Active Directory - Contacts
Currently we are in the midst of cleaning up our Active Directory. We have gone through and disabled a large amount of computer names that haven't logged in to our system in the past 6 months and put them in their own special O.U. Our thought process is that we can re-enable the accounts if we find they should not have been disabled. After a month, we will delete all of these computer accounts.
Our current problem is that we have a large amount of CONTACTS in A.D., but there is no ability to DISABLE them (and re-enable them if we find that there was a need for them). We are 90% sure that we can delete them all but just want to be sure.
Is there any workaround with this since there is no ability to DISABLE (or inactivate) them?
Thanks!
October 10th, 2011 8:29am
Well, if it's a contact I assume they are just used in Exchange? Isn't there a property that will hide the contact from the GAL?
You could probably get a PowerShell script to hide the contacts or perhaps manipulate the names so they are no longer the obvious selection people are looking for?
Justin Rich
http://jrich523.wordpress.com
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
October 10th, 2011 8:31am
Contact objects never authenticate. There are no attributes of contact objects in AD that indicate when, or even if, the objects are used. Also, no permissions can be assigned to them. They can be members of groups. You could check for group membership.
You could move the suspect contact objects to another OU. You could even rename them, then wait to see if anyone complains.
To find all groups (including distribution groups) a specified contact belongs to, you can use dsquery at the command prompt of a DC. For example, to retrieve the group membership of a contact with Common Name "My Contact":
dsquery * -filter "(cn=My Contact)" -attr memberOf
-----
Richard Mueller - MVP Directory Services
October 10th, 2011 10:12am
October 10th, 2011 5:04pm
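The group-membership check suggested above, extended from one contact to every contact under an OU, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is installed; the OU distinguished name and the report path are placeholders.

```powershell
# Added example: report group membership for all contact objects under an OU
# before moving, renaming or deleting them.
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with your own OU and output path.
$SearchBase = 'OU=Contacts,DC=example,DC=com'
$ReportPath = '.\contact-group-membership.csv'

# Contacts have objectClass=contact. memberOf lists the groups, including
# distribution groups, that each contact belongs to.
$contacts = Get-ADObject -LDAPFilter '(objectClass=contact)' `
    -SearchBase $SearchBase -SearchScope Subtree `
    -Properties memberOf, mail

$report = foreach ($c in $contacts) {
    # Drop null entries so a contact with no memberOf value counts as 0 groups.
    $groups = @($c.memberOf | Where-Object { $_ })

    [pscustomobject]@{
        Name              = $c.Name
        DistinguishedName = $c.DistinguishedName
        Mail              = $c.mail
        GroupCount        = $groups.Count
        Groups            = ($groups -join ' | ')
    }
}

# Keep the full report as a record of what existed and where it was referenced.
$report | Sort-Object GroupCount, Name |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

# Contacts in no group at all: the first candidates to move or rename.
$report | Where-Object { $_.GroupCount -eq 0 } |
    Select-Object Name, Mail, DistinguishedName
```

A contact that belongs to no group may still be in use, since nothing in AD records when a contact is used, so the move-or-rename waiting period still applies to the candidates this lists.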