Active Directory Maintenance

Regular maintenance of your Active Directory is important for many reasons. One must first understand that the Active Directory database exists on each Domain Controller. So if you have many domain controllers, the information in the Active Directory database is replicated between the domain controllers at preset intervals.

Two important pieces in the Active Directory database are the User accounts and Computer accounts in your network environment. Information about the users and computers is thus stored in Active Directory and replicated around the network on the Domain Controllers.

A common problem for many companies is that a process for maintaining the lifecycle of a user account or computer account is missing.

User Accounts

A good process for user account maintenance starts by creating the account, for example when a new employee starts at the company. Then you need to put the user account into the correct Organizational Unit (OU) in your Active Directory structure. Prior to this you have assigned the correct Group Policy/policies to the OU. When an employee changes role at the company, the account can easily be moved within the OU structure. When an employee leaves the company, the account should first be disabled and moved out of the ordinary OU structure. Then, after a predefined time, the account should finally be deleted.

Computer Accounts

A computer account differs somewhat from a user account. A computer account is normally created when a new desktop or server is purchased. The computer is assigned a name and, just like a user account, it is put into an Organizational Unit (OU) that has assigned Group Policies. Over time, the computer might break, and when it does, proper maintenance of Active Directory needs to be done. Computer accounts that are no longer valid are usually deleted right away.

Maintenance

In order to perform Active Directory maintenance, you need an accurate overview of all the user and computer accounts in the Active Directory. You will also need a good and trusted way of identifying and disabling/deleting accounts. Since the Active Directory maintenance tasks will be run on a regular basis, there must be an easy and quick way to do it.
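The lifecycle described above (inventory, disable, move out of the ordinary OU structure, delete after a predefined time, and report stale computer accounts) as an added PowerShell example. It is not code from the original page or from any vendor's tool; it is written against the ActiveDirectory module that ships with RSAT, and the OU paths, day counts and description stamp are assumptions to be adjusted for your own directory. Run it with -WhatIf first: that gives the overview without changing anything.

```powershell
# Added example, not from the original page or from the Active Directory Janitor
# product: a stale-account maintenance pass using the ActiveDirectory module (RSAT).
# OU paths, day counts and the description prefix are assumptions; adjust them.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$UserSearchBase     = 'OU=Staff,DC=example,DC=com',          # assumed OU
    [string]$DisabledUsersOU    = 'OU=Disabled Users,DC=example,DC=com', # assumed quarantine OU
    [string]$ComputerSearchBase = 'OU=Workstations,DC=example,DC=com',   # assumed OU
    [int]$InactiveDays      = 90,    # no logon for this long: disable
    [int]$RetentionDays     = 180,   # disabled for this long: delete
    [int]$StaleComputerDays = 90,
    [switch]$RemoveStaleComputers    # computers are only reported unless this is set
)

Import-Module ActiveDirectory

$now          = Get-Date
$inactiveCut  = $now.AddDays(-$InactiveDays)
$retentionCut = $now.AddDays(-$RetentionDays)
$computerCut  = $now.AddDays(-$StaleComputerDays)

# lastLogonTimestamp is replicated between domain controllers, but a DC only
# rewrites it when the stored value is 9-14 days old, so a logon inside that
# window may not be visible yet. Keep the cut-off in weeks, not days.
function ConvertFrom-FileTimeOrNull([Int64]$FileTime) {
    if ($FileTime -gt 0) { [DateTime]::FromFileTime($FileTime) } else { $null }
}

# 1. Inventory: enabled users in the staff OU with no recent logon. An account
#    that has never logged on counts only once the account itself is old, so
#    new starters who have not signed in yet are left alone.
$staleUsers = Get-ADUser -SearchBase $UserSearchBase -Filter "Enabled -eq 'True'" `
        -Properties LastLogonTimestamp, whenCreated |
    Where-Object {
        $last = ConvertFrom-FileTimeOrNull $_.LastLogonTimestamp
        if ($null -eq $last) { $_.whenCreated -lt $inactiveCut } else { $last -lt $inactiveCut }
    }

$staleUsers |
    Select-Object SamAccountName, whenCreated,
        @{ n = 'LastLogon'; e = { ConvertFrom-FileTimeOrNull $_.LastLogonTimestamp } } |
    Sort-Object LastLogon | Format-Table -AutoSize

# 2. Disable, stamp the description with the date, and move to the quarantine OU.
#    The stamp is what step 3 uses to enforce the retention period.
foreach ($u in $staleUsers) {
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable and move to $DisabledUsersOU")) {
        Disable-ADAccount -Identity $u
        Set-ADUser -Identity $u -Description "DISABLED $($now.ToString('yyyy-MM-dd')) inactive $InactiveDays days"
        Move-ADObject -Identity $u -TargetPath $DisabledUsersOU
    }
}

# 3. Delete quarantined accounts whose stamp is older than the retention period.
$expired = Get-ADUser -SearchBase $DisabledUsersOU -Filter "Enabled -eq 'False'" -Properties Description |
    Where-Object {
        $_.Description -match '^DISABLED (\d{4}-\d{2}-\d{2})' -and
        [DateTime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt $retentionCut
    }
foreach ($u in $expired) {
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Delete (retention period expired)')) {
        Remove-ADUser -Identity $u -Confirm:$false
    }
}

# 4. Computer accounts: report the stale ones, delete them only when asked to.
$staleComputers = Get-ADComputer -SearchBase $ComputerSearchBase -Filter "Enabled -eq 'True'" `
        -Properties LastLogonTimestamp, OperatingSystem |
    Where-Object {
        $last = ConvertFrom-FileTimeOrNull $_.LastLogonTimestamp
        ($null -ne $last) -and ($last -lt $computerCut)
    }

$staleComputers |
    Select-Object Name, OperatingSystem,
        @{ n = 'LastLogon'; e = { ConvertFrom-FileTimeOrNull $_.LastLogonTimestamp } } |
    Sort-Object LastLogon | Format-Table -AutoSize

if ($RemoveStaleComputers) {
    foreach ($c in $staleComputers) {
        if ($PSCmdlet.ShouldProcess($c.Name, 'Delete stale computer account')) {
            # Remove-ADComputer refuses objects that have child objects (for example
            # BitLocker recovery information); Remove-ADObject -Recursive handles those.
            Remove-ADObject -Identity $c -Recursive -Confirm:$false
        }
    }
}
```

Because the script declares SupportsShouldProcess, `.\Invoke-AdMaintenance.ps1 -WhatIf` prints the two inventory tables and lists every disable, move and delete it would perform without touching the directory; dropping -WhatIf applies the changes. Scoping the searches to specific OUs keeps built-in and service accounts out of the pass, and the date stamp in the description is what makes the delete step auditable when it runs weeks later.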

Manual process

An administrator could always manually maintain Active Directory. However, the problem is that a human can make an error or forget steps in the maintenance process. A human can even forget to maintain Active Directory at all.

Script

Complicated scripts can be written or even copied from the web. These scripts often do the job but also take a great deal of knowledge and experience to run. Scripts can cause a lot of damage if they are poorly written. A system administrator is probably not interested in explaining to IT management the damage a script has done, especially if the script was copied from the internet and the administrator does not understand everything it does.

Active Directory Maintenance Tool

The advantage of a tool is that, compared to a script, it provides many times the functionality. A tool is also a lot more scalable. All administrators, regardless of experience level, can use a tool. A tool usually saves a lot of time while preserving the quality of the Active Directory maintenance process. In addition, a tool is often supported by expert personnel, giving the system administrator and the company some added maintenance quality.

Suggested Active Directory Maintenance tool

A tool that will fulfill your needs regarding identifying and cleaning up old user and computer accounts in your Active Directory is the Active Directory Janitor. With this tool you can easily scan your entire network environment and in minutes decide which accounts to keep, disable or delete. In addition, you can find out whether you have user accounts with too many security privileges in your Active Directory and tighten the security.