Identify users that can be deleted safely via DQL

Hi,

I'm looking for a way to identify all dm_user objects that can be deleted because they have never logged in (last login attricube will not work as it seems to get reset by the ldap sync) and don't own any objects except their home cabinet and Users folder, both of which are empty. We have many users like this because of previous bad ldap sync jobs. The users are disabled, but this is causing some performance and application scripting issues as there are many thousands of them, I think.


SELECT USER_NAME FROM dm_user WHERE user_state = 1
AND USER_NAME IN
 (SELECT object_name FROM dm_folder WHERE r_link_cnt=0 AND FOLDER('/Users'))
AND USER_NAME NOT IN
 (SELECT object_name FROM dm_folder WHERE FOLDER('/Resources'))

So this gives me a list of users where they are inactive, they have a folder in the Users cabinet which is empty and they do not have a named folder in the Resources cabinet (used by one of our applications).

Now how do I effectively check that these user names do not appear in any attributes that would cause issue once deleted? is there an exhaustive list? acl_domain, owner_name, ... which others?

I assume the consistency checker would tell me any remaining issues once the other cleanup jobs have been run.

Anyone actually done this in a production docbase with any success?

Find more posts tagged with

Comments

bacham2

The consistency checker is not really exhaustive from this perspective. User references to look for:

- dm_sysobjects where user is stored in owner_name, r_creator_name, r_lock_owner or r_modifier

- dmi_queue_item or dmi_workitem owned by user

- member of groups or roles (dm_group.users_names)

- owner of an ACL (acl_domain)

- listed in an ACL (r_accessor_name)

- subscriptions (dm_relation with relation_name = 'dm_subscription')

- Registrations (notifications), i.e dmi_registry where user_name = user and is_audittrail = 0

- workflows

This list is not complete but I think these are the main ones.