3rd July 2007, 09:55 AM #1 AD Clean Up Tips
Hey People,
Started a new job at a college and looking at their AD now, it’s a mess!! Stuff has never been deleted, like user and computer accounts etc.
Does anyone have any good tools that could do a ‘scavenge’ and look for accounts that haven’t been used for a long time (i.e. for leavers) or for computer accounts that are no longer in use.
Anything would help at the moment, otherwise it’s just a good old clean up job! Any tips or anything much appreciated!
Cheers people,
Rob
-
-
3rd July 2007, 10:01 AM #2
-
-
3rd July 2007, 10:39 AM #3 Re: AD Clean Up Tips
Thank you, that looks good. I'll give that a try!
-
-
4th July 2007, 08:09 AM #4 Re: AD Clean Up Tips
OldCmp is great for deleting old computer accounts
http://www.joeware.net/freetools/tools/oldcmp/index.htm
It will only let you disable computers first as a safety mechanism
For accounts I just use an AD query to filter user accounts not logged on in xx amount of days. Then I disable them for a while and if I hear no moans they get deleted
-
-
4th July 2007, 02:07 PM #5 Re: AD Clean Up Tips
OldCmp is good, giving me a decent list of users and comps that need attention so to speak. Format needs working on but that's nothing that I can’t sort out in Excel.
Thanks guys!
-
-
23rd July 2007, 03:27 PM #6
Re: AD Clean Up Tips
We use Active Directory Janitor for this. A pretty simple tool. I just use it to run reports to find dead computer accts. It can also find user accts that haven't logged in forever. Disable everything, delete later! I've used oldcmp with good results as well.
-
-
23rd July 2007, 03:30 PM #7
Re: AD Clean Up Tips
I've used this for testing and so forth. May find it useful?
http://manageengine.adventnet.com/pr...ger/index.html
-
-
18th August 2007, 02:10 PM #8 Re: AD Clean Up Tips
Alternatively just run an Active Directory query against user or computer accounts based on last logon
-
-
19th August 2007, 09:27 PM #9 Re: AD Clean Up Tips
Last logon is not always accurate. If you have more than 1 DC then you're only seeing the logon time at the DC you query.
If you have a Windows 2003 domain (at 2003 FFL) then there is also Last-Logon-Timestamp which is more useful (because it's replicated between servers) and would be good for this (but is not always good for telling you when someone most recently logged on - it can be up to 14 days out of date)
-
-
20th August 2007, 07:16 AM #10
Re: AD Clean Up Tips
To get last logon information we have placed a command in the login script to write to a text file with the following variables, %username%, %time% and %date%.
This is then outputted to two different files, one named with the computer name and the other named by the username. This is so we can track computer and user usage.
-
-
6th January 2008, 12:23 PM #11 Re: AD Clean Up Tips
I'm pretty sure I'm being daft, but what fields do you use in your AD filter to show users who haven't logged on in more than 60 days?
I'd assume it'd be under User, but I can't find anything there that links to "Last Logon" or anything similar?
-
-
6th January 2008, 08:16 PM #12
Re: AD Clean Up Tips
I believe that it's one of the many millions (well, ok, not millions) of hidden fields which exist for user/computer accounts.
You can see it using ADSI Edit, but I am unsure if you can search for accounts and do stuff like that in ADSI Edit (you can set values and view them though...)
From what I've read and noticed, this is largely something that is automated using VB scripts and the such...
-
-
7th January 2008, 11:45 AM #13

Originally Posted by plock:
To get last logon information we have placed a command in the login script to write to a text file with the following variables, %username%, %time% and %date%.
This is then outputted to two different files, one named with the computer name and the other named by the username. This is so we can track computer and user usage.
Any chance you can post up the login script you use please?
Thanks.
-
-
11th January 2008, 04:01 PM #14
Could anyone upload the oldcmp.exe file please as the whole joeware site seems to be down
-
-
12th January 2008, 12:11 AM #15 
Originally Posted by srochford:
Last logon is not always accurate. If you have more than 1 DC then you're only seeing the logon time at the DC you query.
Yes, be careful with that as I've had users I know to be active thrown up in LDAP queries using last logon.
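
Added example, not code from any poster in this thread: a Python sketch of the two points raised in posts #9, #11 and #15, namely an LDAP filter on the replicated lastLogonTimestamp with the cutoff pushed back by the 14 days mentioned above, and a cross-DC check of the non-replicated lastLogon. The function names, DC names and account data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LAG = timedelta(days=14)  # worst-case staleness of lastLogonTimestamp, per the thread

def to_filetime(dt):
    """UTC datetime -> AD timestamp (100 ns ticks since 1601-01-01)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    """AD timestamp -> UTC datetime; 0 or missing means no recorded logon."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None

def stale_filter(now, idle_days, kind="person"):
    """LDAP filter on the replicated attribute; kind is 'person' or 'computer'.
    The cutoff is pushed back by LAG so a lagging value cannot flag an
    account that logged on inside the idle window. Accounts with no
    lastLogonTimestamp at all do not match and need a separate review."""
    cutoff = to_filetime(now - timedelta(days=idle_days) - LAG)
    return f"(&(objectCategory={kind})(lastLogonTimestamp<={cutoff}))"

def true_last_logon(per_dc):
    """lastLogon is per-DC: the real value is the newest one across all DCs."""
    return from_filetime(max(per_dc.values(), default=0))

def is_stale(account, now, idle_days):
    """True only when every DC agrees the account has been idle long enough."""
    last = true_last_logon(account["lastLogon"])
    return last is None or now - last >= timedelta(days=idle_days)

# Constructed sample data: lastLogon as read from two hypothetical DCs.
NOW = datetime(2008, 1, 12, tzinfo=timezone.utc)
def ago(days):
    return to_filetime(NOW - timedelta(days=days))

ACCOUNTS = {
    "alice": {"lastLogon": {"DC1": ago(200), "DC2": ago(3)}},    # active; DC1 alone says idle
    "bob":   {"lastLogon": {"DC1": ago(120), "DC2": ago(150)}},  # idle on every DC
    "carol": {"lastLogon": {"DC1": 0, "DC2": 0}},                # never logged on: check creation date
}

if __name__ == "__main__":
    print(stale_filter(NOW, 60))
    for name, acct in ACCOUNTS.items():
        print(name, true_last_logon(acct["lastLogon"]), is_stale(acct, NOW, 60))
```

Accounts the check flags are candidates for the disable-first, delete-later routine described earlier in the thread, not for immediate deletion.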