Friday, February 23, 2007

Deleting User Accounts in RMS Configuration Database

When you delete a user account from Active Directory, the entry for that user's rights account certificate in the user key table of the root configuration cluster's configuration database is not deleted automatically. As a result, the user key table grows without bound: new user keys are added as users are certified, but keys for deleted accounts are never removed. If stale user accounts are left in the database, the RMS Account Certification Report on the RMS Administration page is skewed by the old account information.

There is also no SQL stored procedure that performs this cleanup automatically.

You can however perform the following steps to clean up user accounts in the configuration database:

Note: The tables that are relevant to this scenario are UD_Machines, UD_UserMachine, UD_Users, and UD_WindowsAuthIdentities.

  1. Given the SID of a user account that has been deleted from Active Directory, first look up that SID in UD_WindowsAuthIdentities to find the corresponding i_UserId.
  2. Delete every occurrence of that i_UserId from the UD_UserMachine, UD_Users, and UD_WindowsAuthIdentities tables.*
  3. Then, for each i_MachineId that was associated with the deleted i_UserId in UD_UserMachine, check whether any other user is still associated with that machine. If none is, delete that i_MachineId from the UD_Machines table as well.
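The three steps above as one Transact-SQL script, added here as an illustration rather than taken from the original post or from Microsoft. It runs against the root cluster's configuration database and defaults to a dry run that reports what it would delete and then rolls back. Assumptions: the column holding the Windows SID in UD_WindowsAuthIdentities is called s_WindowsSid (a hypothetical name; confirm it with sp_help 'UD_WindowsAuthIdentities' before running), the SID value is a constructed sample, and i_UserId and i_MachineId are integer keys. Back up the configuration database before committing anything.

```sql
-- Added example (not from the original post): remove one deleted AD user's
-- rows from the RMS root cluster configuration database.
-- Run this against the configuration database (e.g. DRMS_Config_<cluster>_<port>).
SET NOCOUNT ON;
SET XACT_ABORT ON;      -- any runtime error aborts the batch and rolls back

DECLARE @Sid      nvarchar(256);
DECLARE @DryRun   bit;
DECLARE @UserId   int;
DECLARE @Rows     int;

-- Constructed sample SID of an account already deleted from Active Directory.
SET @Sid    = N'S-1-5-21-1111111111-2222222222-3333333333-1234';
SET @DryRun = 1;        -- 1 = report and roll back; set to 0 to commit

-- Step 1: map the SID to the internal user id.
-- s_WindowsSid is an assumed column name; check your schema first.
SELECT @UserId = i_UserId
FROM   dbo.UD_WindowsAuthIdentities
WHERE  s_WindowsSid = @Sid;

IF @UserId IS NULL
BEGIN
    PRINT N'SID not present in UD_WindowsAuthIdentities; nothing to delete.';
    RETURN;
END

BEGIN TRANSACTION;

-- Step 3 needs the machines this user was associated with *before* the
-- UD_UserMachine rows are removed, so capture them now.
DECLARE @Candidates TABLE (i_MachineId int PRIMARY KEY);
INSERT INTO @Candidates (i_MachineId)
SELECT DISTINCT i_MachineId
FROM   dbo.UD_UserMachine
WHERE  i_UserId = @UserId;

-- Step 2: delete the user's rows. Child rows go first in case the schema
-- enforces foreign keys back to UD_Users.
DELETE FROM dbo.UD_UserMachine WHERE i_UserId = @UserId;
SET @Rows = @@ROWCOUNT;
PRINT N'UD_UserMachine rows deleted: ' + CAST(@Rows AS nvarchar(10));

DELETE FROM dbo.UD_WindowsAuthIdentities WHERE i_UserId = @UserId;
SET @Rows = @@ROWCOUNT;
PRINT N'UD_WindowsAuthIdentities rows deleted: ' + CAST(@Rows AS nvarchar(10));

DELETE FROM dbo.UD_Users WHERE i_UserId = @UserId;
SET @Rows = @@ROWCOUNT;
PRINT N'UD_Users rows deleted: ' + CAST(@Rows AS nvarchar(10));

-- Step 3: of the machines captured above, drop those that no remaining
-- user references in UD_UserMachine. Machines still shared with another
-- user are left alone.
DELETE m
FROM   dbo.UD_Machines AS m
JOIN   @Candidates     AS c ON c.i_MachineId = m.i_MachineId
WHERE  NOT EXISTS (SELECT 1
                   FROM   dbo.UD_UserMachine AS um
                   WHERE  um.i_MachineId = m.i_MachineId);
SET @Rows = @@ROWCOUNT;
PRINT N'Orphaned UD_Machines rows deleted: ' + CAST(@Rows AS nvarchar(10));

IF @DryRun = 1
BEGIN
    ROLLBACK TRANSACTION;
    PRINT N'Dry run: all changes rolled back.';
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    PRINT N'Changes committed.';
END
```

Run it once with @DryRun left at 1 and read the row counts; they should be small and match what you expect for a single account (typically one row in each user table and at most a handful of machines). Only then set @DryRun to 0. Because the deleted machine rows are derived from a snapshot taken before the user's UD_UserMachine rows are removed, a machine that is still associated with another certified user is never touched, which is the condition step 3 requires.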