With ADMODCMD you can query AD, disable users and add SELF to the ACL. This is something I posted a while ago... What to do with user accounts that are or are not mailbox enabled when the corresponding user(s) leave(s) the company. For that, and without buying a full-blown solution, you can create tooling in a simple way if the following process is sufficient for you.

IT IS A 5 STEP PROCESS:

(1) Be sure to receive some notification that a user has left the company.

(2) Move its user account to a special de-provisioning OU (manually).

(3) Schedule a script to run regularly (daily or weekly or whatever is good for you) to disable AD enabled user accounts in the de-provisioning OU and, if the account is mailbox enabled, to add the "Associated External Account" permission to SELF. Also generate and set a difficult password (be careful with certificates if you use them for encryption!).

(4) Schedule a script to run regularly (daily or weekly or whatever is good for you) to check the de-provisioning OU for disabled user accounts that have been unused for a certain (inactive) period (e.g. 90 days). In a W2K3 domain with Domain Functional Level 'Windows Server 2003' you can use the 'lastLogonTimestamp' attribute, which determines the last time a user logged on. In a W2K domain or a W2K3 domain with Domain Functional Level 'Windows Server 2000 native' or lower you can use the 'lastLogon' attribute, which is less accurate, but that will do.

If user accounts are found that meet the prerequisites (disabled and exceeding a certain inactive period):
* Create a directory for the user in some "Archive Location" (the archive location is a location where the user's stuff will be copied to, backed up for a certain time, and after some other period the user's stuff is removed)
* Extract all populated attributes of the user account to the user's archive location (using LDIFDE)
* Check if a home directory exists (read attribute and check location) and MOVE it to the user's archive location
* Check if a profile directory exists (read attribute and check location) and MOVE it to the user's archive location
* Check if a TS home directory exists (read attribute and check location) and MOVE it to the user's archive location
* Check if a TS profile directory exists (read attribute and check location) and MOVE it to the user's archive location
* Exmerge the mailbox into a PST in the user's archive location (be careful with large PST sizes!!! e.g. > 2GB) (http://support.microsoft.com/default.aspx?scid=kb;en-us;830336) (http://support.microsoft.com/default.aspx?scid=kb;en-us;823176)

(5) Schedule a script to run regularly (daily or weekly or whatever is good for you) to check all the users' archive locations to see which exceed the archiving period for backup (e.g. 60 days). For this, compare the folder creation date with the current date. If a user archive location is found and it is older than the current date minus the minimum required archiving period for backup, delete the folder.

TOOLS USED:
* ADModcmd.exe and others from ADModify.NET (http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2)
* Robocopy.exe (W2K3 Resource Kit) (http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en)
* ExMerge.exe (http://www.microsoft.com/downloads/details.aspx?FamilyID=429163EC-DCDF-47DC-96DA-1C12D67327D5&displaylang=en)

I have built the above for a customer of mine and it works great.

Cheers,
Jorge
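Added example, not Jorge's script nor part of any tool he lists: the selection rule of step (4) written in Python and run over a constructed LDIFDE-style export of the de-provisioning OU (it also covers the "has it sat here long enough" check that Dèjì's monthly cleanup below performs). It assumes a 90-day inactivity period, that userAccountControl bit 0x2 marks a disabled account, and that lastLogonTimestamp is a FILETIME (100-ns ticks since 1601-01-01 UTC); the OU name, user names and timestamps are made up.

```python
# Added example, not from the thread: the selection rule of step (4), run over a
# constructed LDIFDE-style export of the de-provisioning OU. Assumes a 90-day period,
# userAccountControl bit 0x2 = disabled, lastLogonTimestamp = FILETIME ticks since 1601.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x2
INACTIVE_DAYS = 90

def filetime_to_datetime(ticks: int) -> datetime:
    """AD Integer8 value (100-ns ticks since 1601-01-01) -> UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> int:
    # timedelta // timedelta is exact integer division; float maths would lose ticks
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: one dict per blank-line-separated entry, names lower-cased."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        name, _, value = line.partition(":")
        cur[name.strip().lower()] = value.strip()
    return entries + [cur] if cur else entries

def ready_to_archive(entry: dict, now: datetime, inactive_days: int = INACTIVE_DAYS) -> bool:
    """Disabled AND last logon older than the cut-off (never logged on counts as inactive)."""
    if not int(entry.get("useraccountcontrol", "0")) & UF_ACCOUNTDISABLE:
        return False  # step (3) has not disabled it yet: leave it alone
    ticks = int(entry.get("lastlogontimestamp", "0"))
    # lastLogonTimestamp is rewritten only when >14 days stale, so it can lag the real
    # last logon by up to 14 days; a 90-day period comfortably absorbs that.
    return ticks == 0 or filetime_to_datetime(ticks) < now - timedelta(days=inactive_days)

def select_accounts(ldif_text: str, now: datetime) -> list:
    return [e["dn"] for e in parse_ldif(ldif_text) if ready_to_archive(e, now)]

# Constructed sample: three users in the OU (name, userAccountControl, days since logon),
# evaluated on a fixed "today". 514 = normal account + disabled, 512 = enabled.
NOW = datetime(2005, 11, 10, tzinfo=timezone.utc)
def _ft(days_ago: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=days_ago))
_users = [("alice", 514, 120), ("bob", 514, 30), ("carol", 512, 200)]
SAMPLE_LDIF = "\n".join(
    f"dn: CN={n},OU=Deprovisioning,DC=example,DC=com\nuserAccountControl: {uac}\n"
    f"lastLogonTimestamp: {_ft(d)}\n" for n, uac, d in _users)
```

Only alice is selected: bob is disabled but logged on 30 days ago, and carol is still enabled, so step (3) has to run on her first.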
________________________________
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 11/10/2005 3:03 AM
To: [email protected]
Subject: RE: [ActiveDir] Automating NoMas

Me? I don't. I just change the password to a randomly-generated complex one, make domain users its primary group, remove it from all groups except domain users, hide it from the GAL and move it to a "Terminated" OU. That's where it stays until my monthly cleanup script runs, detects its modified date, sees if it's longer than "x number of days" (depending on corporate retention policy), exmerges the mailbox and DELETEs the account. I still have most of the scripts that do all that handy if you are interested.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Wed 11/9/2005 9:25 AM
To: [email protected]
Subject: RE: [ActiveDir] Automating NoMas

Ok, with that said, what would be the correct way or tools to disable a mail enabled account in Active Directory?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 11:49 AM
To: [email protected]
Subject: RE: [ActiveDir] Automating NoMas

Let me restate this just a little. The issues are due to Exchange Dev having an incomplete understanding of how people do things in the enterprise and assuming that the only time a disabled account could have a mailbox is because it is a resource mailbox, so instead of having an attribute for it they assume, and then after assuming run into all sorts of issues with their assumption. From our side, it means that we have to adjust how we deprovision accounts to properly populate the directory so Exchange doesn't get its panties in a bunch.
And yes, enough of these will get your Exchange server's panties in a bunch. Lots of folks (primarily from MS) like to say these are meaningless and can't hurt anything, but I have seen multiple cases where they caused store hangs and queues. I actually got an MS person to admit they were a huge issue about 2-3 years ago but couldn't get the person to give me an email stating that. I understood completely. The interesting thing is that you would at least expect ADUC with the Exchange extensions to properly disable these accounts, but nope, we have to handle it manually. But that is ok, we really shouldn't be using ADUC to manage users in larger orgs anyway. No business rules, no decent logging, too many people with too many permissions: you want to use provisioning tools, either self-written or purchased.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 09, 2005 10:59 AM
To: [email protected]
Subject: RE: [ActiveDir] Automating NoMas

Correct your deprovisioning process. Those issues are due to incorrectly setting values on mailbox-enabled users. Basically bad data is going into the directory and then you are manually swinging back and correcting it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 09, 2005 9:18 AM
To: [email protected]
Subject: [ActiveDir] Automating NoMas

How can I prevent the Event ID error 9548 (MSExchangeIS) from happening? I normally use NoMas to fix em, but I want to prevent them from happening. Would it be possible to create a script that runs like every morning and performs exactly what NoMas does for every child domain I have?
Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
