Pre-migration AD cleanup

  • Pre-migration AD cleanup

    We are migrating into a new domain within the next year. However, before we move over I'd like to do as much cleanup as possible, so I don't bring a lot of garbage over. I'd like to clean up unneeded users, groups, and computers.

    Users - Pretty easy, look at last login time and remove old accounts, careful of resource mailboxes/etc.
    Computer - Easy, look at modified time and remove old computers.
    Groups - I haven't a clue.. Is there something I can run to tell if a group is being used or not?

    Could someone give me some hints/tips? Thanks.

  • #2
    Re: Pre-migration AD cleanup

    Originally posted by mb78
    Groups - I haven't a clue.. Is there something I can run to tell if a group is being used or not?
    Other than looking through your network documentation (which hopefully you have), or by going through and creating a set of documentation, I'm not sure.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.


    • #3
      Re: Pre-migration AD cleanup

      I was afraid of that. Unfortunately I took over AD after it was put into place sooo.. Yeah.. I'm outta luck there :/

      If anyone else has any ideas I'd love to hear them though.


      • #4
        Re: Pre-migration AD cleanup

        Are the groups empty?
        Are they security groups or distribution?
        Can you give a basic idea of your setup? If you have loads of servers with lots of NTFS permissions then I would carry things over, if there are only a few then I would spend the time exporting the permissions and checking.
        When do you have the migration planned for?

        Please read this before you post:

        Quis custodiet ipsos custodes?


        • #5
          Re: Pre-migration AD cleanup

          I wouldn't clean anything, I would just not migrate them.
          I would not try and fix a working domain (might damage it), better migrating what you need to the new domain and if something is missing, then migrate it later.
          You don't want to find yourself in a situation in which you need something, but it is no longer there because you deleted it.
          Better to have a working copy of a domain for rollback rather than having none and starting fresh on the new domain.
          Last edited by Akila; 6th November 2008, 12:07.


          • #6
            Re: Pre-migration AD cleanup

            I'm sure some groups are empty, those will be the easy ones to weed out.
            We have some DL's, but mostly security groups.
            We don't have a ton of servers, ~100 or so and only about 15ish file servers. I suppose I could use showacls (I think that's the one) to export all groups used on a server. Was just hoping there was an easier way. Still, that only gives me groups that give NTFS permissions, I'm sure they are used elsewhere. Course that will probably be the bulk of them, so may be good enough. I'm not looking for perfect just a bit of polish..

            We're planning to migrate sometime next year, we don't have a firm date yet as this is something coming from our parent company.

            The problem I think is when they migrated from NT4 to 2003 they just dumped it in, didn't even attempt to clean up. Since then we never had an AD admin, now I've been given that fun task along with everything else. I think most of us have been there.

            Thanks for the help all.


            • #7
              Re: Pre-migration AD cleanup

              I got a solution for you.
              In ADMT when you migrate users, you could choose to migrate the groups they are members of along with the user (part of the user migration wizard).
              If you do that, you would be sure to only migrate what you need and not the junk as you described.
              As for file servers, don't worry, ADMT would take care of those permissions to match the newly created user/group on the new domain based on the old user/group that had permissions.
              I still strongly stick to my comment, not to touch the old domain and try fixing it, concentrate on the new domain instead and migrate only what you want,
              you could always migrate missing stuff if you find out it is missing.
              Migrate in stages, you don't have to migrate it all at once.
              Last edited by Akila; 6th November 2008, 19:27.
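
The inventory discussed in this thread (stale users by last logon, stale computers by modified time, empty groups, and groups referenced in file-server NTFS permissions) can be produced as a report without changing the old domain. The script below is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module is available, and the share path, output folder and 180-day cutoff are hypothetical placeholders.

```powershell
# Added example: report-only. Reads AD and NTFS ACLs, modifies nothing.
Import-Module ActiveDirectory

$StaleDays  = 180                        # assumed cutoff, adjust to policy
$ShareRoots = @('\\FILESRV01\Data')      # hypothetical file-server paths
$OutDir     = 'C:\Temp\ad-inventory'     # hypothetical output folder
$cutoff     = (Get-Date).AddDays(-$StaleDays)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Users: enabled accounts with no recent logon. Resource mailboxes and
# service accounts will appear here and need manual review.
Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv "$OutDir\stale-users.csv" -NoTypeInformation

# Computers: objects not modified since the cutoff.
Get-ADComputer -Filter * -Properties whenChanged |
    Where-Object { $_.whenChanged -lt $cutoff } |
    Select-Object Name, whenChanged, DistinguishedName |
    Export-Csv "$OutDir\stale-computers.csv" -NoTypeInformation

# Collect the SIDs that hold explicit (non-inherited) NTFS permissions.
$aclSids = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($root in $ShareRoots) {
    $dirs = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) { [void]$aclSids.Add($rule.IdentityReference.Value) }
    }
}

# Groups: member count plus whether the group's SID appears in a scanned ACL.
Get-ADGroup -Filter * -Properties member |
    Select-Object Name, GroupCategory,
        @{ n = 'MemberCount';     e = { $_.member.Count } },
        @{ n = 'ReferencedInAcl'; e = { $aclSids.Contains($_.SID.Value) } },
        DistinguishedName |
    Sort-Object MemberCount, ReferencedInAcl |
    Export-Csv "$OutDir\group-usage.csv" -NoTypeInformation
```

A group with `MemberCount` 0 and `ReferencedInAcl` False is only a candidate for review: the scan covers NTFS permissions on the listed paths and nothing else, and membership held through an account's primary group is not stored in the `member` attribute.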