Windows 10 – Deleting Locally Cached Roaming Session

Tags: active-directory, roaming, session, windows 10

I'm desperately trying to delete an account on a Windows 10 workstation.
We have an employee who has left the company and we want to delete his account, but we can’t.

The account has been deleted from Active Directory (2012R2). So when the workstation is connected to the network, it is not possible to open a session using his old credentials, but when the computer is not on the network, the account is still usable.

This is a roaming issue! In order to try to correct that, we have deleted the files in C:\Users and all the registry keys at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.

But still, if we unplug the computer from the network, the session is still usable.

Is there a way to delete a roaming session on Windows 10?

Online / Offline aspect is very important! When the computer is online this is working as expected, but not when it is offline.

I have rebooted the computer and even tried on another one.

UPDATE 1: with the help of @Clayton and @Harry Johnston, my need is to delete cached domain credentials on a specific workstation. And I'm afraid the only workaround is their solution …

Any help or ideas will be much appreciated,

Thanks

Best Answer

This has nothing to do with the user's profile. You're seeing the effect of cached domain credentials.

I would have expected Windows to discard the cached credentials as soon as you attempted to log in with the deleted account while connected to the domain, but if that isn't happening you can explicitly disable caching.

You can do this with the Local Security Policy administrative tool. Under Security Options look for the setting

Interactive logon: Number of previous logons to cache

and set it to zero. Alternatively, go to this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

and change CachedLogonsCount to zero.

After making this change, restart the computer. I'm not sure whether the already cached credentials will be discarded immediately, but if not they should be discarded as soon as you log in (while online) using any active domain account.

Once you have confirmed that the deleted account can no longer log in even when the machine is offline, you can (if you wish) restore the setting to its usual value of 10 to ensure that the new user can still log in if the domain is offline.

If you don't want to support offline logons at all, you could configure the cache setting on all of your workstations at once using domain group policy. Just make sure you don't do this on laptops, or the users won't be able to log in when working remotely.
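As an added example (not part of the answer above, and not the author's own code), the same registry change done from an elevated PowerShell session. It assumes the Winlogon key path quoted in the answer and that CachedLogonsCount is stored as a REG_SZ string, which is how Windows stores it; writing a DWORD there is a common mistake.

```powershell
# Added example: disable, verify and later restore the cached-logon count on a workstation.
# CachedLogonsCount under Winlogon is a REG_SZ (string), not a DWORD, so values are written as strings.
# Run from an elevated PowerShell session; a restart is still required after the change.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: Windows falls back to its default of 10
    return [int]$item.$ValueName
}

function Set-CachedLogonsCount {
    # Windows accepts 0 to 50 cached logons; 0 disables offline domain logon entirely.
    param([ValidateRange(0, 50)][int]$Count)
    $previous = Get-CachedLogonsCount          # keep the old value so it can be put back later
    Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value ([string]$Count) -Type String
    Write-Host ("{0}: {1} -> {2}" -f $ValueName, $previous, $Count)
}

# Step 1 (the answer's first step): stop caching, then restart and log on with an active domain account.
Set-CachedLogonsCount -Count 0
# Restart-Computer -Force

# Step 2: once the deleted account can no longer log on offline, restore the usual value.
# Set-CachedLogonsCount -Count 10
```

If the setting is managed by domain group policy, the next policy refresh will overwrite a manual registry edit, so change it in the GPO instead.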