Rob,
Thank you very much for that. Unfortunately I don’t have the Quest AD cmdlets installed, but I was able to adapt your excellent suggestion to generate a CSV list of ‘offending’ accounts, using just the regular Active Directory module cmdlets.
Fortunately (thanks to you) I’ve discovered that there were a number of test accounts and also disabled accounts on the list, so the overall figure is considerably less than I originally thought. Only (?!) 143 users across the estate have (had) access to the very sensitive information (patient medical history).
We’ve removed a handful of users to check there are no adverse effects (nobody seems to know how or why they got added in the first place). Then I’ll proceed with the last part of your snippet to remove the rest.
Thanks again for your help. This would have been classed as a major security breach.