  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 413
  • Last Modified:

Active Directory Cleanup

I have an upcoming project of cleaning up Active Directory. My question concerns the important parts of Active Directory which you need to pay attention to.

I know that the obvious points would be inactive user accounts, computer accounts, etc. What are other parts of Active Directory that you need to pay attention to when preparing to clean out Active Directory?

As part of the project I will need to take two domains and combine them under a single forest. These domains are geographically separated. Can someone point me to good articles about preparing to add separate domains together?
0
Asked by: carloc
2 Solutions
 
Seth Simmons (Sr. Systems Administrator) commented:
What are other parts of active directory that you need to pay attention to when preparing to clean out Active Directory.

I look at DNS - particularly name servers listed that no longer exist; also Kerberos/SRV/LDAP records pointing to servers that no longer exist.

Can someone point me to good articles about preparing to add separate domains together.

You can look into the migration tool.

ADMT Guide: Migrating and Restructuring Active Directory Domains
http://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx
0
 
Prashant Girennavar commented:
If you are cleaning up the computer accounts, please consider their PasswordLastSet attribute. Every computer account resets its computer account password every 30 days. If a computer account's PasswordLastSet attribute is more than 30 days old, then it is a good candidate to delete.

You can use PowerShell to find out the PasswordLastSet on computer accounts:

# Get-ADComputer needs -Filter (or -Identity); request only the attribute we need instead of -Properties *
$m = Get-ADComputer -Server <DomainController> -Filter * -Properties PasswordLastSet |
     Select-Object -Property Name, PasswordLastSet, DistinguishedName
# $m is a collection, so format each entry's date individually
$m | ForEach-Object { $_.PasswordLastSet.ToString("dd/MM/yyyy hh:mm tt") }



For user accounts you can check the LastLogonTimeStamp attribute on the user account. If you find old dates in there, first disable the account and then delete it.

http://gallery.technet.microsoft.com/scriptcenter/Get-Inactive-User-in-78b8db79

I would suggest disabling the accounts first, waiting for some days, and then deleting them, to be on the safer side.

For migration, please refer to the link below:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/dc8cf4a8-00ba-4dd0-afa7-6c3cbe632576/active-directory-migration-tools

Thanks,

-Prashant Girennavar.
0
 
Stacy A commented:
This tool helped me out a lot.
http://www.cjwdev.co.uk/Software/ADTidy/Info.html
Any account that was too old I disabled and then deleted after 30 days of being disabled.
0
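The disable-then-delete workflow described in the two answers above (PasswordLastSet for computers, LastLogonTimestamp for users, then a waiting period before deletion), written out as an added PowerShell example that is not code from either poster. The domain controller name, the exclusion list and the day thresholds are placeholders/assumptions; the script reports only unless -Commit is given.

```powershell
# Added example: stage stale AD accounts for removal (dry run unless -Commit).
# Assumes the RSAT ActiveDirectory module and rights to modify the objects.
param(
    [int]$StaleDays  = 90,                    # age of PasswordLastSet / last logon
    [int]$GraceDays  = 30,                    # days an account stays disabled before deletion
    [string]$Server  = 'dc01.example.local',  # placeholder DC name
    [string[]]$Exclude = @('svc-backup'),     # placeholder: accounts never to touch
    [switch]$Commit
)
Import-Module ActiveDirectory
$staleBefore = (Get-Date).AddDays(-$StaleDays)
$tag = 'CLEANUP-DISABLED'   # marker written to Description so pass 2 only deletes our own work

# Computers: machine password is rotated every 30 days by default, so a value
# far older than that means the machine has not talked to the domain.
$staleComputers = Get-ADComputer -Server $Server -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, Description |
    Where-Object { $_.PasswordLastSet -lt $staleBefore }

# Users: LastLogonDate is the readable form of LastLogonTimestamp. That attribute
# is replicated but only refreshed when older than ~14 days, so keep $StaleDays
# comfortably above that to avoid false positives.
$staleUsers = Get-ADUser -Server $Server -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, Description |
    Where-Object { $_.LastLogonDate -lt $staleBefore }

# Pass 1: disable (never delete) and stamp the date so the grace period is traceable.
foreach ($acct in @($staleComputers) + @($staleUsers)) {
    if ($Exclude -contains $acct.SamAccountName.TrimEnd('$')) { continue }
    $note = "$tag $(Get-Date -Format yyyy-MM-dd) $($acct.Description)".Trim()
    Set-ADObject -Server $Server -Identity $acct.DistinguishedName -Description $note -WhatIf:(-not $Commit)
    Disable-ADAccount -Server $Server -Identity $acct.DistinguishedName -WhatIf:(-not $Commit)
}

# Pass 2: delete only objects we tagged, still disabled (UAC bit 2 via the LDAP
# bitwise-AND matching rule), and past the grace period. If someone re-enabled
# the account in the meantime it is skipped. objectClass=user also matches computers.
$disabled = '(userAccountControl:1.2.840.113556.1.4.803:=2)'
Get-ADObject -Server $Server -Properties Description `
    -LDAPFilter "(&(objectClass=user)$disabled(description=$tag*))" |
    Where-Object {
        $_.Description -match "^$tag (\d{4}-\d{2}-\d{2})" -and
        [datetime]$Matches[1] -lt (Get-Date).AddDays(-$GraceDays)
    } |
    ForEach-Object {
        # Objects with child entries (e.g. BitLocker recovery info) fail here on purpose; review them by hand.
        Remove-ADObject -Server $Server -Identity $_.DistinguishedName -Confirm:$false -WhatIf:(-not $Commit)
    }
```

Run it once without -Commit and review the WhatIf output before the real run; the Description tag is what lets pass 2 tell your disabled accounts apart from ones disabled by someone else.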
 
carloc (Author) commented:
Thanks for the tips. Helps a lot when preparing to start this project.
0