete top-level folder
		on error resume next
		objFolder.Delete true 
		err.Clear
		on error goto 0
	end if
end sub
Twitter Delicious Facebook Digg Stumbleupon Favorites More