Hi,
 
I wrote the following a while ago... See if you can use the procedure
 
What to do with user accounts that are or are not mailbox enabled when the 
corresponding user(s) leave(s) the company. For that, and without buying a full-
blown solution, you can create tooling in a simple way if the following process 
is sufficient for you.
IT IS A 5-STEP PROCESS:
(1) Be sure to receive some notification a user has left the company
(2) Move its user account to a special de-provisioning OU (manually)
(3) Schedule a script to run regularly (daily or weekly or whatever is good for 
you) to disable AD enabled user accounts in the de-provisioning OU and, if the 
account is mailbox enabled, to add the "Associated External Account" permission 
to SELF. Also generate and set a difficult password (be careful with 
certificates if you use them for encryption!)
(4) Schedule a script to run regularly (daily or weekly or whatever is good for 
you) to check the de-provisioning OU for disabled user accounts that have been 
unused for a certain (inactive) period (e.g. 90 days). In a W2K3 domain with 
Domain Functional Level 'Windows Server 2003' you can use the 
'lastLogonTimestamp' attribute that determines the last time a user logged on. 
In a W2K domain or W2K3 domain with Domain Functional Level 'Windows Server 
2000 native' or lower you can use the 'lastLogon' attribute which is less 
accurate, but that will do.
If user accounts are found that meet the prerequisites (disabled and exceed a 
certain inactive period):
* Create a directory for the user in some "Archive Location" (the archive 
location is a location where the user's stuff will be copied to, backup for a 
certain time and after some other period the user's stuff is removed)
* Extract all populated attributes of the user account to the user's archive 
location (using LDIFDE)
* Check if a home directory exists (read attribute and check location) and MOVE 
it to the user's archive location
* Check if a profile directory exists (read attribute and check location) and 
MOVE it to the user's archive location
* Check if a TS home directory exists (read attribute and check location) and 
MOVE it to the user's archive location
* Check if a TS profile directory exists (read attribute and check location) 
and MOVE it to the user's archive location
* Exmerge the mailbox into a PST in the user's archive location (be careful 
with large PST sizes!!! e.g. > 2GB)
(http://support.microsoft.com/default.aspx?scid=kb;en-us;830336)
(http://support.microsoft.com/default.aspx?scid=kb;en-us;823176)
(5) Schedule a script to run regularly (daily or weekly or whatever is good for 
you) to check all the users' archive locations to see which exceed the 
archiving period for backup (e.g. 60 days). For this compare the folder 
creation date with the current date. If a user archive location is found and it 
is older than the current date minus the minimum required archiving period for 
backup, delete the folder.
TOOLS USED:
* ADModcmd.exe and others from (ADModify.NET) 
(http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2)
* Robocopy.exe (tested with: v5.1.1.1010) (W2K3 Resource Kit) 
(http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en)
* ExMerge.exe (tested with: v6.5.7529.0) 
(http://www.microsoft.com/downloads/details.aspx?FamilyID=429163EC-DCDF-47DC-96DA-1C12D67327D5&displaylang=en)

 
cheers,
Jorge
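Added example (not Jorge's script, and not built on ADModify/LDIFDE wrappers as his was): steps 3 to 5 of the process above written as one PowerShell script using the RSAT ActiveDirectory module, with ldifde.exe for the attribute dump and robocopy.exe for the folder moves. The OU name, the archive UNC path, the 90-day inactivity window and the 60-day retention period are assumed placeholders, not values from the post. The mailbox part of steps 3 and 4 (Associated External Account, ExMerge) is deliberately left out. The script honours -WhatIf, so it can be dry-run before being scheduled.

```powershell
<#
  Added example for the ActiveDir thread above; assumes the ActiveDirectory module
  (RSAT), ldifde.exe and robocopy.exe are present. Paths, OU and day counts below are
  placeholders. Mailbox handling is not covered. Run once with -WhatIf first.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DeprovOU      = 'OU=Deprovisioning,DC=example,DC=com',  # assumed OU
    [string]$ArchiveRoot   = '\\fileserver\UserArchive',             # assumed archive location
    [int]   $InactiveDays  = 90,                                     # step 4 inactivity window
    [int]   $RetentionDays = 60                                      # step 5 archive retention
)
Import-Module ActiveDirectory

# Step 3: disable every still-enabled account in the OU and set an unguessable password.
function New-RandomPassword {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)   # 44 chars: upper, lower, digits, + / =
}
foreach ($u in Get-ADUser -SearchBase $DeprovOU -Filter { Enabled -eq $true }) {
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable and scramble password')) {
        $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity $u -NewPassword $pw -Reset
        Disable-ADAccount -Identity $u
    }
}

# Step 4: find disabled accounts unused for $InactiveDays and archive them.
# lastLogonTimestamp replicates, but a DC only rewrites it when the stored value is older
# than msDS-LogonTimeSyncInterval (14 days by default), so it is accurate to about 14 days.
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$dirAttrs = 'homeDirectory', 'profilePath', 'msTSHomeDirectory', 'msTSProfilePath'
$stale = Get-ADUser -SearchBase $DeprovOU -Filter { Enabled -eq $false } `
                    -Properties (@('lastLogonTimestamp') + $dirAttrs) |
         Where-Object {
             # Accounts that never logged on have no timestamp; treat them as stale too.
             -not $_.lastLogonTimestamp -or
             [DateTime]::FromFileTime($_.lastLogonTimestamp) -lt $cutoff
         }

foreach ($u in $stale) {
    $dest = Join-Path $ArchiveRoot $u.SamAccountName
    if (-not $PSCmdlet.ShouldProcess($u.SamAccountName, "Archive to $dest")) { continue }
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # Dump every populated attribute of this one object (base scope) to an LDIF file.
    & ldifde -f (Join-Path $dest 'account.ldf') -d $u.DistinguishedName -p Base | Out-Null

    # Move home, profile, TS home and TS profile folders (msTS* attributes exist on the
    # 2008+ schema; on 2003 they live inside userParameters). /COPYALL keeps ACLs and owner
    # for later review; robocopy exit codes of 8 or higher mean something was not copied.
    foreach ($attr in $dirAttrs) {
        $src = $u.$attr
        if ($src -and (Test-Path -LiteralPath $src)) {
            & robocopy $src (Join-Path $dest $attr) /E /MOVE /COPYALL /R:2 /W:5 /NP /NFL /NDL | Out-Null
            if ($LASTEXITCODE -ge 8) {
                Write-Warning "robocopy failed for $src (exit $LASTEXITCODE); folder left in place"
            }
        }
    }
}

# Step 5: delete archive folders whose creation date is older than the retention period.
$purgeBefore = (Get-Date).AddDays(-$RetentionDays)
Get-ChildItem -LiteralPath $ArchiveRoot -Directory |
    Where-Object { $_.CreationTime -lt $purgeBefore } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete expired archive')) {
            Remove-Item -LiteralPath $_.FullName -Recurse -Force
        }
    }
```

Schedule it under an account that has reset-password and disable rights on the de-provisioning OU only, plus modify rights on the archive share; the ShouldProcess checks mean `.\Deprovision.ps1 -WhatIf` lists every account and folder it would touch without changing anything.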
 
________________________________

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Tue 2006-01-31 04:00
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Account Lifecyle -- Best Practices



Hi -

 

Can someone recommend or point me to best practices for user account 
management? I guess that in large organizations this is either automated or 
some junior tech jockey is assigned to handle this full time. In smaller 
organizations, what is on the checklist when a user leaves? Do you disable or 
expire the account? Does this happen the day the user leaves? How long before 
archiving home directory and email? When are accounts finally deleted?

 

Any pointers welcome.

 

Thanks.

 

-- nme