For something resembling kiosk-type usage, I need to create a non-persistent Windows 8.1 user account that resets itself to a pre-configured state every time a user logs on to it, then reverts any changes that are made locally during the session (downloaded files, saved Windows network passwords, interface settings, browser history, etc.).
A Mandatory User Profile (http://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx) sounds like it would be exactly what I want, but from everything I've found, it seems to be set up using tools available only in Pro or Enterprise versions of Windows, whereas I need it in garden variety Windows 8.1. (I'd also like the option of keeping the profile local, and I think they might have to be stored on a remote server?)
I'm *completely* new to PowerShell, so here's what I came up with. It doesn't work yet, and I'm aware of at least some of the problems with it, but it should at least get the idea across. In a neater world, it would just be the Logoff script since it's a better time to slow the system down, but the Logon script and IsTainted.txt are in case the account doesn't get logged off properly for whatever reason.

Logon.ps1
---------

```powershell
if (get-content C:\Users\AdminAccount\KioskProfile\IsTainted.txt) {
    rm -recurse -force C:\Users\NonPersistentUser\
    cp C:\Users\AdminAccount\KioskProfile\NonPersistentUser\ -destination C:\Users\NonPersistentUser\ -recurse -force
} else {
    Set-Content -path C:\Users\AdminAccount\KioskProfile\IsTainted.txt -value "1"
}
```

Logoff.ps1
----------

```powershell
rm -recurse -force C:\Users\NonPersistentUser\
cp C:\Users\AdminAccount\KioskProfile\NonPersistentUser\ -destination C:\Users\NonPersistentUser\ -recurse -force
Clear-Content C:\Users\AdminAccount\KioskProfile\IsTainted.txt
```

The first problem I'm running into is that it's telling me the script doesn't have permission to delete the user folder. I'm running PowerShell as administrator from within the administrator account, so how can it not have permission? (Once it works, I plan on scheduling tasks for the scripts following the directions on http://blogs.technet.com/b/heyscriptingguy/archive/2012/08/11/weekend-scripter-use-the-windows-task-scheduler-to-run-a-windows-powershell-script.aspx)
Another (bigger) question is whether or not I can even nuke and replace a profile at all as I'm logging into / out of it. Is that timing going to be a problem?
One more thing I think is going to go wrong is retaining file permissions. How do I preserve the correct ownership and permissions with the script while copying between profile folders?
I also hit a speed bump with the computer not running scripts, but "Set-ExecutionPolicy RemoteSigned" seemed to resolve it. That's not a security risk, is it? These will likely be the only two scripts I'd ever like run on this system.
Any advice / suggestions? There are clearly a lot of experienced and talented admins here, so if there's a better way to do this, even using different tools or methods, please do let me know. Especially if it doesn't involve me hacking around wildly like this. Just keep in mind that this is the "Home" edition of Windows 8.1, and not Pro.
Thanks!
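
An added example, not part of the original post: one way to write the reset step so that ownership and ACLs survive the copy, using `robocopy` in place of `rm`/`cp`, and refusing to touch the profile while its registry hive is still loaded. It assumes the template folder was itself captured with `robocopy /COPYALL` (so its ACLs already name the kiosk account) and that the script runs elevated while the kiosk account is logged off; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not the poster's script. Paths are the ones from the post;
# the function names are hypothetical.
$Template   = 'C:\Users\AdminAccount\KioskProfile\NonPersistentUser'
$ProfileDir = 'C:\Users\NonPersistentUser'
$Flag       = 'C:\Users\AdminAccount\KioskProfile\IsTainted.txt'

function Test-ProfileInUse([string]$Dir) {
    # While the account is logged on, Windows holds NTUSER.DAT open, so an
    # exclusive open fails. Any failure is treated as "in use" (fail safe).
    $hive = Join-Path $Dir 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $hive)) { return $false }
    try {
        $fs = [System.IO.File]::Open($hive, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch {
        return $true
    }
}

function Reset-KioskProfile {
    # Empty or missing flag file: the last session was already cleaned up.
    if (-not (Get-Content -LiteralPath $Flag -ErrorAction SilentlyContinue)) {
        return 'clean'
    }
    # Hive still loaded: leave the flag set so a later run retries.
    if (Test-ProfileInUse $ProfileDir) {
        return 'in-use'
    }
    # /MIR     make the destination match the template, deleting extra files
    # /COPYALL copy data, attributes, timestamps, ACLs, owner and auditing info
    # /B       backup mode, so files the admin has no ACL entry on still copy
    # /XJ      do not follow the legacy junctions inside a profile folder
    robocopy $Template $ProfileDir /MIR /COPYALL /B /XJ /R:1 /W:1 /NP /NFL /NDL | Out-Null
    # robocopy exit codes below 8 mean success (with or without files copied).
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed, exit code $LASTEXITCODE" }
    Clear-Content -LiteralPath $Flag
    return 'reset'
}

Reset-KioskProfile
```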