Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

What Computer Objects are Taken

Posted on 2004-03-30
7
135 Views
Last Modified: 2010-05-18
The prior administrator created Computer Objects in active directory. Is there a way to check which computer objects have are used and which ones are vacant?
0
Comment
Question by:gbarrientos
7 Comments
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10720121
Are you referring to in Active Directory Users and Computers?

Check under the "Computers" tab.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10721181
gbarrientos

diggisaur is correct, but only if the prior administrator left all the objects in the default place - which is not certain and on a large system not very likely.

This is how you find ALL computer accounts everywhere on the domain:

Open up the Active Directory Users and Computers administration tool, right click on the domain and select "Find"

In the Find dialog select Computers from the drop down list and press the find now button.

This will display all computer account objects in the entire domain.

Cheers

JamesDS

0
 
LVL 3

Accepted Solution

by:
infradawn earned 500 total points
ID: 10721826
Hi gbarrientos. Is it that you want to check which AD computer objects have a corresponding machine?

If so, then you can check DNS to see if there's a machine registration for each machine AD object. If there isn't then either the machine's been off-line for a while or it doesn't actually exist!

Also, check out the tool 'password age' which can generate a report of when a machine (or user) last had it's password changed. You can generally assume that if a machine account password hasn't been changed in n days then it's doesn't exist. Tool can be found here:

http://www.systemtools.com/free_frame.htm


iD
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 9

Author Comment

by:gbarrientos
ID: 10724895
Infradawn,
That is exactly what I am looking for; I want to know which computer objects have a corresponding account. Checking DNS will be rather difficult because there is alot of computer accounts. The reason for doing this is that when the domain was originally created computers were joined without proper naming convention, which makes it hard to do any real managment. So looking at the the utility specified above, i received a total of 2011 computers displayed. Now i am looking at number to the right and i am guessing the number is in DAYS (???) what number would you consider safe to delete?
0
 
LVL 3

Expert Comment

by:infradawn
ID: 10731154
You get 3 columns: machine name, machine type and password age. The password age is the elapsed time since the password was last changed. By default it's changed every 30 days (W2K). I can't tell you how old a password needs to be before it's safe to delete the AD computer object. It depends, for one thing, on if you've set up a shorter or longer computer account password change period than the default.

I tend to use a figure of 120 days. If someone's left their PC off for 3 months I figure it's not a key piece of kit and, if the phone does ring, I can always recreate the machine account!


iD
0
 
LVL 9

Author Comment

by:gbarrientos
ID: 10734228
Where in AD do you specify how long a computer should renew its password?
0
 
LVL 3

Expert Comment

by:infradawn
ID: 10740207
MaximumPasswordAge
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Data type Range Default value
REG_DWORD  1–1,000,000 (days)  30  

Description
Determines how often the system changes the computer account password of the local computer. This entry is used only when the system is configured to change the computer password automatically at regular intervals, that is, when the value of the DisablePasswordChange entry is 0.

Note

Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.


Extract from Microsoft W2K ResKit Reference.

iD
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
IT certifications are a concrete representation of continual learning on the part of the candidate.  Continual learning is necessary for the long term success of an IT professional, but are IT certifications the right path for you?
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question