Disabling/Deleting AD Computer Accounts. What's your strategy?

Every month I run a scan that gathers all AD computer accounts that have been inactive for 90 or more days.
I have a script that pings all of the returned PCs and lists which ones are online and which ones are offline.
The ones that are online I leave alone.
Then I disable the offline accounts and move them to a special OU.
After 6 months I run the ping script on the disabled PCs and the ones that are offline get deleted.
The ones that are online I move back to the appropriate OU.
I'm curious how my strategy compares to others'.
Thanks,
Blob
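The two-stage procedure described above (90-day inactive plus offline = disable and park; 6 months later, revive or delete) as an added PowerShell example, not a script from the thread or its posters. It assumes the RSAT ActiveDirectory module, a placeholder holding-OU DN, and keeps -WhatIf on every change until the output has been reviewed.

```powershell
# Added example (not from the thread): stale AD computer lifecycle mirroring the 90-day / 6-month procedure.
# Assumptions: RSAT ActiveDirectory module present; $StaleOU is a placeholder DN; remove -WhatIf only after review.
Import-Module ActiveDirectory

$StaleDays    = 90
$DeleteDays   = 180
$StaleOU      = 'OU=Disabled Computers,DC=example,DC=com'   # placeholder holding OU
$StaleCutoff  = (Get-Date).AddDays(-$StaleDays)
$DeleteCutoff = (Get-Date).AddDays(-$DeleteDays)

function Get-HostTarget($c) { if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name } }

# Stage 1: enabled, non-server computers with no logon for 90+ days. LastLogonDate comes from the
# replicated lastLogonTimestamp and can lag up to ~14 days, which is acceptable slack at 90 days.
$stale = Get-ADComputer -Filter { Enabled -eq $true -and LastLogonDate -lt $StaleCutoff } `
    -Properties LastLogonDate, OperatingSystem, Description |
    Where-Object { $_.OperatingSystem -notlike '*Server*' }   # servers are excluded, as in the thread

foreach ($c in $stale) {
    if (Test-Connection -ComputerName (Get-HostTarget $c) -Count 1 -Quiet) { continue }  # online: leave alone
    # Stamp the disable date and original OU on the object so it can be audited or moved home later.
    # (Parent DN via first-comma split; fine unless the CN itself contains an escaped comma.)
    $origOU = ($c.DistinguishedName -split ',', 2)[1]
    Set-ADComputer -Identity $c -Description "Disabled $(Get-Date -Format yyyy-MM-dd); was in $origOU" -WhatIf
    Disable-ADAccount -Identity $c -WhatIf
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $StaleOU -WhatIf
}

# Stage 2: objects parked 6+ months ago. Those answering a ping were revived (typically rejoined by a
# site admin), so re-enable and return them to their recorded OU; the rest are deleted.
Get-ADComputer -Filter { Enabled -eq $false } -SearchBase $StaleOU -Properties Description |
ForEach-Object {
    if ($_.Description -notmatch '^Disabled (\d{4}-\d{2}-\d{2}); was in (.+)$') { return }  # not ours: skip
    $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
    if ($disabledOn -gt $DeleteCutoff) { return }   # parked less than 6 months: wait
    if (Test-Connection -ComputerName (Get-HostTarget $_) -Count 1 -Quiet) {
        Enable-ADAccount -Identity $_ -WhatIf
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $Matches[2] -WhatIf
    } else {
        Remove-ADComputer -Identity $_ -Confirm:$false -WhatIf
    }
}
```

Running with -WhatIf first gives the same review list the thread's ping script produces, and the Description stamp is what lets a revived machine go back to the right OU instead of being left in the holding OU.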
dmas1er join:2006-10-11 Peterborough, ON

I use this to log PCs that have not logged in for 8 weeks or more:
dsquery computer -inactive 8 > c:\inactive.computers.txt
If I wish to disable or delete all PCs in that list I can pipe the results to dsmod / dsrm for a bulk disable or delete:
dsquery computer -inactive 8 | dsmod computer -disabled yes -c
dsquery computer -inactive 8 | dsrm -noprompt -c
It's a pretty handy tool for digging through AD.
Here are some other gems I use sometimes...
If you need to know which computer is running which OS, the syntax is:
dsquery * domainroot -filter "(&(objectCategory=computer)(operatingSystem=Windows XP*))"
or
dsquery * domainroot -filter "(&(objectCategory=computer)(operatingSystem=Windows Server*))"
For those who want to know what service pack is on those OSes:
dsquery * -scope subtree -attr "cn" "operatingSystem" "operatingSystemServicePack" -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows XP*))" -limit 100000
said by dmas1er:
I use this to log PCs that have not logged in for 8 weeks or more:
dsquery computer -inactive 8 > c:\inactive.computers.txt
If I wish to disable or delete all PCs in that list I can pipe the results to dsmod / dsrm for a bulk disable or delete:
dsquery computer -inactive 8 | dsmod computer -disabled yes -c
dsquery computer -inactive 8 | dsrm -noprompt -c
It's a pretty handy tool for digging through AD.
Here are some other gems I use sometimes...
If you need to know which computer is running which OS, the syntax is:
dsquery * domainroot -filter "(&(objectCategory=computer)(operatingSystem=Windows XP*))"
or
dsquery * domainroot -filter "(&(objectCategory=computer)(operatingSystem=Windows Server*))"
For those who want to know what service pack is on those OSes:
dsquery * -scope subtree -attr "cn" "operatingSystem" "operatingSystemServicePack" -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows XP*))" -limit 100000

Very cool. I sometimes forget about dsquery because we have so many third-party tools that do these things, like McAfee ePO and Inactive Computer Cleanup. But I have a nice script using dsquery that is configurable and will dump AD to a spreadsheet with the items and properties you specify. I hope you don't mind, but I am saving your scripts to my knowledge base. Yoink! Thanks :)
Blob
to workablob
One thing that confuses me...
"After 6 months I run the ping script on the disabled PCs and the ones that are offline get deleted.
The ones that are online I move back to the appropriate OU."
If they were offline when you did your initial scan and you moved them, and then they appear online on the "after 6 months" scan, isn't there a short period of time where they are not in the correct OU?
tomdlgns
to dmas1er
Nice, I am saving these for later use.
jay608 (Going Nucking Futs) join:2007-01-22 Homewood, IL
to dmas1er
These are nice and simple. I am also going to add them to my list of scripts. Thanks, dmas1er!
to workablob
said by workablob:
Disabling/Deleting AD Computer Accounts. What's your strategy?

Procedurally, I have IT staff set the PC to workgroup and the account deleted in Active Directory. Well-written procedures should trump the need for someone to do something by hand. But as a catch-all, I also have IT admins configure a PowerShell script that does something along the lines of what bitchtorn suggests, which sends the information monthly (along with other information). It's very easy to email from a PowerShell script.
to tomdlgns
said by tomdlgns:
One thing that confuses me...
"After 6 months I run the ping script on the disabled PCs and the ones that are offline get deleted.
The ones that are online I move back to the appropriate OU."
If they were offline when you did your initial scan and you moved them, and then they appear online on the "after 6 months" scan, isn't there a short period of time where they are not in the correct OU?

Indeed there is. What often happens is that a computer that was disabled gets rejoined to the domain by a site admin because it came back online. I just identify them and move them back if the automated login script fails to move them back.
Blob
tomdlgns
Premium Member
2013-Jul-8 3:12 pm
Thanks, makes sense.
dmas1er join:2006-10-11 Peterborough, ON
to workablob
Hey Blob,
Out of curiosity, how many sites / PCs / users do you manage?
We are around the 500-machine mark (27 physical sites), and I try to script most tasks.
I have to provide monthly audit reports on PCs / users: last login time, Exchange mailbox size, amount of email sent/received... etc.
said by dmas1er:
Hey Blob,
Out of curiosity, how many sites / PCs / users do you manage?
We are around the 500-machine mark (27 physical sites), and I try to script most tasks.
I have to provide monthly audit reports on PCs / users: last login time, Exchange mailbox size, amount of email sent/received... etc.

About 3200 PCs. Edit: under 50 sites nationwide. I don't run the scan on servers.
Thanks,
Blob
dmas1er join:2006-10-11 Peterborough, ON
Sounds like you have your hands full!
to workablob
Where do you run it?
I do the scan on a Domain Controller.
I take that list and run a ping script on that list to find offline/online PCs.
Blob
tomdlgns
Premium Member
2013-Jul-8 4:59 pm
Which is a server.
Yes, the DC is a server.
Blob
to workablob
I just delete 'em. Makes my job more interesting.
said by Moffetts:
I just delete 'em. Makes my job more interesting.

Excellent. There was a time when I could do that, but it got more serious.
Blob