AD Maint
staggerlee
Hi all,
Currently looking at cleaning up our AD as we have a lot of users and computers that are no longer in play but still exist in AD.
What do you all do for general maintenance in AD for clearing out old users/computers?
What I was thinking is:
a: Run a task that will find Computers and Users that have not logged in for x weeks. (easy in DSQuery)
b: auto disable/add to a group or move to a new OU (again easy using DSxx)
c: for users auto email their manager in their AD attribute informing them the user has been disabled and can it be deleted. (not sure how I would do this)
d: for computers leave disabled (we have a few laptops that are largely used offsite which cause a problem for this one.)
-
How I can get the email to auto send out I'm not sure, thinking of using SQL to get all the data/clean it up and using SQLMail. Also thought it could be a cool way to learn and play with PowerShell, as I'm sure it could all be done via that.
What do you guys do for these tasks?
Cheers
S
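Steps a to d of the plan above, sketched in PowerShell as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module; the 12-week threshold, quarantine OU, SMTP server and sender address are placeholders, and it runs as a dry run until `$Commit` is set to `$true`.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module.
# Assumed placeholders: threshold, OU path, SMTP server, sender address.
Import-Module ActiveDirectory

$InactiveFor  = New-TimeSpan -Days 84                 # "x weeks" taken as 12 (assumed)
$QuarantineOU = 'OU=Quarantine,DC=example,DC=com'     # placeholder OU
$SmtpServer   = 'smtp.example.com'                    # placeholder relay
$From         = 'ad-maintenance@example.com'          # placeholder sender
$Commit       = $false   # $false = dry run: changes use -WhatIf, no mail is sent

# Step a: enabled users and computers with no logon inside the window.
# Search-ADAccount reads lastLogonTimestamp, which can lag the real last logon
# by up to about 14 days, so keep the threshold well above that.
$stale = Search-ADAccount -AccountInactive -TimeSpan $InactiveFor |
    Where-Object { $_.Enabled -and $_.ObjectClass -in 'user', 'computer' }

foreach ($acct in $stale) {
    $id = $acct.ObjectGUID    # GUID stays valid after the move; the DN does not

    # Step b: disable the account and park it in the quarantine OU.
    Disable-ADAccount -Identity $id -WhatIf:(-not $Commit)
    Move-ADObject -Identity $id -TargetPath $QuarantineOU -WhatIf:(-not $Commit)

    # Step d: computers stay disabled and nothing is deleted. Offsite laptops
    # can look inactive, so re-enabling on request is the recovery path.
    if ($acct.ObjectClass -ne 'user') { continue }

    # Step c: look up the manager attribute and ask whether deletion is OK.
    $user = Get-ADUser -Identity $id -Properties Manager
    if (-not $user.Manager) { Write-Warning "$($user.SamAccountName): no manager set"; continue }
    $mgr = Get-ADObject -Identity $user.Manager -Properties mail
    if (-not $mgr.mail)     { Write-Warning "$($user.SamAccountName): manager has no mail"; continue }

    $body = "Account $($user.SamAccountName) has had no logon for " +
            "$($InactiveFor.Days) days and has been disabled. " +
            "Reply to confirm whether it can be deleted."
    if ($Commit) {
        Send-MailMessage -To $mgr.mail -From $From -SmtpServer $SmtpServer `
            -Subject "Disabled AD account: $($user.SamAccountName)" -Body $body
    } else {
        Write-Output "DRY RUN: would mail $($mgr.mail) about $($user.SamAccountName)"
    }
}
```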
Comments
mikedisd2
It depends on how big your organisation is. If it's a small business, I'd probably just go through it manually. Either case, get HR involved. Query for the unused user accounts and send to HR to see what is still valid.
And of course submit any recommendations of deletion for approval.
For computers, may have to do a thorough audit to see who has what. Or maybe disable and see who complains.
Cleanups aren't usually quick and easy.
staggerlee
Hi Mike,
Yeah, users seem pretty straightforward (as in easy to confirm they are still here or not).
Computers seem to be the main problem. We are constantly rolling out new kit over the year as our helpdesk team (2 people) does all the new installs to ease pressure on them, and the guys sometimes forget to remove the old stuff from AD.
We have 8xx computers in AD now but DSquery is bringing up 200 inactive computers for 52 weeks! That would bring it to the sort of number I would expect.
Mike, do you do any regular maintenance work on AD accounts?