We are deleting stale AD accounts for the companies we work for.
I contacted the owner of a particular company to help us determine which AD accounts we can delete. He said he'd first like to see what files the deletion candidates have stored on the network to help decide which accounts are OK to delete.
We have a domain admin account. Is there a way to access AD User files? Is there a PowerShell command (or GUI app) to list the files of each AD user in a clean/presentable format that we could present to the owner?
I think he's only really concerned with the contents of each user's Home directories (the directories containing the Documents, Music etc. folders) -- and not network shares or shared folders users may happen to have access to -- because the Home directories are the only directories risking deletion as a result of deleting their accounts, right?
Yes. Take ownership of the files.
There are probably a bazillion ways to do this. Pick your preferred method/tool and then research how to do it with your preferred method/tool.
The users' network folders won't be deleted when you delete the user accounts.
Before I try to answer, let me share some doubts...
What is the reason to delete an AD object, especially a user object? I am afraid it is really not a good approach, because of AD itself and related systems. Once the user exists, there may be (and most probably there are) several logs, files or other objects in AD or on other systems (even connected systems, in case you are using AD as an authentication backend). Related systems could also be Exchange / Office 365. Once you simply delete the object, you are losing the integrity of the information. Next to it, behind each object in AD there is a SID (a unique ID in the AD environment).
Once you delete the user and in the future create it again, technically it is not the same user but a different one! In general the best practice is just to disable the user. The account is not possible to use, and in case the user becomes valid again in the future you can just enable the account.
To your question. Unfortunately there is no "easy way" to get this information. You should iterate over the filesystem (e.g. a PowerShell script). Please note that in case you really want to delete the user account, you should also remove all related information like file permissions on files other than the owned ones, or you would see just a plain SID instead of a username, so any future audit would be a real mess.
Please think about just disabling the account. There is much more information than just "owned files". In case of any kind of audit it is better to have a disabled user somewhere than an unknown SID ;-).
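The script below is an added example, not code posted by anyone in this thread. It does the "iterate over the filesystem" step the last answer refers to and produces the per-user overview the question asks for: for each disabled account in a given OU it resolves the HomeDirectory attribute, walks the folder, and reports file count, total size, newest file and how many subfolders the admin session could not read (home folders are often ACL'd to the user and SYSTEM only, so a domain admin can hit access denied without taking ownership). It also scans the home-folder ACLs for unresolvable SIDs, the "simple SID instead of username" symptom the answer warns about. Assumptions: the ActiveDirectory RSAT module is installed, the session runs as a domain admin, and the OU path and report path are placeholders to adjust.

```powershell
# Added example: summarize what each stale AD user has in their home directory.
# Assumes RSAT ActiveDirectory module, a domain-admin session, and that home
# paths are stored in the HomeDirectory attribute. OU and output path are placeholders.

Import-Module ActiveDirectory

$SearchBase = 'OU=Stale Accounts,DC=corp,DC=example'   # placeholder OU
$ReportPath = "$env:TEMP\stale-home-dirs.csv"           # placeholder output file

# Deletion candidates: already-disabled accounts, plus the attributes needed
# to locate their files (HomeDirectory) and recognise them later (SID).
$candidates = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase `
    -Properties HomeDirectory, LastLogonDate, SID

$summary = foreach ($user in $candidates) {
    $homeDir = $user.HomeDirectory
    $row = [ordered]@{
        SamAccountName = $user.SamAccountName
        SID            = $user.SID.Value
        LastLogonDate  = $user.LastLogonDate
        HomeDirectory  = $homeDir
        Status         = ''
        FileCount      = 0
        SizeMB         = 0
        NewestFile     = $null
        AccessDenied   = 0
        OrphanedSIDs   = 0
    }

    if ([string]::IsNullOrWhiteSpace($homeDir)) {
        $row.Status = 'No HomeDirectory set'
    }
    elseif (-not (Test-Path -LiteralPath $homeDir)) {
        $row.Status = 'Path missing'
    }
    else {
        # Walk the tree; collect (rather than abort on) folders this account
        # cannot read, e.g. subfolders whose ACL grants only the user and SYSTEM.
        $files = Get-ChildItem -LiteralPath $homeDir -Recurse -File -Force `
            -ErrorAction SilentlyContinue -ErrorVariable walkErrors

        $row.Status       = 'OK'
        $row.FileCount    = @($files).Count
        $row.SizeMB       = [math]::Round((($files | Measure-Object Length -Sum).Sum) / 1MB, 2)
        $row.NewestFile   = ($files | Sort-Object LastWriteTime -Descending |
                             Select-Object -First 1).LastWriteTime
        $row.AccessDenied = @($walkErrors).Count
        if ($row.AccessDenied -gt 0) { $row.Status = 'Partial (access denied)' }

        # ACL entries that did not resolve to a name are leftovers of accounts
        # already deleted: exactly the audit mess the answer describes.
        $acl = Get-Acl -LiteralPath $homeDir -ErrorAction SilentlyContinue
        if ($acl) {
            $row.OrphanedSIDs = @($acl.Access |
                Where-Object { $_.IdentityReference.Value -match '^S-1-5-21-' }).Count
        }
    }
    [pscustomobject]$row
}

# Presentable table for the owner, plus a CSV he can sort and filter himself.
$summary | Sort-Object SizeMB -Descending |
    Format-Table SamAccountName, LastLogonDate, Status, FileCount, SizeMB,
                 NewestFile, AccessDenied, OrphanedSIDs -AutoSize
$summary | Export-Csv -LiteralPath $ReportPath -NoTypeInformation -Encoding UTF8
```

Run it as the domain admin on a host with RSAT; a non-zero AccessDenied column tells you which home folders would need ownership taken (or Backup Operators rights) before the count is trustworthy, and a non-zero OrphanedSIDs column shows where earlier deletions already left unresolvable entries behind. The script only reads; it does not change ACLs, ownership or AD objects.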