Technical Insights • 1 min read
How to find User Directories from unauthorized Users
A PowerShell script to find and delete leftover user directories on a Terminal Server from users who no longer have AD group membership.
We wanted to clean up our Terminal Servers by deleting existing user directories from unauthorized users (e.g. deleted AD accounts). As a side effect we also identified all authorized users who have never logged in on the server.
```powershell
# Find User directories on a server (e.g. Terminal Server) from unauthorized Users
# and delete them.
# Also finds authorized Users not logged in yet (authorized users without user directory).
Import-Module ActiveDirectory

# The directory name must match the SamAccountName; path must end with "\"
$path = "C:\Users\"
$adgroup = "YourGroupName"

# Direct group members only (see the note on nested groups below), with a "Name"
# alias property so that Compare-Object can match them against the directory names
$users = Get-ADGroupMember $adgroup | Select-Object SamAccountName
$users = $users | Add-Member -MemberType AliasProperty -Name Name -Value SamAccountName -PassThru

# Only plain directories: folders carrying extra attributes (hidden, system, read-only),
# such as the built-in profile folders, do not satisfy the -eq comparison and are skipped
$dirs = Get-ChildItem $path | Where-Object { $_.Attributes -eq 'Directory' } | Select-Object Name

# Directories without a matching AD user (should be deleted)
$delme = Compare-Object $dirs $users -Property Name | Where-Object { $_.SideIndicator -eq '<=' }
# AD users without a matching directory (never logged in)
$nie = Compare-Object $dirs $users -Property Name | Where-Object { $_.SideIndicator -eq '=>' }
$nie | Select-Object Name

# Delete unauthorized directories. -Force is required because profile folders contain
# hidden and read-only files (e.g. NTUSER.DAT); add -WhatIf to preview before deleting.
foreach ($d in $delme) {
    $dd = $path + $d.Name
    Remove-Item -Recurse -Force $dd
}
```
Note: Subgroups (nested AD groups) are not supported by Get-ADGroupMember without the -Recursive flag.
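The same audit, written as an added example (not the script from the original post) that resolves nested groups with -Recursive, skips the built-in profile folders, and separates the report from the deletion so the removal can be previewed with -WhatIf and confirmed per directory. The function names, the exclusion list and the group name "YourGroupName" are assumptions.

```powershell
Import-Module ActiveDirectory

function Get-ProfileDirectoryAudit {
    [CmdletBinding()]
    param(
        [string]$Path = 'C:\Users',
        [Parameter(Mandatory)][string]$Group,
        # Built-in profile folders that never correspond to an AD account (assumed list)
        [string[]]$Exclude = @('Public', 'Default', 'Default User', 'All Users')
    )
    # -Recursive also resolves members of nested groups; keep only user objects
    $authorized = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { $_.SamAccountName.ToLowerInvariant() }
    # -Force lists hidden folders too, so the exclusion list decides what is skipped
    $dirs = Get-ChildItem -Path $Path -Directory -Force |
        Where-Object { $Exclude -notcontains $_.Name } |
        ForEach-Object { $_.Name.ToLowerInvariant() }

    # Directory present, account not in the group: candidate for deletion
    foreach ($d in $dirs) {
        if ($authorized -notcontains $d) {
            [pscustomobject]@{ Name = $d; Status = 'Unauthorized'; Path = Join-Path $Path $d }
        }
    }
    # Account in the group, no directory: user has never logged in on this server
    foreach ($u in $authorized) {
        if ($dirs -notcontains $u) {
            [pscustomobject]@{ Name = $u; Status = 'NeverLoggedIn'; Path = $null }
        }
    }
}

function Remove-UnauthorizedProfileDirectory {
    # ConfirmImpact High: each removal prompts unless -Confirm:$false is given
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Entry)
    process {
        if ($Entry.Status -ne 'Unauthorized') { return }
        # ShouldProcess honours -WhatIf and -Confirm passed to this function
        if ($PSCmdlet.ShouldProcess($Entry.Path, 'Remove profile directory')) {
            Remove-Item -LiteralPath $Entry.Path -Recurse -Force
        }
    }
}

# Preview first; drop -WhatIf once the list looks right
$audit = Get-ProfileDirectoryAudit -Group 'YourGroupName'
$audit | Where-Object Status -eq 'NeverLoggedIn' | Format-Table Name, Status
$audit | Remove-UnauthorizedProfileDirectory -WhatIf
```

Deleting only the folder leaves the account's ProfileList registry entry behind, so a user who is later re-added gets a temporary profile on logon; removing the profile through the Win32_UserProfile CIM class instead cleans up both.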