JohnB
Wed Aug 13 11:43:55 PDT 2008
>>The danger in your case is that an employee will appear in the Excel file,
>>but not match the corresponding user in AD, and you will delete the
>>account.
Yup. What I've found in a couple of cases was: in HR's spreadsheet the person
went by their first name, but in AD they went by their middle name. An
example: Robert D. Smith in HR, but in AD that same person was Dale Smith.
We're supposed to be "All Knowing".
"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
message news:%237$78%23L$IHA.3908@TK2MSFTNGP05.phx.gbl...
>
> "JohnB" <jbrigan@yahoo.com> wrote in message
> news:utIz3bK$IHA.5048@TK2MSFTNGP05.phx.gbl...
>> What's the best way to remove terminated employees from AD? I'm talking
>> about doing this on a domain that has never been cleaned up, not just one
>> employee.
>>
>> I exported all the users from AD to a CSV file. And I have, from HR, a
>> list of current employees, in an Excel file. But I am looking for some
>> type of automated method to compare the two.
>>
>> TIA
>
> In my experience HR keeps a separate database of employees, so the names
> they use may not match up with the information in AD. I spent months at a
> large company cleaning up their databases and learned that identifying
> people by name can be useless. The danger in your case is that an employee
> will appear in the Excel file, but not match the corresponding user in AD,
> and you will delete the account.
>
> To make this work you must either have a list of current user "pre-Windows
> 2000 logon" names or Distinguished Names (not just Common Names). Then you
> know you can reliably identify current users. Even then, just because an
> AD account does not match with the HR list does not mean it should be
> deleted. It could be Administrator, for example. If this approach can be
> used, I would generate a list of candidate accounts for deletion, then
> manually scrub the list before using it to delete user objects. Moving the
> candidate objects to another OU and disabling them might be a good idea.
>
> An alternative is to use Joe Richards' free oldcmp utility:
>
> http://www.joeware.net/freetools/tools/oldcmp/index.htm
>
> This identifies old accounts using last logon and password last set dates.
> Even if an account seems to be on the HR list, if it is never used perhaps
> it should be deleted. It could be old, belong to someone with a similar
> name, or even be a duplicate where the person changed jobs.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
>
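
An added example (not from either poster) of the approach Richard Mueller describes above: match on the pre-Windows 2000 logon name instead of the display name, exclude accounts that never appear on an HR list, and produce a candidate list for manual review rather than deleting anything. The CSV column names, the sample rows, the `svc_` prefix, the exclusion list and the OU path are constructed assumptions.

```powershell
# Constructed sample data. In practice: Import-Csv on the AD export and on the
# HR list saved as CSV. Column names here are assumptions.
$adExport = @'
sAMAccountName,DistinguishedName,DisplayName
Administrator,"CN=Administrator,CN=Users,DC=example,DC=com",Administrator
dsmith,"CN=Dale Smith,OU=Staff,DC=example,DC=com",Dale Smith
jdoe,"CN=Jane Doe,OU=Staff,DC=example,DC=com",Jane Doe
mlee,"CN=Mark Lee,OU=Staff,DC=example,DC=com",Mark Lee
svc_backup,"CN=svc_backup,OU=Service,DC=example,DC=com",Backup Service
'@ | ConvertFrom-Csv

$hrList = @'
LogonName,FullName
DSmith,Robert D. Smith
jdoe,Jane Doe
'@ | ConvertFrom-Csv

# Accounts that are never deletion candidates, whatever the HR list says
# (assumed list and naming convention; extend per site).
$neverDelete   = 'Administrator', 'Guest', 'krbtgt'
$servicePrefix = 'svc_'

# Name-based comparison, shown only to expose the mismatch the thread warns
# about: HR's "Robert D. Smith" is "Dale Smith" in AD, so a current employee
# ends up flagged.
$hrNames       = @($hrList | ForEach-Object { $_.FullName.Trim() })
$flaggedByName = $adExport | Where-Object { $hrNames -notcontains $_.DisplayName }

# Logon-name comparison (-notcontains is case-insensitive) plus exclusions.
$currentNames = @($hrList | ForEach-Object { $_.LogonName.Trim() })
$candidates = $adExport | Where-Object {
    $name = $_.sAMAccountName
    ($currentNames -notcontains $name) -and
    ($neverDelete -notcontains $name) -and
    (-not $name.StartsWith($servicePrefix, [System.StringComparison]::OrdinalIgnoreCase))
} | Select-Object sAMAccountName, DistinguishedName, DisplayName

# Candidate list for manual scrubbing; nothing is changed in AD here.
$candidates | Format-Table -AutoSize

# After review, with the ActiveDirectory module loaded, disable and park each
# reviewed account ($dn) instead of deleting it (OU path is a placeholder):
# Disable-ADAccount -Identity $dn -WhatIf
# Move-ADObject -Identity $dn -TargetPath 'OU=Pending Deletion,DC=example,DC=com' -WhatIf
```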