10 COMMENTS

  1. I was wondering if you ever thought of changing the structure of your site? It's very well written; I love what you've got to say. But maybe you could a little more in the way of content so people could connect with it better. You've got an awful lot of text for only having one or two images. Maybe you could space it out better?

  2. Excellent blog, there’s a typo in one of the snippets mind:

    Get-WmiObject -ClassName Win32_UseProfile -ComputerName computerame | Sort-Object LastUseTime | Select-Object -Last 1

    Should be Win32_UserProfile.
    Get-WmiObject -ClassName Win32_UserProfile -ComputerName computerame | Sort-Object LastUseTime | Select-Object -Last 1

  3. Thank you for this – worth calling out I think – your 2018 update is labeled “better” however some differences that I think are worth calling out and make it a bit more subjective – indeed these differences are what landed me here while trying to find a solution 🙂
    – your first option can be run entirely local on a server and requires no ADDS access – e.g. can be run with an account that has no domain access.
    – your first option can be run on a server that doesn’t have the AD module for PowerShell, which most servers will not by default.
    – your first option (this really was the solution I was hunting) provides a way to separate cached domain user profiles from local profiles, that works irrespective of connecting to AD. The bottom option, which it might be good for say… confirming a profile belongs to a disabled user, is not going to be able to tell you anything about a local user profile and thus programmatically would appear the same as a deleted user.

    All of which is to say, each option has value. In my case the best option is using the first registry based query to find defunct profiles, and use the .delete method of the WMI profile class to remove the matched-by-SID profiles. Thank you again for this post!

  4. Thanks Kent. Very helpful post. However, I’m getting the following error on the very last command.
    “Get-ADUser : Cannot find an object with identity: ‘S-1-5-18’ under: ‘DC=au,DC=xxxxxxxxxx,DC=net,DC=au’.
    At line:1 char:1”
    Am I missing something here?

    • That isn’t an AD SID, so AD can’t find it.
      Try
      [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18').Translate([System.Security.Principal.NTAccount]).Value

      [System.Security.Principal.SecurityIdentifier]::new($item.SID).Translate([System.Security.Principal.NTAccount]).Value
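
The points raised in comments 3 and 4 (telling local and well-known SIDs apart from domain SIDs before querying AD), as an added example that is not code from the post or from any commenter. `Resolve-ProfileSid` is a hypothetical helper name; the sketch assumes the machine has at least one local account (used to learn the local SID prefix) and uses `Get-CimInstance` so it also runs on PowerShell 7.

```powershell
# Added example: classify each profile SID before asking AD about it.
function Resolve-ProfileSid {                      # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Sid,
        [string]$MachineSid                        # SID prefix shared by this computer's local accounts
    )

    $sidObj = [System.Security.Principal.SecurityIdentifier]::new($Sid)

    # Well-known SIDs such as S-1-5-18 (LocalSystem) have no account-domain part,
    # which is why Get-ADUser cannot find them.
    $domainPart = $sidObj.AccountDomainSid
    $kind = if ($null -eq $domainPart)                 { 'WellKnown' }
            elseif ($domainPart.Value -eq $MachineSid) { 'Local' }
            else                                       { 'Domain' }

    $name = $null
    try {
        $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # No account maps to this SID any more (for example a deleted user).
    }

    [pscustomobject]@{
        SID      = $Sid
        Kind     = $kind
        Account  = $name
        Resolved = [bool]$name
    }
}

# Learn the local machine SID prefix from any local account.
$local = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount=True' |
    Select-Object -First 1
$machineSid = if ($local) {
    [System.Security.Principal.SecurityIdentifier]::new($local.SID).AccountDomainSid.Value
}

# Only rows with Kind = 'Domain' are worth passing to Get-ADUser.
Get-CimInstance -ClassName Win32_UserProfile |
    ForEach-Object { Resolve-ProfileSid -Sid $_.SID -MachineSid $machineSid } |
    Sort-Object Kind |
    Format-Table -AutoSize
```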
