Avatar of gbarrientos
gbarrientos asked on

What Computer Objects are Taken

The prior administrator created Computer Objects in active directory. Is there a way to check which computer objects have are used and which ones are vacant?
Windows 2000

Avatar of undefined
Last Comment
infradawn

8/22/2022 - Mon
Gareth Gudger

Are you referring to in Active Directory Users and Computers?

Check under the "Computers" tab.
JamesDS

gbarrientos

diggisaur is correct, but only if the prior administrator left all the objects in the default place - which is not certain and on a large system not very likely.

This is how you find ALL computer accounts everywhere on the domain:

Open up the Active Directory Users and Computers administration tool, right click on the domain and select "Find"

In the Find dialog select Computers from the drop down list and press the find now button.

This will display all computer account objects in the entire domain.

Cheers

JamesDS

ASKER CERTIFIED SOLUTION
infradawn

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
gbarrientos

Infradawn,
That is exactly what I am looking for; I want to know which computer objects have a corresponding account. Checking DNS will be rather difficult because there is alot of computer accounts. The reason for doing this is that when the domain was originally created computers were joined without proper naming convention, which makes it hard to do any real managment. So looking at the the utility specified above, i received a total of 2011 computers displayed. Now i am looking at number to the right and i am guessing the number is in DAYS (???) what number would you consider safe to delete?
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
infradawn

You get 3 columns: machine name, machine type and password age. The password age is the elapsed time since the password was last changed. By default it's changed every 30 days (W2K). I can't tell you how old a password needs to be before it's safe to delete the AD computer object. It depends, for one thing, on if you've set up a shorter or longer computer account password change period than the default.

I tend to use a figure of 120 days. If someone's left their PC off for 3 months I figure it's not a key piece of kit and, if the phone does ring, I can always recreate the machine account!


iD
ASKER
gbarrientos

Where in AD do you specify how long a computer should renew its password?
infradawn

MaximumPasswordAge
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Data type Range Default value
REG_DWORD  1–1,000,000 (days)  30  

Description
Determines how often the system changes the computer account password of the local computer. This entry is used only when the system is configured to change the computer password automatically at regular intervals, that is, when the value of the DisablePasswordChange entry is 0.

Note

Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.


Extract from Microsoft W2K ResKit Reference.

iD
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.