Script: Check for Orphaned HomeDirs

It seems no matter how much you try, you cannot ever get those damned orphaned homedirs cleaned up. Well, this helps. Our org always has additional groups in the homedir ACL (no, we don’t just let the users have whatever they want in there, so we have to monitor). This confuses most orphaned file checkers, because the ACL still contains a group that resolves, so nothing looks orphaned. Read on for the code and an example.

What this script does is scan a directory’s subdirectories (with most homedirs, each subdirectory is named after the AD account). It then tries to match each subdirectory name to an AD sAMAccountName. If no such account exists, it prints the folder’s ACL (via ICACLS) and prompts you to move the files. If you say yes, it moves them with robocopy into the directory you specified as the second argument (wscript.arguments(1)). Two things to keep in mind: the folder name is dropped straight into the LDAP filter, so a folder whose name contains ( ) * or \ will break the query rather than match; and the move uses /COPY:DAT, which copies data, attributes and timestamps only, so the ACL printed before the prompt is your only record of who else had rights to that folder.

' Example: cscript orphaned-files.vbs "T:\" "T:\~archive\"
' where T: is a mapped drive. Both paths need the trailing backslash:
' the script builds "<from>\<user>" and "<to>\<user>" by plain concatenation.
strDomain = "dc=yourdomain,dc=com"
strFromDir = WScript.Arguments(0)   ' root that holds one subfolder per user
strToDir = WScript.Arguments(1)     ' archive root that orphaned folders move to

Set FSO = CreateObject("Scripting.FileSystemObject")
ShowSubFolders FSO.GetFolder(strFromDir)

' Walk the immediate subfolders; each folder name is assumed to be a sAMAccountName.
Sub ShowSubFolders(Folder)
    For Each Subfolder In Folder.SubFolders
        'WScript.Echo Subfolder.Path
        sUserName = Replace(Subfolder.Path, strFromDir, "")
        UserExist sUserName
    Next
End Sub

' Look the folder name up in AD by sAMAccountName; no hit means the account is gone.
Sub UserExist(sUserName)
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Open "Provider=ADsDSOObject;"
    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection
    ' The folder name goes into the filter as-is, so names containing
    ' ( ) * or \ break the query instead of matching.
    objCommand.CommandText = _
        "<LDAP://" & strDomain & ">;(&(objectCategory=User)" & _
        "(samAccountName=" & sUserName & "));samAccountName;subtree"
    Set objRecordSet = objCommand.Execute
    If objRecordSet.RecordCount = 0 Then
        WScript.Echo "*******************sAMAccountName: " & sUserName & " does not exist."
        DisplayACLS sUserName
    End If
    objConnection.Close
End Sub

' Print the folder's ACL (ICACLS output) so leftover group grants are visible, then ask.
Sub DisplayACLS(sUserName)
    Set objShell = CreateObject("WScript.Shell")
    ' Path is quoted so folder names with spaces still work.
    Set objWshScriptExec = objShell.Exec("ICACLS """ & strFromDir & sUserName & """")
    Set objStdOut = objWshScriptExec.StdOut
    strLine = objStdOut.ReadAll
    WScript.Echo strLine
    intAnswer = MsgBox("Do you want to move these files?", vbYesNo, "Move Files")
    If intAnswer = vbYes Then
        MoveFiles sUserName
    Else
        WScript.Echo "Skipping Files"
        WScript.Echo "*******************"
    End If
End Sub

' Move the folder into the archive with robocopy. /COPY:DAT copies data, attributes
' and timestamps only, so the explicit ACL shown above is not carried over.
Sub MoveFiles(sUserName)
    WScript.Echo "Moving Files"
    WScript.Echo "*******************"
    Set wshShell = WScript.CreateObject("WScript.Shell")
    rc = wshShell.Run("cmd /c robocopy """ & strFromDir & sUserName & """ """ & strToDir & sUserName & """ /S /E /MOVE /COPY:DAT /V /NP /NFL /ZB /R:3 /W:3 /TEE", 1, False)
    Set wshShell = Nothing
End Sub

Example Output:

*******************sAMAccountName: username does not exist.
S:\username BUILTIN\Administrators:(OI)(CI)(F)
         CREATOR OWNER:(OI)(CI)(IO)(F)
         (OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
Moving Files
*******************
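The same check rewritten in PowerShell, as an added example that is not part of the original post: it escapes the folder name before it goes into the LDAP filter, lists every ACE rather than just the owner, only reports unless -Move is given, and checks robocopy’s exit code. It assumes the ActiveDirectory module (RSAT) is installed and that folder names map to sAMAccountName exactly as above; the script and parameter names are my own.

```powershell
# Added example: PowerShell version of the orphaned-homedir check (not the post's code).
# Usage: .\Find-OrphanedHomeDirs.ps1 -FromDir 'T:\' -ToDir 'T:\~archive' [-Move]
param(
    [Parameter(Mandatory)][string]$FromDir,   # root holding one folder per user
    [Parameter(Mandatory)][string]$ToDir,     # archive root for orphaned folders
    [switch]$Move                             # without -Move the script only reports
)
Import-Module ActiveDirectory   # RSAT; assumed available

# Escape the RFC 4515 special characters so a folder named e.g. "a)(b"
# cannot change the meaning of the filter. Backslash goes first so the
# escapes added afterwards are not escaped again.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

Get-ChildItem -LiteralPath $FromDir -Directory | ForEach-Object {
    $name   = $_.Name
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $name)))"
    if (Get-ADUser -LDAPFilter $filter) { return }   # account still exists; next folder

    Write-Host "******************* sAMAccountName: $name does not exist."
    # List every ACE, not just the owner: leftover group grants (HR, supervisor, ...)
    # are the reason owner-only orphan checks get this wrong.
    (Get-Acl -LiteralPath $_.FullName).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize | Out-String | Write-Host

    if ($Move) {
        $dest = Join-Path $ToDir $name
        # /COPY:DAT copies data, attributes, timestamps; the ACL shown above is not moved.
        & robocopy.exe $_.FullName $dest /E /MOVE /COPY:DAT /NP /NFL /ZB /R:3 /W:3
        if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures for $name (exit code $LASTEXITCODE)" }
    }
}
```

Run it once without -Move and keep the printed ACLs; that listing is what tells you which folders still carry HR or supervisor grants and need a follow-up before archiving.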

2 thoughts on “Script: Check for Orphaned HomeDirs”

  1. Quick question:
    Why would other ‘orphaned file checkers’ be confused? If the ‘owner’ of a file doesn’t exist in AD, then the file is a good candidate to be tagged ‘orphaned’, no?
    Or are you saying that some also look at the ACL to make the determination? Would you mind sharing which sw products you had experience with that failed at this?

    1. When doing a folder-based orphaned lookup (like removing old home directories), the owner isn’t necessarily the best object to go by when determining orphaned directories. Our files have been moved many, many times, and in the process, usually the account doing the migration (or some other account, for some other reason) ends up with ownership, and not the person that is no longer there. Also, there may be files where the owner no longer exists, but they exist in shared directories where there are other users that access those files, therefore also not an orphaned directory.

      This script helps me because I can do a lookup on home directories for users that no longer exist in AD, but it protects me because some of those folders may have had rights added to them for other purposes (HR, supervisor, etc.) and would need to be followed up on. I think ACL inclusion in orphaned files is a must; I also think that a “folder” can be determined as orphaned if only administrative groups have access (such as computerAdministrators or global admin only groups).

      I’ve used Tek-Tool’s profiler and NetApp’s file SRM tool.
