Removing term'd employees from AD


Posted

What's the best way to remove terminated employees from AD? I'm talking about doing this on a domain that has never been cleaned up, not just one employee.

I exported all the users from AD to a CSV file. And I have, from HR, a list of current employees, in an Excel file. But I am looking for some type of automated method to compare the two.

 

TIA

Guest Phillip Windell
Posted

Re: Removing term'd employees from AD

 

This doesn't directly address your question, but I don't delete user accounts; I disable them and move them to a unique OU that only has disabled accounts in them. I also delete the Exchange Mailbox from the accounts.

Sometimes there are auditing reasons to not delete the accounts; some of those reasons may be based on laws.

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

 

 

"JohnB" <jbrigan@yahoo.com> wrote in message

news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...

> What's the best way to remove terminated employees from AD? I'm talking

> about doing this on a domain that has never been cleaned up, not just one

> employee.

>

> I exported all the users from AD to a CSV file. And I have, from HR, a

> list of current employees, in an Excel file. But I am looking for some

> type of automated method to compare the two.

>

> TIA

Guest Richard Mueller [MVP]
Posted

Re: Removing term'd employees from AD

 

 

"JohnB" <jbrigan@yahoo.com> wrote in message

news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...

> What's the best way to remove terminated employees from AD? I'm talking

> about doing this on a domain that has never been cleaned up, not just one

> employee.

>

> I exported all the users from AD to a CSV file. And I have, from HR, a

> list of current employees, in an Excel file. But I am looking for some

> type of automated method to compare the two.

>

> TIA

 

In my experience HR keeps a separate database of employees, so the names they use may not match up with the information in AD. I spent months at a large company cleaning up their databases and learned that identifying people by name can be useless. The danger in your case is that an employee will appear in the Excel file, but not match the corresponding user in AD, and you will delete the account.

To make this work you must either have a list of current user "pre-Windows 2000 logon" names or Distinguished Names (not just Common Names). Then you know you can reliably identify current users. Even then, just because an AD account does not match with the HR list does not mean it should be deleted. It could be Administrator, for example. If this approach can be used, I would generate a list of candidate accounts for deletion, then manually scrub the list before using it to delete user objects. Moving the candidate objects to another OU and disabling them might be a good idea.

 

An alternative is to use Joe Richards' free oldcmp utility:

 

http://www.joeware.net/freetools/tools/oldcmp/index.htm

 

This identifies old accounts using last logon and password last set dates. Even if an account seems to be on the HR list, if it is never used perhaps it should be deleted. It could be old, belong to someone with a similar name, or even be a duplicate where the person changed jobs.

 

--

Richard Mueller

MVP Directory Services

Hilltop Lab - http://www.rlmueller.net

--
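
The comparison described in the post above, sketched in PowerShell as an added example (not part of Richard Mueller's post or any tool he mentions). It matches on the pre-Windows 2000 logon name (sAMAccountName) rather than on display names, skips built-in accounts, and also flags accounts that are on the HR list but have not logged on recently. The column names, the `example.com` domain, the cutoff date, the exclusion list and the target OU are all assumptions; the data is constructed.

```powershell
# Constructed sample data; in practice use Import-Csv on the AD export and the HR list.
# Assumes HR can supply each current employee's logon name (sAMAccountName).
$adExport = @'
sAMAccountName,DistinguishedName,LastLogon
Administrator,"CN=Administrator,CN=Users,DC=example,DC=com",2008-08-01
dsmith,"CN=Dale Smith,OU=Staff,DC=example,DC=com",2008-08-10
jdoe,"CN=Jane Doe,OU=Staff,DC=example,DC=com",2006-03-15
svc_backup,"CN=svc_backup,OU=Service,DC=example,DC=com",2008-08-11
mjones,"CN=Mary Jones,OU=Staff,DC=example,DC=com",2007-01-20
'@ | ConvertFrom-Csv

$hrList = @'
LogonName,FullName
DSMITH,Robert D. Smith
mjones,Mary Jones
'@ | ConvertFrom-Csv

# Accounts never to touch automatically (hypothetical list; extend it for your domain).
$exclude     = 'Administrator', 'Guest', 'krbtgt'
$staleBefore = [datetime]'2008-02-01'   # constructed cutoff for "not used recently"

# Case-insensitive set of current employees, keyed on logon name and not display name.
$current = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($row in $hrList) { [void]$current.Add($row.LogonName.Trim()) }

$report = foreach ($u in $adExport) {
    if ($exclude -contains $u.sAMAccountName) { continue }
    $reason = $null
    if (-not $current.Contains($u.sAMAccountName.Trim())) {
        $reason = 'Not on HR list'
    } elseif ([datetime]$u.LastLogon -lt $staleBefore) {
        $reason = 'On HR list but no logon since cutoff'
    }
    if ($reason) {
        [pscustomobject]@{ sAMAccountName = $u.sAMAccountName; DN = $u.DistinguishedName; Reason = $reason }
    }
}

# Write the candidate list for manual review; nothing is changed in AD here.
$report | Export-Csv -Path .\candidates.csv -NoTypeInformation
$report | Format-Table -AutoSize

# After the list has been scrubbed by hand, disable and move rather than delete.
# Requires the ActiveDirectory module; the OU is a placeholder. -WhatIf only previews.
# Import-Csv .\candidates-reviewed.csv | ForEach-Object {
#     Disable-ADAccount -Identity $_.DN -WhatIf
#     Move-ADObject -Identity $_.DN -TargetPath 'OU=Disabled Accounts,DC=example,DC=com' -WhatIf
# }
```

Service accounts such as the constructed `svc_backup` land on the candidate list because HR does not know about them, which is why the manual scrub comes before any change to the directory.
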

Posted

Re: Removing term'd employees from AD

 

This may be of use, I've used it in my test lab only and it does the job.

http://www.netwrix.com/inactive_users_tracker_freeware.html

 

 

"JohnB" <jbrigan@yahoo.com> wrote in message

news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...

> What's the best way to remove terminated employees from AD? I'm talking

> about doing this on a domain that has never been cleaned up, not just one

> employee.

>

> I exported all the users from AD to a CSV file. And I have, from HR, a

> list of current employees, in an Excel file. But I am looking for some

> type of automated method to compare the two.

>

> TIA

Posted

Re: Removing term'd employees from AD

 

I took a look at that. Pretty cool.

 

Now why doesn't Microsoft make that same information readily available from the AD Users and Computers MMC???

 

Thanks

 

 

"Keith" <metis@winnetworks.com> wrote in message

news:eJO4lOT$IHA.2060@TK2MSFTNGP05.phx.gbl...

> This may be of use, I've used it in my test lab only and it does the job.

> http://www.netwrix.com/inactive_users_tracker_freeware.html

>

>

> "JohnB" <jbrigan@yahoo.com> wrote in message

> news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...

>> What's the best way to remove terminated employees from AD? I'm talking

>> about doing this on a domain that has never been cleaned up, not just one

>> employee.

>>

>> I exported all the users from AD to a CSV file. And I have, from HR, a

>> list of current employees, in an Excel file. But I am looking for some

>> type of automated method to compare the two.

>>

>> TIA

>

Posted

Re: Removing term'd employees from AD

 

>>The danger in your case is that an employee will appear in the Excel file,

>>but not match the corresponding user in AD, and you will delete the

>>account.

Yup. What I've found in a couple of cases was: in HR's spreadsheet the person went by their first name. But in AD they went by their middle name. An example: Robert D. Smith in HR, but in AD that same person was Dale Smith. We're supposed to be "All Knowing".

 

 

 

 

 

 

"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in

message news:%237$78%23L$IHA.3908@TK2MSFTNGP05.phx.gbl...

>

> "JohnB" <jbrigan@yahoo.com> wrote in message

> news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...

>> What's the best way to remove terminated employees from AD? I'm talking

>> about doing this on a domain that has never been cleaned up, not just one

>> employee.

>>

>> I exported all the users from AD to a CSV file. And I have, from HR, a

>> list of current employees, in an Excel file. But I am looking for some

>> type of automated method to compare the two.

>>

>> TIA

>

> In my experience HR keeps a separate database of employees, so the names

> they use may not match up with the information in AD. I spent months at a

> large company cleaning up their databases and learned that identifying

> people by name can be useless. The danger in your case is that an employee

> will appear in the Excel file, but not match the corresponding user in AD,

> and you will delete the account.

>

> To make this work you must either have a list of current user "pre-Windows

> 2000 logon" names or Distinguished Names (not just Common Names). Then you

> know you can reliably identify current users. Even then, just because an

> AD account does not match with the HR list does not mean it should be

> deleted. It could be Administrator, for example. If this approach can be

> used, I would generate a list of candidate accounts for deletion, then

> manually scrub the list before using it to delete user objects. Moving the

> candidate objects to another OU and disabling them might be a good idea.

>

> An alternative is to use Joe Richards' free oldcmp utility:

>

> http://www.joeware.net/freetools/tools/oldcmp/index.htm

>

> This identifies old accounts using last logon and password last set dates.

> Even if an account seems to be on the HR list, if it is never used perhaps

> it should be deleted. It could be old, belong to someone with a similar

> name, or even be a duplicate where the person changed jobs.

>

> --

> Richard Mueller

> MVP Directory Services

> Hilltop Lab - http://www.rlmueller.net

> --

>

>

Guest Phillip Windell
Posted

Re: Removing term'd employees from AD

 

"JohnB" <jbrigan@yahoo.com> wrote in message

news:esKzDOW$IHA.5004@TK2MSFTNGP05.phx.gbl...

>I took a look at that. Pretty cool.

>

> Now why doesn't Microsoft make that same information readily available

> from the AD Users and Computers MMC???

 

Someone might sue them for "monopolistic practices" for putting the companies that make such tools out of business because their tools would no longer be needed. So they "leave room" for third parties to make tools to "improve" Windows. If the products are really really good and popular, MS will buy the company and incorporate the product into Windows; this way they never actually put them out of business and the company won't sue MS because they are absorbed into MS.

 

That's my interpretation of it anyway.

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

