Mark Minasi's Tech Forum
#1  lady_mcse (Senior Member, Posts: 112)
Can I just get a reality check from you folks who know Active Directory and/or Identities inside and out ... am I correct that there really is not a little bit/switch/field in Active Directory that says "this employee left the company"?  

As far as I'm aware, there is not.  Sure, we may disable the account, and we may put something in a description field, or some other probably-good-enough flag, but is there really not an actual value that can be set to really mean the person has been terminated?  

Thanks!  
#2  cj_berlin (Senior Member, Posts: 377)
Hi,

You are correct, there is no such thing.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
#3  jsclmedave (Administrator, Posts: 482)
Quote:
Originally Posted by cj_berlin
Hi,

you are correct, there is no such thing.


Not to say you cannot create a Custom Attribute.  We usually auto-add something to the description field and email address.

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
#4  lady_mcse (Senior Member, Posts: 112)
I keep coming back in here to at least say "thank you" for replying, but keep getting sidetracked in a rant.

I just find it utterly crazy that after 20+ years of various forms of AD, we still rely on workarounds for this.

An employee leaves the company, so you disable the account so they can't get in, but that gives you time to "hand off" anything they worked on previously, whether it be emails or being able to uncover and address pesky service account / developer account issues that may not arise immediately.  

The relatively new OneDrive cleanup process kicks off once an account is deleted.  So there could be days or weeks before a manager gets access.  But you don't really want that same process kicking off every time an account is disabled, because I know from experience that situation is bad too.  

Why jump through the hoops of making descriptions and utilizing Exchange attributes for something that's a pretty straightforward event? Managers of former employees most likely want access to mailboxes and OneDrives ... let's have an appropriate "trigger" for both of those things.  

OK, I slimmed down my rant considerably.  
#5  Matthew (New Friend (or an Old Friend who Built a New Account), Posts: 22)
I know this is an old thread, but...

We use MIM to move terminated accounts to a specific OU.  From there, at 61 days since the termination date, we start cleanup. 

If they get rehired at 59 or fewer days, which happens, MIM sees the change in status and moves it to the correct OU.

If you aren't using MIM, and are acting on some kind of data transfer from HR (spreadsheet, or other "paper" form), you could take that data and, using PowerShell, create a fairly automated means to "flag" the terminated accounts in a manner that makes them easy to clean up when the time comes.  Moving to a specific OU makes the most sense for us; it might for you as well.  Certainly the simplest "flag". 

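The workflow Matthew describes (HR data in, flag by moving to a terminated OU, clean up at 61 days, reverse the flag on a rehire inside that window), combined with the description-field stamp jsclmedave mentions in #3, written out in PowerShell as an added example. This is not code from the thread or from any poster; it assumes the ActiveDirectory module, an HR export CSV with the columns SamAccountName, Status ("Active" or "Terminated") and TerminationDate, placeholder OU distinguished names, and the choice of extensionAttribute15 (an Exchange schema attribute) as the "terminated on" field, since AD itself has no such attribute.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Assumptions: HR export CSV with columns
# SamAccountName,Status,TerminationDate; the OU DNs below are placeholders for your own;
# extensionAttribute15 is used as the "terminated on" stamp because AD has no native one.

$TerminatedOU  = 'OU=Terminated,OU=Users,DC=example,DC=com'   # placeholder
$ActiveOU      = 'OU=Staff,OU=Users,DC=example,DC=com'        # placeholder
$TermAttribute = 'extensionAttribute15'
$RetentionDays = 61

function Set-TerminatedFlag {
    # Disable the account, stamp the termination date, and move it to the terminated OU.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADUser]$User,
        [Parameter(Mandatory)][datetime]$TerminationDate
    )
    $stamp = $TerminationDate.ToString('yyyy-MM-dd')
    if ($PSCmdlet.ShouldProcess($User.SamAccountName, "flag as terminated on $stamp")) {
        Disable-ADAccount -Identity $User
        # Machine-readable date in the attribute, human-readable prefix in the description.
        Set-ADUser -Identity $User -Replace @{ $TermAttribute = $stamp } `
            -Description ("TERMINATED $stamp | " + $User.Description)
        Move-ADObject -Identity $User.DistinguishedName -TargetPath $TerminatedOU
    }
}

function Clear-TerminatedFlag {
    # Rehire inside the retention window: remove the stamp, re-enable, move back.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADUser]$User)
    if ($PSCmdlet.ShouldProcess($User.SamAccountName, 'clear terminated flag (rehire)')) {
        $desc = [string]$User.Description -replace '^TERMINATED \d{4}-\d{2}-\d{2} \| ', ''
        Set-ADUser -Identity $User -Clear $TermAttribute
        if ($desc) { Set-ADUser -Identity $User -Description $desc }
        else       { Set-ADUser -Identity $User -Clear Description }
        Enable-ADAccount -Identity $User
        Move-ADObject -Identity $User.DistinguishedName -TargetPath $ActiveOU
    }
}

function Sync-TerminationsFromHr {
    # Reconcile the HR export with AD: new terminations get flagged, rehires get unflagged.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$CsvPath)
    foreach ($row in Import-Csv -Path $CsvPath) {
        # The HR file is untrusted input that ends up in an LDAP filter: accept plain names only.
        if ($row.SamAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            Write-Warning "Skipping malformed account name '$($row.SamAccountName)'"; continue
        }
        $user = Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'" `
                           -Properties Description, $TermAttribute
        if (-not $user) { Write-Warning "No AD account for $($row.SamAccountName)"; continue }
        $flagged = -not [string]::IsNullOrEmpty($user.$TermAttribute)
        switch ($row.Status) {
            'Terminated' { if (-not $flagged) { Set-TerminatedFlag -User $user -TerminationDate ([datetime]$row.TerminationDate) } }
            'Active'     { if ($flagged)      { Clear-TerminatedFlag -User $user } }
            default      { Write-Warning "Unknown status '$($row.Status)' for $($row.SamAccountName)" }
        }
    }
}

function Remove-ExpiredTerminatedAccount {
    # Delete accounts in the terminated OU whose stamp is at least $Days old (61 in the post).
    # Only stamped accounts in that OU are considered, so a manually moved account is left alone.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Days = $RetentionDays)
    $cutoff = (Get-Date).Date.AddDays(-$Days)
    $stale  = Get-ADUser -SearchBase $TerminatedOU -Filter "$TermAttribute -like '*'" -Properties $TermAttribute
    foreach ($u in $stale) {
        $terminated = [datetime]::ParseExact($u.$TermAttribute, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
        if ($terminated -le $cutoff -and
            $PSCmdlet.ShouldProcess($u.SamAccountName, "remove account terminated $($u.$TermAttribute)")) {
            Remove-ADUser -Identity $u -Confirm:$false
        }
    }
}

# Typical run: preview with -WhatIf first, then apply.
# Sync-TerminationsFromHr -CsvPath .\hr-export.csv -WhatIf
# Remove-ExpiredTerminatedAccount -WhatIf
```

Every function supports -WhatIf, so the HR reconciliation and the deletion pass can be dry-run from a scheduled task before anything is disabled or removed. Keeping the date in its own attribute rather than only in the description is what makes the 61-day cleanup a simple comparison instead of a string parse, and scoping the cleanup to stamped accounts inside the terminated OU keeps a mistaken move from turning into a deletion.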
#6  lady_mcse (Senior Member, Posts: 112)
Yeah, I totally get that there are workarounds and ways to make up flags.  It just seems to me silly that Msoft hasn't actually added one to AD in all the iterations of NT 4.0 to 2000 to 2003 to 2008 to yadayadayada ... 
