I encountered a challenge today that was fun to fix. There’s an Organizational Unit in my AD setup that has historically been used to store disabled AD objects instead of deleting them.
When an employee leaves the organization, our standard procedure is as follows:
- Disable the user object
- Move it to a separate OU (i.e. AD://internal.msd/disabled/users)
- Update the Description field with something like: Disabled by [username] on [date]
- Retain the user object for x amount of days, then tombstone it.
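The four steps above, written out as an added PowerShell example using the ActiveDirectory module; this is not the original post's script. The OU distinguished name (my translation of AD://internal.msd/disabled/users into a DN), the 90-day retention value standing in for "x amount of days", and the function names are all assumptions. The cleanup half re-checks that an object is still disabled and that its Description carries the stamp from step 3 before it deletes anything, and it runs as a dry run unless you pass -Commit.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the original post's code. Assumed values:
#   $DisabledUsersOU  - DN form of AD://internal.msd/disabled/users
#   $RetentionDays    - the "x amount of days" from the procedure
$DisabledUsersOU = 'OU=users,OU=disabled,DC=internal,DC=msd'
$RetentionDays   = 90

function Disable-DepartedUser {
    # Steps 1-3: disable, stamp the Description, move to the disabled OU.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $operator = "$env:USERDOMAIN\$env:USERNAME"
    $stamp    = Get-Date -Format 'yyyy-MM-dd'
    $user     = Get-ADUser -Identity $SamAccountName -Properties Description

    Disable-ADAccount -Identity $user
    # Stamp before moving so the audit trail exists even if the move fails.
    Set-ADUser -Identity $user -Description "Disabled by $operator on $stamp"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledUsersOU
}

function Invoke-DisabledUserCleanup {
    # Step 4: delete objects in the disabled OU whose stamp is older than the
    # retention period. Dry run by default; -Commit actually deletes.
    param([switch]$Commit)

    $cutoff = (Get-Date).Date.AddDays(-$RetentionDays)
    $stampPattern = '^Disabled by (?<who>.+?) on (?<when>\d{4}-\d{2}-\d{2})$'

    Get-ADUser -SearchBase $DisabledUsersOU -SearchScope OneLevel `
               -Filter * -Properties Description, Enabled |
    ForEach-Object {
        $u = $_
        # Safety checks: skip anything re-enabled or not stamped by this procedure,
        # so a hand-placed or reactivated object is never silently deleted.
        if ($u.Enabled) {
            Write-Warning "$($u.SamAccountName) is enabled; skipping"
            return
        }
        if ($u.Description -notmatch $stampPattern) {
            Write-Warning "$($u.SamAccountName) has no 'Disabled by ... on ...' stamp; skipping"
            return
        }
        $disabledOn = [datetime]::ParseExact($Matches.when, 'yyyy-MM-dd', $null)
        if ($disabledOn -gt $cutoff) { return }   # still inside the retention window

        if ($Commit) {
            # Deleting the object is what creates the tombstone in AD.
            Remove-ADUser -Identity $u -Confirm:$false
            Write-Host "Deleted $($u.SamAccountName) (disabled $($Matches.when) by $($Matches.who))"
        } else {
            Write-Host "[DRY RUN] would delete $($u.SamAccountName) (disabled $($Matches.when))"
        }
    }
}

# Usage:
#   Disable-DepartedUser -SamAccountName jdoe
#   Invoke-DisabledUserCleanup            # review what would be removed
#   Invoke-DisabledUserCleanup -Commit    # remove objects past retention
```

Parsing the date out of the Description rather than trusting whenChanged means the retention clock is tied to the stamp the procedure itself wrote, and anything in the OU that lacks that stamp gets flagged instead of removed.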
Best laid plans of mice and men… yada yada…