Well, then OLDCMP can help you
detect "old" accounts. OLDCMP is from Joeware (http://www.joeware.net/win/free/tools/oldcmp.htm)
For computer accounts you could
use something similar as mentioned below or just fire up OLDCMP each 2 months or
something like that
Then, what you are talking about
is user deprovisioning. For users you could think about a procedure that does
something like:
What to do with user accounts
that are or not mailbox enabled when the corresponding user(s) leave(s) the
company. For that and without buying a full blown solution you can create
tooling in a simple way if the following process is sufficient for
you.
IT IS A 5 STEP PROCESS:
(1) Be sure to receive some notification a user has left the company (2) Move its user account to a special de-provisioning OU (manually) (3) Schedule a script to run regularly (dayly or weekly or whatever is good for you) to disable AD enabled user accounts in the de-provisioning OU and if the account is mailbox enabled to add the "Associated External Account" permission to SELF. Also generate and set a difficult password (be carefull with certificates if you use them for encryption!) (4) Schedule a script to run regularly (dayly or weekly or whatever is good for you) to check the de-provisioning OU for disabled user accounts that have been unused for a certain (inactive) period (e.g. 90 days). In a W2K3 domain with Domain Functional Level 'Windows Server 2003' you can use the 'lastLogonTimestamp' attribute that determines the last time a user logged on. In a W2K domain or W2K3 domain with Domain Functional Level 'Windows Server 2000 native' or lower you can use the 'lastLogon' attribute which is less accurate, but that will do. If user accounts are found that meet the prerequisites (disabled and exceed a certain inactive period): * Create a directory for the user in some "Archive Location" (the archive location is a location where the user's stuff will be copied to, backup for a certain time and after some other period the user's stuff is removed) * Extract all populated attibutes of the user account to the user's archive location (using LDIFDE) * Check if a home directory exists (read attribute and check location) and MOVE it to the user's archive location * Check if a profile directory exists (read attribute and check location) and MOVE it to the user's archive location * Check if a TS home directory exists (read attribute and check location) and MOVE it to the user's archive location * Check if a TS profile directory exists (read attribute and check location) and MOVE it to the user's archive location * Exmerge the mailbox into a PST in the user's archive location (be carefull with large PST sizes!!! e.g. > 2GB)(http://support.microsoft.com/default.aspx?scid=kb;en-us;830336)(http://support.microsoft.com/default.aspx?scid=kb;en-us;823176) (5) Schedule a script to run regularly (dayly or weekly or whatever is good for you) to check the all user's archive locations to see which exceed the archiving period for backup (e.g. 60 days). For this compare the folder creation date with the current date. If a user archive location is found and it is older than the current date minus the minimum required archiving period for backup, delete the folder TOOLS USED:
* ADModcmd.exe and others from (ADModify.NET) (http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2) * Robocopy.exe (tested with: v5.1.1.1010) (W2K3 Resource Kit) (http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en) * ExMerge.exe (tested with: v6.5.7529.0) (http://www.microsoft.com/downloads/details.aspx?FamilyID=429163EC-DCDF-47DC-96DA-1C12D67327D5&displaylang=en) Cheers,
Jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: Friday, September 30, 2005 09:53 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Cleaning up Stale entries in AD No I am not talking
about records in DNS (in that case, the scavenging option in DNS will handle
that). What I am talking about specifically is automatically deleting computer
and user accounts from active directly if they have not been used for about a
period of 90 days. The stale records are
too many and it would be impossible to manually remove all this
accounts From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Almeida Pinto, Jorge
de Just to be sure what
you are asking... IMHO: * AD contains objects (users,
groups, etc) * DNS zones contain records (A
records, SRV records, etc) Are you talking about users in AD or
are you talking about records in DNS? Can you be more specific? My feeling
says you are talking about DNS records (host records), but I'm not
sure Cheers Jorge From:
[EMAIL PROTECTED] on behalf of Hello
guys, This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. |
Title: [ActiveDir] Cleaning up Stale entries in AD