It seems no matter how much you try, you can never get those damned orphaned homedirs cleaned up. Well, this helps. Our org always has additional groups in the homedir ACLs (no, we don't just let the users have whatever they want in there, so we have to monitor). This confuses most orphaned-file checkers, since there is still a group in the ACL that resolves, so the folder never looks orphaned. Read on for the code and an example.
What this script does is scan a directory's subdirectories (as with many home shares, each subdirectory name is the AD account name) and look each name up as an AD account. If no account with that sAMAccountName exists, it prints the folder's ACL (from ICACLS) and prompts whether to move the files. If you say yes, it moves them (with robocopy) to the directory you specified as the second argument (wscript.arguments(1)).
```vbscript
' Example: cscript orphaned-files.vbs "T:\" "T:\~archive\"   (T: is a mapped drive)
' Both paths need the trailing backslash: the script appends the folder name to them.
strDomain = "dc=yourdomain,dc=com"
strFromDir = WScript.Arguments(0)
strToDir = WScript.Arguments(1)

Set FSO = CreateObject("Scripting.FileSystemObject")
ShowSubFolders FSO.GetFolder(strFromDir)

' Walk the top-level subfolders of the home share; each folder name is
' expected to be the owning user's AD account name.
Sub ShowSubFolders(Folder)
    For Each Subfolder In Folder.SubFolders
        'WScript.Echo Subfolder.Path
        sUserName = Replace(Subfolder.Path, strFromDir, "")
        UserExist sUserName
    Next
End Sub

' Look the folder name up as a sAMAccountName; if nothing comes back,
' report it and show the folder's ACL.
Sub UserExist(sUserName)
    dtStart = TimeValue(Now())   ' not used further
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Open "Provider=ADsDSOObject;"
    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection
    ' The folder name goes into the LDAP filter as-is; a folder name
    ' containing ( ) * or \ will break or change the query.
    objCommand.CommandText = _
        "<LDAP://" & strDomain & ">;(&(objectCategory=User)" & _
        "(samAccountName=" & sUserName & "));samAccountName;subtree"
    Set objRecordSet = objCommand.Execute
    If objRecordSet.RecordCount = 0 Then
        WScript.Echo "*******************sAMAccountName: " & sUserName & " does not exist."
        DisplayACLS sUserName
    End If
    objConnection.Close
End Sub

' Print the folder's ACL with ICACLS and ask whether to archive it.
Sub DisplayACLS(sUserName)
    Set objShell = CreateObject("WScript.Shell")
    ' Path is quoted so folder names with spaces work.
    Set objWshScriptExec = objShell.Exec("ICACLS """ & strFromDir & sUserName & """")
    Set objStdOut = objWshScriptExec.StdOut
    strLine = objStdOut.ReadAll
    WScript.Echo strLine
    intAnswer = _
        MsgBox("Do you want to move these files?", _
               vbYesNo, "Move Files")
    If intAnswer = vbYes Then
        MoveFiles sUserName
    Else
        WScript.Echo "Skipping Files"
        WScript.Echo "*******************"
    End If
End Sub

' Move the folder tree to the archive location, keeping data, attributes
' and timestamps (/COPY:DAT) and using backup mode (/ZB) for files the
' running account cannot otherwise read.
Sub MoveFiles(sUserName)
    WScript.Echo "Moving Files"
    WScript.Echo "*******************"
    Set wshShell = WScript.CreateObject("WScript.Shell")
    rc = wshShell.Run("cmd /c robocopy """ & strFromDir & sUserName & """ """ & _
        strToDir & sUserName & """ /S /E /MOVE /COPY:DAT /V /NP /NFL /ZB /R:3 /W:3 /TEE", 1, False)
    Set wshShell = Nothing
End Sub
```
Example Output:
```text
*******************sAMAccountName: username does not exist.
S:\username BUILTIN\Administrators:(OI)(CI)(F)
            CREATOR OWNER:(OI)(CI)(IO)(F)
            (OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
Moving Files
*******************
```
quick question:
why would other 'orphaned file checkers' be confused? if the 'owner' of a file doesn't exist in AD, then the file is a good candidate to be tagged 'orphaned', no?
or are you saying that some also look at the ACL to make the determination? would you mind sharing which software products you had experience with that failed at this?
when doing a folder-based orphaned lookup (like removing old home directories), the owner isn't necessarily the best object to go by when determining orphaned directories. Our files have been moved many, many times, and in the process the account doing the migration (or some other account, for some other reason) usually ends up with ownership, not the person that is no longer there. Also, there may be files where the owner no longer exists but that sit in shared directories where other users access those files, so that is also not an orphaned directory.
This script helps me because I can do a lookup on home directories for users that no longer exist in AD, but it protects me because some of those folders may have had rights added to them for other purposes (HR, supervisor, etc.) and would need to be followed up on. I think ACL inclusion in orphaned-file checks is a must; I also think that a "folder" can be determined to be orphaned only if administrative groups have access (such as computerAdministrators or global-admin-only groups).
I've used Tek-Tool's Profiler and NetApp's file SRM tool.
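The ACL rule described in the reply above (once the AD lookup has failed for the folder name, treat the folder as orphaned only if nothing but admin-only groups and unresolvable SIDs remain in its ACL) applied to the ICACLS output the script prints, as an added example that is not part of the original post. The sample output, the CORP domain and the admin-principal set are constructed assumptions.

```python
import re

# Constructed sample of what the script's "ICACLS <homedir>" call prints for a
# folder whose name no longer resolves in AD. The raw S-1-5-21 SID is how icacls
# shows a deleted account; the HR group is a leftover grant that still resolves.
SAMPLE_OUTPUT = """S:\\jdoe BUILTIN\\Administrators:(OI)(CI)(F)
      CREATOR OWNER:(OI)(CI)(IO)(F)
      S-1-5-21-1111111111-2222222222-3333333333-1105:(OI)(CI)(F)
      CORP\\hr-offboarding:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that do not count as "someone still needs this folder" (assumed set;
# add your own admin-only groups such as computerAdministrators).
ADMIN_PRINCIPALS = {
    "BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER",
    "CORP\\Domain Admins", "CORP\\computerAdministrators",
}
ACE_RE = re.compile(r"^(?P<who>[^:()]+):(?P<rights>(?:\([^)]*\))+)$")
DEAD_SID_RE = re.compile(r"^S-1-5-21(?:-\d+)+$")  # domain SID icacls could not resolve


def parse_icacls(output, path):
    """Return {principal: rights} from icacls output for one folder. icacls prints
    the path in front of the first ACE only, so the caller passes the path it
    asked about and it is stripped from that line."""
    aces = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path + " "):
            line = line[len(path) + 1:].strip()
        m = ACE_RE.match(line)
        if m:  # anything else (warnings, blank principal) is not a usable ACE
            aces[m.group("who")] = m.group("rights")
    return aces


def classify_homedir(output, path, admins=ADMIN_PRINCIPALS):
    """'orphaned' if every ACE is an admin-only principal or a dead SID;
    otherwise 'follow-up', with the live grants that need a human decision."""
    aces = parse_icacls(output, path)
    dead = sorted(w for w in aces if DEAD_SID_RE.match(w))
    live = sorted(w for w in aces if w not in admins and not DEAD_SID_RE.match(w))
    return ("orphaned" if not live else "follow-up"), live, dead


if __name__ == "__main__":
    print(classify_homedir(SAMPLE_OUTPUT, "S:\\jdoe"))
```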