AD Old Users

Discussion in 'Software' started by kat731, Aug 3, 2007.

  1. kat731
    Honorary Member

    kat731 Megabyte Poster

    Hi all,

    I've been given a list with users highlighted, who are no longer working for us, and the MD wants them removed. Are there any complications/precautions I should be aware of/take when deleting them from AD? And is it a straightforward process?

    Kat
     
    Certifications: BA (Hons), A+
    WIP: 70-685 77-884
  2. kat731
    Honorary Member

    kat731 Megabyte Poster

    Is this worth the trouble:

    http://www.specopssoft.com/products/adjanitor/
     
    Certifications: BA (Hons), A+
    WIP: 70-685 77-884
  3. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Certifications: A+ and Network+
  4. Fergal1982

    Fergal1982 Petabyte Poster

    Deleting a user from AD is easy enough. Right-click, select Delete. Job done.

    However....

    It's not good practice to just delete the accounts, since someone may have access to their mailbox, etc. At my old company, we had a system we developed which worked out quite well:

    Create 3 OUs in AD: Month1, Month2, and Month3.

    When asked to close an account, disable it and place it in Month1. Wait 1 week, then, providing no-one has complained, delete the mailbox. Exchange will hold a deleted mailbox for 3 months before automatically removing it from the system (or it was at our place, might be a different default, etc) - so we always hold the user account for the same length of time.

    Providing no-one complains about it, you can then delete the account after 3 months. To keep track of this, at the start of every month, we deleted all accounts in Month3, moved 2 to 3 and 1 to 2. Any accounts re-enabled were moved back into the appropriate OU as soon as they were updated and re-enabled.

    This is, I think, the best way to handle the situation, since it ensures that you can step back without issue. Restoring deleted accounts from backups is a pain in the ass. We just didn't do it. If it fell outside the 3 month period, tough. Brand new account!
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
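
The disable-then-rotate routine described in the post above, sketched in PowerShell as an added example (not code from the thread). It assumes the ActiveDirectory RSAT module, a hypothetical parent OU named Leavers in a placeholder example.com domain holding the Month1, Month2 and Month3 OUs, and it leaves the Exchange mailbox step out.

```powershell
#Requires -Modules ActiveDirectory
# Added example. OU paths are placeholders for a hypothetical example.com domain.
$Base   = 'OU=Leavers,DC=example,DC=com'
$Month1 = "OU=Month1,$Base"
$Month2 = "OU=Month2,$Base"
$Month3 = "OU=Month3,$Base"

# Closing an account: disable it first, then park it in Month1.
function Suspend-Leaver {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable and move to Month1')) {
            Disable-ADAccount -Identity $user
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $Month1
        }
    }
}

# Start-of-month rotation: delete Month3, then move Month2 -> Month3, Month1 -> Month2.
function Invoke-LeaverRotation {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Accounts someone re-enabled are never deleted or aged; flag them to be moved back.
    Get-ADUser -SearchBase $Base -SearchScope Subtree -Filter 'Enabled -eq $true' |
        ForEach-Object { Write-Warning "Re-enabled, move back to its live OU: $($_.DistinguishedName)" }

    # Collect into an array before changing anything so the query is not
    # enumerating a container that is being modified.
    $expired = @(Get-ADUser -SearchBase $Month3 -SearchScope OneLevel -Filter 'Enabled -eq $false')
    foreach ($user in $expired) {
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Delete account')) {
            Remove-ADUser -Identity $user -Confirm:$false
        }
    }
    # Order matters: empty Month2 into Month3 before Month1 moves into Month2,
    # otherwise a Month1 account would age two steps in one run.
    foreach ($step in @(@{ From = $Month2; To = $Month3 }, @{ From = $Month1; To = $Month2 })) {
        $batch = @(Get-ADUser -SearchBase $step.From -SearchScope OneLevel -Filter 'Enabled -eq $false')
        foreach ($user in $batch) {
            if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $($step.To)")) {
                Move-ADObject -Identity $user.DistinguishedName -TargetPath $step.To
            }
        }
    }
}

# Dry run first (jdoe is a constructed name): Suspend-Leaver -SamAccountName jdoe -WhatIf
```

Running `Invoke-LeaverRotation -WhatIf` lists every deletion and move without changing the directory, which is worth doing before the first real run each month.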
  5. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    I rarely delete users, there is always someone that needs to use the account 2 years after the user has left. :biggrin

    Create an OU and put all the old accounts in there, disable the account and also check the ‘hide from Exchange mailing lists’ tick box.

    If you really have to delete the user, back up the profile and mailbox onto DVD.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  6. csx

    csx Megabyte Poster

    If using some kind of backup software such as Backup Exec, you may have to remove the mailbox from the information store/Exchange or you'll get failed backup reports (backup just moaning it cannot back up the mailbox).
     
    Certifications: A+, Network+, 70-271 & 70-272, CCENT, VCP5-DCV and CCNA
    WIP: Citrix
  7. Fluid

    Fluid Byte Poster

    I wouldn't bother investing in software like that. If you want one, there's bound to be quite a few open source ones out there, or just follow the instructions set above really.
     
  8. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    I do what Sparky does. Just disable the account and move it to another OU out of the way. No real need to delete them out of AD.
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  9. zimbo
    Honorary Member

    zimbo Petabyte Poster

    Interesting topic.. and something you don't think about till you're in the real world - yeah ok, delete the account, but like you guys have said - someone will always need or want the account sometime soon... 8)
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  10. Theprof

    Theprof Petabyte Poster

    I also do the same thing as Sparky. There really is no reason for deleting an account unless you know for sure that there will never be a user doing the same job as the previous user. I always have it disabled just in case, because you never know who might replace the user, and when that does happen all you've got to do is rename the account and the new user has the exact same rights as the previous.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  11. hippy

    hippy Kilobyte Poster

    I agree with the above, disable the account and move it into an OU with all the other disabled. If you really want, you can delete the user in AD, delete the mailbox in Exchange (or wait for default settings) and if you use Backup Exec, alter the backup, otherwise it will moan like a pro...
     
