
I'm desperately trying to delete an account on a Windows 10 workstation. We have an employee who has left the company and we want to delete his account, but we can’t.

The account has been deleted from Active Directory (2012R2). So when the workstation is connected to the network, it is not possible to open a session using his old credentials, but when the computer is not on the network, the account is still usable.

This is a roaming issue! To try to correct that, we have deleted the files in C:\Users and all the registry keys at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

But still, if we unplug the computer from the network, the session is still usable.

Is there a way to delete a roaming session on Windows 10?

The online/offline aspect is very important! When the computer is online this is working as expected, but not when it is offline.

I have rebooted the computer and even tried on another one.

UPDATE 1: with the help of @Clayton and @Harry Johnston, what I need is to delete cached domain credentials on a specific workstation. And I'm afraid the only workaround is their solution...

Any help or ideas will be much appreciated,

Thanks

Antoine
    Possible duplicate of [How to delete domain user profile from a computer?](https://serverfault.com/questions/450389/how-to-delete-domain-user-profile-from-a-computer) – Lenniey Jun 20 '18 at 14:21
  • Well the other post doesn't mention roaming ... And it doesn't solve my case – Antoine Jun 20 '18 at 14:22
  • It probably has nothing to do with roaming, as all domain profiles are always cached locally – Lenniey Jun 20 '18 at 14:23
  • That's what I was assuming, because the other post is not solving my problem. It seems impossible to delete an account – Antoine Jun 20 '18 at 14:27
  • The credentials may be cached in memory. Did you restart the machine after deleting the profile? – Clayton Jun 20 '18 at 14:41
  • Yes I did. I even tried on another computer, same result... I feel the SAM file is not updated when deleting a user account – Antoine Jun 20 '18 at 14:45
  • Try setting the CachedLogonsCount value to 0 (via registry or local policy). See https://serverfault.com/questions/375036/how-can-i-clear-cached-domain-credentials – Clayton Jun 20 '18 at 15:00
  • Yes, I have not tried that yet because I didn't want to have all accounts deleted, but I will try. Thanks! – Antoine Jun 20 '18 at 15:07

2 Answers


Open System Properties... click the Advanced tab... click the Settings button under the User Profiles section... find and select the user profile... click the Delete button.

joeqwerty
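The same operation the System Properties dialog performs, scripted in PowerShell as an added example (this is not the answerer's code). It finds the profile by its folder name rather than by account name, because the account no longer exists in AD and a name-to-SID lookup would fail, refuses to touch system or currently loaded profiles, and deletes it through the Win32_UserProfile class, which removes both the folder and the matching ProfileList key. As the asker reports above, this does not remove cached domain credentials. The folder name `jdoe` is an assumption.

```powershell
# Added example: scripted equivalent of System Properties > Advanced > User Profiles > Delete.
# Run elevated. The folder name 'jdoe' is a placeholder; the SID is read from the
# Win32_UserProfile record, which survives even though AD no longer resolves the name.
function Remove-StaleDomainProfile {
    param(
        [Parameter(Mandatory)] [string] $FolderName   # leaf of C:\Users\<FolderName>
    )

    $target = Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { (Split-Path -Leaf $_.LocalPath) -ieq $FolderName }

    if (-not $target) {
        Write-Warning "No profile with folder '$FolderName' found."
        return $null
    }
    if ($target.Special) {
        throw "Refusing to delete a system profile ($($target.LocalPath))."
    }
    if ($target.Loaded) {
        throw "Profile $($target.LocalPath) is loaded; log that account off (or reboot) first."
    }

    Write-Host "Deleting profile $($target.LocalPath) (SID $($target.SID))"
    # Remove-CimInstance on Win32_UserProfile deletes the profile folder and the
    # HKLM\...\ProfileList\<SID> key together, which is what the dialog does.
    $target | Remove-CimInstance
    return $target.SID
}

# Usage (assumed folder name):
# $sid = Remove-StaleDomainProfile -FolderName 'jdoe'
# Confirm nothing is left under ProfileList for that SID (expect False):
# Test-Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
```

Deleting the profile this way is cleaner than removing the C:\Users folder and registry key by hand, but it only affects the profile; the cached domain credentials that let the account log on offline live elsewhere, as the second answer explains.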

This has nothing to do with the user's profile. You're seeing the effect of cached domain credentials.

I would have expected Windows to discard the cached credentials as soon as you attempted to log in with the deleted account while connected to the domain, but if that isn't happening you can explicitly disable caching.

You can do this with the Local Security Policy administrative tool. Under Security Options look for the setting

Interactive logon: Number of previous logons to cache

and set it to zero. Alternatively, go to this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

and change CachedLogonsCount to zero.

After making this change, restart the computer. I'm not sure whether the already cached credentials will be discarded immediately, but if not they should be discarded as soon as you log in (while online) using any active domain account.

Once you have confirmed that the deleted account can no longer log in even when the machine is offline, you can (if you wish) restore the setting to its usual value of 10 to ensure that the new user can still log in if the domain is offline.

If you don't want to support offline logons at all, you could configure the cache setting on all of your workstations at once using domain group policy. Just make sure you don't do this on laptops, or the users won't be able to log in when working remotely.

Harry Johnston
  • That's exactly it! The problem is that I absolutely have to support offline logons but I will reduce CachedLogonsCount to 1. My user should not use someone else's computer. I was looking for a way to delete on a specific computer the "cached domain credentials". Thanks for your help! – Antoine Jun 21 '18 at 09:27
  • @Antoine: Setting this to one could be problematic. See: https://blogs.technet.microsoft.com/instan/2011/12/06/cached-logons-and-cachedlogonscount/ – Greg Askew Jun 21 '18 at 11:29
  • Oh no... That's terrible. I really feel Active Directory can't delete an account when using offline logon (in a practical way)... – Antoine Jun 21 '18 at 12:06
  • Since you just need to delete this one account on a particular workstation, you can *temporarily* set `CachedLogonsCount` to zero. Once the cached domain credentials are gone, they're gone, and you can restore the default configuration. – Harry Johnston Jun 21 '18 at 21:17
  • ... note that this will not affect user profiles in any way. – Harry Johnston Jun 21 '18 at 21:18
  • Yes true. That's working so far. Thanks for your help ! – Antoine Jun 22 '18 at 13:06
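The temporary-purge procedure described in this answer and its comments, scripted in PowerShell as an added example (not the answerer's code). Step 1 records the current CachedLogonsCount and sets it to 0; after the restart and an online logon with an active domain account, a check queries the Security log for cached-credential logons (event 4624 with logon type 11, CachedInteractive) by the deleted account; once you have confirmed by hand, with the network unplugged, that the deleted account can no longer log on, step 2 restores the saved value. Setting the value through the Local Security Policy tool writes this same registry value, which is a REG_SZ string, not a DWORD. The backup file location and the user name `jdoe` are assumptions.

```powershell
# Added example: two-step CachedLogonsCount purge for one workstation. Run elevated.
# CachedLogonsCount is stored as a REG_SZ; Windows accepts 0..50, default 10.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$BackupFile  = "$env:ProgramData\CachedLogonsCount.backup"   # assumed location

function Get-CachedLogonsCount {
    $v = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { return 10 }   # an absent value means the default of 10
    return [int]$v
}

function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)] [int] $Count)
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value "$Count" -Type String
}

# Step 1: save the current value, disable caching, then restart and log on ONLINE
# with any active domain account so the stale cache entries are discarded.
function Start-CachedCredentialPurge {
    $current = Get-CachedLogonsCount
    Set-Content -Path $BackupFile -Value $current
    Set-CachedLogonsCount -Count 0
    Write-Host "CachedLogonsCount was $current, now 0. Restart, then log on online with an active domain account."
}

# Check: any 4624 event with LogonType 11 (CachedInteractive) for the deleted account
# after the purge began means the workstation still honoured its cached credentials.
function Get-CachedLogonsSincePurge {
    param([Parameter(Mandatory)] [string] $UserName)   # sAMAccountName, e.g. 'jdoe' (assumed)
    if (-not (Test-Path $BackupFile)) { throw "No purge in progress (backup file missing)." }
    $since = (Get-Item $BackupFile).LastWriteTime
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='11']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -gt $since } |
        Where-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            ($data | Where-Object Name -eq 'TargetUserName').'#text' -ieq $UserName
        }
}

# Step 2: call only after the offline test (network unplugged, deleted account rejected)
# has passed; restores the pre-purge value so the new user can still log on offline.
function Complete-CachedCredentialPurge {
    $orig = [int](Get-Content -Path $BackupFile)
    Set-CachedLogonsCount -Count $orig
    Remove-Item -Path $BackupFile
    Write-Host "CachedLogonsCount restored to $orig."
}

# Usage:
# Start-CachedCredentialPurge            # then Restart-Computer, log on online as an active user
# Get-CachedLogonsSincePurge -UserName 'jdoe'   # expect no events
# (unplug the network, confirm 'jdoe' cannot log on, plug it back in)
# Complete-CachedCredentialPurge
```

Leaving the value at 0 on a laptop would lock its users out whenever the domain is unreachable, which is why the restore step exists; the comment above about setting it to 1 being problematic applies to the permanent value, not to this temporary change.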