Cleaning out old user accounts

Active Directory was designed to manage millions of objects in a domain. But even with good use of OUs, we humans have a hard time properly juggling too many objects. So, one way to keep the number of objects, or specifically, user accounts, from piling up on you is to perform some cleanup work.

Cleanup is most needed on accounts that are no longer required by your organization. These are accounts which no longer have an employee tied to them (i.e. the person was let go or left on their own). There are two camps of thought on managing old user accounts. One is that all accounts ever created in a domain should be retained to simplify future security audits: if you delete an account, the audit record may point to a non-existent object. The second is to delete an account once the person is no longer employed. In either case, there are a few things you can do to tidy things up.

First, if you must keep the accounts around (i.e. not delete them), then make sure the accounts have been properly disabled. If you think that may not be sufficient, consider assigning these now defunct accounts new complex passwords. Finally, you may want to create a special OU and move all unused accounts into that OU. Keeping disabled accounts corralled in one location prevents the rest of your domain from getting too cluttered.

Next, even if you elect to delete a user account, often the user profile directory and the user account's home directory will remain. The OS will not automatically delete these folders when the account is deleted. You can delete the user profile directory and home directory of any account that has been branded as out-of-commission. Doing so will clean up your servers and free up significant drive space. But don't forget to inspect them first for important or valuable data. Unless it is on a backup, once a file is deleted, it might be gone forever.

You may have discovered that sometimes even Administrators have difficulty deleting the user profiles and home directories of normal user accounts. This annoying issue is usually resolved by first ensuring that you are a Domain Admin, then taking ownership of the doomed folder before attempting to delete the contents. On a side note, be sure to take ownership of both the folder and its contents. The OS will often grant the user account ownership of their user profile folder (or some of the contents of that folder) and of their home directory. Thus, without taking ownership, not even Administrators have sufficient permissions over those objects. By exercising the Admin's user right of taking ownership, the issue of permissions is bypassed since the owner of an object has full control over that object.
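The two procedures above, quarantining the account and then taking ownership of its folders, combined into one PowerShell script. This is an added example, not code from the original article; the RSAT ActiveDirectory module, Domain Admin rights, the quarantine OU path, the profile share and the 90-day inactivity threshold are all assumptions.

```powershell
# Added example: quarantine stale user accounts, then reclaim their folders.
# Assumes the ActiveDirectory module, Domain Admin rights, and a hypothetical
# quarantine OU and profile share. Run with -WhatIf first to review candidates.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 90,
    [string]$QuarantineOU = 'OU=Disabled Users,DC=corp,DC=example',  # hypothetical
    [string]$ProfileRoot = '\\fileserver\profiles$',                  # hypothetical
    [switch]$RemoveFolders   # folders are only reported unless this is set
)
Import-Module ActiveDirectory

function New-RandomPassword {
    # 32 CSPRNG bytes, base64-encoded: 44 mixed-case/digit/symbol characters.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# Step 1: enabled user accounts with no logon in the last $InactiveDays days.
$stale = Search-ADAccount -AccountInactive -UsersOnly `
            -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) |
         Where-Object { $_.Enabled } |
         ForEach-Object { Get-ADUser -Identity $_.DistinguishedName `
                            -Properties LastLogonDate, HomeDirectory, ProfilePath }

foreach ($u in $stale) {
    $action = "disable, scramble password, move to $QuarantineOU"
    if (-not $PSCmdlet.ShouldProcess($u.SamAccountName, $action)) { continue }

    Disable-ADAccount      -Identity $u
    Set-ADAccountPassword  -Identity $u -Reset -NewPassword (New-RandomPassword)
    Move-ADObject          -Identity $u.DistinguishedName -TargetPath $QuarantineOU

    # Step 2: the OS usually leaves the user, not Administrators, as owner of the
    # profile and home folders, so take ownership (to Administrators) first.
    $folders = @($u.HomeDirectory, $u.ProfilePath,
                 (Join-Path $ProfileRoot $u.SamAccountName)) |
               Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($folder in $folders) {
        takeown.exe /F $folder /A /R /D Y | Out-Null
        icacls.exe  $folder /grant 'Administrators:(OI)(CI)F' /T /C | Out-Null
        if ($RemoveFolders) { Remove-Item -LiteralPath $folder -Recurse -Force }
        else { Write-Output "Owned, review before deleting: $folder" }
    }
}
```

Without -RemoveFolders the script only takes ownership and lists the folders, so the review step the article insists on happens before anything is deleted.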

So, with a bit of planning, a bit of organizational re-arrangement, and a little hard drive house cleaning, you can keep your drives and your AD database a bit more tidy.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in January 2005
