Removing term'd employees from AD

  • Thread starter Thread starter JohnB
  • Start date Start date
J

JohnB

Guest
What's the best way to remove terminated employees from AD? I'm talking
about doing this on a domain that has never been cleaned up, not just one
employee.

I exported all the users from AD to a CSV file. And I have, from HR, a list
of current employees, in an Excel file. But I am looking for some type of
automated method to compare the two.

TIA
 
Re: Removing term'd employees from AD

This doesn't directly address your question,..but I don't delete user
accounts,...I disable them and move them to a unique OU that only has
disabled accounts in them. I also delete the Exchange Mailbox from the
accounts.

Sometimes there are auditing reasons to not delete the accounts,...some of
those reasons may be based on Laws.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


"JohnB" <jbrigan@yahoo.com> wrote in message
news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...
> What's the best way to remove terminated employees from AD? I'm talking
> about doing this on a domain that has never been cleaned up, not just one
> employee.
>
> I exported all the users from AD to a CSV file. And I have, from HR, a
> list of current employees, in an Excel file. But I am looking for some
> type of automated method to compare the two.
>
> TIA
 
Re: Removing term'd employees from AD


"JohnB" <jbrigan@yahoo.com> wrote in message
news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...
> What's the best way to remove terminated employees from AD? I'm talking
> about doing this on a domain that has never been cleaned up, not just one
> employee.
>
> I exported all the users from AD to a CSV file. And I have, from HR, a
> list of current employees, in an Excel file. But I am looking for some
> type of automated method to compare the two.
>
> TIA

In my experience HR keeps a separate database of employees, so the names
they use may not match up with the information in AD. I spent months at a
large company cleaning up their databases and learned that identifying
people by name can be useless. The danger in your case is that an employee
will appear in the Excel file, but not match the corresponding user in AD,
and you will delete the account.

To make this work you must either have a list of current user "pre-Windows
2000 logon" names or Distinguished Names (not just Common Names). Then you
know you can reliably identify current users. Even then, just because an AD
account does not match with the HR list does not mean it should be deleted.
It could be Administrator, for example. If this approach can be used, I
would generate a list of candidate accounts for deletion, then manually
scrub the list before using it to delete user objects. Moving the candidate
objects to another OU and disabling them might be a good idea.

An alternative is to use Joe Richards' free oldcmp utility:

http://www.joeware.net/freetools/tools/oldcmp/index.htm

This identifies old accounts using last logon and password last set dates.
Even if an account seems to be on the HR list, if it is never used perhaps
it should be deleted. It could be old, belong to someone with a similar
name, or even be a duplicate where the person changed jobs.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
 
Re: Removing term'd employees from AD

This may be of use, I've used it in my test lab only and it does the job.
http://www.netwrix.com/inactive_users_tracker_freeware.html


"JohnB" <jbrigan@yahoo.com> wrote in message
news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...
> What's the best way to remove terminated employees from AD? I'm talking
> about doing this on a domain that has never been cleaned up, not just one
> employee.
>
> I exported all the users from AD to a CSV file. And I have, from HR, a
> list of current employees, in an Excel file. But I am looking for some
> type of automated method to compare the two.
>
> TIA
 
Re: Removing term'd employees from AD

I took a look at that. Pretty cool.

Now why doesn't Microsoft make that same information readily available from
the AD Users and Computers MMC???

Thanks


"Keith" <metis@winnetworks.com> wrote in message
news:eJO4lOT$IHA.2060@TK2MSFTNGP05.phx.gbl...
> This may be of use, I've used it in my test lab only and it does the job.
> http://www.netwrix.com/inactive_users_tracker_freeware.html
>
>
> "JohnB" <jbrigan@yahoo.com> wrote in message
> news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...
>> What's the best way to remove terminated employees from AD? I'm talking
>> about doing this on a domain that has never been cleaned up, not just one
>> employee.
>>
>> I exported all the users from AD to a CSV file. And I have, from HR, a
>> list of current employees, in an Excel file. But I am looking for some
>> type of automated method to compare the two.
>>
>> TIA
>
 
Re: Removing term'd employees from AD

>>The danger in your case is that an employee will appear in the Excel file,
>>but not match the corresponding user in AD, and you will delete the
>>account.
Yup. What I've found in a couple cases was; in HR's spreadsheet the person
went by their first name. But in AD they went by their middle name. An
example; Robert D. Smith in HR, but in AD that same person was Dale Smith.
We're supposed to be "All Knowing".






"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
message news:%237$78%23L$IHA.3908@TK2MSFTNGP05.phx.gbl...
>
> "JohnB" <jbrigan@yahoo.com> wrote in message
> news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...
>> What's the best way to remove terminated employees from AD? I'm talking
>> about doing this on a domain that has never been cleaned up, not just one
>> employee.
>>
>> I exported all the users from AD to a CSV file. And I have, from HR, a
>> list of current employees, in an Excel file. But I am looking for some
>> type of automated method to compare the two.
>>
>> TIA
>
> In my experience HR keeps a separate database of employees, so the names
> they use may not match up with the information in AD. I spent months at a
> large company cleaning up their databases and learned that identifying
> people by name can be useless. The danger in your case is that an employee
> will appear in the Excel file, but not match the corresponding user in AD,
> and you will delete the account.
>
> To make this work you must either have a list of current user "pre-Windows
> 2000 logon" names or Distinguished Names (not just Common Names). Then you
> know you can reliably identify current users. Even then, just because an
> AD account does not match with the HR list does not mean it should be
> deleted. It could be Administrator, for example. If this approach can be
> used, I would generate a list of candidate accounts for deletion, then
> manually scrub the list before using it to delete user objects. Moving the
> candidate objects to another OU and disabling them might be a good idea.
>
> An alternative is to use Joe Richards' free oldcmp utility:
>
> http://www.joeware.net/freetools/tools/oldcmp/index.htm
>
> This identifies old accounts using last logon and password last set dates.
> Even if an account seems to be on the HR list, if it is never used perhaps
> it should be deleted. It could be old, belong to someone with a similar
> name, or even be a duplicate where the person changed jobs.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
>
 
Re: Removing term'd employees from AD

"JohnB" <jbrigan@yahoo.com> wrote in message
news:esKzDOW$IHA.5004@TK2MSFTNGP05.phx.gbl...
>I took a look at that. Pretty cool.
>
> Now why doesn't Microsoft make that same information readily available
> from the AD Users and Computers MMC???

Someone might sue them for "monopolistic practices" for putting the
companies that make such tools out of business because their tools would no
longer be needed. So they "leave room" for third parties to make tools to
"improve" Windows. If the products are really really good and popular MS
will buy the company and incorperate the product into Windows, this way they
never actually put them out of business and the company won't sue MS because
they are absorbed into MS.

That's my interpretation of it anyway.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Back
Top