I would like to know if there is a utility that can be used to clean up the orphaned Unity users in AD/Exchange. For years our helpdesk has been deleting users out of the Unity interface and not using any tools to cleanly remove all the necessary accounts from the Unity servers. As a result, we have hundreds of accounts in AD/Exchange that no longer exist in Unity and I would like to clean them up. Does anyone know of a way to do this in an efficient manner?
Do you mean that the subscribers were deleted out of Unity and not deleted out of AD/Exchange?
There is the remove subscriber properties tool, but that is just going to take the Unity properties off the AD/Exchange account and the account will still be there.
I am thinking that DiRT can do something. Jeff, can you step in? If there is a DiRT backup done and then the message store is deleted and Unity restored, will all the Unity accounts be restored, and not the extra ones?
Correct, we are running Unity as Voicemail only so we have a standalone AD / Exchange that our voicemails are stored in. When someone leaves our organization, the helpdesk logs into the Unity Administrator and simply deletes the subscriber from Unity. They don't use the bulk subscriber delete tool to clean up AD and Exchange so we have hundreds of accounts in there that no longer exist in Unity. I was thinking there might be a tool that can compare Unity and AD and weed out the ones that no longer exist in Unity.
Not sure about the past right now, checking into it.
But going forward I need to know what version of Unity you have. During the permissions wizard and message store configuration wizard you have the choice (check boxes) to have Unity have permissions in AD/Exchange. My guess is when you installed you chose not to.
I think you can give the directory account the correct permissions via the registry. I think Ginger posted on this before.
I will search.
In my experience, when the CallManager is directly connected to the User DB in the AD, you don't have permission to add or delete users; maybe in Unity it is the same way: you can delete local users but not the AD user.
So my guess is that when Unity was installed they chose to not give the directory account permissions to add/delete accounts in AD/Exchange when deleting from Unity.
This will delete the Unity account and leave the AD/Exchange account as you have said.
Working as expected.
If, when installed, the choice was made to give the directory account permissions, then deleting from all 3 would be no problem.
What to do now?
Well I remember that going forward there was a way to give the directory account the permissions. Probably rerun permissions wizard, service configuration wizard, and message store configuration wizard.
As for the hundreds of accounts that you have now I am not sure what to do with them.
Well this is on Cisco Unity 4.2(1) and there is a utility that you can use to bulk delete subscribers. When you run that utility you can select to delete the user from only Unity or remove them from Unity, AD and Exchange all at once. The problem is that if you delete the users only out of Unity and leave them in AD/Exchange then that utility will no longer work for you. I inherited a system where this has been the case for years. I now have hundreds of accounts on this box that no longer exist in the Unity application but they are in AD / Exchange and I wanted to know if there is an automated way to isolate them and clean them up.