Hide disabled users, service accounts, and generic accounts from the Outlook organization chart direct reports.

An organization may require the manager attribute to be set on every account so that the owner of each account can be tracked (who owns each service account and generic account, and which user reports to whom). For user accounts this works well, because the reporting line is exactly what the Outlook organization chart displays.

Problem:-

  1. Service accounts and generic accounts are also listed in the Outlook organization chart. We want to keep a manager assigned on them, but they should not be visible in the org chart.
  2. Newly disabled users are not removed from the org chart. For instance, when we mark an employee as disabled, remove their licensing and block access, the departed employee still shows on the org chart. Microsoft support suggested two fixes: clear the manager attribute (ManagerID), which organization policy does not allow us to do, or delete the user from AD, which we also cannot do immediately for disabled users.

We would like the org chart to recognise disabled or hidden users and not display them, so that the org chart is correct all of the time.

Solution:-

  1. Service accounts / generic accounts without mail enabled: by default the msExchHideFromAddressLists attribute is not set, which behaves as False, so the account shows up in the address book and the org chart. Set it to True.
  2. Service accounts / generic accounts with mail enabled (a very rare case): check whether each such account needs to be hidden; if not, leave it as it is. Handle these on a case-by-case basis only.
  3. Disabled user accounts: when the account is disabled, additionally set msExchHideFromAddressLists to True so that it no longer shows up in the address book. You can also schedule a script that sets msExchHideFromAddressLists to True for disabled users only. If a disabled user is later re-enabled, a process must be defined to reset msExchHideFromAddressLists to <Not set>.
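The scheduled script from step 3, as an added example that is not part of the original post. It hides disabled users that still have a manager assigned, and also implements the reverse process the step asks for: re-enabled users that still carry the flag get it cleared back to <Not set>. It assumes the ActiveDirectory module and an Exchange-extended schema (so msExchHideFromAddressLists exists); the OU path and log path are placeholders. The OU is assumed to contain only people, because the un-hide step would otherwise clear the flag on enabled mail-enabled service accounts that were hidden deliberately under step 2.

```powershell
# Added example (not from the original post): scheduled job that hides
# disabled users from the address book / org chart and un-hides re-enabled ones.
# Assumptions: ActiveDirectory module present, Exchange schema extension in
# place, $SearchBase contains only people (not service accounts).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Users,DC=example,DC=com',        # placeholder OU
    [string]$LogPath    = 'C:\Logs\HideFromAddressLists.log'   # placeholder path
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# 1. Disabled users that still have a manager assigned but are not hidden yet.
#    The manager link is left untouched; only address-book visibility changes.
$toHide = @(
    Get-ADUser -SearchBase $SearchBase `
               -Filter { Enabled -eq $false -and manager -like '*' } `
               -Properties msExchHideFromAddressLists, manager |
    Where-Object { $_.msExchHideFromAddressLists -ne $true }
)

foreach ($user in $toHide) {
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Set msExchHideFromAddressLists = True')) {
        Set-ADUser -Identity $user -Replace @{ msExchHideFromAddressLists = $true }
        Write-Log "HIDE   $($user.SamAccountName) (manager: $($user.manager))"
    }
}

# 2. Reverse process: enabled users that still carry the flag (re-enabled
#    after a disable) get it cleared, i.e. back to <Not set>.
$toUnhide = @(
    Get-ADUser -SearchBase $SearchBase `
               -Filter { Enabled -eq $true -and msExchHideFromAddressLists -eq $true } `
               -Properties msExchHideFromAddressLists
)

foreach ($user in $toUnhide) {
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Clear msExchHideFromAddressLists')) {
        Set-ADUser -Identity $user -Clear msExchHideFromAddressLists
        Write-Log "UNHIDE $($user.SamAccountName)"
    }
}

Write-Log "Done: hidden=$($toHide.Count) unhidden=$($toUnhide.Count)"
```

Run it once with `-WhatIf -Verbose` to review which accounts would change before registering it as a scheduled task; the log records every change with the manager value so ownership stays auditable even while the account is hidden.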



Active Directory Domain Discovery Checklist

During an AD DS migration or health check, system engineers and auditors need a checklist of what should be discovered. This is a working checklist, created here for peer review and peer additions. It tries to take into account all the high-level items one needs to look for during an AD DS discovery or audit.

This checklist is not meant to be a step-by-step guide but a high level overview to keep track of what needs to be discovered.

| SR.NO | Category | Sub-Category | Status |
|---|---|---|---|
| 1 | Domain(s) discovery – Forest Information | | |
| 1.1 | | All trusts | |
| 1.2 | | Stale or broken trusts | |
| 1.3 | | Forest Functional Level | |
| 1.4 | | Domains/Sites/DC/GC/Exchange/Other | |
| 1.5 | | Forest Features | |
| 1.6 | | Tombstone lifetime | |
| 1.7 | | SID filter info | |
| 2 | Sites and Services | | |
| 2.1 | | Summary | |
| 2.2 | | Site names | |
| 2.3 | | Locations | |
| 2.4 | | Domains | |
| 2.5 | | DCs | |
| 2.6 | | Subnets | |
| 2.7 | | Site connections | |
| 2.8 | | Site links | |
| 2.9 | | Replication Interval | |
| 2.10 | | GPOs | |
| 2.11 | | Site mirroring between domains and other domains/forests | |
| 3 | Domain Controllers | | |
| 3.1 | | IP addresses | |
| 3.2 | | Names | |
| 3.3 | | Disk space report | |
| 3.4 | | Server up time | |
| 3.5 | | Physical Locations | |
| 3.6 | | Sites and Services | |
| 3.7 | | Subnets | |
| 3.8 | | Missing Subnets | |
| 3.9 | | Sites | |
| 3.10 | | Journal Wrap (if FRS) | |
| 3.11 | | Is DFS used in the environment | |
| 3.12 | | Schema Extensions | |
| 3.13 | | AD FS | |
| 3.14 | | Azure connections | |
| 4 | Security | | |
| 4.1 | | Security Patch report | |
| 4.2 | | What is the patching process | |
| 4.3 | | What patches are missing | |
| 4.4 | | Vulnerability scan | |
| 4.5 | | Is ATA implemented | |
| 4.6 | | Is LAPS implemented | |
| 4.7 | | Are authentication policies and authentication policy silos implemented | |
| 4.8 | | Have default ACLs been changed | |
| 5 | DNS | | |
| 5.1 | | AD integrated zones | |
| 5.2 | | Forest replicated zones | |
| 5.3 | | Domain replicated zones | |
| 5.4 | | Conditional forwarding | |
| 5.5 | | Domain level auditing | |
| 6 | Infrastructure Services | | |
| 6.1 | | Authorized DHCP server discovery | |
| 6.2 | | WINS server discovery | |
| 6.3 | | Exchange server discovery | |
| 6.4 | | SCCM server discovery | |
| 6.5 | | WSUS | |
| 6.6 | | Other | |
| 7 | Applications in the environment | | |
| 7.1 | | Manager per App | |
| 7.2 | | Owner per App | |
| 7.3 | | Tier or SLA (how critical is the app) | |
| 7.4 | | Authentication method | |
| 7.5 | | Local | |
| 7.6 | | Active Directory | |
| 7.7 | | Other | |
| 8 | Networking | | |
| 8.1 | | Physical site list | |
| 8.2 | | Subnets at each site | |
| 8.3 | | Site link speed and utilization level (how saturated is the link) | |
| 8.4 | | Network Topology | |
| 8.5 | | Firewall locations | |
| 8.6 | | VLAN restrictions | |
| 8.7 | | Router ACLs | |
| 9 | Users | | |
| 9.1 | | All | |
| 9.2 | | Detailed information | |
| 9.3 | | Initial count | |
| 9.4 | | Ongoing count for growth projections | |
| 9.5 | | Disabled | |
| 9.6 | | Count | |
| 9.7 | | Password no expire | |
| 9.8 | | Count | |
| 9.9 | | Token size report | |
| 9.10 | | Locked users | |
| 9.11 | | Dial-in enabled | |
| 9.12 | | Delegation | |
| 9.13 | | Password not required | |
| 9.14 | | Password must change | |
| 9.15 | | Service accounts (accounts running as a service on computers in the domain) | |
| 10 | Computers | | |
| 10.1 | | Detailed report – plus the following | |
| 10.2 | | With OS attribute populated | |
| 10.3 | | Without OS attribute populated | |
| 10.4 | | Are cluster accounts documented | |
| 10.5 | | Total computer objects | |
| 10.6 | | Disabled | |
| 10.7 | | Grouped by function | |
| 10.8 | | Workstations | |
| 10.9 | | Initial count | |
| 10.10 | | Ongoing count for growth projections | |
| 10.11 | | Stale | |
| 10.12 | | Disabled | |
| 10.13 | | Servers | |
| 10.14 | | Initial count | |
| 10.15 | | Ongoing count for growth projections | |
| 10.16 | | Stale | |
| 10.17 | | Disabled | |
| 11 | Contacts | | |
| 11.1 | | Count | |
| 11.2 | | Logical location | |
| 12 | Groups | | |
| 12.1 | | Initial count | |
| 12.2 | | Ongoing count for growth projections | |
| 12.3 | | Empty | |
| 12.4 | | Similar | |
| 12.5 | | Nested | |
| 12.6 | | Global groups | |
| 12.7 | | Global distribution groups | |
| 12.8 | | Domain local security | |
| 12.9 | | Domain local distribution | |
| 12.10 | | Admin built-in groups | |
| 12.11 | | Enterprise Admins | |
| 12.12 | | Schema Admins | |
| 12.13 | | Domain Admins | |
| 12.14 | | DNS Admins | |
| 12.15 | | Administrators | |
| 12.16 | | Account Operators | |
| 12.17 | | Cert Publishers | |
| 12.18 | | Backup Operators | |
| 12.19 | | Print Operators | |
| 12.20 | | Server Operators | |
| 12.21 | | Membership details | |
| 12.22 | | Membership counts | |
| 13 | Group Policy | | |
| 13.1 | | Backup all GPOs | |
| 13.2 | | Not linked | |
| 13.3 | | Empty | |
| 13.4 | | Disabled | |
| 13.5 | | No Settings | |
| 13.6 | | Passwords in Group Policy | |
| 13.7 | | Scripts/applications in GPOs | |
| 13.8 | | Bat files | |
| 13.9 | | Exe files | |
| 13.10 | | VBScripts | |
| 13.11 | | KixScripts | |
| 13.12 | | PowerShell scripts | |
| 13.13 | | Images in GPOs | |
| 13.14 | | Default Domain Policy – Standard or modified? | |
| 13.15 | | Default Domain Controllers – Standard or modified? | |
| 13.16 | | Who can join computers to the domain | |
| 14 | Sysvol/Netlogon (What items are stored in Sysvol/Netlogon) | | |
| 14.1 | | Bat files | |
| 14.2 | | Exe files | |
| 14.3 | | VBScripts | |
| 14.4 | | KixScripts | |
| 14.5 | | PowerShell scripts | |
| 14.6 | | Images | |
| 14.7 | | Shortcuts | |

Reference: https://social.technet.microsoft.com/wiki/contents/articles/38512.active-directory-domain-discovery-checklist.aspx
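Several of the checklist rows (1.x forest information, 9.x user counts, 10.x computer counts and 12.x privileged group membership) can be gathered by one script so that the findings are exported and can be diffed between audits. The script below is an added example, not part of the checklist or the TechNet wiki page it references; it assumes the ActiveDirectory module, and the output folder and the 90-day stale threshold are assumptions to adjust for the environment.

```powershell
# Added example: collects a subset of the AD DS discovery checklist into one
# summary object plus a CSV of privileged group members.
# Assumptions: ActiveDirectory module available; $StaleDays and $OutDir are
# placeholders, not values from the checklist.
param(
    [int]$StaleDays = 90,                         # assumed stale threshold
    [string]$OutDir = "$env:TEMP\AD-Discovery"    # assumed output folder
)

Import-Module ActiveDirectory -ErrorAction Stop
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1.x Forest information: functional level, domains/GCs, tombstone lifetime, trusts.
$forest  = Get-ADForest
$rootDse = Get-ADRootDSE
$dsCfg   = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                        -Properties tombstoneLifetime

$report = [ordered]@{
    ForestName        = $forest.Name
    ForestMode        = $forest.ForestMode.ToString()
    Domains           = ($forest.Domains -join ';')
    GlobalCatalogs    = ($forest.GlobalCatalogs -join ';')
    TombstoneLifetime = $dsCfg.tombstoneLifetime   # empty = attribute not set (legacy default applies)
    Trusts            = ((Get-ADTrust -Filter * | ForEach-Object { "$($_.Name):$($_.Direction)" }) -join ';')
}

# 9.x Users: disabled, password never expires, password not required,
# delegation, and accounts carrying an SPN (service accounts).
$userFilters = @{
    'Users.Disabled'             = { Enabled -eq $false }
    'Users.PasswordNeverExpires' = { Enabled -eq $true -and PasswordNeverExpires -eq $true }
    'Users.PasswordNotRequired'  = { PasswordNotRequired -eq $true }
    'Users.TrustedForDelegation' = { TrustedForDelegation -eq $true }
    'Users.WithSPN'              = { ServicePrincipalName -like '*' }
}
foreach ($key in $userFilters.Keys) {
    $report[$key] = @(Get-ADUser -Filter $userFilters[$key]).Count
}

# 10.x Computers: total, disabled, OS attribute missing, stale by lastLogonTimestamp.
# Computers that never logged on have no lastLogonTimestamp and count as stale.
$cutoff    = (Get-Date).AddDays(-$StaleDays).ToFileTime()
$computers = @(Get-ADComputer -Filter * -Properties OperatingSystem, lastLogonTimestamp)
$report['Computers.Total']    = $computers.Count
$report['Computers.Disabled'] = @($computers | Where-Object { -not $_.Enabled }).Count
$report['Computers.NoOS']     = @($computers | Where-Object { -not $_.OperatingSystem }).Count
$report['Computers.Stale']    = @($computers | Where-Object { $_.lastLogonTimestamp -lt $cutoff }).Count

# 12.10-12.22 Admin built-in groups: recursive membership details and counts.
# Enterprise/Schema Admins exist only in the forest root domain, hence try/catch.
$privGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'DnsAdmins',
              'Administrators', 'Account Operators', 'Cert Publishers',
              'Backup Operators', 'Print Operators', 'Server Operators'
$members = foreach ($g in $privGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
    } catch {
        Write-Warning "Group '$g' not found or not readable: $_"
    }
}
$members | Export-Csv -Path (Join-Path $OutDir 'PrivilegedGroupMembers.csv') -NoTypeInformation
$report['Groups.PrivilegedMemberCount'] = @($members).Count

[pscustomobject]$report | Export-Csv -Path (Join-Path $OutDir 'Summary.csv') -NoTypeInformation
[pscustomobject]$report
```

Run the script from a domain-joined host with read access to the directory; keeping each run's Summary.csv gives the "initial count" and "ongoing count for growth projections" rows of the checklist without further effort, and the member CSV covers the membership details and counts rows for the built-in admin groups.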