Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

AD housekeeping question on disabled/stale users 1

Status
Not open for further replies.
wlfpackr

wlfpackr

IS-IT--Management
May 3, 2003
161
US
I'm relatively new to my current company and have been asked to clean up a lot of the manual processes they have here. The first task is with stale accounts in Active Directory. Currently they run a script to disable anything considered a stale account. They then run another script that also strips the account of all of it's AD group memberships and dumps it into a Disabled Items OU.

My question is what is the purpose of stripping the group memberships before disabling? The last company I was at we only only stripped the memberships before we deleted the account, not prior to disabling the account. So IMHO removing the groups on a disable is excess and makes it a pain to recover should the account need to reinstated (and they have a ton of subsidiaries that only log in a couple times a year for training and HR items). No one here can tell me why this is done.....am I wrong in my thinking?

=================
There are 10 kinds of people in this world, those that understand binary and those that do not.
 
Sort by date Sort by votes
The thinking is generally that if the account is somehow reenabled and compromised, it's impact is limited.

It also makes managing those groups a little cleaner if the ACLs aren't littered with disabled accounts.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Upvote 0 Downvote
Personally I don't see the point of removing the group membership before deleting the account. When you remove the account the relationship to the groups is removed as well.

Denny
MVP
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)

My Blog
 
Upvote 0 Downvote
But if you're keeping the account, but it's disabled, then removing group membership makes sense. I do it as well. I have a PowerShell script that does the following:
[ol][li]Runs nightly and looks for accounts disabled in the last 24 hours.[/li]
[li]Adds " - Disabled 07/28/2010" to the display name[/li]
[li]Hides them from the GAL[/li]
[li]Removes them from all distribution lists and security groups other than Domain Users[/li]
[li]Moves them a "disabled users" OU[/li]
[li]Moves the mailbox to a "disabled users" store (low limits so the mailboxes can't send mail)[/li]
[li]Export the mailbox to .pst[/li]
[li]Stamps an extended attribute with a time/data stamp[/li]
[li]Removes that user from any user's AD account where it's listed as Managed By. (this causes another script to email the direct reports and have them update their Managed By using an internal directory update web app)[/li]
[/ol]

This yeilds a "self cleaning" solution that makes administration easier and cleaner. Users then see only active users in the org, and disabled accounts are secured, but could be reactivated if needed. Another script then purges the mailbox and user account 30 days later.

The entire involvement of IT is to just disable the account.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Upvote 0 Downvote
Can you post a scrubbed version of that script? I'd like to use some of that.
 
Upvote 0 Downvote
Essentially what we "currently" do is disable stale accounts after 65 days of non use and move them to a Disabled Objects OU. Then after another 300 days the account is deleted permanently.

In this scenario, I'm just thinking that scripting the removal of users from groups is messy and complicated and if you have to re-enable that user it has the potential to become a bigger mess.

Since the accounts are deleted after a year of non-use I just don't see the benefit and I can handle the risk if the only reason to remove the groups is a "just in case the ID gets re-enabled" scenario.

=================
There are 10 kinds of people in this world, those that understand binary and those that do not.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

rzammit82
  • Locked
  • Question
Windows Server 2016 - DNS/AD problem
Replies
1
Views
567
suncit
suncit
DrB0b
  • Locked
  • Question
Hybrid on prem AD with Azure AD
Replies
2
Views
222
DrB0b
DrB0b
DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
0
Views
386
DTGMI
DTGMI
edgar28
  • Locked
  • Question
Question on Network cards - Windows Server 2019
Replies
1
Views
142
DrB0b
DrB0b
mangentle
  • Locked
  • Question
What are the key advantages of using Microsoft Windows Servers for businesses?
Replies
1
Views
801
gbaughma
gbaughma

Part and Inventory Search

Sponsor

Back
Top