GPO for logoff.bat to delete the cookie on local drive

[Lillian]

I want to create the logoff.bat file for delete the
cookie on local machine with GPO, but is not working,
here is what I did, the logoff.bat like this:
echo off
del /q " \\%computername%\c$\documents and settings\%
username%\cookie\%username, so when I test on command
prompt it work no problem,no mater I login as
administrator or glctest1 (user name), I am running
nt2003 server, so I open the GPMC, create an GPO
name "deleted cookies", and copy the logoff.bat file into
c:\training1.gov\sysvol in
traing1.gov\training1.gov\policy\{54A172EB-DD19-4E38-A3C1
\user\scripts\logoff directory, then I did the gpupdate,
when I edit the GPO, I select user configuration--

windows settings\scripts\logoff, add logoff.bat in there.

so logoff administrator, then login glctest1, then I
search c:\documents and settings\glctest1.training1
\cookies\, all the cookies still there, what is wrong
wiht my GPO, in order for make this work, should I edit
the default domain controller policy or default domain
policy under Group Policy Objects, I don't know I am
doing this right or not. need help.

Thanks.

Lillian

 

[Marin Marinov]

<snip>
Hi Lillian,
I would suggest you slightly modify your script for two reasons. First,
you don't need to connect to the admin share since the script runs
locally, plus only member of Administrators can connect to c$ anyway.
Second,it's not always guaranteed that the profile will be named after
the user's logon name. So here's my idea:
del /q "%userprofile%/cookies/*.*"

You didn't mention in your post if the domain user accounts are in the
OU you linked the GPO to. You're on the right track here, don't edit the
default GPOs. Bare in mind that in order for settings under User
Configuration to apply to a user her user account must be in an OU that
is "hit" by the GPO (directly or from a parent).Respectively for
Computer configuration the computer account must be in such an OU.

Also, in your case you logged off Administrator which should trigger the
deletion of Administrator's cookies and not those of glctest1 which you
later examined. So while logged on with glctest1 review the cookies of
Administrator - they should be gone.

HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.

"True knowledge exists in knowing that you know nothing."
Socrates

 

[Lillian]

Marin:

I have logoff.bat file on the c:\ directory, when I
login as glctest1, I double click logoff.bat file,
nothing happen, the cookies is still there, why? also you
mention about del /q "%userprofile%/cookies/*.*", how to
define userprofile ? I also create the separate OU is
call "Deleted cookies" under training1.gov, I did not
modify default domain policy and default domain
controllers policy.

thanks.

Lillian

 

[Marin Marinov]

Marin:

I have logoff.bat file on the c:\ directory, when I
login as glctest1, I double click logoff.bat file,
nothing happen, the cookies is still there, why? also you
mention about del /q "%userprofile%/cookies/*.*", how to
define userprofile ? I also create the separate OU is
call "Deleted cookies" under training1.gov, I did not
modify default domain policy and default domain
controllers policy.

thanks.

Lillian

%userprofile% is an environment variable and the OS replaces it with the
actual path under Documents and Settings to the user's profile so just
use it as typed. I didn't ask you what client OS you have though this
should work for Win2K and above. Also, please excuse my mistyping of the
slashes, they should be backslashes like:

del /q "%userprofile%\cookies\*.*"

You can also modify the *.* filter to *.txt otherwise delete gives an
error about not being able to delete index.dat (though it's no harm if
you leave it this way).

Give this a shot and let me know if it still doesn't work.
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.

"True knowledge exists in knowing that you know nothing."
Socrates

 

[Lillian]

Marin:

I use your del /q "%userprofile%\cookies\*.*" make a
batch file name call deletecookie.bat, should I copy this
file to c:\training1.gov\sysvol on
training1.gov\training1.gov\policy\{54A172EB-DD19-4E38-
A3C1\user\scripts\logoff directory, and I created the OU
is call delete cookie, import this file in here, one more
question, if I just want the only all the glctest1-
glctest16 users affect this GPO, I created an global
group call GLC_G contains all the glctest users, and
removed Authenticated Users from the Scope of GPO, so
regular users except glctest users their cookie still
remain, am I right? if I want everyone login to PC when
they logoff the PC, make all the cookies goes away, I
suppose leave Authenticated Users along, do not deleted
it, am I right?

thanks.

Lillian