Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2007-11-02) Creating Your Own Deprovisioning Tool Or Script

Posted by Jorge on 2007-11-02


What do you do with user accounts, mailbox-enabled or not, when the corresponding users leave the company? Without buying a full-blown solution you can build simple tooling yourself, provided the following process is sufficient for you.

IT IS A 5 STEP PROCESS:

(1) Be sure to receive some notification that a user has left the company

(2) Move the user account to a special de-provisioning OU (manually). Before you move it, put the object's canonical name (Object tab in Advanced view) in the Notes property (Telephones tab) so that its original location is recorded

(3) Schedule a script to run regularly (daily or weekly or whatever is good for you) to disable the enabled AD user accounts in the de-provisioning OU and, if the account is mailbox enabled, to add the "Associated External Account" permission to SELF. Also generate and set a difficult password (be careful with certificates if you use them for encryption!)

(4) Schedule a script to run regularly (daily or weekly or whatever is good for you) to check the de-provisioning OU for disabled user accounts that have been unused for a certain (inactive) period (e.g. 90 days). In a W2K3 domain with Domain Functional Level ‘Windows Server 2003’ you can use the ‘lastLogonTimestamp’ attribute, which records the last time a user logged on (with a certain accuracy, about 10 days, because it is only replicated at that interval). In a W2K domain, or a W2K3 domain with Domain Functional Level ‘Windows 2000 native’ or lower, you can use the ‘lastLogon’ attribute, which is less accurate (it is not replicated, so every DC holds its own value), but that will do.

If user accounts are found that meet the prerequisites (disabled and exceed a certain inactive period):

* Create a directory for the user in some "Archive Location" (the archive location is where the user’s stuff is copied to and kept as a backup for a certain time; after some further period the user’s stuff is removed)

* Extract all populated attributes of the user account to the user’s archive location (using LDIFDE)

* Check if a home directory exists (read attribute and check location) and MOVE it to the user’s archive location

* Check if a profile directory exists (read attribute and check location) and MOVE it to the user’s archive location

* Check if a TS home directory exists (read attribute and check location) and MOVE it to the user’s archive location

* Check if a TS profile directory exists (read attribute and check location) and MOVE it to the user’s archive location

* ExMerge the mailbox into a PST in the user’s archive location (be careful with large PST sizes, e.g. > 2 GB; see http://support.microsoft.com/default.aspx?scid=kb;en-us;830336 and http://support.microsoft.com/default.aspx?scid=kb;en-us;823176)

(5) Schedule a script to run regularly (daily or weekly or whatever is good for you) to check all user archive locations and see which exceed the archiving period for backup (e.g. 60 days). For this, compare the folder creation date with the current date: if a user archive location is found whose creation date is earlier than the current date minus the minimum required archiving period for backup, delete the folder
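As an added example (my own illustration, not Jorge's tooling and not code from the post), here are steps 3, 4 and 5 as one PowerShell script. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later, PowerShell 3.0+), the Exchange Management Shell (Exchange 2007 or later) for Add-MailboxPermission, and ldifde.exe and robocopy.exe on the PATH; on Exchange 2003, which ExMerge targets, the 'Associated External Account' right would be set with ADModify.NET instead. The OU, the archive share, the periods and the queue file name are placeholders for your own environment.

```powershell
# Added example, not Jorge's tooling: steps 3, 4 and 5 as one PowerShell script.
# Assumes: the ActiveDirectory module (PowerShell 3.0+), the Exchange Management
# Shell (Exchange 2007 or later) for Add-MailboxPermission, and ldifde.exe /
# robocopy.exe on the PATH. OU, share, periods and file names are placeholders.
Import-Module ActiveDirectory

$DeprovOU      = 'OU=Deprovisioning,DC=example,DC=com'   # placeholder OU
$ArchiveRoot   = '\\fileserver\archive$'                  # placeholder share
$InactiveDays  = 90   # step 4: inactivity period
$RetentionDays = 60   # step 5: archiving period for backup

# Step 3: disable every enabled account in the OU, reset it to a random password
# and, if it is mailbox-enabled, grant 'Associated External Account' to SELF.
function Invoke-DisableStep {
    $users = Get-ADUser -SearchBase $DeprovOU -Filter 'Enabled -eq $true' -Properties homeMDB
    foreach ($u in $users) {
        # 32 bytes from the system CSPRNG, base64-encoded: 44 characters nobody knows
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $u -NewPassword $pw -Reset
        Disable-ADAccount -Identity $u
        if ($u.homeMDB) {
            # homeMDB is only set on mailbox-enabled users (Exchange cmdlet; assumption)
            Add-MailboxPermission -Identity $u.DistinguishedName -User 'NT AUTHORITY\SELF' `
                -AccessRights ExternalAccount
        }
    }
}

# Step 4a: disabled accounts in the OU that have been unused for $InactiveDays.
# lastLogonTimestamp is a FILETIME (100-ns ticks since 1601-01-01 UTC) and is only
# replicated every ~10-14 days, so a 90-day threshold really means 'at least ~76 days'.
function Get-InactiveDeprovisionedUser {
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-ADUser -SearchBase $DeprovOU -Filter 'Enabled -eq $false' `
        -Properties lastLogonTimestamp, homeDirectory, profilePath, homeMDB |
    Where-Object {
        # an account that never logged on has no timestamp; it is skipped here rather
        # than archived on the first run (decide that case for your own environment)
        $_.lastLogonTimestamp -and
        ([DateTime]::FromFileTime($_.lastLogonTimestamp) -lt $cutoff)
    }
}

# Step 4b: archive the object, the four directories and queue the mailbox for ExMerge.
function Invoke-ArchiveStep {
    foreach ($u in Get-InactiveDeprovisionedUser) {
        $dest = Join-Path $ArchiveRoot $u.SamAccountName
        New-Item -ItemType Directory -Path $dest -Force | Out-Null

        # all populated attributes of the object, exported with LDIFDE (-p base = this object only)
        & ldifde.exe -f (Join-Path $dest 'account.ldf') -d $u.DistinguishedName -p base | Out-Null

        # home/profile paths are plain LDAP attributes; on W2K3 the TS paths live in the
        # userParameters blob and are read through the IADsTSUserEx ADSI extension
        $adsi = [ADSI]"LDAP://$($u.DistinguishedName)"
        $tsHome = $tsProfile = $null
        try {
            $tsHome    = $adsi.psbase.InvokeGet('TerminalServicesHomeDirectory')
            $tsProfile = $adsi.psbase.InvokeGet('TerminalServicesProfilePath')
        } catch { Write-Warning "No TS extension data for $($u.SamAccountName)" }
        $dirs = @{ home = $u.homeDirectory; profile = $u.profilePath; tshome = $tsHome; tsprofile = $tsProfile }

        foreach ($kind in $dirs.Keys) {
            $src = $dirs[$kind]
            if ($src -and (Test-Path -LiteralPath $src)) {
                # /E all subdirs, /MOVE copy-then-delete, /COPYALL keeps ACLs, owner and audit info
                & robocopy.exe $src (Join-Path $dest $kind) /E /MOVE /COPYALL /R:1 /W:1 /NP | Out-Null
            }
        }
        if ($u.homeMDB) {
            # ExMerge.exe runs from its own INI and mailbox list (see the KBs in the post);
            # record the mailbox here so an ExMerge batch run can export it into $dest.
            # Keep the 2 GB PST limit from the KBs in mind when you run it.
            Add-Content -Path (Join-Path $ArchiveRoot 'exmerge-queue.txt') -Value "$($u.SamAccountName)`t$dest"
        }
    }
}

# Step 5: purge archive folders whose creation date is older than the retention period.
function Invoke-RetentionStep {
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ChildItem -LiteralPath $ArchiveRoot -Directory |
        Where-Object { $_.CreationTime -lt $cutoff } |
        ForEach-Object {
            Write-Output "Removing $($_.FullName) (created $($_.CreationTime.ToShortDateString()))"
            Remove-Item -LiteralPath $_.FullName -Recurse -Force
        }
}

Invoke-DisableStep
Invoke-ArchiveStep
Invoke-RetentionStep
```

Two design points worth noticing: the password is never written anywhere (a fresh CSPRNG value is generated and discarded), and the inactivity check deliberately skips accounts without a lastLogonTimestamp instead of treating "no value" as "inactive forever", because an account moved in right after the functional level was raised would otherwise be archived on the first run.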

TOOLS USED:

* ADModcmd.exe and others from (ADModify.NET) (http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2)

* Robocopy.exe (tested with: v5.1.1.1010) (W2K3 Resource Kit) (http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en)

* ExMerge.exe (tested with: v6.5.7529.0) (http://www.microsoft.com/downloads/details.aspx?FamilyID=429163EC-DCDF-47DC-96DA-1C12D67327D5&displaylang=en)

To exmerge a mailbox you need at least the following permissions:

* ‘Exchange View Only Administrator’ permissions

* ‘Receive As’ and ‘Send As’ permissions

See MS-KB Q292509, Q262054 and Q821897 for more info.

Don’t use the default admin groups as these are explicitly denied the permissions mentioned. Use a separate group and don’t use a user account that is a member of the default admin groups!!!
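An added example (mine, not from the post) of checking these permissions before the scheduled ExMerge run. It assumes the Exchange Management Shell (Exchange 2007 or later) for Get-ADPermission, Add-ADPermission and Add-ExchangeAdministrator; on Exchange 2003 the same ACEs are visible on the mailbox store's Security tab in ESM. The store name and the group name are placeholders.

```powershell
# Added example, not from the post: verify the store ACL for the ExMerge service
# account. Assumes the Exchange Management Shell (Exchange 2007 or later).
# Store and group names are placeholders for your environment.
$Store        = 'Mailbox Database'          # placeholder mailbox database
$ExMergeGroup = 'EXAMPLE\ExMerge-Operators' # dedicated group, NOT a default admin group
$RunAs        = [System.Security.Principal.WindowsIdentity]::GetCurrent()

$acl = Get-ADPermission -Identity $Store

# 1. The explicit Deny ACEs for Receive-As / Send-As: these are what make the
#    default admin groups (Domain Admins, Enterprise Admins) unusable for ExMerge.
$denied = $acl | Where-Object { $_.Deny -and ($_.ExtendedRights -like '*-As') }
$denied | Format-Table User, ExtendedRights, Inherited -AutoSize

# 2. Refuse to continue if the account running this is in a denied group; a Deny ACE
#    wins over any Allow, so adding that account to $ExMergeGroup would not help.
foreach ($ace in $denied) {
    try {
        $sid = (New-Object System.Security.Principal.NTAccount("$($ace.User)")).Translate(
                   [System.Security.Principal.SecurityIdentifier])
    } catch { continue }   # unresolvable (orphaned) SID: nothing to compare against
    if ($RunAs.Groups -contains $sid) {
        throw "$($RunAs.Name) is a member of $($ace.User), which is denied $($ace.ExtendedRights -join ', ') on $Store"
    }
}

# 3. Grant the dedicated group the two extended rights ExMerge needs, if missing.
$has = $acl | Where-Object { -not $_.Deny -and "$($_.User)" -eq $ExMergeGroup -and
                             ($_.ExtendedRights -like 'Receive-As') }
if (-not $has) {
    Add-ADPermission -Identity $Store -User $ExMergeGroup -ExtendedRights 'Receive-As', 'Send-As'
}

# 4. The 'View Only Administrator' part from the post (Exchange 2007 role name).
Add-ExchangeAdministrator -Identity $ExMergeGroup -Role ViewOnlyAdmin
```

Run it once under the account that the scheduled task will use: step 2 is the check that catches the mistake the post warns about, an operator account that is (perhaps through nested membership) in one of the default admin groups.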

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
