
workablob
join:2004-06-09
Houston, TX


workablob

Member

Disabling/Deleting AD Computer Accounts. What's your strateg

Every month I run a scan that gathers all AD computer accounts that have been inactive for 90 or more days.

I have a script that pings all of the returned PCs and lists which ones are online and which ones are offline.

The ones that are online I leave alone.

Then I disable the offline accounts and move them to a special OU.

After 6 months I run the ping script on the disabled PCs and the ones that are offline get deleted.

The ones that are online I move back to the appropriate OU.

I'm curious how my strategy compares to others'.

Thanks,

Blob
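As an added example (not code from this thread): the two-phase procedure described above, written against the ActiveDirectory PowerShell module. The quarantine OU DN and the 90/180-day thresholds are assumed placeholders, and it goes one step beyond the post by stamping the disable date and origin OU into the account's description so the 6-month pass can put a returning machine back where it came from.

```powershell
# Added example, not from the thread: the two-phase cleanup described above, using the
# ActiveDirectory module. The quarantine OU and thresholds are placeholders (assumed).
Import-Module ActiveDirectory

$QuarantineOU = 'OU=Disabled Computers,DC=example,DC=com'   # placeholder DN
$InactiveDays = 90
$PurgeDays    = 180                                          # 6 months in quarantine
$Now          = Get-Date

function Test-Online([string]$Name) {
    # Single ICMP probe; a laptop off the network looks "offline", as with the poster's ping script
    Test-Connection -ComputerName $Name -Count 1 -Quiet -ErrorAction SilentlyContinue
}

# Phase 1: enabled workstations idle for 90+ days. Servers are skipped, as the poster does.
# LastLogonDate is derived from lastLogonTimestamp, which replicates only about every 14 days,
# so it is accurate to roughly two weeks; fine against a 90-day threshold.
$stale = Get-ADComputer -Filter 'Enabled -eq $true' `
            -Properties LastLogonDate, OperatingSystem |
    Where-Object {
        $_.OperatingSystem -notlike '*Server*' -and
        $_.LastLogonDate -and $_.LastLogonDate -lt $Now.AddDays(-$InactiveDays) -and
        $_.DistinguishedName -notlike "*,$QuarantineOU"
    }

foreach ($c in $stale) {
    if (Test-Online $c.Name) { continue }                    # online: leave it alone
    # Stamp the disable date and origin OU so phase 2 can restore or purge it.
    $originOU = $c.DistinguishedName -replace '^CN=[^,]+,', ''
    Set-ADComputer -Identity $c -Description ("Disabled {0:yyyy-MM-dd} from {1}" -f $Now, $originOU)
    Disable-ADAccount -Identity $c
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $QuarantineOU
}

# Phase 2: quarantined accounts disabled 6+ months ago. Still offline: delete.
# Back online: re-enable and move to the OU recorded in phase 1.
Get-ADComputer -Filter 'Enabled -eq $false' -SearchBase $QuarantineOU -Properties Description |
    ForEach-Object {
        if (-not ($_.Description -match '^Disabled (\d{4}-\d{2}-\d{2}) from (.+)$')) { return }
        $disabledOn = [datetime]$Matches[1]
        $originOU   = $Matches[2]
        if ($disabledOn -gt $Now.AddDays(-$PurgeDays)) { return }   # not old enough yet
        if (Test-Online $_.Name) {
            Enable-ADAccount -Identity $_
            Move-ADObject -Identity $_.DistinguishedName -TargetPath $originOU
        } else {
            Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false
        }
    }
```

Run it first with `-WhatIf` appended to the Disable/Move/Remove calls to review what would change before letting it act.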

dmas1er
join:2006-10-11
Peterborough, ON

dmas1er

Member

I use this to log PCs that have not logged in for 8 weeks or more:
dsquery computer -inactive 8 >c:\inactive.computers.txt

If I wish to delete all PCs in that list I can pipe the results to dsmod / dsrm to bulk disable or delete by:

dsquery computer -inactive 8 | dsmod computer -disabled yes -c
dsquery computer -inactive 8 | dsrm -noprompt -c

It's a pretty handy tool for digging through AD.

Here are some other gems I use sometimes...

If you need to know which computer is running which OS, the syntax will be:
dsquery * domainroot -filter "(&(objectCategory=computer)(operatingSystem=Windows XP*))"
OR
dsquery * domainroot -filter "(&(objectCategory=computer)(operatingSystem=Windows Server*))"

For those who want to know what service pack is on those OSes:
dsquery * -scope subtree -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows XP*))" -attr "cn" "operatingSystem" "operatingSystemServicePack" -limit 100000

workablob
join:2004-06-09
Houston, TX

workablob

Member

said by dmas1er:

I use this to log PCs that have not logged in for 8 weeks or more:
dsquery computer -inactive 8 >c:\inactive.computers.txt

If I wish to delete all PCs in that list I can pipe the results to dsmod / dsrm to bulk disable or delete by:

dsquery computer -inactive 8 | dsmod computer -disabled yes -c
dsquery computer -inactive 8 | dsrm -noprompt -c

It's a pretty handy tool for digging through AD.

Here are some other gems I use sometimes...

If you need to know which computer is running which OS, the syntax will be:
dsquery * domainroot -filter "(&(objectCategory=computer)(operatingSystem=Windows XP*))"
OR
dsquery * domainroot -filter "(&(objectCategory=computer)(operatingSystem=Windows Server*))"

For those who want to know what service pack is on those OSes:
dsquery * -scope subtree -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows XP*))" -attr "cn" "operatingSystem" "operatingSystemServicePack" -limit 100000

Very cool.

I sometimes forget about dsquery because we have so many third-party tools that do these things like McAfee ePO and Inactive Computer Cleanup.

But I have a nice script using dsquery that is configurable which will dump AD to a spreadsheet with the items and properties you specify.

I hope you don't mind but I am saving your scripts to my knowledge base.

Yoink!

Thanks :)

Blob
tomdlgns
Premium Member
join:2003-03-21

tomdlgns to workablob

Premium Member

to workablob
one thing that confuses me...

"After 6 months I run the ping script on the disabled PCs and the ones that are offline get deleted.

The ones that are online I move back to the appropriate OU."

if they were offline when you did your initial scan and you move them and then they appear online on the "after 6 months" scan, isn't there a short period of time where they are not in the correct OU?
tomdlgns

tomdlgns to dmas1er

Premium Member

to dmas1er
nice, I am saving these for later use.

jay608
Going Nucking Futs
join:2007-01-22
Homewood, IL

jay608 to dmas1er

Member

to dmas1er
These are nice and simple. I am also going to add them to my list of scripts..

Thanks dmas1er See Profile!

urbanriot
Premium Member
join:2004-10-18
Canada

urbanriot to workablob

Premium Member

to workablob
said by workablob:

Disabling/Deleting AD Computer Accounts. What's your strateg

Procedurally I have IT staff set the PC to workgroup and have the account deleted in Active Directory. Well-written procedures should trump the need for someone to do something by hand.

But for a catchall, I also have IT admins configure a PowerShell script that does something along the lines of what bitchtorn suggests, which sends the information monthly (along with other information). It's very easy to email from a PowerShell script.

workablob
join:2004-06-09
Houston, TX

workablob to tomdlgns

Member

to tomdlgns
said by tomdlgns:

one thing that confuses me...

"After 6 months I run the ping script on the disabled PCs and the ones that are offline get deleted.

The ones that are online I move back to the appropriate OU."

if they were offline when you did your initial scan and you move them and then they appear online on the "after 6 months" scan, isn't there a short period of time where they are not in the correct OU?

Indeed there is.

What often happens is a computer that was disabled will get rejoined to the domain by a site admin because it came back online.

I just identify them and move them back if the automated login script fails to move them back.

Blob
tomdlgns
Premium Member
join:2003-03-21

tomdlgns

Premium Member

thanks, makes sense.

dmas1er
join:2006-10-11
Peterborough, ON

dmas1er to workablob

Member

to workablob
Hey Blob,

Out of curiosity, how many sites / PCs / users do you manage?

We are around the 500-machine mark (27 physical sites) and I try to script most tasks.

I have to provide monthly audit reports on PCs / users: last login time, Exchange mailbox size, amount of email sent/received, etc.

workablob
join:2004-06-09
Houston, TX

workablob

Member

said by dmas1er:

Hey Blob,

Out of curiosity, how many sites / PCs / users do you manage?

We are around the 500-machine mark (27 physical sites) and I try to script most tasks.

I have to provide monthly audit reports on PCs / users: last login time, Exchange mailbox size, amount of email sent/received, etc.

About 3200 PCs.

Edit, under 50 sites nationwide.

I don't run the scan on servers.

Thanks,

Blob

dmas1er
join:2006-10-11
Peterborough, ON

dmas1er

Member

Sounds like you have your hands full!

tomdlgns
Premium Member
join:2003-03-21

tomdlgns to workablob

Premium Member

to workablob
where do you run it?

workablob
join:2004-06-09
Houston, TX

workablob

Member

I do the scan on a Domain Controller.

I take that list and run a ping script on that list to find offline/online PCs.

Blob
tomdlgns
Premium Member
join:2003-03-21

tomdlgns

Premium Member

which is a server

workablob
join:2004-06-09
Houston, TX

workablob

Member

said by tomdlgns:

which is a server

Yes, the DC is a server.

Blob
Moffetts
join:2005-05-09
San Mateo, CA

Moffetts to workablob

Member

to workablob
I just delete 'em. Makes my job more interesting.

workablob
join:2004-06-09
Houston, TX

workablob

Member

said by Moffetts:

I just delete 'em. Makes my job more interesting.

Excellent. There was a time when I could do that, but it got more serious.

Blob