I get that totally but it's still small enough to be manageable. If you
have a big enough stick to create and enforce standards that will get
you a long way.

One thing that will really get you a leg up is to force everything to have
an owner that is accountable for the object[s].

From: David Lum [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 03, 2008 10:25 AM
To: NT System Admin Issues
Subject: RE: AD maintenance?

Thanks. The problem is we have an amazing number of fingers in the pie
for a small shop: our three "Desktop support" (they actually do far more
than the typical desktop support guys) folks create machine, user, and
group (both security and distribution) accounts, then we have at least
three Systems Engineers that do the server side, creating servers and
accounts they need... and then there's me who straddles both sides. I am
a Systems Engineer but I mainly support the employee side of things, not
the NWEA client side.

Dave

From: Free, Bob [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 03, 2008 10:11 AM
To: NT System Admin Issues
Subject: RE: AD maintenance?

Oldcmp is your best bet for free/low cost for computers and users. You
really need a lifecycle management system in place and it all starts
with how you do provisioning and adherence to standards. That can be
difficult to implement, especially if none existed in the past. We have
a very mature process for user objects but it was a lot of work to get
it in place and all automated. IMHO groups are the hardest. It's fairly
trivial to tell when a user or computer object was used, groups are more
difficult because of the myriad places they can be used without being
updated from an AD perspective. Your org is pretty small so it shouldn't
be as difficult as bigger ones where there are a lot more fingers in the
pie.

From: David Lum [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 03, 2008 8:44 AM
To: NT System Admin Issues
Subject: AD maintenance?

How do you guys with larger orgs handle keeping AD tidy and not having
a bunch of non-existent system, user and group accounts? I work for a
mid-size org and am almost certainly the only Systems Engineer here who
is willing to take the time to try and maintain AD. If I do an AD query
of systems with "description has a value" I come up with 191 objects. A
search of computers with "description has no value" comes up with 811,
and since NWEA has ~250 employees and 140-ish servers I'm pretty sure
there is a ton of clutter in there. Ferreting out the invalid
desktops/laptops is the bigger issue of the two.

Suggestions?

David Lum
SYSTEMS ENGINEER // NORTHWEST EVALUATION ASSOCIATION
[EMAIL PROTECTED] // 971.222.1025