Title: [ActiveDir] Cleaning up Stale entries in AD
Well, then OLDCMP can help you detect "old" accounts. OLDCMP is from Joeware (http://www.joeware.net/win/free/tools/oldcmp.htm)
 
For computer accounts you could use something similar as mentioned below or just fire up OLDCMP each 2 months or something like that
 
Then, what you are talking about is user deprovisioning. For users you could think about a procedure that does something like:
 
What to do with user accounts that are or not mailbox enabled when the corresponding user(s) leave(s) the company. For that and without buying a full blown solution you can create tooling in a simple way if the following process is sufficient for you.
 
IT IS A 5 STEP PROCESS:
(1) Be sure to receive some notification a user has left the company
(2) Move its user account to a special de-provisioning OU (manually)
(3) Schedule a script to run regularly (daily or weekly or whatever is good for you) to disable AD enabled user accounts in the de-provisioning OU and if the account is mailbox enabled to add the "Associated External Account" permission to SELF. Also generate and set a difficult password (be careful with certificates if you use them for encryption!)
(4) Schedule a script to run regularly (daily or weekly or whatever is good for you) to check the de-provisioning OU for disabled user accounts that have been unused for a certain (inactive) period (e.g. 90 days). In a W2K3 domain with Domain Functional Level 'Windows Server 2003' you can use the 'lastLogonTimestamp' attribute that determines the last time a user logged on. In a W2K domain or W2K3 domain with Domain Functional Level 'Windows Server 2000 native' or lower you can use the 'lastLogon' attribute which is less accurate, but that will do.
If user accounts are found that meet the prerequisites (disabled and exceed a certain inactive period):
* Create a directory for the user in some "Archive Location" (the archive location is a location where the user's stuff will be copied to, backup for a certain time and after some other period the user's stuff is removed)
* Extract all populated attributes of the user account to the user's archive location (using LDIFDE)
* Check if a home directory exists (read attribute and check location) and MOVE it to the user's archive location
* Check if a profile directory exists (read attribute and check location) and MOVE it to the user's archive location
* Check if a TS home directory exists (read attribute and check location) and MOVE it to the user's archive location
* Check if a TS profile directory exists (read attribute and check location) and MOVE it to the user's archive location
* Exmerge the mailbox into a PST in the user's archive location (be careful with large PST sizes!!! e.g. > 2GB)(http://support.microsoft.com/default.aspx?scid=kb;en-us;830336)(http://support.microsoft.com/default.aspx?scid=kb;en-us;823176)
(5) Schedule a script to run regularly (daily or weekly or whatever is good for you) to check all the users' archive locations to see which exceed the archiving period for backup (e.g. 60 days). For this compare the folder creation date with the current date. If a user archive location is found and it is older than the current date minus the minimum required archiving period for backup, delete the folder
 
 
Cheers,
Jorge

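The scheduled parts of steps 3, 4 and 5 above (disable and reset password, find disabled accounts past the inactivity period via lastLogonTimestamp, archive, and expire old archive folders) as an added PowerShell example; this is not Jorge's script or any tool from the thread. It assumes the ActiveDirectory module, a placeholder de-provisioning OU DN and archive share, and a domain at the 'Windows Server 2003' functional level so lastLogonTimestamp is populated. The Exchange-specific steps (Associated External Account, Exmerge) and the TS home/profile paths are left out because they need Exchange tooling and attribute names the thread does not give. Run it with -WhatIf first to see what it would touch.

```powershell
# Added example, not the thread's own tooling. Placeholders: $DeprovOU and $ArchiveRoot.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DeprovOU     = 'OU=Deprovisioning,DC=example,DC=com',   # placeholder DN
    [string]$ArchiveRoot  = '\\fileserver\UserArchive',               # placeholder share
    [int]$InactiveDays    = 90,   # step 4 inactivity period
    [int]$ArchiveKeepDays = 60    # step 5 archive retention
)

Import-Module ActiveDirectory
$now = Get-Date

# Step 3: disable every still-enabled account in the de-provisioning OU and
# set a long random password so the credentials cannot be reused.
Get-ADUser -SearchBase $DeprovOU -Filter 'Enabled -eq $true' | ForEach-Object {
    if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Disable and reset password')) {
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $_ -NewPassword $pw -Reset
        Disable-ADAccount -Identity $_
    }
}

# Step 4: disabled accounts whose lastLogonTimestamp is older than the cutoff.
# lastLogonTimestamp is a FILETIME (100ns ticks since 1601); a missing/zero
# value means no logon since the attribute existed, so treat that as stale too.
$cutoff = $now.AddDays(-$InactiveDays)
$stale = Get-ADUser -SearchBase $DeprovOU -Filter 'Enabled -eq $false' `
            -Properties lastLogonTimestamp, homeDirectory, profilePath |
    Where-Object {
        $llt = $_.lastLogonTimestamp
        (-not $llt) -or ([DateTime]::FromFileTime($llt) -lt $cutoff)
    }

foreach ($u in $stale) {
    $dest = Join-Path $ArchiveRoot $u.SamAccountName
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Archive to $dest")) {
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        # Keep a copy of the populated attributes with LDIFDE, as the thread suggests.
        & ldifde.exe -d $u.DistinguishedName -p Base -f (Join-Path $dest 'account.ldf') | Out-Null
        # Move home and profile directories if the attributes point at existing paths.
        foreach ($path in @($u.homeDirectory, $u.profilePath)) {
            if ($path -and (Test-Path $path)) {
                Move-Item -Path $path -Destination $dest
            }
        }
    }
}

# Step 5: delete archive folders whose creation time is past the retention period.
$retain = $now.AddDays(-$ArchiveKeepDays)
Get-ChildItem -Path $ArchiveRoot -Directory |
    Where-Object { $_.CreationTime -lt $retain } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete expired archive')) {
            Remove-Item -Path $_.FullName -Recurse -Force
        }
    }
```

Two caveats worth keeping in mind when relying on this: lastLogonTimestamp is only replicated when the stored value is more than about 14 days old, so it tells you an account is unused for roughly the period, not the exact last logon; and because the archive deletion in step 5 is irreversible, the folder creation date must be trusted, so write the archive from the script rather than from ad-hoc copies.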

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye
Sent: Friday, September 30, 2005 09:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cleaning up Stale entries in AD

No I am not talking about records in DNS (in that case, the scavenging option in DNS will handle that). What I am talking about specifically is automatically deleting computer and user accounts from Active Directory if they have not been used for about a period of 90 days.

 

The stale records are too many and it would be impossible to manually remove all these accounts

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, September 29, 2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cleaning up Stale entries in AD

 

Just to be sure what you are asking...

 

IMHO:

* AD contains objects (users, groups, etc)

* DNS zones contain records (A records, SRV records, etc)

 

Are you talking about users in AD or are you talking about records in DNS?

 

Can you be more specific? My feeling says you are talking about DNS records (host records), but I'm not sure

 

Cheers

Jorge

 


From: [EMAIL PROTECTED] on behalf of Oluwaseyi Owoeye
Sent: Thu 9/29/2005 6:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cleaning up Stale entries in AD

Hello guys,

I have an Active Directory domain that has about 4000 records. I noticed
that because of the way the company operates (as in many people come
into the company on short notice) we have a lot of stale and obsolete
records in Active Directory and the number of these stale entries keeps
increasing.

Is there a way that records that have not been used for a
particular period of time (say 60 days) can be automatically removed
from Active Directory?

Your inputs will be highly appreciated
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/