Sunday, February 26, 2012

My Foray in Moving Disabled AD Accounts & Home Folder Directories Part 1

It's been a while since I have posted anything, but I wanted to write about a little issue I recently worked on and had some success in resolving. There may have been other ways to do this more effectively, but I could not find any sources that applied to this particular situation. After about a month of research, trial and error, I found one solution that did fit my particular situation, and it was a proverbial "one-liner" of code that I would like to share. But first, let me explain the situation and how I was able to use PowerShell to work on the issue. This will be one of a couple of planned posts in the coming weeks/months.

A client I am working for has a large Active Directory user base, and every user has been assigned a home directory for personal network storage. A year or so ago this client added another server and started pointing every new user object's home directory path at the new server's \Home directory. There were still quite a few user objects whose home directories resided on the old server's \Home directory and needed to be transferred to the new server. Here's where the issue begins. Before I started working for this client, a file migration was attempted and failed to the point where the whole project was put on hold. The worst part of it was that the home directories that were transferred to the new server in the first failed attempt were never cleaned up, thus making it appear that directories had been moved and resulting in duplicate data, with the recently moved directories missing the original ACLs assigned to each.

Here was my first mission: perform cleanup in preparation for moving the remaining active user objects' \Home directories from the old server to the new server.

Step 1) Remove duplicated files from new server \Home directory for Active Directory Users
Before I start, I need to remove as much garbage as possible so that the extra space is available for future use in this project. I utilized WinMerge to perform a directory comparison, giving me accurate time stamps, filtering and the ability to delete folders that were duplicated. Great utility, and I strongly recommend it for doing file comparisons. After doing this comparison, I was successful in removing about 16GB worth of duplicated files on the new server, and now both directories are clean again.

Step 2) Find inactive Active Directory User Objects
This was a simple task. I first created a custom saved query using the Active Directory Users & Computers Microsoft Management Console (MMC). After creating my custom console I also enabled the Advanced Features view. My first query was configured to display all user objects that had not logged in during the past 180 days (6 months) in the OU container for the user base I was working with. This query returned over 485 objects! With a quick CTRL+A I selected all the user objects and disabled the accounts, then moved them to a new OU I created called Disabled Accounts. AD is now a little cleaner.

Step 3) Find Disabled User Objects and Move Objects' Home Directory to Alternate Location
Here's the part that involved lots of research and testing. I wanted to use a PowerShell script to accomplish this task because I am learning PowerShell. I was also looking for a code example that would be easy to implement and not overly complex, but could be slightly modified for future use. My original plans included such tools as RoboCopy, VBScript, and PowerShell. I settled on a PowerShell cmdlet that I found on PowerGUI.org. Big THANK YOU! to Shay Levy and his reply to a post I found there. His code was an excellent example of what I was looking for. After obtaining the required free ActiveRoles PSSnapin from Quest Software, I was able to execute this line of code with my attributes to successfully scan and move almost all 485 user objects' \Home directories to a temporary archive folder on the old server. It even found some of the disabled accounts that did not have home folders specified, since the disabled user had never logged in, returning an error but continuing. I tried to move the files to a NAS unit, but PowerShell returned an error stating that the files could not be moved across volumes. The best part was that the folder ACLs did not change.
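The same procedure written out as a script, added here as an example; it is not the one-liner from the post or Shay Levy's PowerGUI reply, and it uses the Microsoft ActiveDirectory module (Get-ADUser) in place of the Quest ActiveRoles snapin. The OU name, server name and archive path are assumptions, and the script skips the two failure cases described above (no home folder on disk, and a destination on a different volume) instead of erroring on them.

```powershell
# Added example, not the one-liner from the original post or Shay Levy's PowerGUI reply.
# Uses the Microsoft ActiveDirectory module (Get-ADUser) instead of the Quest ActiveRoles
# snapin. The OU name, server name and archive path below are assumptions for this example.
Import-Module ActiveDirectory

function Move-DisabledUserHomeFolder {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # OU holding the disabled accounts
        [Parameter(Mandatory)][string]$ArchiveRoot,  # temporary archive folder on the old server
        [switch]$DryRun                              # report what would move, move nothing
    )
    # Disabled accounts only; Where-Object drops those with no homeDirectory attribute at all.
    $users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $false' -Properties homeDirectory |
             Where-Object { $_.homeDirectory }

    foreach ($u in $users) {
        $src = $u.homeDirectory
        # Accounts that never logged in can have the attribute set but no folder on disk.
        if (-not (Test-Path -LiteralPath $src -PathType Container)) {
            Write-Warning "$($u.SamAccountName): home folder '$src' not found, skipping"
            continue
        }
        # A same-volume Move-Item is a rename, so the folder's ACL is left untouched, but
        # Move-Item refuses to move a directory across volumes (the NAS error in the post).
        # GetPathRoot gives 'D:\' for a local path and '\\server\share' for a UNC path.
        $srcRoot  = [System.IO.Path]::GetPathRoot($src)
        $destRoot = [System.IO.Path]::GetPathRoot($ArchiveRoot)
        if ($srcRoot -ne $destRoot) {
            Write-Warning "$($u.SamAccountName): '$src' and '$ArchiveRoot' have different roots; use robocopy"
            continue
        }
        $dest = Join-Path $ArchiveRoot $u.SamAccountName
        if ($DryRun) {
            Write-Host "WOULD MOVE $src -> $dest"
            continue
        }
        try {
            Move-Item -LiteralPath $src -Destination $dest -ErrorAction Stop
            "$(Get-Date -Format s) MOVED $($u.SamAccountName) $src -> $dest" |
                Add-Content -Path (Join-Path $ArchiveRoot 'move.log')
        } catch {
            # Log and continue with the next account rather than aborting the whole run.
            Write-Warning "$($u.SamAccountName): $($_.Exception.Message)"
        }
    }
}

# Dry run first (assumed OU and UNC archive path); drop -DryRun once the output looks right.
Move-DisabledUserHomeFolder -SearchBase 'OU=Disabled Accounts,DC=example,DC=com' `
                            -ArchiveRoot '\\OLDSERVER\Home\_Archive' -DryRun
```

Because the archive path is on the same share as the home folders, each move is a rename and the move.log gives an audit trail of which account's folder went where.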

My next post will be about how I moved those folders to a NAS using RoboCopy (if the client decides to keep them, that is) and how I moved the remaining \Home folders to the new server while retaining the ACLs.