RES Wisdom: Keeping AD clean
Employees come, employees go, computers come, computers go… What (often) stays are their accounts. In my consulting days, I’ve checked many Active Directories for old and unused accounts. I’ve never ever seen one that didn’t contain at least 10 accounts that were not used anymore.
This, in itself, is nobody’s fault. When a new employee arrives, HR requests a new account, simply because the new user cannot work without a login and password. When the same user leaves, nobody thinks about the account that’s left behind.
Same goes for computer accounts. The new computer is made a part of the AD, but when it dies nobody thinks of updating the AD.
To make an administrator’s life a little easier, RES Wisdom 2009 contains queries to get these “lost” accounts from the AD. Here’s how to use them.
* Create a new Module called “Users and Computers last logged more than 30 days ago”.
* Click on the tasks tab and add the Provisioning task “Query Active Directory User”.
* Fill in the Domain, the Credentials and a (registered) Domain controller.
* Tick the “Filter number of days since last login:” option and enter “> 30”. On the User Properties tab, add the “Last logon date” and the “Last logon server” properties (to find these quickly, type “last” under “Instant Search:”).
* Now click OK. If your Domain controller is not registered you’ll be asked to do so.
* Add the task “Query Active Directory Computer” and use the same info and properties as in the previous task. Close the module.
When this module has run, open the Job result:

Users and computers with empty “Last logon date” and the “Last logon server” fields have not logged on to the domain. These can be newly created accounts that have not been used yet.
Of course, you need to be careful about removing accounts, but with this info you can keep your AD as lean and mean as possible.
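The same two queries (users and computers not logged on for more than 30 days, plus the never-logged-on accounts described above) can be reproduced with the ActiveDirectory PowerShell module. The script below is an added example, not RES Wisdom code; it assumes the RSAT AD module is installed, the account running it has read access to the domain, and the 30-day threshold from the post. The function and variable names are my own.

```powershell
# Added example: equivalent of the RES Wisdom "last logged on" queries,
# written against the ActiveDirectory module (RSAT). Not RES Wisdom code.
# Assumptions: AD module available, read access to the domain, 30-day threshold.
Import-Module ActiveDirectory

$DaysInactive = 30
$Cutoff       = (Get-Date).AddDays(-$DaysInactive)

# LastLogonDate is derived from lastLogonTimestamp, which replicates between
# DCs but can lag a real logon by up to ~14 days, so treat "30 days" as approximate.
$Users     = Get-ADUser     -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated
$Computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated

function Split-StaleAccounts {
    # Returns one record per stale or never-used account; active accounts are skipped.
    param(
        [Parameter(Mandatory)] $Accounts,
        [string] $Kind
    )

    foreach ($a in $Accounts) {
        if (-not $a.LastLogonDate) {
            # Empty last logon: created but never used (may be a brand-new account)
            $State = 'NeverLoggedOn'
        } elseif ($a.LastLogonDate -lt $Cutoff) {
            $State = 'Stale'
        } else {
            continue
        }
        [pscustomobject]@{
            Kind          = $Kind
            Name          = $a.SamAccountName
            Created       = $a.whenCreated
            LastLogonDate = $a.LastLogonDate
            State         = $State
        }
    }
}

$Report = @(Split-StaleAccounts -Accounts $Users     -Kind 'User') +
          @(Split-StaleAccounts -Accounts $Computers -Kind 'Computer')

# Review the list first; disable and move stale accounts before deleting them.
$Report | Sort-Object Kind, State, LastLogonDate | Format-Table -AutoSize
$Report | Export-Csv -Path ".\stale-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Two caveats when reading the output. First, the per-DC lastLogon attribute (the value behind a “Last logon server” style column) is not replicated, so a query against a single domain controller only reflects logons that DC handled; LastLogonDate, used above, comes from the replicated lastLogonTimestamp and is the safer basis for a domain-wide sweep, at the cost of the replication lag noted in the comments. Second, `Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00` (with `-UsersOnly` or `-ComputersOnly`) gives a quicker one-line version of the stale bucket, but it does not separate never-used accounts from abandoned ones the way the split above does.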