October 2009
Remove old users with PowerShell v2

My company has been under a data hold for a period of time now. I’m not sure if every company is like this, but our people like to retain literally EVERYTHING! Over the past few years this has caused all our methods of storing data to explode. We have recently gotten the clearance to remove the users and their related data from the systems so long as they are not related to the hold order. Here is the situation and criteria:

  • Users must be >= 30 days terminated
  • User account must be disabled
  • extensionAttribute10 = NULL

I am using extensionAttribute10 as the marker that ensures we don't delete users who should be retained. I set it to different values depending on why the specific account and its related data are being kept.

I have put in place a two-step process that verifies the candidates and allows a user account to be saved a week before it is removed from the system. The first script queries AD for the user accounts matching the criteria above. I am currently dumping this to a CSV file so it's easy to review; eventually I want to email the former employee's manager a form letter notifying them of the impending deletion.

# Cut-off for the "30 days terminated" criterion
$ThirtyDaysAgo = (Get-Date).Subtract((New-TimeSpan -Days 30))

# Disabled accounts, untouched for 30+ days, with no retention marker in extensionAttribute10
$users = (Get-ADUser -Filter { (enabled -eq "False") -and ( extensionAttribute10 -notlike "*" ) -and ( Modified -lt $ThirtyDaysAgo )} -property * | select-object -property Name, Description, modified, extensionAttribute10, DistinguishedName | sort-object Name)

# Dump the candidate list for review
$users | export-csv c:\temp\UserDel.csv

# Mark each candidate so the second script can pick it up; drop -whatif to apply
foreach($user in $users) {
    set-aduser -Identity $user.DistinguishedName -replace @{extensionAttribute10 = "False"} -whatif
}

The second script will then remove those accounts and their home directories when it is scheduled to run.

# Disabled accounts that the first script marked for deletion
$users = Get-ADUser -Filter { (enabled -eq "False") -and (extensionAttribute10 -eq "False") } -Properties *

foreach ($user in $users) {
    write-host $user.name
    # Only attempt the home directory when one is set on the account
    if ($user.homedirectory) {
        remove-item $user.homedirectory -force -recurse -whatif
    }
    remove-aduser -Identity $user.distinguishedname -whatif
}

There is a lot of improvement to be made here, but I wanted to post this to see if anyone had any suggestions or questions.

I’m sure someone is wondering about the Exchange mailbox. We are still using Exchange 2003 and so there is no PowerShell management of the mailboxes. We have decided that since this is a new process and is still getting updated, it would be best to abandon the mailbox and allow Exchange to clean up after 30 days. This way if there was something missed we could restore the user data from backup and just re-attach the mailbox to the new/old user account. This will change when we migrate to Exchange 2010, but by then the process will be solid and we shouldn’t have any issues.
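One way to enforce the one-week grace period mentioned above and leave an audit trail, as an added example rather than the post's own scripts: it keeps the same three criteria, but stamps extensionAttribute10 with the date the account was flagged, so the removal pass only touches accounts flagged at least seven days earlier, and a hold reason written over the stamp takes the account out of scope. The stamp format, the C:\temp paths and the availability of the ActiveDirectory module are assumptions.

```powershell
# Added example, not the original post's scripts. Assumes the ActiveDirectory module (RSAT)
# is available, the "PendingDelete:yyyy-MM-dd" stamp format is our own convention, and
# C:\temp is writable. Remove -WhatIf to make the changes real.
Import-Module ActiveDirectory
$InactiveDays = 30
$GraceDays    = 7
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$Today        = Get-Date -Format 'yyyy-MM-dd'
Start-Transcript -Path "C:\temp\UserDel-$Today.log" -Append

# Stage 1: disabled, no retention marker, and Modified older than the cut-off. Note that
# Modified (whenChanged) is only a proxy for "disabled 30 days ago": any attribute edit resets it.
$candidates = Get-ADUser -Filter { (Enabled -eq $false) -and (extensionAttribute10 -notlike "*") -and (Modified -lt $Cutoff) } `
    -Properties Description, Modified, extensionAttribute10, HomeDirectory | Sort-Object Name
$candidates | Select-Object Name, Description, Modified, DistinguishedName |
    Export-Csv "C:\temp\UserDel-$Today.csv" -NoTypeInformation
foreach ($u in $candidates) {
    # Dated stamp instead of a bare "False": the second stage can tell how long it has been pending
    Set-ADUser -Identity $u.DistinguishedName -Replace @{ extensionAttribute10 = "PendingDelete:$Today" } -WhatIf
}

# Stage 2: remove only accounts whose stamp is older than the grace period. Anyone who needs an
# account kept overwrites the stamp with a hold reason (e.g. "Hold:legal"), so it no longer matches.
$flagged = Get-ADUser -Filter { (Enabled -eq $false) -and (extensionAttribute10 -like "PendingDelete:*") } `
    -Properties extensionAttribute10, HomeDirectory
foreach ($u in $flagged) {
    # "PendingDelete:" is 14 characters; the date follows it
    $stamped = [datetime]::ParseExact($u.extensionAttribute10.Substring(14), 'yyyy-MM-dd', $null)
    if ($stamped -gt (Get-Date).AddDays(-$GraceDays)) {
        Write-Host "Skipping $($u.Name): flagged $($stamped.ToShortDateString()), still inside grace period"
        continue
    }
    Write-Host "Removing $($u.Name) ($($u.DistinguishedName))"
    # Guard against accounts with no home directory set or a path that no longer exists
    if ($u.HomeDirectory -and (Test-Path $u.HomeDirectory)) {
        Remove-Item $u.HomeDirectory -Recurse -Force -WhatIf
    }
    Remove-ADUser -Identity $u.DistinguishedName -Confirm:$false -WhatIf
}
Stop-Transcript
```

The transcript and the dated CSV give you a record of what was flagged and what was removed on each run, which is what you will want when someone asks about a deleted account later.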
