Thursday, April 28, 2011
After cleaning up a user profile on a Windows 7 station (deleting the folder “c:\users\MyUserAccount” and the roaming profile on “\\fs01\profiles\MyUserAccount”), I thought I would start with a clean profile.
But Windows kept logging user “MyUserAccount” in with a temporary profile.
It seems that Windows keeps a list of profile locations in the registry. If that location for a certain user can’t be found, the user is logged on with a temporary profile.
This is the key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
What you see there is a list of profile SIDs, so you have to check them all to find your user and delete the whole key accordingly.
I thought it would be handy to write a script that automates this.
It reads the value “ProfileImagePath” under each key, and if the folder that value points to (e.g. c:\users\JohnDoe) doesn’t exist on the local system, it wipes the whole registry key from the ProfileList.
Save as W7ProfileListCleanup.vbs:
'### Run from an elevated prompt: cscript //nologo W7ProfileListCleanup.vbs
'### No global "On Error Resume Next": with it, an error raised inside an If
'### condition falls through into the Then branch, which here is the delete.
'### GLOBAL VARIABLES
Dim WSHShell, oFSO, objRegistry, strComputer, ProfileListRegistryLocation, RegistryKeyContainingPath
Dim ArrayWithProfileSIDS, ProfileSID, FullPath, LocalProfileDir, ReturnCode, HKEY_LOCAL_MACHINE
'### CREATE OBJECTS
Set WSHShell = CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")
strComputer = "."
Set objRegistry = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
'### CONSTANTS
HKEY_LOCAL_MACHINE = &H80000002
ProfileListRegistryLocation = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
RegistryKeyContainingPath = "ProfileImagePath"
'### FUNCTIONS NEEDED
Function CheckAndDelete(LocalProfileDir, ProfileSID, FullPath)
    If Not oFSO.FolderExists(LocalProfileDir) Then
        WScript.Echo "NOT FOUND: " + LocalProfileDir
        DeleteProfileListKeyRecursive FullPath
    Else
        WScript.Echo "OK: " + LocalProfileDir
    End If
End Function
Function DeleteProfileListKeyRecursive(FullPath)
    '### reg delete removes the key together with all of its subkeys
    WSHShell.Run "reg delete ""HKLM\" + FullPath + """ /f", 0, True
    WScript.Echo "- Deleted: " + FullPath
End Function
'### END OF FUNCTIONS NEEDED
'### START THE ACTION
'### ENUMERATE THE LIST WITH PROFILES
objRegistry.EnumKey HKEY_LOCAL_MACHINE, ProfileListRegistryLocation, ArrayWithProfileSIDS
If IsArray(ArrayWithProfileSIDS) Then
    For Each ProfileSID In ArrayWithProfileSIDS
        FullPath = ProfileListRegistryLocation & "\" & ProfileSID
        LocalProfileDir = ""
        ReturnCode = objRegistry.GetExpandedStringValue(HKEY_LOCAL_MACHINE, FullPath, RegistryKeyContainingPath, LocalProfileDir)
        If ReturnCode <> 0 Or IsNull(LocalProfileDir) Or LocalProfileDir = "" Then
            '### No readable ProfileImagePath: leave the key alone instead of deleting it
            WScript.Echo "SKIPPED (no ProfileImagePath): " + FullPath
        Else
            '### CHECK FOR DIRS AND DELETE IF NOT FOUND
            CheckAndDelete LocalProfileDir, ProfileSID, FullPath
        End If
    Next
End If
Wednesday, April 27, 2011
A common use case for open relays is MFCs (“copiers”), because people need to scan documents and want to mail them directly to recipients on the internet.
Never apply the following to your normal connector for mailflow, as your mailserver will most certainly be used to send spam!
Create a new receive connector (Server configuration, Hub Transport) and make sure its bindings don’t conflict with other connectors. The name for the connector could be something like “Relay Connector MFC’s”. Make sure you add only the right IP addresses or ranges.
To grant the relay access, the following line will do the trick:
Get-ReceiveConnector "Relay Connector MFC's" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
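To check afterwards which receive connectors carry this right and which remote addresses they accept, here is an added audit example (not part of the original post) for the Exchange Management Shell. It assumes the default "all addresses" range is shown as 0.0.0.0-255.255.255.255; the report column names are made up for this example.

```powershell
# Added example: list every receive connector on which anonymous senders
# may relay to any recipient, and show how wide its remote IP scope is.
$right   = 'Ms-Exch-SMTP-Accept-Any-Recipient'
$anyIPv4 = '0.0.0.0-255.255.255.255'   # assumed rendering of "all IPv4 addresses"

$report = foreach ($connector in Get-ReceiveConnector) {
    # Explicit or inherited allow-ACEs for ANONYMOUS LOGON carrying the relay right
    $grants = @(Get-ADPermission -Identity $connector.Identity |
        Where-Object {
            $_.User -like 'NT AUTHORITY\ANONYMOUS LOGON' -and
            -not $_.Deny -and
            $_.ExtendedRights -like $right
        })
    if ($grants.Count -eq 0) { continue }   # connector cannot relay anonymously

    $ranges = @($connector.RemoteIPRanges | ForEach-Object { $_.ToString() })
    New-Object PSObject -Property @{
        Connector      = $connector.Identity
        Bindings       = ($connector.Bindings | ForEach-Object { $_.ToString() }) -join ', '
        RemoteIPRanges = $ranges -join ', '
        OpenToAnyIPv4  = ($ranges -contains $anyIPv4)   # True = relay for everyone
    }
}

# Connectors that relay for any source address are listed first
$report | Sort-Object OpenToAnyIPv4 -Descending |
    Format-Table Connector, Bindings, RemoteIPRanges, OpenToAnyIPv4 -AutoSize
```

Only the dedicated MFC connector should appear in the output, with OpenToAnyIPv4 set to False.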
Friday, April 22, 2011
Whether it’s just for fun or your company wants to brand their Windows 7 logon background, here’s how:
Prepare the system:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d "0x1" /f
mkdir c:\windows\system32\oobe\info\backgrounds
Now, at least place the following file in c:\windows\system32\oobe\info\backgrounds.
This will be the “fallback” image, so if none of the following files is found the image above will be stretched to fit your current resolution.
Optionally you can place the following files:
- background768x1280.jpg
- background900x1440.jpg
- background960x1280.jpg
- background1024x1280.jpg
- background1280x1024.jpg
- background1024x768.jpg
- background1280x960.jpg
- background1600x1200.jpg
- background1440x900.jpg
- background1920x1200.jpg
- background1280x768.jpg
- background1360x768.jpg
Remember: file size cannot exceed 256 KB (so I’ve heard, not tested)….
Tuesday, April 12, 2011
After cacls and xcacls.vbs, we now have icacls to set file and folder permissions.
Here are some practical examples.
Create a bunch of directories
md d:\apps
md d:\profiles
md d:\users
Share the directories. Note the offline caching; users are allowed to enable offline caching for their homedirs, other directories are disabled for offline caching.
net share apps=d:\apps /grant:everyone,FULL /CACHE:None
net share profiles=d:\profiles /grant:everyone,FULL /CACHE:None
net share users=d:\users /grant:everyone,FULL /CACHE:Manual
Now let’s script the ntfs permissions for the apps share:
- “(OI)(CI)F” means Full Control on “This Folder, Subfolders and files”
- “(OI)(CI)M” means Modify on “This Folder, Subfolders and files”
- “/inheritance:r” means remove all inherited ACLs from the parent
icacls "d:\apps" /grant "domain admins":(OI)(CI)F /inheritance:r
icacls "d:\apps" /grant "everyone":(OI)(CI)M /inheritance:r
On the profiles share, only the “domain admins” should be allowed to enter all “Folders, Subfolders and files” (hence the (OI)(CI)F); everyone else should be able to read “this folder only”.
So without a combination of (CI) and/or (OI) it means “this folder only”.
icacls "d:\profiles" /grant "domain admins":(OI)(CI)F /inheritance:r
icacls "d:\profiles" /grant "everyone":R /inheritance:r
Upon creating a new user, the Domain Admin should manually create a profile folder for the user and add the user with appropriate rights.
The same goes for the users share containing the homedirectories of all users
icacls "d:\users" /grant "domain admins":(OI)(CI)F /inheritance:r
icacls "d:\users" /grant "everyone":R /inheritance:r
Now use your own imagination :)
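The manual per-user step described above, scripted for a home directory under d:\users and followed by a check of the resulting ACL. This is an added example, not part of the original post; the domain name CONTOSO, the account jdoe and the choice of Modify for the user are assumptions.

```powershell
# Added example: create one user's home directory with explicit ACEs only.
$Domain  = 'CONTOSO'   # hypothetical NetBIOS domain name
$User    = 'jdoe'      # hypothetical account name
$HomeDir = Join-Path 'd:\users' $User

if (-not (Test-Path $HomeDir)) {
    New-Item -ItemType Directory -Path $HomeDir | Out-Null
}

# Remove inherited ACEs, then grant Full Control to the admins and
# Modify (assumed right) to the owner, both on folder, subfolders and files.
icacls $HomeDir /inheritance:r /grant "${Domain}\Domain Admins:(OI)(CI)F" "${Domain}\${User}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $HomeDir" }

# Verify: no inherited ACEs and no principals other than the two granted above.
$allowed    = "$Domain\Domain Admins", "$Domain\$User"
$unexpected = @((Get-Acl $HomeDir).Access | Where-Object {
    $_.IsInherited -or ($allowed -notcontains $_.IdentityReference.Value)
})

if ($unexpected.Count -gt 0) {
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    throw "Unexpected ACEs on $HomeDir"
}
"OK: $HomeDir is restricted to $($allowed -join ' and ')"
```

Run it as a member of Domain Admins, since removing inheritance leaves only the two explicit entries on the folder.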