Active Directory Cleanup

I have an upcoming project of cleaning up Active Directory. My question concerns the important parts of Active Directory that you need to pay attention to.

I know that the obvious points would be inactive user accounts, computer accounts, etc. What are other parts of Active Directory that you need to pay attention to when preparing to clean out Active Directory?

As part of the project I will need to take two domains and combine them under a single forest. These domains are geographically separated. Can someone point me to good articles about preparing to add separate domains together?

carloc Asked:
Seth Simmons (Sr. Systems Administrator) Commented:
"What are other parts of active directory that you need to pay attention to when preparing to clean out Active Directory."

I look at DNS, particularly name servers listed that no longer exist; also Kerberos/SRV/LDAP records pointing to servers that no longer exist.

"Can someone point me to good articles about preparing to add separate domains together."

You can look into the migration tool.

ADMT Guide: Migrating and Restructuring Active Directory Domains
http://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx
Prashant Girennavar Commented:
If you are cleaning up the computer accounts, please consider their PasswordLastSet attribute. Every computer account sets its computer account password in 30 days. If the computer accounts have a PasswordLastSet attribute set more than 30 days ago, then they are good candidates to delete.

You can use PowerShell to find out the PasswordLastSet on a computer account:

# -Filter is mandatory for Get-ADComputer; request only the attribute needed instead of -Properties *
$m = Get-ADComputer -Filter * -Server <DomainController> -Properties PasswordLastSet | Select-Object -Property PasswordLastSet, DistinguishedName
# Format each date individually; skip accounts that have no PasswordLastSet value
$m | Where-Object { $_.PasswordLastSet } | ForEach-Object { $_.PasswordLastSet.ToString("dd/MM/yyyy hh:mm tt") }


For user accounts, you can check the LastLogonTimestamp attribute on the user account. If you find old dates in there, first disable the accounts and then delete them.

http://gallery.technet.microsoft.com/scriptcenter/Get-Inactive-User-in-78b8db79

I would suggest disabling the accounts first, waiting for some days, and then deleting them, to be on the safer side.

For migration, please refer to the link below:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/dc8cf4a8-00ba-4dd0-afa7-6c3cbe632576/active-directory-migration-tools

Thanks,

-Prashant Girennavar.
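
The disable-first cleanup described in the answers above, as an added example that is not part of the original posts. It assumes the RSAT ActiveDirectory module is available; the 90-day threshold and the CSV file name are illustrative choices, not values from the thread.

```powershell
Import-Module ActiveDirectory   # RSAT ActiveDirectory module

$StaleDays = 90                 # assumption: example threshold, not a value from the thread
$cutoff    = (Get-Date).AddDays(-$StaleDays)

# Computers: enabled accounts whose machine password has not changed since the cutoff.
# Accounts with no PasswordLastSet value (for example pre-staged ones) are skipped here.
$staleComputers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    Select-Object ObjectClass, SamAccountName, DistinguishedName,
        @{ Name = 'LastActivity'; Expression = { $_.PasswordLastSet } }

# Users: lastLogonTimestamp is stored as a FILETIME integer and is replicated lazily
# (by default it can be up to about 14 days behind), so keep the threshold well above that.
# Accounts that never logged on have no value; fall back to whenCreated for those.
$staleUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
    ForEach-Object {
        $last = if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTime($_.lastLogonTimestamp)
        } else {
            $_.whenCreated
        }
        if ($last -lt $cutoff) {
            [pscustomobject]@{
                ObjectClass       = $_.ObjectClass
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                LastActivity      = $last
            }
        }
    }

# Keep a dated record of every candidate; this is the list to review before anything changes.
$stale = @($staleComputers) + @($staleUsers)
$stale | Sort-Object LastActivity | Export-Csv -Path .\stale-accounts.csv -NoTypeInformation

# Dry run: -WhatIf only prints what would be disabled. Remove it after the CSV has been
# reviewed and service accounts or other known exceptions have been taken out of $stale.
foreach ($account in $stale) {
    Disable-ADAccount -Identity $account.DistinguishedName -WhatIf
}
```

Deletion is deliberately left out: the answers here recommend leaving accounts disabled for a waiting period first, and the CSV records which accounts were disabled in this pass.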
Stacy A Commented:
This tool helped me out a lot.
http://www.cjwdev.co.uk/Software/ADTidy/Info.html 
Any account that was too old I disabled and then deleted after 30 days of being disabled.
carloc (Author) Commented:
Thanks for the tips. Helps a lot when preparing to start this project.