gbarrientos
asked on
What Computer Objects are Taken
The prior administrator created Computer Objects in active directory. Is there a way to check which computer objects have are used and which ones are vacant?
gbarrientos
diggisaur is correct, but only if the prior administrator left all the objects in the default place - which is not certain and on a large system not very likely.
This is how you find ALL computer accounts everywhere on the domain:
Open up the Active Directory Users and Computers administration tool, right click on the domain and select "Find"
In the Find dialog select Computers from the drop down list and press the find now button.
This will display all computer account objects in the entire domain.
Cheers
JamesDS
diggisaur is correct, but only if the prior administrator left all the objects in the default place - which is not certain and on a large system not very likely.
This is how you find ALL computer accounts everywhere on the domain:
Open up the Active Directory Users and Computers administration tool, right click on the domain and select "Find"
In the Find dialog select Computers from the drop down list and press the find now button.
This will display all computer account objects in the entire domain.
Cheers
JamesDS
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Infradawn,
That is exactly what I am looking for; I want to know which computer objects have a corresponding account. Checking DNS will be rather difficult because there is alot of computer accounts. The reason for doing this is that when the domain was originally created computers were joined without proper naming convention, which makes it hard to do any real managment. So looking at the the utility specified above, i received a total of 2011 computers displayed. Now i am looking at number to the right and i am guessing the number is in DAYS (???) what number would you consider safe to delete?
That is exactly what I am looking for; I want to know which computer objects have a corresponding account. Checking DNS will be rather difficult because there is alot of computer accounts. The reason for doing this is that when the domain was originally created computers were joined without proper naming convention, which makes it hard to do any real managment. So looking at the the utility specified above, i received a total of 2011 computers displayed. Now i am looking at number to the right and i am guessing the number is in DAYS (???) what number would you consider safe to delete?
You get 3 columns: machine name, machine type and password age. The password age is the elapsed time since the password was last changed. By default it's changed every 30 days (W2K). I can't tell you how old a password needs to be before it's safe to delete the AD computer object. It depends, for one thing, on if you've set up a shorter or longer computer account password change period than the default.
I tend to use a figure of 120 days. If someone's left their PC off for 3 months I figure it's not a key piece of kit and, if the phone does ring, I can always recreate the machine account!
iD
I tend to use a figure of 120 days. If someone's left their PC off for 3 months I figure it's not a key piece of kit and, if the phone does ring, I can always recreate the machine account!
iD
ASKER
Where in AD do you specify how long a computer should renew its password?
MaximumPasswordAge
HKLM\SYSTEM\CurrentControl
Data type Range Default value
REG_DWORD 1–1,000,000 (days) 30
Description
Determines how often the system changes the computer account password of the local computer. This entry is used only when the system is configured to change the computer password automatically at regular intervals, that is, when the value of the DisablePasswordChange entry is 0.
Note
Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
Extract from Microsoft W2K ResKit Reference.
iD
HKLM\SYSTEM\CurrentControl
Data type Range Default value
REG_DWORD 1–1,000,000 (days) 30
Description
Determines how often the system changes the computer account password of the local computer. This entry is used only when the system is configured to change the computer password automatically at regular intervals, that is, when the value of the DisablePasswordChange entry is 0.
Note
Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
Extract from Microsoft W2K ResKit Reference.
iD
Check under the "Computers" tab.