Automating archival of disabled users’ data


Managing users in Active Directory is part and parcel of IT life. When someone leaves a company, the first thing we do of course is disable that user. But what about their data? Is their profile still taking up valuable real estate on the production file server? Should we be archiving it somewhere else? It’s particularly difficult to manage this when multiple people are managing users – some of whom may or may not even know the archive policies.

So anyway, let’s just cut to the chase because I’m tired. Here’s a PowerShell script to automate the archive of users’ profile data to an archive location, once a user is disabled or deleted. Just stick it in scheduled tasks to run once a day and never worry about archiving users again.

#Constants
#Users' home folders.
$folder = "g:\users"
#Administrator account that is granted access to the files so they can be moved.
$administrator = "DOMAINNAME\administrator"
#Archive to move files to
$archive = "f:\temp\users"

#Each home folder is named after the user's sAMAccountName
$users = Get-ChildItem $folder -Directory | Select-Object -ExpandProperty Name
foreach ($user in $users) {
    $moveFolder = Join-Path $folder $user
    #dsquery prints the account's DN when it exists and nothing when it does not
    if (dsquery user -samid $user) {
        #Reset first so a failed lookup cannot reuse the previous user's value
        $enabled = $null
        $enabled = Get-ADUser -Identity $user | Select-Object -ExpandProperty Enabled
        "${user}: $enabled"
        #Only disabled accounts are archived
        if ($enabled -ne $false) { continue }
    } else {
        "$user no longer exists. Preparing to move folder to archive"
    }
    "Move $moveFolder to $archive"
    #Grant permissions to the administrator (Add-NTFSAccess comes from the NTFSSecurity module)
    Get-ChildItem -Path $moveFolder -Recurse | Add-NTFSAccess -Account $administrator -AccessRights FullControl
    Move-Item $moveFolder $archive
}

So that’s it. You might need to add something to take ownership, if that’s a problem in NTFS but overall, this should work for most environments. I’ll revisit and refine this when I’m less tired but the above certainly works.

If you wish to automate it from Task Scheduler, you’d better load the AD module by putting this at the top of the script:

"Importing AD Module"
import-module activedirectory
"AD Module loaded"

As always, watch the cut and paste – sometimes this WordPress theme changes quotes into backticks, etc.
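The script above treats an empty dsquery result as a deleted account, so a directory lookup that fails (for example, no domain controller reachable when the task runs) would send every home folder to the archive. The following is an added example, not the author's script, that separates "account not found" from "lookup failed" and supports -WhatIf for a dry run; Get-ArchiveDecision, $HomeRoot and $ArchiveRoot are names assumed here, with the paths copied from the constants above.

```powershell
# Added example: classify each home folder before moving anything.
# $HomeRoot / $ArchiveRoot mirror $folder / $archive from the original script.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$HomeRoot    = 'g:\users',
    [string]$ArchiveRoot = 'f:\temp\users'
)
Import-Module ActiveDirectory -ErrorAction Stop

# Hypothetical helper: returns Enabled, Disabled, Deleted or LookupFailed.
function Get-ArchiveDecision {
    param([Parameter(Mandatory)][string]$SamAccountName)
    try {
        $account = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # The directory answered and the account is not there.
        return 'Deleted'
    } catch {
        # Anything else (server down, access denied) is not proof of deletion.
        return 'LookupFailed'
    }
    if ($account.Enabled) { return 'Enabled' }
    return 'Disabled'
}

foreach ($dir in Get-ChildItem -Path $HomeRoot -Directory) {
    $decision = Get-ArchiveDecision -SamAccountName $dir.Name
    switch ($decision) {
        'LookupFailed' { Write-Warning "$($dir.Name): AD lookup failed, folder left in place" }
        'Enabled'      { Write-Verbose "$($dir.Name): account enabled, nothing to do" }
        default {
            # Disabled or Deleted: never merge into an existing archive folder.
            $target = Join-Path $ArchiveRoot $dir.Name
            if (Test-Path -LiteralPath $target) {
                Write-Warning "$($dir.Name): $target already exists, skipped"
            } elseif ($PSCmdlet.ShouldProcess($dir.FullName, "Move to $ArchiveRoot ($decision)")) {
                Move-Item -LiteralPath $dir.FullName -Destination $ArchiveRoot
            }
        }
    }
}
```

Running it once with -WhatIf -Verbose lists what would be moved without touching the file server.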

About the Author

Rodney

I’m a veteran of way too many years of IT (although I still love it) and I currently head up the technical work over at Host One (major sponsor of this site), where I’m also a partner. Feel free to ask me anything about Cloud Computing and I’ll try to be helpful, in a non-salesy kind of way.