Dealing with Active Directory operations in bulk can drive an administrator crazy. Thankfully, there are ways to automate Active Directory maintenance tasks such as adding users, deleting references to long-gone users or computers or automatically creating strong passwords for those users who won't do it for themselves.
In a busy environment, Active Directory can start to resemble the garage full of junk that never gets cleaned out. When expired users, nonexistent machine references and other clutter fill up Active Directory, performance and manageability problems surface. Manual cleanup of Active Directory isn't much fun and eats up a lot of time.
There are many tools that automate a good deal of the work involved in keeping Active Directory clean. One of the simplest is Special Operations Software's Active Directory Janitor, which scours an Active Directory store to find all objects that no longer seem to correspond to a "living" entity, such as an active computer or an existing user. The admin gets a report of all such suspect objects and can delete, disable or rearrange them as needed.
When scanning an Active Directory domain, Active Directory Janitor uses more than 30 customizable properties (such as last logon date, which is quite useful for finding dead user accounts). You can have it automatically flag user accounts that are a security risk based on certain conditions.
Another program that can help with Active Directory maintenance is NetPro's DirectoryAnalyzer. This tool handles another labor-intensive category of Active Directory management: checking for health problems such as replication latency or DNS inconsistencies and suggesting fixes for each flagged problem. Directory Analyzer can also provide statistics for replication and determine the impact of a given application, such as Exchange, on Active Directory behavior. It can also be integrated with framework applications such as Microsoft Operations Manager.
Another product from NetPro, ChangeAuditor, offers an easy way to track changes in Active Directory. The tool logs all changes made to Active Directory along with metadata about each change, such as who made it, when and under what conditions.
Quest Software Inc. has many products for Active Directory maintenance, including Reporter, which audits and tracks all changes made to Active Directory -- i.e., who did what to whose records and when -- and shows whether those changes were made by hand or by other Quest products. Quest's ActiveRoles Direct is another product admins can use to help with Active Directory maintenance. It speeds deployments of Active Directory or the creation of new user groups according to specific criteria.
Five back-end tasks Windows administrators should automate
Introduction
Automating Active Directory maintenance
Automating Group Policy Object management tasks
Automating DNS management tasks
Automating full-system backups
Automating Web server log archiving
About the author: Serdar Yegulalp is editor of Windows Insight, (formerly the Windows Power Users Newsletter), a blog site devoted to hints, tips, tricks and news for users and administrators of Windows NT, Windows 2000, Windows XP, Windows Server 2003 and Vista. He has more than 12 years of Windows experience under his belt, and contributes regularly to SearchWinComputing.com and SearchSQLServer.com.
