Create a LDS Instance for Deleted User Accounts

Good morning experts, I have a rather bespoke query that I hope you can assist me with.

My client currently does not delete user accounts related to leavers and their Active Directory is populated with over 1,000 disabled accounts for old users that have since left the organisation. They have decided that they want to start deleting the accounts when the user(s) leave the organisation however they are concerned that they may, at some point in the future, need to know various snippets of information about one or more deleted users (stuff like email address, manager, profile, home drive etc.).

They have set their mind on having this stored in an LDAP/LDS instance, and this is where your collective brains may be able to help.

I need to create a PowerShell script that will extract deleted USERS from AD and dump them to a file; the file is then used to populate the LDS instance with this information.

Any advice, comments etc. are most welcome.

Darren Reevell (Active Directory & Messaging Specialist) asked:

Dan McFadden (Systems Engineer) commented:
First a few questions:

1. What Server OS on the DCs?
2. What is the Forest/Domain function level?
3. Is the AD Recycle Bin enabled?
4. If no AD Recycle Bin, how are accounts determined to be "deleted?"

Darren Reevell (Active Directory & Messaging Specialist, author) commented:

Thanks...answers below:

1. What Server OS on the DCs? Win 2008 R2
2. What is the Forest/Domain function level? Windows 2008
3. Is the AD Recycle Bin enabled? Yes
4. If no AD Recycle Bin, how are accounts determined to be "deleted?" See previous answer

Rgds FMcFF
Dan McFadden (Systems Engineer) commented:
More questions...

1. Is the implementation of this process set in stone already?
2. Do they desire to maintain group memberships as well?
3. Have they already started to delete these accounts?
4. Do they have a data retention policy?

Reason for asking... you can set the data retention policy on the AD Recycle Bin.  The default is 180 days.  You can use PowerShell to create a simple report of the user objects in the Bin.  If they needed to review a deleted user object, you can output the attributes using a similar script.


Darren Reevell (Active Directory & Messaging Specialist, author) commented:
Sounds interesting. Can you expand a little more on how I create the report and the sort of information the report can contain? Or point me towards a KB.

Dan McFadden (Systems Engineer) commented:
Sample script for pulling a list of deleted user objects in the AD Recycle Bin:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=<YourDomainName>,DC=<YourExtension>" -Filter {objectClass -eq "user" -and objectClass -ne "computer"} -IncludeDeletedObjects -Properties DisplayName,mail,department,title | Format-Table ObjectGuid,DisplayName,mail,department,title -AutoSize


To see the info available on a deleted user object in the Bin:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=<YourDomainName>,DC=<YourExtension>" -Filter {CN -like "*<YourLastName>*"} -IncludeDeletedObjects -Properties *


You could generate a daily/weekly/etc report with the first command and use the second command to get the info someone wants to know.

Dan McFadden (Systems Engineer) commented:
The first command can be enhanced to pull more fields, but you would want to export it to a CSV.
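An expanded version of that export, added here as an illustration rather than code from the thread: it pulls the attributes the question asked about (mail, manager, profile, home drive) from the Deleted Objects container, records when each object was deleted and how long it has before the Recycle Bin recycles it, and writes a CSV for the later LDS load. It assumes the RSAT ActiveDirectory module, a Recycle Bin-enabled forest as in the thread, a 180-day default lifetime when msDS-DeletedObjectLifetime is unset, and a placeholder output path.

```powershell
# Added example, not from the thread. Exports user objects still in the AD
# Recycle Bin with the attributes the question cares about.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE
$dsCfg   = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                        -Properties msDS-DeletedObjectLifetime
# Unset means the forest default applies (180 days, per the thread). Past that
# the object becomes "recycled" and almost all of these attributes are stripped.
$lifetime = if ($dsCfg.'msDS-DeletedObjectLifetime') { $dsCfg.'msDS-DeletedObjectLifetime' } else { 180 }

$attrs = 'sAMAccountName','userPrincipalName','displayName','mail','manager',
         'profilePath','homeDirectory','homeDrive','department','title',
         'msDS-LastKnownRDN','lastKnownParent','whenChanged','isRecycled'

# objectClass is multi-valued and computers also carry "user", hence the exclusion.
$deleted = Get-ADObject -SearchBase $domain.DeletedObjectsContainer `
    -Filter { objectClass -eq "user" -and objectClass -ne "computer" } `
    -IncludeDeletedObjects -Properties $attrs

$report = foreach ($obj in $deleted) {
    $deletedOn = $obj.whenChanged    # close approximation of the deletion time
    $daysLeft  = $lifetime - (New-TimeSpan -Start $deletedOn -End (Get-Date)).Days
    [pscustomobject]@{
        ObjectGuid        = $obj.ObjectGUID
        OriginalName      = $obj.'msDS-LastKnownRDN'   # name before the GUID was appended
        OriginalOU        = $obj.lastKnownParent
        sAMAccountName    = $obj.sAMAccountName
        userPrincipalName = $obj.userPrincipalName
        DisplayName       = $obj.displayName
        Mail              = $obj.mail
        Manager           = $obj.manager
        ProfilePath       = $obj.profilePath
        HomeDirectory     = $obj.homeDirectory
        HomeDrive         = $obj.homeDrive
        Department        = $obj.department
        Title             = $obj.title
        DeletedOn         = $deletedOn
        DaysUntilRecycled = $daysLeft
        AlreadyRecycled   = [bool]$obj.isRecycled
    }
}

# Placeholder path; the CSV is the hand-off to whatever populates the LDS instance.
$report | Sort-Object DeletedOn | Export-Csv -Path 'C:\Reports\DeletedUsers.csv' -NoTypeInformation
# Objects about to be recycled need exporting now or the detail is lost for good.
$report | Where-Object { $_.DaysUntilRecycled -le 14 -and -not $_.AlreadyRecycled } |
    Format-Table OriginalName, DeletedOn, DaysUntilRecycled -AutoSize
```

Run it on a schedule shorter than the deleted-object lifetime, since a recycled object keeps little more than its GUID; the LDS side also needs these attributes in its schema (the MS-User.LDF import offered at instance creation is assumed to cover them).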
Dan McFadden (Systems Engineer) commented:
Any additional thoughts or updates?
Darren Reevell (Active Directory & Messaging Specialist, author) commented:
Sorry...been looking at other service issues for the last few days. Will be revisiting this again later this week and I'll update accordingly.

Thanks for your help thus far.
Dan McFadden (Systems Engineer) commented:
Did any of this help out?
