I regularly find myself talking to my customers about the importance of housekeeping your other Microsoft products, as this has a knock-on effect on the data held within your System Center 2012 R2 Configuration Manager environment. I therefore thought I would write a blog post around this and why you should perform regular housekeeping.
Active Directory is a key component of Configuration Manager. It is generally used for importing the users and devices that are managed by Configuration Manager and, as such, must be kept as accurate as possible so that features such as reporting, compliance, asset intelligence and patching / software deployments can be measured accurately. You don’t want to be sending your boss poor information on licence usage for the annual true-up! This is also important from a security perspective, as you don’t want stale accounts to be able to log on to your infrastructure.
Each organisation has different policies with regards to stale accounts, so there is no single right answer. I generally recommend that my customers remove anything older than 90 days from their Active Directory, as this is a fair indication that the person or device is more than likely inactive.
How to clean your Active Directory
There are many ways that your Active Directory can be cleaned. You can use one of the many PowerShell scripts available online and set it up as a scheduled task to run once a week. I would recommend starting by looking at the TechNet script gallery here.
There are also GUI tools, e.g. ADTidy, that can be used to report on and manipulate accounts. I used ADTidy for a large Active Directory migration from 4 forests into 1 and it was a life saver for quickly gathering accurate information and creating reports. Before performing your housekeeping, if it is not already in place, I would advise configuring the Active Directory Recycle Bin so that any mistakenly removed accounts can be restored. If you have a nervous boss then I would suggest that you disable the account first and configure your Configuration Manager maintenance task to remove disabled accounts.
Once you have disabled and / or deleted these accounts, they will be removed by your maintenance tasks within Configuration Manager. By default this can take some time (90 days); if you would like it done on a more aggressive timescale, adjust the tasks accordingly.
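As an added example (not the author's script, nor one from the TechNet gallery), the PowerShell below implements the "disable first, let the maintenance task delete" approach described above: it reports user and computer accounts with no logon in the last 90 days, refuses to touch anything until the AD Recycle Bin is enabled, and only disables when run with -Disable. It assumes the ActiveDirectory RSAT module and a domain-joined session with rights to modify the accounts; the parameter names and the CSV file name are my own choices.

```powershell
# Added example: report on, and optionally disable, AD accounts with no logon
# in the last $InactiveDays days. Default run is report-only.
param(
    [int]$InactiveDays = 90,
    [switch]$Disable,
    [string]$SearchBase = (Get-ADDomain).DistinguishedName
)
Import-Module ActiveDirectory

# Refuse to disable anything unless the Recycle Bin is enabled, so mistakes can be undone.
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($Disable -and -not $recycleBin.EnabledScopes) {
    throw "AD Recycle Bin is not enabled; enable it before disabling accounts."
}

$cutoff = (Get-Date).AddDays(-$InactiveDays)
$stale  = @()

# Search-ADAccount -AccountInactive relies on lastLogonTimestamp, which is replicated
# but only refreshed roughly every 14 days, so treat the result as "at least this old".
foreach ($type in 'UsersOnly', 'ComputersOnly') {
    $params = @{
        AccountInactive = $true
        TimeSpan        = New-TimeSpan -Days $InactiveDays
        SearchBase      = $SearchBase
        $type           = $true
    }
    $stale += Search-ADAccount @params |
        # Already-disabled accounts are left for the ConfigMgr maintenance task to remove.
        Where-Object { $_.Enabled } |
        # Accounts created inside the window simply have not logged on yet; skip them.
        Where-Object { (Get-ADObject $_.DistinguishedName -Properties whenCreated).whenCreated -lt $cutoff }
}

# Always produce a report, so the change can be reviewed (or shown to the boss) first.
$report = $stale | Select-Object Name, ObjectClass, LastLogonDate, DistinguishedName
$report | Export-Csv -Path ".\StaleAccounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$report | Format-Table -AutoSize

if ($Disable) {
    foreach ($acct in $stale) {
        # Stamp the object so whoever reviews it later can see why and when it was disabled.
        Set-ADObject -Identity $acct.DistinguishedName `
            -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $InactiveDays days"
        Disable-ADAccount -Identity $acct.DistinguishedName
    }
}
```

Run it once without -Disable and check the CSV against known service and shared-workstation accounts before scheduling it weekly with -Disable.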
TURN SCAVENGING ON!!!
If you don’t, you will eventually see a plethora of issues within your Configuration Manager environment, affecting discovery, remote control, software distribution and reporting, because the multitude of stale dynamic DNS records will cause confusion when those processes run.
As with the Active Directory discussion above, it is entirely up to you how you configure your DNS housekeeping, but I see no issues with leaving the default 7-day removal configured on your zone.
Pretty much all the customers I talk to haven’t changed the default maintenance tasks within their Configuration Manager site. Spend some time reviewing them, understanding what they do and configuring them to your needs. As with the other topics I have discussed, each environment has its own requirements.