Guest JohnB
Posted August 12, 2008

What's the best way to remove terminated employees from AD? I'm talking about doing this on a domain that has never been cleaned up, not just one employee.

I exported all the users from AD to a CSV file. And I have, from HR, a list of current employees, in an Excel file. But I am looking for some type of automated method to compare the two.

TIA

Guest Phillip Windell
Posted August 12, 2008

Re: Removing term'd employees from AD

This doesn't directly address your question,..but I don't delete user accounts,...I disable them and move them to a unique OU that only has disabled accounts in them. I also delete the Exchange Mailbox from the accounts. Sometimes there are auditing reasons to not delete the accounts,...some of those reasons may be based on Laws.

--
Phillip Windell
http://www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

"JohnB" <jbrigan@yahoo.com> wrote in message news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...
> What's the best way to remove terminated employees from AD? I'm talking
> about doing this on a domain that has never been cleaned up, not just one
> employee.
>
> I exported all the users from AD to a CSV file. And I have, from HR, a
> list of current employees, in an Excel file. But I am looking for some
> type of automated method to compare the two.
>
> TIA

Guest Richard Mueller [MVP]
Posted August 12, 2008

Re: Removing term'd employees from AD

"JohnB" <jbrigan@yahoo.com> wrote in message news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...
> What's the best way to remove terminated employees from AD? I'm talking
> about doing this on a domain that has never been cleaned up, not just one
> employee.
>
> I exported all the users from AD to a CSV file. And I have, from HR, a
> list of current employees, in an Excel file. But I am looking for some
> type of automated method to compare the two.
>
> TIA

In my experience HR keeps a separate database of employees, so the names they use may not match up with the information in AD. I spent months at a large company cleaning up their databases and learned that identifying people by name can be useless. The danger in your case is that an employee will appear in the Excel file, but not match the corresponding user in AD, and you will delete the account.

To make this work you must either have a list of current user "pre-Windows 2000 logon" names or Distinguished Names (not just Common Names). Then you know you can reliably identify current users. Even then, just because an AD account does not match with the HR list does not mean it should be deleted. It could be Administrator, for example. If this approach can be used, I would generate a list of candidate accounts for deletion, then manually scrub the list before using it to delete user objects. Moving the candidate objects to another OU and disabling them might be a good idea.

An alternative is to use Joe Richards' free oldcmp utility:

http://www.joeware.net/freetools/tools/oldcmp/index.htm

This identifies old accounts using last logon and password last set dates. Even if an account seems to be on the HR list, if it is never used perhaps it should be deleted. It could be old, belong to someone with a similar name, or even be a duplicate where the person changed jobs.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

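Added example, not part of the original thread: the comparison described in the post above, matching the AD export against the HR list on the pre-Windows 2000 logon name instead of the display name, skipping accounts that would never appear on an HR list, and producing a candidate list for manual review. The sample rows, the HR column name `LogonName`, the `svc_` prefix and the exclusion list are constructed assumptions.

```powershell
# Constructed sample data. In practice, load both lists with Import-Csv.
# Assumption: HR supplies each employee's pre-Windows 2000 logon name in a "LogonName" column.
$adUsers = @'
sAMAccountName,DistinguishedName,LastLogon
Administrator,"CN=Administrator,CN=Users,DC=example,DC=com",2008-08-11
dsmith,"CN=Dale Smith,OU=Staff,DC=example,DC=com",2008-08-10
jdoe,"CN=Jane Doe,OU=Staff,DC=example,DC=com",2007-01-15
svc_backup,"CN=svc_backup,OU=Service,DC=example,DC=com",2008-08-12
mbrown,"CN=Mike Brown,OU=Staff,DC=example,DC=com",
'@ | ConvertFrom-Csv

$hrUsers = @'
LogonName,FullName
DSMITH,Robert D. Smith
'@ | ConvertFrom-Csv

function Get-RemovalCandidate {
    param(
        [object[]]$AdUsers,
        [object[]]$HrUsers,
        # Hypothetical exclusions: built-in accounts and a site-specific service-account prefix.
        [string[]]$ExcludeNames = @('Administrator', 'Guest', 'krbtgt'),
        [string]$ExcludePattern = '^svc_'
    )
    # @{} compares keys case-insensitively, so DSMITH in the HR list matches dsmith in AD.
    $current = @{}
    foreach ($h in $HrUsers) {
        $name = "$($h.LogonName)".Trim()
        if ($name) { $current[$name] = $true }
    }
    foreach ($u in $AdUsers) {
        $sam = "$($u.sAMAccountName)".Trim()
        if ((-not $sam) -or $current.ContainsKey($sam)) { continue }
        if (($ExcludeNames -contains $sam) -or ($sam -match $ExcludePattern)) { continue }
        [pscustomobject]@{
            sAMAccountName    = $sam
            DistinguishedName = $u.DistinguishedName
            LastLogon         = if ($u.LastLogon) { $u.LastLogon } else { 'never/unknown' }
        }
    }
}

# Candidates only: review this list by hand before disabling or moving anything.
Get-RemovalCandidate -AdUsers $adUsers -HrUsers $hrUsers | Format-Table -AutoSize
```

"Robert D. Smith" in the HR list and "Dale Smith" in AD resolve to the same account here because both rows carry the logon name dsmith; a match on names would have flagged that account.
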
Guest Keith
Posted August 13, 2008

Re: Removing term'd employees from AD

This may be of use, I've used it in my test lab only and it does the job.
http://www.netwrix.com/inactive_users_tracker_freeware.html

"JohnB" <jbrigan@yahoo.com> wrote in message news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...
> What's the best way to remove terminated employees from AD? I'm talking
> about doing this on a domain that has never been cleaned up, not just one
> employee.
>
> I exported all the users from AD to a CSV file. And I have, from HR, a
> list of current employees, in an Excel file. But I am looking for some
> type of automated method to compare the two.
>
> TIA

Guest JohnB
Posted August 13, 2008

Re: Removing term'd employees from AD

I took a look at that. Pretty cool.

Now why doesn't Microsoft make that same information readily available from the AD Users and Computers MMC???

Thanks

"Keith" <metis@winnetworks.com> wrote in message news:eJO4lOT$IHA.2060@TK2MSFTNGP05.phx.gbl...
> This may be of use, I've used it in my test lab only and it does the job.
> http://www.netwrix.com/inactive_users_tracker_freeware.html
>
>
> "JohnB" <jbrigan@yahoo.com> wrote in message
> news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...
>> What's the best way to remove terminated employees from AD? I'm talking
>> about doing this on a domain that has never been cleaned up, not just one
>> employee.
>>
>> I exported all the users from AD to a CSV file. And I have, from HR, a
>> list of current employees, in an Excel file. But I am looking for some
>> type of automated method to compare the two.
>>
>> TIA
>

Guest JohnB
Posted August 13, 2008

Re: Removing term'd employees from AD

>>The danger in your case is that an employee will appear in the Excel file,
>>but not match the corresponding user in AD, and you will delete the
>>account.

Yup. What I've found in a couple cases was; in HR's spreadsheet the person went by their first name. But in AD they went by their middle name. An example; Robert D. Smith in HR, but in AD that same person was Dale Smith. We're supposed to be "All Knowing".

"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in message news:%237$78%23L$IHA.3908@TK2MSFTNGP05.phx.gbl...
>
> "JohnB" <jbrigan@yahoo.com> wrote in message
> news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...
>> What's the best way to remove terminated employees from AD? I'm talking
>> about doing this on a domain that has never been cleaned up, not just one
>> employee.
>>
>> I exported all the users from AD to a CSV file. And I have, from HR, a
>> list of current employees, in an Excel file. But I am looking for some
>> type of automated method to compare the two.
>>
>> TIA
>
> In my experience HR keeps a separate database of employees, so the names
> they use may not match up with the information in AD. I spent months at a
> large company cleaning up their databases and learned that identifying
> people by name can be useless. The danger in your case is that an employee
> will appear in the Excel file, but not match the corresponding user in AD,
> and you will delete the account.
>
> To make this work you must either have a list of current user "pre-Windows
> 2000 logon" names or Distinguished Names (not just Common Names). Then you
> know you can reliably identify current users. Even then, just because an
> AD account does not match with the HR list does not mean it should be
> deleted. It could be Administrator, for example. If this approach can be
> used, I would generate a list of candidate accounts for deletion, then
> manually scrub the list before using it to delete user objects. Moving the
> candidate objects to another OU and disabling them might be a good idea.
>
> An alternative is to use Joe Richards' free oldcmp utility:
>
> http://www.joeware.net/freetools/tools/oldcmp/index.htm
>
> This identifies old accounts using last logon and password last set dates.
> Even if an account seems to be on the HR list, if it is never used perhaps
> it should be deleted. It could be old, belong to someone with a similar
> name, or even be a duplicate where the person changed jobs.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
>

Guest Phillip Windell
Posted August 14, 2008

Re: Removing term'd employees from AD

"JohnB" <jbrigan@yahoo.com> wrote in message news:esKzDOW$IHA.5004@TK2MSFTNGP05.phx.gbl...
>I took a look at that. Pretty cool.
>
> Now why doesn't Microsoft make that same information readily available
> from the AD Users and Computers MMC???

Someone might sue them for "monopolistic practices" for putting the companies that make such tools out of business because their tools would no longer be needed. So they "leave room" for third parties to make tools to "improve" Windows. If the products are really really good and popular MS will buy the company and incorporate the product into Windows, this way they never actually put them out of business and the company won't sue MS because they are absorbed into MS.

That's my interpretation of it anyway.

--
Phillip Windell
http://www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------